Se05x_API_DeleteAll() on SE050E-ARD

Kan,

I have created a bin file with userId policy and your magic identifier. The code I posted above won't override it and gives error. I really need your help on this. If I cannot use the object I created with ssscli, we are locked out because that object occupies RESERVED_ID_FACTORY_RESET and I cannot delete it.

Hi @psvz ,

How did you setup the policy for the bin file? If you have disabled the delete option I am afraid it can not be deleted at all, but anyway, you can try the demo of se05x_Delete_and_test_provision out of the MW, and it also provisions the kSE05x_AppletResID_FACTORY_RESET as Auth UserID after a delete operation.

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Hi Kan

You said I could create user with that special "index" with ssscli tool, which I did. Here are my commands again:

ssscli policy userid RESERVED_ID_FACTORY_RESET 7FFF0205
ssscli set bin --policy_name RESERVED_ID_FACTORY_RESET 7FFF0205 MYSECRETUSER

Here is the output of the command you suggested:

 simw-top_build/raspbian_native_se050_t1oi2c/bin/se05x_Delete_and_test_provision
App   :INFO :PlugAndTrust_v04.02.00_20220524
App   :INFO :Running simw-top_build/raspbian_native_se050_t1oi2c/bin/se05x_Delete_and_test_provision
App   :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
App   :INFO :Using default PlatfSCP03 keys. You can use keys from file using ENV=EX_SSS_BOOT_SCP03_PATH
sss   :INFO :atr (Len=35)
      01 A0 00 00    03 96 04 03    E8 00 FE 02    0B 03 E8 00
      01 00 00 00    00 64 13 88    0A 00 65 53    45 30 35 31
      00 00 00
sss   :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
hostLib:WARN :Error in erasing ObjId=0x0000FA3E (Others)
sss   :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
hostLib:WARN :Error in erasing ObjId=0x000003E3 (Others)
App   :ERROR:# se05x_Delete_and_test_provision !!! Only for testing. NOT FOR PRODUCTION USE!!!!
sss   :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
hostLib:WARN :Error in erasing ObjId=0x0000FA3E (Others)
sss   :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
hostLib:WARN :Error in erasing ObjId=0x000003E3 (Others)
sss   :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
App   :INFO :Se05x_API_CreateCurve_prime256v1 status = 6985
App   :WARN :ECC_ATTESTATION_KEY_ID Object already exists
sss   :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
App   :INFO :Se05x_API_WriteRSAKey (Attestation key - RSA_ATTESTATION_KEY_ID) status = 6985
sss   :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
App   :INFO :Se05x_API_CreateCurve_prime256v1 status = 6985
App   :WARN :kSE05x_AppletResID_FACTORY_RESET Object already exists
App   :INFO :kSE05x_AppletResID_PLATFORM_SCP status = 9000
App   :INFO :kEX_SSS_ObjID_UserID_Auth status = 9000
App   :INFO :kEX_SSS_ObjID_UserID_Auth + 0x10 status = 9000
App   :INFO :kSE05x_AppletResID_RESTRICT status = 9000
App   :INFO :kEX_SSS_ObjID_APPLETSCP03_Auth status = 9000
App   :INFO :kEX_SSS_ObjID_APPLETSCP03_Auth + 0x10 status = 9000
App   :INFO :kSE05x_ECCurve_NIST_P256 status = 9000
App   :INFO :kSE05x_ECCurve_NIST_P256 + 0x10 status = 9000
App   :INFO :ex_sss Finished

I do not really see how it helps. It has created a lot of mess, which I'd also like to delete now.

I am pasting my relevant code again:

#include <err.h>
#include <sm_const.h>
#include <ex_sss_boot.h>
#include <fsl_sss_api.h>
#include <se05x_APDU_apis.h>
#include <fsl_sss_se05x_apis.h>

int
main(int argc, char **argv)
{
  sss_status_t        status;
  smStatus_t          sm_status;
  ex_sss_boot_ctx_t   ctx            = { 0 };
  sss_object_t        sobj           = { 0 };
  SE_Connect_Ctx_t    eraseAuthCtx   = { 0 };
  const uint8_t       userid_value[] = { 'M','Y','S','E','C','R','E','T','U','S','E','R' };

  pSe05xSession_t     coresesh = &((sss_se05x_session_t*)&ctx.session)->s_ctx;

