HUK on STM32MP1 version 3.16

[johndoe31415]

In digging through OP-TEE I just found something that I don't fully understand. I need to be on 3.16, working on the STM32MP1 target and noticed that the platform main.c does not seem to override the weak tee_otp_get_hw_unique_key. The weak implementation is just a memset to zero. Indeed, with vanilla 3.16:

30030a8a <tee_otp_get_hw_unique_key>:
30030a8a:       2210            movs    r2, #16
30030a8c:       2100            movs    r1, #0
30030a8e:       b508            push    {r3, lr}
30030a90:       f797 fe72       bl      2ffc8778 <memset>
30030a94:       2000            movs    r0, #0
30030a96:       bd08            pop     {r3, pc}

Am I reading this right? Does this mean 3.16 in this form should not be used for productive use on the STM32MP1? Or is there any other location where the HUK is read out of OTP/BSEC? Sorry if I'm overly cautious but this has me a bit worried right now.

[etienne-lms]

Am I reading this right?

Yes you are. OP-TEE release tag 3.16.0 does not embed a secure HUK for platform stm32mp1. Such support was added in 3.20.0 with various means to define which BSEC words store the HUK bytes: see stm32mp15_huk.c.

[github-actions[bot]]

This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.