There is one thing I really don't understand about the offline signing process for TAs using an HSM:
In the documentation (https://link.getmailspring.com/link/4CCC8610-79B9-4890-AF1F-7A0AA56F0C20@get...) it says to generate a keypair with openssl and sign the TAs using the public key as ${TA_SIGN_KEY}. In point 4. the usage of an HSM is described, but since it is not possible to extract the private key from an HSM, I wonder how steps 3.-5. are even possible. Do you mix the previously generated RSA key with the one from the HSM? I cannot image that is as it should be. Can you please clarify this! Thank you
Sign the TAs using the private key I meant...
On Nov. 15 2023, at 2:35 pm, Jan Claußen jan.claussen10@web.de wrote:
There is one thing I really don't understand about the offline signing process for TAs using an HSM:
In the documentation (https://link.getmailspring.com/link/756A14AB-7D5B-4EB4-B980-50EB714532CD@get...) it says to generate a keypair with openssl and sign the TAs using the public key as ${TA_SIGN_KEY}. In point 4. the usage of an HSM is described, but since it is not possible to extract the private key from an HSM, I wonder how steps 3.-5. are even possible. Do you mix the previously generated RSA key with the one from the HSM? I cannot image that is as it should be. Can you please clarify this! Thank you
The example shell script for the pkcs11-tools does not work btw. This could be fixed!
I had no luck today with the HSM signing. Neither with the described solution using the pkcs11-tool or openssl with the pkcs11 engine. I also wonder if the header in the documentation will be the same in any case or if I have to prepend my own header. This part is not documented. Would be great if some could get back to me regarding this!
Am 15.11.2023 um 17:56 schrieb Jan Claußen jan.claussen10@web.de:
The example shell script for the pkcs11-tools does not work btw. This could be fixed!
I guess the pkcs11-tool is just an example for signing and I would have to come up with a way to calculate the digest and stitch everything back together myself, don’t I?
Am 15.11.2023 um 19:35 schrieb Jan Claußen jan.claussen10@web.de:
I had no luck today with the HSM signing. Neither with the described solution using the pkcs11-tool or openssl with the pkcs11 engine. I also wonder if the header in the documentation will be the same in any case or if I have to prepend my own header. This part is not documented. Would be great if some could get back to me regarding this!
Am 15.11.2023 um 17:56 schrieb Jan Claußen jan.claussen10@web.de:
The example shell script for the pkcs11-tools does not work btw. This could be fixed!
Hello Jan,
I believe the documentation at [1] has some issues and should be revised. Please refer to the output of:
sign_encrypt.py --help sign_encrypt.py digest --help sign_encrypt.py stitch --help
The script can be found in optee_os/scripts. From the help text and my recollection if all this, here are some commands that should hopefully help (untested):
- To generate the digest (<UUID>.dig) you use "sign_encrypt.py digest": $ sign_encrypt.py digest --uuid <UUID> --in path/to/<UUID>.stripped.elf --key path/to/<your-public-key>.pem --dig <UUID>.dig
- Then you sign the digest with the HSM using pkcs11-tool: $ pkcs11-tool --id <your-key-id> -s --login -m RSA-PKCS-PSS --hash-algorithm SHA256 --mgf MGF1-SHA256 --input-file <UUID>.dig | base64
<UUID>.sig
- Finally to create the signed TA you use "sign_encrypt.py stitch" $ sign_encrypt.py stitch --uuid <UUID> --in path/to/<UUID>.stripped.elf --key <your-public-key>.pem --sig <UUID>.sig --out <UUID>.ta
Make sure OP-TEE is built with "make TA_PBLIC_KEY=<your-public-key>.pem" as documented in mk/config.mk.
[1] https://optee.readthedocs.io/en/latest/building/trusted_applications.html#of...
HTH,
Dear all,
The method suggested by Jérôme is OP-TEE native way to stitch a signature computed offline, possibly through a PKCS#11 token. An alternate way was proposed in discussion thread [1]. We proposed to integrate use of python PKCS#11 support in OP-TEE's sign_encrypt.py script to automate the signing process using a PKCS#11 token. However, at the time there was demand for such support so I dropped it.
Please tell us if you see an interest in rebasing the proposed change [1] in OP-TEE OS mainline repository. If so, we could take a bit of time to do this but as usual, feel free to create a P-R and propose the required changes if you rather have them to be reviewed (eventually merged) in a short time frame.
[1] https://github.com/OP-TEE/optee_os/issues/5284#issuecomment-1112173121
Regards, Etienne
________________________________________ From: Jérôme Forissier via OP-TEE op-tee@lists.trustedfirmware.org Sent: Thursday, November 16, 2023 12:21:25 AM To: Jan Claußen Cc: op-tee@lists.trustedfirmware.org Subject: Re: How to sign TAs with an HSM?
