EdgeLock SE051: se05x_Minimal fails with SCP03 errors after loading OpenSSL Provider

Hello,

I am trying to use the OpenSSL Provider with the EdgeLock SE051 and SCP03 on Linux. I have run into an issue where the se05x_Minimal example works perfectly at first, but fails with SCP03 authentication errors after I install the shared libraries for the OpenSSL Provider.

Could you please advise on what might be causing this conflict?

Environment:

  • Board: MCIMX8M-WEVK and OM-SE051ARD

  • SoC: i.MX 8M

  • Linux version: 6.1.151-cip46

  • OpenSSL version: 3.0.20

  • Plug & Trust MW version: 04.07.01

Steps Taken:

  1. Built the Plug & Trust MW with the following CMake configuration:

    cmake ../simw-top \
    -DPTMW_Applet=SE05X_C \
    -DPTMW_SE05X_Ver=07_02 \
    -DPTMW_Host=iMXLinux \
    -DPTMW_SMCOM=T1oI2C \
    -DPTMW_HostCrypto=OPENSSL \
    -DPTMW_RTOS=Default \
    -DPTMW_mbedTLS_ALT=None \
    -DPTMW_SCP=SCP03_SSS \
    -DPTMW_FIPS=None \
    -DPTMW_SBL=None \
    -DPTMW_SE05X_Auth=PlatfSCP03 \
    -DPTMW_Log=Default \
    -DCMAKE_BUILD_TYPE=Release \
    -DPTMW_SE_RESET_LOGIC=1
  2. Copied simw-top/demos/linux/common/openssl30_sss_se050.cnf from the Plug & Trust MW directory to /root on the i.MX 8M.

  3. Exported the configuration environment variable:

    export OPENSSL_CONF=/root/openssl30_sss_se050.cnf
  4. Executed se05x_Minimal to confirm that the SE051 with SCP03 works correctly. It succeeded.

    App   :INFO :Running bin/se05x_Minimal
    App   :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
    App   :INFO :PlugAndTrust_v04.07.01_20250519
    App   :INFO :Using default PlatfSCP03 keys. You can use keys from file using ENV=EX_SSS_BOOT_SCP03_PATH
    sss   :INFO :atr (Len=35)
          (snip)
    App   :INFO :mem=17196
    App   :INFO :se05x_Minimal Example Success !!!...
    App   :INFO :ex_sss Finished
  5. Copied libsssapisw.so, libsss_pkcs11.so, and libsssProvider.so to /usr/local/lib/. (Note: /usr/local/lib/ is the path specified in the [nxp_prov_sec] section of /root/openssl30_sss_se050.cnf)

  6. Executed se05x_Minimal again. This time, it failed with the following errors:

Error Output:

App   :INFO :Running bin/se05x_Minimal
App   :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
App   :INFO :PlugAndTrust_v04.07.01_20250519
App   :INFO :Using default PlatfSCP03 keys. You can use keys from file using ENV=EX_SSS_BOOT_SCP03_PATH
sss   :INFO :atr (Len=35)
      (snip)
App   :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
App   :INFO :Using default PlatfSCP03 keys. You can use keys from file using ENV=EX_SSS_BOOT_SCP03_PATH
sss   :INFO :atr (Len=35)
      (snip)
sss   :ERROR:Error in RAND_pseudo_bytes 
scp   :WARN :nxEnsure:'status == kStatus_SSS_Success' failed. At Line:121 Function:nxScp03_AuthenticateChannel
sss   :ERROR:Could not set SCP03 Secure Channel
App   :ERROR:sss_session_open failed
App   :WARN :nxEnsure:'kStatus_SSS_Success == status' failed. At Line:240 Function:OSSL_provider_init
smCom :ERROR:phNxpEseProto7816_DecodeFrame Max retry count reached!!! 
smCom :ERROR:phNxpEseProto7816_Transceive Transceive failed, hard reset to proceed 
smCom :ERROR: phNxpEse_Transceive phNxpEseProto7816_Transceive- Failed 
smCom :ERROR: Transcive Failed 
sss   :WARN :nxEnsure:'retStatus == SM_OK' failed. At Line:7977 Function:sss_se05x_channel_txn
sss   :WARN :nxEnsure:'ret == SM_OK' failed. At Line:7839 Function:sss_se05x_TXn
sss   :WARN :APDU Transaction Error: Error (0xFFFF)

scp   :ERROR:GP_InitializeUpdate Failure on communication Link FFFF
scp   :ERROR:nxScp03_GP_InitializeUpdate fails with Status 3C3C0000
sss   :ERROR:Could not set SCP03 Secure Channel
App   :ERROR:sss_session_open failed
App   :ERROR:ex_sss_session_open Failed
App   :ERROR:!ERROR! ret != 0.

It seems that once the OpenSSL provider is successfully loaded by the configuration, something (possibly related to RAND_pseudo_bytes) breaks the SCP03 channel establishment.

Has anyone encountered this or knows what additional configurations might be missing?

Thank you in advance for your help.

Re: EdgeLock SE051: se05x_Minimal fails with SCP03 errors after loading OpenSSL Provider

Hi @Uc_S ,


Did you set up the proper OpenSSL version? Please use the following option:

-DPTMW_OpenSSL=3_0

BTW, for test purposes, please enable verbose logging to get more debug info.

-DPTMW_Log=Verbose


Have a great day,
Kan



Re: EdgeLock SE051: se05x_Minimal fails with SCP03 errors after loading OpenSSL Provider

Thank you very much for your advice. You were exactly right.

The root cause of the issue was indeed the missing "-DPTMW_OpenSSL=3_0" option in my CMake configuration.

After adding "-DPTMW_OpenSSL=3_0 -DPTMW_Log=Verbose" and rebuilding the MW, the problem was completely resolved. Here are the results:

Executing Step 6 no longer throws any errors. It successfully outputs "App :INFO :mem=17196" as expected.

I also confirmed that even when setting the log level back to my originally intended configuration ("-DPTMW_Log=Default" instead of Verbose), the application still executes perfectly and outputs "App :INFO :mem=17196".

I will mark this topic as resolved.
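
A pre-flight check for the mismatch resolved in this thread, as an added example that is not part of the original posts and is not NXP code. The helper names are hypothetical, and it assumes the build directory's CMakeCache.txt records the PTMW options and that the major number in PTMW_OpenSSL must equal the major number of the OpenSSL in use.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not NXP code).
# Assumption: the major number in PTMW_OpenSSL (the "3" in 3_0) must equal
# the major number of the OpenSSL the middleware is built and run against.

# Print the value of a CMakeCache.txt entry (NAME:TYPE=VALUE); empty if absent.
cache_value() {
    sed -n "s/^$2:[A-Z]*=//p" "$1" | head -n 1
}

# Major number from "OpenSSL 3.0.20 ..." or a bare "3.0.20".
openssl_major() {
    v=${1#OpenSSL }
    printf '%s\n' "${v%%.*}"
}

# check_ptmw_openssl <CMakeCache.txt> <version string>
# Prints a verdict. Returns 0 on a match, or when OpenSSL is not the host
# crypto; returns 1 when the option is missing or names another major.
check_ptmw_openssl() {
    host=$(cache_value "$1" PTMW_HostCrypto)
    opt=$(cache_value "$1" PTMW_OpenSSL)
    want=$(openssl_major "$2")
    if [ "$host" != "OPENSSL" ]; then
        echo "skip: PTMW_HostCrypto=${host:-unset}"
        return 0
    fi
    if [ -z "$opt" ]; then
        echo "FAIL: PTMW_OpenSSL not in cache; runtime OpenSSL major is $want"
        return 1
    fi
    if [ "${opt%%_*}" != "$want" ]; then
        echo "FAIL: PTMW_OpenSSL=$opt but runtime OpenSSL major is $want"
        return 1
    fi
    echo "ok: PTMW_OpenSSL=$opt matches runtime OpenSSL major $want"
}

# Write a constructed sample cache: $1 = path, $2 = PTMW_OpenSSL value or "".
sample_cache() {
    printf 'PTMW_HostCrypto:STRING=OPENSSL\nPTMW_SCP:STRING=SCP03_SSS\n' > "$1"
    if [ -n "$2" ]; then printf 'PTMW_OpenSSL:STRING=%s\n' "$2" >> "$1"; fi
}

# Demo on constructed input. Real use:
#   check_ptmw_openssl <build dir>/CMakeCache.txt "$(openssl version)"
tmp=$(mktemp -d)
sample_cache "$tmp/before.txt" ""
sample_cache "$tmp/after.txt" "3_0"
check_ptmw_openssl "$tmp/before.txt" "OpenSSL 3.0.20" || :
check_ptmw_openssl "$tmp/after.txt" "OpenSSL 3.0.20"
rm -rf "$tmp"
```
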
