I am evaluating se050 as secure element for our Yocto-based SAMA5D3 board.
I would like to use the secure element as engine for openssl, but there seem to be some problems in making the system to work correctly.
I have built openssl version 3.0.0-alpha10-dev and it works correctly with built-in crypto. Now what I need is to use se050 as the crypto engine for it.
I have built libsss_engine.so with Plug & Trust SDK 3.0.5 but have trouble getting openssl to recognize the engine. I am able to build and run the simple example executables (like se05x_InjectCertificate / se05x_GetCertificate) to interface to the chip and I know it is wired up correctly on the i2c bus.
What exactly are the steps needed to create a shared library for openssl to use and how to configure it?
How do I correctly specify the openssl command line to use the se050 as engine?
For example I cannot find info on what parameter to pass to openssl to tell that the chip is on /dev/i2c-0:0x48
Hello @juiceme ,
We provide a document on this topic, please kindly refer to "simw-top/doc/sss/plugin/openssl/scripts/readme.html#intro-openssl-engine" for details.
Hope that helps,
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
Thanks for your reply, @Kan_Li
I have read the said documentation, and it says that the engine should be compatible with OpenSSL versions 1.0.2 or 1.1.1.
I have tried it with version 1.1.1h (git hash f123043faa) and it does not seem to work.
Are there some extra options I need to pass to cmake when building it?
Hi @juiceme ,
The supported openSSLversions are 1.0.2 and 1.1.1 and will be compiled using for either of these versions depending on the detected available version. For me they load for sure fine up to 1.1.1g (i.mx8m sd card image). This is described (together with the compilation/installation/configuration) in
simw-top/doc/sss/plugin/openssl/scripts/readme.html
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
Again, thanks for your kind reply.
Please note that I was unable to answer to my ticket #00321983 on the NXP suport because some "Salesforce Problem" seems to not let me login there...?
However, I recompiled the openssl engine with the modification to use /dev/i2c-0 as the default device as you suggested.
Here are the details on how I am compiling and the error that I get when trying to use the engine with openssl on the target board. (Note that I also verified that my toolchain is correct by compiling a small skeleton engine that does really nothing, just to see that the registration and openssl versions match...)
----- Commands to build libsss_engine.so from scratch -----
cd simw-top/
python scripts/create_cmake_projects.py
cd ../simw-top_build/imx_cc_se050_t1oi2c/
cmake -DCMAKE_VERBOSE_MAKEFILE=yes -DCMAKE_INSTALL_PREFIX=/usr --build .
cd sss/plugin/openssl/
make
----- Copy the library to target, and check with openssl -----
[juice@thranx openssl]$ scp libsss_engine.so root@10.0.0.7:/usr/local/lib/      libsss_engine.so 100%  1090KB 739.6KB/s 00:01
[juice@thranx openssl]$
juice@platypus:~$ ssh root@10.0.0.7
root@eke32:~#
root@eke32:~# export LD_LIBRARY_PATH=/usr/local/lib
root@eke32:~#
root@eke32:~# openssl engine -t -c /usr/local/lib/libsss_engine.so
3069490160:error:260B606D:engine routines:dynamic_load:init failed:crypto/engine/eng_dyn.c:485:
3069490160:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:334:id=/usr/local/lib/libsss_engine.so
root@eke32:~#
I include below a full text output from make.
Hi @juiceme ,
The way of loading the engine looks wrong. Either the engine should be loaded using a config file (as in simw-top/doc/sss/plugin/openssl/scripts/readme.html):
root@raspberrypi:/home/pi/03.00.05/simw-top/demos/linux/common# OPENSSL_CONF=/home/pi/03.00.05/simw-top/demos/linux/common/openssl11_sss_se050.cnf  openssl  engine  -t
ssse-flw: EmbSe_Init(): Entry
App   :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
sss   :INFO :atr (Len=35)
      00 A0 00 00    03 96 04 03    E8 00 FE 02    0B 03 E8 08
      01 00 00 00    00 64 00 00    0A 4A 43 4F    50 34 20 41
      54 50 4F
sss   :WARN :Communication channel is Plain.
sss   :WARN :!!!Not recommended for production use.!!!
