Shielded connection is not working

[SoftAvocado]

Hello,

I'm using Optiga Trust M V1 and I've been able to pair Optiga with Host via Binding Secret (I've updated metadata with Operational state).

With the following settings of crypt and util instances that are set after opening application in initialization function, everything seems to work.

        OPTIGA_UTIL_SET_COMMS_PROTECTION_LEVEL(me_util, OPTIGA_COMMS_FULL_PROTECTION);
        OPTIGA_UTIL_SET_COMMS_PROTOCOL_VERSION(me_util, OPTIGA_COMMS_PROTOCOL_VERSION_PRE_SHARED_SECRET);

        OPTIGA_CRYPT_SET_COMMS_PROTECTION_LEVEL(me_crypt, OPTIGA_COMMS_FULL_PROTECTION);
        OPTIGA_CRYPT_SET_COMMS_PROTOCOL_VERSION(me_crypt, OPTIGA_COMMS_PROTOCOL_VERSION_PRE_SHARED_SECRET);

If the secret on host is equal to the secret written to Optiga, no errors occur. If the secret on Host is different, there's OPTIGA_COMMS_ERROR_HANDSHAKE error. That is the behavior that I need.

But if I don't specify the protection level and protocol version, Optiga ignores the wrong secret from host and executes e.g. optiga_crypt_ecdsa_sign function without any errors. Is this a correct behavior? In that way it seems that a malefactor can connect to Optiga, send any command without setting up level and protocol version and get confidential data (e.g. signature).

Could you please help me figure this out and tell me if I might be doing something wrong?

[ShaikKarishma0]

Hello @SoftAvocado ,

But if I don't specify the protection level and protocol version, Optiga ignores the wrong secret from host and executes e.g. optiga_crypt_ecdsa_sign function without any errors. Is this a correct behavior?

In order to protect Data or Key objects from unauthorized access two things shall be done, first - setting up the Platform Binding Secret on both sides of the setup (Host MCU and OPTIGA) + defining the protection level for the communication, this is exactly what you have done already and it seems to work fine; second part is to setup corresponding metadata of the object you would like to protect, this part looks like a missing step in your setup.
More about access conditions and metadata expression you can find here, but in the nutshell, you need to define individually (per data/key object) rules for required access, so that the access will be only possible under shielded connection. Below is a figure from the Solution Reference Manual on how Metadata for an object might look like

Relevant example on how such settings might look like: you have a secret data stored in an object id 0xF0D0 and you would like to allow to read the data inside it only if a shielded connection is established, then you need to write the following expression into the metadata of the 0xf0d0 object using the optiga_util_write_metadata() function (here is also a usage example):

static const uint8_t metadata [] = {
//Metadata tag in the data object
0x20, 0x05,
//Read tag in the metadata
0xD1, 0x03,
//Conf(0xe140)
0x20, 0xE1, 0x40
};

The expression 0xD1, 0x03, 0x20, 0xE1, 0x40 is exactly doing what you want here, instructs the optiga, that read access should only happen if a shielded connection is established

[SoftAvocado]

Thank you so much! I've set 0x20, 0xE1, 0x40 (Conf) to EXE tag for private key and now everything works fine :)