
Secure Storage

Welma provides support for an OP-TEE solution on the following machines:

  • sm2s-imx8plus-mbep5
  • imx8mm-cgt-sx8m-rev-a
  • stm32mp25-disco-welma

OP-TEE

OP-TEE relies on:

  • ARM TrustZone
  • HUK: Hardware Unique Key. Machine-specific support is needed for this.

Reference: https://optee.readthedocs.io/

Overview

[Figure: OP-TEE diagram]

Activating packages in Welma

In your build environment, in local.conf:

EXTRA_IMAGE_FEATURES += "secure-storage"

This will generate a Linux image with all needed packages.

Usage

The commands in this section should be run on the Welma device.

Initialize the key store:

pkcs11-tool --module /usr/lib/libckteec.so.0 \
            --init-token --label token0 --so-pin 00000000

pkcs11-tool --module /usr/lib/libckteec.so.0 \
            --init-pin --label token0 --login --so-pin 00000000 --pin 0000

Create an RSA key pair labelled key0:

pkcs11-tool --module /usr/lib/libckteec.so.0 \
            --login --pin 0000 --keypairgen --label key0 --key-type rsa:2048

Read the public key key0:

pkcs11-tool --module /usr/lib/libckteec.so.0 \
            --read-object --label key0 --type pubkey

Using pkcs11-tool, sign "hello" with key0, then verify:

echo hello | pkcs11-tool --module /usr/lib/libckteec.so.0 \
                         --label key0 --type privkey --pin 0000 \
                         --sign --mechanism RSA-PKCS > /tmp/hello.sig

echo hello | pkcs11-tool --module /usr/lib/libckteec.so.0 \
                         --label key0 --type privkey --pin 0000 \
                         --verify --mechanism RSA-PKCS --signature-file /tmp/hello.sig

Using openssl, sign "hello" with key0, then verify:

echo hello | PKCS11_MODULE_PATH=/usr/lib/libckteec.so.0 openssl pkeyutl \
                 -engine pkcs11 -keyform engine \
                 -sign -inkey "pkcs11:object=key0;pin-value=0000" \
                 -out /tmp/hello.sig

echo hello | PKCS11_MODULE_PATH=/usr/lib/libckteec.so.0 openssl pkeyutl \
                  -engine pkcs11 -keyform engine \
                  -verify -inkey "pkcs11:object=key0;pin-value=0000" \
                  -sigfile /tmp/hello.sig

Erase the key store:

rm -rf /var/lib/tee
reboot
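The sign/verify steps above can be wired into one script that also proves the TEE-held key is checkable without any PKCS#11 module at all: the public half of key0 is exported as DER and the signature is verified with plain openssl, then a modified message is shown to be rejected. This is an added example, not part of the Welma documentation; it assumes the module path, labels and PINs used on this page, and that pkcs11-tool's --read-object writes the RSA public key as a DER SubjectPublicKeyInfo.

```sh
#!/bin/sh
# Added example (not Welma's own code): end-to-end check of the key-store
# workflow.  Sign inside OP-TEE, export the public key, verify with openssl
# only, and confirm a tampered message fails.
# Assumptions: module path, labels and PINs as on this page; --read-object
# writes the RSA public key as a DER SubjectPublicKeyInfo.
MODULE=/usr/lib/libckteec.so.0
PIN=0000

# Export the public half of a key pair as DER.  $1 = label, $2 = output file
export_pubkey() {
    pkcs11-tool --module "$MODULE" --read-object --label "$1" --type pubkey -o "$2"
}

# Sign a file with the private key, which never leaves the TEE.
# $1 = label, $2 = data file, $3 = signature output file
tee_sign() {
    pkcs11-tool --module "$MODULE" --login --pin "$PIN" --label "$1" --type privkey \
        --sign --mechanism RSA-PKCS -i "$2" -o "$3"
}

# Verify a raw RSA-PKCS signature (PKCS#1 v1.5 padding over the data itself,
# no digest, which is what --mechanism RSA-PKCS produces) using only openssl.
# $1 = DER public key, $2 = data file, $3 = signature file; returns 0 if valid.
verify_offline() {
    openssl pkeyutl -verify -pubin -keyform DER -inkey "$1" \
        -in "$2" -sigfile "$3" >/dev/null 2>&1
}

# Full round trip on the device: sign, export, verify, then check that a
# modified message is rejected.  Returns non-zero on the first failure.
round_trip() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/hello.txt"
    tee_sign key0 "$dir/hello.txt" "$dir/hello.sig" || return 1
    export_pubkey key0 "$dir/key0.der" || return 1
    verify_offline "$dir/key0.der" "$dir/hello.txt" "$dir/hello.sig" || return 1
    printf 'hellO\n' > "$dir/tampered.txt"
    if verify_offline "$dir/key0.der" "$dir/tampered.txt" "$dir/hello.sig"; then
        echo "tampered message verified: key0 is not doing what we think" >&2
        return 1
    fi
    echo "key0 round trip OK"
}

# Only run the device workflow where the OP-TEE PKCS#11 module is present.
if [ -e "$MODULE" ]; then
    round_trip
fi
```

The verify step is the one to hand to a release or CI host: it needs only the exported key0.der, not the board.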

Security Considerations

  • Secure boot must be used in order to keep the OP-TEE OS trusted; otherwise an attacker could replace it with their own build and, for example, have it leak the HUK (e.g. by printing it).

  • TAs loaded by OP-TEE from the filesystem (/lib/optee_armtz/*.ta) are signed with a development key (optee_os/keys/default_ta.pem) that ships in the optee_os source tree, so anyone can produce a TA that OP-TEE will accept. In a production environment you should either:

    • change the signing key
    • or have your TA built into optee-os (this is what Welma does for the pkcs11 TA)

You can also completely deactivate the loading of TAs from the Linux filesystem:

Example of optee-os_%.bbappend:

# Deactivate loading user TAs from the REE (Linux) filesystem
EXTRA_OEMAKE += "CFG_REE_FS_TA=n"