How to encrypt a .ta file? #7112

Open
andreas-brix opened this issue Nov 6, 2024 · 3 comments

Comments

@andreas-brix

Hello,

I created a trusted application using optee_examples and added my application there in the same way. I tested it using the qemu emulator and it works as expected. If I understand correctly, the optee_examples refer to user mode trusted applications. I read in the documentation that "they consist of a ELF file, signed and optionally encrypted, named from the UUID of the TA and the suffix .ta."

For possible deployment, I want to protect my algorithms inside the TEE since they are intellectual property, so I would like to use the optional encryption. Is there any documentation on how this can be done? Is it correct that the .ta file would then reside in an encrypted form in the REE and would only be decrypted and executed in the TEE if I use scripts/sign_encrypt.py properly? Is there anything to be changed in the trusted application such that I can use that encryption?

Any help would be appreciated and if I have mistakes in my understanding, please point them out.

Thank you very much.

@jforissier
Contributor

Hello @andreas-brix,

TA encryption uses the --enc-key argument to sign_encrypt.py. The key is derived from the Hardware Unique Key. To try this out with the default key, just rebuild your TA with CFG_ENCRYPT_TA=y.
You may then customize the key by doing the following:

  1. Change the HUK (hardware unique key) in tee_otp_get_hw_unique_key() in core/kernel/otp_stubs.c (if that file applies to your platform, i.e., you don't have a true HUK)
  2. Print out the content of subkey_bbuf in system_derive_ta_unique_key(). You may use the DHEXDUMP() macro for instance with TEE_CORE_LOG_LEVEL=3 (DEBUG). The value in subkey_bbuf is what you should set in TA_ENC_KEY when rebuilding the TA (make CFG_ENCRYPT_TA=y TA_ENC_KEY=<hex_key>).

HTH.
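After rebuilding with CFG_ENCRYPT_TA=y as described above, a quick way to confirm that the .ta left in the REE filesystem no longer carries the ELF payload in the clear is to scan it for ELF markers. This is an added check, not part of the thread or of OP-TEE's own scripts; it assumes only what the quoted documentation states, namely that the signed .ta wraps an ELF that is optionally encrypted (the signed header itself stays readable, so the check looks for the ELF magic and section names rather than at offset 0).

```shell
#!/bin/sh
# Added example: report whether a built <uuid>.ta still contains a cleartext ELF.
# Run after: make CFG_ENCRYPT_TA=y [TA_ENC_KEY=<hex_key>]
# Usage: check_ta_encrypted path/to/<uuid>.ta
# Exit status: 0 = no cleartext ELF markers found, 1 = markers found, 2 = usage error.

check_ta_encrypted() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }

    # ELF magic is 0x7f 'E' 'L' 'F'; '.text' and '.symtab' are section names
    # that a cleartext ELF (even a stripped one, for .text) would still carry.
    elf_magic=$(printf '\177ELF')

    # Treat the file as bytes (LC_ALL=C, grep -a). grep -c prints 0 and exits 1
    # when nothing matches, so "|| true" keeps the count without aborting under set -e.
    hits=$(LC_ALL=C grep -a -c -e "$elf_magic" -e '\.text' -e '\.symtab' "$f" || true)

    if [ "$hits" -eq 0 ]; then
        echo "OK: no cleartext ELF markers in $f"
        return 0
    fi
    echo "WARNING: $f contains cleartext ELF markers ($hits matching line(s))" >&2
    return 1
}
```

The check is a negative test only: a clean result shows the ELF body is not lying around in plaintext, it does not prove the encryption key was customised away from the default.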

@zjchen666

Is the TA encryption key TA-unique? Thanks.

@etienne-lms
Contributor

No, the TA encryption key is currently shared by all TAs, see tee_ta_decrypt_init() and its use of tee_otp_get_ta_enc_key().
The current implementation of tee_otp_get_ta_enc_key() does not take the TA UUID as an argument, or some other hint that could be used to select the expected encryption key when a TA is loaded.
