OP-TEE is a secure world OS implementation, that adheres to the GlobalPlatform specifications   and is maintained by Linaro.
Trusted Applications (TAs) could initially only be verified with a single public root key so all TAs deployed on a system had to be signed with the same private root key. With multiple vendors being involved in products and wanting to deploy their own TAs, having a single signer doesn’t scale well. In this blog, we will describe how subkeys can be used to address this problem.
A single root key versus a subkey hierarchy
Subkeys support was introduced in OP-TEE version 3.20.0 (released January 20th, 2023) to provide a public key hierarchy allowing different actors to sign different TAs without sharing a private key.
Figure 1: Signing TAs with a common root key
The private key of the root key is needed when signing TA8 in the example in Figure 1.
Problem: if the private key of the root key leaks any of the TAs can be updated by someone with access to that key.
Figure 2: Signing TAs with a subkey
Only the private key of the Group 4 subkey is needed when signing TA7 and TA8 in the example in Figure 2. The private keys of the root key and Company B subkey can be kept safe offline. If the private key of the Group 4 subkey leaks, only TAs signed with that subkey can be updated by someone with access to that key. Since only a smaller group of people need access to that key it will be easier to keep it safe compared to the example in Figure 1 where everyone who needs to update a TA must have access to the root key.
In this blog we did a quick overview of subkeys, in the coming part 2 we will do a deep dive into the details.
- Subscribe to the OP-TEE mailing list firstname.lastname@example.org
- Join the Linaro OP-TEE Contributions (LOC) monthly meeting or check out the project page Linaro’s OP-TEE Contributions - Confluence
- Visit the OP-TEE page at trusted firmware.
Thank you for reading this far. If you have any questions or thoughts feel free to create an issue at https://github.com/OP-TEE/optee_os/issues or to reach out on the mailing list. You’re also welcome to join the LOC meetings.