Hello Jan,
I believe the documentation at [1] has some issues and should be revised. Please refer to the output of:
sign_encrypt.py --help sign_encrypt.py digest --help sign_encrypt.py stitch --help
The script can be found in optee_os/scripts. From the help text and my recollection if all this, here are some commands that should hopefully help (untested):
- To generate the digest (<UUID>.dig) you use "sign_encrypt.py digest": $ sign_encrypt.py digest --uuid <UUID> --in path/to/<UUID>.stripped.elf --key path/to/<your-public-key>.pem --dig <UUID>.dig
- Then you sign the digest with the HSM using pkcs11-tool: $ pkcs11-tool --id <your-key-id> -s --login -m RSA-PKCS-PSS --hash-algorithm SHA256 --mgf MGF1-SHA256 --input-file <UUID>.dig | base64
<UUID>.sig
- Finally to create the signed TA you use "sign_encrypt.py stitch" $ sign_encrypt.py stitch --uuid <UUID> --in path/to/<UUID>.stripped.elf --key <your-public-key>.pem --sig <UUID>.sig --out <UUID>.ta
Make sure OP-TEE is built with "make TA_PBLIC_KEY=<your-public-key>.pem" as documented in mk/config.mk.
[1] https://optee.readthedocs.io/en/latest/building/trusted_applications.html#of...
HTH, -- Jerome
On Wed, Nov 15, 2023 at 7:44 PM Jan Claußen jan.claussen10@web.de wrote:
I guess the pkcs11-tool is just an example for signing and I would have to come up with a way to calculate the digest and stitch everything back together myself, don’t I?
Am 15.11.2023 um 19:35 schrieb Jan Claußen jan.claussen10@web.de:
I had no luck today with the HSM signing. Neither with the described
solution using the pkcs11-tool or openssl with the pkcs11 engine. I also wonder if the header in the documentation will be the same in any case or if I have to prepend my own header. This part is not documented. Would be great if some could get back to me regarding this!
Am 15.11.2023 um 17:56 schrieb Jan Claußen jan.claussen10@web.de:
The example shell script for the pkcs11-tools does not work btw. This
could be fixed!
Hi Etienne,
On Thu, 16 Nov 2023 at 14:23, Etienne CARRIERE - foss etienne.carriere@foss.st.com wrote:
Dear all,
The method suggested by Jérôme is OP-TEE native way to stitch a signature computed offline, possibly through a PKCS#11 token. An alternate way was proposed in discussion thread [1]. We proposed to integrate use of python PKCS#11 support in OP-TEE's sign_encrypt.py script to automate the signing process using a PKCS#11 token.
I think using OpenSSL for signing TAs should be a better alternative. It has a good concept of provider/engine which has support for PKCS#11, TPM etc. And even we can directly input the test key in OP-TEE OS tree.
-Sumit
However, at the time there was demand for such support so I dropped it.
Please tell us if you see an interest in rebasing the proposed change [1] in OP-TEE OS mainline repository. If so, we could take a bit of time to do this but as usual, feel free to create a P-R and propose the required changes if you rather have them to be reviewed (eventually merged) in a short time frame.
[1] https://github.com/OP-TEE/optee_os/issues/5284#issuecomment-1112173121
Regards, Etienne
From: Jérôme Forissier via OP-TEE op-tee@lists.trustedfirmware.org Sent: Thursday, November 16, 2023 12:21:25 AM To: Jan Claußen Cc: op-tee@lists.trustedfirmware.org Subject: Re: How to sign TAs with an HSM?
Hello Jan,
I believe the documentation at [1] has some issues and should be revised. Please refer to the output of:
sign_encrypt.py --help sign_encrypt.py digest --help sign_encrypt.py stitch --help
The script can be found in optee_os/scripts. From the help text and my recollection if all this, here are some commands that should hopefully help (untested):
- To generate the digest (<UUID>.dig) you use "sign_encrypt.py digest":
$ sign_encrypt.py digest --uuid <UUID> --in path/to/<UUID>.stripped.elf --key path/to/<your-public-key>.pem --dig <UUID>.dig
- Then you sign the digest with the HSM using pkcs11-tool:
$ pkcs11-tool --id <your-key-id> -s --login -m RSA-PKCS-PSS --hash-algorithm SHA256 --mgf MGF1-SHA256 --input-file <UUID>.dig | base64
<UUID>.sig
- Finally to create the signed TA you use "sign_encrypt.py stitch"
$ sign_encrypt.py stitch --uuid <UUID> --in path/to/<UUID>.stripped.elf --key <your-public-key>.pem --sig <UUID>.sig --out <UUID>.ta
Make sure OP-TEE is built with "make TA_PBLIC_KEY=<your-public-key>.pem" as documented in mk/config.mk.
