diff options
author | Jens Wiklander <jens.wiklander@linaro.org> | 2019-04-25 16:06:02 +0200 |
---|---|---|
committer | Jérôme Forissier <jerome.forissier@linaro.org> | 2019-04-30 13:15:54 +0200 |
commit | df91a52223295c917ef5a8eb6bfaf0ad0544b6b8 (patch) | |
tree | 2c50ba1e85b1d0e4dcd761fe53643d8c9e3564f2 /core | |
parent | 178887362ae97acfd0f30653f15ac7e3f18b1e36 (diff) |
core: derive SSK using huk_subkey_derive()
tee_fs_init_key_manager() uses huk_subkey_derive() to derive the SSK
instead of MAC:ing etc directly.
Note that this is only backwards compatible if
CFG_CORE_HUK_SUBKEY_COMPAT=y.
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Diffstat (limited to 'core')
-rw-r--r-- | core/tee/tee_fs_key_manager.c | 31 |
1 files changed, 7 insertions, 24 deletions
diff --git a/core/tee/tee_fs_key_manager.c b/core/tee/tee_fs_key_manager.c index 1bdb7973..b5adad1e 100644 --- a/core/tee/tee_fs_key_manager.c +++ b/core/tee/tee_fs_key_manager.c @@ -15,9 +15,11 @@ * RNG - Random Number Generator */ +#include <assert.h> #include <compiler.h> #include <crypto/crypto.h> #include <initcall.h> +#include <kernel/huk_subkey.h> #include <kernel/panic.h> #include <kernel/tee_common_otp.h> #include <kernel/tee_ta_manager.h> @@ -34,8 +36,6 @@ struct tee_fs_ssk { }; static struct tee_fs_ssk tee_fs_ssk; -static uint8_t string_for_ssk_gen[] = "ONLY_FOR_tee_fs_ssk"; - static TEE_Result do_hmac(void *out_key, size_t out_key_size, const void *in_key, size_t in_key_size, @@ -137,29 +137,12 @@ static TEE_Result generate_fek(uint8_t *key, uint8_t len) static TEE_Result tee_fs_init_key_manager(void) { - int res = TEE_SUCCESS; - struct tee_hw_unique_key huk; - uint8_t chip_id[TEE_FS_KM_CHIP_ID_LENGTH]; - uint8_t message[sizeof(chip_id) + sizeof(string_for_ssk_gen)]; - - /* Secure Storage Key Generation: - * - * SSK = HMAC(HUK, message) - * message := concatenate(chip_id, static string) - * */ - tee_otp_get_hw_unique_key(&huk); - memset(chip_id, 0, sizeof(chip_id)); - if (tee_otp_get_die_id(chip_id, sizeof(chip_id))) - return TEE_ERROR_BAD_STATE; - - memcpy(message, chip_id, sizeof(chip_id)); - memcpy(message + sizeof(chip_id), string_for_ssk_gen, - sizeof(string_for_ssk_gen)); - - res = do_hmac(tee_fs_ssk.key, sizeof(tee_fs_ssk.key), - huk.data, sizeof(huk.data), - message, sizeof(message)); + TEE_Result res = TEE_SUCCESS; + + COMPILE_TIME_ASSERT(TEE_FS_KM_SSK_SIZE <= HUK_SUBKEY_MAX_LEN); + res = huk_subkey_derive(HUK_SUBKEY_SSK, NULL, 0, + tee_fs_ssk.key, sizeof(tee_fs_ssk.key)); if (res == TEE_SUCCESS) tee_fs_ssk.is_init = 1; |