DISCLAIMER APPLICABLE TO THIS DOCUMENT CONTENTS:
Any support, information, and technology (“Materials”) provided by NXP are provided AS IS, without any warranty express or implied, and NXP disclaims all direct and indirect liability and damages in connection with the Material to the maximum extent permitted by the applicable law. NXP accepts no liability for any assistance with applications or product design. Materials may only be used in connection with NXP products. Any feedback provided to NXP regarding the Materials may be used by NXP without restriction.
Abstract
This document is intended to guide developers to integrate the EdgeLock® SE050 security chip on the NXP FRDM-i.MX91 development board to achieve hardware-level security enhancement. By combining the high-performance computing capabilities of the i.MX 91 with the certified security features of the SE050, end-to-end security can be provided for applications such as industrial IoT and smart homes, while significantly reducing development complexity and time to mark
Hardware Prerequisite
Host Platform: FRDM-i.MX91
Expansion Board: OM-SE050X
Hardware setup
1. Configuring the OM-SE05xARD jumpers as below[1]:
2. Confirm the boot switches on FRDM-i.MX91 to run the pre-loaded Linux® image[2].
Boot switches should be set to boot from “eMMC”.
3. Connecting SE05X with FRDM-i.MX91 as below:
Wire connection is fine, and alternatively, you may use #OM-SE050RPI to connect them together as following.
4. Connect FRDM-i.MX91 with PC host
Connect a type C USB cable to port P16 on FRDM-i.MX91 and into the PC (as a host terminal)[2].
Connect another type C USB cable to port 1 as power supply[2].
Software setup
1. Enable the I2C interface
The I2C4(/dev/i2c-3) on the 40-pin expansion interface is not enabled by default , so we need to switch DTB to “imx91-11x11-frdm-8mic.dtb” in u-boot phase.
u-boot=>setenv fdtfile imx91-11x11-frdm-8mic.dtb
u-boot=>saveenv
u-boot=>reset
The following command may be used to check the connection between the host and SE then.
i2cdetect -y -a -q 3
Build EdgeLock SE Plug & Trust Middleware
1. Copy or download the plug and trust middleware package to the i.MX file system, and extract to some folder. In this article, the package refers to ver 04.07.00.
unzip SE-PLUG-TRUST-MW_xx.xx.xx -d {folder name}2. Build EdgeLock SE Plug & Trust Middleware
cd /home/root/simw-top/scripts
python3 create_cmake_projects.py
cd ../simw-top_build/imx_native_se050_t1oi2c
cmake -DPTMW_SMCOM=T1oI2C -DPTMW_Host=iMXLinux -DPTMW_HostCrypto=OPENSSL .
cmake --build .
make install
ldconfig /usr/local/lib3. In case there are some required cmake options need to be changed and some libraries need to be rebuilt and installed. we may use the following method:
cd simw-top_build/imx_native_se050_t1oi2c
cmake -DSE05X_Auth=UserID .
cmake --build .Verify the integration with SSS examples
With above steps we may have the examples that illustrate the usage of se05x. They can be used to verify the integration as well and you may find them in build folder/bin, and if you have run "make install", some of them can also be found in /usr/local/bin so that you may execute them anywhere in the file system. but as /dev/i2c-3 is used instead of the default /dev/i2c-1, we have to set up the port accordingly before run any demo.
export EX_SSS_BOOT_SSS_PORT=/dev/i2c-3Alternatively , we may specify the port together with the command for demo:
EX_SSS_BOOT_SSS_PORT=/dev/i2c-3 se05x_GetInfo
Generate a SD card image based on Yocto
After completing the hardware integration of SE050 and FRDM-i.MX91 development board, building a complete operating system image including security services is a key step in achieving an end-to-end trusted system. The following steps provide a customized Linux image building solution based on the Yocto Project.
1. Install Yocto on a Linux PC with the internet access[3].
- Setup the host
sudo apt install gawk wget git diffstat unzip texinfo gcc build-essential chrpath socat cpio python3 python3-pip python3-pexpect xz-utils debianutils iputils-ping python3-git python3-jinja2 python3-subunit zstd liblz4-tool file locales libacl1- Setup the repo utility
$ mkdir ~/bin
$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
$ chmod a+x ~/bin/repo
$ export PATH=~/bin:$PATH- Setup the Yocto project
$ git config --global user.name "Your Name"
$ git config --global user.email "Your Email"
$ git config --list- Download i.MX Linux Yocto release
$ mkdir -p ~/projects/imx-yocto-bsp
$ cd ~/projects/imx-yocto-bsp
$ repo init -u https://github.com/nxp-imx/imx-manifest -b imx-linux-scarthgap -m imx-6.6.36-2.1.0.xml
$ repo sync2. Integrate i.MX FRDM layer into i.MX Yocto Project
$: cd ./sources
$: git clone https://github.com/nxp-imx-support/meta-imx-frdm.git
$: cd meta-imx-frdm
$: git checkout imx-frdm-4.03. Add a custom Yocto layer for the Plug&Trust MW
This custom Yocto layer is part of the Plug&Trust SW distribution (simw_top/scripts/
yocto/layers/meta-custom.tgz) and must be copied and unpacked into the sources directory created above.
cp <PlugTrust>/simw_top/scripts/yocto/layers/meta-custom.tgz ~/projects/imx-yocto-bsp/sources
cd ~/projects/imx-yocto-bsp/sources
tar xzvf meta-custom.tgzPut the se05x recipe(se05x_mw.bb) and the source code package (for example, SE050-PLUG-TRUST-MW-v04.07.00.zip) into the existing .../sources/meta-custom/recipes directory of the Yocto development PC.
The resulting imx-yocto-bsp/sources/meta-custom directory on the Yocto development PC should look like:
Update the conf/bblayers.conf and conf/local.conf within the build folder accordingly .
- How to have the updated se05x_mw.bb, local.conf and bblayers.conf
unzip the source code package and go to the folder of "SE-PLUG-TRUST-MW_04.07.00\simw-top\scripts\yocto\bitbake_script_and_conf_files". Then apply the attached patch in this folder with the git command:
$ git apply bitbake_script_and_conf_files.patch4. Go to the top directory of the Yocto source code and execute the command below to set up the environment for build.
MACHINE=imx91frdm DISTRO=fsl-imx-xwayland source sources/meta-imx-frdm/tools/imx-frdm-setup.sh -b frdm-imx91
5. To switch the DTB to “imx91-11x11-frdm-8mic.dtb” which enables "/dev/i2c-3", update the patch file of "0003-imx-imx91_frdm-Add-basic-board-support.patch" in the following path("~projects/imx-yocto-bsp/sources/meta-imx-frdm/meta-imx-bsp/recipes-bsp/u-boot/u-boot-imx/")
6. Issue the bitbake command to generate the SD card image.
$: bitbake imx-image-fullThe image file can be found in "~/projects/imx-yocto-bsp/build_imx91frdm/tmp/deploy/images/imx91frdm/"
[1]EdgeLock SE05x Quick start guide with Raspberry Pi
[2]FRDM-IMX91 Quick Start Guide