[1] https://optee.readthedocs.io/en/latest/building/trusted_applications.html#of...
HTH,
Jerome
On Wed, Nov 15, 2023 at 7:44 PM Jan Claußen jan.claussen10@web.de wrote:
I guess the pkcs11-tool is just an example for signing and I would have to come up with a way to calculate the digest and stitch everything back together myself, don’t I?
Am 15.11.2023 um 19:35 schrieb Jan Claußen jan.claussen10@web.de:
I had no luck today with the HSM signing. Neither with the described
solution using the pkcs11-tool or openssl with the pkcs11 engine. I also wonder if the header in the documentation will be the same in any case or if I have to prepend my own header. This part is not documented. Would be great if some could get back to me regarding this!
Am 15.11.2023 um 17:56 schrieb Jan Claußen jan.claussen10@web.de:
The example shell script for the pkcs11-tools does not work btw. This
could be fixed!
@Jérome You solution worked well. Thank you!
@Étienne It works for me now, so actually there is no need for me. I also think that for the sake of transparency, it is letting the signing step be done by official tools like openssl or pkcs11-tool is the better solution! It would just be great if the documentation could be changed accordingly. Make clear that the pubkey must be used for the digest and stitch steps Fix the pkcs11-tool command example
Maybe mention that the --ta-version flag must be set for some TAs e.g. oemcrypto. This has taken me quite a while to find out. Had to look at the make commands in Yocto.
Cheers, Jan
Hi Jan,
It works for me now..
This great news, glad to hear it's working for you!
It would just be great if the documentation could be changed accordingly.
Agreed, and this is where it would be great if you could help out. ;). It would be helpful if you could take this on since community docs are found to be most useful when the actual users contribute. If you would be willing, here's a couple suggestions: - First, post this as a docs issue here: https://github.com/OP-TEE/optee_docs/issues - And second, it would be awesome if you could create a Pull Request against that issue for the changes you'd recommend to the docs in that same repo.
Thanks in advance and feel free to reach out to me if you have any questions,
Don Harbin
TrustedFirmware Community Manager
don.harbin@linaro.org
On Thu, 16 Nov 2023 at 05:26, Jan Claußen jan.claussen10@web.de wrote:
@Jérome You solution worked well. Thank you!
@Étienne It works for me now, so actually there is no need for me. I also think that for the sake of transparency, it is letting the signing step be done by official tools like openssl or pkcs11-tool is the better solution! It would just be great if the documentation could be changed accordingly. Make clear that the pubkey must be used for the digest and stitch steps Fix the pkcs11-tool command example
Maybe mention that the --ta-version flag must be set for some TAs e.g. oemcrypto. This has taken me quite a while to find out. Had to look at the make commands in Yocto.
Cheers, Jan
Done
https://github.com/OP-TEE/optee_docs/pull/223 Regards, Jan
On Nov. 16 2023, at 4:14 pm, Don Harbin don.harbin@linaro.org wrote:
Hi Jan,
It works for me now..
This great news, glad to hear it's working for you!
It would just be great if the documentation could be changed accordingly.
Agreed, and this is where it would be great if you could help out. ;). It would be helpful if you could take this on since community docs are found to be most useful when the actual users contribute. If you would be willing, here's a couple suggestions:
- First, post this as a docs issue here:
https://github.com/OP-TEE/optee_docs/issues
- And second, it would be awesome if you could create a Pull Request
against that issue for the changes you'd recommend to the docs in that same repo.
Thanks in advance and feel free to reach out to me if you have any questions,
Don Harbin TrustedFirmware Community Manager don.harbin@linaro.org
On Thu, 16 Nov 2023 at 05:26, Jan Claußen jan.claussen10@web.de wrote:
@Jérome You solution worked well. Thank you!
@Étienne It works for me now, so actually there is no need for me. I also think that for the sake of transparency, it is letting the signing step be done by official tools like openssl or pkcs11-tool is the better solution! It would just be great if the documentation could be changed accordingly. Make clear that the pubkey must be used for the digest and stitch steps Fix the pkcs11-tool command example
Maybe mention that the --ta-version flag must be set for some TAs e.g. oemcrypto. This has taken me quite a while to find out. Had to look at the make commands in Yocto.
Cheers, Jan
op-tee@lists.trustedfirmware.org
-
Don Harbin -
Etienne CARRIERE - foss -
Jan Claußen -
Jérôme Forissier -
Sumit Garg