SE05x - DeleteAll() fails with 0x6985

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SE05x - DeleteAll() fails with 0x6985

Jump to solution
1,719 Views
HenrikK
Contributor II

I'm trying to use DeleteAll() but just cannot make it work. I'm using NXPPlugNTrust nano-package API. Steps I'm taking:

  1. In a separate session, write UserID to RESERVED_ID_FACTORY_RESET
  2. Create session with that key
  3. Send DeleteAll

I have checked that every step except DeleteAll returns 0x9000 and the user ID does exist (CheckObjectExists). I have compared my code against se05x_mandate_scp03 example and it is basically identical except that RESERVED_ID_FACTORY_RESET is written and used instead.

Writing user ID (relevant part):

 

 

    uint8_t userId[] = DELETE_ALL_USERID_VALUE;
    status = Se05x_API_WriteUserID(
        &session,
        &policy,
        0,
        kSE05x_AppletResID_FACTORY_RESET,
        userId, sizeof(userId),
        kSE05x_AttestationType_AUTH
    );

 

 

Using DeleteAll:

 

 

    smStatus_t status;
    Se05xSession_t session = { 0 };
    size_t sessionIdLen = sizeof(se05x_applet_session_value);

    set_keys(
        &session,
        scp03_key_enc, sizeof(scp03_key_enc),
        scp03_key_mac, sizeof(scp03_key_mac)
    );

    status = Se05x_API_SessionOpen(&session);
    if (status != SM_OK) {
        SMLOG_E("Se05x_API_SessionOpen %x\n", status);
        return status;
    }

    uint8_t userId[] = DELETE_ALL_USERID_VALUE;

    SE05x_Result_t exists = kSE05x_Result_FAILURE;
    size_t sessionIdLen   = sizeof(se05x_applet_session_value);

    status = Se05x_API_CheckObjectExists(
        &session,
        kSE05x_AppletResID_FACTORY_RESET,
        &exists
    );
    if (status != SM_OK) {
        SMLOG_E("Se05x_API_CheckObjectExists %x\n", status);
        return status;
    }

    status = Se05x_API_CreateSession(
        &session, 
        kSE05x_AppletResID_FACTORY_RESET,
        &se05x_applet_session_value[0],
        &sessionIdLen
    );
    if (status != SM_OK) {
        SMLOG_E("Se05x_API_CreateSession %x\n", status);
        return status;
    }

    status = Se05x_API_VerifySessionUserID(&session, userId, sizeof(userId));
    if (status != SM_OK) {
        SMLOG_E("Se05x_API_VerifySessionUserID %x\n", status);
        return status;
    }

    status = Se05x_API_DeleteAll(&session);
    if (status != SM_OK) {
        SMLOG_E("Se05x_API_DeleteAll: %x", status);
        return status;
    }

    return status;

 

 

I have attached a debug console output that included both setting the userID and using it.

Labels (1)
Tags (2)
1 Solution
1,650 Views
HenrikK
Contributor II

Thank you. The reason to why it failed was correct, it was not issued within the UserID session. However, it had nothing to do with the session id or se05xSession->value (that does not even exist in nano-package).

The problem was in my Se05x_API_DeleteAll(). I needed to add ex_se05x_process_session_command() to request the command to be processed within the specific session.

For anyone coming across this in the future, here is the fixed code:

 

mStatus_t Se05x_API_DeleteAll(pSe05xSession_t session_ctx)
{
    smStatus_t retStatus = SM_NOT_OK;
    /* Original command */
    tlvHeader_t hdr      = {{kSE05x_CLA, kSE05x_INS_MGMT, kSE05x_P1_DEFAULT, kSE05x_P2_DELETE_ALL}};
    /* Modified command to be processed in a session context */
    tlvHeader_t hdr_new = { 0, };

    uint8_t cmdbuf[64] = { 0, };
    size_t cmdbufLen = 0;
    uint8_t tmpbuf[64] = { 0, };
    size_t tmpbufLen = sizeof(tmpbuf);

    SMLOG_D("APDU - Se05x_API_DeleteAll [] \n");

    /* We need to use ProcessSessionCmd to wrap the command with the session identifier */
    retStatus = ex_se05x_process_session_command(
        &hdr,
        &cmdbuf[0], cmdbufLen,
        &hdr_new,
        tmpbuf, &tmpbufLen,
        0
    );
    if (retStatus != SM_OK) {
        SMLOG_E("ex_se05x_process_session_command failed");
        return retStatus;
    }

    retStatus = DoAPDUTx(session_ctx, &hdr_new, &tmpbuf[0], tmpbufLen, 0);
    if (retStatus != SM_OK) {
        SMLOG_E("DoAPDUTx failed");
        return retStatus;
    }
    return retStatus;
}

 

Note that this is just for nano-package, not for the full middleware package.

