| Jamie Fox | 9331960 | 2019-06-07 18:12:15 +0100 | [diff] [blame] | 1 | ===================================== |
| 2 | Secure Storage service key management |
| 3 | ===================================== |
| 4 | |
| 5 | :Author: Jamie Fox |
| 6 | :Organization: Arm Limited |
| 7 | :Contact: Jamie Fox <jamie.fox@arm.com> |
| 8 | :Status: Detailed |
| 9 | |
| 10 | Background |
| 11 | ========== |
| 12 | The PSA Protected Storage API requires confidentiality for external storage to |
| 13 | be provided by: |
| 14 | |
| 15 | **cryptographic ciphers using device-bound keys**, a tamper resistant |
| 16 | enclosure, or an inaccessible deployment location, depending on the threat |
| 17 | model of the deployed system. |
| 18 | |
| 19 | A TBSA-M-compliant device must embed a Hardware Unique Key (HUK), which provides |
| 20 | the root of trust (RoT) for confidentiality in the system. It must have at least |
| 21 | 128 bits of entropy (and a 128 bit data size), and be accessible only to Trusted |
| 22 | code or Trusted hardware that acts on behalf of Trusted code. [TBSA-M]_ |
| 23 | |
| 24 | In the current implementation, the Secure Storage (SST) service reads the HUK |
| 25 | directly and imports it into the Crypto partition for further use. This has |
| 26 | multiple drawbacks: |
| 27 | |
| 28 | - If there were a flaw in SST that allowed an attacker to obtain its key, then |
| 29 | the HUK would be exposed, and so the attacker would be able to decrypt not |
| 30 | just secure storage but also anything else encrypted with the HUK or a key |
| 31 | derived from the HUK. |
| 32 | - Using the same key for two or more different cryptographic algorithms may |
| 33 | reduce the security provided by one or more of them. |
| 34 | - It is not possible to re-key if the HUK is used directly, for example in the |
| 35 | case of a lost key. |
| 36 | - It is incompatible with devices where the HUK is in an enclave and cannot be |
| 37 | read directly. |
| 38 | |
| 39 | Proposal |
| 40 | ======== |
| 41 | Each time the system boots, SST will request that the Crypto service uses a key |
| 42 | derivation function (KDF) to derive a storage key from the HUK. The storage key |
| 43 | could be kept in on-chip volatile memory private to the Crypto partition, or it |
| 44 | could remain inside a secure element. Either way it will not be returned to SST. |
| 45 | |
| 46 | For each call to the PSA Protected Storage APIs, SST will make requests to the |
| 47 | Crypto service to perform AEAD encryption and/or decryption operations using the |
| 48 | storage key (providing a fresh nonce for each encryption). |
| 49 | |
| 50 | At no point will SST access the key material itself, only referring to the HUK |
| 51 | and storage key by their handles in the Crypto service. |
| 52 | |
| 53 | Key derivation |
| 54 | ============== |
| 55 | SST will make key derivation requests to the Crypto service with calls to the |
| 56 | PSA Crypto APIs. In order to derive the storage key, the following calls will be |
| 57 | made:: |
| 58 | |
| 59 | /* Open a handle to the HUK */ |
| 60 | psa_open_key(PSA_KEY_LIFETIME_PERSISTENT, |
| 61 | TFM_CRYPTO_KEY_ID_HUK, |
| 62 | &huk_key_handle) |
| 63 | |
| 64 | /* Set up a key derivation operation with the HUK as the input key */ |
| 65 | psa_key_derivation(&sst_key_generator, |
| 66 | huk_key_handle, |
| 67 | TFM_CRYPTO_ALG_HUK_DERIVATION, |
| 68 | SST_KEY_SALT, SST_KEY_SALT_LEN_BYTES, |
| 69 | SST_KEY_LABEL, SST_KEY_LABEL_LEN_BYTES, |
| 70 | SST_KEY_LEN_BYTES) |
| 71 | |
| 72 | /* Create the storage key from the key generator */ |
| 73 | psa_generator_import_key(sst_key_handle, |
| 74 | SST_KEY_TYPE, |
| 75 | PSA_BYTES_TO_BITS(SST_KEY_LEN_BYTES), |
| 76 | &sst_key_generator) |
| 77 | |
| 78 | .. note:: ``TFM_CRYPTO_KEY_ID_HUK`` is a PSA Crypto key ID that is assumed in |
| 79 | this design to identify the hardware unique key. |
| 80 | |
| 81 | ``sst_key_handle`` is a PSA Crypto key handle to a volatile key, set |
| 82 | up in the normal way. After the call to ``psa_generator_import_key``, |
| 83 | it contains the storage key. |
| 84 | |
| 85 | ``SST_KEY_SALT`` can be ``NULL``, as it is only used in the 'extract' |
| 86 | step of HKDF, which is redundant when the input key material is a |
| 87 | cryptographically strong key. [RFC5869]_ It must be constant so that |
| 88 | the same key can be derived each boot, to decrypt previously-stored |
| 89 | data. |
| 90 | |
| 91 | ``SST_KEY_LABEL`` can be any string that is independent of the input |
| 92 | key material and different to the label used in any other derivation |
| 93 | from the same input key. It prevents two different contexts from |
| 94 | deriving the same output key from the same input key. |
| 95 | |
| 96 | In the call to ``psa_key_derivation()``, ``TFM_CRYPTO_ALG_HUK_DERIVATION`` is |
