Introduction
Many people are interested in secure elements, but perhaps they have the impression that they are "somehow difficult to use."
NXP's Secure Element SE05x comes with middleware called Plug and Trust Middleware. This includes a dedicated API for using SE05x, as well as plugins for widely used libraries such as OpenSSL and mbed-TLS. Therefore, applications using these libraries (e.g., Eclipse Mosquitto ™ , etc.) can leverage the functionality of the Secure Element with little to no modifications.
This middleware's reference operating environment supports "Windows PCs" and "various NXP MCUs/MPUs (Linux)," but it also supports the readily available "Raspberry Pi."
Command-line tools are available in Windows and Linux environments, making it easy to verify various operations.
This article explains how to set up Plug and Trust Middleware on a Raspberry Pi.
Hardware, software, and versions used in writing this article
Hardware:
- Raspberry Pi 3 Model B+
- EdgeLock ® SE050 Development Kit ( OM-SE050ARD-E )
- Five jumper wires (male-to-female or female-to-female) or an Arduino to Raspberry Pi adapter board ( OM-SE050RPI )
software:
- Raspberry Pi OS 12 64-bit
- SE-PLUG-TRUST-MW_04.07.01 *The method for accessing the documentation is explained below.
Download the Plug and Trust middleware package.
First, please download the Plug and Trust middleware package (SE05x-PLUG-TRUST-MW) from here.
* A MyNXP account is required for downloading. Registration is free and easy.
* After unzipping, you can access the documentation from simw-top/doc/index.html (hereafter, "documentation" refers to this HTML file).
For information on using Plug and Trust middleware with Raspberry Pi, please also refer to AN12570 .
Hardware preparation
Connect the Raspberry Pi and the OM-SE050ARD-E using jumper wires (or OM-SE050RPI).
For connections using jumper wires, see section 4.5 in the documentation. Please refer to the diagram below for Raspberry Pi Build.
However, as of the time of writing this article, GPIO22 connected as described above does not function correctly due to changes in the GPIO control specifications of the Raspberry Pi OS.
Although the cause and solution are known, for the time being, this article will show how to disable control via GPIO22 by changing the jumper settings.
To operate without using GPIO22, change the following two jumper settings on the OM-SE050ARD-E.
J13: 1-2
J14: 1-2
Setting J13 to 1-2 connects SE050's ENA to GND, and setting J14 to 1-2 connects SE050's VCC to VIN.
ENA is the control pin for DPD (Deep Power-down) mode. When using DPD, connect VOUT and VCC, and control the power supply from VOUT using ENA to reduce current consumption.
Since the ENA control is not working properly this time, we will temporarily disable the DPD setting.
If DPD is not used, leave VOUT open and connect VCC to VIN to ensure a constant power supply.
While connecting ENA to GND appears to be acceptable in terms of evaluation, the datasheet recommends connecting it to VCC if ENA is not being used.
Pre-build preparations
After flashing Raspberry Pi OS using Raspberry Pi Imager and booting, open a terminal.
Enable I2C
If i2c-1 is not displayed after running the following command, I2C is not enabled, so enable it.
ls /sys/bus/i2c/devicesAfter executing the following command, go to Interfacing Options -> I2C and enable I2C.
sudo raspi-config- Install additional build tools
Perform the following:
sudo apt-get install cmake cmake-curses-gui cmake-gui libssl-dev libsystemd-devMiddleware setup and running the sample application
Copy the downloaded Plug and Trust middleware package to your Raspberry Pi.
Navigate to the directory where you copied the Plug and Trust middleware and execute the following:
cd simw-top
python scripts/create_cmake_projects.py
cd ../simw-top_build/raspberrypi_native_se050_t1oi2c
cmake --build .
sudo make install
sudo ldconfig /usr/local/libThe built applications are located in simw-top_build/raspbian_native_se050_t1oi2c/bin.
Since the files were copied to /usr/local/bin/ during the installation process described earlier, you can run the program without specifying the files in that location.
