
Secure storage

Overview

Welma provides confidentiality for private and secret keys (for example private keys used for signing or for TLS handshakes).

The following machines have secure storage:

  • sm2s-imx8plus-mbep5
  • imx8mm-cgt-sx8m-rev-a
  • stm32mp25-disco-welma

Runtime architecture

Secure storage uses OP-TEE, which relies on:

  • Arm TrustZone
  • HUK: Hardware Unique Key. Machine-specific support is needed for this.

Reference: https://optee.readthedocs.io/

Architecture diagram: [image: OP-TEE diagram]

Yocto configuration

To activate secure storage, add this line to your build configuration (e.g. in local.conf):

EXTRA_IMAGE_FEATURES += "secure-storage"

This will generate a Linux image with all needed packages.

Usage & test

This section shows how you can use and test secure storage. The following commands should be run on the Welma device.

Initialize the key store:

pkcs11-tool --module /usr/lib/libckteec.so.0 \
            --init-token --label token0 --so-pin 00000000

pkcs11-tool --module /usr/lib/libckteec.so.0 \
            --init-pin --label token0 --login --so-pin 00000000 --pin 0000

Create an RSA key pair labelled key0:

pkcs11-tool --module /usr/lib/libckteec.so.0 \
            --login --pin 0000 --keypairgen --label key0 --key-type rsa:2048

Read the public key key0:

pkcs11-tool --module /usr/lib/libckteec.so.0 \
            --read-object --label key0 --type pubkey

Using pkcs11-tool, sign "hello" with key0, then verify:

echo hello | pkcs11-tool --module /usr/lib/libckteec.so.0 \
                         --label key0 --type privkey --pin 0000 \
                         --sign --mechanism RSA-PKCS > /tmp/hello.sig

echo hello | pkcs11-tool --module /usr/lib/libckteec.so.0 \
                         --label key0 --type privkey --pin 0000 \
                         --verify --mechanism RSA-PKCS --signature-file /tmp/hello.sig

Using openssl, sign "hello" with key0, then verify:

echo hello | PKCS11_MODULE_PATH=/usr/lib/libckteec.so.0 openssl pkeyutl \
                 -engine pkcs11 -keyform engine \
                 -sign -inkey "pkcs11:object=key0;pin-value=0000" \
                 -out /tmp/hello.sig

echo hello | PKCS11_MODULE_PATH=/usr/lib/libckteec.so.0 openssl pkeyutl \
                  -engine pkcs11 -keyform engine \
                  -verify -inkey "pkcs11:object=key0;pin-value=0000" \
                  -sigfile /tmp/hello.sig

Erase the key store:

rm -rf /var/lib/tee
reboot
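The steps above combined into one on-device smoke test, as an added example that is not part of the Welma documentation. It assumes the documentation's default module path, token label, key label and PINs (all overridable through environment variables) and that openssl is installed on the device; beyond the page's steps it also verifies the pkcs11-tool signature in plain openssl with the exported public key, which confirms that the DER returned by --read-object belongs to key0.

```shell
#!/bin/sh
# Added example: smoke test of Welma secure storage via the OP-TEE PKCS#11 TA.
# Exit status of secure_storage_selftest: 0 = sign/verify OK, 1 = failure,
# 2 = PKCS#11 module not present (script is being run off-device).
MODULE=${MODULE:-/usr/lib/libckteec.so.0}   # assumed default path, as in the docs
TOKEN_LABEL=${TOKEN_LABEL:-token0}
KEY_LABEL=${KEY_LABEL:-key0}
SO_PIN=${SO_PIN:-00000000}
USER_PIN=${USER_PIN:-0000}

p11() { pkcs11-tool --module "$MODULE" "$@"; }

# Initialise the token only if no token with that label exists yet.
ensure_token() {
    if p11 --list-token-slots 2>/dev/null | grep -q "token label *: $TOKEN_LABEL\$"; then
        return 0
    fi
    p11 --init-token --label "$TOKEN_LABEL" --so-pin "$SO_PIN" &&
    p11 --init-pin --label "$TOKEN_LABEL" --login --so-pin "$SO_PIN" --pin "$USER_PIN"
}

# Generate the RSA-2048 key pair only if a public key with that label is absent.
ensure_key() {
    if p11 --list-objects --type pubkey 2>/dev/null | grep -q "label: *$KEY_LABEL\$"; then
        return 0
    fi
    p11 --login --pin "$USER_PIN" --keypairgen --label "$KEY_LABEL" --key-type rsa:2048
}

# Sign inside the TA, verify inside the TA, then verify again with openssl
# using the exported SubjectPublicKeyInfo (CKM_RSA_PKCS == PKCS#1 v1.5 raw).
sign_and_verify() {
    tmp=$(mktemp -d) || return 1
    printf 'welma selftest %s\n' "$(date +%s)" > "$tmp/msg"   # constructed message
    p11 --label "$KEY_LABEL" --type privkey --pin "$USER_PIN" --sign --mechanism RSA-PKCS \
        --input-file "$tmp/msg" --output-file "$tmp/sig" || return 1
    p11 --label "$KEY_LABEL" --type privkey --pin "$USER_PIN" --verify --mechanism RSA-PKCS \
        --input-file "$tmp/msg" --signature-file "$tmp/sig" || return 1
    p11 --read-object --label "$KEY_LABEL" --type pubkey --output-file "$tmp/pub.der" || return 1
    openssl pkeyutl -verify -pubin -keyform DER -inkey "$tmp/pub.der" \
        -in "$tmp/msg" -sigfile "$tmp/sig" || return 1
    rm -rf "$tmp"
}

secure_storage_selftest() {
    [ -r "$MODULE" ] || { echo "no PKCS#11 module at $MODULE, skipping" >&2; return 2; }
    ensure_token && ensure_key && sign_and_verify
}
```

Source the file on the device and call secure_storage_selftest; a non-zero status other than 2 means the key store is not working.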

Security considerations

  • Secure boot must be used to keep the OP-TEE OS trusted; otherwise an attacker could load their own OP-TEE build and, for example, have it leak the HUK (e.g. by printing it).

  • TAs loaded by OP-TEE from the filesystem (/lib/optee_armtz/*.ta) are signed with a development key (optee_os/keys/default_ta.pem). In a production environment you should either:

    • change the key
    • or have your TA built inside optee-os (this is what Welma does for the pkcs11 TA)

You can also disable loading of TAs from the Linux filesystem entirely:

Example of optee-os_%.bbappend
# Deactivate loading user TAs from the REE (Linux) filesystem
EXTRA_OEMAKE += "CFG_REE_FS_TA=n"