How to enable Platform SCP when using SE050

yang_lee

Hello everyone,

I'm using SE050E and having trouble using Platform SCP. I followed the instructions in AN12542 (https://www.nxp.jp/docs/en/application-note/AN12542.pdf#4#4) and defined SSS_HAVE_SE05X_AUTH_PLATFSCP03 1, but when I open a session by calling the ex_sss_boot_open function, the result is kStatus_SSS_Fail. Did I do something wrong? Everything worked fine when I use plain communication. Please let me know if I need to configure anything else.

Thanks

Kan_Li

Hi @yang_lee ,

The example provided in the chapter 6 is just for SE050E, but at first please make sure which build system you are using.

1. For MCUXpresso SDK based, please follow the steps within 6.2 and 6.3

2. For Cmake based, please follow the steps within 6.4 and 6.5

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

yang_lee

Hi @Kan_Li ,

I followed the instructions in sections 6.2 and 6.3 and tried running the se05x_MandatePlatformSCP example in SE-PLUG-TRUST-MW_04.07.01, but the sss_key_object_init(eraseAuthCtx.auth.ctx.idobj.pObj, &pCtx->host_ks) function returned kStatus_SSS_InvalidArgument. Do I need to call the ex_sss_boot_open, ex_sss_key_store_and_object_init, and ex_sss_boot_open_host_session functions as in the ex_sss_main_inc.h file before calling the sss_key_object_init function? The code is below:

/* clang-format off */

#define MandateSCP_UserID_VALUE \

{ \

'N', 'E', 'E', 'D', 'S', 'C', 'P' \

}

/* clang-format ON */

sss_status_t se050_platformSCP03(void)

{

sss_status_t status = kStatus_SSS_Fail;

sss_object_t keyObject;

ex_sss_boot_ctx_t gex_sss_mandate_scp_boot_ctx;

SE_Connect_Ctx_t eraseAuthCtx = { 0 };

sss_se05x_session_t *pSession = (sss_se05x_session_t *)&gex_sss_mandate_scp_boot_ctx.session;

smStatus_t sw_status;

Se05xSession_t *pSe05xSession;

SE_Connect_Ctx_t* pOpenCtx;

sss_object_t ex_id = { 0 };

const uint8_t host_userid_value[] = MandateSCP_UserID_VALUE;

const uint8_t userid_value_factoryreset[] = MandateSCP_UserID_VALUE;

eraseAuthCtx.auth.ctx.idobj.pObj = &ex_id;

const char *portName = NULL;

memset(&gex_sss_mandate_scp_boot_ctx, 0, sizeof(gex_sss_mandate_scp_boot_ctx));

// /* initialize session to connect to the SE050 */

// status = ex_sss_boot_open(&gex_sss_mandate_scp_boot_ctx, portName);

// if (kStatus_SSS_Success != status)

// {

// ex_sss_session_close(&gex_sss_mandate_scp_boot_ctx);

// return status; /* return error if can't initialize session with SE050 */

// }

// /* setup KeyStore */

// status = ex_sss_key_store_and_object_init(&gex_sss_mandate_scp_boot_ctx);

// if (kStatus_SSS_Success != status)

// {

// ex_sss_session_close(&gex_sss_mandate_scp_boot_ctx);

// return status; /* close sesion and return error if can't initialize fail */

// }

// ex_sss_boot_open_host_session(&gex_sss_mandate_scp_boot_ctx);

/* Prepare host */

status = sss_key_object_init(eraseAuthCtx.auth.ctx.idobj.pObj, &gex_sss_mandate_scp_boot_ctx.host_ks);

if (kStatus_SSS_Success != status) {

LOG_E("Failed sss_key_object_init");

goto cleanup;

}

status = sss_key_object_allocate_handle(eraseAuthCtx.auth.ctx.idobj.pObj,

MAKE_TEST_ID(__LINE__),

kSSS_KeyPart_Default,

kSSS_CipherType_UserID,

sizeof(host_userid_value),

kKeyObject_Mode_Transient);

if (kStatus_SSS_Success != status) {

LOG_E("Failed sss_key_object_allocate_handle");

goto cleanup;

}

status = sss_key_store_set_key(&gex_sss_mandate_scp_boot_ctx.host_ks,

eraseAuthCtx.auth.ctx.idobj.pObj,

host_userid_value,

sizeof(host_userid_value),

sizeof(host_userid_value) * 8,

NULL,

0);

if (kStatus_SSS_Success != status) {

LOG_E("Failed sss_key_store_set_key");

goto cleanup;

}

pSe05xSession = &pSession->s_ctx;

sw_status = Se05x_API_WriteUserID(pSe05xSession,

NULL,

SE05x_MaxAttemps_NA,

kSE05x_AppletResID_PLATFORM_SCP,

userid_value_factoryreset,

sizeof(userid_value_factoryreset),

kSE05x_AttestationType_AUTH);

pOpenCtx = &gex_sss_mandate_scp_boot_ctx.se05x_open_ctx;

eraseAuthCtx.tunnelCtx = pOpenCtx->tunnelCtx;

eraseAuthCtx.connType = pOpenCtx->connType;

eraseAuthCtx.portName = pOpenCtx->portName;

eraseAuthCtx.auth.authType = kSSS_AuthType_ID;

sss_session_close(&gex_sss_mandate_scp_boot_ctx.session);

pSe05xSession = &pSession->s_ctx;

status = sss_session_open(&gex_sss_mandate_scp_boot_ctx.session, kType_SSS_SE_SE05x,

kSE05x_AppletResID_PLATFORM_SCP,

kSSS_ConnectionType_Password, &eraseAuthCtx);

if (kStatus_SSS_Success != status) {

LOG_E("Failed sss_session_open");

goto cleanup;

}

/* Call SE05X API to Mandate Platform SCP. */

sw_status = Se05x_API_SetPlatformSCPRequest(&pSession->s_ctx, kSE05x_PlatformSCPRequest_REQUIRED);

if(SM_OK != sw_status) {

LOG_E("Se05x_API_SetPlatformSCPRequest Failed");

goto cleanup;

}

else {

LOG_I("Se05x_API_SetPlatformSCPRequest Successful");

LOG_W("Further communication must be encrypted");

}

cleanup:

if (kStatus_SSS_Success == status) {

LOG_I("se05x_MandatePlatformSCP Example Success !!!...");

}

else {

LOG_E("se05x_MandatePlatformSCP Example Failed !!!...");

}

return status;

}

Thanks,

Duong