OP-TEE / optee_os

Trusted side of the TEE

Inquiry regarding root key leak after using subkey #7119

Open ydonghyuk opened 4 days ago

ydonghyuk commented 4 days ago

Assuming that several TAs have been developed using a normal subkey, if the subkey that signed a specific TA (mytest.ta) is leaked to an attacker, only updates to mytest.ta would be possible. If the root key itself is leaked to an attacker, what risks are there?

In my opinion, it would be possible to verify the operation of all TAs in the system, but it would not be possible to update the TAs. I am curious about others' thoughts on this matter.

jenswi-linaro commented 3 days ago

I assume that you mean the private root key. If that's leaked, it's game over. With the private root key, you can sign any TA.

ydonghyuk commented 3 days ago

@jenswi-linaro

I agree.

Let me summarize my questions again.

Let's assume that in an OP-TEE system with the same public root key, there are multiple TAs signed with different subkeys.

In this case, if one of the subkeys is leaked, wouldn't it be possible to sign and build a TA that can operate on that system? I don't understand what advantage this has compared to the situation where the private root key is leaked.

I don't think it would be possible to update the signed and built .ta file anyway (just my thought), so I'm curious about the meaning of the statement that a TA signed with a leaked subkey cannot be tampered with.

jenswi-linaro commented 3 days ago

The root of trust for subkeys starts with the root key. So if the private root key is leaked, the root of trust is broken for subkeys.

However, if a private key of a subkey is leaked, only TAs and subkeys verified with that subkey are affected.

etienne-lms commented 3 days ago

> In this case, if one of the subkeys is leaked, wouldn't it be possible to sign and build a TA that can operate on that system? I don't understand what advantage this has compared to the situation where the private root key is leaked.

As complementary information: the interest is in the TA UUID namespace related to a sub-key. If the private sub-key is leaked, indeed one could build TAs and sign them with that subkey. However, only TAs with a UUID that fits within the UUID namespace related to the leaked sub-key could be generated, not any TA, especially not the TAs signed with other sub-keys, since their UUID would relate to another UUID namespace.
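The namespace confinement described in the replies above, as an added example that is not part of the thread or of OP-TEE's code. It is a simplified model that assumes a TA's UUID is the UUIDv5 of the signing subkey's UUID and a name string; the subkey UUIDs, TA names and function names are hypothetical, and signature verification is not modeled.

```python
import uuid

# Constructed sample values: these subkey UUIDs and TA names are hypothetical.
SUBKEY_A = uuid.UUID("5a1f0c7e-3b52-4d0e-9c1a-7f3e2b8d4a10")  # the leaked subkey
SUBKEY_B = uuid.UUID("c2d9e4b1-8f06-4a77-b3c5-0e6d1a9f2b34")  # an unrelated subkey
ROOT = None  # marker for "signed directly with the root key"


def namespaced_uuid(subkey_uuid, name):
    # Assumption: TA UUID = UUIDv5(signing subkey UUID, name string).
    return uuid.uuid5(subkey_uuid, name)


def loader_accepts(signer, name, claimed_uuid):
    """Model of the UUID check only; the signature itself is assumed valid."""
    if signer is ROOT:
        return True  # the root key is not confined to any namespace
    return namespaced_uuid(signer, name) == claimed_uuid


# Installed TAs: UUID -> (signer, name the UUID was derived from).
INSTALLED = {
    namespaced_uuid(SUBKEY_A, "mytest.ta"): (SUBKEY_A, "mytest.ta"),
    namespaced_uuid(SUBKEY_B, "payment.ta"): (SUBKEY_B, "payment.ta"),
    uuid.UUID("0f3c9a52-7d14-4e6b-a8b0-91c2d5e7f603"): (ROOT, "root-signed.ta"),
}


def replaceable_with(leaked_key):
    """UUIDs of installed TAs for which the leaked key yields an accepted image.

    To reach a UUID outside its namespace, a subkey holder would need a name
    whose UUIDv5 under that subkey equals the target UUID.
    """
    return {
        ta_uuid
        for ta_uuid, (_signer, name) in INSTALLED.items()
        if loader_accepts(leaked_key, name, ta_uuid)
    }


if __name__ == "__main__":
    print("leaked subkey A:", sorted(map(str, replaceable_with(SUBKEY_A))))
    print("leaked root key:", sorted(map(str, replaceable_with(ROOT))))
```
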