-
-
Notifications
You must be signed in to change notification settings - Fork 212
Lifecycle management
Note
GlobalPlatformPro focuses on application management during development stage, but it is also a Swiss Army knife for card lifecycle management.
Most of the preparations should be done in OP_READY state. The exact difference between OP_READY and INITIALIZED is not precisely defined and depends on specific cards and vendors. Features of the card, management keys and supplementary security domains should be fixed in this stage.
Use $ gp -i (failsafe) and $ gp -lv (requires keys) to get an overview of the card, before continuing.
Warning
Some of these operations are only available ONCE and are irreversible! All lifecycle changes are one way only.
Please note that not all features are available with all cards and actual usage restrictions vary depending on the card.
$ gp -i shows CPLC information, if present on the card (only missing on older and some Chinese cards).
...
ICPrePersonalizer=0000
ICPrePersonalizationEquipmentDate=0000 (2010-01-01)
ICPrePersonalizationEquipmentID=00000000
ICPersonalizer=0000
ICPersonalizationDate=0000 (2010-01-01)
ICPersonalizationEquipmentID=00000000
The date format is not universally and reliably defined. To set the Pre-Personalization information, use $ gp -set-pre-perso XXXXXXXXXXXXXXXX. To set Peronalization information, use $ gp -set-perso XXXXXXXXXXXXXXXX. To automagically set the date portion (bytes on position 3 and 4) to current date, specify -today.
$ gp -set-pre-perso 1111111111111111 -set-perso 2222222222222222 -today would give as a result:
...
ICPrePersonalizer=1111
ICPrePersonalizationEquipmentDate=8075 (2018-03-16)
ICPrePersonalizationEquipmentID=11111111
ICPersonalizer=2222
ICPersonalizationDate=8075 (2018-03-16)
ICPersonalizationEquipmentID=22222222
Warning
On some cards this can only be done ONCE!
The standard AID for Issuer Security Domain is A000000151000000 (or A000000003000000 on older cards). Actual AID can be checked with $ gp -l:
ISD: A000000003000000 (OP_READY)
Privs: SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement
...
This can be changed with $ gp -rename-isd XXXXXXXXXXXX:
$ gp -l
ISD: A000000151000000 (INITIALIZED)
Privs: SecurityDomain, CardLock, CardTerminate, CardReset, ...
...
$ gp -rename-isd 112233445566
$ gp -l
ISD: 112233445566 (INITIALIZED)
Privs: SecurityDomain, CardLock, CardTerminate, CardReset, ...
...
Tip
Do not change the ISD AID unless you know what and why.
Once preparations are done and before the card is put into use, it should be set to SECURED state.
Warning
The transition is OP_READY -> INITIALIZED -> SECURED. This transition path is irreversible.
To transition the card to INITIALIZED state, use $ gp -initialize-card. To transition the card to SECURED state, use $ gp -secure-card. You can automatically transition to SECURED from whatever previous state by using the force with -force: $ gp -f -secure-card
Note
Some cards or card applications have restrictions based on current card state. For example, allowing certain initialization or personalization steps only in INITIALIZED state or refusing to execute certain functions normally unless the card is in SECURED state.
This is the normal state of the card, once the card has been issued.
Administrator, the card itself or an application (with the CardLock privilege) on the card can transition the card to CARD_LOCKED state. To do this manually, use $ gp -lock-card. If this has happened and the card should be unlocked, use $ gp -unlock-card to transition the card back to the SECURED state.
Similarly, an application can become LOCKED if the administrator or card or the application itself decides so. To do this manually, use $ gp -lock-applet XXXXXXXXXXXX. Use $ gp -unlock-applet XXXXXXXXXXXX to transition the application back to whatever state it was before coming LOCKED.
Note
Supplementary security domains can be also be locked and unlocked from/to PERSONALIZED state with the same command.