Hi,
We built the "accessManager" binary utility with the below mentioned cmake configure options.
do_configure() {
cd ${B}
cmake -S ../simw-top \
-DWithSharedLIB=OFF -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=/usr \
-DPTMW_Host=iMXLinux -DPTMW_HostCrypto=OPENSSL \
-DPTMW_SMCOM=T1oI2C -DPTMW_SE05X_Auth=PlatfSCP03 -DPTMW_SCP=SCP03_SSS \
-DIOT=None -DPTMW_Applet=SE05X_C -DPTMW_SE05X_Ver=06_00 \
-DOPENSSL_INSTALL_PREFIX=${WORKDIR}/recipe-sysroot/usr/ \
-DPAHO_BUILD_DEB_PACKAGE=OFF -DPAHO_BUILD_DOCUMENTATION=OFF \
-DPAHO_BUILD_SAMPLES=OFF -DPAHO_BUILD_SHARED=OFF \
-DPAHO_BUILD_STATIC=ON -DPAHO_ENABLE_CPACK=ON \
-DPAHO_ENABLE_TESTING=OFF -DPAHO_WITH_SSL=ON \
-DOPENSSL_ROOT_DIR=${WORKDIR}/recipe-sysroot/usr/
}
Then we built a client application "se05x_ConcurrentEcc" which communicates with the "accessManager" over JRCPv1 protocol using the below mentioned cmake configuration.
do_configure() {
cd ${B}
cmake -S ../simw-top \
-DWithSharedLIB=OFF -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=/usr \
-DPTMW_Host=iMXLinux -DPTMW_HostCrypto=OPENSSL \
-DPTMW_SMCOM=JRCP_V1_AM -DPTMW_SE05X_Auth=None -DPTMW_SCP=None \
-DIOT=None -DPTMW_Applet=SE05X_C -DPTMW_SE05X_Ver=06_00 \
-DOPENSSL_INSTALL_PREFIX=${WORKDIR}/recipe-sysroot/usr/ \
-DPAHO_BUILD_DEB_PACKAGE=OFF -DPAHO_BUILD_DOCUMENTATION=OFF \
-DPAHO_BUILD_SAMPLES=OFF -DPAHO_BUILD_SHARED=OFF \
-DPAHO_BUILD_STATIC=ON -DPAHO_ENABLE_CPACK=ON \
-DPAHO_ENABLE_TESTING=OFF -DPAHO_WITH_SSL=ON \
-DOPENSSL_ROOT_DIR=${WORKDIR}/recipe-sysroot/usr/
}
After this we ran the "accessManager" utility in background.
# ./accessManager &
# Starting accessManager (Rev.1.1).
Protect Link between accessManager and SE: YES.
accessManager JRCPv1 (T1oI2C SE side)
******************************************************************************
Server: waiting for connections on port 8040.
Server: only localhost based processes can connect.
Then we ran the client "se05x_ConcurrentEcc". The client communicated well with the "accessManager" over JRCPv1 protocol. But the "accessManager" could not establish communication with the se05x device over I2C interface. The log is as mentioned below.
# ./se05x_ConcurrentEcc -authid 0x7DA00001 -keyid 0xEF001234 -cnt 100 -port 127.0.0.1:8040
App :INFO :PlugAndTrust_v04.01.03_20220331
App :INFO :
App :INFO :Running Elliptic Curve Cryptography Example se05x_ConcurrentEcc
App :INFO :
New client connection from 127.0.0.1. Client ID: 4
Command 0x00 from client 4
smCom :ERROR:opening failed...
Failed to open the i2c bus: No such file or d[12776.642027] systemd-coredump[8359]: EXE '/home/root/accessManager' is not in coredump whitelist, skipping.
irectory
smCom :INFO :Pass i2c device address in the format <i2c_port>:<i2c_addr(optional. Default 0x48)>.
smCom :INFO :Example ./example /dev/i2c-1:0x48 OR ./example /dev/i2c-1
smCom :ERROR:phPalEse_i2c_open_and_configure Failed retry
smCom :ERROR:I2C init Failed: retval d
smCom :ERROR:phPalEse_Init Failed
smCom :ERROR: Failed to create physical connection with ESE
Could anyone please help me resolve this issue? Looks like the "accessManager" needs an argument to be passed with the I2C device details like "/dev/i2c-0". But we are not sure how to pass this I2C device as an argument to the "accessManager" binary utility.
Thanks and regards
Ajit SJ
Hi @ajitsj3 ,
Looks like AccessManager keeps using the default settings, would you please modify the default settings in the file of "simw-top\hostlib\hostLib\platform\linux\i2c_a7.c" as below?
Please kindly let me know if the problem is still there.
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
Hi @Kan_Li ,
As suggested by you, I changed the i2c device name to "i2c-0" in the file "simw-top\hostlib\hostLib\platform\linux\i2c_a7.c". After that the accessManager started working and it is communicating with SE05x as well. Thanks for your support.
Thanks and regards
Ajit S J
Hi @ajitsj3 ,
Looks like the way you run client application is not correct, the channel between clients and AccessManager is plain as you set up, so you just have to run the client similar as below:
root@imx8mqevk:~/home/root# EX_SSS_BOOT_SSS_PORT=127.0.0.1:8040 se05x_ConcurrentEcc
Hope that makes sense,
Have a great day,
Kan
Hi @Kan_Li ,
As mentioned in my post there is no issue between the client and AccessManager. The command "se05x_ConcurrentEcc -authid 0x7DA00001 -keyid 0xEF001234 -cnt 100 -port 127.0.0.1:8040" which I used was taken from the plug and trust middleware document by NXP only. I have shared the document.
The below mentioned log proves that the client and accessManager are in good communication.
New client connection from 127.0.0.1. Client ID: 4
Command 0x00 from client 4
Also our requirement is that the client should communicate with AccessManager using JRCPv1 protocol as mentioned in the plug and trust middleware document.
The log below shows that there is some issue w.r.t. I2C communication between AccessManager and se05x.
smCom :ERROR:opening failed...
Failed to open the i2c bus: No such file or d[12776.642027] systemd-coredump[8359]: EXE '/home/root/accessManager' is not in coredump whitelist, skipping.
irectory
smCom :INFO :Pass i2c device address in the format <i2c_port>:<i2c_addr(optional. Default 0x48)>.
smCom :INFO :Example ./example /dev/i2c-1:0x48 OR ./example /dev/i2c-1
smCom :ERROR:phPalEse_i2c_open_and_configure Failed retry
Anyways I tried the command that you sent which is not ideal for us. Even this failed too.
# accessManager &
# Starting accessManager (Rev.1.1).
Protect Link between accessManager and SE: YES.
accessManager JRCPv1 (T1oI2C SE side)
******************************************************************************
Server: waiting for connections on port 8040.
Server: only localhost based processes can connect.
#
# EX_SSS_BOOT_SSS_PORT=127.0.0.1:8040 se05x_ConcurrentEcc
App :INFO :PlugAndTrust_v04.01.03_20220331
App :INFO :
App :INFO :Running Elliptic Curve Cryptography Example se05x_ConcurrentEcc
App :INFO :
App :ERROR:Auth key Id not passed
App :WARN :
usage:
se05x_ConcurrentEcc.exe
-authid <auth object id to open Session >
-keyid <Key id to store Key>
-cnt <no of times to loop the operation >
-port <port to be connected >
App :WARN :nxEnsure:'status == kStatus_SSS_Success' failed. At Line:101 Function:ex_sss_entry
App :INFO :ex_sss Finished
App :ERROR:ex_sss_entry Failed
App :ERROR:!ERROR! ret != 0.
So my question is that there must be a way to specify the i2c device node information to accessManager. Please let us know that.
Thanks and regards
Ajit S J
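Added example, not part of any post in this thread: a small Python triage over the console output quoted above. It removes kernel records that interrupt an application log line and reports which hop failed; the marker strings are copied from the thread's logs, while the function and key names are illustrative.

```python
import re

# A kernel printk record written to the same console can split an application log
# line in two. Match the record with its newline so the two halves rejoin.
KMSG = re.compile(r"\[\s*\d+\.\d{6}\] ([^\n]*)\n?")

# Message fragments as they appear in the logs posted in this thread.
CLIENT_ACCEPTED = "New client connection from"
BAD_CLIENT_ARGS = "Auth key Id not passed"
I2C_FAILURES = ("Failed to open the i2c bus", "phPalEse_Init Failed",
                "Failed to create physical connection with ESE")


def deinterleave(text):
    """Return (application log without kernel records, list of kernel records)."""
    return KMSG.sub("", text), KMSG.findall(text)


def triage(text):
    """Report which hop failed: client arguments, JRCPv1 socket, or I2C to the SE."""
    log, kernel = deinterleave(text)
    result = {
        "client_reached_am": CLIENT_ACCEPTED in log,
        "i2c_errors": [m for m in I2C_FAILURES if m in log],
        # systemd-coredump is invoked for a binary when that binary dumps core
        "am_core_dumped": any("coredump" in k and "accessManager" in k for k in kernel),
    }
    if BAD_CLIENT_ARGS in log:
        result["failed_hop"] = "client arguments"
    elif result["i2c_errors"]:
        result["failed_hop"] = "accessManager -> SE05x (I2C)"
    elif not result["client_reached_am"]:
        result["failed_hop"] = "client -> accessManager (JRCPv1)"
    else:
        result["failed_hop"] = None
    return result


# Excerpts copied from the console output posted in this thread.
FIRST_RUN = """\
New client connection from 127.0.0.1. Client ID: 4
Failed to open the i2c bus: No such file or d[12776.642027] systemd-coredump[8359]: EXE '/home/root/accessManager' is not in coredump whitelist, skipping.
irectory
smCom :ERROR:phPalEse_Init Failed
smCom :ERROR: Failed to create physical connection with ESE
"""
ENV_VAR_RUN = """\
App :INFO :Running Elliptic Curve Cryptography Example se05x_ConcurrentEcc
App :ERROR:Auth key Id not passed
"""

if __name__ == "__main__":
    for name, text in (("first run", FIRST_RUN), ("env-var run", ENV_VAR_RUN)):
        print(name, "->", triage(text))
```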
Hi @ajitsj3 ,
Have you run se05x_Delete_and_test_provision demo before the se05x_ConcurrentEcc demo? I just ran the se05x_ConcurrentEcc demo from different consoles and they work well from my side, please kindly refer to the attached video for more details.
The following is my cmake configuration for accessManager.
pi@raspberrypi:~/se05x_mw_v04.02.00_20220701_151557/simw-top_build/raspbian_native_se050_t1oi2c $ cmake . -L
-- BUILD_TYPE: Debug
-- Found: /usr/lib/arm-linux-gnueabihf/libssl.so/usr/lib/arm-linux-gnueabihf/libcrypto.so
-- CMAKE_CXX_COMPILER_ID = GNU
-- CMAKE_SYSTEM_NAME = Linux
-- PTMW_SE05X_Auth - PlatfSCP03
-- Could not detect git directories. Using STUB Values for GIT Version
-- CMake version: 3.16.3
-- CMake system name: Linux
-- Timestamp is 2022-08-04T07:08:59Z
accessManager is not copied to default binary directory upon install
-- Configuring done
-- Generating done
-- Build files have been written to: /home/pi/se05x_mw_v04.02.00_20220701_151557/simw-top_build/raspbian_native_se050_t1oi2c
-- Cache values
CMAKE_BUILD_TYPE:STRING=Debug
CMAKE_INSTALL_PREFIX:PATH=/usr/local
LIB_ANL:FILEPATH=/usr/lib/arm-linux-gnueabihf/libanl.so
NXPInternal:BOOL=OFF
OPENSSL_ROOT_DIR:PATH=
PAHO_BUILD_DEB_PACKAGE:BOOL=FALSE
PAHO_BUILD_DOCUMENTATION:BOOL=FALSE
PAHO_BUILD_SAMPLES:BOOL=FALSE
PAHO_BUILD_SHARED:BOOL=TRUE
PAHO_BUILD_STATIC:BOOL=FALSE
PAHO_ENABLE_CPACK:BOOL=TRUE
PAHO_ENABLE_TESTING:BOOL=FALSE
PAHO_WITH_SSL:BOOL=TRUE
PTMW_A71CH_AUTH:STRING=None
PTMW_Applet:STRING=SE05X_C
PTMW_FIPS:STRING=None
PTMW_Host:STRING=Raspbian
PTMW_HostCrypto:STRING=OPENSSL
PTMW_Log:STRING=Default
PTMW_RTOS:STRING=Default
PTMW_SBL:STRING=None
PTMW_SCP:STRING=SCP03_SSS
PTMW_SE05X_Auth:STRING=PlatfSCP03
PTMW_SE05X_Ver:STRING=03_XX
PTMW_SMCOM:STRING=T1oI2C
PTMW_mbedTLS_ALT:STRING=None
SSSFTR_SE05X_AES:BOOL=ON
SSSFTR_SE05X_AuthECKey:BOOL=ON
SSSFTR_SE05X_AuthSession:BOOL=ON
SSSFTR_SE05X_CREATE_DELETE_CRYPTOOBJ:BOOL=ON
SSSFTR_SE05X_ECC:BOOL=ON
SSSFTR_SE05X_KEY_GET:BOOL=ON
SSSFTR_SE05X_KEY_SET:BOOL=ON
SSSFTR_SE05X_RSA:BOOL=ON
SSSFTR_SW_AES:BOOL=ON
SSSFTR_SW_ECC:BOOL=ON
SSSFTR_SW_KEY_GET:BOOL=ON
SSSFTR_SW_KEY_SET:BOOL=ON
SSSFTR_SW_RSA:BOOL=ON
SSSFTR_SW_TESTCOUNTERPART:BOOL=ON
WithAccessMgr_UnixSocket:BOOL=OFF
WithCodeCoverage:BOOL=OFF
WithExtCustomerTPMCode:BOOL=OFF
WithNXPNFCRdLib:BOOL=OFF
WithOPCUA_open62541:BOOL=OFF
WithSharedLIB:BOOL=ON
To build the clients, the cmake configuration is as below:
pi@raspberrypi:~/se05x_mw_v04.02.00_20220701_151557/simw-top_build/raspbian_native_se050_t1oi2c $ cmake . -L
-- BUILD_TYPE: Debug
-- Found: /usr/lib/arm-linux-gnueabihf/libssl.so/usr/lib/arm-linux-gnueabihf/libcrypto.so
-- CMAKE_CXX_COMPILER_ID = GNU
-- CMAKE_SYSTEM_NAME = Linux
-- PTMW_SE05X_Auth - None
-- Could not detect git directories. Using STUB Values for GIT Version
-- CMake version: 3.16.3
-- CMake system name: Linux
-- Timestamp is 2022-08-04T07:12:21Z
-- Configuring done
-- Generating done
-- Build files have been written to: /home/pi/se05x_mw_v04.02.00_20220701_151557/simw-top_build/raspbian_native_se050_t1oi2c
-- Cache values
CMAKE_BUILD_TYPE:STRING=Debug
CMAKE_INSTALL_PREFIX:PATH=/usr/local
LIB_ANL:FILEPATH=/usr/lib/arm-linux-gnueabihf/libanl.so
NXPInternal:BOOL=OFF
OPENSSL_ROOT_DIR:PATH=
PAHO_BUILD_DEB_PACKAGE:BOOL=FALSE
PAHO_BUILD_DOCUMENTATION:BOOL=FALSE
PAHO_BUILD_SAMPLES:BOOL=FALSE
PAHO_BUILD_SHARED:BOOL=TRUE
PAHO_BUILD_STATIC:BOOL=FALSE
PAHO_ENABLE_CPACK:BOOL=TRUE
PAHO_ENABLE_TESTING:BOOL=FALSE
PAHO_WITH_SSL:BOOL=TRUE
PTMW_A71CH_AUTH:STRING=None
PTMW_Applet:STRING=SE05X_C
PTMW_FIPS:STRING=None
PTMW_Host:STRING=Raspbian
PTMW_HostCrypto:STRING=OPENSSL
PTMW_Log:STRING=Default
PTMW_RTOS:STRING=Default
PTMW_SBL:STRING=None
PTMW_SCP:STRING=None
PTMW_SE05X_Auth:STRING=None
PTMW_SE05X_Ver:STRING=03_XX
PTMW_SMCOM:STRING=JRCP_V1_AM
PTMW_mbedTLS_ALT:STRING=None
SSSFTR_SE05X_AES:BOOL=ON
SSSFTR_SE05X_AuthECKey:BOOL=ON
SSSFTR_SE05X_AuthSession:BOOL=ON
SSSFTR_SE05X_CREATE_DELETE_CRYPTOOBJ:BOOL=ON
SSSFTR_SE05X_ECC:BOOL=ON
SSSFTR_SE05X_KEY_GET:BOOL=ON
SSSFTR_SE05X_KEY_SET:BOOL=ON
SSSFTR_SE05X_RSA:BOOL=ON
SSSFTR_SW_AES:BOOL=ON
SSSFTR_SW_ECC:BOOL=ON
SSSFTR_SW_KEY_GET:BOOL=ON
SSSFTR_SW_KEY_SET:BOOL=ON
SSSFTR_SW_RSA:BOOL=ON
SSSFTR_SW_TESTCOUNTERPART:BOOL=ON
WithAccessMgr_UnixSocket:BOOL=OFF
WithCodeCoverage:BOOL=OFF
WithExtCustomerTPMCode:BOOL=OFF
WithNXPNFCRdLib:BOOL=OFF
WithOPCUA_open62541:BOOL=OFF
WithSharedLIB:BOOL=ON
Usually I build clients first and then build accessManager after "make install" of the clients, so that I run accessManager in the build folder directly and run client demos from "usr/local/bin".
Hope that helps,
Have a great day,
Kan
Hi @Kan_Li ,
Could you please run the below command and send me the logs.
accessManager &
se05x_ConcurrentEcc -authid 0x7DA00001 -keyid 0xEF001234 -cnt 1 -port 127.0.0.1:8040
We could compare and check what is going wrong.
Thanks and regards
Ajit S J
Hi @ajitsj3 ,
Please kindly have the log as attached. Please refer to 5.4.3.8 of "simw-top/doc/hostlib/hostLib/accessManager/doc/accessManager.html" for more details.
Hope that helps,
Have a great day,
Kan
Hi @ajitsj3 ,
It is not the right way to run both AccessManager and the client applications like that, as you could not make sure AccessManager set up all things before the client connects with it. Please use a single console for each of them and run AccessManager at first.
Hope that makes sense,
Have a great day,
Kan
Hi @ajitsj3 ,
The environment variable EX_SSS_BOOT_SSS_PORT helps pass the I2C device name to AccessManager, and if not, then the default name is used.
Hope that makes sense,
Have a great day,
Kan
Hi @Kan_Li ,
I tried to set the environment variable "EX_SSS_BOOT_SSS_PORT" as "/dev/i2c-0:0x48". But the I2C device name was not passed to AccessManager. As mentioned in the below log, still the accessManager is failing because I2C device name is not passed to it.
# export EX_SSS_BOOT_SSS_PORT=/dev/i2c-0:0x48
#
# accessManager &
# Starting accessManager (Rev.1.1).
Protect Link between accessManager and SE: YES.
accessManager JRCPv1 (T1oI2C SE side)
******************************************************************************
Server: waiting for connections on port 8040.
Server: only localhost based processes can connect.
#
# ./se05x_ConcurrentEcc -authid 0x7DA00001 -keyid 0xEF001234 -cnt 1 -port 127.0.0.1:8040
App :INFO :PlugAndTrust_v04.02.00_20220524
App :INFO :
App :INFO :Running Elliptic Curve Cryptography Example se05x_ConcurrentEcc
App :INFO :
New client connection from 127.0.0.1. Client ID: 4
Command 0x00 from client 4
smCom :ERROR:opening failed...
Failed to open the i2c bus: No such file or directory
smCom :INFO :Pass i2c device address in the format <i2c_port>:<i2c_addr(opti[81600.549838] systemd-coredump[4889]: EXE '/usr/bin/accessManager' is not in coredump whitelist, skipping.
onal. Default 0x48)>.
smCom :INFO :Example ./example /dev/i2c-1:0x48 OR ./example /dev/i2c-1
smCom :ERROR:phPalEse_i2c_open_and_configure Failed retry
smCom :ERROR:I2C init Failed: retval d
smCom :ERROR:phPalEse_Init Failed
smCom :ERROR: Failed to create physical connection with ESE
smCom :WARN :Client: recv() failed: error 0
smCom :WARN :nxEnsure:'0' failed. At Line:174 Function:smComSocket_GetATRFD
smCom :WARN :Client: send() failed: error -1
smCom :ERROR:SM_CONNECT Failed.
sss :ERROR:SM_RjctConnect Failed. Status 7002
App :ERROR:sss_session_open failed
App :ERROR: sss_key_store_context_init Failed...
App :ERROR:ex_sss_key_store_and_object_init Failed
App :INFO :ex_sss Finished
App :ERROR:ex_sss_entry Failed
App :ERROR:!ERROR! ret != 0.
[1]+ Segmentation fault (core dumped) accessManager
How are you setting the I2C device name in your raspberry pi device?
Thanks and regards
Ajit
Hi @ajitsj3 ,
Looks like AccessManager keeps using the default settings, would you please modify the default settings in the file of "simw-top\hostlib\hostLib\platform\linux\i2c_a7.c" as below?
Please kindly let me know if the problem is still there.
Have a great day,
Kan
Hi @Kan_Li ,
Could we configure the I2C device name as "i2c-0" without making changes in the code?
Because in other hardware device we might have to use "i2c-1" as I2C device name.
So please let me know if there is a way to send this I2C device name as argument for accessManager?
Thanks and regards
Ajit S J
Hi @ajitsj3 ,
No, so far AccessManager just uses the default I2C device name without accepting an external parameter, but you may try the solution as I mentioned in https://community.nxp.com/t5/Secure-Authentication/AccessManager-I2C-device-name-configuration-using... , so that you needn't modify the source code frequently.
Hope that helps,
Have a great day,
Kan