- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- Identification and Security
- :
- Secure Authentication
- :
- Object policy issue on SE050
Object policy issue on SE050
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Object policy issue on SE050
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Kan_Li ,
I`m trying to implement a very simple use case with SE050. The secure element administrator must create a set of keys that must not be overwritten or deleted. The normal user could use the key only under the policy rules.
No matter how I create the policy, the Sign/Verify can still be performed despite assigning a special singing deny policy.
I`m using Auth Obj ID as 0 because I want the policy to be applied for all users.
I have a few questions:
1. Is it possible to create an object(asymkey or binary file) with special policy for signing/encryption for example? How?
2. How would a policy assigned to an object be different for multiple users ? Normal user canot delete an object, only the super user could delete the object.
3. How to perform authentication to the Administrator and then as normal user ? For example "ssscli connect se05x vcom COM4 --auth_type UserID" seem generic and misleading.
Please find below the ssscli commands. I have run the execute se05x_Delete_and_test_provision.exe before. Do you encounter a similar issue, or this needs a different approach?
Thanks!
ssscli connect se05x vcom COM4
ssscli policy asymkey nosign 0 --sign 0 --verify 0
ssscli policy dump nosign
Created object policy:
Key_type : Asymmetric_Key
Auth Obj ID : 0x0
Sign : False
Verify : False
Encrypt : True
Decrypt : True
Key Derive : True
Wrap : True
Generate : True
Write : True
Read : True
Import Export : True
Key Agreement : True
Attestation : True
forbid_derived_output : False
Policy in hex:
08 00 00 00 00 07 F8 10 00
ssscli connect se05x vcom COM4
ssscli generate rsa 0x400 2048 --policy_name nosign
echo 122>>in.txt
ssscli sign 0x400 in.txt out.txt
c:\Projects\Se050_Middleware\SE-PLUG-TRUST-MW _v3_3_0\simw-top\binaries\PCWindows\ssscli>ssscli generate rsa 400 2048 --policy_name nosign
Reading policy from file path:
c:\Projects\Se050_Middleware\SE-PLUG-TRUST-MW _v3_3_0\simw-top\binaries\PCWindows\ssscli\policy\ssscli_obj_policy_nosign.pkl
Generating RSA Key Pair at KeyID = 0x00000400, bits=2048
Opening COM Port 'COM4'
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is with UserID (But Plain).
sss :WARN :!!!Not recommended for production use.!!!
Generated RSA Key Pair at KeyID = 0x00000400
c:\Projects\Se050_Middleware\SE-PLUG-TRUST-MW _v3_3_0\simw-top\binaries\PCWindows\ssscli>ssscli sign 0x400 in.txt out.txt
Opening COM Port 'COM4'
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is with UserID (But Plain).
sss :WARN :!!!Not recommended for production use.!!!
Signed from KeyID = 0x00000400 <--- successfull, but it should not be ?!
Kan_Li
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Exocet ,
Please kindly have my comments as below:
1. Is it possible to create an object(asymkey or binary file) with special policy for signing/encryption for example? How?
- Yes, it is possible. Create a policy allowing for sign/encryption and then attach it to the object.
2. How would a policy assigned to an object be different for multiple users ? Normal user canot delete an object, only the super user could delete the object.
- By default POLICY_OBJ_ALLOW_DELETE is always enabled, but any policy specified for some Auth ID would override the default policy, so if you create a policy without allowing delete and related to some specific Auth ID , for example, some UserID, then only users perform a successful UserID authentication can access&delete the objects attached with this policy.
3. How to perform authentication to the Administrator and then as normal user ? For example "ssscli connect se05x vcom COM4 --auth_type UserID" seem generic and misleading.
- The example establishes a UserID session , so you have to disconnect from this session at first, then connect again with auth_type None.
In your example, the policy just specifies auth ID none, you may understand it is for normal user, while the session you built is based on UserID authentication, so it would not take effect.
Hope that makes senses,
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Kan
Thank you for yout time answering my questions.
The problem with the above ssscli commands was that RSA Sign and Verify end up using encrypt() and decrypt() methods. So even if you forbid sign and verify you will be able to perform such operations.
The same test for ECC key type works as expected.
Still I have 3 questions:
1. Given the example:
Step 1: Login with UserID 0x7AFFFFFF
Step 2: Create Object (0x100) with Policy POLICY_OBJ_ALLOW_DELETE, POLICY_OBJ_ALLOW_SIGN, POLICY_OBJ_ALLOW_VERIFY
Step 3 : Relogin with auth_id None
Step 4: Can I use object 0x100 to sign and verify but not delete the object ?
Please clarify how to implement this scenario.
2. How can we pass the UserID value when using the ssscli ? Like the below API call in which we provide the kEX_SSS_ObjID_UserID_Auth parameter:
sw_status = Se05x_API_CreateSession(&pSession->s_ctx, kEX_SSS_ObjID_UserID_Auth, userid1_value, &sess_len)
3. Is there a non invasive way to get the policy information for an object (in the current authenticated user context or even None) ?
For example, I don`t want to delete an object, to discover that it can be deleted.
I saw the Read_with_Attestation sample, but is there another simpler way besides creating another ECC key for the attested object? Can you post a sample with this feature.
The ssscli policy dump command only reads the policy from the local file, not from the SE.
Thanks!
Kan_Li
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Exocet ,
What is the auth id for Object (0x100)? If it is the UserID 0x7AFFFFFF, I don't think you can access this object in the default session.
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
