Using SE050 Breakout board as a PKCS11 token

A project log for SE050 Security Breakout Board

Breakout board intended to secure Raspberry PI or others IoT products thanks to SE050 secure element from NXP

Michael GrandMichael Grand 10/22/2020 at 18:390 Comments

NXP already provides all the stuff needed to use the SE050 as a pkcs11 token but documentation is not so easy to understand.

First of all you will have to install all the required packages on raspbian:

sudo apt-get update
sudo apt-get install cmake cmake-curses-gui cmake-gui libssl-dev python3-pip libffi-dev
sudo apt-get install gnutls-bin
sudo apt-get install opensc opensc-pkcs11

The if we consider that you have already downloaded and unzipped the Plug & Trust MW from NXP in the '~/se050_mw' directory (as explained in my previous post), you can type the following commands:

cd ~/se050_mw/simw-top/
python scripts/
cd ~/se050_mw/simw-top_build/raspbian_native_se050_t1oi2c
ccmake .

A configuration window should appear, set the following parameters to the given values:

RTOS = Default
HostCrypto = MBEDTLS

 Launch the compilation and wait for a while (-_-) :

cmake --build .
sudo make install
sudo ldconfig /usr/local/lib
export PKCS11_MODULE=/usr/local/lib/

Now your SE050 breakout board is ready to bu used as a PKCS11 token. if you list the available PKCS11 slots using pkcs11-tool from OpenSC, you should see the following output:

pkcs11-tool --module $PKCS11_MODULE --list-slots

Available slots:
Slot 0 (0x1):
  token label        : SSS_PKCS11
  token manufacturer : NXP
  token model        :
  token flags        : rng, token initialized
  hardware version   : 3.1
  firmware version   : 2.16
  serial num         :
  pin min/max        : 0/10

In a next post, we will see how to use SE050 breakout board through pkcs11-tool.