Hi Team,
i am trying to run the Qi Authentication demo. Setup is using A5000 (OM-A5000ARD) with FRDM-K64 board and using IAR Embedded Workbench.
For this i ran the Qi provisioning example to inject the keys and certificate chain as per documentation. The private key injection returned success but certificate chain failed with error code 0x6a80 which is due to policy issue i believe.
Also i tried to delete these secure objects but that fails now related to policy (looks like now read, delete objects all giving error 0x6986, for the injected key object too, which is access denied based on object policy). So i have now 4 slots injected but cannot delete these and they seem unusable due to policy settings issue.
Had tried deletion using using Delete and test provision demo as well as EX_SSS_BOOT_DO_ERASE set to 1, but they fail with error code as above. Hence request help to delete and inject the objects again for running the Qi Authenticator example.
Below is a terraterm log with EX_SSS_BOOT_DO_ERASE set, where it is now unable to delete the secure objects in the slots.
Thanking you,
Best Regards,
Shilin
Hi @sshak ,
Are you still referring to the nano-package? Actually I didn't find ex_sss_main_inc.h in that package. If you are referring to the MW instead, you may enable the Auth type as AESKey and then the ex_sss_boot_factory_reset process may go on to erase the objects created in the AESKey session, this can be achieved as below:
For more details regarding session and policy usages, please kindly refer to the following docs from the MW:
simw-top/doc/sss/doc/apis-sss_session.html
simw-top/doc/sss/doc/apis-sss_policy.html
Hope that helps,
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
Hi Kan,
Thank you for your reply and for these documentation references. So yes you are right, i use the MW. I am building in IAR embedded workbench environment. So i did the equivalent of the cmake screenshot you provided using the fsl_sss_ftr.h file and executed the se05x_Delete_and_test_provision based on the below instructions here:
/** PTMW_SE05X_Auth : SE050 Authentication
*
* This settings is used by examples to connect using various options
* to authenticate with the Applet.
* The SE05X_Auth options can be changed for KSDK Demos and Examples.
* To change SE05X_Auth option follow below steps.
* Set flag ``SSS_HAVE_SCP_SCP03_SSS`` to 1 and Reset flag ``SSS_HAVE_SCP_NONE`` to 0.
* To change SE05X_Auth option other than ``None`` and ``PlatfSCP03``,
* execute se05x_Delete_and_test_provision.exe in order to provision the Authentication Key.
* To change SE05X_Auth option to ``ECKey`` or ``ECKey_PlatfSCP03``,
* Set additional flag ``SSS_HAVE_HOSTCRYPTO_ANY`` to 1.
*/
So with this the objects get deleted i believe. Then now when i run the sa_qi_provisioning demo, the ecckey seems to be provisioned but the cert chain still seems to fail. For both the key as well as cert chain though it mentions can_Read/can_Write policy is not applied (see log screenshot below). Also the certchain injection fails with error 0x6986 (SW_COMMAND_NOT_ALLOWED) in the Se05x_API_UpdateBinary_Ver call. Hence I am investigating these now.
Apart from this, a few doubts on my understanding i give below, if you can check if this is ok:
1) To provision secure objects in A5000, we always need an authenticated session correct?
2) Once keys and cert chains are provisioned, to use these in examples like Qi Authentication demo , we do not need an authenticated session ?
Thank you,
Br, shilin
Hi Kan,
Thanks much for your answers.
Regarding the AESKey, i had set the SSS_HAVE_SE05X_AUTH_AESKEY macro to 1 in fsl_sss_ftr.h file, hopefully this enabled aeskey authentication . Attached the fsl_sss_ftr.h file that i am using. Also below is a screenshot of the debug session where it seems success creating the authenticated session using aeskey looking at the callstack functions and ret value. Still had got those R/W not set warnings. Will also investigate a bit on this.
Thanking you,
Br, shilin
Hi Kan,
So i setup and used MCUExpresso IDE by importing project example. Had used document AN12396_EdgeLock SE05x Quick start guide with FRDM-K64F.pdf for this. To note here that this document mentions to set SSS_HAVE_SE05X_VER_07_02 in fsl_sss_ftr.h file (section 4.6 table 7) as below.
In our case setting this throws error due to applet mismatch as below .
So have now set this to SSS_HAVE_SE05X_VER_06_00 as before.
With MCUExpresso also it is unsuccessful when trying to execute sa_qi_provisioning (key provisioning seems success but cert chain provision fails with 0x6986 in the Se05x_API_UpdateBinary_ver call).
Screenshots of a debug window and terraterm log as below.
(SDK-EVK-FRDMK64F-SE-v04.02.00.zip does not have the se05x_Delete_and_test_provision nor sa_qi_provisioning examples, which are available with the SE05x_MW.zip. So took the files from there and added them to the frdmk64f_se05x_Minimal project and used now.)
Do you have any hints for it? Not sure what is issue here now. Do you maybe have a provisioning example for version 6.0.0 as A5000 does not support upgrading you mentioned?
Thanking you,
Br, shilin
hi Kan,
Thank you for this info. We have contacted the respective FAE for a newer version of this. Will go ahead once its received. Hence will close this thread.
Thank you again for your support here,
Best Regards,
Shilin
( also jfyi that for the sake of it i had gone ahead and was able to get the provisioning to succeed as seen in log below.. by increasing the BINARY_WRITE_MAX_LEN to 750 so that the test cert chain of 720 bytes get injected in one shot though this may not be desirable
)
Hi Kan,
So this warning seems to come as the version i set is 060000. R/W in common policy applies from 070200. Below screen shot of code where this warning came
Also below screenshot of log when i executed se05x_GetInfo demo.
So here the A5000 applet version indicated is 060000 right? Is it possible to update this to 070200?
Thanking you,
Br, shilin
