FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

OP-TEE key

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

OP-TEE key

Jump to solution
‎02-08-2021 07:53 AM
4,946 Views
antonio_santagi
Contributor IV

Hello,

I am using Yocto BSP for iMX8M mini. Not sure if this is the right place where to ask this question, in case not please let me know.

At https://source.codeaurora.org/external/imx/imx-optee-os/tree/documentation/porting_guidelines.md?h=i... 

I can read that 

 

## 9. Trusted Application private/public keypair
By default all Trusted Applications (TA's) are signed with the pre-generated
2048-bit RSA development key (private key). This key is located in the `keys`
folder (in the root of optee_os.git) and is named `default_ta.pem`. This key
**must** be replaced with your own key and you should **never ever** check-in
this private key in the source code tree when in use in a real product.  

and also at : 

https://optee.readthedocs.io/en/latest/building/trusted_applications.html#signing-of-tas 

Warning

"optee_os comes with a default private key in its source to facilitate easy development, testing, debugging and QA. Never deploy an optee_os binary with this key in production. Instead replace this key as soon as possible with a public key and keep the private part of the key offline, preferably on an HSM."

 

Right, then I generated a new keypair and extracted the public key. 

I have then put the extracted public key in the keys folder renaming it to default_ta.pem, overwriting the original default_ta.pem.

This means that there is only a public key now in default_ta.pem.

Now, optee-os-imx builds correctly but optee-test-imx raises error, this is understandable because it's a trusted app and therefore it needs the private key to be signed with.

So, my question is, if I replace the default_ta.pem with another KEYPAIR .pem file that I generated, is this secure ? optee-os-imx and optee-test-imx will build correctly but does the private key part of the key pair gets stripped from the optee-os binary file ? or does the default_ta.pem keypair gets embedded completely in the image ?

In this last case this would clash a bit with the instructions that suggest to not put any private key in the sources being built.

Can you point to the script that handles this part ?

thank you!

 

 

0 Kudos
Reply
1 Solution

Jump to solution
‎02-09-2021 03:38 PM
4,928 Views
antonio_santagi
Contributor IV

Yes, that's correct @IvanRuiz .

Only problem is that we build also imx-optee-test recipe and this requires optee-os and it tries to get the private key from the optee-os build folder. 

Anyway now I found that the private key is stripped out from the keypair before embedding into the tee image, it's done by this script : 

pem_to_pub_c.py

it generates a c file with information only about the public key extracted from the keypair.

that is what goes then in the tee.bin file.

We anyway will not commit the private key to the repository with the sources, as per your documentation. 

View solution in original post

0 Kudos
Reply
4 Replies

Jump to solution
‎11-05-2025 01:12 AM
655 Views
imx8mp_developer
Contributor I

Does anybody figure out what should be modified in order to sign using HSM in Yocto builds?

0 Kudos
Reply

Jump to solution
‎10-22-2025 01:46 AM
806 Views
imx8mp_developer
Contributor I

I am planning to implement a secure storage on imx93 with Yocto, I followed this post and it's clear how to implement it, but two things are not clear:
- is Hardware Unique Key (HUK) already present into TEE? So I should do nothing for this

- if I don't need to add any TA I still need to modify the default_ta.pem? Is there any guide for this? (Key generation + replace in yocto)


I assume there isn't any way to extract the HUK so I expect that the data cannot be decripted on another hardware (embededd or laptop) not even for debug purpose, right?

0 Kudos
Reply

Jump to solution
‎02-09-2021 03:38 PM
4,929 Views
antonio_santagi
Contributor IV

Yes, that's correct @IvanRuiz .

Only problem is that we build also imx-optee-test recipe and this requires optee-os and it tries to get the private key from the optee-os build folder. 

Anyway now I found that the private key is stripped out from the keypair before embedding into the tee image, it's done by this script : 

pem_to_pub_c.py

it generates a c file with information only about the public key extracted from the keypair.

that is what goes then in the tee.bin file.

We anyway will not commit the private key to the repository with the sources, as per your documentation. 

0 Kudos
Reply

Jump to solution
‎02-09-2021 11:13 AM
4,938 Views
IvanRuiz
NXP Employee
NXP Employee

Hello,

 

For security reasons it is not recommended to keep any private keys in keys/default_ta.pem and the recommendation according to documentation is to use the generated public key only since that will only be used for the encryption and the private key shall be stored preferably in an HSM. The TAs are signed using the sign_encrypt.py from OP-TEE as mentioned in the documentation.

