call to "GP_Select" and AccessManager

grzegorz2 · ‎03-03-2022

Hi

I see a problem with accessManager and I want to ask what am I doing wrong.

When I build Plug & Trust software with these options:

PTMW_Host=Raspbian
PTMW_Applet=SE05X_A
CMAKE_BUILD_TYPE=Release
PTMW_HostCrypto=OPENSSL
PTMW_SCP=SCP03_SSS
PTMW_SMCOM=T1oI2C

Then I can run example "se05x_GetInfo" without any issues but if I want to use accessManager (which was build with above options) I have an error.

To run "se05x_GetInfo" I built Plug & Trust again with below options:

PTMW_Host=Raspbian
PTMW_Applet=SE05X_A
CMAKE_BUILD_TYPE=Release
PTMW_HostCrypto=OPENSSL
PTMW_SCP=None
PTMW_SMCOM=JRCP_V1_AM

I noticed that call to "GP_Select" fails in the example "se05x_GetInfo". I pasted output from this example below (accessmanager didn't print any errors):

# ./se05x_GetInfo
App :INFO :PlugAndTrust_v04.01.01_20220112
App :INFO :Running ./se05x_GetInfo
App :INFO :Using PortName='localhost:8040' (ENV: EX_SSS_BOOT_SSS_PORT=localhost:8040)
smCom :WARN :nxEnsure:'nSuccess != 1' failed. At Line:130 Function:getSocketParams
App :WARN :nxEnsure:'conn_ctx != NULL' failed. At Line:156 Function:sems_lite_session_open
App :WARN :No SemsLite Applet Available.
App :INFO :Running ./se05x_GetInfo
App :INFO :Using PortName='localhost:8040' (ENV: EX_SSS_BOOT_SSS_PORT=localhost:8040)
smCom :WARN :nxEnsure:'nSuccess != 1' failed. At Line:130 Function:getSocketParams
sss :INFO :Newer version of Applet Found
sss :INFO :Compiled for 0x30100. Got newer 0x30600
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
App :WARN :#####################################################
App :INFO :uid (Len=18)
04 00 50 01 54 72 09 C9 9B 39 B1 04 33 03 89 99
00 00
App :WARN :#####################################################
App :INFO :Applet Major = 3
App :INFO :Applet Minor = 6
App :INFO :Applet patch = 0
App :INFO :AppletConfig = 61D2
App :INFO :WithOut ECDAA
App :INFO :With ECDSA_ECDH_ECDHE
App :INFO :WithOut EDDSA
App :INFO :WithOut DH_MONT
App :INFO :With HMAC
App :INFO :WithOut RSA_PLAIN
App :INFO :With RSA_CRT
App :INFO :With AES
App :INFO :With DES
App :INFO :WithOut PBKDF
App :INFO :WithOut TLS
App :INFO :WithOut MIFARE
App :INFO :With I2CM
App :INFO :Internal = 010B
App :ERROR:Could not select ISD.
App :ERROR:se05x_GetInfoPlainApplet Example Failed !!!...
App :INFO :ex_sss Finished
App :ERROR:ex_sss_entry Failed
App :ERROR:!ERROR! ret != 0.

I also using OpenSSL plugin, I can generate and use private keys on SE050 with accessManager without any issues but I wanted to ask why this call fails when I am using accessManager, am I missing something?

Another thing is that I see many errors related with I2C

ambarella-i2c e400a000.i2c: No ACK from address 0x91, 0:0!

Regards

Kan_Li · ‎03-31-2022

Hi @grzegorz2 ,

Thanks for the clarification! I understand now, but after checking with the expert, if you have lost the

the PlatfromSCP keys which are set on SE050F there is no way to recover.

But as preventive measure e.g. an additional Platform SCP keyset can be created on the SE. This works exactly like rotating the Platform SCP keys, but on the put-key command you specify a different (new) keyset number (e.g. 12) instead of the existing one (11). This stored keys could be e.g. set in factory and be kept there in a backup system to allow to recover communication to the SE using the alternative keyset.

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

View solution in original post

Kan_Li · ‎03-04-2022

Hi @grzegorz2 ,

Actually it is the expected behavior for the case of se05x_GetInfo working with AccessManager. Indeed the access manager intentionally does not support additional GP select commands. Reason is that in normal operation a client sending a GP select would interrupt the potential open sessions from other client as the IoT applet gets deselected. Allowing the AccessManager for supporting the GP select commands is under discussion, but there will for sure be no fast solution.

