Hi. I started researching the ATECC508A IC and I have some questions. I read the basic provisioning PDF file that discusses provisioning the device to authenticate a client to a host, and everything seems straightforward from a PKI point of view. However, I have some questions and I would love it if you are able to clarify them for me. I would like to connect the ATECC508A to a Linux device; for the sake of the question, let's assume it is something like an RPi that can run a full-blown Linux distro and at the same time has enough GPIOs and an I2C bus to connect directly to the IC.
Question 1: Is there a way to provision the IC with F/OSS tools from Linux-land? If this was a smart-card, the usual path would be using pkcs15/pkcs11 tools from opensc and using openssl at some point. Is there a way where I can provision the IC while it is connected directly to the I2C bus?
Question 2: From the PDF with the node example, I can see that once the client is provisioned with the client cert and the signer cert and a private key has been generated, those are all "locked" in the device. Does that mean that this operation can be done only once? Can the device be "formatted"? Smartcards can be re-initialized. Also, can the IC contain more than one chain of trust, let's assume for different PKI providers?
Question 3: If the device can hold more than one PKI chain, is there a way to lock in place one of those, while we allow the extra available slots to be populated by end users?
So far this is what I can come up with as questions. I'll order a few ATECC508A right away and will start experimenting with them in Linux user land. I see that OpenSSL already supports the IC and I'll start playing around with it, but it will be a bit pointless if I cannot provision the devices on my own. Note: at this point I don't want to order extra hardware so I can just provision the devices.