SE050 Security Breakout Board

A new version of the board a now available on Tindie. Schematic is the same but the breakout board is smaller to better fit your project.

There is a limited 20% discount (24$ instead of 30$) on the SE050 Breakout board. Don't miss it!

NXP already provides all the stuff needed to use the SE050 as a pkcs11 token but documentation is not so easy to understand.

First of all you will have to install all the required packages on raspbian:

sudo apt-get update
sudo apt-get install cmake cmake-curses-gui cmake-gui libssl-dev python3-pip libffi-dev
sudo apt-get install gnutls-bin
sudo apt-get install opensc opensc-pkcs11

The if we consider that you have already downloaded and unzipped the Plug & Trust MW from NXP in the '~/se050_mw' directory (as explained in my previous post), you can type the following commands:

cd ~/se050_mw/simw-top/
python scripts/create_cmake_projects.py
cd ~/se050_mw/simw-top_build/raspbian_native_se050_t1oi2c
ccmake .

A configuration window should appear, set the following parameters to the given values:

RTOS = Default
mbedTLS_ALT = SSS
HostCrypto = MBEDTLS

 Launch the compilation and wait for a while (-_-) :

cmake --build .
sudo make install
sudo ldconfig /usr/local/lib
export PKCS11_MODULE=/usr/local/lib/libsss_pkcs11.so

Now your SE050 breakout board is ready to bu used as a PKCS11 token. if you list the available PKCS11 slots using pkcs11-tool from OpenSC, you should see the following output:

pkcs11-tool --module $PKCS11_MODULE --list-slots

Available slots:
Slot 0 (0x1):
  token label        : SSS_PKCS11
  token manufacturer : NXP
  token model        :
  token flags        : rng, token initialized
  hardware version   : 3.1
  firmware version   : 2.16
  serial num         :
  pin min/max        : 0/10

In a next post, we will see how to use SE050 breakout board through pkcs11-tool.

NXP provides a simple tool intended to ease SE050 configuration. To install it type the following commands:

cd ~/se050_mw/simw-top/pycli/
sudo pip3 install -r requirements.txt
sudo pip3 install -e src/

Then you can use the 'ssscli' command to control/configure your SE050 secure element. For example:

#connect to se050
ssscli connect se050 t1oi2c none
#get SE050 UID
ssscli se05x uid
#list objects on SE050
ssscli se05x readidlist
#generate a 4096bits RSA key pair at address 0xf0000201
ssscli generate rsa 0xf0000201 4096
#sign a file
touch foo
ssscli sign 0xf0000201 foo foo_sig
#verify file
ssscli verify 0xf0000201 foo foo_sig

SSCLI program provides other interesting features allowing to easily personalize your SE050 chip. Check the documentation provided with the NXP Plug & Trust MW for more information.

In the next post, i will explain how to use the SE050 chip as a standard PKCS11 token using OpenSC pkcs11-tool.