From 715159e83b97e78a779bfeb38d634decd8e499fc Mon Sep 17 00:00:00 2001 From: Fredrik Thulin Date: Thu, 23 Jun 2016 16:41:38 +0200 Subject: Implement master key for wrapping keys in the keystore. The KEK (Key Encryption Key) is first fetched from the FPGA that gets it from the volatile Master Key Memory (that in theory has tamper*kek_len = len protection with wiping), and secondly from flash. The flash option is meant for development/evaluation use using an Alpha board where the Master Key Memory is not battery backed. For any serious use of an Alpha, an option is to enter the master key into the volatile MKM on each power-on as a way to unlock the keystore. --- ks_flash.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'ks_flash.c') diff --git a/ks_flash.c b/ks_flash.c index 09a9847..036e72e 100644 --- a/ks_flash.c +++ b/ks_flash.c @@ -40,6 +40,7 @@ #define HAL_OK CMIS_HAL_OK #include "stm-keystore.h" +#include "masterkey.h" #undef HAL_OK #include @@ -323,10 +324,16 @@ hal_error_t hal_ks_get_kek(uint8_t *kek, (kek_max < bitsToBytes(256)) ? bitsToBytes(192) : bitsToBytes(256)); - #warning Faking the Key Encryption Key - memset(kek, 4, len); + if (masterkey_volatile_read(kek, len) == HSM_MASTERKEY_SET) { + *kek_len = len; + return LIBHAL_OK; + } + if (masterkey_flash_read(kek, len) == HSM_MASTERKEY_SET) { + *kek_len = len; + return LIBHAL_OK; + } - return LIBHAL_OK; + return HAL_ERROR_KEYSTORE_ACCESS; } -- cgit v1.2.3