Offline signing of TAs #5284

Closed
abhkr24 opened this issue Apr 25, 2022 · 2 comments

@abhkr24 commented Apr 25, 2022

Hello,

I have a scenario where I do not have access to the private keys that will be used for signing TAs. However, I have access to a function that can provide signed images. Can I use this to sign TAs offline?
The methods described in the doc require access to the private key. Is there a way around it?
Edit -
After some reading, I figured that I can use this function to sign the TA. Now the last question I have is: how do I load this TA? I know that the signed TAs should be under target/lib/optee-armtz/. But how do I put it there once the build is done?
Or should I run another make?

Thanks

@etienne-lms (Contributor) commented

Hello @abhkr24,
I am not sure to understand the question.
When using offline signature of TA bins you need to call an extra tool to request offline tool to sign TAs.
Recommended sequence is that when or after TA binaries .ta file are generated, call sign_encrypt.py disgest to get a footprint for each TA and call external tool to sign the footprints, then call sign_encrypt.py stitch to insert the signature into the .ta file. Either change a bit optee_os makefiles to call your tool.
Or run 2 passes: build optee_os and TAs, then run local TA signature/stitching seuqence, and complete build (a.k.a run install).
Or do the sign/stitch and install manually.

In both case, see sign_encrypt.py argument stitch and disgest commands.

Digging into information, I found this comment pointing to 3 commits (not permalinks, maybe they need a rebase) as a PoC to use the PKCS#11 interface to access the offline signing backend and run build-on-the-fly offline signing of TAs
(patches for sign_encrypt.py, a new sign_pkcs11_pubkey.py, and in the TA build ta/arch/arm/link.mk).
These 3 applied to the optee_os.git repo should allow you to define a PKCS#11 token in the host shell environment
and run the usual OP-TEE/build make all to get the TAs signed at build time.
Something like:

$ # Set env variable to identify the pkcs11 token and the key in the token.
$ # Possibly the pkcs11 user pin (PKCS11_TOKEN_PIN optional)
$ export PKCS11_MODULE=/path/to/module/libxxxpkcs11xxx.so
$ export PKCS11_TOKEN_LABEL=token-label PKCS11_TOKEN_PIN=user-pin
$ # Hint to identify the target key in the token (at least one of):
$ export PKCS11_KEY_LABEL=attrib-label-in-key-object
$ export PKCS11_KEY_ID=attrib-id-in-key-object
$ # Call pkcs11 token to get the public key related to the hidden TA signature key.
$ sign_pkcs11_pubkey.py $PWD/ta_authen_pub_key.bin || exit -1
$ export TA_PUBLIC_KEY=$PWD/ta_authen_pub_key.bin
$ # build the whole thing
$ make all
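The digest / external-sign / stitch split described in the reply above, as an added example that is not OP-TEE code and not the commenter's: it simulates the offline backend with a key kept in a directory the build-side functions never read, uses openssl in place of sign_encrypt.py and the PKCS#11 tool, and checks that a stitched image verifies under the exported public key while a tampered payload is rejected. The container layout (8-byte magic, 32-byte SHA-256, 256-byte RSA-2048 signature, payload), the function names and the PSS parameters (MGF1/SHA-256, 32-byte salt) are assumptions for illustration, not the real .ta format or the project's guaranteed scheme.

```shell
#!/bin/sh
# Added example, not OP-TEE project code. "$HSM" stands in for the offline
# signing backend; the build-host functions only ever see the public key,
# the digest they computed and the signature that comes back.
# Assumed container layout (NOT the real .ta format):
#   8-byte magic | 32-byte SHA-256 | 256-byte RSA-2048 PSS signature | payload
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

MAGIC='TASIGv1'          # printf appends a newline: 8 bytes on the wire
DIG_LEN=32
SIG_LEN=256              # RSA-2048 signature length

# --- offline side: the private key never leaves $HSM ------------------------
hsm_init() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$HSM/ta_key.pem" 2>/dev/null
    # Only the public half is exported to the build host (the TA_PUBLIC_KEY role).
    openssl pkey -in "$HSM/ta_key.pem" -pubout -out "$BUILD/ta_pub.pem"
}

hsm_sign_digest() {      # $1 digest in, $2 signature out
    # The backend signs a pre-computed digest, not the image: RSASSA-PSS with
    # MGF1/SHA-256 and a 32-byte salt (assumed parameters, see lead-in).
    openssl pkeyutl -sign -inkey "$HSM/ta_key.pem" -in "$1" -out "$2" \
        -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss \
        -pkeyopt rsa_pss_saltlen:32
}

# --- build host side --------------------------------------------------------
ta_digest() {            # role of "sign_encrypt.py digest": $1 image, $2 digest out
    openssl dgst -sha256 -binary "$1" > "$2"
}

ta_stitch() {            # role of "sign_encrypt.py stitch": $1 image $2 digest $3 sig $4 out
    { printf '%s\n' "$MAGIC"; cat "$2"; cat "$3"; cat "$1"; } > "$4"
}

ta_verify() {            # what a loader does with the trusted public key: $1 signed image, $2 pub
    dir="$(mktemp -d)"
    dd if="$1" of="$dir/dig" bs=1 skip=8 count=$DIG_LEN 2>/dev/null
    dd if="$1" of="$dir/sig" bs=1 skip=$((8 + DIG_LEN)) count=$SIG_LEN 2>/dev/null
    dd if="$1" of="$dir/payload" bs=1 skip=$((8 + DIG_LEN + SIG_LEN)) 2>/dev/null
    status=1
    # 1. the embedded digest must match the payload actually being loaded;
    # 2. the signature must verify over that digest under the trusted key.
    if openssl dgst -sha256 -binary "$dir/payload" | cmp -s - "$dir/dig" &&
       openssl pkeyutl -verify -pubin -inkey "$2" -in "$dir/dig" \
           -sigfile "$dir/sig" -pkeyopt digest:sha256 \
           -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:32 >/dev/null 2>&1
    then
        status=0
    fi
    rm -rf "$dir"
    return $status
}

# End-to-end run on a constructed payload: sign, stitch, verify, then append
# one byte to the payload and confirm verification now fails. Returns 0 when
# both outcomes hold.
offline_sign_demo() {
    WORK="$(mktemp -d)"; HSM="$WORK/hsm"; BUILD="$WORK/build"
    mkdir -p "$HSM" "$BUILD"
    hsm_init
    printf 'constructed TA payload standing in for a .ta body\n' > "$BUILD/ta.unsigned"
    ta_digest "$BUILD/ta.unsigned" "$BUILD/ta.dig"
    hsm_sign_digest "$BUILD/ta.dig" "$BUILD/ta.sig"    # the only step that needs the key
    ta_stitch "$BUILD/ta.unsigned" "$BUILD/ta.dig" "$BUILD/ta.sig" "$BUILD/ta.signed"
    ok=0
    if ta_verify "$BUILD/ta.signed" "$BUILD/ta_pub.pem"; then
        printf 'X' >> "$BUILD/ta.signed"                 # tamper with the payload
        ta_verify "$BUILD/ta.signed" "$BUILD/ta_pub.pem" || ok=1
    fi
    rm -rf "$WORK"
    [ "$ok" -eq 1 ]
}

offline_sign_demo && echo "offline sign / stitch / verify: OK"
```

The point to carry over to a real setup is the boundary: hsm_sign_digest is the only function that touches the private key, and it consumes a digest rather than the image, which is exactly what lets the call be replaced by a PKCS#11 token or a remote signing service without the build host ever holding key material. A loader that skipped the digest-versus-payload comparison would accept any payload stitched behind a valid digest/signature pair, so both checks in ta_verify are needed.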

@github-actions commented

This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.
