Change Mandate Platform SCP to not required

3,118 Views
deang
Contributor III

I've been able to mandate platform SCP to required with this call: Se05x_API_SetPlatformSCPRequest(ctx, kSE05x_PlatformSCPRequest_REQUIRED)

By creating an auth key (AES 128 bit) with the kSE05x_AppletResID_PLATFORM_SCP reserved ID. No problems. As expected, I can only connect to the SE050 using SCP03. So far so good. The problem is, how to change mandate platform SCP back to not required? Since the above call (Se05x_API_SetPlatformSCPRequest()) requires authenticating with kSE05x_AppletResID_PLATFORM_SCP, but I can only connect using platform SCP.

The question is then:  How can I change mandate platform SCP to not required after it has been set to required?

0 Kudos
1 Solution
2,343 Views
deang
Contributor III

@xlandrexl 

The code example I got from NXP didn't work.  However I did figure out how to change the mandate, from my notes:

You need to create a User ID with the id of RESERVE_ID_PLATFORM_SCP.  When SCP is mandatory, the connection to the SE050 is required to be platform SCP.  When connected via Platform SCP, you can create a user id and create a session with this user id within an SCP session.  That’s the key, authenticating using a UserID object with the id of RESERVE_ID_PLATFORM_SCP.

I initially created an AES object with a RESERVE_ID_PLATFORM_SCP id and then made platform SCP required. To undo this I needed to authenticate with this id (RESERVE_ID_PLATFORM_SCP); however, I can’t create a session with an AES key since mandatory SCP is enabled. One option would be to create a UserID with the kSE05x_AppletResID_FACTORY_RESET id and then clear everything.

 

I haven't worked on the SE050 for a while, so you'll probably need to do some debugging here. I can't share any sample code because it is proprietary. 

Also, NXP might have a working example now.

Dean


10 Replies
3,033 Views
deang
Contributor III

Kan,

Debugging more and it looks like my problem is because I created an AES object (kSSS_CipherType_AES) with the kSE05x_AppletResID_PLATFORM_SCP object id. This enabled me to force platform SCP (setting kSE05x_PlatformSCPRequest_REQUIRED), but you can’t subsequently create a session with this AES key because now the use of Platform SCP is required.

However, connecting to the SE050 with platform SCP, I can create User ID objects and then create and authenticate a session with this User ID. I should have created a User ID object with the id of kSE05x_AppletResID_PLATFORM_SCP; this would have enabled subsequent platform SCP connections to use this User ID.

Thanks for your help, you can close this ticket.

0 Kudos
2,999 Views
Kan_Li
NXP TechSupport

Hello @deang ,

 

Thanks for the update! I will close that ticket later.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
3,044 Views
deang
Contributor III

Kan,

Thanks for the code example, unfortunately this doesn't work. 

Question: When will the new Plug&Trust MW (with the sample code to disable mandatory SCP) be released?

Thanks,

Dean

0 Kudos
3,071 Views
deang
Contributor III

Created case 00333109

Thanks

0 Kudos
3,064 Views
Kan_Li
NXP TechSupport

Hi deang,

 

Thanks for the information! I have replied to you in that case.

 

Have a great day,
Kan



0 Kudos
3,104 Views
Kan_Li
NXP TechSupport

Hello @deang ,

 

The same API can be used for setting PlatformSCP into the unrequired state. When the host finishes the SCP03 authentication with the SE050, you may open a session with RESERVED_ID_PLATFORM_SCP, such as you did before, and then use the same API to disable PlatformSCP.

 

Hope that makes sense,

 

Have a great day,
Kan



0 Kudos
3,096 Views
deang
Contributor III

Kan,

This makes sense at a high level, but the details are not clear.  Specifically "you may open a session with RESERVED_ID_PLATFORM_SCP".  I've tried sss_se05x_session_open() without any luck.  However Se05x_API_CreateSession() works and I do get back a session id.  After this call, I'm a bit stuck.

I'm sure I have to use the session id along with the key for RESERVED_ID_PLATFORM_SCP, somehow, to authenticate the session as RESERVED_ID_PLATFORM_SCP. That's the part I'm stuck at; I can't find anything/any API along these lines.

Is there an example of how to create and authenticate a session like this?

Thanks,

Dean

 

0 Kudos
3,076 Views
Kan_Li
NXP TechSupport

Hello @deang ,

 

Yes, there is an un-mandate PlatformSCP demo available, but it is not yet included in the public MW release. If you need it right now, you may create a private ticket for it. Please kindly refer to the following for more details.

https://community.nxp.com/t5/Using-Our-Community-Knowledge/How-to-submit-a-new-question-for-NXP-Supp...

 

Please kindly tell me the case number when it is available.

 

Thanks for your patience!

 

Have a great day,
Kan



0 Kudos
2,375 Views
xlandrexl
Contributor I

Hello,

 

I run into this exact same problem. Can I have the "Unmandate" PlatformSCP demo please?

 

Thanks a lot,

André

0 Kudos