SE05x: SCP communication fails with error for "04.02.00" version of plug and trust middleware

ajitsj3 · ‎08-02-2022

Hi,

I have integrated the se05x package onto our yocto build environment with latest plug and trust middleware for se05x downloaded from nxp website. But upon running the "se05x_Minimal" binary I am getting the below error.

# se05x_Minimal /dev/i2c-0:0x48
App :INFO :PlugAndTrust_v04.02.00_20220524
App :INFO :Running se05x_Minimal
App :INFO :Using PortName='/dev/i2c-0:0x48' (CLI)
App :INFO :Using default PlatfSCP03 keys. You can use keys from file using ENV=EX_SSS_BOOT_SCP03_PATH
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
scp :WARN :nxEnsure:'status == kStatus_SSS_Success' failed. At Line:144 Function:nxScp03_AuthenticateChannel
sss :ERROR:Could not set SCP03 Secure Channel
App :ERROR:sss_session_open failed
App :ERROR:ex_sss_session_open Failed
App :ERROR:!ERROR! ret != 0.

We have also used the latest plug and trust middleware with version "v04.02.00_20220701_151557".

We have used the below mentioned "do_configure" options as mentioned below.
do_configure() {
cd ${B}

cmake -S ../simw-top \
-DWithSharedLIB=OFF -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=/usr \
-DPTMW_Host=iMXLinux -DPTMW_HostCrypto=OPENSSL \
-DPTMW_SMCOM=T1oI2C -DPTMW_SE05X_Auth=PlatfSCP03 -DPTMW_SCP=SCP03_SSS \
-DIOT=None -DPTMW_Applet=SE05X_C -DPTMW_SE05X_Ver=06_00 \
-DOPENSSL_INSTALL_PREFIX=${WORKDIR}/recipe-sysroot/usr/ \
-DPAHO_BUILD_DEB_PACKAGE=OFF -DPAHO_BUILD_DOCUMENTATION=OFF \
-DPAHO_BUILD_SAMPLES=OFF -DPAHO_BUILD_SHARED=OFF \
-DPAHO_BUILD_STATIC=ON -DPAHO_ENABLE_CPACK=ON \
-DPAHO_ENABLE_TESTING=OFF -DPAHO_WITH_SSL=ON \
-DOPENSSL_ROOT_DIR=${WORKDIR}/recipe-sysroot/usr/
}

However with the same do_configure options if I use the previous version "v04.01.03_20220331_140602" of the plug and trust middleware this "se05x_Minimal" utility works fine with SCP protocol.

The log attached below.

se05x_Minimal /dev/i2c-0:0x48
App :INFO :PlugAndTrust_v04.01.03_20220331
App :INFO :Running se05x_Minimal
App :INFO :Using PortName='/dev/i2c-0:0x48' (CLI)
App :INFO :Using default PlatfSCP03 keys. You can use keys from file using ENV=EX_SSS_BOOT_SCP03_PATH
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :INFO :mem=25064
App :INFO :se05x_Minimal Example Success !!!...
App :INFO :ex_sss Finished

Looks like there is some issue w.r.t the latest released se05x plug and trust middleware. Please help us fix this issue. SCP protocol is needed for our project. We also need the latest plug and trust middleware.

Thanks and regards,

Ajit S J

Kan_Li · ‎08-04-2022

Hi @ajitsj3 ,

Thanks for the information! This is an expected result with SE051C2, as it has two OEF ids as shown in https://www.nxp.com/webapp/Download?colCode=AN12973 , so you have to manually confirm which default platform SCP03 keys should be used according to the OEF ID you get from the GetInfo demo. Please open the fsl_sss_ftr.h.in file which is located in: /simw-top/sss/inc. and enable the option for "A564" as below:

Then reconfigure the MW with cmake to generate a new "fsl_sss_ftr.h" in place and build it as well. You may have a result something like below:

Hope that makes sense,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

View solution in original post

ajitsj3 · ‎08-07-2022

Hi @Kan_Li ,

As suggested by you, I changed the macro "SSS_PFSCP_ENABLE_SE051C2" definition to "1" in the fi/simw-top/sss/inc/fsl_sss_ftr.h.in". After that the latest plug and trust middleware binaries started working and it is communicating with SE05x as well. Thanks for your support.

Thanks and regards

Ajit S J

Kan_Li · ‎08-03-2022

Hi @ajitsj3 ,

Would you please tell me the platform as well as the SE050 variant on it? Are you using the same platform to run the demos from 4.02.00 and 4.01.03? I may try to reproduce this issue here.

Thanks for your patience!

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

ajitsj3 · ‎08-03-2022

Hi @Kan_Li,

We are using "i.MX7D" platform.

Yes, we are using the same "i.MX7D" platform to run the demos from 4.02.00 and 4.01.03.

The SE05x variant is "SE05X_C" as the version returned from registers is "06_00".

# se05x_GetInfo /dev/i2c-0:0x48
App :INFO :PlugAndTrust_v04.01.03_20220331
App :INFO :Running se05x_GetInfo
App :INFO :Using PortName='/dev/i2c-0:0x48' (CLI)
App :INFO :Using default PlatfSCP03 keys. You can use keys from file using ENV=EX_SSS_BOOT_SCP03_PATH
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :WARN :#####################################################
App :INFO :uid (Len=18)
04 00 50 01 D1 D3 D4 7E 60 E8 DF 04 56 A1 22 1F
70 80
App :INFO :Running se05x_GetInfo
App :INFO :Using PortName='/dev/i2c-0:0x48' (CLI)
App :INFO :Using default PlatfSCP03 keys. You can use keys from file using ENV=EX_SSS_BOOT_SCP03_PATH
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :WARN :#####################################################
App :INFO :Applet Major = 6
App :INFO :Applet Minor = 0
App :INFO :Applet patch = 0

Kan_Li · ‎08-03-2022

Hi @ajitsj3 ,

Thanks for the information! Actually I run this demo on Raspberry Pi platform just now, but no issue found.

