Hi Poppy,
In the roadmap, provisioning service is noted incase there is any standard provisioning mechanism that PSA defines in future. There is no plans around provisioning at this point.
It is upto the platform to generate the keys and provision it securely on the device which TF-M can make use of. On Arm reference platforms, MuscaB1 and MuscaS1, the HUK, IAK are generated in Cryptocell-312. HUK, IAK private keys and ROTPK are provisioned in the OTP of CC-312.
The hardcoding of keys in TF-M is just for development purposes and not to be used in production environment. Provisioning the attestation key in the secure region of the embedded flash might be acceptable. Experts in the list can comment.
Regards, Shebu
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Edward Yang via TF-M Sent: Friday, May 14, 2021 10:04 AM To: tf-m@lists.trustedfirmware.org Subject: [TF-M] Factory provisioning with tf-m
Hi,
I would like to know about how to use tf-m with factory provisioning,for example,HUK,IAK,ROTPK these ROT assets should be injected to device via factory provisioning,besides,application specific certificates and private keys can also be injected during this procedure,in tf-m roadmap,there is a provision service,what's the functionality of this service?
In initial attestation service, attest_register_initial_attestation_key() calls tfm_plat_get_symmetric_iak() to get IAK, I found implementation template of tfm_plat_get_symmetric_iak() just copys hardcoded key value(for developer mode). I think this is not allowed in production mode.Is there any recommended implementation of this API?
What if I stored IAK in a specific address of MCU embedded flash during factory provisioning, such as #define IAK_REGION IAK_base_addr in flash_layout.h,and then use flash.read get the key value?
tfm_plat_get_symmetric_iak( ) {
TFM_HAL_ITS_FLASH_DRIVER.ReadData(IAK_REGION, buff, size); }
Best Regards, Poppy Wu
Macronix Microelectronics (Suzhou) Co.,Ltd Http: //www.mxic.com.cn
CONFIDENTIALITY NOTE:
This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as its attachment(s) from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation.
Macronix International Co., Ltd.
=====================================================================