Inquiry Regarding default_ta.pem for Offline TA Signing and Early TAs.

[ydonghyuk]

I would like to apply offline TA signing by generating a new key as shown below, instead of using the default TA signing key (default_ta.pem) provided by default.

test_private_key.pem 
test_public_key.pem

The purpose is to avoid providing the private key for TA signing to an external vendor providing OP-TEE.

Reference document: https://optee.readthedocs.io/en/latest/building/trusted_applications.html#offline-signing-of-tas

The TEE binary is modified and built as follows.

diff --git a/mk/config.mk b/mk/config.mk
index 4107f8486..eb87434eb 100644
--- a/mk/config.mk
+++ b/mk/config.mk
@@ -229,7 +229,7 @@ _CFG_WITH_SECURE_STORAGE := $(call cfg-one-enabled,CFG_REE_FS CFG_RPMB_FS)
 # key and then set TA_PUBLIC_KEY to match public key from the HSM.
 # TA_PUBLIC_KEY's public key will be embedded into OP-TEE OS.
 TA_SIGN_KEY ?= keys/default_ta.pem
-TA_PUBLIC_KEY ?= $(TA_SIGN_KEY)
+TA_PUBLIC_KEY ?= test_public_key.pem

After this, I applied offline TA signing to the TA under development according to the guide and confirmed that it works correctly. I have two questions from two perspectives:

1) The necessity of default_ta.pem 2) Signing of early TAs

Questions: 1) The necessity of default_ta.pem

• Can I delete default_ta.pem? 2) Is it necessary to sign early TAs with the generated key (test_private_key.pem)?
  • From what I have confirmed, it seems that early TAs do not require a separate signing process,but I would like to confirm if I understand this correctly.

Additional question: I understand that early TAs are included within the TEE binary, why do they also exist in the rootfs (/lib/optee_armtz/)?

Thank you in advance for your help.

[etienne-lms]

1. The necessity of default_ta.pem
   • Can I delete default_ta.pem?

Yes you can delete the file assuming you set config switches at least TA_PUBLIC_KEY to the appropriate public key PEM file. That said, when you build OP-TEE OS with CFG_BUILD_IN_TREE_TA=y or CFG_ULIBS_SHARED=y, the build process generates signed TAs/TA libraries, based on TA_SIGN_KEY. If you do not have access to the private key at this point (maybe you sign TAs/libs offline after OP-TEE build completes) then you likely need a dummy key (like default_ta.pem) for build to succeed, after which you can sign TAs/libs with the right key in some post-build sequence.

2. Is it necessary to sign early TAs with the generated key (test_private_key.pem)?
   • From what I have confirmed, it seems that early TAs do not require a separate signing process,but I would like to confirm if I understand this correctly.

I confirm that early TAs are not signed.

Additional question: I understand that early TAs are included within the TEE binary, why do they also exist in the rootfs (/lib/optee_armtz/)?

They are present in the rootfs only if the build process embeds them whether or not they are lists in EARLY_TA_PATHS/CFG_IN_TREE_EARLY_TAS. That is what is done by OP-TEE/build.git repo, for sake of simplicity. However it is not needed at all.