Hi Andrej,
Key derivation should be deterministic - given the same input parameters, tfm_plat_get_huk_derived_key() should always derive the same key.
Each platform needs to implement tfm_plat_get_huk_derived_key() to use a key derivation function (KDF) to derive keys from the hardware unique key (HUK) that is kept in some one time programmable (OTP) memory on the chip. Depending on the platform, the key derivation might be done with a crypto accelerator, or it might be done with a software implementation of a KDF if no accelerator is available. You can use the Musca-B1 implementation as an example (https://git.trustedfirmware.org/trusted-firmware-m.git/tree/platform/ext/tar...), which uses CryptoCell-312 to derive keys from the HUK. Other Arm platforms only have dummy implementations of this function.
In general, users of this API will keep their derived keys in volatile memory and redo the key derivation on each boot, as the cost of key derivation is low.
Kind regards, Jamie
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Andrej Butok via TF-M Sent: 09 April 2020 11:49 To: tf-m@lists.trustedfirmware.org Subject: [TF-M] Using tfm_plat_get_huk_derived_key(), TFM key-storage?
Hello,
Could you clarify: 1) Must the tfm_plat_get_huk_derived_key() function to return the same key per each call (as it's done now), or it may return randomized key (per each call) derived from HUK? 2) If tfm_plat_get_huk_derived_key() may return a different key per call, the generated key must be stored in persistent storage. Is this key persistent storage already implemented (using the default parameters) for example in ITS, or the key-storage must be implemented additionally? It looks like the current TFM key storage is placed in RAM, or I have missed something?
Thank you, Andrej Butok
Hi Jamie, Thank you for the clarification.
We do not have the CryptoCell-312-like HW derivation functionality. May we use the dummy approach used for other platforms - just copy the key-content (probably placed in OTP) to the output key-buffer? Is it OK for PSA certification? If not, could you suggest a proper derivation SW implementation?
Thank you, Andrej
From: Jamie Fox Jamie.Fox@arm.com Sent: Thursday, April 9, 2020 1:23 PM To: Andrej Butok andrey.butok@nxp.com; tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: RE: Using tfm_plat_get_huk_derived_key(), TFM key-storage?
Hi Andrej,
Key derivation should be deterministic - given the same input parameters, tfm_plat_get_huk_derived_key() should always derive the same key.
Each platform needs to implement tfm_plat_get_huk_derived_key() to use a key derivation function (KDF) to derive keys from the hardware unique key (HUK) that is kept in some one time programmable (OTP) memory on the chip. Depending on the platform, the key derivation might be done with a crypto accelerator, or it might be done with a software implementation of a KDF if no accelerator is available. You can use the Musca-B1 implementation as an example (https://git.trustedfirmware.org/trusted-firmware-m.git/tree/platform/ext/tar...https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.trustedfirmware.org%2Ftrusted-firmware-m.git%2Ftree%2Fplatform%2Fext%2Ftarget%2Fmusca_b1%2Fdummy_crypto_keys.c%23n68&data=02%7C01%7Candrey.butok%40nxp.com%7Ccc6c633d24664e8f561908d7dc787142%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637220282165290972&sdata=%2BkENr4jTNg6%2BngdoFuhglIQjbc3Nw3DdmbDmGWAyBr0%3D&reserved=0), which uses CryptoCell-312 to derive keys from the HUK. Other Arm platforms only have dummy implementations of this function.
In general, users of this API will keep their derived keys in volatile memory and redo the key derivation on each boot, as the cost of key derivation is low.
Kind regards, Jamie
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Andrej Butok via TF-M Sent: 09 April 2020 11:49 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [TF-M] Using tfm_plat_get_huk_derived_key(), TFM key-storage?
Hello,
Could you clarify: 1) Must the tfm_plat_get_huk_derived_key() function to return the same key per each call (as it's done now), or it may return randomized key (per each call) derived from HUK? 2) If tfm_plat_get_huk_derived_key() may return a different key per call, the generated key must be stored in persistent storage. Is this key persistent storage already implemented (using the default parameters) for example in ITS, or the key-storage must be implemented additionally? It looks like the current TFM key storage is placed in RAM, or I have missed something?
Thank you, Andrej Butok
tf-m@lists.trustedfirmware.org