Embedded cryptographic operations and secure element integration. Expert skill for hardware crypto accelerators, secure key storage, TrustZone configuration, and side-channel attack mitigation.
Configures embedded cryptographic systems with hardware acceleration and secure key management.
npx claudepluginhub a5c-ai/babysitterThis skill is limited to using the following tools:
README.mdExpert skill for cryptographic operations in embedded systems. Provides expertise in hardware crypto accelerators, secure key storage, TrustZone configuration, and security best practices.
The Embedded Crypto skill enables secure cryptographic implementation in embedded systems:
Leverage hardware acceleration for cryptographic operations:
/**
* @brief Initialize hardware crypto accelerator
*
* Enables clock and configures the crypto peripheral for
* accelerated AES, SHA, and random number generation.
*
* @return CRYPTO_OK on success
*/
crypto_status_t crypto_hw_init(void)
{
// Enable peripheral clock
RCC->AHB2ENR |= RCC_AHB2ENR_CRYPTEN;
// Enable AES, SHA, and RNG modules
CRYP->CR = CRYP_CR_ALGODIR | CRYP_CR_ALGOMODE_AES_CBC;
// Configure for interrupt or DMA mode
CRYP->CR |= CRYP_CR_CRYPEN;
return CRYPTO_OK;
}
/**
* @brief Hardware-accelerated AES-128 CBC encryption
*
* @param[in] key 128-bit encryption key
* @param[in] iv 128-bit initialization vector
* @param[in] plaintext Data to encrypt
* @param[out] ciphertext Encrypted output
* @param[in] length Data length (must be multiple of 16)
*
* @return CRYPTO_OK on success
*/
crypto_status_t crypto_aes128_cbc_encrypt(
const uint8_t key[16],
const uint8_t iv[16],
const uint8_t *plaintext,
uint8_t *ciphertext,
size_t length
);
Configure secure key storage mechanisms:
/**
* @brief Key storage locations and protection levels
*/
typedef enum {
KEY_STORAGE_RAM, // Volatile, cleared on reset
KEY_STORAGE_OTP, // One-time programmable fuses
KEY_STORAGE_SECURE_FLASH, // Encrypted flash with RDP
KEY_STORAGE_TRUSTZONE, // TrustZone secure region
KEY_STORAGE_HSM, // External secure element
} key_storage_t;
/**
* @brief Key attributes for secure storage
*/
typedef struct {
uint32_t id; // Key identifier
key_storage_t location; // Storage location
uint32_t algorithm; // Key algorithm (AES, ECC, etc.)
uint16_t bits; // Key size in bits
uint32_t usage; // Allowed operations (encrypt, sign, etc.)
uint32_t lifetime; // Persistent or volatile
uint8_t exportable; // Can key be exported
} key_attributes_t;
/**
* @brief Import key into secure storage
*
* @param[in] attributes Key attributes
* @param[in] data Key material
* @param[in] length Key length
* @param[out] key_id Assigned key ID
*
* @return CRYPTO_OK on success
*/
crypto_status_t secure_key_import(
const key_attributes_t *attributes,
const uint8_t *data,
size_t length,
uint32_t *key_id
);
Configure TrustZone for secure/non-secure separation:
/**
* @brief TrustZone memory region configuration
*
* Memory Map with TrustZone:
*
* Address Range | Security | Purpose
* --------------------|----------|------------------
* 0x00000000-0x0001FFFF | Secure | Secure bootloader
* 0x00020000-0x0007FFFF | NS | Non-secure app
* 0x10000000-0x1000FFFF | Secure | Secure code/data
* 0x20000000-0x20007FFF | Secure | Secure RAM
* 0x20008000-0x2001FFFF | NS | Non-secure RAM
* 0x40000000-0x4FFFFFFF | NS-call | Peripherals (SAU)
*/
/**
* @brief Configure SAU regions for TrustZone
*/
void sau_configure(void)
{
// Region 0: Non-secure flash (application)
SAU->RNR = 0;
SAU->RBAR = 0x00020000U; // Base address
SAU->RLAR = 0x0007FFFFU | SAU_RLAR_ENABLE_Msk; // Non-secure
// Region 1: Non-secure RAM
SAU->RNR = 1;
SAU->RBAR = 0x20008000U;
SAU->RLAR = 0x2001FFFFU | SAU_RLAR_ENABLE_Msk;
// Region 2: Non-secure callable (NSC) for secure API
SAU->RNR = 2;
SAU->RBAR = 0x0001F000U;
SAU->RLAR = 0x0001FFFFU | SAU_RLAR_NSC_Msk | SAU_RLAR_ENABLE_Msk;
// Enable SAU
SAU->CTRL = SAU_CTRL_ENABLE_Msk;
}
/**
* @brief Secure function exposed to non-secure world
*
* @note Function must be in NSC region
*/
__attribute__((cmse_nonsecure_entry))
int32_t secure_encrypt(uint8_t *data, size_t length)
{
// Validate non-secure pointer
if (cmse_check_address_range(data, length, CMSE_AU_NONSECURE) == NULL) {
return CRYPTO_ERR_INVALID_PARAM;
}
// Perform encryption in secure world
return crypto_aes128_encrypt_internal(data, length);
}
Implement secure random number generation:
/**
* @brief Initialize hardware TRNG
*
* Configures the true random number generator with
* health tests and conditioning.
