PKCS11 as early TA - Githubissues

OP-TEE / optee_os

Trusted side of the TEE

Other

1.59k stars 1.07k forks source link

PKCS11 as early TA #6943

Closed afshinpir closed 2 months ago

afshinpir commented 4 months ago

Hi,

I wonder if it is possible to build PKCS11 as an early TA or not. Any idea? Because when I try build build it as early TA, I get "TEE_RAM_VA_SIZE is too small" error:

aarch64-linux-gnu-ld.bfd: TEE_RAM_VA_SIZE is too small
aarch64-linux-gnu-ld.bfd: section .dynamic VMA [000000009e200000,000000009e20011f] overlaps section .heap1 VMA [000000009e14e018,000000009e20efff]

Best Regards

etienne-lms commented 4 months ago

Yes you can define the pkcs11 TA as an early TA. If TEE_RAM_VA_SIZE is too small, define CFG_TEE_RAM_VA_SIZE with a value large enough. When CFG_TEE_RAM_VA_SIZE is not defined, TEE_RAM_VA_SIZE defaults to 2MBbyte (on Aarch64).

afshinpir commented 4 months ago

@etienne-lms Thanks a lot. This resolved my issue. BTW, are early TAs also signed? If they are not signed and their integrity is checked as part of OS, do I need to update default TA signing keys if I only use early TAs?

etienne-lms commented 4 months ago

As you said early TA binary images are checked with the OP-TEE core image(s) at boot time hence are not signed.

If you want your OP-TEE core to not load any external TA image, I strongly suggest you change OP-TEE implementation to forbid loading of external TAs in which case the TA signing key would be no more relevant. Otherwise, use a safe TA signing key so that only legitimate TAs can be loaded.

afshinpir commented 4 months ago

@etienne-lms Thanks a lot for reply. If I forbid loading of external TAs, early TAs will still be loaded? Because in addition to PKCS11, I have some other custom early TAs as well. Is there any configuration option to disable external TAs?

etienne-lms commented 4 months ago

Loading early TAs requires CFG_EARLY_TA=y. Loading user TAs from a non-secure filesystem (the standard way) requires CFG_REE_FS_TA=y. Loading user TAs from OP-TEE secure storage (REE_FS or RPMB_FS, or a custom one) requires CFG_SECSTOR_TA=y.

If you disable CFG_REE_FS_TA and CFG_SECSTOR_TA, you should be fine. The default TA signing key is used only when at least one of these 2 is enabled.

github-actions[bot] commented 2 months ago

This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.