  warnx("Make sure you have created a special user, if not, issue:");
  warnx("ssscli policy userid RESERVED_ID_FACTORY_RESET 7FFF0205");
  warnx("ssscli set bin --policy_name RESERVED_ID_FACTORY_RESET 7FFF0205 MYSECRETUSER");

  status = ex_sss_boot_open(&ctx, NULL);

  if (status != kStatus_SSS_Success) errx(1, "ex_sss_boot_se05x_open() failed");

  status = sss_key_object_init(&sobj, &ctx.host_ks);

  if (status != kStatus_SSS_Success) errx(1, "sss_key_object_init() failed");

  status = sss_key_object_allocate_handle(&sobj, 0x3A8D0E, // RANDOM
                                          kSSS_KeyPart_Default,
                                          kSSS_CipherType_UserID,
                                          sizeof(userid_value),
                                          kKeyObject_Mode_Transient);

  if (status != kStatus_SSS_Success) errx(1, "sss_key_object_allocate_handle() failed");

  status = sss_key_store_set_key(&ctx.host_ks, &sobj, userid_value,
                                 sizeof(userid_value), sizeof(userid_value) * 8,
                                 NULL, 0);

  if (status != kStatus_SSS_Success) errx(1, "sss_key_store_set_key() failed");
  /*
  sm_status  = Se05x_API_WriteUserID(coresesh, NULL, SE05x_MaxAttemps_NA,
                                     kSE05x_AppletResID_FACTORY_RESET,
                                     userid_value, sizeof(userid_value),
                                     kSE05x_AttestationType_AUTH);

  if (sm_status != SM_OK) errx(1, "Se05x_API_WriteUserID() failed %x", sm_status);
  */

  eraseAuthCtx.auth.ctx.idobj.pObj = &sobj;
  //eraseAuthCtx.tunnelCtx = ctx.se05x_open_ctx.tunnelCtx; //&retunnel;
  eraseAuthCtx.connType = ctx.se05x_open_ctx.connType; //kType_SE_Conn_Type_Channel;
  eraseAuthCtx.portName = ctx.se05x_open_ctx.portName; //NULL
  eraseAuthCtx.auth.authType = kSSS_AuthType_ID;

  sss_session_close(&ctx.session);

  status = sss_session_open(&ctx.session, kType_SSS_SE_SE05x,
                            kSE05x_AppletResID_FACTORY_RESET,
                            kSSS_ConnectionType_Password, &eraseAuthCtx);

  if (status != kStatus_SSS_Success) errx(1, "sss_session_open() failed");

  sm_status = Se05x_API_DeleteAll(coresesh);

  if (sm_status != SM_OK) errx(1, "Se05x_API_DeleteAll() failed %x", sm_status);

  return 0;
}

Just to re-iterate again: Se05x_API_WriteUserID() commented out because it fails - the ID exists. The second sss_session_open() in the code above fails with SM_ERR_COMMAND_NOT_ALLOWED.

So, my understanding is that ssscli does NOT work properly - it should never be used for anything. We do not know what it has done, but the required object ID is occupied. Could you please discuss it internally - I need to reset my SE050 to the state it had on arrival: delete everything except ORIGIN_PROVISIONED. Could you just give me some code that does it.

Hi,

i have the same issue and also used the example Code.  Do you have an improved code and can I get it?

Hi @psvz ,

My fault, the ssscli tool can be used to open a session with some UserID but can not create a secure object as UserID, I messed them up, but anyway, this tool can be used to erase such kind of secure objects with the command line like "ssscli erase xxx", if you setup the policy properly, so I am wondering how you setup the policy for bin file at 7FFF0205, did you enable the delete option for the common policy , or for some Auth ID? Please kindly clarify.

As you mentioned, "Se05x_API_WriteUserID() commented out because it fails - the ID exists. The second sss_session_open() in the code above fails with SM_ERR_COMMAND_NOT_ALLOWED." I think the root cause is due to the bin file you created occupies the ID for RESERVED_ID_FACTORY_RESET while the bin file is not an Auth ID such as UserID/ECKey/AESKey, so you could not open a session with it to perform the deleteall command.