Running se05x_GetInfo to verify operation will display device information.
shinji@raspberrypi:~/SE-PLUG-TRUST-MW_04.07.01/simw-top_build/raspbian_native_se050_t1oi2c $ se05x_GetInfo
Failed to export Enable pin : Invalid argument
Failed to open GPIO value file : No such file or directory
Failed to unexport GPIO : Invalid argument
App :INFO :Running se05x_GetInfo
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
App :INFO :PlugAndTrust_v04.07.01_20250519
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :WARN :No SemsLite Applet Available.
App :INFO :Running se05x_GetInfo
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
App :WARN :#####################################################
App :INFO :uid (Len=18)
04 00 50 01 6A 17 2A E0 43 2E 7C 04 27 6A D2 9C
1D 90
App :WARN :#####################################################
App :INFO :Applet Major = 7
App :INFO :Applet Minor = 2
App :INFO :Applet patch = 0
App :INFO :AppletConfig = 3F9F
App :INFO :With ECDSA_ECDH_ECDHE
App :INFO :With EDDSA
App :INFO :With DH_MONT
App :INFO :With HMAC
App :INFO :WithOut RSA_PLAIN
App :INFO :WithOut RSA_CRT
App :INFO :With AES
App :INFO :With DES
App :INFO :With PBKDF
App :INFO :With TLS
App :INFO :With MIFARE
App :INFO :With I2CM
App :INFO :Internal = FFFF
App :WARN :#####################################################
App :INFO :Tag value - proprietary data 0xFE = 0xFE
App :INFO :Length of following data 0x45 = 0x45
App :INFO :Tag card identification data (Len=2)
DF 28
App :INFO :Length of card identification data = 0x42
App :INFO :Tag configuration ID (Must be 0x01) = 0x01
App :INFO :Configuration ID (Len=12)
00 01 A9 21 89 0A 6F 56 4A 23 9C 41
App :INFO :OEF ID (Len=2)
A9 21
App :INFO :Tag patch ID (Must be 0x02) = 0x02
App :INFO :Patch ID (Len=8)
00 00 00 00 00 00 00 01
App :INFO :Tag platform build ID1 (Must be 0x03) = 0x03
App :INFO :Platform build ID (Len=24)
4A 33 52 33 35 31 30 32 39 42 34 31 31 31 30 30
1A 08 FA 50 67 B5 F2 56
App :INFO :JCOP Platform ID = J3R351029B411100
App :INFO :Tag FIPS mode (Must be 0x05) = 0x05
App :INFO :FIPS mode var = 0x00
App :INFO :Tag pre-perso state (Must be 0x07) = 0x07
App :INFO :Bit mask of pre-perso state var = 0x00
App :INFO :Tag ROM ID (Must be 0x08) = 0x08
App :INFO :ROM ID (Len=8)
2E 5A D8 84 09 C9 BA DB
App :INFO :Status Word (SW) (Len=2)
90 00
App :INFO :se05x_GetInfoPlainApplet Example Success !!!...