 

Hope it helps!

 

BR,

Ivan.

Reply
%3CLINGO-SUB%20id%3D%22lingo-sub-1228041%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3EOP-TEE%20key%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1228041%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EI%20am%20using%20Yocto%20BSP%20for%20iMX8M%20mini.%20Not%20sure%20if%20this%20is%20the%20right%20place%20where%20to%20ask%20this%20question%2C%20in%20case%20not%20please%20let%20me%20know.%3C%2FP%3E%3CP%3EAt%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsource.codeaurora.org%2Fexternal%2Fimx%2Fimx-optee-os%2Ftree%2Fdocumentation%2Fporting_guidelines.md%3Fh%3Dimx_4.19.35_1.1.0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fsource.codeaurora.org%2Fexternal%2Fimx%2Fimx-optee-os%2Ftree%2Fdocumentation%2Fporting_guidelines.md%3Fh%3Dimx_4.19.35_1.1.0%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20read%20that%26nbsp%3B%3C%2FP%3E%3CBR%20%2F%3E%3CPRE%3E%3CSPAN%20class%3D%22gu%22%3E%23%23%3C%2FSPAN%3E%209.%20Trusted%20Application%20private%2Fpublic%20keypair%0ABy%20default%20all%20Trusted%20Applications%20(TA's)%20are%20signed%20with%20the%20pre-generated%0A2048-bit%20RSA%20development%20key%20(private%20key).%20This%20key%20is%20located%20in%20the%20%3CSPAN%20class%3D%22sb%22%3E%60keys%60%3C%2FSPAN%3E%0Afolder%20(in%20the%20root%20of%20optee_os.git)%20and%20is%20named%20%3CSPAN%20class%3D%22sb%22%3E%60default_ta.pem%60%3C%2FSPAN%3E.%20This%20key%0A%3CSPAN%20class%3D%22gs%22%3E**must**%20be%20replaced%20with%20your%20own%20key%20and%20you%20should%20**never%20ever**%3C%2FSPAN%3E%20check-in%0Athis%20private%20key%20in%20the%20source%20code%20tree%20when%20in%20use%20in%20a%20real%20product.%26nbsp%3B%26nbsp%3B%3C%2FPRE%3E%3CP%3Eand%20also%20at%20%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Foptee.readthedocs.io%2Fen%2Flatest%2Fbuilding%2Ftrusted_applications.html%23signing-of-tas%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Foptee.readthedocs.io%2Fen%2Flatest%2Fbuilding%2Ftrusted_applications.html%23signing-of-tas%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22admonition%20warning%22%3E%3CP%20class%3D%22first%20admonition-title%22%3EWarning%3C%2FP%3E%3CP%20class%3D%22last%22%3E%3CEM%3E%3CA%20href%3D%22https%3A%2F%2Foptee.readthedocs.io%2Fen%2Flatest%2Fbuilding%2Fgits%2Foptee_os.html%23optee-os%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20class%3D%22std%20std-ref%22%3E%22optee_os%3C%2FSPAN%3E%3C%2FA%3E%26nbsp%3Bcomes%20with%20a%20default%26nbsp%3B%3CSTRONG%3Eprivate%3C%2FSTRONG%3E%26nbsp%3Bkey%20in%20its%20source%20to%20facilitate%20easy%20development%2C%20testing%2C%20debugging%20and%20QA.%20Never%20deploy%20an%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Foptee.readthedocs.io%2Fen%2Flatest%2Fbuilding%2Fgits%2Foptee_os.html%23optee-os%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20class%3D%22std%20std-ref%22%3Eoptee_os%3C%2FSPAN%3E%3C%2FA%3E%26nbsp%3Bbinary%20with%20this%20key%20in%20production.%20Instead%20%3CSTRONG%3Ereplace%20this%20key%20as%20soon%20as%20possible%20with%20a%20public%20key%20and%20keep%20the%20private%20part%20of%20the%20key%20offline%3C%2FSTRONG%3E%2C%20preferably%20on%20an%20HSM.%22%3C%2FEM%3E%3C%2FP%3E%3CP%20class%3D%22last%22%3E%26nbsp%3B%3C%2FP%3E%3C%2FDIV%3E%3CP%3ERight%2C%20then%20I%20generated%20a%20new%20keypair%20and%20extracted%20the%20public%20key.%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20then%20put%20the%20extracted%20public%20key%20in%20the%20keys%20folder%20renaming%20it%20to%20default_ta.pem%2C%20overwriting%20the%20original%20default_ta.pem.