Hope that makes sense,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Hi Kan,

I have already clarified what I have done:

ssscli policy userid RESERVED_ID_FACTORY_RESET 7FFF0205
ssscli set bin --policy_name RESERVED_ID_FACTORY_RESET 7FFF0205 MYSECRETUSER

You tell me what kind of things have happened after this. What I can confirm with debugger:

Se05x_API_CreateSession(): SM_ERR_COMMAND_NOT_ALLOWED

Se05x_API_DeleteSecureObject(session, 0x7FFF0205): SM_ERR_COMMAND_NOT_ALLOWED

So, we are locked out, and I was wondering what my options are?

NB you can dump policy and see all nice things there, but they are all lies because ssscli can't even readIdList properly.

Hi @psvz ,

I am not sure if you have checked the ssscli help manual already, but ssscli set bin is used to set a secure object as Binary not UserID, that is the main reason your code can not run properly , the only way is to erase this binary file and create a UserID Auth object instead with the same id , but I am not aware of the policy you set for RESERVED_ID_FACTORY_RESET, so far you haven't provided any info regarding this topic. Would you please clarify?

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Hi Kan,

Since you initially mentioned I could use ssscli to fix missing RESERVED_ID_FACTORY_RESET userID, I thought this line:

ssscli policy userid RESERVED_ID_FACTORY_RESET 7FFF0205

would do it for us. I can't understand what clarification you ask for in the last three replies: I did NOT do anything apart from the line above. I do NOT set any other polices in any way or form. The line above is the only policy related thing I did. The line above created a .pkl file with some policy, you can examine it yourself if you like. After the line above, I issued the following comand:

ssscli set bin --policy_name RESERVED_ID_FACTORY_RESET 7FFF0205 MYSECRETUSER

This command used that .pkl file. The problem is that ssscli is faulty, and it does not do what it says it does. I would like to repeat it again, I did NOT set any policies other than with commands above.

I do not understand what this phrase means: "the only way is to erase this binary file and create a UserID Auth object instead". Are you saying there is a way to delete the object other than Se05x_API_DeleteSecureObject() ??? I would like to repeat myself again - Se05x_API_DeleteSecureObject is NOT allowed.

Hi @psvz ,

The command to generate a policy for userid is ok ,but the problem here is the auth_obj_id in the end, in your case it is set as 7FFF0205, actually the auth_obj_id in the policy means the user who has the access rights specified in this policy, so in your case, only authentication object with id of 7FFF0205 can access the secure objects attached with this policy, but then you created a binary file with the same ID of 7FFF0205 and attached this policy, this leads to only this secure object can access itself, but as this secure object is a binary file which can not be used to open a session, because only UserID/ECKey/AESKey can do that, so the result is no one can access/delete this binary file which occupies the ID for RESERVED_ID_FACTORY_RESET forever . 

Normally we set the auth_obj_id as 0x00000000 for a policy, 0x00000000 here means all other users, so you can access the secure objects with this kind of policy in the default session. For example,

This kind of policy can also be assigned to a binary file:

but the secure object itself is always a binary file, not USERID. and since the auth_obj_id is set as all other users, we may delete this object in the default session.

The device on your hand can still work but just can not perform the deleteall command as the ID of  RESERVED_ID_FACTORY_RESET is occupied by a binary file which can not be erased. If you fell unhappy with that, you may submit a private ticket for warranty according to the following video :

https://www.nxp.com/video/tutorial-for-nxp-support-case-portal:NCP-VIDEO

Sorry for the inconvenience that has caused.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Hi Kan,

Thanks a lot for this explainer! I appreciate your help. So, what I have missed completely is this: "actually the auth_obj_id in the policy means the user who has the access rights specified in this policy". My take was that ssscli set a binary object as a user if I create a policy saying userID=objectID. Anyway, I think the best is to not use ssscli for creation of critical objects with reserved IDs. I am now comfortable with my c code for that.

When you say that I could create a private warranty ticket - what are my options? Is it for replacement of the SE050E-ARD board under warranty or would you be able to reset it remotely under such ticket?

Hi @psvz ,

You may just create a private ticket according to https://www.nxp.com/video/tutorial-for-nxp-support-case-portal:NCP-VIDEO and tell me the ticket number when it is available, and then I will assign this ticket to the proper team who provides further assistance .

Hope that makes sense,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Hi Kan, sure - here we go: 00512235

Hi @psvz ,

Thanks for the information! I have forwarded this ticket to the team. 

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------