View solution in original post

4 Replies
1,705 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @HenrikK ,

 

Actually it is not recommended running this command from the beginning, because it deletes all secure objects, all curves and crypto objects. Only secure objects that are trust provisioned by NXP are not deleted but not including the certificates, so that this device would fail to connect with the edgelock2go cloud service then, but if you insist, you may run the demo of "Delete and Test Provision" at first to provision the RESERVED_ID_FACTORY_RESET, and then run your application code.

 

Hope that makes sense,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

1,693 Views
HenrikK
Contributor II

Thanks for the quick reply, but it does not really help. For my application it is necessary to delete everything on the chip for security reasons.

In the delete and test provision example the factory reset user ID is set just like I did minus the policy because I don't want to set it permanently yet. So I still see no reason why DeleteAll fails. Can the policy be the issue somehow? I'm mostly interested what's the issue with my code.

 

Edit: I did run delete and test provision example to set the user ID but DeleteAll still does not work. Also I realised no example contained C implementation of DeleteAll so here's my code I wrote earlier, maybe the problem lies there.

 

smStatus_t Se05x_API_DeleteAll(pSe05xSession_t session_ctx)
{
    smStatus_t retStatus = SM_NOT_OK;
    tlvHeader_t hdr      = {{kSE05x_CLA, kSE05x_INS_MGMT, kSE05x_P1_DEFAULT, kSE05x_P2_DELETE_ALL}};
    uint8_t cmdbuf[MAX_APDU_BUFFER];
    size_t cmdbufLen = 0;

    SMLOG_D("APDU - Se05x_API_DeleteAll [] \n");

    retStatus = DoAPDUTx(session_ctx, &hdr, cmdbuf, cmdbufLen, 0);
    return retStatus;
}

 

1,667 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @HenrikK ,

 

It looks like the DeleteAll command was not issued within the UserID session, but the default session instead. and seems you store the UserID session's session ID in se05x_applet_session_value[] , but usually we store this value in the session itself. For example,

Kan_Li_0-1683784381759.png

Hope that helps,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

1,651 Views
HenrikK
Contributor II

Thank you. The reason to why it failed was correct, it was not issued within the UserID session. However, it had nothing to do with the session id or se05xSession->value (that does not even exist in nano-package).

The problem was in my Se05x_API_DeleteAll(). I needed to add ex_se05x_process_session_command() to request the command to be processed within the specific session.

For anyone coming across this in the future, here is the fixed code:

 

mStatus_t Se05x_API_DeleteAll(pSe05xSession_t session_ctx)
{
    smStatus_t retStatus = SM_NOT_OK;
    /* Original command */
    tlvHeader_t hdr      = {{kSE05x_CLA, kSE05x_INS_MGMT, kSE05x_P1_DEFAULT, kSE05x_P2_DELETE_ALL}};
    /* Modified command to be processed in a session context */
    tlvHeader_t hdr_new = { 0, };

    uint8_t cmdbuf[64] = { 0, };
    size_t cmdbufLen = 0;
    uint8_t tmpbuf[64] = { 0, };
    size_t tmpbufLen = sizeof(tmpbuf);

    SMLOG_D("APDU - Se05x_API_DeleteAll [] \n");

    /* We need to use ProcessSessionCmd to wrap the command with the session identifier */
    retStatus = ex_se05x_process_session_command(
        &hdr,
        &cmdbuf[0], cmdbufLen,
        &hdr_new,
        tmpbuf, &tmpbufLen,
        0
    );
    if (retStatus != SM_OK) {
        SMLOG_E("ex_se05x_process_session_command failed");
        return retStatus;
    }

    retStatus = DoAPDUTx(session_ctx, &hdr_new, &tmpbuf[0], tmpbufLen, 0);
    if (retStatus != SM_OK) {
        SMLOG_E("DoAPDUTx failed");
        return retStatus;
    }
    return retStatus;
}

 

Note that this is just for nano-package, not for the full middleware package.