I am currently trying to sign a few TAs using the Yocto environment, namely:

- the three in-tree TAs shipped with optee-os
- oemcrypto, needed for Widevine
For some reason I can't sign oemcrypto successfully using the offline signing method described in the documentation. I could, however, successfully exchange the default_ta.pem to accomplish the above. optee-os is then built with the exchanged default private key, and the oemcrypto recipe pulls this key in as a dependency. This is not optimal though, since we want to use an HSM for offline signing to increase security. I am therefore suspecting that oemcrypto is somehow signed differently or that the stripped.elf is somehow different. From what I have read, it should not matter what you sign your TA with during the build. You can always create the digest, sign it and stitch everything back together. For some reason this does not work. If I sideload the oemcrypto TA that was built by exchanging the default_ta.pem file, everything works again. Do you have an idea what is happening here?