For time being, the AccessManager does not support GetInfo.

Hope that makes sense,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

grzegorz2 · ‎03-08-2022

Hi @Kan_Li

Thanks for clarification.

I was looking at this GetInfo example because I wanted to get some information about this chip:

Configuration ID, Patch ID, Platform build ID, ROM ID and I wanted to know if FIPS mode is active or not. If I understand correctly getting all of this information is not possible in my setup? Is there another way to get this information without calling GP_Select?

Kan_Li · ‎03-08-2022

Hi @grzegorz2 ,

I am sorry, but GP_Select is needed to fetch such info, and you have to run the GetInfo demo without AccessManager.

Sorry for the inconvenience that might cause.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

grzegorz2 · ‎03-28-2022

Hi @Kan_Li

Does SE050 has a procedure for factory cleanup/reset all data? I'm afraid that I will lost whole device SE050 when I lost my SCP keys because I will not able to connect to SE050 in that case. Is it possible to restore SE050 without SCP keys?

Regards

Kan_Li · ‎03-28-2022

Hi @grzegorz2 ,

Yes, there is such kind of demo available , you may refer to "simw-top/doc/demos/se05x/se05x_Delete_and_test_provision/Readme.html" for more details.

The binary can be found in "simw-top\binaries\PCWindows", for example, VCOM-None-se050_Delete_and_test_provision, with the help of FRDM-K64 board with "se05x_vcom-T1oI2C-frdmk64f.bin" pre-installed(locates in "simw-top\binaries\MCU\se05x"). You may refer to https://www.nxp.com/docs/en/application-note/AN12398.pdf for more details.

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

grzegorz2 · ‎03-30-2022

Hi @Kan_Li

Thanks for answer but it doesn't work for me. Maybe I don't understand something. Firstly I ran "se05x_RotatePlatformSCP03Keys" with commented out original SCP keys so I left my device with these keys:

ENC 404142434445464748494a4b4c4d4e4f
MAC 404142434445464748494a4b4c4d4e4f
DEK 404142434445464748494a4b4c4d4e4f

Everything works when I use these keys but let's assume that I want to reset this device to factory state because I lost these keys (so I'm expecting that everything will be removed from the device and SCP keys will be automatically restored to the original ones).

Regarding to the "Readme.rst" I built the example "se05x_Delete_and_test_provision" with flag "SE05X_Auth=None" and tried to run and this is the output:

# ./se05x_Delete_and_test_provision /dev/i2c-2
App :INFO :PlugAndTrust_v04.01.01_20220112
App :INFO :Running ./se05x_Delete_and_test_provision
App :INFO :Using PortName='/dev/i2c-2' (CLI)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :INFO :Newer version of Applet Found
sss :INFO :Compiled for 0x30100. Got newer 0x30600
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6884 Function:sss_se05x_TXn
App :ERROR:# se05x_Delete_and_test_provision !!! Only for testing. NOT FOR PRODUCTION USE!!!!
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6884 Function:sss_se05x_TXn
App :WARN :kSE05x_AppletResID_UNIQUE_ID Missing. Injecting Dummy KEY!.
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6884 Function:sss_se05x_TXn
App :INFO :sw_status=0x6985
sss :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6884 Function:sss_se05x_TXn
App :ERROR:Failed Se05x_API_DeleteAll
App :INFO :ex_sss Finished
App :ERROR:ex_sss_entry Failed
App :ERROR:!ERROR! ret != 0.

I'm using evaluation kit with SE050F so it should require SCP mode but such reset procedure must work in plain mode (because I don't have SCP keys). Is it possible?

We want to use SE050 on our cameras and generate SCP keys on each camera separately. In case when we lost keys because somebody will flash camera again or trigger a factory reset etc. we will lost these keys so it must be a procedure to restore this SE050 to the factory state. If it will be not possible we must set the same SCP keys on all cameras and keep them forever which looks insecure

Regards

Kan_Li · ‎03-30-2022

Hi @grzegorz2 ,

What do you mean with " reset this device to factory state" ? Did you send the DeleteAll command to SE050? Please kindly clarify.

