4.7. CMake Options

4.7.1. PTMW_Applet

PTMW_Applet

The Secure Element Applet

You can compile host library for different Applets listed below. Please note, some of these Applets may be for NXP Internal use only.

-DPTMW_Applet=None: Compiling without any Applet Support

-DPTMW_Applet=A71CH: A71CH (ECC)

-DPTMW_Applet=SE05X_A: SE050 Type A (ECC)

-DPTMW_Applet=SE05X_B: SE050 Type B (RSA)

-DPTMW_Applet=SE05X_C: SE050 (Super set of A + B)

-DPTMW_Applet=AUTH: AUTH

4.7.2. PTMW_SE05X_Ver

PTMW_SE05X_Ver

SE05X Applet version.

Selection of Applet version 03_XX enables SE050 features. Selection of Applet version 06_00 enables SE051 features.

-DPTMW_SE05X_Ver=03_XX: SE050

-DPTMW_SE05X_Ver=06_00: SE051

-DPTMW_SE05X_Ver=07_02: SE051

4.7.3. PTMW_Host

PTMW_Host

Host where the software stack is running

e.g. Windows, PC Linux, Embedded Linux, Kinetis like embedded platform

-DPTMW_Host=Darwin: OS X / Macintosh

-DPTMW_Host=PCLinux32: PC/Laptop Linux with 32bit libraries

-DPTMW_Host=PCLinux64: PC/Laptop Linux with 64bit libraries

-DPTMW_Host=PCWindows: PC/Laptop Windows

-DPTMW_Host=Cygwin: Using Cygwin

-DPTMW_Host=frdmk64f: Embedded Kinetis Freedom K64F

-DPTMW_Host=evkmimxrt1060: Embedded Kinetis i.MX RT 1060

-DPTMW_Host=evkmimxrt1170: Embedded Kinetis i.MX RT1170

-DPTMW_Host=lpcxpresso55s: Embedded LPCXpresso55s (No demarcation of secure/non-secure world)

-DPTMW_Host=lpcxpresso55s_ns: Non Secure world of LPCXpresso55s

-DPTMW_Host=lpcxpresso55s_s: Secure world of LPCXpresso55s

-DPTMW_Host=iMXLinux: Embedded Linux on i.MX

-DPTMW_Host=Raspbian: Embedded Linux on RaspBerry PI

-DPTMW_Host=Android: Android

4.7.4. PTMW_SMCOM

PTMW_SMCOM

Communication Interface

How the host library communicates to the Secure Element. This may be directly over an I2C interface on embedded platform. Or sometimes over Remote protocol like JRCP_V1 / JRCP_V1_AM / JRCP_V2 / VCOM from PC.

-DPTMW_SMCOM=None: Not using any Communication layer

-DPTMW_SMCOM=JRCP_V2: Socket Interface New Implementation

-DPTMW_SMCOM=JRCP_V1: Socket Interface Old Implementation.

This is the interface used from Host PC when when we run jrcpv1_server from the linux PC.

-DPTMW_SMCOM=JRCP_V1_AM: JRCP_V1 extended with Access manager features

-DPTMW_SMCOM=VCOM: Virtual COM Port

-DPTMW_SMCOM=SCI2C: Smart Card I2C for A71CH and A71CH

-DPTMW_SMCOM=T1oI2C: T=1 over I2C for SE050

-DPTMW_SMCOM=PCSC: CCID PC/SC reader interface

4.7.5. PTMW_HostCrypto

PTMW_HostCrypto

Counterpart Crypto on Host

What is being used as a cryptographic library on the host. As of now only OpenSSL / mbedTLS is supported

-DPTMW_HostCrypto=MBEDTLS: Use mbedTLS as host crypto

-DPTMW_HostCrypto=MBEDCRYPTO: Use mbed-crypto as host crypto

Required for ARM-PSA / TF-M

-DPTMW_HostCrypto=OPENSSL: Use OpenSSL as host crypto

-DPTMW_HostCrypto=User: User Implementation of Host Crypto

e.g. Files at sss/src/user/crypto have low level AES/CMAC primitives. The files at sss/src/user use those primitives. This becomes an example for users with their own AES Implementation This then becomes integration without mbedTLS/OpenSSL for SCP03 / AESKey.