*
* @return CRYPTO_OK on success, error if health test fails
*/
crypto_status_t trng_init(void)
{
// Enable RNG clock
RCC->AHB2ENR |= RCC_AHB2ENR_RNGEN;
// Configure health tests
RNG->CR |= RNG_CR_CED; // Clock error detection
RNG->CR |= RNG_CR_RNG_CONFIG3; // Conditioning
// Enable RNG
RNG->CR |= RNG_CR_RNGEN;
// Wait for first random number and verify
if (!trng_health_test()) {
return CRYPTO_ERR_HEALTH_TEST;
}
return CRYPTO_OK;
}
/**
* @brief Generate cryptographically secure random bytes
*
* @param[out] output Buffer to fill with random data
* @param[in] length Number of random bytes to generate
*
* @return CRYPTO_OK on success
*
* @note Blocks until sufficient entropy available
*/
crypto_status_t trng_generate(uint8_t *output, size_t length);
Handle X.509 certificates for device identity:
/**
* @brief Device certificate chain
*
* Chain structure:
* 1. Device certificate (leaf)
* 2. Intermediate CA certificate
* 3. Root CA certificate (optional, often trusted by peer)
*/
typedef struct {
uint8_t *device_cert;
size_t device_cert_len;
uint8_t *intermediate_cert;
size_t intermediate_cert_len;
uint8_t *root_cert;
size_t root_cert_len;
} cert_chain_t;
/**
* @brief Verify certificate chain validity
*
* @param[in] chain Certificate chain to verify
* @param[in] trusted Trusted root certificates
*
* @return CRYPTO_OK if valid, error code otherwise
*/
crypto_status_t cert_verify_chain(
const cert_chain_t *chain,
const cert_store_t *trusted
);
/**
* @brief Extract public key from certificate
*
* @param[in] cert DER-encoded certificate
* @param[in] cert_len Certificate length
* @param[out] pubkey Extracted public key
*
* @return CRYPTO_OK on success
*/
crypto_status_t cert_get_public_key(
const uint8_t *cert,
size_t cert_len,
public_key_t *pubkey
);
Implement countermeasures against side-channel attacks:
/**
* @brief Side-channel resistant comparison
*
* Compares two buffers in constant time to prevent
* timing attacks.
*
* @param[in] a First buffer
* @param[in] b Second buffer
* @param[in] length Number of bytes to compare
*
* @return 0 if equal, non-zero otherwise
*/
int crypto_compare_constant_time(
const uint8_t *a,
const uint8_t *b,
size_t length
)
{
uint8_t result = 0;
for (size_t i = 0; i < length; i++) {
result |= a[i] ^ b[i];
}
return result;
}
/**
* @brief AES with masking countermeasure
*
* Applies random masking to intermediate values
* to protect against DPA attacks.
*/
typedef struct {
uint8_t key_masked[16];
uint8_t mask[16];
uint8_t state_mask[16];
} aes_masked_ctx_t;
/**
* @brief Initialize AES with random mask
*/
crypto_status_t aes_masked_init(
aes_masked_ctx_t *ctx,
const uint8_t key[16]
)
{
// Generate random mask
trng_generate(ctx->mask, 16);
// XOR key with mask
for (int i = 0; i < 16; i++) {
ctx->key_masked[i] = key[i] ^ ctx->mask[i];
}
return CRYPTO_OK;
}
This skill integrates with the following processes:
| Process | Integration Point |
|---|---|
secure-boot-implementation.js | Crypto verification and signing |
functional-safety-certification.js | Security certification aspects |
ota-firmware-update.js | Update encryption and signing |
## Security Requirements Checklist
- [ ] Identify assets to protect (keys, data, code)
- [ ] Determine threat model (local, network, physical)
- [ ] Select appropriate algorithms (AES-128/256, ECC P-256)
- [ ] Define key management strategy
- [ ] Plan for side-channel resistance
- [ ] Identify certification requirements (PSA, SESIP, CC)
# Check for crypto accelerator
grep -i "crypto\|aes\|sha\|rng" device_datasheet.pdf
# Verify TrustZone support (Cortex-M33/M55)
arm-none-eabi-gcc -mcpu=cortex-m33 -print-multi-lib | grep cmse
// Initialize crypto subsystem
crypto_hw_init();
trng_init();
// Import device key
key_attributes_t attr = {
.algorithm = KEY_ALG_AES,
.bits = 128,
.usage = KEY_USAGE_ENCRYPT | KEY_USAGE_DECRYPT,
.location = KEY_STORAGE_TRUSTZONE
};
secure_key_import(&attr, device_key, 16, &key_id);
// Configure TrustZone (if available)
sau_configure();
# Run static analysis for crypto issues
cppcheck --enable=security src/crypto/
# Check for timing vulnerabilities
python tools/timing_analysis.py build/firmware.elf
# Verify random number quality
python tools/rng_test_suite.py
{
"cryptoCapabilities": {
"hardware": {
"aes": true,
"sha": true,
"ecc": false,
"trng": true
},
"trustzone": true,
"secureElement": false
},
"keyManagement": {
"storageLocations": ["otp", "trustzone"],
"algorithms": ["aes-128-gcm", "ecdsa-p256"],
"keyCount": 5
},
"implementation": {
"library": "mbedtls",
"hwAcceleration": true,
"sideChannelProtection": true
},
"compliance": {
"psaLevel": 1,
"certifications": ["PSA Certified Level 1"]
},
"artifacts": [
"src/crypto/crypto_hal.c",
"src/crypto/trustzone_config.c",
"src/crypto/key_storage.c",
"docs/security-architecture.md"
]
}
secure-boot-implementation.js - Secure boot processota-firmware-update.js - Secure updatesActivates when the user asks about AI prompts, needs prompt templates, wants to search for prompts, or mentions prompts.chat. Use for discovering, retrieving, and improving prompts.
Search, retrieve, and install Agent Skills from the prompts.chat registry using MCP tools. Use when the user asks to find skills, browse skill catalogs, install a skill for Claude, or extend Claude's capabilities with reusable AI agent components.
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.