| <!DOCTYPE html> |
| <!-- |
| Copyright 2019 NXP |
| |
| This software is owned or controlled by NXP and may only be used |
| strictly in accordance with the applicable license terms. By expressly |
| accepting such terms or by downloading, installing, activating and/or |
| otherwise using the software, you are agreeing that you have read, and |
| that you agree to comply with and are bound by, such license terms. If |
| you do not agree to be bound by the applicable license terms, then you |
| may not retain, install, activate or otherwise use the software. |
| --> |
| |
| <html xmlns="http://www.w3.org/1999/xhtml"> |
| <head> |
| <meta charset="utf-8" /> |
| <title>6.1. Introduction — Plug & Trust MW v03.00.05 documentation</title> |
| <link rel="stylesheet" href="../../_static/bootstrap-sphinx.css" type="text/css" /> |
| <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> |
| <link rel="stylesheet" type="text/css" href="../../_static/graphviz.css" /> |
| <script id="documentation_options" data-url_root="../../" src="../../_static/documentation_options.js"></script> |
| <script src="../../_static/jquery.js"></script> |
| <script src="../../_static/underscore.js"></script> |
| <script src="../../_static/doctools.js"></script> |
| <script src="../../_static/language_data.js"></script> |
| <link rel="index" title="Index" href="../../genindex.html" /> |
| <link rel="search" title="Search" href="../../search.html" /> |
| <link rel="next" title="6.6. API" href="edgelock2go_agent_apis.html" /> |
| <link rel="prev" title="6. NXP EdgeLock 2GO Agent" href="../../edgelock2go-agent.html" /> |
| <meta charset='utf-8'> |
| <meta http-equiv='X-UA-Compatible' content='IE=edge,chrome=1'> |
| <meta name='viewport' content='width=device-width, initial-scale=1.0, maximum-scale=1'> |
| <meta name="apple-mobile-web-app-capable" content="yes"> |
| <script type="text/javascript" src="../../_static/js/jquery-1.11.0.min.js "></script> |
| <script type="text/javascript" src="../../_static/js/jquery-fix.js "></script> |
| <script type="text/javascript" src="../../_static/bootstrap-3.3.7/js/bootstrap.min.js "></script> |
| <script type="text/javascript" src="../../_static/bootstrap-sphinx.js "></script> |
| |
| </head><body> |
| |
| |
| <div class="container"> |
| <div class="row"> |
| <div class="body col-md-9 content" role="main"> |
| |
| <div class="section" id="introduction"> |
| <h1><span class="section-number">6.1. </span>Introduction<a class="headerlink" href="#introduction" title="Permalink to this headline">¶</a></h1> |
<p>EdgeLock 2GO is a cloud service by NXP for provisioning keys and credentials into devices equipped with SE050
and for easily onboarding the device into the user's own cloud services.
Please visit <a class="reference external" href="https://www.nxp.com/edgelock2go">https://www.nxp.com/edgelock2go</a> for more information.</p>
<p>The EdgeLock 2GO agent is the on-device counterpart of the EdgeLock 2GO cloud service. Its purpose
is to establish a secure connection to the EdgeLock 2GO service, report the status of the device and update the
device with up-to-date credentials and configuration data. It handles credentials for authentication
at customer cloud services in cooperation with a secure keystore and manages configuration data and connection
information for these cloud services.</p>
| </div> |
| <div class="section" id="building-and-running-the-edgelock-2go-agent"> |
| <h1><span class="section-number">6.2. </span>Building and running the EdgeLock 2GO agent<a class="headerlink" href="#building-and-running-the-edgelock-2go-agent" title="Permalink to this headline">¶</a></h1> |
| <div class="section" id="building-compiling-the-edgelock-2go-agent"> |
| <h2><span class="section-number">6.2.1. </span>Building / Compiling the EdgeLock 2GO agent<a class="headerlink" href="#building-compiling-the-edgelock-2go-agent" title="Permalink to this headline">¶</a></h2> |
<p>The build instructions for the EdgeLock 2GO agent do not deviate from the build instructions already
introduced in section <a class="reference internal" href="../../building/index.html#building"><span class="std std-ref">Building / Compiling</span></a>. For convenience, the script
<code class="docutils literal notranslate"><span class="pre">&lt;SE05X_root_folder&gt;/simw-top/scripts/create_cmake_projects.py</span></code>
generates bespoke CMake configurations with all CMake options set correctly for building the
EdgeLock 2GO agent for KSDK (FRDMK64F, LPC55S69) and i.MX:</p>
<ul class="simple">
<li><p>KSDK: <code class="docutils literal notranslate"><span class="pre">&lt;SE05X_root_folder&gt;/simw-top_build/simw-top-eclipse_arm_el2go</span></code></p></li>
<li><p>i.MX (native compilation): <code class="docutils literal notranslate"><span class="pre">&lt;SE05X_root_folder&gt;/simw-top_build/imx_native_se050_t1oi2c_openssl_el2go</span></code></p></li>
</ul>
| </div> |
| <div class="section" id="registering-the-device-to-the-edgelock-2go-service"> |
| <h2><span class="section-number">6.2.2. </span>Registering the device to the EdgeLock 2GO service<a class="headerlink" href="#registering-the-device-to-the-edgelock-2go-service" title="Permalink to this headline">¶</a></h2> |
| <p>In order to connect your device to EdgeLock 2GO and provision the keys and credentials that you have configured, |
| you first need to register your device to your EdgeLock 2GO account. This can be done in different ways including:</p> |
| <ul class="simple"> |
| <li><p>Registering your device UUID into your EdgeLock 2GO account. You must first read out the UUID of your device. |
| This can be achieved, for example, by executing the se05x_Get_Info executable that is part of this release. How to do |
| this is described in more detail in <a class="reference internal" href="../../demos/se05x/se05x_GetInfo/Readme.html#ex-se05x-info"><span class="std std-ref">SE05X Get Info example</span></a>.</p></li> |
| <li><p>Injecting a claim code on the device, see <a class="reference internal" href="#el2go-claimcodes"><span class="std std-ref">Claim Codes</span></a>.</p></li> |
| </ul> |
| <p>For more details, please refer to the EdgeLock 2GO documentation.</p> |
| </div> |
| <div class="section" id="connecting-the-device-to-the-edgelock-2go-service"> |
| <h2><span class="section-number">6.2.3. </span>Connecting the device to the EdgeLock 2GO service<a class="headerlink" href="#connecting-the-device-to-the-edgelock-2go-service" title="Permalink to this headline">¶</a></h2> |
| <p>Once you have registered your device or installed a claim code, you can connect your device to the EdgeLock 2GO service |
| by calling the EdgeLock 2GO Agent API. See <a class="reference internal" href="readme_usage_examples.html#el2go-usage-examples"><span class="std std-ref">Usage Examples</span></a> for an example. |
| When your device connects to EdgeLock 2GO, and provided you have configured the device in your EdgeLock 2GO account, the device |
| retrieves the credentials that you have configured. For more details, please refer to the EdgeLock 2GO documentation.</p> |
| </div> |
| </div> |
| <div class="section" id="datastore-keystore"> |
| <h1><span class="section-number">6.3. </span>Datastore / Keystore<a class="headerlink" href="#datastore-keystore" title="Permalink to this headline">¶</a></h1> |
| <p>For storage of credentials and configuration data, two types of storage entities are available. A |
| keystore is used for storing sensitive information, typically private keys for client |
| authentication, whereas a datastore is used for storing configuration data required for connecting |
| to a cloud service. Both are managed remotely from the EdgeLock 2GO cloud service. From the point of |
| view of the EdgeLock 2GO cloud service, datastores and keystores are considered endpoints. The |
| EdgeLock 2GO cloud service sends messages to endpoints to set them up according to the |
| desired configuration.</p> |
| <p>After the device has been configured/provisioned for a cloud service by the EdgeLock 2GO cloud service, |
| client software can extract the relevant information from these storages. Access to the |
| credentials is abstracted by the <a class="reference internal" href="../../sss-apis.html#sss-apis"><span class="std std-ref">SSS APIs</span></a>; configuration data is accessed through |
| a service descriptor struct object.</p> |
| <p>One keystore implementation is included for supporting the SE050. The EdgeLock 2GO cloud service |
| uses a direct APDU channel to read out from and insert objects into the secure element.</p> |
| <p>For the sake of demonstration, two datastore implementations are also part of this package. A |
| filesystem-based datastore, which uses files for storing the data delivered by the EdgeLock 2GO cloud |
| service, is present in <code class="docutils literal notranslate"><span class="pre"><SE05X_root_folder>/simw-top/nxp_iot_agent/*/nxp_iot_agent_datastore_fs.*</span></code>; |
| one that uses raw memory can be found in |
| <code class="docutils literal notranslate"><span class="pre"><SE05X_root_folder>/simw-top/nxp_iot_agent/*/nxp_iot_agent_datastore_plain.*</span></code>.</p> |
| <p>When writing contents to a datastore, EdgeLock 2GO cloud service protects the data with a checksum. |
| This allows the EdgeLock 2GO agent to check whether the data that is found inside a datastore is |
| valid/uncorrupted.</p> |
| </div> |
| <div class="section" id="connection-to-the-edgelock-2go-cloud-service"> |
| <h1><span class="section-number">6.4. </span>Connection to the EdgeLock 2GO cloud service<a class="headerlink" href="#connection-to-the-edgelock-2go-cloud-service" title="Permalink to this headline">¶</a></h1> |
| <p>This section gives a short overview of the communication channel between the EdgeLock 2GO agent and |
| the EdgeLock 2GO cloud service. The connection to the EdgeLock 2GO cloud service is always initiated |
| from the EdgeLock 2GO agent.</p> |
| <div class="section" id="transport-layer-security"> |
| <h2><span class="section-number">6.4.1. </span>Transport layer security<a class="headerlink" href="#transport-layer-security" title="Permalink to this headline">¶</a></h2> |
| <p>Communication between client and server is protected in a mutually authenticated TLS channel. The |
| TLS protocol versions TLS 1.2 and TLS 1.3 are supported. The supported ciphersuites are:</p> |
| <p>For TLS 1.2:</p> |
| <ul class="simple"> |
| <li><p>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</p></li> |
| <li><p>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</p></li> |
| <li><p>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</p></li> |
| <li><p>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</p></li> |
| <li><p>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</p></li> |
| <li><p>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</p></li> |
| </ul> |
| <p>For TLS 1.3:</p> |
| <ul class="simple"> |
| <li><p>TLS_AES_128_GCM_SHA256</p></li> |
| <li><p>TLS_AES_256_GCM_SHA384</p></li> |
| </ul> |
| </div> |
| <div class="section" id="client-authentication"> |
| <h2><span class="section-number">6.4.2. </span>Client authentication<a class="headerlink" href="#client-authentication" title="Permalink to this headline">¶</a></h2> |
| <p>When using SE050 for authenticating at the EdgeLock 2GO cloud service, the client’s private key as |
| well as the client certificate are stored on the secure element. SE050 comes with those credentials |
| already pre-installed from the NXP production site with predefined object identifiers.</p> |
| <p>There are two crypto libraries available to do the TLS handshake in combination with the SE050. It |
| is possible to use OpenSSL with a custom crypto engine (see <a class="reference internal" href="../../sss/plugin/openssl/scripts/readme.html#intro-openssl-engine"><span class="std std-ref">Introduction on OpenSSL engine</span></a>). |
| Alternatively, mbedTLS with an alternative implementation for the SE050 can be used (see |
| <a class="reference internal" href="../../sss/plugin/mbedtls/scripts/readme.html#mbedtls-alt"><span class="std std-ref">Introduction on mbedTLS ALT Implementation</span></a>).</p> |
| </div> |
| <div class="section" id="server-authentication"> |
| <h2><span class="section-number">6.4.3. </span>Server authentication<a class="headerlink" href="#server-authentication" title="Permalink to this headline">¶</a></h2> |
| <p>The server is authenticated by using a certificate chain ultimately signed by an NXP root CA. There |
| are two different certificate chains available, one using ECC with the NIST P-384 curve, the other |
| chain uses RSA with 4096 bit keys. The trusted root CA certificates are included with the |
| distributed package of the NXP Plug & Trust Middleware (see also <a class="reference internal" href="#parameters-for-the-connection-to-edgelock-2go-cloud-service">Parameters for the connection to |
| EdgeLock 2GO cloud service</a>).</p> |
| <p>The EdgeLock 2GO cloud service provides certificate revocation lists (CRLs) for the CA signing the |
| server certificates. The CRLs are transferred via the TLS channel in order to avoid having to implement |
| another protocol (typically HTTP) for retrieving the CRL. When using OpenSSL as crypto library, the |
| CRL processing is skipped for OpenSSL versions < 1.1.1.</p> |
| </div> |
| <div class="section" id="application-layer-protocol"> |
| <h2><span class="section-number">6.4.4. </span>Application layer protocol<a class="headerlink" href="#application-layer-protocol" title="Permalink to this headline">¶</a></h2> |
| <p>On the application layer, the EdgeLock 2GO cloud service sends protobuf messages (requests) to |
| individual endpoints, and each endpoint handles the requests addressed to it. Depending on the endpoint type, different requests |
| are used. Requests to the EdgeLock 2GO agent itself are used for querying the presence of endpoints |
| and their supported features and for managing the communication channel. Other requests directly address |
| reading data from or writing contents to keystores and datastores.</p> |
| <p>For configuring an SE050 keystore, the EdgeLock 2GO cloud service uses APDU commands that are |
| directly forwarded to the secure element. If sensitive information is included or integrity |
| protection is required, APDUs can be encrypted. This way a secure end-to-end channel between the |
| EdgeLock 2GO cloud service and the secure element can be established.</p> |
| <p>For datastores the EdgeLock 2GO cloud service is able to perform read operations to retrieve the |
| current contents. Should it be necessary, an update of the datastore contents can be performed. The |
| EdgeLock 2GO cloud service always replaces the complete contents of the datastore. The first request |
| is an allocate operation, allowing the datastore to make sure memory for the contents is available. |
| It is followed by one or more write operations. If the datastore supports transactions, after the |
| last write, an additional commit operation is done to trigger an atomic update of the datastore |
| contents.</p> |
| <p>The definition of the protobuf application layer protocol can be found in |
| <code class="docutils literal notranslate"><span class="pre"><SE05X_root_folder>/simw-top/nxp_iot_agent/doc/protobuf</span></code>.</p> |
| </div> |
| <div class="section" id="parameters-for-the-connection-to-edgelock-2go-cloud-service"> |
| <h2><span class="section-number">6.4.5. </span>Parameters for the connection to EdgeLock 2GO cloud service<a class="headerlink" href="#parameters-for-the-connection-to-edgelock-2go-cloud-service" title="Permalink to this headline">¶</a></h2> |
| <p>The EdgeLock 2GO agent attempts to take the hostname, port, a reference to the client key and client |
| certificate, as well as a collection of trusted root CA certificates, from a datastore that is |
| registered with a particular id. If a datastore with this id is registered and contains valid data |
| (checksum verification), then the EdgeLock 2GO agent uses its contents. If this is not the case, it |
| falls back to compile-time constants defined in |
| <code class="docutils literal notranslate"><span class="pre"><SE05X_root_folder>/simw-top/nxp_iot_agent/inc/nxp_iot_agent_config.h</span></code>.</p> |
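| <p>The following is an added example, not code from the Plug &amp; Trust Middleware: a minimal in-memory datastore that models the three behaviours described in sections 6.3, 6.4.4 and 6.4.5, namely the checksum check on datastore contents, the allocate / write / commit update sequence (the old contents survive an incomplete or corrupted delivery), and the choice between datastore contents and the compile-time default. The checksum algorithm (Fletcher-16, appended big-endian), the framing, the 64-byte capacity and all function names are assumptions of this example; the real agent's datastore API and checksum are defined in the middleware sources.</p> |

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define DS_CAPACITY 64  /* assumed: small fixed-size datastore for the example */
typedef struct {
    uint8_t active[DS_CAPACITY]; size_t active_len;                  /* committed contents: what the agent reads */
    uint8_t staging[DS_CAPACITY]; size_t staging_len, staging_alloc; /* in-flight delivery: received / announced */
} datastore_t;
/* Assumed checksum: 16-bit Fletcher sum, appended big-endian as the last two bytes. */
static uint16_t fletcher16(const uint8_t *d, size_t n) {
    uint16_t a = 0, b = 0;
    for (size_t i = 0; i < n; i++) { a = (a + d[i]) % 255; b = (b + a) % 255; }
    return (uint16_t)((b << 8) | a);
}
/* Service side (assumed framing): payload followed by its checksum; returns the total length. */
size_t ds_encode(const uint8_t *payload, size_t n, uint8_t *out, size_t cap) {
    if (n + 2 > cap) return 0;
    uint16_t c = fletcher16(payload, n);
    memcpy(out, payload, n);
    out[n] = (uint8_t)(c >> 8); out[n + 1] = (uint8_t)c;
    return n + 2;
}
/* Agent side: the validity check made before trusting anything found in a datastore. */
bool ds_checksum_ok(const uint8_t *buf, size_t len) {
    if (len < 2) return false;
    uint16_t stored = (uint16_t)((buf[len - 2] << 8) | buf[len - 1]);
    return fletcher16(buf, len - 2) == stored;
}
/* 1. allocate: reserve room for the announced total length, reject what cannot fit. */
bool ds_allocate(datastore_t *ds, size_t total_len) {
    if (total_len < 2 || total_len > DS_CAPACITY) return false;
    ds->staging_alloc = total_len; ds->staging_len = 0; return true;
}
/* 2. write (one or more chunks): only staging changes, active contents stay untouched. */
bool ds_write(datastore_t *ds, const uint8_t *chunk, size_t n) {
    if (ds->staging_alloc == 0 || ds->staging_len + n > ds->staging_alloc) return false;
    memcpy(ds->staging + ds->staging_len, chunk, n); ds->staging_len += n; return true;
}
/* 3. commit: publish only a complete, checksum-valid image; otherwise keep the old one. */
bool ds_commit(datastore_t *ds) {
    bool ok = ds->staging_len == ds->staging_alloc && ds_checksum_ok(ds->staging, ds->staging_len);
    if (ok) { memcpy(ds->active, ds->staging, ds->staging_len); ds->active_len = ds->staging_len; }
    ds->staging_alloc = 0; ds->staging_len = 0; /* staging is discarded either way */
    return ok;
}
/* 6.4.5: datastore contents if registered and valid, else the compile-time default (*len excludes checksum). */
const uint8_t *ds_params(const datastore_t *ds, const uint8_t *dflt, size_t dflt_len, size_t *len) {
    if (ds && ds_checksum_ok(ds->active, ds->active_len)) { *len = ds->active_len - 2; return ds->active; }
    *len = dflt_len; return dflt;
}
```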
| <p>For demonstration purposes, in the demo application in |
| <code class="docutils literal notranslate"><span class="pre"><SE05X_root_folder>/simw-top/nxp_iot_agent/ex/src/iot_agent_demo.c</span></code>, a datastore for the EdgeLock |
| 2GO cloud service connection parameters is registered. It is filled at the first boot with the |
| compile-time constants from the configuration file.</p> |
| <p>In order to be able to mitigate a potential corruption of the keys of the trusted root certificates, |
| the EdgeLock 2GO cloud service has the opportunity to update the connection parameters remotely |
| when they are taken from the datastore.</p> |
| </div> |
| </div> |
| <div class="section" id="claim-codes"> |
| <span id="el2go-claimcodes"></span><h1><span class="section-number">6.5. </span>Claim Codes<a class="headerlink" href="#claim-codes" title="Permalink to this headline">¶</a></h1> |
| <p>A claim code allows registering the device into the user account automatically. Claim codes are created and managed from |
| the EdgeLock 2GO service. Please refer to the EdgeLock 2GO documentation for more details.</p> |
| <p>To facilitate injection of a claim code into the device, a simple application capable of injecting and |
| deleting claim codes (claimcode_inject) is delivered in combination with the EdgeLock 2GO agent. |
| This application reads a claim code from a text file.</p> |
| <p>To inject a claim code that is present in a file <code class="docutils literal notranslate"><span class="pre">claim.txt</span></code>, the following command can be used:</p> |
| <p><code class="docutils literal notranslate"><span class="pre">./claimcode_inject</span> <span class="pre">claim.txt</span></code></p> |
| <p>The application also supports deleting an existing claim code with the following command:</p> |
| <p><code class="docutils literal notranslate"><span class="pre">./claimcode_inject</span> <span class="pre">--delete</span></code></p> |
| </div> |
| |
| |
| </div> |
| |
| </div> |
| </div> |
| <footer class="footer"> |
| <div class="container"> |
| <p> |
| © Copyright 2018-2020, NXP.<br/> |
| Created using <a href="http://sphinx-doc.org/">Sphinx</a> 2.4.1.<br/> |
| </p> |
| </div> |
| </footer> |
| </body> |
| </html> |