5.7.6. SE05X Rotate PlatformSCP Keys Demo
This project demonstrates rotation of the Platform SCP03 keys for IOT SSD. The Platform SCP03 keys used during initial authentication can be replaced using this example. In this example, we rotate the existing SCP03 keys to new keys and then revert to the old keys.
Once the key rotation is successful on the IC, a file plain_scp.txt is created. This file contains the updated key values written to the IC. For the next authentication, if this file is available, the keys are taken from the file. If the file is not present, the pre-compiled keys are used for authentication.
Note
SCP03 uses three sets of AES keys: ENC, MAC and DEK. After the first rotation, the user can delete the DEK from the file and from the code for security purposes (the DEK is only needed to wrap new key values during a rotation, not for session authentication).
The file paths for the different platforms are:
For Android
#define EX_SSS_SCP03_FILE_DIR "/data/vendor/SE05x/"
#define EX_SSS_SCP03_FILE_PATH EX_SSS_SCP03_FILE_DIR "plain_scp.txt"
For Linux
#define EX_SSS_SCP03_FILE_DIR "/tmp/SE05X/"
#define EX_SSS_SCP03_FILE_PATH EX_SSS_SCP03_FILE_DIR "plain_scp.txt"
For Windows
#define EX_SSS_SCP03_FILE_DIR "C:\\nxp\\SE05X\\"
#define EX_SSS_SCP03_FILE_PATH EX_SSS_SCP03_FILE_DIR "plain_scp.txt"
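The key-selection rule described above (take the SCP03 keys from plain_scp.txt when it exists, otherwise fall back to the compiled-in keys) and the post-rotation write of that file, with the option of leaving the DEK out, as an added example. This is not code from the Plug & Trust middleware: the function names are hypothetical, and the "NAME=<32 hex digits>" line layout of the file is an assumption made for this example, since the real format of plain_scp.txt is not documented here.

```c
/* Added example, not NXP Plug & Trust middleware code. Function names and the
 * "NAME=<32 hex digits>" line layout of the key file are assumptions. C99. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

#define SCP03_KEY_LEN 16

typedef struct {
    uint8_t enc[SCP03_KEY_LEN];
    uint8_t mac[SCP03_KEY_LEN];
    uint8_t dek[SCP03_KEY_LEN];
    int has_dek; /* 0 once the DEK has been dropped from the file */
} scp03_keys_t;

/* Decode exactly 32 hex digits followed by end of line into 16 bytes. 0 = ok, -1 = malformed. */
static int hex_to_key(const char *hex, uint8_t out[SCP03_KEY_LEN])
{
    for (size_t i = 0; i < SCP03_KEY_LEN; i++) {
        unsigned v;
        if (!isxdigit((unsigned char)hex[2 * i]) || !isxdigit((unsigned char)hex[2 * i + 1]))
            return -1;
        if (sscanf(hex + 2 * i, "%2x", &v) != 1)
            return -1;
        out[i] = (uint8_t)v;
    }
    char end = hex[2 * SCP03_KEY_LEN];
    return (end == '\0' || end == '\n' || end == '\r') ? 0 : -1;
}

/* Parse "ENC=<hex>\nMAC=<hex>\n[DEK=<hex>\n]" (assumed layout). ENC and MAC are
 * mandatory, DEK optional. Any unknown or malformed line rejects the whole file:
 * a half-parsed key set would only surface later as a failed authentication. */
int scp03_parse_key_text(const char *text, scp03_keys_t *out)
{
    int have_enc = 0, have_mac = 0;
    const char *line = text;
    memset(out, 0, sizeof(*out));
    while (*line) {
        if (*line == '\n' || *line == '\r') { line++; continue; } /* skip blank lines */
        if (strncmp(line, "ENC=", 4) == 0) {
            if (hex_to_key(line + 4, out->enc)) return -1;
            have_enc = 1;
        } else if (strncmp(line, "MAC=", 4) == 0) {
            if (hex_to_key(line + 4, out->mac)) return -1;
            have_mac = 1;
        } else if (strncmp(line, "DEK=", 4) == 0) {
            if (hex_to_key(line + 4, out->dek)) return -1;
            out->has_dek = 1;
        } else {
            return -1;
        }
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    return (have_enc && have_mac) ? 0 : -1;
}

/* Selection rule from the demo. Returns 1 when the keys came from the file, 0 when the
 * compiled-in defaults were used because the file is absent, and -1 when the file
 * exists but is malformed (the caller decides; a silent fallback would hide that). */
int scp03_load_keys(const char *path, const scp03_keys_t *defaults, scp03_keys_t *out)
{
    char buf[256];
    FILE *f = fopen(path, "r");
    if (!f) {
        *out = *defaults;
        return 0;
    }
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return scp03_parse_key_text(buf, out) == 0 ? 1 : -1;
}

static void write_key_line(FILE *f, const char *name, const uint8_t key[SCP03_KEY_LEN])
{
    fprintf(f, "%s=", name);
    for (size_t i = 0; i < SCP03_KEY_LEN; i++)
        fprintf(f, "%02X", key[i]);
    fputc('\n', f);
}

/* Persist the keys after a successful rotation. With include_dek == 0 the DEK is
 * left out of the file, as the note above allows. 0 = ok, -1 = I/O error. */
int scp03_store_keys(const char *path, const scp03_keys_t *k, int include_dek)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    write_key_line(f, "ENC", k->enc);
    write_key_line(f, "MAC", k->mac);
    if (include_dek && k->has_dek)
        write_key_line(f, "DEK", k->dek);
    return fclose(f) == 0 ? 0 : -1;
}
```

Whatever the real file layout is, the same two points carry over: a file that exists but cannot be parsed should be reported rather than silently replaced by the compiled-in keys, and because the file holds the keys in plaintext its location (see the paths above) must be readable only by the process that performs the authentication, which is what the Android sepolicy note below is about.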
Note
For Android based platforms, it is important that the keymaster service has access to the PlatfSCP03 keys file during system boot. Be sure to update the sepolicy accordingly.
5.7.6.1. Prerequisites
Since this example is portable across various platforms, the prerequisites differ per platform.
See Build Plug & Trust middleware stack (refer to Building / Compiling).
5.7.6.2. Configuring the Demo
The new Platform SCP03 keys are defined as follows. Update your keys here.
#define EX_SSS_AUTH_NEW_ENC_KEY \
{ \
0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F \
}
#define EX_SSS_AUTH_NEW_MAC_KEY \
{ \
0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F \
}
#define EX_SSS_AUTH_NEW_DEK_KEY \
{ \
0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F \
}
Note
The new PlatformSCP03 keys are hard-coded for demonstration purposes. The user can either replace them with their own keys or use a random number generator to obtain randomized keys.
The old Platform SCP03 keys are defined as follows. Make sure these match the ones in the SE05X.
uint8_t OLD_KEY_ENC[16] = {0};
uint8_t OLD_KEY_MAC[16] = {0};
uint8_t OLD_KEY_DEK[] = EX_SSS_AUTH_SE05X_KEY_DEK;
The following code reverts to the old Platform SCP03 keys. If you do not wish to revert and want to keep using the new keys, comment out the following call in the example. For development testing, the demo rolls back to the original keys; it is left to the customer to comment out this call.
status = tp_PlatformKeys(OLD_KEY_ENC, OLD_KEY_MAC, OLD_KEY_DEK, pCtx);
ENSURE_OR_GO_CLEANUP(status == kStatus_SSS_Success);
5.7.6.3. Building the Demo
Use the following configurations in CMake:
SE05X_Auth_PlatfSCP03 : ON
Build project: se05x_RotatePlatformSCP03Keys
5.7.6.4. Running the Example
If you have built a binary, flash the se05x_RotatePlatformSCP03Keys binary onto the board and reset the board.
If you have built an exe to be run from a PC using VCOM, run as:
se05x_RotatePlatformSCP03Keys.exe <PORT NAME>
where <PORT NAME> is the VCOM COM port.
On a Raspberry Pi or i.MX board, run as:
./se05x_RotatePlatformSCP03Keys
5.7.6.5. Console output
If everything is set up correctly, the output is as follows:
App:INFO :Congratulations !!! Key Rotation Successful!!!!
App:INFO :Congratulations !!! Key Rotation Successful!!!!
App:INFO :ex_sss Finished