%3C%2FP%3E%3CP%3EThis%20means%20that%20there%20is%20only%20a%20public%20key%20now%20in%20default_ta.pem.%3C%2FP%3E%3CP%3ENow%2C%20optee-os-imx%20builds%20correctly%20but%20optee-test-imx%20raises%20error%2C%20this%20is%20understandable%20because%20it's%20a%20trusted%20app%20and%20therefore%20it%20needs%20the%20private%20key%20to%20be%20signed%20with.%3C%2FP%3E%3CP%3ESo%2C%20my%20question%20is%2C%20if%20I%20replace%20the%20default_ta.pem%20with%20another%20KEYPAIR%20.pem%20file%20that%20I%20generated%2C%20is%20this%20secure%20%3F%20optee-os-imx%20and%20optee-test-imx%20will%20build%20correctly%20but%20does%20the%20private%20key%20part%20of%20the%20key%20pair%20gets%20stripped%20from%20the%20optee-os%20binary%20file%20%3F%20or%20does%20the%20default_ta.pem%20keypair%20gets%20embedded%20completely%20in%20the%20image%20%3F%3C%2FP%3E%3CP%3EIn%20this%20last%20case%20this%20would%20clash%20a%20bit%20with%20the%20instructions%20that%20suggest%20to%20not%20put%20any%20private%20key%20in%20the%20sources%20being%20built.%3C%2FP%3E%3CP%3ECan%20you%20point%20to%20the%20script%20that%20handles%20this%20part%20%3F%3C%2FP%3E%3CP%3Ethank%20you!%3C%2FP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1229031%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20OP-TEE%20key%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1229031%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EYes%2C%20that's%20correct%20%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F166773%22%20target%3D%22_blank%22%3E%40IvanRuiz%3C%2FA%3E%26nbsp%3B.%3C%2FP%3E%3CP%3EOnly%20problem%20is%20that%20we%20build%20also%20imx-optee-test%20recipe%20and%20this%20requires%20optee-os%20and%20it%20tries%20to%20get%20the%20private%20key%20from%20the%20optee-os%20build%20folder.%26nbsp%3B%3C%2FP%3E%3CP%3EAnyway%20now%20I%20found%20that%20the%20private%20key%20is%20stripped%20out%20from%20the%20keypair%20before%20embedding%20into%20the%20tee%20image%2C%20it's%20done%20by%20this%20script%20%3A%26nbsp%3B%3C%2FP%3E%3CP%3Epem_to_pub_c.py%3C%2FP%3E%3CP%3Eit%20generates%20a%20c%20file%20with%20information%20only%20about%20the%20public%20key%20extracted%20from%20the%20keypair.%3C%2FP%3E%3CP%3Ethat%20is%20what%20goes%20then%20in%20the%20tee.bin%20file.%3C%2FP%3E%3CP%3EWe%20anyway%20will%20not%20commit%20the%20private%20key%20to%20the%20repository%20with%20the%20sources%2C%20as%20per%20your%20documentation.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1228938%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20OP-TEE%20key%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1228938%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%2C%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3EFor%20security%20reasons%20it%20is%20not%20recommended%20to%20keep%20any%20private%20keys%20in%26nbsp%3B%3CSTRONG%3Ekeys%2Fdefault_ta.pem%3C%2FSTRONG%3E%20and%20the%20recommendation%20according%20to%20documentation%20is%20to%20use%20the%20generated%20public%20key%20only%20since%20that%20will%20only%20be%20used%20for%20the%20encryption%20and%20the%20private%20key%20shall%20be%20stored%20preferably%20in%20an%20HSM.%20The%20TAs%20are%20signed%20using%20the%26nbsp%3B%3CSPAN%3E%3CSTRONG%3Esign_encrypt.py%3C%2FSTRONG%3E%20from%20OP-TEE%20as%20mentioned%20in%20the%20documentation.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3E%3CSPAN%3EHope%20it%20helps!%3C%2FSPAN%3E%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3E%3CSPAN%3EBR%2C%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIvan.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E