App :INFO :PlugAndTrust_v04.02.00_20220524
App :INFO :Running bin/se05x_Minimal
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
App :INFO :Using default PlatfSCP03 keys. You can use keys from file using ENV=EX_SSS_BOOT_SCP03_PATH
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
App :INFO :mem=32767
App :WARN :If 32768 bytes or more bytes are available, 32767 bytes free is reported.
App :INFO :se05x_Minimal Example Success !!!...
App :INFO :ex_sss Finished
pi@raspberrypi:~/se05x_mw_v04.02.00_20220701_151557/

The only difference is I set PTMW_SE05X_Ver = 03_XX as I am using OM-SE050ARD, would you please tell me the OEF ID you got from the GetInfo demo? The value is something like below:

Most likely your issue is due to the platform SCP03 keys mismatch. so if we know the exact variant from the OEF ID, we may use EX_SSS_BOOT_SCP03_PATH to check if the PlatfSCP03 keys are the root cause. For example, create a similar text file as below:

echo ENC D2DB63E7A0A5AED72A6460C4DFDCAF64 > se050E_scp_keys.txt
echo MAC 738D5B798ED241B0B24768514BFBA95B >> se050E_scp_keys.txt
echo DEK 6702DAC30942B2C85E7F47B42CED4E7F >> se050E_scp_keys.txt

(The default platfscp03 keys as well as the OEF ID for each variant can be referred from https://www.nxp.com.cn/docs/en/application-note/AN12436.pdf .)

and define the environment variable EX_SSS_BOOT_SCP03_PATH something like below:

export EX_SSS_BOOT_SCP03_PATH=~/se_mw/simw-top_build/
raspbian_native_se050_t1oi2c/bin/se050E_scp_keys.txt

Hope that makes sense,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

ajitsj3 · ‎08-04-2022

Hi @Kan_Li ,

Please find the OEF id information mentioned below.

root@evorack:~# se05x_GetInfo /dev/i2c-0:0x48
App :INFO :PlugAndTrust_v04.01.03_20220331
App :INFO :Running se05x_GetInfo
App :INFO :Using PortName='/dev/i2c-0:0x48' (CLI)
App :INFO :Using default PlatfSCP03 keys. You can use keys from file using ENV=EX_SSS_BOOT_SCP03_PATH
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :WARN :#####################################################
App :INFO :uid (Len=18)
04 00 50 01 D1 D3 D4 7E 60 E8 DF 04 56 A1 22 1F
70 80
App :INFO :Running se05x_GetInfo
App :INFO :Using PortName='/dev/i2c-0:0x48' (CLI)
App :INFO :Using default PlatfSCP03 keys. You can use keys from file using ENV=EX_SSS_BOOT_SCP03_PATH
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :WARN :#####################################################
App :INFO :Applet Major = 6
App :INFO :Applet Minor = 0
App :INFO :Applet patch = 0
App :INFO :AppletConfig = 3FFF
App :INFO :With ECDAA
App :INFO :With ECDSA_ECDH_ECDHE
App :INFO :With EDDSA
App :INFO :With DH_MONT
App :INFO :With HMAC
App :INFO :With RSA_PLAIN
App :INFO :With RSA_CRT
App :INFO :With AES
App :INFO :With DES
App :INFO :With PBKDF
App :INFO :With TLS
App :INFO :With MIFARE
App :INFO :With I2CM
App :INFO :Internal = FFFF
App :WARN :#####################################################
App :INFO :Tag value - proprietary data 0xFE = 0xFE
App :INFO :Length of following data 0x45 = 0x45
App :INFO :Tag card identification data (Len=2)
DF 28
App :INFO :Length of card identification data = 0x42
App :INFO :Tag configuration ID (Must be 0x01) = 0x01
App :INFO :Configuration ID (Len=12)
00 01 A5 64 D4 DE 6B B9 25 1E 15 92
App :INFO :OEF ID (Len=2)
A5 64

I think there should not be an issue w.r.t default keys as the same se05x_Minimal works well with "04.01.03" version of plug and trust middleware. If the issue is due to the platform SCP03 keys mismatch then the "se05x_Minimal" should not have worked with the "04.01.03" version of plug and trust middleware.

Thanks and regards

Ajit S J

ajitsj3 · ‎08-04-2022

From the document https://www.nxp.com/docs/en/application-note/AN13027.pdf I figured out that for OEFID value "A564" the se05x variant is "SE051C2" and we need to use the PTMW_SE05x_Ver=06_00 which is what even we have used. I have attached screenshot of the table for your reference. So please use the variant "SE051C2" at your and perform same tests.

I also could not find scp_keys for "SE051C2" variant. Please could you provide the same?

Thanks and regards

Ajit S J

Kan_Li · ‎08-04-2022

Hi @ajitsj3 ,

Thanks for the information! This is an expected result with SE051C2, as it has two OEF ids as shown in https://www.nxp.com/webapp/Download?colCode=AN12973 , so you have to manually confirm which default platform SCP03 keys should be used according to the OEF ID you get from the GetInfo demo. Please open the fsl_sss_ftr.h.in file which is located in: /simw-top/sss/inc. and enable the option for "A564" as below:

Then reconfigure the MW with cmake to generate a new "fsl_sss_ftr.h" in place and build it as well. You may have a result something like below:

Hope that makes sense,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------