SE050: key rotation: DoAPDUTxRx_s_Case4 returns 0x6a80

cancel
Showing results for 
Search instead for 
Did you mean: 

SE050: key rotation: DoAPDUTxRx_s_Case4 returns 0x6a80

331 Views
Contributor III

Hi all,

I am running the sample code from SE05X Rotate PlatformSCP Keys Demo on the SE050 ARD board (OEFID = 6). I am using simw-top version 2.14.

The APDU request from the sample code returns 0x6A80 (invalid policy?)

An object is only created if the attached policy is valid and, if the policy validation fails, the error code 0x6A80 is returned as response to the object creation command. AFAICS the sample code doesnt configure any policy. Is there anything else that needs to be done? anything that is missing?

many thanks in advance

Jorge

Labels (1)
0 Kudos
7 Replies

204 Views
Contributor III

Not sure if it helps but the data exchanged with the SE050 over I2C would be as follows:

I/TC: se050: scp: tlv_header:
I/TC: se050: scp: 80.d8.0b.81

I/TC: se050: scp: cmd_buf:
I/TC: se050: scp: 0b.88.11.10.a9.55.af.51 09.81.2d.47.51.bb.9d.bc
I/TC: se050: scp: 7c.bb.c9.38.03.50.4a.77 88.11.10.70.eb.a0.47.18
I/TC: se050: scp: 91.97.82.cf.3b.e8.0e.8e 4b.e3.d0.03.50.4a.77.88
I/TC: se050: scp: 11.10.b6.2a.03.c4.6f.1b 67.ef.c3.3e.34.23.4c.6d
I/TC: se050: scp: 81.b4.03.50.4a.77

204 Views
Contributor III

I noticed the problem in the data fields.

After updating the default DEK key for the SE050 ARD board now I get a proper log (however still fails with the same error code of 0x6a80)

I/TC: se050: key: 40.41.42.43.44.45.46.47 48.49.4a.4b.4c.4d.4e.4f

I/TC: se050: dek: a1.bc.84.38.bf.77.93.5b 36.1a.44.25.fe.79.fa.29

==>

I/TC: se050: enc: 17.b1.c1.65.0d.1f.ee.5b 21.63.00.1a.d7.e4.6d.58

And now the command looks like:

I/TC: se050: scp: tlv_header:
I/TC: se050: scp: 80.d8.0b.81
I/TC: se050: scp: cmd_buf:
I/TC: se050: scp: 0b.88.11.10.17.b1.c1.65 0d.1f.ee.5b.21.63.00.1a
I/TC: se050: scp: d7.e4.6d.58.03.50.4a.77 88.11.10.17.b1.c1.65.0d
I/TC: se050: scp: 1f.ee.5b.21.63.00.1a.d7 e4.6d.58.03.50.4a.77.88
I/TC: se050: scp: 11.10.17.b1.c1.65.0d.1f ee.5b.21.63.00.1a.d7.e4
I/TC: se050: scp: 6d.58.03.50.4a.77

I highlighted the encrypted keys that are set in the command.

thanks

0 Kudos

204 Views
NXP TechSupport
NXP TechSupport

Hello Jorge,

The example se05x_RotatePlatformSCP03Keys has the following definition:

pastedImage_1.png

which triggers SSD selection instead of IoT Applet selection to rotate the keys:

pastedImage_2.png

You may also follow this in your application.

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos

204 Views
Contributor III

Hi Kan

Right, I had found the exact same thing on my application so you were spot

on.

https://github.com/ldts/optee_os/commit/4988bd70ebd6a081dba7f57f5090fddeaba2b066#diff-ac8f07735297dd...

Sorry that I forgot to update the thread once I had the issue fixed.

thanks

Jorge

0 Kudos

204 Views
NXP TechSupport
NXP TechSupport

Hello Jorge,

Thanks for the sharing!

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos

47 Views
Contributor I

Hi Kan Li, all,
I have trouble with the demo se05x_TP_PlatformSCP03keys.c.

I did the following:
Compilation on Linux using build options SE05X_Auth := PlatfSCP03, SCP := SCP03_SSS. Demos se05x_Get_Info and se05x_minimal
work well. The GP Initialize Update Command succeeds there.
Within se05x_TP_PlatformSCP03keys I left the "#define EX_SSS_BOOT_SKIP_SELECT_APPLET 1" in the code, but
I added debug output to get the old keys to be sure I used the same ones that work on other demos successfully.

Here debug information:
se05x_RotatePlatformSCP03Keys
App:INFO :PlugAndTrust_v02.12.00_20191122
App:INFO :Running ../simw-top_build/raspbian_native_se050_t1oi2c/bin/se05x_RotatePlatformSCP03Keys
App:INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
sss:INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
scp:DEBUG:FN: nxScp03_AuthenticateChannel
scp:DEBUG: Output: hostChallenge (Len=8)
75 73 B3 26 35 5B 9B 2A
scp:DEBUG:FN: nxScp03_GP_InitializeUpdate
scp:DEBUG:Input:keyVersion 0b
scp:DEBUG: Input: hostChallenge (Len=8)
75 73 B3 26 35 5B 9B 2A
scp:DEBUG:Sending GP Initialize Update Command !!!
sss:WARN :nxEnsure:'ret == SM_OK' failed. At Line:4843 Function:sss_se05x_TXn
sss:INFO :Output:apduStatus 6a88
sss:INFO :Header: (Len=4)
80 50 0B 00
sss:INFO :Cmdbuf: (Len=8)
75 73 B3 26 35 5B 9B 2A
sss:INFO :Receivebuf: (Len=2)
6A 88
scp:ERROR:GP_InitializeUpdate Failure on communication Link 6A88
scp:ERROR:nxScp03_GP_InitializeUpdate fails with Status 3C3C0000
sss:ERROR:Could not set SCP03 Secure Channel
App:INFO :OLD_ENC (Len=16)
85 2B 59 62 E9 CC E5 D0 BE 74 6B 83 3B CC 62 87
App:INFO :OLD_MAC (Len=16)
DB 0A A3 19 A4 08 69 6C 8E 10 7A B4 E3 C2 6B 47
App:INFO :OLD_DEK (Len=16)
4C 2F 75 C6 A2 78 A4 AE E5 C9 AF 7C 50 EE A8 0C
Apparently nxScp03_GP_InitializeUpdate is called when the demo starts. But in difference to other demos, I get error
message 6A 88, which means according to GP spec: "Referenced data not found". The function "tp_PlatformKeys" of the Rotate Demo
is not even called, the error comes before.
I understand that the boot sequence is different when rotating keys, but what is the precondition to make it work?
Fresh powerup? Special keys? Remove SE05X_Auth := PlatfSCP03 / SCP := SCP03_SSS options?
Does the SE050´s Global Platform part require specific keys, different from the provisioned ones for SE050C1 (that work on other
demos)?

Kind regards,
Markus

0 Kudos

204 Views
Contributor I

Kan, Jorge,

Thanks for the info, this solved my problem with rotating platform keys. 

Dean

0 Kudos