I created a trusted application using optee_examples and added my application there in the same way. I tested it using the qemu emulator and it works as expected. If I understand correctly, the optee_examples refer to user-mode trusted applications. I read in the documentation that "they consist of an ELF file, signed and optionally encrypted, named from the UUID of the TA and the suffix .ta."
For possible deployment, I want to protect my algorithms inside the TEE since they are intellectual property, so I would like to use the optional encryption. Is there any documentation on how this can be done? Is it correct that the .ta file would then reside in an encrypted form in the REE and would only be decrypted and executed in the TEE if I use scripts/sign_encrypt.py properly? Is there anything to be changed in the trusted application such that I can use that encryption?
Any help would be appreciated and if I have mistakes in my understanding, please point them out.
Thank you very much.
TA encryption uses the --enc-key argument to sign_encrypt.py. The key is derived from the Hardware Unique Key. To try this out with the default key, just rebuild your TA with CFG_ENCRYPT_TA=y.
You may then customize the key by doing the following:
Change the HUK (hardware unique key) in tee_otp_get_hw_unique_key() in core/kernel/otp_stubs.c (if that file applies to your platform, i.e., you don't have a true HUK)
Print out the content of subkey_bbuf in system_derive_ta_unique_key(). You may use the DHEXDUMP() macro for instance with TEE_CORE_LOG_LEVEL=3 (DEBUG). The value in subkey_bbuf is what you should set in TA_ENC_KEY when rebuilding the TA (make CFG_ENCRYPT_TA=y TA_ENC_KEY=<hex_key>).
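As an added example (not part of the reply above and not an OP-TEE script), the following POSIX shell helper wraps the final rebuild step of the procedure: it reads the custom key from a file instead of taking it on the command line, checks that it is well-formed before passing it as TA_ENC_KEY, and composes the make invocation. It assumes the key is a 32-byte AES key written as 64 hex characters; the function names, the key-file convention and the /path/to/ta directory are constructed for this example.

```shell
#!/bin/sh
# Added example: validate a custom TA encryption key and build the make
# command for an encrypted TA. Assumption: TA_ENC_KEY is a 32-byte key
# given as 64 hex characters (a guess at what sign_encrypt.py accepts).

TA_ENC_KEY_HEX_LEN=64

# Return 0 if $1 is exactly 64 hex characters, 1 otherwise.
validate_ta_enc_key() {
    key=$1
    [ ${#key} -eq "$TA_ENC_KEY_HEX_LEN" ] || return 1
    case $key in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Read the hex key from a file ($1), stripping whitespace. Keeping the key in
# a 0600-mode file rather than on the command line keeps it out of shell
# history, process listings and CI logs.
read_ta_enc_key_file() {
    keyfile=$1
    [ -r "$keyfile" ] || return 1
    tr -d '[:space:]' < "$keyfile"
}

# Print (do not run) the make invocation for an encrypted TA build.
# $1 = TA source directory, $2 = hex key. Fails if the key is malformed.
encrypted_ta_make_cmd() {
    dir=$1
    key=$2
    validate_ta_enc_key "$key" || return 1
    printf 'make -C %s CFG_ENCRYPT_TA=y TA_ENC_KEY=%s\n' "$dir" "$key"
}

# Usage (constructed paths): TA_ENC_KEY_FILE=./ta_enc.key TA_DIR=/path/to/ta sh build_enc_ta.sh
if [ -n "${TA_ENC_KEY_FILE:-}" ] && [ -n "${TA_DIR:-}" ]; then
    key=$(read_ta_enc_key_file "$TA_ENC_KEY_FILE") || {
        echo "cannot read key file $TA_ENC_KEY_FILE" >&2
        exit 1
    }
    cmd=$(encrypted_ta_make_cmd "$TA_DIR" "$key") || {
        echo "TA_ENC_KEY must be $TA_ENC_KEY_HEX_LEN hex characters" >&2
        exit 1
    }
    echo "$cmd"
    eval "$cmd"
fi
```

The value written into the key file is the subkey_bbuf dump obtained in the step above; the helper only guards against a truncated or non-hex paste reaching the build, it does not change how the key is derived.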