dmcilvaney / optee_os
This project forked from ms-iot/optee_os
License: Other
Hey everyone,
Sorry for the long post (I've tried to keep it interesting).
Feel free to comment/ask questions about anything here (some specific questions at the bottom).
I've been going through the process of updating our OP-TEE to 3.6.0 in preparation for some pull requests with features we have been working on. While I'm working on them, I figured I would touch base and get some feedback before polishing everything up.
This is sort of a RFC, but mostly I want to start a bit of dialogue with you and some of our security experts.
We are currently implementing attestation (something I've seen a few questions about here before) and firmware resiliency. Specifically, allowing a TA to provide a certificate chain rooted all the way down to a hardware root of trust.
i.e. SoC/ROM <- SPL <- OP-TEE <- User TA
This work is in service of a Trusted Computing Group specification: Hardware Requirements for a Device Identifier Composition Engine
See also: Cyber Resilient Technologies group
Obviously knowing if a device has been compromised with unknown firmware is very useful. If there is malicious firmware on the device the certificates will not match any known good versions and external systems can refuse to communicate with the TA.
A future feature we are very interested in: TA policy. In a large scale deployment of IoT devices it is important to have control of which TAs are allowed to run on a given device:
The computer controlling a robot arm should only run the robot arm TA, nothing else... but the factory has hundreds of identical devices. Safety critical systems should be locked down to only expected TAs, even if they all have the same owning entity as other devices on site.
The policy can also be included in the attestation, allowing the device to attest to its own current policy.
The certificate chains can be used to setup secure communication channels with external devices or the cloud.
The 30,000-foot view of the process is:
Note: Each loading stage is secured either with NXP's HAB, or a signing mechanism built into the previous firmware.

SPL Runs
- ROM code loads an immutable boot loader (currently SPL, would be nice to offload some of this in the future so we can patch SPL as well)
- SPL acquires a secure, unique HW ID (We are working on NXP devices with a CAAM, so the OTPMK is our choice).
- SPL hides that ID, obscuring it from all future firmware (requires hardware support)
- SPL generates an identity based on this ID + the measurement of itself: --> Compound Device ID (CDI)
- SPL generates a key pair based on the CDI: --> SPLPub/Pri
- SPL starts a certificate chain somewhere in memory and signs its own certificate with SPLPri

OP-TEE Loading
- SPL verifies and loads the OP-TEE binary, measuring it as it does so.
- SPL creates a certificate describing the OP-TEE binary and signs it with SPLPri
- SPL takes its private identity (CDI), and hashes it together with the OP-TEE measurement. It then generates a new key-pair for OP-TEE: --> OP-TEEPub/Pri
- SPL destroys the CDI and SPLPri
- SPL boots OP-TEE, passing OP-TEEPub/Pri in a secure manner (Would like some feedback here, see below)

OP-TEE Runs
- OP-TEE now has its own key-pair OP-TEEPub/Pri. Each time a TA is loaded a hash is generated by hashing the TA binary and each of its dependencies.

For production devices the root of the certificate chain needs to be recorded by a trustworthy entity in a secure environment (i.e. manufacturer like NXP), and then cross-signed. This allows a 3rd party to determine if a certificate chain is valid or not.
- Trusted Cyber-Physical Systems (TCPS) - High level goals
- Cyber Resilient Platforms/Systems (CyReP/CyRes) - See especially "Device Identity with DICE and RIoT" for technical details on identity derivation etc.
- NIST 800-193 - Guidelines we are trying to meet for resiliency
Our initial implementation was based on 3.4.0, and there have been some significant updates to the TA loading processes since then. As I had to re-work the flow a bit, I figured now was a good time to get some input.
I put together a commit with just the measurement portion here: 6d5168a
Currently it only targets user TAs loaded from the REE FS since that was our primary use case. I had to re-work it to mesh with the new ldelf changes, but it looks like it's running fine with QEMU for both buffered and normal loads now.
@jforissier
I noticed OP-TEE/optee_os#3181 is in the works, I think ideally we would like the fingerprint of the TA to include any shared libraries it's using. Do you see any issues with that?

We also have a certificate chain management PTA which is responsible for consuming the measurements and providing the attestation information when requested. You can see the old 3.4.0 version here: https://github.com/ms-iot/optee_os/blob/ms-iot-security/core/arch/arm/pta/pta_cyres.c It requires an external dependency (RIoT identity derivation and crypto package) and I'm not sure how well received that would be. I haven't gone through to clean it up yet, but I can try and answer any questions about it.
We have some additional RPC features, but I'll leave that for another day.