Searched hist:"3ecd96bbf821d170671cc19a9bb6dc3eba5b9136" (Results 1 – 2 of 2) sorted by relevance
| /optee_os/core/ |
| sub.mk | 3ecd96bbf821d170671cc19a9bb6dc3eba5b9136 Sun Nov 22 13:23:22 UTC 2020 Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> core: Add support to import external TA signing public key
Build process requires that private key is present when signing TAs.
In order to support external HSM based re-signing of the TAs, add support to import different TA signing public key into TEE OS binary by introducing TA_PUBLIC_KEY.
By default TA_PUBLIC_KEY gets the value of TA_SIGN_KEY.
Re-signing of the TAs works by first signing TA during the build with private key readily available during the build process (TA_SIGN_KEY). Private key can for example be bundled key in keys/default_ta.pem.
Build will generate TA binary with signature embedded matching provided private key.
This TA binary will be sent for HSM re-signing process where digest will be calculated from the binary to get digest which will be signed with private key protected by HSM. New signature will replace the old signature in the TA binary.
This re-signed TA will need to be deployed into the device for execution.
In order for OP-TEE OS to load the TA it needs to have the matching public key from the HSM. Public key needs to be available during the build process (TA_PUBLIC_KEY).
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| /optee_os/mk/ |
| config.mk | 3ecd96bbf821d170671cc19a9bb6dc3eba5b9136 Sun Nov 22 13:23:22 UTC 2020 Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> core: Add support to import external TA signing public key
Build process requires that private key is present when signing TAs.
In order to support external HSM based re-signing of the TAs, add support to import different TA signing public key into TEE OS binary by introducing TA_PUBLIC_KEY.
By default TA_PUBLIC_KEY gets the value of TA_SIGN_KEY.
Re-signing of the TAs works by first signing TA during the build with private key readily available during the build process (TA_SIGN_KEY). Private key can for example be bundled key in keys/default_ta.pem.
Build will generate TA binary with signature embedded matching provided private key.
This TA binary will be sent for HSM re-signing process where digest will be calculated from the binary to get digest which will be signed with private key protected by HSM. New signature will replace the old signature in the TA binary.
This re-signed TA will need to be deployed into the device for execution.
In order for OP-TEE OS to load the TA it needs to have the matching public key from the HSM. Public key needs to be available during the build process (TA_PUBLIC_KEY).
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|