Note

ECKey abstraction is not implemented/available yet.

-DPTMW_HostCrypto=None: NO Host Crypto

Note, this is unsecure and only provided for experimentation on platforms that do not have an mbedTLS PORT Many Feature Control have to be disabled to have a valid build.

4.7.6. PTMW_RTOS

PTMW_RTOS

Choice of Operating system

Default would mean nothing special. i.e. Without any RTOS on embedded system, or default APIs on PC/Linux

-DPTMW_RTOS=Default: No specific RTOS. Either bare matal on embedded system or native linux or Windows OS

-DPTMW_RTOS=FreeRTOS: Free RTOS for embedded systems

4.7.7. PTMW_mbedTLS_ALT

PTMW_mbedTLS_ALT

ALT Engine implementation for mbedTLS

When set to None, mbedTLS would not use ALT Implementation to connect to / use Secure Element. This needs to be set to SSS for Cloud Demos over SSS APIs

-DPTMW_mbedTLS_ALT=SSS: Use SSS Layer ALT implementation

-DPTMW_mbedTLS_ALT=A71CH: Legacy implementation

-DPTMW_mbedTLS_ALT=None: Not using any mbedTLS_ALT

When this is selected, cloud demos can not work with mbedTLS

4.7.8. PTMW_SCP

PTMW_SCP

Secure Channel Protocol

In case we enable secure channel to Secure Element, which interface to be used.

-DPTMW_SCP=None

-DPTMW_SCP=SCP03_SSS: Use SSS Layer for SCP. Used for SE050 family.

-DPTMW_SCP=SCP03_HostCrypto: Use Host Crypto Layer for SCP03. Legacy implementation. Used for older demos of A71CH Family.

4.7.9. PTMW_FIPS

PTMW_FIPS

Enable or disable FIPS

This selection mostly impacts tests, and generally not the actual Middleware

-DPTMW_FIPS=None: NO FIPS

-DPTMW_FIPS=SE050: SE050 IC FIPS

4.7.10. PTMW_SBL

PTMW_SBL

Enable/Disable SBL Bootable support

This option is to enable/disable boot from SBL by switching linker address

-DPTMW_SBL=None: Not SBL bootable

-DPTMW_SBL=SBL_LPC55S: SE050 based LPC55S SBL bootable

4.7.11. PTMW_SE05X_Auth

PTMW_SE05X_Auth

SE050 Authentication

This settings is used by examples to connect using various options to authenticate with the Applet. The SE05X_Auth options can be changed for KSDK Demos and Examples. To change SE05X_Auth option follow below steps. Set flag SSS_HAVE_SCP_SCP03_SSS to 1 and Reset flag SSS_HAVE_SCP_NONE to 0. To change SE05X_Auth option other than None and PlatfSCP03, execute se05x_Delete_and_test_provision.exe in order to provision the Authentication Key. To change SE05X_Auth option to ECKey or ECKey_PlatfSCP03, Set additional flag SSS_HAVE_HOSTCRYPTO_ANY to 1.

-DPTMW_SE05X_Auth=None: Use the default session (i.e. session less) login

-DPTMW_SE05X_Auth=UserID: Do User Authentication with UserID

-DPTMW_SE05X_Auth=PlatfSCP03: Use Platform SCP for connection to SE

-DPTMW_SE05X_Auth=AESKey: Do User Authentication with AES Key

Earlier this was called AppletSCP03

-DPTMW_SE05X_Auth=ECKey: Do User Authentication with EC Key

Earlier this was called FastSCP

-DPTMW_SE05X_Auth=UserID_PlatfSCP03: UserID and PlatfSCP03

-DPTMW_SE05X_Auth=AESKey_PlatfSCP03: AESKey and PlatfSCP03

-DPTMW_SE05X_Auth=ECKey_PlatfSCP03: ECKey and PlatfSCP03

4.7.12. PTMW_A71CH_AUTH

PTMW_A71CH_AUTH

A71CH Authentication

This settings is used by SSS-API based examples to connect using either plain or authenticated to the A71CH.