App :WARN :#####################################################
App :INFO :cplc_data.IC_fabricator (Len=2)
47 90
App :INFO :cplc_data.IC_type1 (Len=2)
D3 21
App :INFO :cplc_data.Operating_system_identifier (Len=2)
47 00
App :INFO :cplc_data.Operating_system_release_date (Len=2)
00 00
App :INFO :cplc_data.Operating_system_release_level (Len=2)
00 00
App :INFO :cplc_data.IC_fabrication_date (Len=2)
41 50
App :INFO :cplc_data.IC_Serial_number (Len=4)
13 93 77 21
App :INFO :cplc_data.IC_Batch_identifier (Len=2)
05 57
App :INFO :cplc_data.IC_module_fabricator (Len=2)
00 00
App :INFO :cplc_data.IC_module_packaging_date (Len=2)
00 00
App :INFO :cplc_data.ICC_manufacturer (Len=2)
00 00
App :INFO :cplc_data.IC_embedding_date (Len=2)
00 00
App :INFO :cplc_data.IC_OS_initializer (Len=2)
07 27
App :INFO :cplc_data.IC_OS_initialization_date (Len=2)
6A 33
App :INFO :cplc_data.IC_OS_initialization_equipment (Len=4)
39 33 37 37
App :INFO :cplc_data.IC_personalizer (Len=2)
00 00
App :INFO :cplc_data.IC_personalization_date (Len=2)
00 00
App :INFO :cplc_data.IC_personalization_equipment_ID (Len=4)
00 00 00 00
App :INFO :cplc_data.SW (Len=2)
90 00
App :INFO :ex_sss Finished
Failed to open GPIO value file : No such file or directory
Failed to unexport GPIO : Invalid argument
Failed to unexport GPIO : Invalid argument
As mentioned earlier, there is a problem with GPIO control, so GPIO-related errors will be displayed at the beginning and end of the message, but this does not affect the operation.
If you see a section reading the uid (Unique ID) as shown below, it's working correctly. Since the uid is a different value for each device, a different value should be read depending on the board being used.
App :INFO :uid (Len=18)
04 00 50 01 6A 17 2A E0 43 2E 7C 04 27 6A D2 9C
1D 90The following message is also displayed, which indicates that protection (message authentication and encryption) for communication between the host and SE050 is not enabled.
During mass production, we strongly recommend changing the middleware build settings to enable protection.
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Setting up the command line tool (ssscli)
ssscli is a Python-based command-line tool for controlling SE05X.
Document 9.3.1.3. We will set it up according to the instructions for the Raspberry Pi.
The following instructions will create a venv in simw-top/pycli, but you can change this according to your preference.
cd simw-top/pycli
sudo apt-get install python3-pip python3-dev libffi-dev
sudo apt install python3-virtualenv
virtualenv venv
source venv/bin/activate
pip install -r requirements.txt
cd src
pip install --editable .Once the above is complete, try using ssscli to retrieve the uid.
(venv) shinji@raspberrypi:~/SE-PLUG-TRUST-MW_04.07.01/simw-top/pycli $ ssscli connect se05x t1oi2c none
(venv) shinji@raspberrypi:~/SE-PLUG-TRUST-MW_04.07.01/simw-top/pycli $ ssscli se05x uid
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
040050016a172ae0432e7c04276ad29c1d90
Unique ID: 040050016a172ae0432e7c04276ad29c1d90
(venv) shinji@raspberrypi:~/SE-PLUG-TRUST-MW_04.07.01/simw-top/pycli $ ssscli disconnectThe same ID was obtained as in the previous execution of se05x_GetInfo, indicating that it is working correctly.
This completes the setup of Plug and Trust Middleware.
Specific usage examples will be introduced in a separate article.
=========================
We are currently unable to respond to comments left in the " Comment "
section of this post . We apologize for the inconvenience, but please refer to "
Technical Questions to NXP - How to Contact Us( Japanese Blog) " when making inquiries.(If you are already an NXP distributor or have a relationship with NXP, you may ask your representative directly.)
Many people are interested in secure elements, but perhaps they have the impression that they are "somehow difficult to use."
NXP's Secure Element SE05x comes with middleware called Plug and Trust Middleware. This includes a dedicated API for using SE05x, as well as plugins for widely used libraries such as OpenSSL and mbed-TLS. Therefore, applications using these libraries (e.g., Eclipse Mosquitto ™ etc.) can leverage the functionality of the Secure Element with little to no modifications.
This middleware's reference operating environment supports Windows PCs and various NXP MCUs/MPUs (Linux), but it also supports the readily available Raspberry Pi.
Command-line tools are available for Windows and Linux environments, making it easy to verify various operations.
This article explains how to set up Plug and Trust Middleware on a Raspberry Pi.
(Working time: 20 minutes)