-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
core: huk definition #5570
core: huk definition #5570
Conversation
The RPMB key derivation algorithm consumes the HUK and therefore is impacted by changes in its value. The platform specific function plat_rpmb_key_is_ready() should be allowed to query the HUK in order to allow/deny burning the RPMB key. Signed-off-by: Jorge Ramirez-Ortiz <[email protected]>
if this change is accepted, I will update the zynqmp and the stm32mp15_huk PR to use this value. Versal will follow - the versal huk is pending in my trees waiting for current stuff to be merged...2bc7d71 |
@@ -13,6 +13,8 @@ | |||
|
|||
struct tee_hw_unique_key { | |||
uint8_t data[HW_UNIQUE_KEY_LENGTH]; | |||
/* The hardware unique key is now inmmutable */ | |||
bool locked; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How does this relate to plat_rpmb_key_is_ready()
?
Edit: reading the description again it seems that plat_rpmb_key_is_ready()
should check this value. Are we just moving the logic to decide when the key can be used?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
plat_rpmb_key_is_ready
often depends on the platform being considered closed/secured - ie, the bootrom booting signed firmware. However it should also depend on the HUK key being immutable (so the RPMB derived key doesnt change on a subsequent boot causing the RPMB not to be accesible).
So IMO having some information with respect to the RPMB key derivation mutability is required. I propose to do it here since the only reason for variability in the RPMB key is the HUK changing, but really what plat_rpmb_key_is_ready needs to know is if the key that has been generated can change; then it can decide whether to allow the key to be written or not.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with Jens. It's up to the platform to refuse or not to provide a HUK. There is no unique definition of what is a locked/closed device, possibly several levels of device closure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not saying anything different. I think I am not being understood. Let me summarize Wittegenstein style:
- OP-TEE uses the HUK to derive secrets.
- The RPMB key must be a secret.
- OP-TEE does not enforce a secure HUK.
It follows that OP-TEE secrets are not necessarily secrets
It also follows that the RPMB key that OP-TEE writes is not a secret.
Please let me know if you disagree in anything so far so I can keep on building. Otherwise there is no point to spend more time on this and I can close the PR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- isn't accurate. OP-TEE assumes a secure HUK. If the HUK is known outside OP-TEE it's assumed that it's treated as securely as OP-TEE itself can, that is, the security of the HUK is not supposed to be reduced.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, no, it is 100 accurate: you are saying exactly what I am saying. OP-TEE does not enforce a secure HUK. However it treats the HUK as if it was secure..hence all these discussions we have been having on the same subject.
This commit allows the HUK user to know - and not assume- if the HUK is secure or not. And as I was trying to explain (probably not very clearly), this is simpler than enforcing a secure HUK.
The HUK users need to know - depending on the product development phase- if the HUK can be trusted or not.
I would rather delegate the decision of when to write the RPMB key to the normal world like in #5338 |
If OP-TEE calculates the key, OP-TEE will still need to let the normal world know if the key is to be trusted - which is the problem we are discussing. Or if OP-TEE is not going to provide a key, then someone else will need to figure out how to derive (or where to store!) the RPMB key. The good thing about OP-TEE deriving it is that the key doesn't need to be stored. The problem of enforcing a secure HUK across all architectures and products is harder than the problem of letting the platform know if the HUK - and consequently the RPMB key- is a secret....I find this a more liberal/flexible approach to a problem with to many variants that is hard to attack head on. Products and platforms can then make their own decisions. |
Thanks for the clarification.
