Unable to Retrieve ECC Curve Details from SE050 using Plug & Trust Nano Package

krsuresh
Contributor III

Hi Team,

I am currently using the Plug & Trust Nano package to read the ECC curve details from the SE050.
However, I am consistently receiving zero values for the curve details, even though the function call returns a success status.

I have reviewed the APDU configuration and verified my setup based on the following NXP community discussion, but I did not find any issues:
https://community.nxp.com/t5/Secure-Authentication/Read-ECC-Curvelist-fails-when-SCP03-enabled/m-p/1...

Could you please advise on the possible cause of this issue and how I can correctly retrieve the ECC curve details from the SE050?

Environment details:

SE050 variant: SE050-C and SE050-F
Package: Plug & Trust Nano
SCP03 status: Enabled
Host platform: Raspberry Pi

Code Details:

    status = Se05x_API_ReadECCurveList(&se05x_session, curveList, &curveListLen);
    printf("curveListLen: %zu\n", curveListLen); /* curveListLen is a size_t */
    if (status == SM_OK) {
        printf("Supported ECC Curves:\n");
        for (i = 0; i < curveListLen; i++) {
            printf(" Curve ID: 0x%02X\n", curveList[i]);
        }
    } else {
        printf("Failed to read curve list\n");
    }

    smStatus_t Se05x_API_ReadECCurveList(pSe05xSession_t session_ctx, uint8_t *data, size_t *pdataLen)
    {
        smStatus_t retStatus = SM_NOT_OK;
        tlvHeader_t hdr = {{kSE05x_CLA, kSE05x_INS_READ, kSE05x_P1_CURVE, kSE05x_P2_LIST}};
        size_t cmdbufLen = 0;
        uint8_t *pCmdbuf = NULL;
        int tlvRet = 0;
        uint8_t *pRspbuf = NULL;
        size_t rspbufLen = 0;

        ENSURE_OR_GO_CLEANUP(session_ctx != NULL);

        memset(session_ctx->apdu_buffer, 0, sizeof(session_ctx->apdu_buffer));

        /* Command and response share the session's APDU buffer. */
        pCmdbuf = &session_ctx->apdu_buffer[0];
        pRspbuf = &session_ctx->apdu_buffer[0];
        rspbufLen = sizeof(session_ctx->apdu_buffer);

        SMLOG_D("APDU - Se05x_API_ReadECCurveList [] \n");

        retStatus = DoAPDUTxRx(session_ctx, &hdr, session_ctx->apdu_buffer, cmdbufLen, pRspbuf, &rspbufLen, 1);

        if (retStatus == SM_OK) {
            size_t rspIndex = 0;
            /* Copy the TAG_1 payload into data; *pdataLen is updated by the TLV helper. */
            tlvRet = tlvGet_u8buf(pRspbuf, &rspIndex, rspbufLen, kSE05x_TAG_1, data, pdataLen);
            if (0 != tlvRet) {
                goto cleanup;
            }
            /* The two bytes after the payload are the status word. */
            if ((rspIndex + 2) == rspbufLen) {
                retStatus = (pRspbuf[rspIndex] << 8 | (pRspbuf[rspIndex + 1]));
            }
        }
        if (retStatus == SM_ERR_ACCESS_DENIED_BASED_ON_POLICY) {
            SMLOG_I("Denied to ReadECCurveList");
        }

    cleanup:
        return retStatus;
    }

 

Thanks,

Sureshkumar R
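
Added example (not part of the original post and not NXP's code): in the function posted above, a TLV parse failure and a response-length mismatch both leave retStatus at SM_OK, so a success return does not prove the output buffer was filled. The stand-alone parser below fails closed in those cases and also passes through a bare status word such as the 0x6985 reported later in this thread. All ex_/EX_ names are hypothetical, the value 0x41 for kSE05x_TAG_1 is an assumption, and the sample responses are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_TAG_1     0x41u   /* assumed value of kSE05x_TAG_1 */
#define EX_SW_OK     0x9000u /* success status word (SM_OK) */
#define EX_MALFORMED 0xFFFFu /* hypothetical marker: response did not parse */

/* Parse "41 LL <payload> SW1 SW2" or a bare "SW1 SW2" (short-form LL only).
 * *out_len: capacity on entry; payload length on exit, 0 unless SW is 0x9000. */
uint16_t ex_parse_curve_list(const uint8_t *rsp, size_t rsp_len, uint8_t *out, size_t *out_len)
{
    size_t cap = *out_len, len;
    uint16_t sw;

    *out_len = 0; /* never leave a stale length for the caller to print */
    if (rsp_len < 2) return EX_MALFORMED;
    if (rsp_len == 2) /* status word only, e.g. 69 85 */
        return (uint16_t)((rsp[0] << 8) | rsp[1]);
    if (rsp[0] != EX_TAG_1 || rsp[1] > 0x7F) return EX_MALFORMED;
    len = rsp[1];
    /* Exactly two status bytes must follow the payload, and it must fit. */
    if (rsp_len - 2 != len + 2 || len > cap) return EX_MALFORMED;
    sw = (uint16_t)((rsp[2 + len] << 8) | rsp[3 + len]);
    if (sw == EX_SW_OK) {
        memcpy(out, &rsp[2], len);
        *out_len = len;
    }
    return sw;
}

/* Constructed sample responses (not captured from a device). */
static const uint8_t EX_RSP_OK[]    = {0x41, 0x03, 0x02, 0x01, 0x01, 0x90, 0x00};
static const uint8_t EX_RSP_SHORT[] = {0x41, 0x03, 0x02, 0x90, 0x00}; /* payload truncated */
static const uint8_t EX_RSP_SW[]    = {0x69, 0x85};
static uint8_t ex_buf[16];
static size_t ex_len;

uint16_t ex_try(const uint8_t *rsp, size_t n, size_t cap)
{
    ex_len = cap; /* the in/out length must carry the buffer capacity in */
    return ex_parse_curve_list(rsp, n, ex_buf, &ex_len);
}

int main(void)
{
    uint16_t sw = ex_try(EX_RSP_OK, sizeof EX_RSP_OK, sizeof ex_buf);
    printf("SW=0x%04X payload bytes=%zu\n", (unsigned)sw, ex_len);
    return 0;
}
```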

7 Replies

krsuresh
Contributor III

Please find the APDU log details.

krsuresh_0-1762823698890.png

 

Kan_Li
NXP TechSupport

Hi @krsuresh ,

Thanks for the info! Have you tried plain communication with the SE050C? The log should look something like the one below:

Kan_Li_0-1762828359549.png

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

krsuresh
Contributor III

Hi @Kan_Li,

Thank you for your prompt response.

Please find attached the APDU log details captured in open mode. I have observed that the Se05x_API_ReadECCurveList API returns a failure in open mode, whereas it executes successfully in secure mode.

Kindly review the provided details and advise if there are any steps or configurations I might have missed in the flow.

Build steps followed:

$ cmake ..
$ make
$ ./build/src/se05x_app

krsuresh_0-1762830074736.png

 

Thanks,

Sureshkumar R

krsuresh
Contributor III

Hi @Kan_Li,

While generating an ECC key pair, the Se05x_API_WriteECKey function returns 0x6985 on the SE050-C board.
The same code was working fine on this board previously, and it is still working correctly on the SE050-F board.
This issue occurred suddenly, and I am unable to determine the cause. Kindly help me to resolve this issue.
 
SE05x_ECCurve_t curveID = kSE05x_ECCurve_NIST_P256;
 
    status = Se05x_API_WriteECKey(
        &se05x_session, NULL, 0, keyID, curveID, NULL, 0, NULL, 0, kSE05x_INS_NA, kSE05x_KeyPart_Pair);
    if (status != SM_OK) {
        SMLOG_E("Error in Se05x_API_WriteECKey \n");
        return 1;
    }




Thanks,

Sureshkumar R

Kan_Li
NXP TechSupport

Hi @krsuresh ,

 

Thanks for the info! Have you modified the source code of the nano package? It looks like your code is different from the code in the GitHub repo. Please kindly refer to https://github.com/NXPPlugNTrust/nano-package/blob/737b61c527d4145f6dc96db9b51e22a4067ca09c/lib/apdu... for details.

 

Have a great day,
Kan


krsuresh
Contributor III
I have not made any code changes. I am using the older Plug & Trust package version v1.2.1 because, in the latest version, I am facing build issues when building with SCP03 mode (PLUGANDTRUST_SCP03) enabled.
 
The steps I followed to build in SCP mode are:
mkdir build && cd build
cmake -DPLUGANDTRUST_SCP03=ON ..
make
 
/usr/bin/ld: build/libse05x_lib.a(se05x_APDU_impl.c.o): in function `Se05x_API_SessionOpen':
se05x_APDU_impl.c:(.text+0x384): undefined reference to `Se05x_API_SCP03_CreateSession'
/usr/bin/ld: build/libse05x_lib.a(se05x_tlv.c.o): in function `DoAPDUTx':
se05x_tlv.c:(.text+0xe90): undefined reference to `Se05x_API_SCP03_Encrypt'
/usr/bin/ld: se05x_tlv.c:(.text+0xf0c): undefined reference to `Se05x_API_SCP03_Decrypt'
/usr/bin/ld: build/libse05x_lib.a(se05x_tlv.c.o): in function `DoAPDUTxRx':
se05x_tlv.c:(.text+0x11d0): undefined reference to `Se05x_API_SCP03_Encrypt'
/usr/bin/ld: se05x_tlv.c:(.text+0x1248): undefined reference to `Se05x_API_SCP03_Decrypt'
collect2: error: ld returned 1 exit status
make[2]: *** [CMakeFiles/ex_se05x_GetInfo.dir/build.make:114: ex_se05x_GetInfo] Error 1
make[1]: *** [CMakeFiles/Makefile2:100: CMakeFiles/ex_se05x_GetInfo.dir/all] Error 2
make: *** [Makefile:91: all] Error 2
 
 
The same issue is observed in both the older and the latest code versions, even when operating in open (non-SCP) mode.
 
./ex_se05x_sign 
Se05x Sign Example !
Plug and Trust nano package - version: 1.5.4 
I2C driver supports plain i2c-level commands.
Generate ecc key 
Error in Se05x_API_WriteECKey 
SE05x Sign Example Failed !
 
 
./ex_se05x_sign 
Se05x Sign Example !
Plug and Trust nano package - version: 1.2.1 
I2C driver supports plain i2c-level commands.
Generate ecc key 
Error in Se05x_API_WriteECKey 
SE05x Sign Example Failed !
 
Thanks,
Sureshkumar R
krsuresh
Contributor III

Hi @Kan_Li,

I believe this issue began after executing the kSE05x_ECCurve_NIST_P384 / kSE05x_ECCurve_NIST_P521 sample. Based on the Plug & Trust full package, the se05x_Minimal and se05x_GetInfo examples are functioning correctly; however, the ex_ecc and ex_ecc_rsa examples are failing. Could it be that the secure memory has been locked? I am still able to perform Se05x_API_WriteBinary operations using the Nano package.
Kindly advise if there is any option to perform a complete reset of the SE050 device.

 

Thanks,

Sureshkumar R
