Add support for using RPMB as a secure storage device #88
Conversation
The variable TDX_OPTEE_FS_RPMB can be used to enable support for using the eMMC RPMB partition as a secure storage device. Three operation modes are defined, which can be enabled via the TDX_OPTEE_FS_RPMB_MODE variable: - development: the RPMB partition is emulated in software by tee-supplicant. The emulation is done in memory, so the contents of the storage is lost after a reboot or when the tee-supplicant daemon is restarted. - factory: the eMMC RPMB partition is used, and OP-TEE is configured to program the RPMB key. The RPMB key is derived from the SoC's Hardware Unique Key (HUK). This mode is intended for secure factory provisioning environments, and it should never be used outside of a trusted, secure factory setup. - production: the eMMC RPMB partition is used, and it is assumed that the RPMB key has already been programmed into the RPMB partition. This mode is designed for production environments, where secure storage operations rely on a pre-provisioned RPMB key. Signed-off-by: Sergio Prado <[email protected]>
When RPMB is enabled, the additional data partition for storing persistent data becomes unnecessary, as OP-TEE utilizes the RPMB partition for this purpose. Signed-off-by: Sergio Prado <[email protected]>
Enable debug level messages in TEE supplicant if TDX_OPTEE_DEBUG is set. Signed-off-by: Sergio Prado <[email protected]>
|
|
||
| With this, one could use an OS image configured in `factory` mode during a secure provisioning process, then deploy an OS image configured in `production` mode to devices in the field. However, be aware that alternative RPMB key provisioning methods exist, and the approach should align with your threat model. | ||
|
|
||
| Another important aspect is how the key generation works. Because OP-TEE derives the RPMB authentication key from the SoC's HUK, if the RPMB key is provisioned while the device is in an "open" state (secure boot disabled), it becomes inaccessible once secure boot is enabled, because the HUK changes when the device transitions to a "closed" state. |
There was a problem hiding this comment.
@sergioprado For clarification, for Toradex modules I imagine the procedure for provisioning a device in factory would involve (at least for NXP modules):
- Installing a version of the OS built with
TDX_OPTEE_FS_RPMB_MODE=factorywith Toradex Easy Installer. - Booting that version (twice) to fuse and close the device.
- Booting that version again to write the private key to the RPMB partition. Btw, would this writing happen automatically?
- With the device closed, install a new version of the OS now built with
TDX_OPTEE_FS_RPMB_MODE=production.
Does this seem correct? If so, then I'd say customers would not be able to perform the last step easily since it would require either a signed version of Toradex Easy Installer (which we don't provide yet) or provisioning the device to the platform and performing a normal (possibly offline) update. Not that this is a major issue since everything on Secure Boot is a work in progress 🙂.
There was a problem hiding this comment.
@rborn-tx Alright, let me break this down and clarify the process for RPMB key provisioning.
To write to the RPMB partition, an authentication key must first be enrolled (written to the partition). This is a one-time operation - once the key is programmed, it cannot be changed or erased. After enrollment, only devices with the correct key can perform authenticated read and write operations to the RPMB.
There are multiple ways to handle RPMB key provisioning. You could, for example:
- Program the key during eMMC manufacturing.
- Use a specialized firmware for that.
- Create a custom OS image designed to write the key.
The specific method doesn't matter as long as it fits your requirements. Ultimately, it's up to the user to choose an approach that works within their production environment.
Anyway, for secure storage to function effectively, OP-TEE needs access to the RPMB authentication key. It's impractical (and insecure) to hard-code this key in OP-TEE. Instead, OP-TEE can derive the key from the SoC's Hardware Unique Key (HUK), which is securely stored within the chip. When the CFG_RPMB_WRITE_KEY configuration is enabled, OP-TEE automatically derives and programs the key at startup.
A crucial point to understand is that you don't want to do this in production. OP-TEE itself does not have direct access to the eMMC driver and therefore cannot send commands to the RPMB partition. It delegates this task to the TEE supplicant running in the normal (REE) world. If this key-writing functionality is left enabled in a production environment, there is a risk that an attacker could exploit this "window of opportunity" to compromise the key by intercepting commands sent through the normal world.
To mitigate this risk, I introduced the concept of factory and production modes:
- Factory Mode: This mode allows OP-TEE to derive and program the RPMB key. It is intended to be used only during secure provisioning, such as in a factory setting.
- Production mode: In this mode, OP-TEE assumes the RPMB key has already been enrolled. The system can securely access the RPMB partition but cannot write or overwrite the key. This mode is designed for field devices to prevent key exposure.
However, this is just one possible solution. There are other approaches to RPMB key provisioning, which is why I emphasized in the documentation:
Be aware that alternative RPMB key provisioning methods exist, and the approach should align with your threat model.
To summarize, the complete process would be:
- Fuse keys and close the device.
- Write the RPMB key (derived from the HUK) in a secure provisioning environment (e.g., using the factory image).
- Transition the device to production mode with key provisioning disabled.
Does this make sense? Please let me know if you have further questions.
Thanks for reviewing!
Signed-off-by: Sergio Prado <[email protected]>
sergioprado
force-pushed
the
optee-rpmb
branch
from
8d933e9 to
9238ba8
Compare
Tested on Verdin iMX8MP, Verdin iMX8MM and Verdin AM62.
You can view the documentation changes more clearly here: https://github.com/sergioprado/meta-toradex-security/blob/optee-rpmb/docs/README-optee.md