-DPTMW_A71CH_AUTH=None: Plain communication, not authenticated or encrypted

-DPTMW_A71CH_AUTH=SCP03: SCP03 enabled

4.7.13. PTMW_Log

PTMW_Log

Logging

-DPTMW_Log=Default: Default Logging

-DPTMW_Log=Verbose: Very Verbose logging

-DPTMW_Log=Silent: Totally silent logging

4.7.14. CMAKE_BUILD_TYPE

CMAKE_BUILD_TYPE

See https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html

For embedded builds, this choices sets optimization levels. For MSVC builds, build type is selected from IDE As well

-DCMAKE_BUILD_TYPE=Debug: For developer

-DCMAKE_BUILD_TYPE=Release: Optimization enabled and debug symbols removed

-DCMAKE_BUILD_TYPE=RelWithDebInfo: Optimization enabled but with debug symbols

-DCMAKE_BUILD_TYPE=: Empty Allowed

4.7.15. Feature Control

Using these options, you can enable/disable individual features.

See Section 3.8.4 Using feature file to reduce code size for details on it’s usage and relevance.

SSSFTR_SE05X_AES

SE05X Secure Element : Symmetric AES

SSSFTR_SE05X_ECC

SE05X Secure Element : Elliptic Curve Cryptography

SSSFTR_SE05X_RSA

SE05X Secure Element : RSA

SSSFTR_SE05X_KEY_SET

SE05X Secure Element : KEY operations : SET Key

SSSFTR_SE05X_KEY_GET

SE05X Secure Element : KEY operations : GET Key

SSSFTR_SE05X_AuthECKey

SE05X Secure Element : Authenticate via ECKey

SSSFTR_SE05X_AuthSession

SE05X Secure Element : Allow creation of user/authenticated session.

If the intended deployment only uses Platform SCP Or it is a pure session less integration, this can save some code size.

SSSFTR_SE05X_CREATE_DELETE_CRYPTOOBJ

SE05X Secure Element : Allow creation/deletion of Crypto Objects

If disabled, new Crytpo Objects are neither created and old/existing Crypto Objects are not deleted. It is assumed that during provisioning phase, the required Crypto Objects are pre-created or they are never going to be needed.

SSSFTR_SW_AES

Software : Symmetric AES

SSSFTR_SW_ECC

Software : Elliptic Curve Cryptography

SSSFTR_SW_RSA

Software : RSA

SSSFTR_SW_KEY_SET

Software : KEY operations : SET Key

SSSFTR_SW_KEY_GET

Software : KEY operations : GET Key

SSSFTR_SW_TESTCOUNTERPART

Software : Used as a test counterpart

e.g. Major part of the mebdTLS SSS layer is purely used for testing of Secure Element implementation, and can be avoided fully during many production scenarios.

4.7.16. Deprecated Defines

Keept and for time being for backwards compatibility. They will be removed in some future release.

WithNXPNFCRdLib
  • Compile in NXP NFC RdLib support

  • Default is OFF

  • Use NXP NFC RdLib. This is used mainly for RC663 + SAM Use Cases. Package available under NDA is needed to use this feature

WithOPCUA_open62541
  • Compile With open62541 Support

  • Default is OFF

  • Compile with OPC UA. By default it is disabled from compilation.

WithSharedLIB
  • Create and use shared libraries

  • Default is OFF

  • Create shared libraries. Applicable for Engine DLL and other use cases.

WithAccessMgr_UnixSocket
  • Compile Access Manager with UNIX socket support (Default is STREAM sockets).

  • Default is OFF

  • Compile Access Manager with unix socket support.

4.7.17. NXP Internal Options

These options are not supported outside NXP.

NXPInternal
  • NXP Internal

  • Default is OFF. (ON only within NXP)

Note

For deliveries outside NXP, this option is disabled.

WithCodeCoverage
  • Compile with Code Coverage

  • Default is OFF

4.7.18. Other Variables

WithExtCustomerTPMCode
  • Include code from ../customer/tpm2

  • Default is OFF

  • Include code from external tpm2 folder. This way, TPM code can be included in build from outside the simw-top repository.

SIMW_INSTALL_INC_DIR
  • Location where library header files are installed for linux based targets. (Used for iMX Linux)

  • Default location is </usr/local/>include/se05x

SIMW_INSTALL_SHARE_DIR
  • Location where miscellaneous scripts get copiled for linux based targets. (Used for iMX Linux)

  • e.g. cmake_options.mak which has current cmake build settings.

  • Default location is </usr/local/>share/se05x