| Subkey |
| ====== |
| |
| A TA or a subkey can be signed with a subkey instead of the root key. Here |
| we're trying to describe the relationship between the different subkeys and |
| keys used for the subkey test TAs. |
| |
| We start with a two level subkey hierachy to be able to test more when the |
| subkey chain consist of more than a single subkey signed with the root key. |
| |
| The relationship of the different subkeys and TAs are as follows: |
| root_key |
| |-- identity_subkey2 |
| | `-- subkey2_ta |
| `-- top_level_subkey |
| `-- mid_level_subkey |
| `-- subkey1_ta |
| |
| The keys themselves where generated using: |
| |
| openssl genrsa -out top_level_subkey.pem |
| openssl genrsa -out mid_level_subkey.pem |
| openssl genrsa -out identity_subkey2.pem |
| |
| The top level subkey is signed with the root key using (where the UUID is |
| generated): |
| |
| ../../optee_os/scripts/sign_encrypt.py sign-subkey \ |
| --uuid f04fa996-148a-453c-b037-1dcfbad120a6 \ |
| --key ../../optee_os/keys/default_ta.pem --in top_level_subkey.pem \ |
| --out top_level_subkey.bin --max-depth 4 --name-size 64 \ |
| --subkey-version 1 |
| |
| The mid level subkey has to have a UUID in the namespace of the top level |
| level subkey. The UUID is determined as |
| UUIDv5_SHA512(f04fa996-148a-453c-b037-1dcfbad120a6, "mid_level_subkey") = |
| 1a5948c5-1aa0-518c-86f4-be6f6a057b16 |
| where UUIDv5_SHA512() denotes the UUIDv5 scheme with SHA512 used instead of |
| SHA1 and truncated to 20 bytes |
| |
| The sign script can do this with: |
| |
| ../../optee_os/scripts/sign_encrypt.py subkey-uuid --in top_level_subkey.bin \ |
| --name mid_level_subkey |
| Subkey UUID: f04fa996-148a-453c-b037-1dcfbad120a6 |
| Next subkey UUID: 1a5948c5-1aa0-518c-86f4-be6f6a057b16 |
| |
| The mid level subkey is signed using: |
| |
| ../../optee_os/scripts/sign_encrypt.py sign-subkey \ |
| --uuid 1a5948c5-1aa0-518c-86f4-be6f6a057b16 \ |
| --key top_level_subkey.pem --subkey top_level_subkey.bin \ |
| --name-size 64 --subkey-version 1 \ |
| --name mid_level_subkey \ |
| --in mid_level_subkey.pem --out mid_level_subkey.bin |
| |
| The UUID of subkey1 TA is calculated using: |
| |
| ../../optee_os/scripts/sign_encrypt.py subkey-uuid --in mid_level_subkey.bin \ |
| --name subkey1_ta |
| Subkey UUID: f04fa996-148a-453c-b037-1dcfbad120a6 |
| Subkey UUID: 1a5948c5-1aa0-518c-86f4-be6f6a057b16 |
| Next subkey UUID: 5c206987-16a3-59cc-ab0f-64b9cfc9e758 |
| |
| Subkey1 TA is signed as part of the build process. |
| |
| The identity_subkey2 subkey is signed using (where the UUID is generated): |
| |
| ../../optee_os/scripts/sign_encrypt.py sign-subkey \ |
| --uuid a720ccbb-51da-417d-b82e-e5445d474a7a \ |
| --key ../../optee_os/keys/default_ta.pem --in identity_subkey2.pem \ |
| --out identity_subkey2.bin --max-depth 0 --name-size 0 \ |
| --subkey-version 1 |