A5000 Qi Authentication demo - help with few secure objects issues

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

A5000 Qi Authentication demo - help with few secure objects issues

Jump to solution
6,660 Views
sshak
Contributor I

Hi Team,

i am trying to run the Qi Authentication demo. Setup is using A5000 (OM-A5000ARD) with FRDM-K64 board and using IAR Embedded Workbench.

For this i ran the Qi provisioning example to inject the keys and certificate chain as per documentation. The private key injection returned success but certificate chain failed with error code 0x6a80 which is due to policy issue i believe.
Also i tried to delete these secure objects but that fails now related to policy (looks like now read, delete objects all giving error 0x6986, for the injected key object too, which is access denied based on object policy). So i have now 4 slots injected but cannot delete these and they seem unusable due to policy settings issue.

Had tried deletion using using Delete and test provision demo as well as EX_SSS_BOOT_DO_ERASE set to 1, but they fail with error code as above. Hence request help to delete and inject the objects again for running the Qi Authenticator example.

Below is a terraterm log with EX_SSS_BOOT_DO_ERASE set, where it is now unable to delete the secure objects in the slots.

sshak_0-1660811967073.png

Thanking you,
Best Regards,
Shilin

0 Kudos
Reply
1 Solution
6,566 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @sshak ,

 

Actually I am guessing maybe the part on your hands is a engineering sample of A5000 so it has an older applet version. Who is the contact you request this sample from? You may ask for a released version for this test.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

View solution in original post

0 Kudos
Reply
16 Replies
6,645 Views
sshak
Contributor I

Hi Kan,

 

Thanks much for your response.

So here i followed the documentation here . There it mentioned as pre-requisite to run example Secure Authenticator (Qi) Provisioning demo.Hence i had run this provisioning demo example that i believe injects the private key and cert chain using the demo values in sa_qi_credentials.c

Thanking you,

Best Regards,

Shilin

0 Kudos
Reply
6,641 Views
sshak
Contributor I

Also to add that it was when running the Secure Authenticator (Qi) Provisioning demo that the private key injection returned success but certificate chain had failed with error code 0x6a80. Thanks

0 Kudos
Reply
6,636 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hello @sshak ,

 

Thanks for the information! Referring to the documentation, I can see the Qi credentials are provisioned in an AESKey session, and no delete policy assigned to the default session, so in case you want to delete the Qi credentials, you have to open the AESKey session again and delete them in this session.

 

Hope that makes sense,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply
6,631 Views
sshak
Contributor I

Hi Kan,

Thank you for checking this. Also can you point me to maybe a document with examples for sessions creations, policy settings, etc? Here now i had not done anything related to aeskey session and the session open, etc was being handled in the ex_sss_boot_open(PCONTEXT, portName) call in ex_sss_main_inc.h file of the demo.

(if you see, there is a ex_sss_boot_factory_reset((PCONTEXT)) call after the above ex_sss_boot_open which i had enabled, where it tries to delete the stored secure objects but failed as seen in that screenshot)

Thanking you,
Best Regards,
Shilin

0 Kudos
Reply
6,616 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @sshak ,

 

Are you still referring to the nano-package? Actually I didn't find ex_sss_main_inc.h in that package. If you are referring to the MW instead, you may enable the Auth type as AESKey and then the  ex_sss_boot_factory_reset process may go on to erase the objects created in the AESKey session, this can be achieved as below:

Kan_Li_0-1661139280273.png

For more details regarding session and policy usages, please kindly refer to the following docs from the MW:

simw-top/doc/sss/doc/apis-sss_session.html

simw-top/doc/sss/doc/apis-sss_policy.html

 

Hope that helps,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply
6,606 Views
sshak
Contributor I

Hi Kan,

Thank you for your reply and for these documentation references. So yes you are right, i use the MW. I am building in IAR embedded workbench environment. So i did the equivalent of the cmake screenshot you provided using the fsl_sss_ftr.h file and executed the se05x_Delete_and_test_provision based on the below instructions here:

/** PTMW_SE05X_Auth : SE050 Authentication
*
* This settings is used by examples to connect using various options
* to authenticate with the Applet.
* The SE05X_Auth options can be changed for KSDK Demos and Examples.
* To change SE05X_Auth option follow below steps.
* Set flag ``SSS_HAVE_SCP_SCP03_SSS`` to 1 and Reset flag ``SSS_HAVE_SCP_NONE`` to 0.
* To change SE05X_Auth option other than ``None`` and ``PlatfSCP03``,
* execute se05x_Delete_and_test_provision.exe in order to provision the Authentication Key.
* To change SE05X_Auth option to ``ECKey`` or ``ECKey_PlatfSCP03``,
* Set additional flag ``SSS_HAVE_HOSTCRYPTO_ANY`` to 1.
*/

So with this the objects get deleted i believe. Then now when i run the sa_qi_provisioning demo, the ecckey seems to be provisioned but the cert chain still seems to fail. For both the key as well as cert chain though it mentions can_Read/can_Write policy is not applied (see log screenshot below). Also the certchain injection fails with error 0x6986 (SW_COMMAND_NOT_ALLOWED) in the Se05x_API_UpdateBinary_Ver call. Hence I am investigating these now.

sshak_0-1661180261019.png

 

Apart from this, a few doubts on my understanding i give below, if you can check if this is ok:

1) To provision secure objects in A5000, we always need an authenticated session correct?

