se05x_API_DeleteAll_Iterative() of Plug and trust middleware

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决

se05x_API_DeleteAll_Iterative() of Plug and trust middleware

跳至解决方案
2,042 次查看
kei_odagiri
Contributor III

Hello,

I'm developing an app to delete some secure objects of se050, so to speak a reset command. The app utilizes Se05x_API_DeleteAll_Iterative(), and I found a phenomenon that secure objects having keyid from 1 to 3 are not deleted. I did quick check for source code in plug and trust middle ware.

I think SE05X_OBJID_TP_MASK causes the phenomenon which the secure objects aren't deleted.

https://github.com/NXP/plug-and-trust/blob/v04.02.00/hostlib/hostLib/se05x/src/se05x_mw.c#L51

            else if (!SE05X_OBJID_TP_MASK(id) && id) {
                LOG_D("Not erasing Trust Provisioned objects");
            }

 

https://github.com/NXP/plug-and-trust/blob/v04.02.00/sss/ex/inc/ex_sss_objid.h#L31

#define SE05X_OBJID_TP_MASK(X)              (0xFFFFFFFC & (X))

 

Kei Odagiri

Atmark techno,Inc.

标签 (1)
0 项奖励
回复
1 解答
2,015 次查看
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @kei_odagiri ,

 

Yes, the range of keyid from 1 to 0x7BFFFFFF is opened to users, but there are cases customers trust provision some secure objects there, and SE05X_OBJID_TP_MASK can be used to prevent deleting such kind of objects accidently , but of course users may adjust SE05X_OBJID_TP_MASK definition according to their requirements.

 

Hope that makes sense,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

在原帖中查看解决方案

0 项奖励
回复
4 回复数
2,021 次查看
kei_odagiri
Contributor III

I tried deleting manually the keyid range, I succeeded to delete the keyid. Therefore users can't delete the range by se05x_API_DeleteAll_Iterative() but users can delete it by Se05x_API_DeleteSecureObject().

 

# ssscli erase 1
ssse-flw: EmbSe_Init(): Entry
App :INFO :Using PortName='/dev/i2c-2:0x48' (ENV: EX_SSS_BOOT_SSS_PORT=/dev/i2c-2:0x48)
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
ssse-flw: Version: 1.0.5
ssse-flw: EmbSe_Init(): Exit
ssse-flw: Control Command EMBSE_LOG_LEVEL; requested log level = 7
Erasing Key entry from KeyID = 0x00000001
sss :INFO :atr (Len=35)
00 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 08
01 00 00 00 00 64 00 00 0A 4A 43 4F 50 34 20 41
54 50 4F
sss :WARN :Communication channel is Plain.
sss :WARN :!!!Not recommended for production use.!!!
Erased Key entry from KeyID = 0x00000001
ssse-flw: EmbSe_Finish(): Entry
ssse-flw: EmbSe_Finish(): Exit
ssse-flw: EmbSe_Destroy(): Entry

0 项奖励
回复
2,023 次查看
kei_odagiri
Contributor III

Please let me add this information. 

According to AN13030 Plug & Trust MW Documentation (Rev. 1.9 — 30 June 2022), the range of keyid from 1 to 0x7BFFFFFF is opened to users. But users can't delete the keyid from 1 to 3 by using Se05x_API_DeleteAll_Iterative(). I think the implementation of the Se05x_API_DeleteAll_Iterative() does not allow it. 

3.14 Key Id Range and Purpose

se050_keyid_range.png

 

 

0 项奖励
回复
2,016 次查看
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @kei_odagiri ,

 

Yes, the range of keyid from 1 to 0x7BFFFFFF is opened to users, but there are cases customers trust provision some secure objects there, and SE05X_OBJID_TP_MASK can be used to prevent deleting such kind of objects accidently , but of course users may adjust SE05X_OBJID_TP_MASK definition according to their requirements.

 

Hope that makes sense,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

0 项奖励
回复
2,007 次查看
kei_odagiri
Contributor III

Hi Kan_Li ,

I suspected there is a policy to protect NXP's special trust provisioning objects. Additionally, I considered the middle ware should implement the restriction for all apis. But, sure, if middle ware restrict to delete the keyid in all apis, users may not handle under unexpected situation.

Anyway since you mentioned users can adjust the protection, I will modify the range of the macro to my suitable spec.

Thank you,

Kei Odagiri

0 项奖励
回复