Inquiry Regarding default_ta.pem for Offline TA Signing and Early TAs. #7126
Comments
Yes you can delete the file assuming you set config switches at least
I confirm that early TAs are not signed.
They are present in the rootfs only if the build process embeds them, whether or not they are listed in
Thank you for your response.
Ultimately, I am curious about the possibility of deleting default_ta.pem when applying offline TA signing for external TAs and using early TAs (e.g., pkcs#11).
Indeed, when That said, you can build OP-TEE core with pkcs11 early TA without using
For example, to build OP-TEE core with pkcs11 as early TA and without any private key file defined:
```shell
make PLATFORM=<...> O=my-out CFG_BUILD_IN_TREE_TA=n TA_SIGN_KEY="" ta_dev_kit
make -C ta/pkcs11 O=out \
    TA_DEV_KIT_DIR=$PWD/my-out/export-ta_arm32/ \
    CFG_PKCS11_TA_ALLOW_DIGEST_KEY=y \
    CFG_PKCS11_TA_AUTH_TEE_IDENTITY=y \
    CFG_PKCS11_TA_HEAP_SIZE=32768 \
    CFG_PKCS11_TA_TOKEN_COUNT=1 \
    CFG_PKCS11_TA_CHECK_VALUE_ATTRIBUTE=n \
    out/fd02c9da-306c-48c7-a49c-bbd827ae86ee.stripped.elf
make PLATFORM=<...> O=my-out CFG_BUILD_IN_TREE_TA=n TA_SIGN_KEY="" \
    TA_PUBLIC_KEY=my-ta-public-key.pem \
    EARLY_TA_PATHS=ta/pkcs11/out/fd02c9da-306c-48c7-a49c-bbd827ae86ee.stripped.elf \
    all
```
Remember that what counts is the public key your OP-TEE OS core is built with. This key shall be the right one.
I think I understand most of your detailed explanation. Thank you. I understand that I can build the early TA (elf) using the ta_dev_kit and include it in EARLY_TA_PATHS. (Command below)
Is it possible to skip the process of building the early TA (elf) and use CFG_IN_TREE_EARLY_TAS instead of EARLY_TA_PATHS with the following command?
If it is not possible, do CFG_IN_TREE_EARLY_TAS and CFG_BUILD_IN_TREE_TA need to be enabled together?
With the current build process,
This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.
I would like to apply offline TA signing by generating a new key as shown below,
instead of using the default TA signing key (default_ta.pem) provided by default.
The purpose is to avoid providing the private key for TA signing to an external vendor providing OP-TEE.
Reference document: https://optee.readthedocs.io/en/latest/building/trusted_applications.html#offline-signing-of-tas
The TEE binary is modified and built as follows.
After this, I applied offline TA signing to the TA under development according to the guide and confirmed that it works correctly.
I have two questions from two perspectives:
Questions:
Additional question:
I understand that early TAs are included within the TEE binary, why do they also exist in the rootfs (/lib/optee_armtz/)?
Thank you in advance for your help.
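The point of the offline-signing setup described in this issue is that the party building OP-TEE (here, the external vendor) only ever holds the public key (the one `TA_PUBLIC_KEY=` points at), while the private key stays with whoever signs. The script below is an added illustration of that split, not part of this issue and not OP-TEE's own `sign_encrypt.py` digest/stitch tooling: it uses plain `openssl` on a constructed stand-in file in place of a real `<uuid>.stripped.elf`, so the file names, the RSA-PSS/SHA-256 parameters and the `run_demo` wrapper are all assumptions made for the example. It shows that the "vendor" side can produce the digest and later verify the result with the public key alone, and that an image modified after signing is rejected.

```shell
#!/bin/sh
# Added illustration of the offline-signing split (assumed example, not
# OP-TEE's sign_encrypt.py). The "TA image" is a constructed stand-in file.
# Roles: the key holder keeps signer_private.pem; the external vendor only
# ever receives ta_public.pem (the key the OP-TEE core is built with).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PRIV="$WORK/signer_private.pem"   # stays with the key holder
PUB="$WORK/ta_public.pem"         # what TA_PUBLIC_KEY= would point at
IMG="$WORK/ta.img"                # stand-in for <uuid>.stripped.elf
DIG="$WORK/ta.dig"                # SHA-256 of the image, sent to the key holder
SIG="$WORK/ta.sig"                # RSA-PSS signature, sent back to the vendor

# Key holder: generate the pair once; only the public half leaves this machine.
gen_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$PRIV" 2>/dev/null
    openssl pkey -in "$PRIV" -pubout -out "$PUB"
}

# Vendor: hash the built image. No private key is needed for this step.
vendor_digest() {
    openssl dgst -sha256 -binary "$IMG" > "$DIG"
}

# Key holder: sign the 32-byte digest offline (RSA-PSS, SHA-256, salt = digest length).
holder_sign() {
    openssl pkeyutl -sign -inkey "$PRIV" -in "$DIG" -out "$SIG" \
        -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss \
        -pkeyopt rsa_pss_saltlen:digest
}

# Vendor (or the device at load time): verify with the public key only.
# Exit status is non-zero when the signature does not match the digest.
vendor_verify() {
    openssl pkeyutl -verify -pubin -inkey "$PUB" -in "$DIG" -sigfile "$SIG" \
        -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss \
        -pkeyopt rsa_pss_saltlen:digest >/dev/null 2>&1
}

# Round trip plus a tamper check; prints "ok" when both behave as expected.
run_demo() {
    gen_keys
    printf 'constructed stand-in TA image v1\n' > "$IMG"
    vendor_digest
    holder_sign
    vendor_verify || { echo "genuine image rejected"; return 1; }
    # Change the image after signing: its fresh digest must no longer verify.
    printf 'constructed stand-in TA image v2\n' > "$IMG"
    vendor_digest
    if vendor_verify; then echo "tampered image accepted"; return 1; fi
    echo ok
}

run_demo
```

Mapping this back to the thread: `gen_keys` corresponds to the "generating a new key" step of the issue body, `vendor_digest` and `vendor_verify` are the only operations the party running the builds in the reply above needs, and `holder_sign` is the step that never has to run on the vendor's machine.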