| 97 | supplied as the key derivation algorithm argument. This indicates that the key |
| 98 | derivation should be done from the HUK, and allows it to be implemented in a |
| 99 | platform-defined way (e.g. using a crypto accelerator). The system integrator |
| 100 | should choose the most optimal algorithm for the platform, or fall back to the |
| 101 | software implementation if none is available. |
| 102 | |
| 103 | When implemented in software, the key derivation function used by the crypto |
| 104 | service to derive the storage key will be HKDF, with SHA-256 as the underlying |
| 105 | hash function. HKDF is suitable because: |
| 106 | |
| 107 | - It is simple and efficient, requiring only two HMAC operations when the length |
| 108 | of the output key material is less than or equal to the hash length (as is the |
| 109 | case here). |
| 110 | - The trade-off is that HKDF is only suitable when the input key material has at |
| 111 | least as much entropy as required for the output key material. But this is the |
| 112 | case here, as the HUK has 128 bits of entropy, the same as required by SST. |
| 113 | - HKDF is standardised in RFC 5869 [RFC5869]_ and its security has been formally |
| 114 | analysed. [HKDF]_ |
| 115 | - It is supported by the TF-M Crypto service. |
| 116 | |
| 117 | The choice of underlying hash function is fairly straightforward: it needs to be |
| 118 | a modern standardised algorithm, considered to be secure and supported by TF-M |
| 119 | Crypto. This narrows it down to just the SHA-2 family. Of the hash functions in |
| 120 | the family, SHA-256 is the simplest and provides more than enough output length. |
| 121 | |
| 122 | Keeping the storage key private to SST |
| 123 | -------------------------------------- |
| 124 | The salt and label fields are not generally secret, so an Application RoT |
| 125 | service could request the Crypto service to derive the same storage key from the |
| 126 | HUK, which violates isolation between Application RoT partitions to some extent. |
| 127 | This could be fixed in a number of ways: |
| 128 | |
| 129 | - Only PSA RoT partitions can request Crypto to derive keys from the HUK. |
| 130 | |
| 131 | - But then either SST has to be in the PSA RoT or request a service in the PSA |
| 132 | RoT to do the derivation on its behalf. |
| 133 | |
| 134 | - SST has a secret (pseudo)random salt, accessible only to it, that it uses to |
| 135 | derive the storage key. |
| 136 | |
| 137 | - Where would this salt be stored? It cannot be generated fresh each boot |
| 138 | because the storage key must stay the same across reboots. |
| 139 | |
| 140 | - The Crypto service appends the partition ID to the label, so that no two |
| 141 | partitions can derive the same key. |
| 142 | |
| 143 | - Still need to make sure only PSA RoT partitions can directly access the HUK |
| 144 | or Secure Enclave. The label is not secret, so any actor that can access the |
| 145 | HUK could simply perform the derivation itself, rather than making a request |
| 146 | to the Crypto service. |
| 147 | |
| 148 | The third option would solve the issue with the fewest drawbacks, so this option |
| 149 | is the one that is proposed. |
| 150 | |
| 151 | Key use |
| 152 | ======= |
| 153 | To encrypt and decrypt data, SST will call the PSA Crypto AEAD APIs in the same |
| 154 | way as the current implementation, but ``sst_key_handle`` will refer to the |
| 155 | storage key, rather than the imported HUK. For each encryption operation, the |
| 156 | following call is made (and analogously for decryption):: |
| 157 | |
| 158 | psa_aead_encrypt(sst_key_handle, SST_CRYPTO_ALG, |
| 159 | crypto->ref.iv, SST_IV_LEN_BYTES, |
| 160 | add, add_len, |
| 161 | in, in_len, |
| 162 | out, out_size, out_len) |
| 163 | |
| 164 | Future changes |
| 165 | ============== |
| 166 | In the future, the client's partition ID and the asset's UID could be used to |
| 167 | derive a key that is unique to that asset, each time the Protected Storage APIs |
| 168 | are called (*key diversification*). To achieve this, the key derivation must use |
| 169 | a ``label`` parameter that is unique to each client ID, UID pair. |
| 170 | |
| 171 | References |
| 172 | ========== |
| 173 | .. [TBSA-M] Arm Platform Security Architecture Trusted Base System Architecture |
| 174 | for Armv6-M, Armv7-M and Armv8-M, version 1.0 |
| 175 | .. [HKDF] Hugo Krawczyk. 2010. Cryptographic extraction and key derivation: the |
| 176 | HKDF scheme. In Proceedings of the 30th annual conference on Advances in |
| 177 | cryptology (CRYPTO'10) |
| 178 | .. [RFC5869] IETF RFC 5869: HMAC-based Extract-and-Expand Key Derivation |
| 179 | Function (HKDF) |
| 180 | |
| 181 | -------------- |
| 182 | |
| 183 | *Copyright (c) 2019, Arm Limited. All rights reserved.* |