Open shirinebadi opened 1 week ago
Hi. Does my question make sense and has an explanation? I would appreciate your help.
Hi @shirinebadi, Want do you want to attest? The OP-TEE core itself (or equivalently a/some PTA service(s) exposed by OP-TEE core)? A trusted application hosted in OP-TEE secure userland? A non-secure application running in non-secure userland world? Or maybe something else...
I want to attest a TA in TEE user-space.
There is an OP-TEE core service called the attestation PTA that is designed for that purpose: core/pta/attestation.c, pta_attestation.h. OP-TEE test implements some example of use: see xtest regression_1037. I think https://github.com/OP-TEE/optee_os/issues/6921 will also interest you.
I see. My concern is regarding Chain of Trust. I'm using ATF-A to ensure secure boot of TEE, but how should I ensure the authenticated boot of Attestation service? Does ATF-A ensures it? I can't understand how chain of trust should work.
I guess I misunderstood your initial question. I hope the below is more accurate.
As you stated, OP-TEE core image is authenticated at boot time by TF-A based on an embedded public key provisioned in the device (e.g. some OTP fuses). See porting_guidelines.html#root-and-chain-of-trust in OP-TEE documentation.
Authentication of TAs loaded by OP-TEE in the secure userspace depends on how the TA is embedded in the system. In any cases, it is based on the assumption OP-TEE has been authenticated (e.g. by TF-A boot stage) and the chain of trust has delegated to OP-TEE the authentication of the TAs.
TA_PUBLIC_KEY
in mk/config.mk, or see TA subkeys). OP-TEE can support rollback protection of such TA version. OP-TEE can also provide encryption of TAs stored in the REE filesystem.When a client opens a session towards a TA (identified by its UUID), OP-TEE core looks for the related TA image in the below priority order:
OP-TEE attestation PTA is not mandated to ensure TA authentication. It is rather a runtime service to attest the state of an already loaded TA instance, to verify it is untampered (at least for its read-only segments).
(edited)
Thanks. So if I implement my RA service as a PTA or early TA, it will get authenticated during boot by TF-A? And this establishes the chain of trust of RA?
Yes.
Thanks for resources and explanation.
I want to implement an attestation service in OP-TEE that establishes a chain of trust. Using ATF-A, I can ensure secure boot up to OP-TEE. So, how my service forms part of the TEE’s secure boot? e.g. I implement it as a PTA.