Whether to support pkcs11 AES_GCM #6406
Comments
|
Hi @etienne-lms, +1 for that request, this is highly valuable for many use-cases, for example for usage with Alexa enabled-devices, according to the documentation, the AVS Device SDK uses AES-GCM encryption to protect sensitive information. To maintain security, only manage your main encryption key with HSM and make sure it's not accessible from anywhere outside of your SDK configuration. Best |
|
Sorry, AES-GCM is currently not supported by OP-TEE pkcs11 TA. Be warned that if you want this support to be merged soon, I fear you'll need to find some contributors to help. I can work on that but I can't tell when it will be ready. There is a draft version for AES-CCM and AES-GCM support in the pkcs11 TA in my repo that may help: see commit f486bcf from my old sks-to-pkcs11 branch. There are also some patches on my optee_test repo to test the feature: 1e847b + 999236. The implementation was drafty, not reviewed by peers and not tested enough. I remember some corner case input arguments made to TA to crash (invalid AE parameters not sufficiently sanitized). In case it helps. |
|
+1 for adding AES-GCM support. |
thanks. |
Thank you @etienne-lms , I'll try them and open a PR. |
|
This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time. |
|
Implemented by P-R #6467. |
|
This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time. |
|
Still under development/review (#6467 + OP-TEE/optee_test#720). |
|
@etienne-lms, any update on this? Thx! |
|
#6467 seems stalled. The implementation looks good to me but for the one-shot operation that is not supported and needs to be. |
|
I had a look at the implementation and tried to progress on that topic. I have few findings. @maroueneboubakri, would you mind if I create new P-Rs for optee_os and optee_test for implementation proposals that would supersede #6467 and OP-TEE/optee_test#720? I've also found test cases that revealed an minor issue in optee_client, see OP-TEE/optee_client#375. |
@etienne-lms Sure ! |
|
New implementation proposal through P-Rs #6683, OP-TEE/optee_client#375 and OP-TEE/optee_test#730. |
|
@408419237, @moose-rivieh, this issue is expected to be solved through the P-Rs mentioned above. We'll close this issue. Please create another issue if you face any problems related to this feature. |
HI TEAM:
Excuse me, whether to support PKCS11 AES_GCM?
I can't find any related information about PKCS11 AES_GCM support.
Has it now supported the protocol of PKCS11 3.1 version?
Looking forward to your reply! Thanks.
The text was updated successfully, but these errors were encountered: