A5000 Qi Authentication demo - help with few secure objects issues

Also to add that it was when running the Secure Authenticator (Qi) Provisioning demo that the private key injection returned success but certificate chain had failed with error code 0x6a80. Thanks

Hello @sshak ,

Thanks for the information! Referring to the documentation, I can see the Qi credentials are provisioned in an AESKey session, and no delete policy assigned to the default session, so in case you want to delete the Qi credentials, you have to open the AESKey session again and delete them in this session.

Hope that makes sense,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Hi Kan,

Thank you for checking this. Also can you point me to maybe a document with examples for sessions creations, policy settings, etc? Here now i had not done anything related to aeskey session and the session open, etc was being handled in the ex_sss_boot_open(PCONTEXT, portName) call in ex_sss_main_inc.h file of the demo.

(if you see, there is a ex_sss_boot_factory_reset((PCONTEXT)) call after the above ex_sss_boot_open which i had enabled, where it tries to delete the stored secure objects but failed as seen in that screenshot)

Thanking you,
Best Regards,
Shilin

Hi @sshak ,

Are you still referring to the nano-package? Actually I didn't find ex_sss_main_inc.h in that package. If you are referring to the MW instead, you may enable the Auth type as AESKey and then the  ex_sss_boot_factory_reset process may go on to erase the objects created in the AESKey session, this can be achieved as below:

For more details regarding session and policy usages, please kindly refer to the following docs from the MW:

simw-top/doc/sss/doc/apis-sss_session.html

simw-top/doc/sss/doc/apis-sss_policy.html

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Hi Kan,

Thank you for your reply and for these documentation references. So yes you are right, i use the MW. I am building in IAR embedded workbench environment. So i did the equivalent of the cmake screenshot you provided using the fsl_sss_ftr.h file and executed the se05x_Delete_and_test_provision based on the below instructions here:

/** PTMW_SE05X_Auth : SE050 Authentication
*
* This settings is used by examples to connect using various options
* to authenticate with the Applet.
* The SE05X_Auth options can be changed for KSDK Demos and Examples.
* To change SE05X_Auth option follow below steps.
* Set flag ``SSS_HAVE_SCP_SCP03_SSS`` to 1 and Reset flag ``SSS_HAVE_SCP_NONE`` to 0.
* To change SE05X_Auth option other than ``None`` and ``PlatfSCP03``,
* execute se05x_Delete_and_test_provision.exe in order to provision the Authentication Key.
* To change SE05X_Auth option to ``ECKey`` or ``ECKey_PlatfSCP03``,
* Set additional flag ``SSS_HAVE_HOSTCRYPTO_ANY`` to 1.
*/

So with this the objects get deleted i believe. Then now when i run the sa_qi_provisioning demo, the ecckey seems to be provisioned but the cert chain still seems to fail. For both the key as well as cert chain though it mentions can_Read/can_Write policy is not applied (see log screenshot below). Also the certchain injection fails with error 0x6986 (SW_COMMAND_NOT_ALLOWED) in the Se05x_API_UpdateBinary_Ver call. Hence I am investigating these now.

Apart from this, a few doubts on my understanding i give below, if you can check if this is ok:

1) To provision secure objects in A5000, we always need an authenticated session correct?

2) Once keys and cert chains are provisioned, to use these in examples like Qi Authentication demo , we do not need an authenticated session ?

Thank you,
Br, shilin

Hi @sshak ,

Looks like you haven't enabled Auth=AESKey yet, so still running the demo in the default session, while the secure objects are just readable in the default session, so creation failed as expected.

1) To provision secure objects in A5000, we always need an authenticated session correct?

- Correct! To protect the secure objects from edition or deletion by any user in the default session, you always need an authenticated session to do the provisioning within it.

2) Once keys and cert chains are provisioned, to use these in examples like Qi Authentication demo , we do not need an authenticated session ?

- No, you don't need to. Both keys and cert are readable in the default session, and besides that the keys can also be used for sign and verification operation. You refer to sa_qi_provisioning.c for more details regarding the policy settings.

Hope that makes sense,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Hi Kan,

Thanks much for your answers.

Regarding the AESKey, i had set the SSS_HAVE_SE05X_AUTH_AESKEY macro to 1 in fsl_sss_ftr.h file, hopefully this enabled aeskey authentication . Attached the fsl_sss_ftr.h file that i am using. Also below is a screenshot of the debug session where it seems success creating the authenticated session using aeskey looking at the callstack functions and ret value. Still had got those R/W not set warnings. Will also investigate a bit on this.

Thanking you,

Br, shilin

Hi @sshak ,

Actually the MW doesn't support IAR , so I am suspecting if your issue is due to the IAR tool chain supported added by yourself, maybe you can try with MCUXpresso IDE instead to check if the demo works , and if the result is successful, you may foucs on the tool chain integration.

A5000 doesn't support applet upgrade. so far just SE051 variants support this feature.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Hi Kan,

So i setup and used MCUExpresso IDE by importing project example. Had used document AN12396_EdgeLock SE05x Quick start guide with FRDM-K64F.pdf for this. To note here that this document mentions to set SSS_HAVE_SE05X_VER_07_02 in fsl_sss_ftr.h file (section 4.6 table 7) as below.

In our case setting this throws error due to applet mismatch as below .

So have now set this to SSS_HAVE_SE05X_VER_06_00 as before.

With MCUExpresso also it is unsuccessful when trying to execute sa_qi_provisioning (key provisioning seems success but cert chain provision fails with 0x6986 in the Se05x_API_UpdateBinary_ver call).

Screenshots of a debug window and terraterm log as below.

(SDK-EVK-FRDMK64F-SE-v04.02.00.zip does not have the se05x_Delete_and_test_provision nor sa_qi_provisioning examples, which are available with the SE05x_MW.zip. So took the files from there and added them to the frdmk64f_se05x_Minimal project and used now.)

Do you have any hints for it? Not sure what is issue here now. Do you maybe have a provisioning example for version 6.0.0 as A5000 does not support upgrading you mentioned?

Thanking you,
Br, shilin

hi Kan,

Thank you for this info. We have contacted the respective FAE for a newer version of this. Will go ahead once its received. Hence will close this thread.

Thank you again for your support here,
Best Regards,
Shilin

( also jfyi that for the sake of it i had gone ahead and was able to get the provisioning to succeed as seen in log below.. by increasing the BINARY_WRITE_MAX_LEN to 750 so that the test cert chain of 720 bytes get injected in one shot though this may not be desirable

)

Hello @sshak ,

Great to know that! Thanks for the update! I will also forward this info to the expert team , looks like there is some kind of code issue here.

Please kindly let me know if there is any further issue. 

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Hi Kan,

Thanks for your reply. One question here though..from the demo code, etc, it seems the R/W moved to common policies from applet version >= 7.2.0? the applet version inside our A5000 seems to indicate 6.0.0 based on the previous se05x_GetInfo demo screenshot right? 

Thanking you,

Br, shilin

Hi Kan,

So this warning seems to come as the version i set is 060000. R/W in common policy applies from 070200. Below screen shot of code where this warning came

Also below screenshot of log when i executed se05x_GetInfo demo.

So here the A5000 applet version indicated is 060000 right? Is it possible to update this to 070200?

Thanking you,

Br, shilin