Hello!
I am trying to get EdgeLock SE050 (AN12570) to work on Raspberry Pi (both 3 and 4, OpenSSL 1.0.2 and 1.1.1).
I am getting errors with every utility I could lay my hands on, besides the seTool from the demos, which works. Here come the details:
1. seTool (works)
root@raspberrypi:/home/se050_middleware/simw-top/doc/demos/se05x/seTool# /home/se050_middleware/simw-top_build/raspbian_native_se050_t1oi2c/bin/seTool genECC 0x01010101 /dev/i2c-1
App :INFO :PlugAndTrust_v02.16.01_20200818
App :INFO :Running /home/se050_middleware/simw-top_build/raspbian_native_se050_t1oi2c/bin/seTool
App :INFO :Using PortName='/dev/i2c-1' (CLI)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
sss :WARN :Object id 0x1010101 exists
App :INFO :ex_sss Finished
2. the pkcs11-tool (does not work, fails to connect to i2c device)
root@raspberrypi:/home/se050_middleware/simw-top/sss/plugin/openssl/scripts# pkcs11-tool --module $PKCS11_MODULE --keypairgen --key-type rsa:1024 --label "sss:20202020"
ssse-flw: EmbSe_Init(): Entry
App :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
smCom :ERROR:Failed writing data (nrWritten=-1).
smCom :ERROR: - Error in I2C Write.....
smCom :ERROR:phNxpEseProto7816_SendRawFrame Error phNxpEse_WriteFrame
smCom :ERROR:TransceiveProcess Transceive send failed, going to recovery!
smCom :ERROR:phNxpEseProto7816_Open failed
smCom :ERROR: Failed to Open session
sss :ERROR:SM_Connect Failed. Status 7012
App :ERROR:sss_session_open failed
App :WARN :nxEnsure:'kStatus_SSS_Success == status' failed. At Line:356 Function:engineSessionOpen
ssse-flw: EmbSe_Init(): Failed to initialize
ssse-flw: EmbSe_Finish(): Entry
ssse-flw: EmbSe_Finish(): Exit
Using slot 0 with a present token (0x1)
smCom :ERROR:phNxpEseProto7816_SendRawFrame Error phNxpEse_WriteFrame
smCom :ERROR:TransceiveProcess Transceive send failed, going to recovery!
smCom :ERROR:phNxpEseProto7816_Close TransceiveProcess failed
smCom :ERROR:Failed to close session
App :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
smCom :ERROR:Failed writing data (nrWritten=-1).
smCom :ERROR: - Error in I2C Write.....
smCom :ERROR:phNxpEseProto7816_SendRawFrame Error phNxpEse_WriteFrame
smCom :ERROR:TransceiveProcess Transceive send failed, going to recovery!
smCom :ERROR:phNxpEseProto7816_Open failed
smCom :ERROR: Failed to Open session
sss :ERROR:SM_Connect Failed. Status 7012
App :ERROR:sss_session_open failed
App :ERROR:Session Open Failed
App :INFO :Destroyed mutex
error: PKCS11 function C_OpenSession failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
ssse-flw: EmbSe_Destroy(): Entry
Now here is where it gets interesting: comparing the straces of seTool and any of the commands that do not work reveals one difference in the i2c connect sequence: the `write(3, "Z\300\0\377\374", 5)` call fails in the latter case, while it works for the former. Here come the two strace snippets:
# seTool (works):
18659 10:12:30.522584 openat(AT_FDCWD, "/dev/i2c-1", O_RDWR) = 3 <0.000063>
18659 10:12:30.522760 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x3, 0), 0x48) = 0 <0.000047>
18659 10:12:30.522928 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x8, 0), 0) = 0 <0.000032>
18659 10:12:30.523316 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x5, 0), 0x7ee2187c) = 0 <0.000037>
18659 10:12:30.523509 nanosleep({tv_sec=0, tv_nsec=5000000}, NULL) = 0 <0.007258>
18659 10:12:30.531005 read(3, 0x7ee2161c, 260) = -1 EREMOTEIO (Remote I/O error) <0.000179>
18659 10:12:30.531346 nanosleep({tv_sec=0, tv_nsec=1000000}, NULL) = 0 <0.001129>
18659 10:12:30.532644 write(3, "Z\300\0\377\374", 5) = 5 <0.000640>
# pkcs11-tool (does not work)
18684 10:13:47.901991 openat(AT_FDCWD, "/dev/i2c-1", O_RDWR) = 3 <0.000071>
18684 10:13:47.902200 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x3, 0), 0x48) = 0 <0.000041>
18684 10:13:47.902344 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x8, 0), 0) = 0 <0.000034>
18684 10:13:47.902473 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x5, 0), 0x7ecf65c4) = 0 <0.000034>
18684 10:13:47.902662 nanosleep({tv_sec=0, tv_nsec=5000000}, NULL) = 0 <0.005108>
18684 10:13:47.907892 read(3, 0x7ecf6364, 260) = -1 EREMOTEIO (Remote I/O error) <0.000176>
18684 10:13:47.908185 nanosleep({tv_sec=0, tv_nsec=1000000}, NULL) = 0 <0.001099>
18684 10:13:47.909392 write(3, "Z\300\0\377\374", 5) = -1 EREMOTEIO (Remote I/O error) <0.000169>
Every other attempt with:
* the python scripts (/home/se050_middleware/simw-top/sss/plugin/openssl/scripts) `export EX_SSS_BOOT_SSS_PORT=/dev/i2c-1; export OPENSSL_CONF=/etc/ssl/nxp_openssl.cnf; python3 openssl_provisionEC.py --key_type prime256v1`
* the openssl command `openssl req -new -x509 -subj "/CN=Units" -engine e4sss -keyform engine -key 'pkcs11:id=xxxx;type=private' -out cert.pem` (with openssl configured with /usr/local/lib/libsss_engine.so),
* ssscli
fails in the same way.
Any help would be greatly appreciated! It is crucial from the business perspective for me to get it working.
best regards,
peter
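The trace comparison described in the post above, as an added example that is not part of the original thread or of NXP's middleware: it strips PIDs, timestamps and pointer values from the two strace snippets (copied from the post), names the I2C ioctl requests using the constants in `<linux/i2c-dev.h>`, and reports the first call whose outcome differs. The function and variable names are this example's own.

```python
import re

# Request numbers from <linux/i2c-dev.h> (ioctl type 0x07).
I2C_IOCTLS = {0x01: "I2C_RETRIES", 0x02: "I2C_TIMEOUT", 0x03: "I2C_SLAVE",
              0x04: "I2C_TENBIT", 0x05: "I2C_FUNCS", 0x06: "I2C_SLAVE_FORCE",
              0x07: "I2C_RDWR", 0x08: "I2C_PEC", 0x20: "I2C_SMBUS"}
# Line shape: "<pid> <time> syscall(args) = ret [ERRNO (text)] <duration>"
LINE = re.compile(r"^\d+\s+[\d:.]+\s+(\w+)\((.*)\)\s+=\s+(-?\d+)(?:\s+(E[A-Z]+))?")
IOC = re.compile(r"_IOC\(_IOC_NONE, 0x7, (0x[0-9a-f]+), 0\)")
PTR = re.compile(r"0x[0-9a-f]{6,}")  # stack/heap addresses differ per process

# Both traces are copied from the post above.
SETOOL_TRACE = r"""
18659 10:12:30.522584 openat(AT_FDCWD, "/dev/i2c-1", O_RDWR) = 3 <0.000063>
18659 10:12:30.522760 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x3, 0), 0x48) = 0 <0.000047>
18659 10:12:30.522928 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x8, 0), 0) = 0 <0.000032>
18659 10:12:30.523316 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x5, 0), 0x7ee2187c) = 0 <0.000037>
18659 10:12:30.523509 nanosleep({tv_sec=0, tv_nsec=5000000}, NULL) = 0 <0.007258>
18659 10:12:30.531005 read(3, 0x7ee2161c, 260) = -1 EREMOTEIO (Remote I/O error) <0.000179>
18659 10:12:30.531346 nanosleep({tv_sec=0, tv_nsec=1000000}, NULL) = 0 <0.001129>
18659 10:12:30.532644 write(3, "Z\300\0\377\374", 5) = 5 <0.000640>
"""
PKCS11_TRACE = r"""
18684 10:13:47.901991 openat(AT_FDCWD, "/dev/i2c-1", O_RDWR) = 3 <0.000071>
18684 10:13:47.902200 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x3, 0), 0x48) = 0 <0.000041>
18684 10:13:47.902344 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x8, 0), 0) = 0 <0.000034>
18684 10:13:47.902473 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x5, 0), 0x7ecf65c4) = 0 <0.000034>
18684 10:13:47.902662 nanosleep({tv_sec=0, tv_nsec=5000000}, NULL) = 0 <0.005108>
18684 10:13:47.907892 read(3, 0x7ecf6364, 260) = -1 EREMOTEIO (Remote I/O error) <0.000176>
18684 10:13:47.908185 nanosleep({tv_sec=0, tv_nsec=1000000}, NULL) = 0 <0.001099>
18684 10:13:47.909392 write(3, "Z\300\0\377\374", 5) = -1 EREMOTEIO (Remote I/O error) <0.000169>
"""

def parse(trace):
    """Return [(syscall, args, ret, errno)] with PIDs, times and pointers removed."""
    events = []
    for line in trace.strip().splitlines():
        m = LINE.match(line.strip())
        if m is None:
            continue
        name, args, ret, errno = m.groups()
        args = IOC.sub(lambda r: I2C_IOCTLS.get(int(r.group(1), 16), r.group(0)), args)
        events.append((name, PTR.sub("<ptr>", args), int(ret), errno))
    return events

def first_divergence(good, bad):
    """Index and the two events where the traces first differ, or None."""
    for i, (g, b) in enumerate(zip(good, bad)):
        if g != b:
            return i, g, b
    return None

if __name__ == "__main__":
    print(first_divergence(parse(SETOOL_TRACE), parse(PKCS11_TRACE)))
```

With the ioctl requests named, both processes are seen to issue the same `I2C_SLAVE` (address 0x48), `I2C_PEC` and `I2C_FUNCS` sequence, and the only differing event is the return value of the final `write`.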
The pkcs11 example from SE050-PLUG-TRUST-MW/simw-top/doc/plugins/pkcs11.html is NOT working (Version 04.02.00):
I have built the middleware using the following cmake options :
EXTRA_OECMAKE = " -DPTMW_Host=iMXLinux -DPTMW_HostCrypto=OPENSSL -DPTMW_SMCOM=T1oI2C \
-DPTMW_SE05X_Auth=None -DPTMW_SE05X_Ver=03_XX -DPTMW_Applet=SE05X_C \
-DCMAKE_BUILD_TYPE=Release -DSSS_HAVE_HOSTCRYPTO_MBEDTLS=ON -DRTOS_Default=ON"
# export EX_SSS_BOOT_SSS_PORT=/dev/i2c-1
# se05x_GetInfo
App :INFO :PlugAndTrust_v04.02.00_20220524
App :INFO :Running se05x_GetInfo
App :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
App :WARN :No SemsLite Applet Available.
App :INFO :Running se05x_GetInfo
App :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
App :WARN :#####################################################
App :INFO :uid (Len=18)
04 00 50 01 12 C6 95 52 78 CE 6D 04 48 5F EA BA
6A 80
App :WARN :#####################################################
App :INFO :Applet Major = 3
App :INFO :Applet Minor = 1
App :INFO :Applet patch = 1
App :INFO :AppletConfig = 479A
App :INFO :With ECDSA_ECDH_ECDHE
App :INFO :WithOut EDDSA
App :INFO :With DH_MONT
App :INFO :With HMAC
App :INFO :WithOut RSA_PLAIN
App :INFO :WithOut RSA_CRT
App :INFO :With AES
App :INFO :With DES
App :INFO :With PBKDF
App :INFO :With TLS
App :INFO :WithOut MIFARE
App :INFO :WithOut I2CM
App :INFO :Internal = 010B
App :WARN :#####################################################
App :INFO :Tag value - proprietary data 0xFE = 0xFE
App :INFO :Length of following data 0x45 = 0x45
App :INFO :Tag card identification data (Len=2)
DF 28
App :INFO :Length of card identification data = 0x42
App :INFO :Tag configuration ID (Must be 0x01) = 0x01
App :INFO :Configuration ID (Len=12)
00 03 A2 05 5A 4B 63 E5 51 8D 0C C4
App :INFO :OEF ID (Len=2)
A2 05
App :INFO :Tag patch ID (Must be 0x02) = 0x02
App :INFO :Patch ID (Len=8)
00 00 00 00 00 00 00 01
App :INFO :Tag platform build ID1 (Must be 0x03) = 0x03
App :INFO :Platform build ID (Len=24)
4A 33 52 33 35 31 30 32 31 45 45 45 30 34 30 30
BC 03 04 79 33 8D 18 10
App :INFO :JCOP Platform ID = J3R351021EEE0400
App :INFO :Tag FIPS mode (Must be 0x05) = 0x05
App :INFO :FIPS mode var = 0x00
App :INFO :Tag pre-perso state (Must be 0x07) = 0x07
App :INFO :Bit mask of pre-perso state var = 0x00
App :INFO :Tag ROM ID (Must be 0x08) = 0x08
App :INFO :ROM ID (Len=8)
2E 5A D8 84 09 C9 BA DB
App :INFO :Status Word (SW) (Len=2)
90 00
App :INFO :se05x_GetInfoPlainApplet Example Success !!!...
App :WARN :#####################################################
App :INFO :cplc_data.IC_fabricator (Len=2)
47 90
App :INFO :cplc_data.IC_type1 (Len=2)
D3 21
App :INFO :cplc_data.Operating_system_identifier (Len=2)
47 00
App :INFO :cplc_data.Operating_system_release_date (Len=2)
00 00
App :INFO :cplc_data.Operating_system_release_level (Len=2)
00 00
App :INFO :cplc_data.IC_fabrication_date (Len=2)
00 23
App :INFO :cplc_data.IC_Serial_number (Len=4)
15 87 31 99
App :INFO :cplc_data.IC_Batch_identifier (Len=2)
44 17
App :INFO :cplc_data.IC_module_fabricator (Len=2)
00 00
App :INFO :cplc_data.IC_module_packaging_date (Len=2)
00 00
App :INFO :cplc_data.ICC_manufacturer (Len=2)
00 00
App :INFO :cplc_data.IC_embedding_date (Len=2)
00 00
App :INFO :cplc_data.IC_OS_initializer (Len=2)
08 48
App :INFO :cplc_data.IC_OS_initialization_date (Len=2)
5F 35
App :INFO :cplc_data.IC_OS_initialization_equipment (Len=4)
38 37 33 31
App :INFO :cplc_data.IC_personalizer (Len=2)
00 00
App :INFO :cplc_data.IC_personalization_date (Len=2)
00 00
App :INFO :cplc_data.IC_personalization_equipment_ID (Len=4)
00 00 00 00
App :INFO :cplc_data.SW (Len=2)
90 00
App :INFO :ex_sss Finished
ls -l /usr/lib/libsss_pkcs11.so
-rwxr-xr-x 1 root root 559808 Jul 18 08:19 /usr/lib/libsss_pkcs11.so
# pkcs11-tool --module /usr/lib/libsss_pkcs11.so --keypairgen --key-type rsa:1024 --label "sss:11223344"
Using slot 0 with a present token (0x1)
smCom :WARN :Invalid conn_ctx
App :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
sss :WARN :nxEnsure:'status == SM_OK' failed. At Line:3578 Function:sss_se05x_key_store_generate_key
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_FUNCTION_FAILED (0x6)
Aborting.
What am I missing?
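The `se05x_GetInfo` log in the post above reports the applet's feature flags as `With` / `WithOut` lines. As an added example (not from the thread or from NXP's middleware), this parses those lines and checks whether a `pkcs11-tool --key-type` value has a matching flag; the mapping from key family to flag names is an assumption of this example, and the log excerpt is copied from the post.

```python
import re

# "App :INFO :With AES" / "App :INFO :WithOut EDDSA"
FEATURE = re.compile(r"^App\s*:INFO\s*:(WithOut|With)\s+(\w+)\s*$")

# Assumption of this example: applet flags that a pkcs11-tool key family
# depends on (any one of the listed flags is treated as sufficient).
REQUIRED = {"rsa": {"RSA_PLAIN", "RSA_CRT"}, "ec": {"ECDSA_ECDH_ECDHE"}}

# Feature section of the se05x_GetInfo output, copied from the post above.
GETINFO_LOG = """
App :INFO :AppletConfig = 479A
App :INFO :With ECDSA_ECDH_ECDHE
App :INFO :WithOut EDDSA
App :INFO :With DH_MONT
App :INFO :With HMAC
App :INFO :WithOut RSA_PLAIN
App :INFO :WithOut RSA_CRT
App :INFO :With AES
App :INFO :With DES
App :INFO :With PBKDF
App :INFO :With TLS
App :INFO :WithOut MIFARE
App :INFO :WithOut I2CM
App :INFO :Internal = 010B
"""


def applet_features(log):
    """Map each reported feature name to True (With) or False (WithOut)."""
    features = {}
    for line in log.splitlines():
        m = FEATURE.match(line.strip())
        if m:
            features[m.group(2)] = (m.group(1) == "With")
    return features


def key_type_supported(key_type, features):
    """Check a pkcs11-tool --key-type value such as 'rsa:1024' or 'EC:prime256v1'."""
    family = key_type.split(":", 1)[0].lower()
    if family not in REQUIRED:
        raise ValueError(f"no flag mapping for key family {family!r}")
    return any(features.get(flag, False) for flag in REQUIRED[family])


if __name__ == "__main__":
    feats = applet_features(GETINFO_LOG)
    for kt in ("rsa:1024", "EC:prime256v1"):
        print(kt, "->", "reported" if key_type_supported(kt, feats) else "not reported")
```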
An update: when I have gdb running:
root@raspberrypi:/home/se050_middleware/simw-top/demos/se05x/seTool# ps axuw | grep gdb
root 19894 0.3 4.6 53500 44184 pts/2 S+ 13:33 0:06 gdb --args /home/se050_middleware/simw-top_build/raspbian_native_se050_t1oi2c/bin/seTool genECC 0x01010101 /dev/i2c-1
the pkcs11-tool command works (as well as the python script examples):
root@raspberrypi:/home/se050_middleware/simw-top/demos/se05x/seTool# pkcs11-tool --module $PKCS11_MODULE --keypairgen --key-type rsa:1024 --label "sss:20202020"
ssse-flw: EmbSe_Init(): Entry
App :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
ssse-flw: Version: 1.0.5
ssse-flw: EmbSe_Init(): Exit
ssse-flw: EmbSe_Finish(): Entry
ssse-flw: EmbSe_Finish(): Exit
Using slot 0 with a present token (0x1)
smCom :ERROR:phNxpEseProto7816_SendRawFrame Error phNxpEse_WriteFrame
smCom :ERROR:TransceiveProcess Transceive send failed, going to recovery!
smCom :ERROR:phNxpEseProto7816_Close TransceiveProcess failed
smCom :ERROR:Failed to close session
App :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
App :INFO :Destroyed mutex
Key pair generated:
Private Key Object; RSA
label: sss:20202020
ID: 20202020
Usage: decrypt, signApp :WARN :Attribute required : 0xcf534301
Private Key Object; RSA
label: sss:20202020
ID: 20202020
Usage: decrypt, signApp :WARN :Attribute required : 0xcf534301
App :INFO :Destroyted mutex
App :INFO :SessionCount = 0
ssse-flw: EmbSe_Destroy(): Entry
gdb is stopped at:
106 if (ioctl(axSmDevice, I2C_FUNCS, &funcs) < 0)
(gdb) p funcs
$4 = 66
(gdb) bt
#0 axI2CInit (conn_ctx=0x7efff894, pDevName=0x7efffd3c "/dev/i2c-1")
at /home/se050_middleware/simw-top/hostlib/hostLib/platform/linux/i2c_a7.c:106
Hello @peter_nt ,
Did you build the PKCS#11 library as below:
Please kindly refer to "SE050-PLUG-TRUST-MW/simw-top/doc/plugins/pkcs11.html" for more details.
Hope that helps,
Have a great day,
Kan