author | Jerome Forissier <jerome.forissier@linaro.org> | 2017-01-23 12:44:58 +0100
---|---|---
committer | Jerome Forissier <jerome.forissier@linaro.org> | 2017-01-23 13:33:47 +0100
commit | ed1993b7f167482550bb8ed55dab700695b9008d |
tree | 62962ac9f67734f69ee31f1c907772d900857f87 /mk/config.mk |
parent | b1ecda78bab43d76bc570ecff30ddd232caecf18 |
storage: RPMB: don't try to program the RPMB key by default
Prevent leakage of the RPMB security key by never programming it,
unless a special build option is set (CFG_RPMB_WRITE_KEY=y).
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Diffstat (limited to 'mk/config.mk')
-rw-r--r-- | mk/config.mk | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/mk/config.mk b/mk/config.mk index a444ce73..6aa3f338 100644 --- a/mk/config.mk +++ b/mk/config.mk @@ -130,6 +130,16 @@ CFG_RPMB_FS ?= n # tee-supplicant process will open /dev/mmcblk<id>rpmb CFG_RPMB_FS_DEV_ID ?= 0 +# Enables RPMB key programming by the TEE, in case the RPMB partition has not +# been configured yet. +# !!! Security warning !!! +# Do *NOT* enable this in product builds, as doing so would allow the TEE to +# leak the RPMB key. +# This option is useful in the following situations: +# - Testing +# - RPMB key provisioning in a controlled environment (factory setup) +CFG_RPMB_WRITE_KEY ?= n + # SQL FS stores its data in a SQLite database, accessed by normal world CFG_SQL_FS ?= n |
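Review bot: the new comment block documents when to enable CFG_RPMB_WRITE_KEY but not what an integrator should expect when it stays at its default of n and the RPMB partition has not yet been provisioned, which is exactly the situation the option exists for; a line such as `# When disabled, an unprovisioned RPMB partition cannot be used by the TEE` after `# - RPMB key provisioning in a controlled environment (factory setup)` would make the safe-by-default behaviour explicit. It would also help to note that the option only has an effect when CFG_RPMB_FS (set to n a few lines above) is enabled, so that CFG_RPMB_WRITE_KEY=y on its own is not mistaken for a complete RPMB provisioning configuration.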