- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- Neural Processing UnitsNeural Processing Units
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
- Neural Processing Units
-
- NXP Tech Blogs
OpenSSL Provider with SE052F for RNG
星期四
159 次查看
We have a requirement to use the SE052F as a FIPS compliant source for random number generation. We require OpenSSL to use the SE052F, and in turn, all applications that use the openssl libraries to use the SE052F for RNG.
I understand we must use the NXP MW accessManager and the OpenSSL Provider.
I am using: SE-PLUG-TRUST-MW_04.07.01
I have followed the instructions in:
AN14028.pdf
SE-PLUG-TRUST-MW_04.07.01/simw-top/doc/hostlib/hostLib/accessManager/doc/accessManager.html
and the README info here (but not using this repo): https://github.com/NXPPlugNTrust/se05x-openssl-provider
accessManager built with the following cmake options:
NXP_SE_MW_CONF_OPTS += -DWithSharedLIB=OFF -DPTMW_Host=Raspbian -DPTMW_SMCOM=T1oI2C -DPTMW_Applet=SE05X_C \
-DPTMW_FIPS=None -DPTMW_SE05X_Ver=07_02 -DPTMW_SE05X_Auth=PlatfSCP03 -DPTMW_SCP=SCP03_SSS -DSE05X_EN_PIN=582 -DSE_RESET_LOGIC=0 \
-DPAHO_BUILD_SHARED=FALSE -DPAHO_BUILD_STATIC=TRUE
OpenSSL Provider built with the following cmake options:
NXP_SE_MW2_CONF_OPTS += -DWithSharedLIB=ON -DPTMW_HostCrypto=OPENSSL -DPTMW_Host=Raspbian -DPTMW_SMCOM=JRCP_V1_AM -DPTMW_SE05X_Auth=None
openssl.cnf modified as follows:
[provider_sect]
nxp_prov = nxp_sect
default = default_sect
[nxp_sect]
identity = nxp_prov
module = /usr/lib/libsssProvider.so
activate = 1
[default_sect]
activate = 1
The accessManager starts:
Starting accessManager (Rev.1.1).
Protect Link between accessManager and SE: YES.
accessManager JRCPv1 (T1oI2C SE side)
******************************************************************************
Server: waiting for connections on port 8040.
Server: only localhost based processes can connect.
RNG using openssl from the command line seems to work OK:
# openssl rand -hex 64
sssprov-dbg: Enter - OSSL_provider_init
App :INFO :Using PortName='127.0.0.1:8040' (gszSocketPortDefault)
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
New client connection from 127.0.0.1. Client ID: 5
Command 0x00 from client 5
DUMMY_ATR=0x01.A0.00.00.03.96.04.03.E8.00.FE.02.0B.03.E8.00.01.00.00.00.00.64.13.88.0A.00.65.53.45.30.35.31.00.00.00.
Replacing *_ATR by default (pre-cooked) ATR.
ATR=0x3B.FB.18.00.00.81.31.FE.45.50.4C.41.43.45.48.4F.4C.44.45.52.AB.
Command 0x01 from client 5
SM_EstablishPlatformSCP03Am (Entry)
App :WARN :Using SCP03 keys from:'/tmp/SE05X/plain_scp.txt' (FILE=/tmp/SE05X/plain_scp.txt)
SE051 connected.
SM_EstablishPlatformSCP03Am (Exit); Status = 0x9000
sss :INFO :Newer version of Applet Found
sss :INFO :Compiled for 0x70200. Got newer 0x70216
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
sssprov-dbg: Enter - sss_rand_newctx
sssprov-dbg: Enter - sss_rand_instantiate
sssprov-dbg: Enter - sss_rand_enable_locking
sssprov-dbg: Enter - sss_rand_newctx
sssprov-dbg: Enter - sss_rand_instantiate
sssprov-dbg: Enter - sss_rand_get_ctx_params
sssprov-dbg: Enter - sss_rand_generate
sssprov-flw: Get random data from SE05x
Command 0x01 from client 5
SM_SendAPDUAm: smStatus = 0x9000
5f0f4d63e4ec771b8cfd46dd50c497b7e4e56e203ad5bc6eca9f8c28d23f39aa2d4a807915e3c60cf2e6a833794cb1208554f3e635811354eadd7b2c911c60da
sssprov-dbg: Enter - sss_rand_freectx
sssprov-dbg: Enter - sss_rand_freectx
sssprov-dbg: Enter - sss_teardown
Received 0 byte from client 5 (Message Header Phase) .
But, starting the ssh daemon fails:
# /usr/sbin/sshd &
sssprov-dbg: Enter - OSSL_provider_init
App :INFO :Using PortName='127.0.0.1:8040' (gszSocketPortDefault)
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
New client connection from 127.0.0.1. Client ID: 5
Command 0x00 from client 5
ATR=0x3B.FB.18.00.00.81.31.FE.45.50.4C.41.43.45.48.4F.4C.44.45.52.AB.
Command 0x01 from client 5
Pre-cooked response (rspAppletSelect)
sss :INFO :Newer version of Applet Found
sss :INFO :Compiled for 0x70200. Got newer 0x70216
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
sssprov-dbg: Enter - sss_rand_newctx
sssprov-dbg: Enter - sss_rand_instantiate
sssprov-dbg: Enter - sss_rand_enable_locking
sssprov-dbg: Enter - sss_rand_get_ctx_params
PRNG is not seeded
Received 0 byte from client 5 (Message Header Phase) .
[2]+ Done(255) /usr/sbin/sshd
I'd be very grateful for any help,
Sam
0 回复数
