Offline signing of TAs #5284
Comments
Hello @abhkr24, in both cases, see the sign_encrypt.py arguments. Digging into the information, I found this comment pointing to 3 commits (not permalinks, may need a rebase) as a PoC to use the PKCS11 interface to access the offline signing backend and run build-on-the-fly offline signing of TAs.

```sh
# Set env variables to identify the pkcs11 token and the key in the token.
# Possibly the pkcs11 user pin (PKCS11_TOKEN_PIN optional)
export PKCS11_MODULE=/path/to/module/libxxxpkcs11xxx.so
export PKCS11_TOKEN_LABEL=token-label PKCS11_TOKEN_PIN=user-pin
# Hint to identify the target key in the token (at least one of):
export PKCS11_KEY_LABEL=attrib-label-in-key-object
export PKCS11_KEY_ID=attrib-id-in-key-object
# Call pkcs11 token to get the public key related to the hidden TA signature key.
sign_pkcs11_pubkey.py $PWD/ta_authen_pub_key.bin || exit -1
export TA_PUBLIC_KEY=$PWD/ta_authen_pub_key.bin
# build the whole thing
make all
```
This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note that you can always re-open a closed issue at any time.
Hello,
I have a scenario where I do not have access to the private keys that will be used for signing TAs. However, I have access to a function that can provide signed images. Can I use this to offline sign TAs?
The methods described in the doc require access to the private key. Is there a way around it?

Edit:
After some reading, I figured that I can use this function to sign the TA. Now the last question I have is: how do I load this TA? I know that the signed TAs should be under `target/lib/optee-armtz/`. But how do I put it there once the build is done? Or should I run another `make`?
Thanks
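The pattern behind both the PKCS11 reply and the question above is the same: the build computes a digest locally, something that holds the key (a token, or a function that hands back signatures) turns that digest into a signature, and the signature is stitched back into the image; the private key never has to be present on the build machine. The script below is an added example of that split, not OP-TEE's own sign_encrypt.py: the header layout, magic value, UUID and payload are constructed stand-ins (OP-TEE's real signed-header format is defined by the project's sign_encrypt.py), and the demo backend uses HMAC so the example runs offline without extra dependencies. A real backend would return an asymmetric signature, e.g. RSA-PSS, and the loader would verify it with the TA public key (the TA_PUBLIC_KEY file in the reply) instead of a shared secret.

```python
import hashlib
import hmac
import struct
import uuid as uuidlib
from typing import Callable, Tuple

# Constructed for this example: NOT OP-TEE's signed-header layout.
MAGIC = b"SIGX"
HDR_FMT = "<4sIIHH"          # magic, img_type, img_size, hash_size, sig_size
IMG_TYPE_TA = 1
HASH_SIZE = hashlib.sha256().digest_size

Signer = Callable[[bytes], bytes]            # digest -> signature
Verifier = Callable[[bytes, bytes], bool]    # (digest, signature) -> ok


def build_digest(ta_uuid: uuidlib.UUID, version: int, payload: bytes,
                 sig_size: int) -> Tuple[bytes, bytes]:
    """Step 1 (offline, no key needed): build the header and hash everything
    the loader will later trust: header, UUID, version and the TA payload.
    Binding the metadata into the digest is what stops a valid signature from
    being re-used on a different UUID or a downgraded version."""
    hdr = struct.pack(HDR_FMT, MAGIC, IMG_TYPE_TA, len(payload), HASH_SIZE, sig_size)
    h = hashlib.sha256()
    for part in (hdr, ta_uuid.bytes, struct.pack("<I", version), payload):
        h.update(part)
    return hdr, h.digest()


def stitch(hdr: bytes, digest: bytes, sig: bytes, ta_uuid: uuidlib.UUID,
           version: int, payload: bytes) -> bytes:
    """Step 3: assemble the installable image from the parts plus the
    signature that came back from the backend."""
    return hdr + digest + sig + ta_uuid.bytes + struct.pack("<I", version) + payload


def sign_ta(ta_uuid: uuidlib.UUID, version: int, payload: bytes,
            signer: Signer, sig_size: int) -> bytes:
    """Digest -> opaque signer -> stitch. Only the digest leaves this process."""
    hdr, digest = build_digest(ta_uuid, version, payload, sig_size)
    sig = signer(digest)
    if len(sig) != sig_size:
        raise ValueError(f"backend returned {len(sig)}-byte signature, expected {sig_size}")
    return stitch(hdr, digest, sig, ta_uuid, version, payload)


def verify(image: bytes, verifier: Verifier) -> Tuple[uuidlib.UUID, int, bytes]:
    """Step 4: what the loader does. Parse with length checks, recompute the
    digest from the parsed fields, and only then consult the signature."""
    hdr_len = struct.calcsize(HDR_FMT)
    if len(image) < hdr_len:
        raise ValueError("truncated header")
    magic, img_type, img_size, hash_size, sig_size = struct.unpack(HDR_FMT, image[:hdr_len])
    if magic != MAGIC or img_type != IMG_TYPE_TA or hash_size != HASH_SIZE:
        raise ValueError("bad magic, type or hash size")
    if len(image) != hdr_len + hash_size + sig_size + 16 + 4 + img_size:
        raise ValueError("image length does not match header")
    off = hdr_len
    digest = image[off:off + hash_size]; off += hash_size
    sig = image[off:off + sig_size];     off += sig_size
    ta_uuid = uuidlib.UUID(bytes=image[off:off + 16]); off += 16
    (version,) = struct.unpack("<I", image[off:off + 4]); off += 4
    payload = image[off:]
    _, recomputed = build_digest(ta_uuid, version, payload, sig_size)
    if not hmac.compare_digest(recomputed, digest):
        raise ValueError("digest does not match image contents")
    if not verifier(digest, sig):
        raise ValueError("signature rejected")
    return ta_uuid, version, payload


# Stand-in backend, constructed for this example so it runs offline. A real
# backend (PKCS#11 token, signing service) returns an asymmetric signature,
# e.g. RSA-PSS, and the loader verifies it with the TA public key rather than
# a shared secret. Nothing else in the flow changes.
_DEMO_BACKEND_KEY = b"example-signing-service-key"

def demo_signer(digest: bytes) -> bytes:
    return hmac.new(_DEMO_BACKEND_KEY, digest, "sha256").digest()

def demo_verifier(digest: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_signer(digest), sig)


if __name__ == "__main__":
    ta_uuid = uuidlib.UUID("12345678-1234-5678-1234-567812345678")  # constructed
    payload = b"\x7fELF-constructed-TA-payload"                      # constructed
    image = sign_ta(ta_uuid, 1, payload, demo_signer, HASH_SIZE)
    print("verified TA", verify(image, demo_verifier)[0])
    tampered = image[:-1] + bytes([image[-1] ^ 0x01])
    try:
        verify(tampered, demo_verifier)
    except ValueError as err:
        print("tampered image rejected:", err)
```

The `signer` callback is the only place the backend touches the flow, which is why a PKCS11 token and an opaque "give me a signed blob" function are interchangeable here; the build machine only ever holds the digest and the public key used at verification time.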