SE050: key rotation: DoAPDUTxRx_s_Case4 returns 0x6a80

I noticed the problem in the data fields.

After updating the default DEK key for the SE050 ARD board now I get a proper log (however still fails with the same error code of 0x6a80)

I/TC: se050: key: 40.41.42.43.44.45.46.47 48.49.4a.4b.4c.4d.4e.4f

I/TC: se050: dek: a1.bc.84.38.bf.77.93.5b 36.1a.44.25.fe.79.fa.29

==>

I/TC: se050: enc: 17.b1.c1.65.0d.1f.ee.5b 21.63.00.1a.d7.e4.6d.58

And now the command looks like:

I/TC: se050: scp: tlv_header:
I/TC: se050: scp: 80.d8.0b.81
I/TC: se050: scp: cmd_buf:
I/TC: se050: scp: 0b.88.11.10.17.b1.c1.65 0d.1f.ee.5b.21.63.00.1a
I/TC: se050: scp: d7.e4.6d.58.03.50.4a.77 88.11.10.17.b1.c1.65.0d
I/TC: se050: scp: 1f.ee.5b.21.63.00.1a.d7 e4.6d.58.03.50.4a.77.88
I/TC: se050: scp: 11.10.17.b1.c1.65.0d.1f ee.5b.21.63.00.1a.d7.e4
I/TC: se050: scp: 6d.58.03.50.4a.77

I highlighted the encrypted keys that are set in the command.

thanks

Hello Jorge,

The example se05x_RotatePlatformSCP03Keys has the following definition:

which triggers SSD selection instead of IoT Applet selection to rotate the keys:

You may also follow this in your application.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Hi Kan

Right, I had found the exact same thing on my application so you were spot

on.

https://github.com/ldts/optee_os/commit/4988bd70ebd6a081dba7f57f5090fddeaba2b066#diff-ac8f07735297dd...

Sorry that I forgot to update the thread once I had the issue fixed.

thanks

Jorge

Hello Jorge,

Thanks for the sharing!

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Hi Kan Li, all,
I have trouble with the demo se05x_TP_PlatformSCP03keys.c.

I did the following:
Compilation on Linux using build options SE05X_Auth := PlatfSCP03, SCP := SCP03_SSS. Demos se05x_Get_Info and se05x_minimal
work well. The GP Initialize Update Command succeeds there.
Within se05x_TP_PlatformSCP03keys I left the "#define EX_SSS_BOOT_SKIP_SELECT_APPLET 1" in the code, but
I added debug output to get the old keys to be sure I used the same ones that work on other demos successfully.

Here debug information:
se05x_RotatePlatformSCP03Keys
App:INFO :PlugAndTrust_v02.12.00_20191122
App:INFO :Running ../simw-top_build/raspbian_native_se050_t1oi2c/bin/se05x_RotatePlatformSCP03Keys
App:INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
sss:INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
scp:DEBUG:FN: nxScp03_AuthenticateChannel
scp:DEBUG: Output: hostChallenge (Len=8)
75 73 B3 26 35 5B 9B 2A
scp:DEBUG:FN: nxScp03_GP_InitializeUpdate
scp:DEBUG:Input:keyVersion 0b
scp:DEBUG: Input: hostChallenge (Len=8)
75 73 B3 26 35 5B 9B 2A
scp:DEBUG:Sending GP Initialize Update Command !!!
sss:WARN :nxEnsure:'ret == SM_OK' failed. At Line:4843 Function:sss_se05x_TXn
sss:INFO :Output:apduStatus 6a88
sss:INFO :Header: (Len=4)
80 50 0B 00
sss:INFO :Cmdbuf: (Len=8)
75 73 B3 26 35 5B 9B 2A
sss:INFO :Receivebuf: (Len=2)
6A 88
scp:ERROR:GP_InitializeUpdate Failure on communication Link 6A88
scp:ERROR:nxScp03_GP_InitializeUpdate fails with Status 3C3C0000
sss:ERROR:Could not set SCP03 Secure Channel
App:INFO :OLD_ENC (Len=16)
85 2B 59 62 E9 CC E5 D0 BE 74 6B 83 3B CC 62 87
App:INFO :OLD_MAC (Len=16)
DB 0A A3 19 A4 08 69 6C 8E 10 7A B4 E3 C2 6B 47
App:INFO :OLD_DEK (Len=16)
4C 2F 75 C6 A2 78 A4 AE E5 C9 AF 7C 50 EE A8 0C
Apparently nxScp03_GP_InitializeUpdate is called when the demo starts. But in difference to other demos, I get error
message 6A 88, which means according to GP spec: "Referenced data not found". The function "tp_PlatformKeys" of the Rotate Demo
is not even called, the error comes before.
I understand that the boot sequence is different when rotating keys, but what is the precondition to make it work?
Fresh powerup? Special keys? Remove SE05X_Auth := PlatfSCP03 / SCP := SCP03_SSS options?
Does the SE050´s Global Platform part require specific keys, different from the provisioned ones for SE050C1 (that work on other
demos)?

Kind regards,
Markus

Kan, Jorge,

Thanks for the info, this solved my problem with rotating platform keys. 

Dean