docs/platforms/nxp/nxp_se05x_guide.md

1.5.1.06.3 KB
Original Source

NXP SE05x Secure Element Integration in Matter

<hr>

<a name="introduction"></a>

Introduction

The SE05x Secure Element integration in the Matter stack can be used to offload the crypto operations that Matter requires to the SE05x.

The following crypto operations are supported using SE05x:

  • Random number generation
  • EC Key Generate
  • ECDSA Sign
  • ECDSA Verify
  • HKDF
  • HMAC
  • Spake2P

<a name="supported_platforms"></a>

Supported Platforms

The secure element integration is available for the following platforms.

NXP i.MX 8M Mini EVK

Integration of SE05x with the i.MX 8M Mini EVK is demonstrated using the thermostat example. Refer to the i.MX 8M Mini EVK guide to set up the build environment.

Hardware connections

  • Connections using the OM-SE051ARD board:

    | Signal  | i.MX 8M Pin | OM-SE051ARD Pin |
    |---------|-------------|-----------------|
    | I2C SDA | J801_SDA    | J2_9            |
    | I2C SCL | J801_SCL    | J2_10           |
    | 3V3     | J801_VCC    | J8_4            |
    | GND     | J801_GND    | J8_7            |

Build the example as follows:

    cd connectedhomeip
    ./scripts/examples/imxlinux_example.sh -s examples/thermostat/nxp/linux-se05x/ -o out/thermostat -d

Refer to the SE05x Crypto Configurations section to control which crypto operations are offloaded to SE05x.

Refer to the SE05x Type Configuration section to select the correct variant of the connected secure element.

RW61x

Integration of SE05x with RW61x is demonstrated using the thermostat and all-clusters-app examples. Refer to the RW61x guide to set up the build environment.

Hardware connections and building the example with SE05x

Refer to the RW61x and SE05x guide for the hardware connections and build instructions.

Refer to the SE05x Crypto Configurations section to control which crypto operations are offloaded to SE05x.

Refer to the SE05x Type Configuration section to select the correct variant of the connected secure element.

<a name="se05x_crypto_configurations"></a>

SE05x Crypto Configurations

The following GN / CMake options can be used to enable or disable the crypto operations offloaded to SE05x:

  • GN Options:

    | GN Option                      | Description             | Type    | Default setting |
    |--------------------------------|-------------------------|---------|-----------------|
    | chip_se05x_spake_verifier      | Spake2P Verifier on SE  | Boolean | Disabled        |
    | chip_se05x_spake_prover        | Spake2P Prover on SE    | Boolean | Disabled        |
    | chip_se05x_rnd_gen             | Random number generation| Boolean | Disabled        |
    | chip_se05x_gen_ec_key          | Generate EC key in SE   | Boolean | Enabled         |
    | chip_se05x_ecdsa_verify        | ECDSA Verify            | Boolean | Enabled         |
    | chip_se05x_pbkdf2_sha256       | PBKDF2-SHA256           | Boolean | Disabled        |
    | chip_se05x_hkdf_sha256         | HKDF-SHA256             | Boolean | Disabled        |
    | chip_se05x_hmac_sha256         | HMAC-SHA256             | Boolean | Disabled        |
    | chip_se05x_device_attestation  | Device attestation      | Boolean | Disabled        |

  • CMake Options:

    | Kconfig Option                        | Description              | Default setting |
    |---------------------------------------|--------------------------|-----------------|
    | CONFIG_CHIP_SE05X_SPAKE_VERIFIER      | Spake2P Verifier on SE   | Disabled        |
    | CONFIG_CHIP_SE05X_SPAKE_PROVER        | Spake2P Prover on SE     | Disabled        |
    | CONFIG_CHIP_SE05X_RND_GEN             | Random number generation | Disabled        |
    | CONFIG_CHIP_SE05X_GENERATE_EC_KEY     | Generate EC key in SE    | Enabled         |
    | CONFIG_CHIP_SE05X_ECDSA_VERIFY        | ECDSA Verify             | Enabled         |
    | CONFIG_CHIP_SE05X_PBKDF2_SHA256       | PBKDF2-SHA256            | Disabled        |
    | CONFIG_CHIP_SE05X_HKDF_SHA256         | HKDF-SHA256              | Disabled        |
    | CONFIG_CHIP_SE05X_HMAC_SHA256         | HMAC-SHA256              | Disabled        |
    | CONFIG_CHIP_SE05X_DEVICE_ATTESTATION  | Device attestation       | Disabled        |

<a name="se05x_type_configurations"></a>

SE05x Type Configuration

Make sure the SE05x feature file third_party/simw-top-mini/repo/fsl_sss_ftr.h is updated with the correct product variant.

SE050E is enabled by default.

    /** Compiling without any Applet Support */
    #define SSS_HAVE_APPLET_NONE 0

    /** SE050 Type A (ECC) */
    #define SSS_HAVE_APPLET_SE05X_A 0

    /** SE050 Type B (RSA) */
    #define SSS_HAVE_APPLET_SE05X_B 0

    /** SE050 (Super set of A + B), SE051, SE052 */
    #define SSS_HAVE_APPLET_SE05X_C 0

    /** SE051 with SPAKE Support */
    #define SSS_HAVE_APPLET_SE051_H 0

    /** AUTH */
    #define SSS_HAVE_APPLET_AUTH 0

    /** SE050E */
    #define SSS_HAVE_APPLET_SE050_E 1
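As an added check (not part of the Matter or simw-top-mini sources), the following Python script parses the SSS_HAVE_APPLET_* defines of an fsl_sss_ftr.h, reports the selected variant, fails if the file does not select exactly one, and can rewrite the selection. It assumes the variants are mutually exclusive; the text it falls back to is constructed from the defaults shown above.

```python
"""Check and switch the SE05x applet variant selected in fsl_sss_ftr.h.

Added example, not part of the Matter or simw-top-mini sources. Assumes the
feature file must set exactly one SSS_HAVE_APPLET_* macro to 1.
"""
import re
from pathlib import Path

# Matches lines such as: #define SSS_HAVE_APPLET_SE050_E 1
_DEFINE_RE = re.compile(
    r"^[ \t]*#define[ \t]+(SSS_HAVE_APPLET_\w+)[ \t]+(\d+)[ \t]*$", re.MULTILINE
)

# Constructed sample reproducing the defaults in the guide (SE050E selected).
SAMPLE_FEATURE_FILE = """
/** Compiling without any Applet Support */
#define SSS_HAVE_APPLET_NONE 0
/** SE050 Type A (ECC) */
#define SSS_HAVE_APPLET_SE05X_A 0
/** SE050 Type B (RSA) */
#define SSS_HAVE_APPLET_SE05X_B 0
/** SE050 (Super set of A + B), SE051, SE052 */
#define SSS_HAVE_APPLET_SE05X_C 0
/** SE051 with SPAKE Support */
#define SSS_HAVE_APPLET_SE051_H 0
/** AUTH */
#define SSS_HAVE_APPLET_AUTH 0
/** SE050E */
#define SSS_HAVE_APPLET_SE050_E 1
"""


def applet_flags(text: str) -> dict:
    """Return every SSS_HAVE_APPLET_* macro in the file with its integer value."""
    return {name: int(value) for name, value in _DEFINE_RE.findall(text)}


def selected_applet(text: str) -> str:
    """Return the single variant set to 1; raise if zero or several are enabled."""
    flags = applet_flags(text)
    if not flags:
        raise ValueError("no SSS_HAVE_APPLET_* defines found")
    enabled = [name for name, value in flags.items() if value == 1]
    if len(enabled) != 1:
        raise ValueError(f"expected exactly one applet variant, found {enabled}")
    return enabled[0]


def select_applet(text: str, variant: str) -> str:
    """Rewrite the feature file text so that only `variant` is set to 1."""
    if variant not in applet_flags(text):
        raise KeyError(variant)
    return _DEFINE_RE.sub(
        lambda m: f"#define {m.group(1)} {1 if m.group(1) == variant else 0}", text
    )


if __name__ == "__main__":
    path = Path("third_party/simw-top-mini/repo/fsl_sss_ftr.h")  # repo-relative path from the guide
    text = path.read_text() if path.exists() else SAMPLE_FEATURE_FILE
    print("selected applet:", selected_applet(text))
```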

<a name="device_attestation"></a>

Device attestation

To use SE05x for device attestation,

  1. Enable device attestation when building the example, using "chip_se05x_device_attestation=true" for the GN build or "-DCHIP_SE05X_DEVICE_ATTESTATION" for the CMake build.

  2. Run the provisioning example (one time) in third_party/simw-top-mini/repo/demos/se05x_dev_attest_key_prov/ to provision the device attestation key at id 0x7D300000 and the device attestation certificate at id 0x7D300001.

    cd third_party/simw-top-mini/repo/demos/se05x_dev_attest_key_prov/linux
    gn gen out
    ninja -C out se05x_dev_attest_key_prov
    ./out/se05x_dev_attest_key_prov

> [!IMPORTANT]
> The example is currently supported for i.MX 8M Mini EVK, FRDM i.MX93 and RW61x. Adapt the above commands to the i.MX and RW612 build commands accordingly.

<a name="scp03"></a>

SCP03

To enable SCP03 authentication with SE05x, build the example with the following option.

For the GN build system:

    gn gen out --args="chip_se05x_auth=\"scp03\""

Make sure CMAC (MBEDTLS_CMAC_C) is enabled in the mbedtls config file used.