The example "se05x_Delete_and_test_provision" can also be built with flag "SE05X_Auth=value other than None", for example , you may find the file of "VCOM-PlatfSCP03-se050_Delete_and_test_provision.exe" in "simw-top\binaries\PCWindows" as a reference, and of course, you may use your own platform keys with this bin file, as mentioned below:

PS C:\se050_middleware\simw-top\binaries\PCWindows> .\VCOM-PlatfSCP03-se050_Delete_and_test_provision.exe
App :INFO :PlugAndTrust_v04.01.00_20211214
App :INFO :Running C:\se050_middleware\simw-top\binaries\PCWindows\VCOM-PlatfSCP03-se050_Delete_and_test_provision.exe
App :INFO :Using PortName='\\.\COM7' (gszCOMPortDefault)
App :INFO :If you want to over-ride the selection, use ENV=EX_SSS_BOOT_SSS_PORT or pass in command line arguments.
App :WARN :Using SCP03 keys from:'C:\nxp\SE05X\plain_scp.txt' (FILE=C:\nxp\SE05X\plain_scp.txt)

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

grzegorz2 · ‎03-31-2022

Hi @Kan_Li

What do you mean with " reset this device to factory state" ?

If I buy a new SE050F it has some default configuration such as SCP keys defined in document "AN12436
SE050 configurations" and some provisioned objects under IDs reserved for Applet etc.

During lifetime of this device I will change SCP keys or add some private ec keys to SE050F or other objects. "Reset to factory state" I mean that this is a procedure that will restore this SE050F to the same state just after I bought it. So I will expect that all my uploaded objects will be removed and SCP keys that I changed will be also removed (and default SCP keys will be set according to the AN12436 document).

But I have a problem with this because I don't see a possibility to do it.

Of course I found DeleteAll function in "simw-top/hostlib/hostLib/se05x_03_xx_xx/se05x_APDU_impl.h"

smStatus_t Se05x_API_DeleteAll(pSe05xSession_t session_ctx)

But this function requires session_ctx. To have this session_ctx I have to open session. To open session I have to provide SCP keys and this is a problem because I don't have my SCP keys. I can't open session in plain text because this SE050F requires SCP mode.

So when SE050F requires SCP session (plain text mode is rejected) and I changed SCP keys and I lost these keys then this SE050F is unusable because I'm unable to connect to it and this is no "reset to factory" procedure to back it to the working state (I expected that this procedure will remove all my existing objects because of security reasons). Am I correct? Looks like "DeleteAll" still needs opened session (so proper SCP keys are required) to be executed but maybe I misunderstood something.

I'm unable to run any Windows binary. This SE050F is mounted on the camera with Linux and connected with I2C bus only. I don't even have python on this system (I can't use "ssscli") so I can use only Linux binaries which can send commands via I2C bus.

The example "se05x_Delete_and_test_provision" can also be built with flag "SE05X_Auth=value other than None"

I tried but it doesn't work because I still need to provide SCP keys that I don't have.

What we wanted to do is just generate SCP keys on this camera internally and there is a possibility to lost them. If SE050 can't be used without these lost SCP keys then we will have to set the same (and of course well known by us) SCP keys on hundreds of cameras.

Thanks for help

Regards

Kan_Li · ‎03-31-2022

Hi @grzegorz2 ,

Thanks for the clarification! I understand now, but after checking with the expert, if you have lost the

the PlatfromSCP keys which are set on SE050F there is no way to recover.

But as preventive measure e.g. an additional Platform SCP keyset can be created on the SE. This works exactly like rotating the Platform SCP keys, but on the put-key command you specify a different (new) keyset number (e.g. 12) instead of the existing one (11). This stored keys could be e.g. set in factory and be kept there in a backup system to allow to recover communication to the SE using the alternative keyset.

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

grzegorz2 · ‎03-09-2022

Hi @Kan_Li

Ok, I understand, thanks for answer.

I have two offtopic questions:

1. Does SE050 has any procedure to do factory reset? For example when I loose scp keys. Is it possible to reset device and restore factory settings? (with removing all existing private keys/certificates etc.)

2. The next thing are below errors I can see on my system:

ambarella-i2c e400a000.i2c: No ACK from address 0x91

Looks like this chip does not send ACK for read address (0x91) which is quite strange for me because it looks like SE050 works ok. May it be caused because accessManager send read requests too fast and do some retries?

Regards

EDIT:

The second issue was caused by my hardware setup and I will resolved it but I still don't know how to restore my device if it will be possibly not reachable (for example when I lost scp keys).