Generate DeviceKey Root of Trust if SecureStore is enabled #66
Conversation
LDong-Arm
force-pushed
the
devicekey_rot
branch
2 times, most recently
from
701fb5d
to
9e8750e
Compare
TDB_INTERNAL is based on SecureStore which uses DeviceKey.
LDong-Arm
force-pushed
the
devicekey_rot
branch
from
9e8750e
to
7c90d71
Compare
|
Now ready for review. |
| #define STR_EXPAND(tok) #tok | ||
| #define STR(tok) STR_EXPAND(tok) |
There was a problem hiding this comment.
This is copied from https://github.com/ARMmbed/mbed-os/blob/f2278567d09b9ae9f4843e1d9d393526b9462783/storage/kvstore/kv_config/source/kv_config.cpp#L170-L171
It doesn't look pretty but we need it, see below.
| @@ -59,6 +63,11 @@ void kv_store_global_api_example() | |||
| res = kv_reset("/kv/"); | |||
| printf("kv_reset -> %d\n", err_code(res)); | |||
|
|
|||
| if (strcmp(STR(MBED_CONF_STORAGE_STORAGE_TYPE), "TDB_EXTERNAL") == 0) { | |||
There was a problem hiding this comment.
In most projects, we normally do
#if (MBED_CONF_STORAGE_STORAGE_TYPE == TDB_EXTERNAL)
but kv-config doesn't define TDB_EXTERNAL as a macro, so we need to convert MBED_CONF_STORAGE_STORAGE_TYPE to string for string comparison (like everywhere MBED_CONF_STORAGE_STORAGE_TYPE is checked in Mbed OS)...
The runtime check is probably not optimal in terms of code size (i.e. DeviceKey dependencies get pulled in even if the condition is not true). Unless the compiler compares the strings at compile time for optimisation?
Fixes: #52
Following ARMmbed/mbed-os#12385, DeviceKey Root of Trust is not implicitly generated anymore. The Root of Trust can be either auto generated with
DeviceKey::get_instance().generate_root_of_trust(), or injected withDeviceKey::device_inject_root_of_trust(...).External TDB uses SecureStore which depends on DeviceKey (here), so we need to set up a Root of Trust by generating one. Note:
generate_root_of_trust()depends on TRNG support, which is already a requirement for SecureStore so we don't need an extra check here.Tested on K64F with SD card.
@ARMmbed/mbed-os-core