Hi Shebu,
Thanks for your reply.I would like to
know is there any reference usage example of tf-m available now?
Best Regards,
Poppy Wu
Macronix Microelectronics (Suzhou) Co.,Ltd
Http: //www.mxic.com.cn
----- Forwarded by Edward
Yang/CHINA/MXIC on 2021/05/17 11:56 -----
| Shebu Varghese Kuriakose
<Shebu.VargheseKuriakose@arm.com>
2021/05/15 01:19
|
|
To
| Edward Yang <EdwardYang@mxic.com.cn>,
"tf-m@lists.trustedfirmware.org" <tf-m@lists.trustedfirmware.org>
|
|
cc
| nd <nd@arm.com>
|
|
Subject
| RE: [TF-M] Factory provisioning with
tf-m |
|
Hi Poppy,
In the roadmap, provisioning service is
noted incase there is any standard provisioning mechanism that PSA defines
in future. There is no plans around provisioning at this point.
It is upto the platform to generate the
keys and provision it securely on the device which TF-M can make use of.
On Arm reference platforms, MuscaB1 and MuscaS1, the HUK, IAK are generated
in Cryptocell-312.
HUK, IAK private keys and ROTPK are provisioned
in the OTP of CC-312.
The hardcoding of keys in TF-M is just
for development purposes and not to be used in production environment.
Provisioning the attestation key in the
secure region of the embedded flash might be acceptable. Experts in the
list can comment.
Regards,
Shebu
From: TF-M <tf-m-bounces@lists.trustedfirmware.org>
On Behalf Of Edward Yang via TF-M
Sent: Friday, May 14, 2021 10:04 AM
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] Factory provisioning with tf-m
Hi,
I would like to know about how to use tf-m with factory provisioning,for
example,HUK,IAK,ROTPK these ROT assets should be injected to device via
factory provisioning,besides,application specific certificates and private
keys can also be injected during this procedure,in tf-m roadmap,there is
a provision service,what's the functionality of this service?
In initial attestation service, attest_register_initial_attestation_key()
calls tfm_plat_get_symmetric_iak() to get IAK, I found implementation
template of tfm_plat_get_symmetric_iak() just copys hardcoded key
value(for developer mode).
I think this is not allowed in production mode.Is there any recommended
implementation of this API?
What if I stored IAK in a specific address of MCU embedded flash during
factory provisioning, such as #define IAK_REGION IAK_base_addr in
flash_layout.h,and then use flash.read get the key value?
tfm_plat_get_symmetric_iak( )
{
TFM_HAL_ITS_FLASH_DRIVER.ReadData(IAK_REGION, buff, size);
}
Best Regards,
Poppy Wu
Macronix Microelectronics (Suzhou) Co.,Ltd
Http: //www.mxic.com.cn
CONFIDENTIALITY NOTE:
This e-mail and any attachments may contain
confidential information and/or personal data, which is protected by applicable
laws. Please be reminded that duplication, disclosure, distribution, or
use of this e-mail (and/or its attachments) or any part thereof is prohibited.
If you receive this e-mail in error, please notify us immediately and delete
this mail as well as its attachment(s) from your system. In addition, please
be informed that collection, processing, and/or use of personal data is
prohibited unless expressly permitted by personal data protection laws.
Thank you for your attention and cooperation.
Macronix International Co., Ltd.
=====================================================================
CONFIDENTIALITY NOTE:
This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as it attachments from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation.
Macronix International Co., Ltd.
=====================================================================