Agreed
I don't see the point of the notion of an untrusted HUK. Either you have it and it can be used or you don't have it. If it's not trusted then you don't have it. We should try to avoid being flexible as that means more ifs and buts. |
And for the end user I agree 100% with you: if as a user you are going to use a HUK you better make sure if it holds a secret that you can trust - and not all HUK drivers that OP-TEE provides comply. Developing for security as is hard. And by not having these qualifiers on the quality of the keys used we are making it even harder. In fact, I dont understand why do we feel the need to have : OP-TEE only offers guarantees if the user knows exactly what to do, what to change, where to look - which is great for contractors, I wont deny that. But having the chance to share with the user if the root of trust is broken and not doing it seems wrong to me. |
Using an open device (a device where we can reprogram fuses or like) does not mean the HUK generated by OP-TEE is not reliable. It can be. One can burn a RPMB with a test key, not that secure, but still useful for test and development purpose. IIUC the issue you want to address is to prevent one from bruning a RPMB key, or another external secure element device pairing key, with wrong data possibly bricking the device. If you really want such guards, for example in the stm32mp15_huk.c from #5555, maybe the platform function could refuse to return the HUK when device is "closed" and target fuses not properly "locked" and maybe few other Soc information. That would remain a stm32mp15_huk.c specifc implementation, with a scope specifc to that platform. |
Yes that is something that I was considering (returning an error on the huk as you are suggesting). But I think it is simpler - and more generic- to have this change on the stm32mp15_huk.c
And then in main:
|
anyway, many ways of doing this but the key requirement is that HUK users need to know if the HUK is to be trusted. So what do we do? Shall I just close this PR? do we feel it deserves a larger discussion? should we merge this proposal? |
We should not merge this. As for the discussion, it seems we don't understand each other. |
|
Example of usage that should be extended to all functions in core/arch/arm/kernel/otp_stubs and drivers. There is no reason I can think of for not reporting a truly unsecure platform executing a Trusted-OS. Signed-off-by: Jorge Ramirez-Ortiz <[email protected]>
No, I disagree on 1 and 2. |
This is kind of surprising since you wrote: "I don't see the point of the notion of an untrusted HUK. Either you have it and it can be used or you don't have it. If it's not trusted then you don't have it." what did you mean then? your position is totally cryptic to me. |
This discussion is important IMO. please could we resume with it. To provide with some background -aside of RPMB- take for example the SCP03 support we have in the SE05x crypto driver controlling a whole family of HSMs SCP03 defines a set of symmetric keys that must be rotated once the platform is deemed secured. The rotation scheme that we (you and I during the review process) agreed was, rather than storing these keys in memory, we would derive their values from a secure key. In OP-TEE this is the HUK. So the SE05x key rotation scheme - just as the RPMB key generation scheme - would benefit from having an indication if the HUK is stable before going ahead. Incidentally, the current __weak definition of HUK is silly for most purposes as it doesnt generate a per-device unique key- something that causes issues when dealing with fleets of devices. So perhaps 1) that __weak should use just a CID if available (so at least it is unique...at the moment is not unique nor secure so it would be a step forward) and 2) OP-TEE requires HUK drivers to generate immutable secret value and raises a security warning when that is not the case. what do you think? |
Why not just let the platform return an error if it detects that the HUK can't be used yet? On QEMU and Hikey it's from a testing point of good enough to use zeroes. |
Right and that would be an option if we had a __weak implementation that provides a unique id. What NXP does in their hardware is that while the platform is not booting secured firmware (the SoC hasnt been fused/closed), the hardware provides a real unique id. But then, once the board is secured (fused) it generates a different one which is final and therefore secured. This is the ideal situation we have been trying to mimic on the other HUK drivers.. And the reason why |
I suppose we could remove the A HUK is supposed to be unique and secure. I don't see a point in using a non-secure HUK as NXP does, but perhaps I'm missing a use case. For testing purposes, you can of course use any non-changing HUK, but OP-TEE still treats it as if it's unique and secure. |
I think the root of the problem is that a HUK is needed during development that is truly unique - not just a string of zeroes common to all OP-TEE devices. if the __weak implementation returned a unique ID when executing on real hardware we could then enforce/recommend that any platform specific HUK driver must be unique and immutable and whenever possible a secret (ie, only readable when the BOOTROM is booting a signed firmware) having a generic HUK returning a unique id when executing on various hardware should be doable (ie just use the CID value use for booting). Then it would be clear at build time if the HUK derived keys are secured. |
Why can't zeroes be used?
The
What CID? The one from the eMMC? How can that be secure or even non-changing? It seems I'm missing a key point in your use case. |
This pull request has been marked as a stale pull request because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this pull request will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time. |
The RPMB key derivation algorithm consumes the HUK and therefore is impacted by changes in its value.
The platform specific function plat_rpmb_key_is_ready() should be allowed to query the HUK in order to allow/deny burning the RPMB key.
Signed-off-by: Jorge Ramirez-Ortiz [email protected]