<!DOCTYPE html>
<!--
Copyright 2019 NXP
This software is owned or controlled by NXP and may only be used
strictly in accordance with the applicable license terms. By expressly
accepting such terms or by downloading, installing, activating and/or
otherwise using the software, you are agreeing that you have read, and
that you agree to comply with and are bound by, such license terms. If
you do not agree to be bound by the applicable license terms, then you
may not retain, install, activate or otherwise use the software.
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8" />
<title>6.1. Introduction &#8212; Plug &amp; Trust MW v03.00.05 documentation</title>
<link rel="stylesheet" href="../../_static/bootstrap-sphinx.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" type="text/css" href="../../_static/graphviz.css" />
<script id="documentation_options" data-url_root="../../" src="../../_static/documentation_options.js"></script>
<script src="../../_static/jquery.js"></script>
<script src="../../_static/underscore.js"></script>
<script src="../../_static/doctools.js"></script>
<script src="../../_static/language_data.js"></script>
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
<link rel="next" title="6.6. API" href="edgelock2go_agent_apis.html" />
<link rel="prev" title="6. NXP EdgeLock 2GO Agent" href="../../edgelock2go-agent.html" />
<meta charset='utf-8'>
<meta http-equiv='X-UA-Compatible' content='IE=edge,chrome=1'>
<meta name='viewport' content='width=device-width, initial-scale=1.0, maximum-scale=1'>
<meta name="apple-mobile-web-app-capable" content="yes">
<script type="text/javascript" src="../../_static/js/jquery-1.11.0.min.js "></script>
<script type="text/javascript" src="../../_static/js/jquery-fix.js "></script>
<script type="text/javascript" src="../../_static/bootstrap-3.3.7/js/bootstrap.min.js "></script>
<script type="text/javascript" src="../../_static/bootstrap-sphinx.js "></script>
</head><body>
<div class="container">
<div class="row">
<div class="body col-md-9 content" role="main">
<div class="section" id="introduction">
<h1><span class="section-number">6.1. </span>Introduction<a class="headerlink" href="#introduction" title="Permalink to this headline"></a></h1>
<p>EdgeLock 2GO is a cloud service by NXP for provisioning keys and credentials into devices equipped with SE050
and for easily onboarding the device into the cloud services of the user.
Please visit <a class="reference external" href="https://www.nxp.com/edgelock2go">https://www.nxp.com/edgelock2go</a> for more information.</p>
<p>The EdgeLock 2GO agent is the on-device counterpart of the EdgeLock 2GO cloud service. Its purpose
is to establish a secure connection to the EdgeLock 2GO service, report the status of the device and update the
device with up-to-date credentials and configuration data. It handles credentials for authentication
at customer cloud services in cooperation with a secure keystore and manages the configuration data and connection
information for these cloud services.</p>
</div>
<div class="section" id="building-and-running-the-edgelock-2go-agent">
<h1><span class="section-number">6.2. </span>Building and running the EdgeLock 2GO agent<a class="headerlink" href="#building-and-running-the-edgelock-2go-agent" title="Permalink to this headline"></a></h1>
<div class="section" id="building-compiling-the-edgelock-2go-agent">
<h2><span class="section-number">6.2.1. </span>Building / Compiling the EdgeLock 2GO agent<a class="headerlink" href="#building-compiling-the-edgelock-2go-agent" title="Permalink to this headline"></a></h2>
<p>The build instructions for the EdgeLock 2GO agent do not deviate from the build instructions already
introduced in section <a class="reference internal" href="../../building/index.html#building"><span class="std std-ref">Building / Compiling</span></a>. For convenience, the script
<code class="docutils literal notranslate"><span class="pre">&lt;SE05X_root_folder&gt;/simw-top/scripts/create_cmake_projects.py</span></code>
generates bespoke CMake configurations with all CMake options set correctly for building the
EdgeLock 2GO agent for KSDK (FRDMK64F, LPC55S69) and i.MX:</p>
<ul class="simple">
<li><p>KSDK: <code class="docutils literal notranslate"><span class="pre">&lt;SE05X_root_folder&gt;/simw-top_build/simw-top-eclipse_arm_el2go</span></code></p></li>
<li><p>i.MX (native compilation): <code class="docutils literal notranslate"><span class="pre">&lt;SE05X_root_folder&gt;/simw-top_build/imx_native_se050_t1oi2c_openssl_el2go</span></code></p></li>
</ul>
</div>
<div class="section" id="registering-the-device-to-the-edgelock-2go-service">
<h2><span class="section-number">6.2.2. </span>Registering the device to the EdgeLock 2GO service<a class="headerlink" href="#registering-the-device-to-the-edgelock-2go-service" title="Permalink to this headline"></a></h2>
<p>In order to connect your device to EdgeLock 2GO and provision the keys and credentials that you have configured,
you first need to register your device to your EdgeLock 2GO account. This can be done in different ways including:</p>
<ul class="simple">
<li><p>Registering your device UUID in your EdgeLock 2GO account. You must first read out the UUID of your device,
for example by executing the se05x_Get_Info executable that is part of this release. How to do
this is described in more detail in <a class="reference internal" href="../../demos/se05x/se05x_GetInfo/Readme.html#ex-se05x-info"><span class="std std-ref">SE05X Get Info example</span></a>.</p></li>
<li><p>Injecting a claim code on the device, see <a class="reference internal" href="#el2go-claimcodes"><span class="std std-ref">Claim Codes</span></a>.</p></li>
</ul>
<p>For more details, please refer to the EdgeLock 2GO documentation.</p>
</div>
<div class="section" id="connecting-the-device-to-the-edgelock-2go-service">
<h2><span class="section-number">6.2.3. </span>Connecting the device to the EdgeLock 2GO service<a class="headerlink" href="#connecting-the-device-to-the-edgelock-2go-service" title="Permalink to this headline"></a></h2>
<p>Once you have registered your device or installed a claim code, you can connect your device to the EdgeLock 2GO service
by calling the EdgeLock 2GO Agent API; see <a class="reference internal" href="readme_usage_examples.html#el2go-usage-examples"><span class="std std-ref">Usage Examples</span></a> for an example.
When the device connects to EdgeLock 2GO, it retrieves the credentials that you have configured for it in your
EdgeLock 2GO account. For more details, please refer to the EdgeLock 2GO documentation.</p>
</div>
</div>
<div class="section" id="datastore-keystore">
<h1><span class="section-number">6.3. </span>Datastore / Keystore<a class="headerlink" href="#datastore-keystore" title="Permalink to this headline"></a></h1>
<p>For the storage of credentials and configuration data, two types of storage entities are available. A
keystore is used for storing sensitive information, typically private keys for client
authentication, whereas a datastore is used for storing configuration data required for connecting
to a cloud service. Both are managed remotely from the EdgeLock 2GO cloud service, which treats
datastores and keystores as endpoints: the EdgeLock 2GO cloud service sends messages to an endpoint
to set it up according to the desired configuration.</p>
<p>After the device has been configured/provisioned for a cloud service by the EdgeLock 2GO cloud service,
the relevant information can be retrieved from these stores for use in client software. Access
to the credentials is abstracted by the <a class="reference internal" href="../../sss-apis.html#sss-apis"><span class="std std-ref">SSS APIs</span></a>; configuration data is accessed through
a service descriptor struct object.</p>
<p>One keystore implementation is included, supporting the SE050. The EdgeLock 2GO cloud service
uses a direct APDU channel to read objects from and insert objects into the secure element.</p>
<p>For demonstration purposes, two datastore implementations are also part of this package: a
filesystem-based datastore, which stores the data delivered by the EdgeLock 2GO cloud
service in files and can be found in <code class="docutils literal notranslate"><span class="pre">&lt;SE05X_root_folder&gt;/simw-top/nxp_iot_agent/*/nxp_iot_agent_datastore_fs.*</span></code>,
and one that keeps the data in raw memory, found in
<code class="docutils literal notranslate"><span class="pre">&lt;SE05X_root_folder&gt;/simw-top/nxp_iot_agent/*/nxp_iot_agent_datastore_plain.*</span></code>.</p>
<p>When writing contents to a datastore, the EdgeLock 2GO cloud service protects the data with a checksum.
This allows the EdgeLock 2GO agent to check whether the data found in a datastore is
valid/uncorrupted. Note that a checksum detects accidental corruption only; it is not a cryptographic
integrity protection and does not prevent anyone who can write to the datastore's backing storage from
replacing its contents (and the checksum) with their own. This is one reason why sensitive material belongs in the
keystore rather than in a datastore.</p>
</div>
<div class="section" id="connection-to-the-edgelock-2go-cloud-service">
<h1><span class="section-number">6.4. </span>Connection to the EdgeLock 2GO cloud service<a class="headerlink" href="#connection-to-the-edgelock-2go-cloud-service" title="Permalink to this headline"></a></h1>
<p>This section gives a short overview of the communication channel between the EdgeLock 2GO agent and
the EdgeLock 2GO cloud service. The connection to the EdgeLock 2GO cloud service is always initiated
from the EdgeLock 2GO agent.</p>
<div class="section" id="transport-layer-security">
<h2><span class="section-number">6.4.1. </span>Transport layer security<a class="headerlink" href="#transport-layer-security" title="Permalink to this headline"></a></h2>
<p>Communication between client and server is protected in a mutually authenticated TLS channel. The
TLS protocol versions TLS 1.2 and TLS 1.3 are supported. The supported ciphersuites are:</p>
<p>For TLS 1.2:</p>
<ul class="simple">
<li><p>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</p></li>
<li><p>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</p></li>
<li><p>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</p></li>
<li><p>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</p></li>
<li><p>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</p></li>
<li><p>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</p></li>
</ul>
<p>For TLS 1.3:</p>
<ul class="simple">
<li><p>TLS_AES_128_GCM_SHA256</p></li>
<li><p>TLS_AES_256_GCM_SHA384</p></li>
</ul>
</div>
<div class="section" id="client-authentication">
<h2><span class="section-number">6.4.2. </span>Client authentication<a class="headerlink" href="#client-authentication" title="Permalink to this headline"></a></h2>
<p>When the SE050 is used for authenticating to the EdgeLock 2GO cloud service, the client’s private key as
well as the client certificate are stored on the secure element. The SE050 comes with these credentials
pre-installed at the NXP production site, under predefined object identifiers.</p>
<p>There are two crypto libraries available for performing the TLS handshake in combination with the SE050. It
is possible to use OpenSSL with a custom crypto engine (see <a class="reference internal" href="../../sss/plugin/openssl/scripts/readme.html#intro-openssl-engine"><span class="std std-ref">Introduction on OpenSSL engine</span></a>).
Alternatively, mbedTLS with an alternative (ALT) implementation for the SE050 can be used (see
<a class="reference internal" href="../../sss/plugin/mbedtls/scripts/readme.html#mbedtls-alt"><span class="std std-ref">Introduction on mbedTLS ALT Implementation</span></a>).</p>
</div>
<div class="section" id="server-authentication">
<h2><span class="section-number">6.4.3. </span>Server authentication<a class="headerlink" href="#server-authentication" title="Permalink to this headline"></a></h2>
<p>The server is authenticated using a certificate chain that is ultimately signed by an NXP root CA. There
are two different certificate chains available: one uses ECC with the NIST P-384 curve, the other
uses RSA with 4096-bit keys. The trusted root CA certificates are included in the
distributed package of the NXP Plug &amp; Trust Middleware (see also <a class="reference internal" href="#parameters-for-the-connection-to-edgelock-2go-cloud-service">Parameters for the connection to
EdgeLock 2GO cloud service</a>).</p>
<p>The EdgeLock 2GO cloud service provides certificate revocation lists (CRLs) for the CA that signs the
server certificates. The CRLs are transferred over the TLS channel itself, so that the agent does not have to implement
another protocol (typically HTTP) for retrieving them. When OpenSSL is used as crypto library,
CRL processing is skipped for OpenSSL versions &lt; 1.1.1; on such builds a revoked but otherwise valid server
certificate is still accepted, so the OpenSSL version in use is worth checking.</p>
</div>
<div class="section" id="application-layer-protocol">
<h2><span class="section-number">6.4.4. </span>Application layer protocol<a class="headerlink" href="#application-layer-protocol" title="Permalink to this headline"></a></h2>
<p>On the application layer, the EdgeLock 2GO cloud service sends protobuf messages (requests) to
individual endpoints, which handle them. Different requests are used depending on the endpoint type.
Requests addressed to the EdgeLock 2GO agent itself query the presence of endpoints
and their supported features, and manage the communication channel. Other requests directly
read data from or write contents to keystores and datastores.</p>
<p>For configuring an SE050 keystore, the EdgeLock 2GO cloud service uses APDU commands that are
forwarded directly to the secure element. If sensitive information is included or integrity
protection is required, the APDUs can be encrypted. In this way a secure end-to-end channel between the
EdgeLock 2GO cloud service and the secure element is established; the host running the agent only relays
the protected APDUs and does not see their plaintext.</p>
<p>For datastores, the EdgeLock 2GO cloud service is able to perform read operations to retrieve the
current contents. Should it be necessary, the datastore contents can be updated; the
EdgeLock 2GO cloud service always replaces the complete contents of the datastore. The first request
is an allocate operation, which allows the datastore to make sure that memory for the contents is available.
It is followed by one or more write operations. If the datastore supports transactions, an additional
commit operation is performed after the last write to trigger an atomic update of the datastore
contents.</p>
<p>The definition of the protobuf application layer protocol can be found in
<code class="docutils literal notranslate"><span class="pre">&lt;SE05X_root_folder&gt;/simw-top/nxp_iot_agent/doc/protobuf</span></code>.</p>
</div>
<div class="section" id="parameters-for-the-connection-to-edgelock-2go-cloud-service">
<h2><span class="section-number">6.4.5. </span>Parameters for the connection to EdgeLock 2GO cloud service<a class="headerlink" href="#parameters-for-the-connection-to-edgelock-2go-cloud-service" title="Permalink to this headline"></a></h2>
<p>The EdgeLock 2GO agent attempts to take the hostname, port, a reference to the client key and client
certificate, as well as a collection of trusted root CA certificates, from a datastore that is
registered with a particular id. If a datastore with this id is registered and contains valid data
(checksum verification), the EdgeLock 2GO agent uses its contents. Otherwise, it
falls back to compile-time constants defined in
<code class="docutils literal notranslate"><span class="pre">&lt;SE05X_root_folder&gt;/simw-top/nxp_iot_agent/inc/nxp_iot_agent_config.h</span></code>.</p>
<p>For demonstration purposes, the demo application in
<code class="docutils literal notranslate"><span class="pre">&lt;SE05X_root_folder&gt;/simw-top/nxp_iot_agent/ex/src/iot_agent_demo.c</span></code> registers a datastore for the EdgeLock
2GO cloud service connection parameters. It is filled at the first boot with the
compile-time constants from the configuration file.</p>
<p>Because the connection parameters can be taken from the datastore, the EdgeLock 2GO cloud service is able to
update them remotely. This makes it possible to recover from a potential corruption or compromise of the keys
behind the trusted root certificates by distributing replacement root certificates to the device.</p>
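<p>The three datastore mechanisms described on this page, the checksum over the stored contents (section 6.3), the allocate / write / commit transaction (section 6.4.4) and the fallback from the parameter datastore to compile-time constants (this section), can be shown together in one program. The following C program is an added example written for this page; it is not code from the Plug &amp; Trust Middleware or from NXP. It assumes CRC-32 as the checksum (the page does not name the algorithm), an arbitrary datastore id, a byte layout of port followed by hostname, and the function and constant names shown; the real agent also keeps references to the client key, client certificate and trusted root CA certificates in that datastore, which are left out here.</p>

```c
/* Added example (not NXP code): an in-memory datastore with the allocate / write /
 * commit transaction and a checksum check on read, plus a loader that takes the
 * connection parameters from such a datastore and falls back to compile-time defaults
 * when the store is missing, uncommitted or corrupted. Assumed: CRC-32 as checksum
 * (the page does not name the algorithm), the datastore id, the byte layout, all names. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EL2GO_PARAMS_DATASTORE_ID 0x0001u        /* assumed id of the parameter datastore */
#define DEFAULT_HOSTNAME "el2go.example.invalid"  /* stands in for nxp_iot_agent_config.h */
#define DEFAULT_PORT     443u

typedef struct {
    uint32_t id;
    uint8_t *staging;   size_t staging_len;    /* transaction in progress, not yet visible */
    uint8_t *committed; size_t committed_len;  /* contents readers see, CRC-32 at the end */
} datastore_t;
typedef struct { char hostname[64]; uint16_t port; } conn_params_t;
enum { PARAMS_FROM_DATASTORE = 1, PARAMS_FROM_DEFAULTS = 2 };

/* Standard reflected CRC-32 (polynomial 0xEDB88320); check value for "123456789" is 0xCBF43926. */
static uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}
static void ds_init(datastore_t *ds, uint32_t id) { memset(ds, 0, sizeof *ds); ds->id = id; }

/* Allocate: the service announces the total size first so memory can be reserved. */
static int ds_allocate(datastore_t *ds, size_t len) {
    uint8_t *buf = calloc(len ? len : 1, 1);
    if (!buf) return -1;
    free(ds->staging);
    ds->staging = buf; ds->staging_len = len;
    return 0;
}
/* Write: one chunk at an offset; readers keep the old contents until commit. */
static int ds_write(datastore_t *ds, size_t off, const uint8_t *data, size_t len) {
    if (!ds->staging || off > ds->staging_len || len > ds->staging_len - off) return -1;
    memcpy(ds->staging + off, data, len);
    return 0;
}
/* Commit: swap the staged buffer in as a whole, so readers never see a half-written store. */
static int ds_commit(datastore_t *ds) {
    if (!ds->staging) return -1;
    free(ds->committed);
    ds->committed = ds->staging; ds->committed_len = ds->staging_len;
    ds->staging = NULL; ds->staging_len = 0;
    return 0;
}
/* Read: hand out the payload only if the trailing big-endian CRC-32 matches. */
static int ds_read_verified(const datastore_t *ds, const uint8_t **out, size_t *out_len) {
    if (!ds->committed || ds->committed_len < 4) return -1;
    size_t n = ds->committed_len - 4;
    const uint8_t *c = ds->committed + n;
    uint32_t stored = ((uint32_t)c[0] << 24) | ((uint32_t)c[1] << 16) | ((uint32_t)c[2] << 8) | c[3];
    if (crc32_buf(ds->committed, n) != stored) return -1;
    *out = ds->committed; *out_len = n;
    return 0;
}

/* Service side: port (2 bytes, big-endian), hostname bytes, then CRC-32 over both. */
static size_t encode_params_with_crc(const char *host, uint16_t port, uint8_t *out, size_t cap) {
    size_t hl = strlen(host);
    if (cap < 2 + hl + 4) return 0;
    out[0] = (uint8_t)(port >> 8); out[1] = (uint8_t)port;
    memcpy(out + 2, host, hl);
    uint32_t crc = crc32_buf(out, 2 + hl);
    out[2 + hl] = (uint8_t)(crc >> 24); out[3 + hl] = (uint8_t)(crc >> 16);
    out[4 + hl] = (uint8_t)(crc >> 8);  out[5 + hl] = (uint8_t)crc;
    return 2 + hl + 4;
}
/* Agent side: use the datastore only if it has the expected id and verified contents. */
static int load_connection_params(const datastore_t *ds, conn_params_t *p) {
    const uint8_t *data; size_t n;
    if (ds && ds->id == EL2GO_PARAMS_DATASTORE_ID && ds_read_verified(ds, &data, &n) == 0
        && n >= 2 && n - 2 < sizeof p->hostname) {
        p->port = (uint16_t)((data[0] << 8) | data[1]);
        memcpy(p->hostname, data + 2, n - 2); p->hostname[n - 2] = '\0';
        return PARAMS_FROM_DATASTORE;
    }
    strcpy(p->hostname, DEFAULT_HOSTNAME); p->port = DEFAULT_PORT;
    return PARAMS_FROM_DEFAULTS;
}

int main(void) {
    datastore_t ds; conn_params_t p; uint8_t msg[96];
    ds_init(&ds, EL2GO_PARAMS_DATASTORE_ID);
    size_t n = encode_params_with_crc("el2go.example", 8443, msg, sizeof msg);
    ds_allocate(&ds, n); ds_write(&ds, 0, msg, 8); ds_write(&ds, 8, msg + 8, n - 8);
    printf("before commit: source=%d\n", load_connection_params(&ds, &p));
    ds_commit(&ds);
    printf("committed:     source=%d %s:%u\n", load_connection_params(&ds, &p), p.hostname, (unsigned)p.port);
    msg[5] ^= 0x01; ds_allocate(&ds, n); ds_write(&ds, 0, msg, n); ds_commit(&ds); /* flipped bit */
    printf("corrupted:     source=%d %s:%u\n", load_connection_params(&ds, &p), p.hostname, (unsigned)p.port);
    return 0;
}
```

<p>Two points the program makes concrete: a loader that reads the store between the write operations still gets the defaults, because nothing is visible before commit, and a single flipped bit in the committed contents is enough for the checksum check to fail and the agent to fall back to the compile-time constants. The fallback is deliberately silent about why it happened; in a real agent the reason (no datastore, wrong id, checksum mismatch) is worth logging, since a persistent checksum failure after a remote update is a sign that either the update or the storage is broken.</p>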
</div>
</div>
<div class="section" id="claim-codes">
<span id="el2go-claimcodes"></span><h1><span class="section-number">6.5. </span>Claim Codes<a class="headerlink" href="#claim-codes" title="Permalink to this headline"></a></h1>
<p>A claim code allows a device to be registered into the user account automatically. Claim codes are created and managed from
the EdgeLock 2GO service. Please refer to the EdgeLock 2GO documentation for more details.</p>
<p>To facilitate the injection of a claim code into the device, a simple application capable of injecting and
deleting claim codes (claimcode_inject) is delivered together with the EdgeLock 2GO agent.
This application reads the claim code from a text file. Since possession of a valid claim code is what registers a
device into your account, treat that file as a credential and do not leave it on shared or unprotected storage.</p>
<p>To inject a claim code that is present in a file <code class="docutils literal notranslate"><span class="pre">claim.txt</span></code>, the following command can be used:</p>
<p><code class="docutils literal notranslate"><span class="pre">./claimcode_inject</span> <span class="pre">claim.txt</span></code></p>
<p>The application also supports deleting an existing claim code from the device with the following command:</p>
<p><code class="docutils literal notranslate"><span class="pre">./claimcode_inject</span> <span class="pre">--delete</span></code></p>
</div>
</div>
</div>
</div>
<footer class="footer">
<div class="container">
<p>
&copy; Copyright 2018-2020, NXP.<br/>
Created using <a href="http://sphinx-doc.org/">Sphinx</a> 2.4.1.<br/>
</p>
</div>
</footer>
</body>
</html>