EdgeLock SE050 OpenSSL, pkcs11-tool, and SM_Connect Failed. Status 7012

Contributor I

Hello!

 I am trying to get EdgeLock SE050 (AN12570) to work on Raspberry Pi (both 3 and 4, OpenSSL 1.0.2 and 1.1.1).

 I am getting errors with every utility I could lay my hands on, besides the seTool from the demos, which works. Here come the details:

1. seTool (works)

 

root@raspberrypi:/home/se050_middleware/simw-top/doc/demos/se05x/seTool# /home/se050_middleware/simw-top_build/raspbian_native_se050_t1oi2c/bin/seTool genECC 0x01010101 /dev/i2c-1
App   :INFO :PlugAndTrust_v02.16.01_20200818
App   :INFO :Running /home/se050_middleware/simw-top_build/raspbian_native_se050_t1oi2c/bin/seTool
App   :INFO :Using PortName='/dev/i2c-1' (CLI)
sss   :INFO :atr (Len=35)
      00 A0 00 00    03 96 04 03    E8 00 FE 02    0B 03 E8 08
      01 00 00 00    00 64 00 00    0A 4A 43 4F    50 34 20 41
      54 50 4F
sss   :WARN :Communication channel is Plain.
sss   :WARN :!!!Not recommended for production use.!!!
sss   :WARN :Object id 0x1010101 exists
App   :INFO :ex_sss Finished

 

 

2. the pkcs11-tool (does not work, fails to connect to i2c device)

 

root@raspberrypi:/home/se050_middleware/simw-top/sss/plugin/openssl/scripts# pkcs11-tool --module $PKCS11_MODULE --keypairgen --key-type rsa:1024 --label "sss:20202020"
ssse-flw: EmbSe_Init(): Entry
App   :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
smCom :ERROR:Failed writing data (nrWritten=-1).

smCom :ERROR: - Error in I2C Write.....
smCom :ERROR:phNxpEseProto7816_SendRawFrame Error phNxpEse_WriteFrame
smCom :ERROR:TransceiveProcess Transceive send failed, going to recovery!
smCom :ERROR:phNxpEseProto7816_Open failed
smCom :ERROR: Failed to Open session
sss   :ERROR:SM_Connect Failed. Status 7012
App   :ERROR:sss_session_open failed
App   :WARN :nxEnsure:'kStatus_SSS_Success == status' failed. At Line:356 Function:engineSessionOpen
ssse-flw: EmbSe_Init(): Failed to initialize
ssse-flw: EmbSe_Finish(): Entry
ssse-flw: EmbSe_Finish(): Exit
Using slot 0 with a present token (0x1)
smCom :ERROR:phNxpEseProto7816_SendRawFrame Error phNxpEse_WriteFrame
smCom :ERROR:TransceiveProcess Transceive send failed, going to recovery!
smCom :ERROR:phNxpEseProto7816_Close TransceiveProcess failed
smCom :ERROR:Failed to close session
App   :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
smCom :ERROR:Failed writing data (nrWritten=-1).

smCom :ERROR: - Error in I2C Write.....
smCom :ERROR:phNxpEseProto7816_SendRawFrame Error phNxpEse_WriteFrame
smCom :ERROR:TransceiveProcess Transceive send failed, going to recovery!
smCom :ERROR:phNxpEseProto7816_Open failed
smCom :ERROR: Failed to Open session
sss   :ERROR:SM_Connect Failed. Status 7012
App   :ERROR:sss_session_open failed
App   :ERROR:Session Open Failed
App   :INFO :Destroyed mutex
error: PKCS11 function C_OpenSession failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
ssse-flw: EmbSe_Destroy(): Entry

 

 

Now here is where it gets interesting: comparing the straces of seTool and any of the commands that do not work reveals one difference in the i2c connect sequence: the `write(3, "Z\300\0\377\374", 5)` call fails in the latter case, while it works for the former. Here come the two strace snippets:

 

# seTool (works):
18659 10:12:30.522584 openat(AT_FDCWD, "/dev/i2c-1", O_RDWR) = 3 <0.000063>
18659 10:12:30.522760 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x3, 0), 0x48) = 0 <0.000047>
18659 10:12:30.522928 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x8, 0), 0) = 0 <0.000032>
18659 10:12:30.523316 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x5, 0), 0x7ee2187c) = 0 <0.000037>
18659 10:12:30.523509 nanosleep({tv_sec=0, tv_nsec=5000000}, NULL) = 0 <0.007258>
18659 10:12:30.531005 read(3, 0x7ee2161c, 260) = -1 EREMOTEIO (Remote I/O error) <0.000179>
18659 10:12:30.531346 nanosleep({tv_sec=0, tv_nsec=1000000}, NULL) = 0 <0.001129>
18659 10:12:30.532644 write(3, "Z\300\0\377\374", 5) = 5 <0.000640>
# pkcs11-tool (does not work)
18684 10:13:47.901991 openat(AT_FDCWD, "/dev/i2c-1", O_RDWR) = 3 <0.000071>
18684 10:13:47.902200 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x3, 0), 0x48) = 0 <0.000041>
18684 10:13:47.902344 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x8, 0), 0) = 0 <0.000034>
18684 10:13:47.902473 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x5, 0), 0x7ecf65c4) = 0 <0.000034>
18684 10:13:47.902662 nanosleep({tv_sec=0, tv_nsec=5000000}, NULL) = 0 <0.005108>
18684 10:13:47.907892 read(3, 0x7ecf6364, 260) = -1 EREMOTEIO (Remote I/O error) <0.000176>
18684 10:13:47.908185 nanosleep({tv_sec=0, tv_nsec=1000000}, NULL) = 0 <0.001099>
18684 10:13:47.909392 write(3, "Z\300\0\377\374", 5) = -1 EREMOTEIO (Remote I/O error) <0.000169>

 

Every other attempt with:

* the python scripts (/home/se050_middleware/simw-top/sss/plugin/openssl/scripts) `export EX_SSS_BOOT_SSS_PORT=/dev/i2c-1; export OPENSSL_CONF=/etc/ssl/nxp_openssl.cnf; python3 openssl_provisionEC.py --key_type prime256v1`

* the openssl command `openssl req -new -x509 -subj "/CN=Units" -engine e4sss -keyform engine -key 'pkcs11:id=xxxx;type=private' -out cert.pem` (with openssl configured with /usr/local/lib/libsss_engine.so),

* ssscli

fails in the same way.

Any help would be greatly appreciated! It is crucial from the business perspective for me to get it working.

 

best regards,

peter
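
An added example (not part of the original post and not NXP middleware code): a Python script that automates the strace comparison described in the post above. It names the I2C ioctl requests using the constants from `<linux/i2c-dev.h>`, masks stack pointers that differ between runs, and reports the first call whose arguments or result diverge. The function names are illustrative; the trace lines are copied from the post, with the openat and nanosleep lines left out.

```python
import re

# ioctl numbers from <linux/i2c-dev.h>; strace shows them as _IOC(_IOC_NONE, 0x7, nr, 0)
I2C_IOCTLS = {1: "I2C_RETRIES", 2: "I2C_TIMEOUT", 3: "I2C_SLAVE", 4: "I2C_TENBIT",
              5: "I2C_FUNCS", 6: "I2C_SLAVE_FORCE", 7: "I2C_RDWR", 8: "I2C_PEC"}
LINE = re.compile(r"^\d+\s+[\d:.]+\s+(\w+)\((.*)\)\s+=\s+(-?\d+)(?:\s+(E[A-Z]+))?")
IOC = re.compile(r"_IOC\(_IOC_NONE, 0x7, (0x[0-9a-f]+), 0\)")

def strace_bytes(literal):
    """Decode a strace string literal that uses octal escapes, as these traces do."""
    return bytes(int(m[1], 8) if m[1] else ord(m[2])
                 for m in re.finditer(r"\\([0-7]{1,3})|(.)", literal))

def parse(trace):
    """Return (syscall, normalised args, return value, errno name) per strace line."""
    calls = []
    for line in trace.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            name, args, ret, err = m.groups()
            args = IOC.sub(lambda i: I2C_IOCTLS.get(int(i[1], 16), i[0]), args)
            args = re.sub(r"0x[0-9a-f]{6,}", "<ptr>", args)  # stack addresses differ per run
            calls.append((name, args, int(ret), err))
    return calls

def first_divergence(good, bad):
    """Index and both records of the first call whose args or result differ, else None."""
    for i, (g, b) in enumerate(zip(parse(good), parse(bad))):
        if g != b:
            return i, g, b
    return None

# Trace lines copied from the post above (seTool first, then pkcs11-tool).
SETOOL = r"""18659 10:12:30.522760 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x3, 0), 0x48) = 0 <0.000047>
18659 10:12:30.522928 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x8, 0), 0) = 0 <0.000032>
18659 10:12:30.523316 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x5, 0), 0x7ee2187c) = 0 <0.000037>
18659 10:12:30.531005 read(3, 0x7ee2161c, 260) = -1 EREMOTEIO (Remote I/O error) <0.000179>
18659 10:12:30.532644 write(3, "Z\300\0\377\374", 5) = 5 <0.000640>"""
PKCS11 = r"""18684 10:13:47.902200 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x3, 0), 0x48) = 0 <0.000041>
18684 10:13:47.902344 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x8, 0), 0) = 0 <0.000034>
18684 10:13:47.902473 ioctl(3, _IOC(_IOC_NONE, 0x7, 0x5, 0), 0x7ecf65c4) = 0 <0.000034>
18684 10:13:47.907892 read(3, 0x7ecf6364, 260) = -1 EREMOTEIO (Remote I/O error) <0.000176>
18684 10:13:47.909392 write(3, "Z\300\0\377\374", 5) = -1 EREMOTEIO (Remote I/O error) <0.000169>"""

if __name__ == "__main__":
    idx, good, bad = first_divergence(SETOOL, PKCS11)
    payload = strace_bytes(re.search(r'"(.*)"', bad[1])[1])
    print(idx, good[0], good[2:], "vs", bad[2:], "payload", payload.hex())
```

On these lines every call up to the write is identical once pointers are masked: both processes issue I2C_SLAVE with address 0x48, I2C_PEC and I2C_FUNCS, and both see the first read fail with EREMOTEIO.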

 

Contributor I

An update: when I have gdb running:

root@raspberrypi:/home/se050_middleware/simw-top/demos/se05x/seTool# ps axuw | grep gdb
root     19894  0.3  4.6  53500 44184 pts/2    S+   13:33   0:06 gdb --args /home/se050_middleware/simw-top_build/raspbian_native_se050_t1oi2c/bin/seTool genECC 0x01010101 /dev/i2c-1

the pkcs11-tool command works (as well as the Python script examples):

root@raspberrypi:/home/se050_middleware/simw-top/demos/se05x/seTool# pkcs11-tool --module $PKCS11_MODULE --keypairgen --key-type rsa:1024 --label "sss:20202020"
ssse-flw: EmbSe_Init(): Entry
App   :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
sss   :INFO :atr (Len=35)
      00 A0 00 00    03 96 04 03    E8 00 FE 02    0B 03 E8 08
      01 00 00 00    00 64 00 00    0A 4A 43 4F    50 34 20 41
      54 50 4F
sss   :WARN :Communication channel is Plain.
sss   :WARN :!!!Not recommended for production use.!!!
ssse-flw: Version: 1.0.5
ssse-flw: EmbSe_Init(): Exit
ssse-flw: EmbSe_Finish(): Entry
ssse-flw: EmbSe_Finish(): Exit
Using slot 0 with a present token (0x1)
smCom :ERROR:phNxpEseProto7816_SendRawFrame Error phNxpEse_WriteFrame
smCom :ERROR:TransceiveProcess Transceive send failed, going to recovery!
smCom :ERROR:phNxpEseProto7816_Close TransceiveProcess failed
smCom :ERROR:Failed to close session
App   :INFO :Using PortName='/dev/i2c-1' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1)
sss   :INFO :atr (Len=35)
      00 A0 00 00    03 96 04 03    E8 00 FE 02    0B 03 E8 08
      01 00 00 00    00 64 00 00    0A 4A 43 4F    50 34 20 41
      54 50 4F
sss   :WARN :Communication channel is Plain.
sss   :WARN :!!!Not recommended for production use.!!!
App   :INFO :Destroyed mutex
Key pair generated:
Private Key Object; RSA
  label:      sss:20202020
  ID:         20202020
  Usage:      decrypt, signApp   :WARN :Attribute required : 0xcf534301


Private Key Object; RSA
  label:      sss:20202020
  ID:         20202020
  Usage:      decrypt, signApp   :WARN :Attribute required : 0xcf534301


App   :INFO :Destroyted mutex
App   :INFO :SessionCount = 0
ssse-flw: EmbSe_Destroy(): Entry

gdb is stopped at:

106	    if (ioctl(axSmDevice, I2C_FUNCS, &funcs) < 0)
(gdb) p funcs
$4 = 66
(gdb) bt
#0  axI2CInit (conn_ctx=0x7efff894, pDevName=0x7efffd3c "/dev/i2c-1")
    at /home/se050_middleware/simw-top/hostlib/hostLib/platform/linux/i2c_a7.c:106

NXP TechSupport

Hello @peter_nt ,

 

Did you build the PKCS#11 library as below:

[Image: PKCS build.png]

Please kindly refer to "SE050-PLUG-TRUST-MW/simw-top/doc/plugins/pkcs11.html" for more details.

 

Hope that helps,

 

Have a great day,
Kan

