Middleware
Are all the SE05x MW packages the same, just with reduced code between Nano and Full? Answer: No, the SE05x MW packages are not the same. The Nano MW package only supports a subset of features and commands compared to the Full MW package. The Nano MW package is designed for resource-constrained environments and has a smaller code footprint.
Why are some of the SE05x MW packages on NXP.com and others on GitHub? Answer: The SE05x MW package on nxp.com is a multi-platform release for all supported platforms, including documentation and various dependencies, so that the MW compiles quickly out of the box. The GitHub releases target dedicated use cases, such as resource-constrained devices with the nano package and automated build systems for Linux with the mini package. The strategy is to constantly move more components of the full MW package to GitHub.
What is the best practice for updating/changing to the latest MW release? Answer: NXP recommends always updating to the newest MW so that the most up-to-date fixes are included. The MW no longer undergoes big architectural changes. The first step is to read the changelog in the integrated documentation to check whether any breaking changes are expected. Integrating the new MW version is then just a repetition of the platform-specific steps taken during design-in.
Where can I find a list of all the supported applet versions for different MW releases? Answer: The cmake setting PTMW_SE05X_Ver defines the supported applet major version. The supported applet versions are provided as selectable values for this setting.
Can I use the same MW release on A5000 and SE051? Answer: Yes, you can use the same MW release on A5000 and SE051. The MW release supports both the A5000 and the SE051 platforms.
My developers get a common error … a mismatch between MW and applet version. What is the preferred way to remove this error and still get all the features/fixes of the latest MW release? Answer: A major version mismatch has to be fixed. A minor version mismatch is a don't-care unless specific new features are needed. Whether it is an issue cannot be decided by the MW. Typically, a minor version mismatch can be ignored.
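One way an application can apply this rule at start-up, as an added example (not NXP middleware code). The function names, the three-byte major/minor/patch layout of the version response and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    VER_MATCH,           /* major and minor equal the MW build setting */
    VER_MINOR_IGNORABLE, /* minor differs, application needs nothing newer */
    VER_MINOR_BLOCKING,  /* applet minor is older than the application requires */
    VER_MAJOR_MISMATCH,  /* has to be fixed: MW built for another applet major */
    VER_MALFORMED        /* version response too short: fail closed */
} ver_status_t;

/* Assumption: rsp[0..2] hold applet major, minor, patch.
 * built_major/built_minor: applet version the MW was configured for at build time.
 * app_min_minor: lowest applet minor that has the features the application uses
 *                (the application supplies this; the MW cannot decide it). */
static ver_status_t classify_applet_version(const uint8_t *rsp, size_t len,
                                            uint8_t built_major, uint8_t built_minor,
                                            uint8_t app_min_minor)
{
    if (rsp == NULL || len < 3) return VER_MALFORMED;
    if (rsp[0] != built_major)  return VER_MAJOR_MISMATCH;
    if (rsp[1] < app_min_minor) return VER_MINOR_BLOCKING;
    if (rsp[1] != built_minor)  return VER_MINOR_IGNORABLE;
    return VER_MATCH;
}

/* Only these two outcomes allow the application to continue using the SE. */
static int version_allows_start(ver_status_t s)
{
    return s == VER_MATCH || s == VER_MINOR_IGNORABLE;
}

int main(void)
{
    /* Constructed sample responses, not captured from a device. */
    const uint8_t same[]      = {7, 2, 0};
    const uint8_t older_min[] = {7, 0, 1};
    const uint8_t other_maj[] = {3, 1, 0};
    const uint8_t *cases[] = {same, older_min, other_maj};
    for (size_t i = 0; i < 3; i++) {
        ver_status_t s = classify_applet_version(cases[i], 3, 7, 2, 0);
        printf("%d.%d.%d -> status %d, start=%d\n", cases[i][0], cases[i][1],
               cases[i][2], (int)s, version_allows_start(s));
    }
    return 0;
}
```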
Are all MW releases/fixes mapped back to a specific SE05x part or applet version, and where can I find that mapping? Answer: The MW releases usually cover all released and available product variants until they are discontinued. The MW changelog provides information on the middleware version, any change in applet version support, the supported platforms, and the changes and enhancements.
Secure Element Configuration
Do the demo boards on NXP.com always have the latest applet version on them? Answer: Yes, the demo boards on NXP.com have the latest applet version on them. You can check the applet version on the demo board by using the SE05x SEMS Lite CLI tool or the SE05x Get Info example. The Get Info example reports the OEF as well.
What are the default I2C addresses (target and controller) for the SE05x parts, and are they the same on all SE05x parts? Answer: The default I2C target address for SE05x parts is 0x48. It is the same on all SE05x parts. The I2C controller address is specified in the payload of the I2C controller commands sent to the SE.
Can I change the I2C address on both the target and controller side? Answer: You can change the I2C target address of SE051A/C using the SE05x PERSO applet. This applet allows you to modify the I2C address and other parameters of the secure element. The I2C controller address is specified in the payload of the I2C controller commands sent to the SE.
Can I have 2 or 3 interfaces on the SE05x active at the same time? Answer: No, the SE05x supports only one active interface at a time, either I2C, ISO 7816, or ISO 14443. However, you can switch between the interfaces by resetting the device. The availability of other interfaces depends on the product type.
Are there specific keys or features that should be used for I2C clock stretching? Answer: Clock stretching is enabled by default on SE050F. On all newer parts (SE050E, A5000, SE051, SE052) it is disabled by default.
Secure Element Performance
Are there specific crypto operations that take longer than 100 ms to complete? Answer: Yes, some crypto operations may take longer than 100 ms to complete, depending on the algorithm, key size, and input data. For example, RSA key generation, RSA signature generation and verification, ECC key generation, and EdDSA signature generation or any new object creation may take longer than 100 ms.
What are the performance deltas between RSA sizes for RSA key generation? What is NXP's recommended key length? Which RSA key length meets FIPS 140-3? Answer: The performance deltas between RSA sizes for RSA key generation are as follows:
- RSA 1024: ~0.6 s
- RSA 2048: ~3 s
- RSA 3072: ~12 s
- RSA 4096: ~30 s
NXP's recommended key length for RSA is 2048 bits or higher, as lower key lengths are considered insecure and vulnerable to attacks. RSA key lengths of 2048 bits and up meet FIPS 140-3 requirements.
Does the write command have the same performance as read commands ? Answer: No, the write command has a lower performance than the read command, as it involves writing to the flash memory, which takes longer than reading from the flash memory.
What are the common places (I2C bus, application, etc.) to look for performance tuning? Answer:
- The I2C bus: You can optimize the performance of the I2C bus by using the maximum supported clock frequency (1 MHz default) and by checking that the polling interval on the bus is not slowed down by the I2C driver. The fastest polling interval is 1 ms.
- The application: You can optimize the performance of the application by using the most suitable crypto algorithms (use ECC instead of RSA) and key sizes (mainly for RSA), minimizing the number of APDU exchanges (not opening and closing a session for every operation), and batching multiple operations into a single command if possible.
For performance-critical operations it makes sense to enable debug logging so that the exchanged commands can be analyzed. For checking the I2C bus performance, a logic analyzer trace is very helpful.
Secure Element Memory
How can I check how much space I have used or have left in the SE05x? Answer: You can check how much space you have left in the SE05x by using the example se05x_Minimal. It returns the amount of free NVM memory.
Does memory wear out on the SE05x, and how can I check the status or memory writes? Answer: Yes, the flash memory on the SE05x has a limited number of write cycles. The wear is automatically distributed by the SE over the whole memory to reach the flash write endurance given in the datasheet. You cannot read the number of write cycles that have occurred, but the MW writes an info message for every APDU that causes at least one NVM write.
Secure Element Contactless (NFC) Interface
Can I change the ATS on the contactless interface? Answer: Yes, you can change the historical characters of the ATS on the contactless interface by using the PERSO applet on products that are delivered with the PERSO applet installed.
Does the SE05x have an NFC antenna and an application note for updating secure objects via NFC? Answer: The general process for using the NFC interface to update secure objects is described in AN12664, EdgeLock SE05x for NFC late-stage configuration.