Secure Authentication Knowledge Base

Middleware

Are all the SE05x MW packages the same, just with reduced code between Nano and Full?
Answer: No, the SE05x MW packages are not the same. The Nano MW package supports only a subset of the features and commands of the Full MW package. It is designed for resource-constrained environments and has a smaller code footprint.

Why are some of the SE05x MW packages on NXP.com and others on GitHub?
Answer: The SE05x MW package on nxp.com is a multi-platform release for all supported platforms, including documentation and the dependencies needed for a quick out-of-the-box build of the MW. The GitHub releases target dedicated use cases: the Nano package for resource-constrained devices and the Mini package for automated build systems on Linux. The strategy is to move more components of the Full MW package to GitHub over time.

What is the best practice for updating to the latest MW release?
Answer: NXP recommends always updating to the newest MW so that the most recent fixes are included. The MW has no big architectural changes anymore. First read the changelog in the integrated documentation to check whether any breaking changes are expected. Integrating the new MW version is then a repetition of the platform-specific steps taken at design-in.

Where can I find a list of the applet versions supported by each MW release?
Answer: The CMake setting PTMW_SE05X_Ver defines the supported applet major version. The supported applet versions are offered as selectable values for this setting.

Can I use the same MW release on A5000 and SE051?
Answer: Yes. The MW release supports both the A5000 and the SE051 platforms.

My developers get a common error about a mismatch between the MW and the applet version. What is the preferred way to remove this error and still get all the features and fixes of the latest MW release?
Answer: A major version mismatch has to be fixed. A minor version mismatch does not matter unless specific new features are needed; whether that is the case cannot be decided by the MW. Typically a minor version mismatch can be ignored.

Are all MW releases and fixes mapped back to a specific SE05x part or applet version, and where can I find that?
Answer: MW releases usually cover all released and available product variants until they are discontinued. The MW changelog lists the middleware version, any change in applet version support, the supported platforms, and the changes and enhancements.

Secure Element Configuration

Are the demo boards on NXP.com always delivered with the latest applet version?
Answer: Yes, the demo boards on NXP.com carry the latest applet version. You can check the applet version on the demo board with the SE05x SEMS Lite CLI tool or with the SE05x GetInfo example; the GetInfo example also reports the OEF.

What is the default I2C address (target and controller) of the SE05x, and is it the same on all SE05x parts?
Answer: The default I2C target address of the SE05x is 0x48, and it is the same on all SE05x parts. The I2C controller address is specified in the payload of the I2C controller commands sent to the SE.

Can I change the I2C address on both the target and the controller side?
Answer: You can change the I2C target address of the SE051A/C using the SE05x PERSO applet, which allows modifying the I2C address and other parameters of the secure element. The I2C controller address is specified in the payload of the I2C controller commands sent to the SE.

Can I have 2 or 3 interfaces of the SE05x active at the same time?
Answer: No, the SE05x supports only one active interface at a time: I2C, ISO 7816 or ISO 14443. You can switch between interfaces by resetting the device. Which interfaces are available depends on the product type.

Are there specific keys or features that control I2C clock stretching?
Answer: Clock stretching is enabled by default on the SE050F. On all newer parts (SE050E, A5000, SE051, SE052) it is disabled by default.

Secure Element performance

Are there specific crypto operations that take longer than 100 ms to complete?
Answer: Yes. Depending on algorithm, key size and input data, some operations take longer than 100 ms, for example RSA key generation, RSA signature generation and verification, ECC key generation, EdDSA signature generation, and the creation of any new object.

What are the performance deltas between RSA sizes for RSA key generation? What is NXP's recommended key length? Which RSA key length meets FIPS 140-3?
Answer: Typical RSA key generation times:
  RSA 1024: ~0.6 s
  RSA 2048: ~3 s
  RSA 3072: ~12 s
  RSA 4096: ~30 s
NXP recommends an RSA key length of 2048 bits or more; shorter keys are considered insecure and vulnerable to attacks. RSA keys of 2048 bits and up meet the FIPS 140-3 requirements.

Does the write command have the same performance as the read command?
Answer: No, writes are slower than reads because they involve writing to flash memory, which takes longer than reading it.

What are the common places (I2C bus, application, etc.) to look at for performance tuning?
Answer:
  The I2C bus: use the maximum supported clock frequency (1 MHz) and check that the polling interval on the bus is not slowed down by the I2C driver; the fastest polling interval is 1 ms.
  The application: choose the most suitable crypto algorithms (ECC instead of RSA) and key sizes (mainly for RSA), minimize the number of APDU exchanges (do not open and close a session for every operation), and batch multiple operations into a single command where possible.
For performance-critical operations it makes sense to enable debug logging so that the exchanged commands can be analyzed. A logic analyzer trace is very helpful for checking the I2C bus performance.

Secure Element Memory

How can I check how much space I have used or left in the SE05x?
Answer: Use the example se05x_Minimal; it returns the amount of free NVM memory.

Does the memory of the SE05x wear out, and how can I check the status or the number of memory writes?
Answer: Yes, the flash memory of the SE05x has a limited number of write cycles. The SE distributes the wear automatically over the whole memory to reach the flash write endurance given in the datasheet. You cannot read the number of write cycles that have occurred, but the MW writes an info message for every APDU that causes at least one NVM write.

Secure Element Contactless (NFC) Interface

Can I change the ATS on the contactless interface?
Answer: Yes, you can change the historical characters of the ATS on the contactless interface with the PERSO applet, on products delivered with the PERSO applet installed.

Does the SE05x have an NFC antenna, and is there an application note on updating secure objects via NFC?
Answer: The general process of using the NFC interface to update secure objects is described in AN12664 "EdgeLock SE05x for NFC late-stage configuration".
This example shows all steps of an onboarding process of a device to AWS IoT Core using the pre-provisioned credentials of the EdgeLock SE050E secure element.

AWS IoT authenticates client certificates using the TLS protocol's client authentication mode. In TLS client authentication, AWS IoT requests an X.509 client certificate and validates the certificate's status against a registry of certificates in the AWS account. It challenges the client for proof of possession of the private key that corresponds to the public key contained in the certificate. The EdgeLock SE050E is used to store the private client key securely and to perform the client authentication, so the private key never leaves the secure element.

AWS IoT supports these types of X.509 client certificates, all of which are supported by the EdgeLock SE050E:
  1. X.509 certificates generated by AWS IoT
  2. X.509 certificates signed by a CA registered with AWS IoT
  3. X.509 certificates signed by a CA that is not registered with AWS IoT

Client certificates must be registered with AWS IoT before a client can communicate with AWS IoT. Only option 3 supports onboarding a device to AWS IoT Core with the pre-provisioned credentials of a generic EdgeLock SE050. This option is known as "AWS IoT Core Multi-Account Registration" and is supported by the AWS CLI. Customer-specific configurations of the EdgeLock SE050E with pre-provisioned certificates can even use option 2.

Hardware setup

Hardware prerequisites
The following hardware is used for this demo:
  Raspberry Pi 4 Model B or Pi 3 Model B+
  OM-SE050ARD-E development kit (NXP 12NC 9354 332 66598)
  Optional: OM-SE050RPI adapter board for Raspberry Pi (12NC 9353 798 33598) [1]

[1] For further details see NXP "AN12570 Quick start guide with Raspberry Pi", chapter "2 Prepare your Raspberry Pi".

In the following sections we use the OM-SE050RPI adapter board.
Connecting the OM-SE050ARD-E to the Raspberry Pi
Make sure the jumpers on your OM-SE050ARD-E board are configured as shown in the figure below (this is the default configuration of the OM-SE050ARD-E):

Stack the OM-SE050ARD-E with the adapter board onto the Raspberry Pi. Alternatively, the OM-SE050ARD-E can be wired to the OM-SE050RPI Raspberry Pi board as shown in the figure below:

Software setup
This section explains how to get your Raspberry Pi ready to execute the EdgeLock SE050 Plug & Trust middleware.

Prerequisites
  An AWS account
  A current 32-bit Raspbian running on the Raspberry Pi. The detailed Raspberry Pi software setup is described in "AN12570 Quick start guide with Raspberry Pi", chapter "2.2 Software setup".

Enable I2C if it is not yet enabled on your Raspberry Pi:
  ls /sys/bus/i2c/devices
If this does not list i2c-1, I2C needs to be enabled for your board:
  sudo raspi-config
Use the down arrow to select "Interfacing Options", follow the instructions and enable I2C.

Create a new folder called se05x_mw:
  cd ~
  mkdir se05x_mw
  cd se05x_mw

EdgeLock SE05x Plug & Trust middleware - build instructions
Install the required build tools, if the image does not have them already:
  sudo apt-get install cmake cmake-curses-gui cmake-gui libssl-dev
Download the EdgeLock SE05x Plug & Trust middleware (nxp.com login needed) from the NXP website.
Unzip the EdgeLock SE05x Plug & Trust middleware into the se05x_mw folder:
  unzip ~/Downloads/SE050-PLUG-TRUST-MW.zip -d ~/se05x_mw
Run the following commands to build the OpenSSL engine for the SE050. For further details see "AN12570 Quick start guide with Raspberry Pi", chapter "4.1 Example: SE050E CMake build settings". If the hostname is "raspberrypi", the configuration for a Raspberry Pi is created automatically:
  cd simw-top
  python3 scripts/create_cmake_projects.py
  cd ~/se05x_mw/simw-top_build/raspbian_native_se050_t1oi2c
  cmake-gui .
Update the CMake settings as shown in the figure below.
Press the Configure button first, then the Generate button, and close the CMake GUI. Then build and install:
  cmake --build .
  sudo make install
  sudo ldconfig /usr/local/lib

Install the ssscli tool
In this example the Python-based SE050 ssscli tool is used to extract the credentials of the EdgeLock SE050. The following steps are needed once per installation before running the ssscli tool:
  sudo apt-get install python3-pip
  sudo apt-get install libffi-dev
  cd ~/se05x_mw/simw-top/pycli
  pip3 install -r requirements.txt
To install the ssscli tool, run the following command once:
  pip3 install --editable src

Install the AWS CLI
To install the AWS CLI tool, run the following command once:
  pip3 install awscli --upgrade --user
Add the AWS CLI executable to your command-line path:
  export PATH=/home/pi/.local/bin:$PATH
Confirm that the AWS CLI tool was installed successfully:
  aws --version

Configure AWS

Get the access key ID and secret access key
When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user. AWS strongly recommends that you do not use the root user for your everyday tasks, not even the administrative ones. Instead, create an IAM user. Please read the following documentation for more details: What is IAM? - AWS Identity and Access Management (amazon.com)

Perform the following steps to create an IAM (Identity and Access Management) user:
  Sign in as the AWS account root user with the email address and password you used to create the AWS account.
  In the navigation menu choose "Users" and press the "Add user" button.
  Enter a user name, select the options as shown below and press the "Next: Permissions" button.
  Press the "Attach existing policies directly" button. For this demo select the "AWSIoTFullAccess" policy and press the "Next" button. (This managed policy grants far more than the demo needs; in a production account scope the user's permissions down to the iot actions actually used.)
  For this demo you do not need to add any tag.
  Simply press the "Next" button.
  Review your entries and press the "Create user" button.
  Finally download the IAM user credentials as a CSV file.
For the next steps you need the access key ID and the secret access key from the CSV file. The CSV file contains the user name, the password, the access key ID, the secret access key and the console login link. You can use the console login link to log in as the IAM user. Treat the CSV file as a secret: it grants the user's full API access.

Set AWS credentials in the AWS CLI
You can save your frequently used configuration settings and credentials in files maintained by the AWS CLI. Run the following command to set your credentials, region and output format:
  aws configure
Example:
  $ aws configure
  AWS Access Key ID [None]: <access key ID>
  AWS Secret Access Key [None]: <secret access key>
  Default region name [None]: <aws region name>
  Default output format [None]: json

Using credentials from the EdgeLock SE050E
We use ECC credentials in this example: the key with ID 0xF0000100 and the corresponding certificate at ID 0xF0000101. You can use any of the certificates pre-provisioned in your EdgeLock SE050E. Please refer to AN12436 "SE050 Configurations" for a list of the available key and certificate IDs.

Create a folder to store the EdgeLock SE050 credentials:
  cd ~/se05x_mw/
  mkdir se050_device_credentials
  cd se050_device_credentials

Extracting the EdgeLock SE050E device certificate
Using the pySSSCLI tool, read out the device certificate:
  ssscli connect se05x t1oi2c none
  ssscli get cert 0xF0000101 se050_device_cert0_ecc.cer
The certificate and public key read from the secure element can be loaded into the OpenSSL key structure.
The OpenSSL x509 command also displays the contents of the certificate, including the public key:
  openssl x509 -noout -text -in se050_device_cert0_ecc.cer

Creating the EdgeLock SE050E device key reference
OpenSSL requires a key pair, consisting of a private and a public key, to be generated in or loaded into the EdgeLock SE050E before cryptographic operations can be executed.
  Private key: the private key is stored securely inside the SE050E secure element and cannot be retrieved by the OpenSSL engine.
  Reference key: the standard OpenSSL API needs to be called with a key. Instead of a real private key, an OpenSSL key data structure containing a reference to the private key inside the SE050E is used. To OpenSSL the reference key looks like a real key, but it contains no secret data.
Using the pySSSCLI tool, read out the device reference key:
  sudo ssscli refpem ecc pair 0xF0000100 se050_device_key_ref0_ecc.pem
  ssscli disconnect
At first glance the reference key looks like any other private key, so use OpenSSL to display its details:
  openssl ec -in se050_device_key_ref0_ecc.pem -text

Registering the device certificate
Use the AWS CLI tool to register the extracted device certificate in your AWS IoT account. The command line syntax is:
  aws iot register-certificate-without-ca --certificate-pem <certificate-filename>
Execute the following command:
  aws iot register-certificate-without-ca --certificate-pem file://se050_device_cert0_ecc.cer --status ACTIVE
This command returns the certificate ARN and certificate ID. A certificate Amazon Resource Name (ARN) uniquely identifies this certificate. You can open the AWS IoT console to check whether the certificate was registered successfully. Note: you need to select the correct AWS region.

Create an AWS IoT policy
First create a JSON document "se050_raspi_policy.json" with the following content. Note: for demo purposes this policy allows all IoT actions on all resources; a production policy should restrict iot:Connect to the device's client ID and iot:Publish/iot:Subscribe to the topics the device actually uses.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "iot:*",
        "Resource": "*"
      }
    ]
  }
You can use, for example, the nano editor. The following command creates an empty file:
  nano se050_raspi_policy.json
Copy and paste the content into the text editor and save the file.

Use the AWS CLI tool to create the policy in your AWS IoT account:
  aws iot create-policy --policy-name se050_raspi_policy --policy-document file://se050_raspi_policy.json
You can open the AWS IoT console to check whether the policy was created successfully.

Attach the AWS IoT policy to the certificate
Attaching an AWS IoT Core policy to a certificate gives the device connecting with this certificate the permissions specified in the policy. Use the AWS CLI tool to attach the policy to the device certificate:
  aws iot attach-policy --target <certificate ARN> --policy-name se050_raspi_policy

Obtain the custom AWS IoT endpoint URL
Run the following command to print your account's AWS IoT endpoint address; it is used later:
  aws iot describe-endpoint --endpoint-type iot:Data-ATS
Alternatively, you can obtain the custom AWS IoT endpoint from the AWS IoT console.

Run the IoT demo MQTT example
Navigate to the demos directory se05x_mw/simw-top/demos/linux/aws_eou and execute buildScript.sh. This builds the iot_demo_mqtt project:
  cd ~/se05x_mw/simw-top/demos/linux/aws_eou/
  chmod +x buildScript.sh
  ./buildScript.sh
Copy all SE050 credentials into the example's output/bin folder:
  cd ~/se05x_mw/simw-top/demos/linux/aws_eou/aws-iot-device-sdk-embedded-C/build/output/bin
  cp ~/se05x_mw/simw-top/demos/linux/aws_eou/AmazonRootCA1.pem .
  cp ~/se05x_mw/se050_device_credentials/se050_device_cert0_ecc.cer .
  cp ~/se05x_mw/se050_device_credentials/se050_device_key_ref0_ecc.pem .
To let OpenSSL use the engine, point the OpenSSL config path to the preconfigured config file:
  export OPENSSL_CONF=/home/pi/se05x_mw/simw-top/demos/linux/common/openssl11_sss_se050.cnf
Navigate to the demo's binary folder:
  cd ~/se05x_mw/simw-top/demos/linux/aws_eou/aws-iot-device-sdk-embedded-C/build/output/bin
Run the demo, specifying your endpoint URL and the certificate and key files:
  ./iot_demo_mqtt -i "ThingName" -h <endpoint> -r AmazonRootCA1.pem -c <certificate-filename> -k <ref-filename>
For example:
  ./iot_demo_mqtt -i "myRaspiSE050" -h <endpoint> -r AmazonRootCA1.pem -c se050_device_cert0_ecc.cer -k se050_device_key_ref0_ecc.pem
Go to the AWS IoT Core dashboard and subscribe to the following topic:
  iotdemo/#
The MQTT topic you subscribed to appears in the Subscriptions section, as shown in the figure below, when you run the demo again.
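The AWS-side steps above (register the certificate, create and attach a policy, fetch the endpoint) bundled into one script, as an added example that is not part of the original article or of NXP's middleware. It replaces the demo's "iot:* on *" policy with one scoped to the connecting Thing's name and the iotdemo topic tree, and adds a TLS handshake check against port 8883 through the SE050 OpenSSL engine before iot_demo_mqtt is run. Assumptions that are not from the article: the Thing name passed to the script equals the MQTT client ID given to iot_demo_mqtt -i (the ${iot:Connection.Thing.ThingName} policy variable only resolves when the certificate is attached to that Thing, which the script does with attach-thing-principal), the policy name se050_raspi_scoped_policy is a placeholder, and the file names are the ones extracted with ssscli above.

```shell
#!/bin/sh
# Added example, not part of NXP's middleware or the original article.
# Onboards one SE050E certificate into AWS IoT Core with a scoped policy.
# Requires: aws CLI configured (aws configure), OPENSSL_CONF pointing at the
# SE050 engine config, and the files produced by ssscli above.
set -eu

# Print a least-privilege policy document for region/account/topic prefix.
# The Thing-name policy variable resolves only when the certificate is
# attached to a Thing, so onboard() does that with attach-thing-principal.
build_device_policy() {
  base="arn:aws:iot:$1:$2"
  prefix="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "iot:Connect",
      "Resource": "$base:client/\${iot:Connection.Thing.ThingName}" },
    { "Effect": "Allow", "Action": "iot:Publish",
      "Resource": "$base:topic/$prefix/*" },
    { "Effect": "Allow", "Action": "iot:Subscribe",
      "Resource": "$base:topicfilter/$prefix/*" },
    { "Effect": "Allow", "Action": "iot:Receive",
      "Resource": "$base:topic/$prefix/*" }
  ]
}
EOF
}

# Register the cert, bind it to a Thing, attach the scoped policy and print
# the account's ATS data endpoint. Arguments: cert_file thing_name policy_name region
onboard() {
  cert="$1"; thing="$2"; policy="$3"; region="$4"
  account=$(aws sts get-caller-identity --query Account --output text)
  arn=$(aws iot register-certificate-without-ca \
          --certificate-pem "file://$cert" --status ACTIVE \
          --query certificateArn --output text)
  aws iot create-thing --thing-name "$thing" >/dev/null
  aws iot attach-thing-principal --thing-name "$thing" --principal "$arn"
  build_device_policy "$region" "$account" iotdemo > "$policy.json"
  # create-policy fails if the name already exists, so only create it once
  aws iot get-policy --policy-name "$policy" >/dev/null 2>&1 || \
    aws iot create-policy --policy-name "$policy" \
        --policy-document "file://$policy.json" >/dev/null
  aws iot attach-policy --policy-name "$policy" --target "$arn"
  aws iot describe-endpoint --endpoint-type iot:Data-ATS \
      --query endpointAddress --output text
}

# Handshake-only check: the SE050 signs the TLS CertificateVerify through the
# OpenSSL engine selected by OPENSSL_CONF; no MQTT traffic is sent.
tls_check() {
  endpoint="$1"; cert="$2"; refkey="$3"; ca="$4"
  openssl s_client -connect "$endpoint:8883" -CAfile "$ca" \
      -cert "$cert" -key "$refkey" </dev/null 2>&1 | grep "Verify return code"
}

# Usage: sh onboard.sh run <thing_name> <region>
if [ "${1:-}" = "run" ]; then
  ep=$(onboard se050_device_cert0_ecc.cer "$2" se050_raspi_scoped_policy "$3")
  echo "endpoint: $ep"
  tls_check "$ep" se050_device_cert0_ecc.cer se050_device_key_ref0_ecc.pem AmazonRootCA1.pem
fi
```

Run it from the demo's output/bin folder after the export OPENSSL_CONF step, e.g. sh onboard.sh run myRaspiSE050 eu-central-1, then start iot_demo_mqtt with -i set to the same Thing name. A "Verify return code: 0 (ok)" line from the handshake check confirms that the reference key was routed to the secure element and that the registered certificate was accepted by AWS IoT.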
This documentation shows how to connect to the SE050 using the NFC Cockpit tool and a PNEV5180B development board.
Introduction
This is an exercise in porting one of the SE050 examples from the NXP Secure Element host library (se_hostlib) to another NXP MCU. Application note AN12448 "EdgeLock SE050 Plug & Trust middleware porting guidelines" is a great resource for porting the library to other targets. This exercise provides additional details on porting a project for MCUXpresso IDE to a different MCU. The se_hostlib example used here is the se05x_get_info project. The library provides this example for the RT1050 devices, and this exercise ports it to the similar RT1060. A simpler method might be to take the existing se_hostlib project, change the device to the new target MCU and tweak some other project settings. But this exercise builds the ported project from scratch, to demonstrate how a se_hostlib project can be created or added to another application. NXP's MCUXpresso IDE is used for this, but the general steps should also apply to other IDEs.

The projects and software used here are included in NXP's MCUXpresso Software Development Kit (SDK) and can be downloaded from https://mcuxpresso.nxp.com/, using SDK version 2.7.0. The se_hostlib is provided in the SDK package for EVKB-IMXRT1050, and the example ported is \SDK_2.7.0\boards\evkbimxrt1050\se_hostlib_examples\se_SE05x_Get_Info. The targeted MCU for the port uses the SDK package for EVK-MIMXRT1060, and the initial project used to start the port is hello_world at \SDK_2.7.0\boards\evkmimxrt1060\demo_apps\hello_world. MCUXpresso IDE v11.1.1 is used in this exercise.

Change application source files
The hello_world demo for the RT1060 is imported into MCUXpresso IDE using the default project settings. The new project is renamed evkmimxrt1060_se_hostlib_se05x_get_info.
Then the following changes are made:

Removed:
  Source/hello_world.c

Copied the following source folders from evkbimxrt1050_se_hostlib_se05x_get_info:
  Doc
  MbedTLS
  se_hostlib
  source

For the RT1060 app, I kept these folders from hello_world:
  Board
  CMSIS
  Component
  Device
  Drivers
  Startup
  Utilities
  Xip

And added these additional driver files used in the RT1050 example from \SDK_2.7.0\devices\MIMXRT1062\drivers to the project folder \evkmimxrt1060_se_hostlib_se05x_get_info\drivers:
  fsl_dcp.c, fsl_dcp.h
  fsl_lpi2c.c, fsl_lpi2c.h
  fsl_pit.c, fsl_pit.h
  fsl_trng.c, fsl_trng.h

Copy project preprocessor definitions
The se_hostlib uses many preprocessor definitions to configure the library. The compiler preprocessor definitions from the RT1050 example's project properties were taken over, with the following changes for the RT1060 project:

Added:
  SDK_DEBUGCONSOLE_UART
  PHDRIVER_IMXRT1050RC663_BOARD
  IMX_RT
  MBEDTLS_CONFIG_FILE='"a71ch_mbedtls_evkbimxrt1050_config.h"'
  MBEDTLS
  SCP_MODE=C_MAC_C_ENC_R_MAC_R_ENC
  T1oI2C
  T1oI2C_UM1225_SE050
  SSS_USE_FTR_FILE
  NO_SECURE_CHANNEL_SUPPORT
  __NEWLIB__ (MCUXpresso IDE adds this automatically with the linker changes below)

Changed:
  PRINTF_ADVANCED_ENABLE=1

Removed:
  __REDLIB__ (MCUXpresso IDE removes this automatically with the linker changes below)

Change linker settings
Based on the preprocessor definitions above, I realized the RT1050 project uses the NewlibNano runtime library in the IDE. The linker settings were updated to change the library from Redlib to NewlibNano (this step could also have been done during the SDK project import into MCUXpresso IDE). Also the linker placement of all RAM is changed to the RT1060 SRAM_DTC region, and the heap and stack sizes are updated to match the RT1050 example.
Change compiler include paths
Added the following paths for se_hostlib and mbedTLS to the compiler includes:
  "${workspace_loc:/${ProjName}/mbedtls/port/ksdk}"
  "${workspace_loc:/${ProjName}/se_hostlib/hostlib/hostLib/inc}"
  "${workspace_loc:/${ProjName}/se_hostlib/sss/inc}"
  "${workspace_loc:/${ProjName}/se_hostlib/sss/port/ksdk}"
  "${workspace_loc:/${ProjName}/se_hostlib/hostlib/hostLib/platform/inc}"
  "${workspace_loc:/${ProjName}/se_hostlib/hostlib/hostLib/libCommon/smCom/T1oI2C}"
  "${workspace_loc:/${ProjName}/se_hostlib/hostlib/hostLib/libCommon/smCom}"
  "${workspace_loc:/${ProjName}/se_hostlib/hostlib/hostLib/libCommon/infra}"
  "${workspace_loc:/${ProjName}/se_hostlib/sss/ex/inc}"
  "${workspace_loc:/${ProjName}/se_hostlib/sss/ex/src}"
  "${workspace_loc:/${ProjName}/se_hostlib/hostlib/hostLib/se05x_03_xx_xx}"
  "${workspace_loc:/${ProjName}/se_hostlib/hostlib/hostLib/mbedtls/inc}"
  "${workspace_loc:/${ProjName}/se_hostlib/sss/plugin/mbedtls}"
  "${workspace_loc:/${ProjName}/mbedtls/include}"

Port macros in source code
Some of the application source is configured for the RT1050 MCU using macros defined in the preprocessor settings. This code should all apply to the RT1060 as well, but it needs to be modified to use different macros. The source was updated in a few places; search for CPU_MIMXRT1052DVL6B to find them:
  #if defined(CPU_MIMXRT1052DVL6B)
Changed to:
  #if (defined(CPU_MIMXRT1052DVL6B) || defined(CPU_MIMXRT1062DVL6A))
In the following locations:
  axReset_HostConfigure() in ax_reset.c
  i2c_imxrt10xx.c
  ex_sss_main_inc_imx_rt.h, in the header file includes
  se_reset_config.h

Configure RT1060 pins
To interface with the SE050, the example uses an I2C peripheral and a GPIO pin for reset. The new project needs to enable these pins in the pinmux settings, configured in pin_mux.c. Copy I2CPins() from the RT1050 pin_mux.c and add it to the RT1060 pin_mux.c.
Then add a call to I2CPins() in BOARD_InitBootPins() in pin_mux.c, and add the declaration of I2CPins() to pin_mux.h.

For the GPIO reset pin, the RT1050 example sets the pinmux in spiPins(). Since SPI is not used, I just added this pin to the existing BOARD_InitPins(). Copy the lines below from the RT1050 pin_mux.c and add them to BOARD_InitPins() for the RT1060:

  /* Reset */
  IOMUXC_SetPinMux(
      IOMUXC_GPIO_AD_B0_10_GPIO1_IO10,  /* GPIO_AD_B0_10 is configured as GPIO1_IO10 */
      0U);                              /* Software Input On Field: Input Path is determined by functionality */

Summary
With these changes, the RT1060 project builds without any errors or warnings, and runs on the RT1060 as documented in the readme files from the RT1050 project. The completed ported project for the RT1060 is attached here.