authorJens Wiklander <jens.wiklander@linaro.org>2019-04-25 16:06:02 +0200
committerJérôme Forissier <jerome.forissier@linaro.org>2019-04-30 13:15:54 +0200
commitdf91a52223295c917ef5a8eb6bfaf0ad0544b6b8 (patch)
tree2c50ba1e85b1d0e4dcd761fe53643d8c9e3564f2
parent178887362ae97acfd0f30653f15ac7e3f18b1e36 (diff)
core: derive SSK using huk_subkey_derive()
tee_fs_init_key_manager() uses huk_subkey_derive() to derive the SSK instead of MAC:ing etc directly. Note that this is only backwards compatible if CFG_CORE_HUK_SUBKEY_COMPAT=y. Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
-rw-r--r--core/tee/tee_fs_key_manager.c31
1 files changed, 7 insertions, 24 deletions
diff --git a/core/tee/tee_fs_key_manager.c b/core/tee/tee_fs_key_manager.c
index 1bdb7973..b5adad1e 100644
--- a/core/tee/tee_fs_key_manager.c
+++ b/core/tee/tee_fs_key_manager.c
@@ -15,9 +15,11 @@
* RNG - Random Number Generator
*/
+#include <assert.h>
#include <compiler.h>
#include <crypto/crypto.h>
#include <initcall.h>
+#include <kernel/huk_subkey.h>
#include <kernel/panic.h>
#include <kernel/tee_common_otp.h>
#include <kernel/tee_ta_manager.h>
@@ -34,8 +36,6 @@ struct tee_fs_ssk {
};
static struct tee_fs_ssk tee_fs_ssk;
-static uint8_t string_for_ssk_gen[] = "ONLY_FOR_tee_fs_ssk";
-
static TEE_Result do_hmac(void *out_key, size_t out_key_size,
const void *in_key, size_t in_key_size,
@@ -137,29 +137,12 @@ static TEE_Result generate_fek(uint8_t *key, uint8_t len)
static TEE_Result tee_fs_init_key_manager(void)
{
- int res = TEE_SUCCESS;
- struct tee_hw_unique_key huk;
- uint8_t chip_id[TEE_FS_KM_CHIP_ID_LENGTH];
- uint8_t message[sizeof(chip_id) + sizeof(string_for_ssk_gen)];
-
- /* Secure Storage Key Generation:
- *
- * SSK = HMAC(HUK, message)
- * message := concatenate(chip_id, static string)
- * */
- tee_otp_get_hw_unique_key(&huk);
- memset(chip_id, 0, sizeof(chip_id));
- if (tee_otp_get_die_id(chip_id, sizeof(chip_id)))
- return TEE_ERROR_BAD_STATE;
-
- memcpy(message, chip_id, sizeof(chip_id));
- memcpy(message + sizeof(chip_id), string_for_ssk_gen,
- sizeof(string_for_ssk_gen));
-
- res = do_hmac(tee_fs_ssk.key, sizeof(tee_fs_ssk.key),
- huk.data, sizeof(huk.data),
- message, sizeof(message));
+ TEE_Result res = TEE_SUCCESS;
+
+ COMPILE_TIME_ASSERT(TEE_FS_KM_SSK_SIZE <= HUK_SUBKEY_MAX_LEN);
+ res = huk_subkey_derive(HUK_SUBKEY_SSK, NULL, 0,
+ tee_fs_ssk.key, sizeof(tee_fs_ssk.key));
if (res == TEE_SUCCESS)
tee_fs_ssk.is_init = 1;
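Review bot: The `COMPILE_TIME_ASSERT` in `tee_fs_init_key_manager()` checks `TEE_FS_KM_SSK_SIZE`, but the length actually handed to `huk_subkey_derive()` is `sizeof(tee_fs_ssk.key)`. The two presumably agree, though the body of `struct tee_fs_ssk` is not visible in this diff, so the guard would be tighter if tied to the real buffer: `COMPILE_TIME_ASSERT(sizeof(tee_fs_ssk.key) <= HUK_SUBKEY_MAX_LEN);`. Separately, the removed block comment was the only in-function description of how the SSK is built, and nothing replaces it. A one-line comment above the call would keep the derivation discoverable, for example `/* SSK is derived from the HUK with usage HUK_SUBKEY_SSK; NULL/0 means no extra constant data is mixed in */`, with the wording confirmed against the `huk_subkey_derive()` prototype. The function body continues past the end of this hunk.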