5.7.4. Using policies for secure objects¶
This demo demonstrates the use of policies for secure objects. Object policies such as can_Sign
or can_Encrypt
allow only the operations they explicitly grant; any operation whose policy is not granted is refused. Every object inside the secure element is linked to one authentication object, chosen according to the selected communication/authentication type. An object linked to one authentication object cannot be used from a session that was opened with a different authentication type.
The authentication object ID to be linked with the secure object is selected according to the configured authentication type:
/*
 * Select the authentication object that the demo's secure objects are bound to.
 * Each branch maps one SSS_HAVE_SE05X_AUTH_* build option to the matching
 * EX_SSS_AUTH_SE05X_*_AUTH_ID; the resulting object can only be used from a
 * session opened with that authentication type.
 */
#if (SSS_HAVE_SE05X_AUTH_USERID) || (SSS_HAVE_SE05X_AUTH_USERID_PLATFSCP03) //UserID Session
#define EX_LOCAL_OBJ_AUTH_ID EX_SSS_AUTH_SE05X_UserID_AUTH_ID
#elif (SSS_HAVE_SE05X_AUTH_NONE) || (SSS_HAVE_SE05X_AUTH_PLATFSCP03) //No auth
#define EX_LOCAL_OBJ_AUTH_ID EX_SSS_AUTH_SE05X_NONE_AUTH_ID
#elif (SSS_HAVE_SE05X_AUTH_AESKEY) || (SSS_HAVE_SE05X_AUTH_AESKEY_PLATFSCP03) //AESKey
#define EX_LOCAL_OBJ_AUTH_ID EX_SSS_AUTH_SE05X_APPLETSCP_AUTH_ID
#elif (SSS_HAVE_SE05X_AUTH_ECKEY) || (SSS_HAVE_SE05X_AUTH_ECKEY_PLATFSCP03) //ECKey session
#define EX_LOCAL_OBJ_AUTH_ID EX_SSS_AUTH_SE05X_ECKEY_ECDSA_AUTH_ID
#endif
/*
 * NOTE(review): there is no #else branch. If none of the SSS_HAVE_SE05X_AUTH_*
 * options is set, EX_LOCAL_OBJ_AUTH_ID is left undefined and the policy
 * initialisers below fail with an unrelated-looking error; an
 * `#else #error "no SE05x authentication type selected"` would make the
 * misconfiguration explicit.
 */
Note
Ensure that the authentication object ID used in the policy set matches the authentication type of the session; an object bound to a different authentication object is not usable from that session.
5.7.4.1. Sign Policy¶
Create a policy set using the authentication object ID
/*Logic to pass sign & verifypolicy*/
/* Demo knobs: the generated key may sign but may not verify. */
const int allow_sign = 1;
const int allow_verify = 0;
/* doc:start:allow-policy-sign-part1 */
/* Policies for key */
/*
 * Asymmetric-key policy bound to EX_LOCAL_OBJ_AUTH_ID. Only can_Verify is
 * withheld here; every other capability is granted.
 * NOTE(review): for a key that is meant to be a signing key only, a
 * least-privilege policy would also clear can_Encrypt/can_Decrypt/can_KD/
 * can_Wrap/can_Write/can_Read/can_Attest unless the application needs them
 * - confirm which of these the demo actually exercises.
 */
const sss_policy_u key_withPol = {
.type = KPolicy_Asym_Key,
/*Authentication object based on SE05X_AUTH*/
.auth_obj_id = EX_LOCAL_OBJ_AUTH_ID,
.policy = {
/*Asymmetric key policy*/
.asymmkey = {
/*Policy for sign*/
.can_Sign = allow_sign,
/*Policy for verify*/
.can_Verify = allow_verify,
/*Policy for encrypt*/
.can_Encrypt = 1,
/*Policy for decrypt*/
.can_Decrypt = 1,
/*Policy for Key Derivation*/
.can_KD = 1,
/*Policy for wrapped object*/
.can_Wrap = 1,
/*Policy to re-write object*/
.can_Write = 1,
/*Policy for reading object*/
.can_Read = 1,
/*Policy to use object for attestation*/
.can_Attest = 1,
}
}
};
/* Common rules */
/*
 * Common policy for the same authentication object.
 * NOTE(review): req_Sm = 0 means the object may be used without secure
 * messaging on the host<->SE link; set it to 1 if plaintext APDUs for this
 * key are not acceptable in the target deployment.
 */
const sss_policy_u common = {
.type = KPolicy_Common,
/*Authentication object based on SE05X_AUTH*/
.auth_obj_id = EX_LOCAL_OBJ_AUTH_ID,
.policy = {
.common = {
/*Secure Messaging*/
.req_Sm = 0,
/*Policy to Delete object*/
.can_Delete = 1,
/*Forbid all operations on object*/
.forbid_All = 0,
}
}
};
/* create policy set */
/* Policy set handed to key generation: the key policy plus the common rules. */
sss_policy_t policy_for_ec_key = {
.nPolicies = 2,
.policies = { &key_withPol, &common }
};
/* doc:end:allow-policy-sign-part1 */
/* Bind `object` to the key store; on failure jump to the shared cleanup label. */
status = sss_key_object_init(&object, &pCtx->ks);
if (status != kStatus_SSS_Success) {
LOG_E("sss_key_object_init Failed!!!");
goto exit;
}
/* Reserve a persistent NIST-P EC key pair handle at keyId. */
status = sss_key_object_allocate_handle(
&object, keyId, kSSS_KeyPart_Pair, kSSS_CipherType_EC_NIST_P, keylen, kKeyObject_Mode_Persistent);
if (status != kStatus_SSS_Success) {
LOG_E("key_object_allocate_handle Failed!!!");
goto exit;
}
/* doc:start:allow-policy-sign-part2 */
/*
 * Generate the key pair inside the SE with the policy set attached.
 * NOTE(review): `status` is not checked within this excerpt; the check is
 * expected to follow the doc:end marker, as for the two calls above.
 */
status = sss_key_store_generate_key(
&pCtx->ks,
&object,
ECC_KEY_BIT_LEN,
&policy_for_ec_key);
/* doc:end:allow-policy-sign-part2 */
5.7.4.2. Using PCR Object¶
A PCR is a special secure object that stores a 32-byte value. Attaching a PCR policy to a secure object ties that object to an expected PCR value, so the object can no longer be used once the PCR value is altered.
A PCR policy is assigned to a secure object as shown in the following sample code:
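/*
 * Expected PCR value the binary object is bound to. The value differs by
 * applet version, so it is selected at compile time.
 */
#if SSS_HAVE_SE05X_VER_GTE_06_00
uint8_t pcr_expected_value[] = { 0x87, 0xD3, 0xE3, 0x93, 0x19, 0x8F, 0x5C, 0x80, 0xE0, 0xBC, 0x9B, 0xC9, 0x82, 0x00, 0x1F, 0xB0, 0xEE, 0x20, 0x1C, 0x27, 0x0B, 0x6D, 0xC8, 0x84, 0x52, 0xE4, 0x13, 0xA3, 0x25, 0x56, 0x81, 0x75 };
#else
uint8_t pcr_expected_value[] = { 0x89, 0x51, 0x56, 0x9f, 0x41, 0x5f, 0xeb, 0x4f, 0xb6, 0x37, 0x02, 0x86, 0xe7, 0xdd, 0xa0, 0x99, 0x33, 0x6c, 0x46, 0x36, 0xbc, 0xbb, 0x4c, 0x11, 0x04, 0x10, 0x0a, 0x86, 0x0d, 0x0c, 0xa4, 0x14 };
#endif
size_t pcr_expected_value_size = sizeof(pcr_expected_value);
LOG_I("Setting PCR Expected value as:");
LOG_AU8_I(pcr_expected_value, pcr_expected_value_size);
/*
 * Common policy bound to TST_LOCAL_OBJ_AUTH_ID.
 * NOTE(review): req_Sm = 0 means the object may be used without secure
 * messaging on the host<->SE link; set it to 1 if that is not acceptable.
 */
const sss_policy_u common = {
.type = KPolicy_Common,
.auth_obj_id = TST_LOCAL_OBJ_AUTH_ID,
.policy = {
.common = {
.req_Sm = 0,
.can_Delete = 1
}
}
};
/* File (binary object) policy: read and write are both allowed. */
const sss_policy_u file = {
.type = KPolicy_File,
.auth_obj_id = TST_LOCAL_OBJ_AUTH_ID,
.policy = {
.file = {
.can_Read = 1,
.can_Write = 1
}
}
};
/*
 * PCR policy: the object is usable only while the PCR object at pcrObjId
 * holds pcrExpectedValue. pcrObjId must be the ID the PCR object was
 * created at (see the note below).
 */
sss_policy_u pcr1 = {
.type = KPolicy_Common_PCR_Value,
.auth_obj_id = TST_LOCAL_OBJ_AUTH_ID,
.policy = {
.common_pcr_value = {
.pcrObjId = 0x7fffffff,
}
}
};
/* Zero the whole expected-value field, then copy the 32-byte value in.
 * NOTE(review): the copy assumes pcrExpectedValue is at least
 * pcr_expected_value_size bytes - confirm against the sss_policy_u definition. */
memset(pcr1.policy.common_pcr_value.pcrExpectedValue,
0x00,
sizeof(pcr1.policy.common_pcr_value.pcrExpectedValue));
memcpy(pcr1.policy.common_pcr_value.pcrExpectedValue, pcr_expected_value, pcr_expected_value_size);
/* Policy set for the binary object: common rules, PCR binding, file rules. */
sss_policy_t policy_for_binary_object = {
.nPolicies = 3,
.policies = { &common, &pcr1, &file }
};
/* clang-format on */
NVM_RESET();
/*
 * Write the binary object with the policy set attached.
 * NOTE(review): `status` is not checked within this excerpt; the check is
 * expected to follow it. The fifth argument (key bit length) is passed as
 * sizeof(binary_object) here - confirm whether the API expects bits.
 */
status = sss_key_store_set_key(&gtCtx.ks,
&gtCtx.key,
binary_object,
sizeof(binary_object),
sizeof(binary_object),
&policy_for_binary_object,
sizeof(policy_for_binary_object));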
Note
Ensure that the pcrObjId
in the PCR policy is the object ID at which the PCR object is stored, and that pcrExpectedValue matches the value held by that PCR object; otherwise the policy-bound object cannot be used.
5.7.4.3. Console output¶
If everything is successful, the output will be similar to:
App :INFO :This example is to demonstrate the use of policies for secure objects
App :INFO :Signing was succesful
App :INFO :Example Success
App :INFO :ex_sss Finished