生活随笔
收集整理的這篇文章主要介紹了
[optee]-TA的签名和验签
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
TA簽名驗簽
★★★ 友情鏈接 : 個人博客導讀首頁—點擊此處 ★★★
1、TA的簽名
在optee或sdk的目錄下,有一個default_ta.pem(RSA2048 priv key)和sign.py簽名腳本. 在編譯TA結束后,會使用這個腳本和key對TA進行簽名…
- export-ta_arm64/keys/default_ta.pem
- export-ta_arm64/scripts/sign.py
在編譯TA時,會調用到TA中的link.mk, 在該文件文件中可以看到rsakey和簽名腳本sign.py的引用和makefile的依賴關系.
- xxx.elf 是編譯后的二進制文件
- xxx.dump 是dump文件
- xxx.stripped.elf 是刪除符號表的二進制文件
- xxxx.ta 是簽名后的文件
(export
-ta_arm64
/mk
/link
.mk_SIGN
= $
(TA_DEV_KIT_DIR
)/scripts
/sign
.py
TA_SIGN_KEY
?= $
(TA_DEV_KIT_DIR
)/keys
/default_ta
.pem
......
$
(link
-script
-pp
): $
(link
-script
) $
(MAKEFILE_LIST
)@$
(cmd
-echo
-silent
) ' CPP $@'$
(q
)mkdir
-p $
(dir $@
)$
(q
)$
(CPP$
(sm
)) -Wp
,-P
,-MT
,$@
,-MD
,$
(link
-script
-dep
) \$
(link
-script
-cppflags
-$
(sm
)) $
< > $@$
(link
-out
-dir
)/$
(binary
).elf
: $
(objs
) $
(libdeps
) $
(link
-script
-pp
)@$
(cmd
-echo
-silent
) ' LD $@'$
(q
)$
(LD$
(sm
)) $
(ldargs
-$
(binary
).elf
) -o $@$
(link
-out
-dir
)/$
(binary
).dmp
: $
(link
-out
-dir
)/$
(binary
).elf@$
(cmd
-echo
-silent
) ' OBJDUMP $@'$
(q
)$
(OBJDUMP$
(sm
)) -l
-x
-d $
< > $@$
(link
-out
-dir
)/$
(binary
).stripped
.elf
: $
(link
-out
-dir
)/$
(binary
).elf@$
(cmd
-echo
-silent
) ' OBJCOPY $@'$
(q
)$
(OBJCOPY$
(sm
)) --strip
-unneeded $
< $@$
(link
-out
-dir
)/$
(binary
).ta
: $
(link
-out
-dir
)/$
(binary
).stripped
.elf \$
(TA_SIGN_KEY
)@echo
' SIGN $@'$
(q
)$
(SIGN
) --key $
(TA_SIGN_KEY
) --uuid $
(binary
) --version
0 \
2、TA的驗簽
在編譯optee_os時,pem_to_pub_c.py腳本中將default_ta.pem中解析出der格式rsa_pub公鑰,放到了ta_pub_key.c文件的ta_pub_key_modulus數組中
(optee_os
/core
/sub
.mk)
ifeq ($
(CFG_WITH_USER_TA
),y
)
gensrcs
-y
+= ta_pub_key
produce
-ta_pub_key
= ta_pub_key
.c
depends
-ta_pub_key
= $
(TA_SIGN_KEY
) scripts
/pem_to_pub_c
.py
recipe
-ta_pub_key
= scripts
/pem_to_pub_c
.py
--prefix ta_pub_key \
--key $
(TA_SIGN_KEY
) --out $
(sub
-dir
-out
)/ta_pub_key
.c
cleanfiles
+= $
(sub
-dir
-out
)/ta_pub_key
.c
endif
ta_pub_key.c文件是生成在out目錄的,編譯的時候會引用到.