2) Once keys and cert chains are provisioned, to use these in examples like Qi Authentication demo , we do not need an authenticated session ?

Thank you,
Br, shilin

0 Kudos
Reply
6,600 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @sshak ,

 

Looks like you haven't enabled Auth=AESKey yet, so still running the demo in the default session, while the secure objects are just readable in the default session, so creation failed as expected.

 

1) To provision secure objects in A5000, we always need an authenticated session correct?

- Correct! To protect the secure objects from edition or deletion by any user in the default session, you always need an authenticated session to do the provisioning within it.

2) Once keys and cert chains are provisioned, to use these in examples like Qi Authentication demo , we do not need an authenticated session ?

- No, you don't need to. Both keys and cert are readable in the default session, and besides that the keys can also be used for sign and verification operation. You refer to sa_qi_provisioning.c for more details regarding the policy settings.

 

Hope that makes sense,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply
6,590 Views
sshak
Contributor I

Hi Kan,

Thanks much for your answers.

Regarding the AESKey, i had set the SSS_HAVE_SE05X_AUTH_AESKEY macro to 1 in fsl_sss_ftr.h file, hopefully this enabled aeskey authentication . Attached the fsl_sss_ftr.h file that i am using. Also below is a screenshot of the debug session where it seems success creating the authenticated session using aeskey looking at the callstack functions and ret value. Still had got those R/W not set warnings. Will also investigate a bit on this.

sshak_0-1661239121623.png

 

Thanking you,

Br, shilin

0 Kudos
Reply
6,579 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @sshak ,

 

Actually the MW doesn't support IAR , so I am suspecting if your issue is due to the IAR tool chain supported added by yourself, maybe you can try with MCUXpresso IDE instead to check if the demo works , and if the result is successful, you may foucs on the tool chain integration.

 

A5000 doesn't support applet upgrade. so far just SE051 variants support this feature.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply
6,565 Views
sshak
Contributor I

Hi Kan,

So i setup and used MCUExpresso IDE by importing project example. Had used document AN12396_EdgeLock SE05x Quick start guide with FRDM-K64F.pdf for this. To note here that this document mentions to set SSS_HAVE_SE05X_VER_07_02 in fsl_sss_ftr.h file (section 4.6 table 7) as below.

2022-08-24_11h37_25.png

In our case setting this throws error due to applet mismatch as below .

2022-08-24_12h45_34.png

So have now set this to SSS_HAVE_SE05X_VER_06_00 as before.

With MCUExpresso also it is unsuccessful when trying to execute sa_qi_provisioning (key provisioning seems success but cert chain provision fails with 0x6986 in the Se05x_API_UpdateBinary_ver call).

Screenshots of a debug window and terraterm log as below.

2022-08-24_13h09_35.png

2022-08-24_13h52_52.png

(SDK-EVK-FRDMK64F-SE-v04.02.00.zip does not have the se05x_Delete_and_test_provision nor sa_qi_provisioning examples, which are available with the SE05x_MW.zip. So took the files from there and added them to the frdmk64f_se05x_Minimal project and used now.)

Do you have any hints for it? Not sure what is issue here now. Do you maybe have a provisioning example for version 6.0.0 as A5000 does not support upgrading you mentioned?

Thanking you,
Br, shilin

0 Kudos
Reply
6,567 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @sshak ,

 

Actually I am guessing maybe the part on your hands is a engineering sample of A5000 so it has an older applet version. Who is the contact you request this sample from? You may ask for a released version for this test.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply
6,549 Views
sshak
Contributor I

hi Kan,

Thank you for this info. We have contacted the respective FAE for a newer version of this. Will go ahead once its received. Hence will close this thread.

Thank you again for your support here,
Best Regards,
Shilin

( also jfyi that for the sake of it i had gone ahead and was able to get the provisioning to succeed as seen in log below.. by increasing the BINARY_WRITE_MAX_LEN to 750 so that the test cert chain of 720 bytes get injected in one shot though this may not be desirable

sshak_0-1661417705440.png

)

0 Kudos
Reply
6,543 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hello @sshak ,

 

Great to know that! Thanks for the update! I will also forward this info to the expert team , looks like there is some kind of code issue here.

 

Please kindly let me know if there is any further issue. 

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

6,573 Views
sshak
Contributor I

Hi Kan,

Thanks for your reply. One question here though..from the demo code, etc, it seems the R/W moved to common policies from applet version >= 7.2.0? the applet version inside our A5000 seems to indicate 6.0.0 based on the previous se05x_GetInfo demo screenshot right? 

Thanking you,

Br, shilin

0 Kudos
Reply
6,584 Views
sshak
Contributor I

Hi Kan,

So this warning seems to come as the version i set is 060000. R/W in common policy applies from 070200. Below screen shot of code where this warning came

sshak_0-1661241519023.png

 

Also below screenshot of log when i executed se05x_GetInfo demo.

sshak_2-1661241613706.png

 

So here the A5000 applet version indicated is 060000 right? Is it possible to update this to 070200?

Thanking you,

Br, shilin

0 Kudos
Reply
6,648 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @sshak ,

 

Which documentation are you referring to inject the keys and certificate chain? Please kindly clarify.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

0 Kudos
Reply