authorVictor Chong <victor.chong@linaro.org>2021-01-25 14:36:43 +0900
committervchong <7334750+vchong@users.noreply.github.com>2021-02-05 02:09:39 +0900
commitb0d1da3a3e8e094319f8bc823e2d884909f06b43 (patch)
tree3813ab93a38e95f171eafab97804f031f6dcb8bf
parentd129eb53d66bbf11e5ac783a88e00a98bdd3ab55 (diff)
downloadapps-b0d1da3a3e8e094319f8bc823e2d884909f06b43.tar.gz
km: ta: mbedtls_proxy: use REE time for cert gen
Since optee_os core doesn't have an absolute time, only relative, we're not able to derive the current date using the System (TEE) time and hence not able to generate a valid certificate for testing. An invalid certificate will cause the TA to panic. Use the REE time for certificate generation. Obviously this isn't fully secure, but since this code path is used for development and testing only, we allow it and print a warning to let the user know what to do instead in actual platforms or products. Signed-off-by: Victor Chong <victor.chong@linaro.org> Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
-rw-r--r--keymaster/ta/mbedtls_proxy.c25
1 files changed, 23 insertions, 2 deletions
diff --git a/keymaster/ta/mbedtls_proxy.c b/keymaster/ta/mbedtls_proxy.c
index 45a05ca..e8ce022 100644
--- a/keymaster/ta/mbedtls_proxy.c
+++ b/keymaster/ta/mbedtls_proxy.c
@@ -272,6 +272,7 @@ static keymaster_error_t convert_epoch_to_date_str(uint32_t sec,
snprintf((char *)(t_str + 8), 3, "%02u", ntp_hour);
snprintf((char *)(t_str + 10), 3, "%02u", ntp_minute);
snprintf((char *)(t_str + 12), 3, "%02u", ntp_second);
+ DMSG("seconds since epoch: %" PRIu32, sec);
DMSG("Date string: %s", t_str);
return KM_ERROR_OK;
@@ -885,7 +886,17 @@ static TEE_Result mbedTLS_gen_root_cert(mbedtls_pk_context *issuer_key,
goto out;
}
- TEE_GetSystemTime(&sys_t);
+ IMSG("########################################################");
+ IMSG("# CAUTION:");
+ IMSG("# REE time used for root cert generation!");
+ IMSG("# This is for development and testing ONLY!");
+ IMSG("# Platforms should define CFG_ATTESTATION_PROVISIONING");
+ IMSG("# and invoke the KM_SET_ATTESTATION_KEY and");
+ IMSG("# KM_APPEND_ATTESTATION_CERT_CHAIN commands to send a");
+ IMSG("# verified cert (chain) to secure persistent storage");
+ IMSG("# during provisioning!");
+ IMSG("########################################################");
+ TEE_GetREETime(&sys_t);
ret = convert_epoch_to_date_str(sys_t.seconds, dfl_not_before,
sizeof(dfl_not_before));
if (ret) {
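Review bot: The root certificate's not-before date now comes from `TEE_GetREETime(&sys_t)`, a clock the normal world sets, and nothing visible in this hunk limits that to development builds. The only safeguard is the IMSG banner, which is not emitted when the TA trace level is below info, so printing it with `EMSG` would keep it visible at lower log levels. If the call is not already inside a `#ifndef CFG_ATTESTATION_PROVISIONING` region outside the hunk, it should be. A comment at the call, such as `/* REE time is untrusted: dev/test only, provisioned builds must not reach this path */`, would keep the reason in the code. The same applies to the identical change in mbedTLS_attest_key_cert, and the body of mbedTLS_gen_root_cert starts and ends outside the hunk.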
@@ -1161,7 +1172,17 @@ static TEE_Result mbedTLS_attest_key_cert(mbedtls_pk_context *issuer_key,
goto out;
}
- TEE_GetSystemTime(&sys_t);
+ IMSG("########################################################");
+ IMSG("# CAUTION:");
+ IMSG("# REE time used for attestation cert generation!");
+ IMSG("# This is for development and testing ONLY!");
+ IMSG("# Platforms should define CFG_ATTESTATION_PROVISIONING");
+ IMSG("# and invoke the KM_SET_ATTESTATION_KEY and");
+ IMSG("# KM_APPEND_ATTESTATION_CERT_CHAIN commands to send a");
+ IMSG("# verified cert (chain) to secure persistent storage");
+ IMSG("# during provisioning!");
+ IMSG("########################################################");
+ TEE_GetREETime(&sys_t);
ret = convert_epoch_to_date_str(sys_t.seconds, dfl_not_before,
sizeof(dfl_not_before));
if (ret) {
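Review bot: The ten-line caution banner here is a copy of the one added in mbedTLS_gen_root_cert, differing only in the word "attestation" versus "root", so the two copies can drift apart when the provisioning advice changes. A small static helper that takes the certificate kind would keep a single copy, for example `static void warn_ree_time(const char *kind)` (a suggested name) containing `IMSG("# REE time used for %s cert generation!", kind);`. Each call site would then be one line before `TEE_GetREETime(&sys_t);`. The body of mbedTLS_attest_key_cert continues outside the hunk.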