ATECC608B-TNGTLS

[Jeroen-Lardot-ACA]

Hey everyone,

I'm trying to get the ATECC608B working on greengrass through cryptoauthlib, but am running into some issues with authentication when running greengrass that I can't seem to get around. I tried changing pins etc, but that doesn't seem possible on the TNG variant. Does anyone have any idea on the underlying issue? AWS certificates and policies have been attached to the thing through the manifest file as provided by Microchip.

This is the module setup:

root@blox-rema:\~# p11tool --provider=/usr/lib/libcryptoauth.so --list-tokens
Token 0:
URL: pkcs11:model=ATECC608B;manufacturer=Microchip%20Technology%20Inc;serial=ABCDEFGH;token=MCHP
Label: MCHP
Type: Hardware token
Flags: RNG, uPIN uninitialized
Manufacturer: Microchip Technology Inc
Model: ATECC608B
Serial: ABCDEFGH
Module:

root@blox-rema:\~# p11tool --provider=/usr/lib/libcryptoauth.so --list-all
Object 0:
URL: pkcs11:model=ATECC608B;manufacturer=Microchip%20Technology%20Inc;serial=ABCDEFGH;token=MCHP;id=ABCDEFGH;object=device;type=private
Type: Private key (EC/ECDSA-SECP256R1)
Label: device
Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: ABCDEFGH

Object 1:
URL: pkcs11:model=ATECC608B;manufacturer=Microchip%20Technology%20Inc;serial=ABCDEFGH;token=MCHP;id=ABCDEFGH;object=device;type=public
Type: Public key (EC/ECDSA-SECP256R1)
Label: device
ID: ABCDEFGH

The greengrass config (without nucleus):

system:
  certificateFilePath: "pkcs11:object=device;type=cert"
  privateKeyPath: "pkcs11:object=device;type=private"
  rootCaPath: "/greengrass/v2/config/AmazonRootCA1.pem"
  rootpath: "/greengrass/v2"
  thingName: "thingname"
services:
  aws.greengrass.crypto.Pkcs11Provider:
    configuration:
      library: "/usr/lib/libcryptoauth.so"
      name: "lybcryptauth_pkcs11"
      slot: 0
      userPin: 1234
    dependencies: []
    version: "0.0.0"

The error I'm getting:

24-11-21T16:33:44.921Z [INFO] (pool-3-thread-14) com.aws.greengrass.security.SecurityService: Register crypto key service provider. {keyType=pkcs11}
2024-11-21T16:33:44.921Z [INFO] (pool-3-thread-14) com.aws.greengrass.security.SecurityService: Register MQTT connection security provider. {keyType=pkcs11}
2024-11-21T16:33:44.922Z [INFO] (aws.greengrass.crypto.Pkcs11Provider-lifecycle) com.aws.greengrass.security.provider.pkcs11.PKCS11CryptoKeyService: service-set-state. {serviceName=aws.greengrass.crypto.Pkcs11Provider, currentState=STARTING, newState=RUNNING}
2024-11-21T16:33:44.923Z [INFO] (main-lifecycle) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-set-state. {serviceName=main, currentState=INSTALLED, newState=STARTING}
2024-11-21T16:33:44.924Z [INFO] (main-lifecycle) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-set-state. {serviceName=main, currentState=STARTING, newState=FINISHED}
2024-11-21T16:33:44.924Z [INFO] (pool-3-thread-8) com.aws.greengrass.lifecyclemanager.GenericExternalService: generic-service-finished. Nothing done. {serviceName=main, currentState=STARTING}
2024-11-21T16:33:44.927Z [INFO] (main-lifecycle) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-set-state. {serviceName=main, currentState=FINISHED, newState=STOPPING}
2024-11-21T16:33:44.927Z [INFO] (pool-3-thread-8) com.aws.greengrass.lifecyclemanager.GenericExternalService: Shutdown initiated. {serviceName=main, currentState=STOPPING}
2024-11-21T16:33:44.927Z [INFO] (pool-3-thread-8) com.aws.greengrass.lifecyclemanager.GenericExternalService: generic-service-shutdown. {serviceName=main, currentState=STOPPING}
2024-11-21T16:33:44.928Z [INFO] (main-lifecycle) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-set-state. {serviceName=main, currentState=STOPPING, newState=FINISHED}
2024-11-21T16:33:45.533Z [ERROR] (pool-3-thread-6) com.aws.greengrass.mqttclient.MqttClient: Error subscribing. {topic=$aws/things/thingname/jobs/$next/namespace-aws-gg-deployment/get/accepted}
java.util.concurrent.CompletionException: software.amazon.awssdk.crt.mqtt.MqttException: Error during getting mqtt connection builder
	at java.base/java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:331)

Thanks a lot for anyone providing any insights!

[majh]

this issue may be relevant.

[github-actions]

This issue has been marked as stale - please confirm the issue still exists with the latest version of the library and update the issue if it remains

[leonau-amzn]

I'm still seeing this issue at the tip of main as of Sept 8th, 2025 at 788acf6

I did some analysis and this feature broke with the 3.4 release at e723fd0a

[Srinivas-E]

Hi @leonau-amzn
Thank you for reaching us.
We shall review the issue and get back with more updates.

[leonau-amzn]

Thank you for reopening the issue.

Let me know if there is any information that I can provide that can be of use. I'm doing some prototyping with the ATECC608B-TNGTLS chip and trying to run Greengrass v2 on top and getting the same set of failures as above (was torn on whether to open a new issue, but I took a chance at reusing the same issue so that there is one thing to follow).