ssse-flw: Version: 1.0.5
ssse-flw: EmbSe_Init(): Exit
(dynamic) Dynamic engine loading support
     [ unavailable ]
(e4sss) se hardware engine support
     [ available ]
ssse-flw: EmbSe_Finish(): Entry
ssse-flw: EmbSe_Finish(): Exit
ssse-flw: EmbSe_Destroy(): Entry
Or the parameters gets set like this on the command line:
root@raspberrypi:~# EX_SSS_BOOT_SSS_PORT=/dev/i2c-1:0x48 openssl engine -t  -pre SO_PATH:/usr/local/lib/libsss_engine.so -pre ID:e4sss  -pre LIST_ADD:1 -pre LOAD
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/libsss_engine.so
[Success]: ID:e4sss
[Success]: LIST_ADD:1
[Success]: LOAD
Loaded: (e4sss) se hardware engine support
     ssse-flw: EmbSe_Init(): Entry
App   :INFO :Using PortName='/dev/i2c-1:0x48' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-1:0x48)
sss   :INFO :atr (Len=35)
      00 A0 00 00    03 96 04 03    E8 00 FE 02    0B 03 E8 08
      01 00 00 00    00 64 00 00    0A 4A 43 4F    50 34 20 41
      54 50 4F
sss   :WARN :Communication channel is Plain.
sss   :WARN :!!!Not recommended for production use.!!!
ssse-flw: Version: 1.0.5
ssse-flw: EmbSe_Init(): Exit
[ available ]
ssse-flw: EmbSe_Finish(): Entry
ssse-flw: EmbSe_Finish(): Exit
ssse-flw: EmbSe_Destroy(): Entry
Depending on the build options used maybe on top other dependencies of the engine needs to be copied as well:
root@raspberrypi:~# ldd /usr/local/lib/libsss_engine.so
        linux-vdso.so.1 (0xbebed000)
        /usr/lib/arm-linux-gnueabihf/libarmmem-${PLATFORM}.so => /usr/lib/arm-linux-gnueabihf/libarmmem-v7l.so (0xb6f72000)
        libex_common.so => /usr/local/lib/libex_common.so (0xb6f5c000)
        libSSS_APIs.so => /usr/local/lib/libSSS_APIs.so (0xb6f15000)
        liba7x_utils.so => /usr/local/lib/liba7x_utils.so (0xb6f01000)
        libssl.so.1.1 => /usr/lib/arm-linux-gnueabihf/libssl.so.1.1 (0xb6e82000)
        libcrypto.so.1.1 => /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.1 (0xb6c69000)
        libse05x.so => /usr/local/lib/libse05x.so (0xb6c45000)
        libsmCom.so => /usr/local/lib/libsmCom.so (0xb6c28000)
        libpthread.so.0 => /lib/arm-linux-gnueabihf/libpthread.so.0 (0xb6bfe000)
        libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0xb6ab0000)
        libdl.so.2 => /lib/arm-linux-gnueabihf/libdl.so.2 (0xb6a9d000)
        /lib/ld-linux-armhf.so.3 (0xb6fa2000)
Hope that helps,
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
This is what happens when I am trying to identify the engine with openssl;
root@eke32:~# ls -l /usr/local/lib
drwxrwxr-x 2 1000 1000 376 Aug 20 2020 engines-3
-rw-r--r-- 1 1000 1000 22773240 Dec 4 2020 libcrypto.a
lrwxrwxrwx 1 root root 14 Aug 28 2020 libcrypto.so -> libcrypto.so.3
-rwxr-xr-x 1 1000 1000 14007952 Dec 4 2020 libcrypto.so.3
-rw-r--r-- 1 1000 1000 4196522 Dec 4 2020 libssl.a
lrwxrwxrwx 1 root root 11 Aug 28 2020 libssl.so -> libssl.so.3
-rwxr-xr-x 1 1000 1000 2667016 Dec 4 2020 libssl.so.3
-rwxr-xr-x 1 root root 1115640 Aug 23 2020 libsss_engine.so
drwxrwxr-x 2 1000 1000 296 Aug 28 2020 ossl-modules
drwxrwxr-x 2 1000 1000 376 Aug 28 2020 pkgconfig
drwxr-xr-x 2 root root 240 Aug 20 16:57 systemd
root@eke32:~#
root@eke32:~# openssl engine -t -c /usr/local/lib/libsss_engine.so
8062F3B6:error:1300006D:engine routines:dynamic_load:init failed:crypto/engine/eng_dyn.c:489:
8062F3B6:error:13000074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:338:id=/usr/local/lib/libsss_engine.so
root@eke32:~#
