Hi Poppy,

 

In the roadmap, provisioning service is noted incase there is any standard provisioning mechanism that PSA defines in future. There is no plans around provisioning at this point.

 

It is upto the platform to generate the keys and provision it securely on the device which TF-M can make use of. On Arm reference platforms, MuscaB1 and MuscaS1, the HUK, IAK are generated in Cryptocell-312.

HUK, IAK private keys and ROTPK are provisioned in the OTP of CC-312.

 

The hardcoding of keys in TF-M is just for development purposes and not to be used in production environment.

Provisioning the attestation key in the secure region of the embedded flash might be acceptable. Experts in the list can comment.

 

Regards,

Shebu

 

From: TF-M <tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Edward Yang via TF-M
Sent: Friday, May 14, 2021 10:04 AM
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] Factory provisioning with tf-m

 


Hi,

I would like to know about how to use tf-m with factory provisioning,for example,HUK,IAK,ROTPK these ROT assets should be injected to device via factory provisioning,besides,application specific certificates and private keys can also be injected during this procedure,in tf-m roadmap,there is a provision service,what's the functionality of this service?


In initial attestation service, attest_register_initial_attestation_key() calls tfm_plat_get_symmetric_iak() to get IAK, I found implementation template of tfm_plat_get_symmetric_iak() just copys hardcoded key value(for developer mode).
I think this is not allowed in production mode.Is there any recommended implementation of this API?

What if I stored IAK in a specific address of MCU embedded flash during factory provisioning, such as #define IAK_REGION  IAK_base_addr  in flash_layout.h,and then use flash.read get the key value

tfm_plat_get_symmetric_iak( )
{
 
  TFM_HAL_ITS_FLASH_DRIVER.ReadData(IAK_REGION, buff, size);
}



Best Regards,
Poppy Wu

Macronix Microelectronics (Suzhou) Co.,Ltd
Http: //www.mxic.com.cn

CONFIDENTIALITY NOTE:

This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as its attachment(s) from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation.

Macronix International Co., Ltd.

=====================================================================