Unable to generate random bytes from the PKCS #11 module

Geiger8759
Contributor III

Dear community,

We are encountering a hard-to-debug error on our FreeRTOS project, which includes an EdgeLock SE050 secure element and an i.MX RT1064 MCU.

Once in a while (about once every couple of months), the MCU reports that it is unable to generate random bytes from the PKCS #11 module. After that, the MCU reboots and tries again, but it keeps hitting the same error and thus keeps rebooting.

In order to recover, a power cycle is needed (unplug it and plug it back in). After that it works without any problems.

It is important to note that we have a sensor on the same I2C bus as the SE050, which fails to initialize before the critical error occurs. So it looks like the I2C bus gets corrupted in some way.

Any ideas why this might occur?
Or how to recover from this without manual interaction with the device?

Error log:

-6s:smCom:PAL Read status error status = ff
-6s:smCom:phNxpEseProto7816_GetRawFrame phNxpEse_read failed , status : 0xff
-6s:smCom:phNxpEseProto7816_ProcessResponse phNxpEseProto7816_GetRawFrame failed starting recovery
-6s:smCom:phNxpEseProto7816_ProcessResponse re-transmitting the previous frame
-6s:smCom:PAL Read status error status = ff
-6s:smCom:phNxpEseProto7816_GetRawFrame phNxpEse_read failed , status : 0xff
-6s:smCom:phNxpEseProto7816_ProcessResponse phNxpEseProto7816_GetRawFrame failed starting recovery
-6s:smCom:phNxpEseProto7816_ProcessResponse Recovery failed completely, Going to exit
-6s:smCom:phNxpEseProto7816_Open failed
-6s:smCom: Failed to Open session
-6s:sss:SM_Connect Failed. Status 7012
-6s:App:sss_session_open failed
-6s:App:Session Open Failed
Failed to generate random bytes from the PKCS #11 module.

Geiger8759
Contributor III

Hi @Kan_Li ,

Thank you for your reply.
The SE050 variant is SE050C1HQ1/Z01SCZ.

As for the applet version, I'm not 100% sure but I think it is se05x_03_xx.

Thank you

Kan_Li
NXP TechSupport
NXP TechSupport

Hi @Geiger8759 ,

For SE050C1HQ1/Z01SCZ with applet version se05x_03_xx, there are some I2C errata. Please kindly refer to https://www.nxp.com/docs/en/errata/SE050_Erratasheet.pdf for details regarding the workaround.

BTW, is your application based on the latest MW? It should already contain the workarounds.

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------


Geiger8759
Contributor III

Hello Kan_Li, 

Thank you for your response.
The errata does describe the behaviour that we are encountering. 

We've started from the example code in the FreeRTOS reference design 'iot-reference-nxp-1060'. I can't say which MW version this was made with.

We have now updated the code to work with the MW version 04.03.01 (which is definitely different from our original code). 


Would this resolve our issue?

Some additional questions about this MW:
- After I got the code compiling and running, I found in the code that the applet version should be 7.2.0, which is actually for the SE051. I found this in secure_element\hostlib\inc\Applet_SE050_Ver.h
- To change this, I would have to adjust SSS_HAVE_SE05X_VER_03_XX in secure_element\sss\inc\fsl_sss_ftr_default.h, this would give us applet version 3.1.0 according to Applet_SE050_Ver.h (ps: naming is confusing because this is apparently also for SE051)
- To get applet version 3.6.0 (= the latest?), we would have to enable SSS_HAVE_FIPS_SE050 in freertos\include\fsl_sss_ftr.h. 

Is this the correct way to get the SE050 chip working with the latest applet?

Please advise.

Thank you for your help.

Geiger8759
Contributor III

Small update: I tried setting the constants to get to applet version 3.6.0, but this didn't work. Output:

-6s:sss:Mismatch Applet version.
-6s:sss:Compiled for 0x30600. Got older 0x30101
-6s:sss:Aborting!!!
-6s:sss:Use a library with adjusted PTMW_SE05X_Ver compile time setting
-6s:App:sss_session_open failed
-6s:App:Session Open Failed

After some browsing I came to the conclusion that FIPS is only available for the SE050F.

So conclusion concerning applet version: we are on 3.1.1. 
From what I can see, this is the only and latest one for the SE050?

Thank you.

Kan_Li
NXP TechSupport
NXP TechSupport

Hi @Geiger8759 ,

Was your project SDK based or CMake based? Actually the MW supports both. Please kindly refer to https://www.nxp.com.cn/docs/en/application-note/AN12450.pdf for more details regarding how to configure the MW, in chapters 4 & 5.

Hope that helps,

Have a great day,
Kan



Geiger8759
Contributor III

Hi @Kan_Li ,

Actually I've copied the latest hostlib and sss folders from the EdgeLock SE05x Plug & Trust Middleware (04.03.01) and tuned them to our existing application. 
But I verified the files and this is the same as an example project using the SDK.

But the main questions remain:

  1. Will our issue be solved by using this latest MW version?
  2. What is our applet version for our SE050?
     - Reported by the device it is 0x30101.
     - Using the latest MW, this defaults to 7.2.0, but in the code it notes that this is for SE051?
       [screenshot: Geiger8759_0-1699263763631.png]
     - With 7.2.0 set, the code weirdly enough notes a HEX_EXPECTED_APPLET_VERSION at runtime of 3.1.0 in secure_element\sss\src\se05x\fsl_sss_se05x_apis.c:


#if ENABLE_APPLET_VERSION_CHECK
    LOG_E("HEX_EXPECTED_APPLET_VERSION in HEX: 0x%X\n", HEX_EXPECTED_APPLET_VERSION);
    LOG_E("Major %u Minor %u Pathc %u", APPLET_SE050_VER_MAJOR, APPLET_SE050_VER_MINOR, APPLET_SE050_VER_DEV);
    if (HEX_EXPECTED_APPLET_VERSION == (0xFFFFFF00 & CommState.appletVersion))
    {
        /* Fine */
    }

returns:

[screenshot: Geiger8759_1-1699264140450.png]

  3. Can we update the applet version on the SE050 (not the MW), and should we?

Please advise.
Many thanks,
Best regards

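To make the version check quoted in the post above concrete, here is an added example (not NXP middleware code) that reproduces the comparison with the values from this thread. The 0xMMmmpp packing of major/minor/patch is an assumption read off the log line "Compiled for 0x30600. Got older 0x30101"; it shows why a 3.1.0 build accepts a 3.1.1 applet while 3.6.0 and 7.2.0 builds abort.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Pack an applet version as 0xMMmmpp, e.g. 3.1.1 -> 0x30101.
 * Assumed encoding; it matches the values printed in the thread's log. */
static uint32_t applet_version_hex(unsigned major, unsigned minor, unsigned patch)
{
    return ((uint32_t)major << 16) | ((uint32_t)minor << 8) | (uint32_t)patch;
}

/* Same comparison as the quoted fsl_sss_se05x_apis.c snippet: the low
 * (patch) byte of the reported version is masked off, so only major and
 * minor have to match the compile-time expectation. */
static bool applet_version_matches(uint32_t expected, uint32_t reported)
{
    return expected == (0xFFFFFF00u & reported);
}

/* Walk through the three compile-time settings discussed in the thread
 * against the version the SE050C actually reported. */
int main(void)
{
    const uint32_t reported = 0x30101; /* "Got older 0x30101" in the log */
    const struct { const char *build; uint32_t expected; } builds[] = {
        { "SSS_HAVE_SE05X_VER_03_XX (3.1.0)", applet_version_hex(3, 1, 0) },
        { "SSS_HAVE_FIPS_SE050 (3.6.0)",      applet_version_hex(3, 6, 0) },
        { "default SE051 setting (7.2.0)",    applet_version_hex(7, 2, 0) },
    };

    for (size_t i = 0; i < sizeof builds / sizeof builds[0]; i++) {
        bool ok = applet_version_matches(builds[i].expected, reported);
        printf("%-36s compiled for 0x%X, got 0x%X -> %s\n", builds[i].build,
               builds[i].expected, reported,
               ok ? "session opens" : "Mismatch Applet version, aborting");
    }
    return 0;
}
```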
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @Geiger8759 ,

Please kindly see my comments below:

  1. Will our issue be solved by using this latest MW version? - Yes, but please also note that errata 3.3 and 3.4 are hardware design related, so please also check your custom board design.
  2. What is our applet version for our SE050? - It should be 3.1.0 which is typical for SE050C.
    - Reported by the device it is 0x30101. 
    - Using the latest MW, this defaults to 7.2.0, but in the code it notes that this is for SE051? The default configuration is for SE051C; you have to reconfigure it to the right variant. You may refer to https://www.nxp.com.cn/docs/en/application-note/AN12450.pdf for more details on this topic.
  3. Can we update the applet version on the SE050? (not the MW) and should we? - No, it is not possible with SE050 variants. If you need this, you may select SE051 variants.

Hope that makes sense,

Have a great day,
Kan


Geiger8759
Contributor III

Hi @Kan_Li 

Thanks very much for your response and making this clear.

We replaced the hostlib and sss portions of our existing application. Is the fix included in this area?

We'll update our custom board with the mentioned points in the errata for our next revision.

Best regards

Kan_Li
NXP TechSupport
NXP TechSupport

Hi @Geiger8759 ,

May I have the SE050 variant as well as the Applet version inside? Thanks for your patience!

Have a great day,
Kan

