Abstract
This document introduces the benefits provided by EdgeLock SE05x to
implement TPM-like functionalities in your IoT devices. It also describes the
TSS wrapper layer implemented in the Plug & Trust middleware to simplify
integration of EdgeLock SE05x and to enable fast migration from a traditional
TPM, and explains how to run and evaluate the TPM project examples
provided in the support package.
NXP Semiconductors
EdgeLockTM SE05x to implement TPM-like functionality
For more than a decade, the computing industry has relied on a special type of secure
crypto-processor, called a Trusted Platform Module (TPM), to provide hardware-based
protection of PCs, laptops, networking equipment, and other computing devices. TPM
functionality is specified as ISO/IEC 11889, and TPM operation is certified by the
Trusted Computing Group (TCG), an industry organization formed by leading computer-platform companies.
In computing, the TPM is a tamper-resilient coprocessor chip used to securely store the
credentials required for user password protection, disk encryption and trusted execution.
TPM chips can also store Platform Configuration Registers (PCRs), which allow tracking
the installed SW and system configuration and help ensure the computing platform’s
trustworthiness over time.
IoT devices face some of the same risks as network-connected computers. In
resource-constrained IoT devices that require flexible crypto functionality in lightweight
implementations, adding a traditional TPM can create excess overhead in terms of size
of the SW stack and platform resources required.
In addition, traditional TPMs are not flexible enough to provide the crypto functionality
required to support IoT-specific tasks, such as creating a secure network connection,
onboarding to multiple clouds, or storing multiple keys to authenticate data or to securely
connect to multiple other devices.
AN12663
Furthermore, the different threat model and form factor associated with IoT devices
require features typically not implemented in a TPM, such as: secure binding to the host
controller, a small footprint to fit in compact devices, or programmability to adapt the
security logic to the type of IoT device.
As a result, a secure element equipped with TPM functionality, like EdgeLock SE05x, can
add high-level protection in a format better suited for IoT operation. In addition, to simplify
integration of TPM functionality using EdgeLock SE05x, the Plug & Trust middleware
provides an adaptation layer for easy integration into the TPM Software Stack (TSS), as
outlined in Section 3.
2 EdgeLock SE05x to implement TPM-like functionality
The EdgeLock SE05x is a tamper-resistant secure element able to bring TPM
functionality to IoT applications. The entire EdgeLock SE05x secure element family is
delivered with a pre-installed applet optimized for IoT use cases that also provides TPM-like functions, such as secure cryptographic processing, secure key storage, unique
ID generation and storage, attestation capabilities, and PCRs to remotely verify device
health and ensure trust.
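The PCR mechanism mentioned here (and in the TPM introduction above) is easy to misread as plain storage, so the following added example, which is not NXP or Plug & Trust code, shows what a PCR actually does: each measured component is folded into the register with a one-way extend, and a remote verifier replays the device's event log against a known-good manifest. The component names, the SHA-256 bank and the all-zero initial value are assumptions of this example.

```python
import hashlib

# Constructed example, not NXP code: how a PCR bank records a measured boot
# and how a remote verifier checks the reported value against a known-good
# manifest. Digests are SHA-256; the bank is assumed to start at all-zero bytes.
PCR_SIZE = 32

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend semantics: new_pcr = H(old_pcr || H(measurement)).
    There is no inverse operation, so a component that has been measured
    cannot be 'un-measured' later in the boot."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr + digest).digest()

def replay_event_log(events) -> bytes:
    """Recompute the PCR from an ordered list of measured components."""
    pcr = bytes(PCR_SIZE)
    for component in events:
        pcr = pcr_extend(pcr, component)
    return pcr

def verify_device_health(reported_pcr: bytes, event_log, golden_manifest) -> bool:
    """Verifier side of a remote health check:
    1. the event log must replay to the PCR value the device reported,
    2. the replayed PCR must equal the value derived from the known-good
       manifest, so a log that records a tampered stage is also rejected."""
    if len(reported_pcr) != PCR_SIZE:
        return False
    replayed = replay_event_log(event_log)
    return replayed == reported_pcr and replayed == replay_event_log(golden_manifest)

# Constructed "components" standing in for firmware, kernel and config images.
GOLDEN_BOOT = [b"bootloader-v1", b"kernel-5.10", b"config:debug=off"]
TAMPERED_BOOT = [b"bootloader-v1", b"kernel-5.10-modified", b"config:debug=off"]

if __name__ == "__main__":
    good_pcr = replay_event_log(GOLDEN_BOOT)
    bad_pcr = replay_event_log(TAMPERED_BOOT)
    print("good PCR:    ", good_pcr.hex())
    print("tampered PCR:", bad_pcr.hex())
    print("healthy device accepted:", verify_device_health(good_pcr, GOLDEN_BOOT, GOLDEN_BOOT))
    print("tampered device rejected:", not verify_device_health(bad_pcr, TAMPERED_BOOT, GOLDEN_BOOT))
    # A device that reports the golden PCR with a log that does not replay to it is rejected too.
    print("forged log rejected:", not verify_device_health(good_pcr, TAMPERED_BOOT, GOLDEN_BOOT))
```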
The EdgeLock SE05x goes beyond baseline TPM operation to provide special support
for IoT operation, including:
• Flexible approach to manage credentials and user policies (i.e. more user/policy
combinations are possible per credential object).
• Support for secure binding to a host MCU (e.g. using GlobalPlatform's SCP03 standard
protocol).
• Ability to freeze keys (and avoid deletion by other stakeholders).
• Configuration of access-right policies on the on-chip memory (in combination with NXP
EdgeLock 2GO service, supports management of keys and digital certificates over the
air, in the field).
• Multi-tenancy, where multiple stakeholders can use the same EdgeLock SE05x secure
element to securely store their sensitive data and credentials.
In addition, the EdgeLock SE05x is part of the NXP EdgeLock Assurance Program and
provides certified security according to the Common Criteria framework, with EAL 6+
resistance level at both hardware and operating system level. The EdgeLock SE05x
secure elements are also designed for scalability, and can easily be configured to support
existing and upcoming standards, such as CHIP (Connected Home over IP) for Smart
Home, DLMS-COSEM for Smart Metering, ISA/IEC 62443 for Industrial Control Security
and the Open Platform Communications Unified Architecture (OPC UA), which defines
data-exchange standards for industrial communication.
As a result, the major advantage of EdgeLock SE05x over traditional TPMs is that it
supports more IoT-relevant features, a wider variety of development and usage models,
and can be used in tiny sensors as well as powerful IoT equipment such as edge
computing platforms.
3 TSS implementation in Plug & Trust middleware
The Plug & Trust middleware already provides an OpenSSL engine that lets standard
applications use cryptography via the secure element without changes to the
application code. For applications that do not use OpenSSL as their cryptographic API,
the Plug & Trust middleware provides a TSS adaptation layer for integration into the TPM
Software Stack (TSS), enabling a fast migration from a traditional TPM to an embedded
secure element. Refer to Appendix A for additional details about TPM 2.0 and the TPM
Software Stack (TSS).
The TSS implementation available at https://github.com/tpm2-software/tpm2-tss is used
by the Plug & Trust middleware to provide TPM functions. An Esys wrapper software
implementation, interfacing with the ESAPI and FAPI layers, takes care of translating
TPM commands to commands that can be managed by the Plug & Trust middleware.
This architecture is shown in Figure 1:
Figure 1. TSS architecture in EdgeLock SE05x
The functions supported by the EdgeLock SE05x TPM implementation are listed in
Table 1. For a list of limitations and unsupported features, please refer to Section 6.
Table 1. TPM Functions supported by Plug & Trust middleware
4 Run the Plug & Trust middleware TPM examples
This section describes how to compile and run the TPM examples provided as part of
the Plug & Trust middleware. The examples use the TPM2-Tools as a convenient way
to demonstrate the TPM capabilities of EdgeLock SE05x. The TPM2-Tools are only
supported in Linux, but the underlying TPM library can also be used in other operating
systems.
4.1 Hardware preparation
In this section the necessary hardware for running the Plug & Trust middleware with the
TPM examples is described.
4.1.1 Required hardware
The following hardware is used to run the TPM project examples:
1. OM-SE05xARD development kit:
The EdgeLock SE05x support package provides development boards for evaluating
EdgeLock SE050 and EdgeLock SE051 features. Select the development board of
the product you want to evaluate. Table 2 lists the ordering details of the EdgeLock
SE05x development boards.
Table 2. EdgeLock SE05x development boards.
Part number | 12NC         | Description
OM-SE050ARD | 935383282598 | SE050 Arduino compatible development kit
OM-SE051ARD | 935399187598 | SE051 Arduino compatible development kit
Note: The pictures in this guide will show EdgeLock SE050, but EdgeLock SE051 can
be used as well with the same configuration.
the Arduino connectors. Then mount the two boards on top of the Raspberry Pi using
the Raspberry Pi connectors of the OM-SE050RPI. The result is three boards stacked
together, with the OM-SE050RPI in between the Raspberry Pi and the OM-SE05xARD.
Figure 3. OM-SE05xARD connection to the Raspberry Pi using the OM-SE050RPI
adapter board
Note: In case you do not have the OM-SE050RPI adapter board, you can also
manually wire the Raspberry Pi to the OM-SE05xARD using the external I2C
connector. For more information refer to AN12570 - Quick start guide with Raspberry Pi.
The Raspberry OS installation consists of two steps:
1. Install your preferred Linux distribution in your device as described in Section 4.2.1.
2. Enable the I2C interface in your Linux distribution to allow the communication with the
security IC of the OM-SE05xARD board as described in Section 4.2.2.
4.2.1 Installation
First, we need to install the OS for our Raspberry Pi. For that, we use the latest Raspbian
OS version available on the Raspberry Pi website. It recommends two options:
1. Using New Out of Box Software (NOOBS), an easy operating system installation
manager for the Raspberry Pi. This tool is the easiest and most recommended
option, but requires a screen to go through the initial installation process. Installation
instructions are provided in the official Raspberry NOOBS webpage.
2. Downloading the official Raspbian image from the official Raspberry Pi image
repository and then flashing the image in the SD card by following the instructions
provided in the official documentation.
Note: Raspbian is used just as a reference; you can use your preferred Linux
distribution.
4.2.2 Enable the I2C interface
The Raspberry Pi board communicates with the OM-SE05xARD security IC through
the I2C interface. The I2C interface is not enabled by default in Raspbian and must be
activated before the Plug & Trust middleware test examples can be executed. To enable
I2C, open a Terminal window and follow these steps: