Due to limited efuse space, Tina supports the Keybox Secure Storage feature by default. This document describes how to customize and burn keyboxes, as well as read them.
1. Firmware Configuration
Prerequisite: Secure firmware is required. For secure firmware details, refer to 14-Secure Boot.
1.1 Customize Keybox List
U-Boot loads keys into Secure OS based on the keybox_list environment variable. Configure this variable in the env.cfg file using comma-separated key names.
Example: Add a custom key name xie:
--- a/device/config/chips/h618/configs/default/env.cfg
+++ b/device/config/chips/h618/configs/default/env.cfg
@@ -13,7 +13,7 @@ mac=
wifi_mac=
bt_mac=
specialstr=
-keybox_list=hdcpkey,widevine
+keybox_list=hdcpkey,widevine,xie
#set kernel cmdline if boot.img or recovery.img has no cmdline we will use this
setargs_nand=setenv bootargs earlyprintk=${earlyprintk} initcall_debug=${initcall_debug} console=${console} loglevel=${loglevel} root=${nand_root} init=${init} partitions=${partitions} cma=${cma} snum=${snum} mac_addr=${mac} wifi_mac=${wifi_mac} bt_mac=${bt_mac} selinux=${selinux} specialstr=${specialstr} gpt=1
setargs_mmc=setenv bootargs earlyprintk=${earlyprintk} initcall_debug=${initcall_debug} console=${console} loglevel=${loglevel} root=${mmc_root} rootwait init=${init} partitions=${partitions} cma=${cma} snum=${snum} mac_addr=${mac} wifi_mac=${wifi_mac} bt_mac=${bt_mac} selinux=${selinux} specialstr=${specialstr} gpt=1
1.2 Keybox Configuration Reading
Keybox reading uses Allwinner-provided APIs. Tina includes demo implementations for these APIs. Keybox access requires TA/CA interaction.
CA: A Linux user-space application dependent on optee-client libraries.
TA: A secure application compiled using TA dev-kit.
optee-efuse-read: Example for keybox reading.
optee-helloworld: Example to verify TA/CA environment.
Verify changes:
$ git diff target/allwinner/h618-p2/defconfig
diff --git a/target/allwinner/h618-p2/defconfig b/target/allwinner/h618-p2/defconfig
index c6c47b5f4..d3b2737eb 100755
--- a/target/allwinner/h618-p2/defconfig
+++ b/target/allwinner/h618-p2/defconfig
@@ -4232,10 +4232,10 @@ CONFIG_PACKAGE_wpa_supplicant_rtl=y
#
# CONFIG_PACKAGE_optee-aes-hmac is not set
# CONFIG_PACKAGE_optee-base64 is not set
-# CONFIG_PACKAGE_optee-client is not set
-# CONFIG_PACKAGE_optee-efuse-read is not set
-# CONFIG_PACKAGE_optee-helloworld is not set
-# CONFIG_PACKAGE_optee-os-dev-kit is not set
+CONFIG_PACKAGE_optee-client=y
+CONFIG_PACKAGE_optee-efuse-read=y
+CONFIG_PACKAGE_optee-helloworld=y
+CONFIG_PACKAGE_optee-os-dev-kit=y
# CONFIG_PACKAGE_optee-rotpk is not set
# CONFIG_PACKAGE_optee-secure-storage is not set
# CONFIG_PACKAGE_optee-test is not set
Add platform-specific dev-kit:
$ cd package/security/optee-os-dev-kit/dev_kit/
$ cp -rp arm-plat-sun50iw1p1 arm-plat-sun50iw9p1
1.2.2 Modifications for optee-efuse-read Demo
Add debug prints for keybox buffer:
--- a/package/security/optee-efuse-read/src/ta/efuse_read_demo_ta.c
+++ b/package/security/optee-efuse-read/src/ta/efuse_read_demo_ta.c
@@ -96,13 +96,16 @@ TEE_Result TA_InvokeCommandEntryPoint(void *pSessionContext,
memcpy(keyname,"testkey",sizeof("testkey"));
keyname[49]=0;
}
- i = utee_sunxi_keybox((const char*)keyname, rdbuf, 16);
+ printf("keyname: %s \n",keyname);
+ i = utee_sunxi_keybox((const char*)keyname, rdbuf, 128);
if (i != TEE_SUCCESS) {
printf("read key:%s from keybox failed with:%d\n",keyname,i);
return i;
} else {
- i = utee_sunxi_read_efuse("oem_secure", &rd_len,
- rdbuf + 16);
+ printf("keybox:\n");
+ dump(rdbuf, 128);
+ i = utee_sunxi_read_efuse("widevine", &rd_len,
+ rdbuf + 128);
if (i == TEE_SUCCESS) {
printf("read result:\n");
dump(rdbuf, rd_len + 16);
dump is a built-in hex print function.
128 corresponds to the key length.