cat ./optee_os/out/arm-plat-xxxx/core/ta_pub_key.c
#include <stdint.h>
#include <stddef.h>const uint32_t ta_pub_key_exponent
= 65537;const uint8_t ta_pub_key_modulus
[] = {
0xa6, 0x5a, 0x18, 0xad, 0xc0, 0xb3, 0xce, 0xe3,
0x0c, 0x90, 0x2b, 0x7d, 0x40, 0x9b, 0xac, 0xbb,
0x5a, 0x49, 0x88, 0x42, 0x0a, 0xb1, 0xe0, 0x92,
0xc0, 0x86, 0x91, 0xe6, 0x9e, 0xef, 0xa0, 0xe1,
0xf1, 0x2f, 0x90, 0xf6, 0x66, 0xdd, 0xea, 0x15,
0x5a, 0xc0, 0x28, 0xb4, 0x9d, 0xdf, 0x52, 0x0c,
0x6e, 0xa5, 0xc6, 0x19, 0x43, 0xac, 0x69, 0xa8,
0xf2, 0x5f, 0xfe, 0x60, 0x00, 0xa5, 0xd2, 0x3a,
0xcc, 0x12, 0x01, 0xf3, 0x5b, 0xba, 0x0c, 0x51,
0x1c, 0x2c, 0xf4, 0xb0, 0x77, 0xb9, 0xd6, 0x72,
0x35, 0x1c, 0x0f, 0x73, 0xcd, 0x2f, 0x16, 0xf9,
0xba, 0x89, 0x84, 0xa0, 0x9b, 0xbf, 0x8b, 0x5b,
0x7f, 0xe8, 0x8b, 0x8b, 0x9f, 0xc8, 0x71, 0xea,
0x1c, 0x6c, 0x1f, 0x00, 0xa0, 0xee, 0xca, 0x3e,
0xbf, 0x18, 0x8e, 0x57, 0x9b, 0x48, 0x66, 0xeb,
0x8b, 0xd4, 0x40, 0x51, 0xae, 0x86, 0xa1, 0x86,
0xf8, 0xd0, 0x0b, 0xfa, 0xb6, 0x2e, 0x25, 0x2e,
0x05, 0xff, 0x76, 0x01, 0x46, 0xd7, 0x3d, 0xeb,
0x1f, 0x7c, 0xfc, 0xdf, 0x1e, 0x82, 0x8b, 0x5e,
0xb0, 0xca, 0xa3, 0xea, 0x16, 0xbe, 0x2d, 0x6e,
0x54, 0x50, 0x9c, 0xb8, 0x41, 0xef, 0x17, 0xc7,
0x7f, 0x60, 0x54, 0xaa, 0xf9, 0x70, 0xa0, 0xf8,
0x98, 0x2e, 0x82, 0xf9, 0x8c, 0x5f, 0xfb, 0x9c,
0x88, 0x8e, 0x77, 0xb0, 0x32, 0x72, 0x99, 0x1a,
0xe0, 0x04, 0x5e, 0xbf, 0x1d, 0xaa, 0xf7, 0xf0,
0x05, 0x3c, 0xb4, 0x95, 0xdd, 0x4d, 0xba, 0x3a,
0x71, 0xa1, 0xf8, 0x72, 0x8e, 0x1d, 0x98, 0xe3,
0x13, 0xba, 0xca, 0xb0, 0x27, 0xbf, 0x87, 0x59,
0x54, 0x27, 0xf8, 0xe8, 0xec, 0xc6, 0x85, 0x37,
0xd2, 0x3a, 0x95, 0xe4, 0xa5, 0x09, 0x9a, 0xd0,
0x1f, 0xa3, 0x86, 0xb0, 0x92, 0xd8, 0x02, 0x1e,
0x33, 0x75, 0xdb, 0x26, 0xbf, 0x27, 0xfc, 0x35,
};
const size_t ta_pub_key_modulus_size
= sizeof(ta_pub_key_modulus
);
在open_ta時,會調用到shdr_verify_signature對TA進行驗簽。我們可以看到在crypto_bignum_bin2bn(ta_pub_key_modulus, ta_pub_key_modulus_size,
key.n)中讀取了公鑰數組,然后調用rsa_verify
TEE_Result
shdr_verify_signature(const struct shdr *shdr
)
{struct rsa_public_key key
;TEE_Result res
;uint32_t e
= TEE_U32_TO_BIG_ENDIAN(ta_pub_key_exponent
);size_t hash_size
;if (shdr
->magic
!= SHDR_MAGIC
)return TEE_ERROR_SECURITY
;if (TEE_ALG_GET_MAIN_ALG(shdr
->algo
) != TEE_MAIN_ALGO_RSA
)return TEE_ERROR_SECURITY
;res
= tee_hash_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(shdr
->algo
),&hash_size
);if (res
)return TEE_ERROR_SECURITY
;if (hash_size
!= shdr
->hash_size
)return TEE_ERROR_SECURITY
;res
= crypto_acipher_alloc_rsa_public_key(&key
, shdr
->sig_size
);if (res
)return TEE_ERROR_SECURITY
;res
= crypto_bignum_bin2bn((uint8_t *)&e
, sizeof(e
), key
.e
);if (res
)goto out
;res
= crypto_bignum_bin2bn(ta_pub_key_modulus
, ta_pub_key_modulus_size
,key
.n
);if (res
)goto out
;res
= crypto_acipher_rsassa_verify(shdr
->algo
, &key
, -1,SHDR_GET_HASH(shdr
), shdr
->hash_size
,SHDR_GET_SIG(shdr
), shdr
->sig_size
);
out
:crypto_acipher_free_rsa_public_key(&key
);if (res
)return TEE_ERROR_SECURITY
;return TEE_SUCCESS
;
}
總結
以上是生活随笔為你收集整理的[optee]-TA的签名和验签的全部內容,希望文章能夠幫你解決所遇到的問題。
如果覺得生活随笔網站內容還不錯,歡迎將生活随笔推薦給好友。
