- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- Neural Processing UnitsNeural Processing Units
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
- Neural Processing Units
-
- NXP Tech Blogs
- Home
- :
- Identification and Security
- :
- Secure Authentication
- :
- OpenSSL Provider with SE052F for RNG
OpenSSL Provider with SE052F for RNG
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
OpenSSL Provider with SE052F for RNG
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a requirement to use the SE052F as a FIPS compliant source for random number generation. We require OpenSSL to use the SE052F, and in turn, all applications that use the openssl libraries to use the SE052F for RNG.
I understand we must use the NXP MW accessManager and the OpenSSL Provider.
I am using: SE-PLUG-TRUST-MW_04.07.01
I have followed the instructions in:
AN14028.pdf
SE-PLUG-TRUST-MW_04.07.01/simw-top/doc/hostlib/hostLib/accessManager/doc/accessManager.html
and the README info here (but not using this repo): https://github.com/NXPPlugNTrust/se05x-openssl-provider
accessManager built with the following cmake options:
NXP_SE_MW_CONF_OPTS += -DWithSharedLIB=OFF -DPTMW_Host=Raspbian -DPTMW_SMCOM=T1oI2C -DPTMW_Applet=SE05X_C \
-DPTMW_FIPS=None -DPTMW_SE05X_Ver=07_02 -DPTMW_SE05X_Auth=PlatfSCP03 -DPTMW_SCP=SCP03_SSS -DSE05X_EN_PIN=582 -DSE_RESET_LOGIC=0 \
-DPAHO_BUILD_SHARED=FALSE -DPAHO_BUILD_STATIC=TRUE
OpenSSL Provider built with the following cmake options:
NXP_SE_MW2_CONF_OPTS += -DWithSharedLIB=ON -DPTMW_HostCrypto=OPENSSL -DPTMW_Host=Raspbian -DPTMW_SMCOM=JRCP_V1_AM -DPTMW_SE05X_Auth=None
openssl.cnf modified as follows:
[provider_sect]
nxp_prov = nxp_sect
default = default_sect
[nxp_sect]
identity = nxp_prov
module = /usr/lib/libsssProvider.so
activate = 1
[default_sect]
activate = 1
The accessManager starts:
Starting accessManager (Rev.1.1).
Protect Link between accessManager and SE: YES.
accessManager JRCPv1 (T1oI2C SE side)
******************************************************************************
Server: waiting for connections on port 8040.
Server: only localhost based processes can connect.
RNG using openssl from the command line seems to work OK:
# openssl rand -hex 64
sssprov-dbg: Enter - OSSL_provider_init
App :INFO :Using PortName='127.0.0.1:8040' (gszSocketPortDefault)
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
New client connection from 127.0.0.1. Client ID: 5
Command 0x00 from client 5
DUMMY_ATR=0x01.A0.00.00.03.96.04.03.E8.00.FE.02.0B.03.E8.00.01.00.00.00.00.64.13.88.0A.00.65.53.45.30.35.31.00.00.00.
Replacing *_ATR by default (pre-cooked) ATR.
ATR=0x3B.FB.18.00.00.81.31.FE.45.50.4C.41.43.45.48.4F.4C.44.45.52.AB.
Command 0x01 from client 5
SM_EstablishPlatformSCP03Am (Entry)
App :WARN :Using SCP03 keys from:'/tmp/SE05X/plain_scp.txt' (FILE=/tmp/SE05X/plain_scp.txt)
SE051 connected.
SM_EstablishPlatformSCP03Am (Exit); Status = 0x9000
sss :INFO :Newer version of Applet Found
sss :INFO :Compiled for 0x70200. Got newer 0x70216
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
sssprov-dbg: Enter - sss_rand_newctx
sssprov-dbg: Enter - sss_rand_instantiate
sssprov-dbg: Enter - sss_rand_enable_locking
sssprov-dbg: Enter - sss_rand_newctx
sssprov-dbg: Enter - sss_rand_instantiate
sssprov-dbg: Enter - sss_rand_get_ctx_params
sssprov-dbg: Enter - sss_rand_generate
sssprov-flw: Get random data from SE05x
Command 0x01 from client 5
SM_SendAPDUAm: smStatus = 0x9000
5f0f4d63e4ec771b8cfd46dd50c497b7e4e56e203ad5bc6eca9f8c28d23f39aa2d4a807915e3c60cf2e6a833794cb1208554f3e635811354eadd7b2c911c60da
sssprov-dbg: Enter - sss_rand_freectx
sssprov-dbg: Enter - sss_rand_freectx
sssprov-dbg: Enter - sss_teardown
Received 0 byte from client 5 (Message Header Phase) .
But, starting the ssh daemon fails:
# /usr/sbin/sshd &
sssprov-dbg: Enter - OSSL_provider_init
App :INFO :Using PortName='127.0.0.1:8040' (gszSocketPortDefault)
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
New client connection from 127.0.0.1. Client ID: 5
Command 0x00 from client 5
ATR=0x3B.FB.18.00.00.81.31.FE.45.50.4C.41.43.45.48.4F.4C.44.45.52.AB.
Command 0x01 from client 5
Pre-cooked response (rspAppletSelect)
sss :INFO :Newer version of Applet Found
sss :INFO :Compiled for 0x70200. Got newer 0x70216
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
sssprov-dbg: Enter - sss_rand_newctx
sssprov-dbg: Enter - sss_rand_instantiate
sssprov-dbg: Enter - sss_rand_enable_locking
sssprov-dbg: Enter - sss_rand_get_ctx_params
PRNG is not seeded
Received 0 byte from client 5 (Message Header Phase) .
[2]+ Done(255) /usr/sbin/sshd
I'd be very grateful for any help,
Sam
Kan_Li
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sam123 ,
The Openssh support is not tested with our provider currently. This needs to be analyzed further and may require changes. An internal ticket was created for RnD and they will do analysis. I will let you know when I have any more info from there.
Thanks for your patience!
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
