5.7.4. Using policies for secure objects

This demo demonstrates the use of policies for secure objects. Object policies such as can_Sign or can_Encrypt restrict an object to the operations the policy allows. Objects inside the secure element are linked to a particular authentication object, based on the selected communication authentication type. Objects inside the secure element linked with one authentication object cannot be used when a session is open with another authentication type.

The authentication object ID to be linked with the secure object is selected as follows:

/* Select the authentication object ID that secure objects are bound to,
 * according to the authentication type the build was configured for.
 * The policy set below uses EX_LOCAL_OBJ_AUTH_ID; it must match the
 * authentication type of the session that creates and uses the object. */
#if (SSS_HAVE_SE05X_AUTH_USERID) || (SSS_HAVE_SE05X_AUTH_USERID_PLATFSCP03) //UserID Session
#define EX_LOCAL_OBJ_AUTH_ID EX_SSS_AUTH_SE05X_UserID_AUTH_ID
#elif (SSS_HAVE_SE05X_AUTH_NONE) || (SSS_HAVE_SE05X_AUTH_PLATFSCP03) //No auth
#define EX_LOCAL_OBJ_AUTH_ID EX_SSS_AUTH_SE05X_NONE_AUTH_ID
#elif (SSS_HAVE_SE05X_AUTH_AESKEY) || (SSS_HAVE_SE05X_AUTH_AESKEY_PLATFSCP03) //AESKey
#define EX_LOCAL_OBJ_AUTH_ID EX_SSS_AUTH_SE05X_APPLETSCP_AUTH_ID
#elif (SSS_HAVE_SE05X_AUTH_ECKEY) || (SSS_HAVE_SE05X_AUTH_ECKEY_PLATFSCP03) //ECKey session
#define EX_LOCAL_OBJ_AUTH_ID EX_SSS_AUTH_SE05X_ECKEY_ECDSA_AUTH_ID
#endif
/* NOTE(review): no #else branch — a build with none of these auth options
 * set leaves EX_LOCAL_OBJ_AUTH_ID undefined and the policy set will not compile. */

Note

Ensure that the authentication object ID in the policy set matches the selected authentication type.

5.7.4.1. Sign Policy

Create a policy set using the authentication object ID:


/* Logic to pass the sign & verify policy: these two knobs are what this
 * demo varies; every other capability below is left enabled. */
const int allow_sign = 1;
const int allow_verify = 0;

/* doc:start:allow-policy-sign-part1 */
/* Policies for key */
const sss_policy_u key_withPol = {
    .type = KPolicy_Asym_Key,
    /* Authentication object based on SE05X_AUTH (EX_LOCAL_OBJ_AUTH_ID above) */
    .auth_obj_id = EX_LOCAL_OBJ_AUTH_ID,
    .policy = {
        /* Asymmetric key policy */
        .asymmkey = {
            /* Policy for sign: allowed in this demo */
            .can_Sign = allow_sign,
            /* Policy for verify: denied in this demo */
            .can_Verify = allow_verify,
            /* NOTE(review): the capabilities below remain enabled so the demo
             * can exercise them; a production policy would enable only the
             * operations the key actually needs (least privilege), in
             * particular can_Read/can_Write on a private key pair. */
            /*Policy for encrypt*/
            .can_Encrypt = 1,
            /*Policy for decrypt*/
            .can_Decrypt = 1,
            /*Policy for Key Derivation*/
            .can_KD = 1,
            /*Policy for wrapped object*/
            .can_Wrap = 1,
            /*Policy to re-write object*/
            .can_Write = 1,
            /*Policy for reading object*/
            .can_Read = 1,
            /*Policy to use object for attestation*/
            .can_Attest = 1,
        }
    }
};

/* Common rules (apply to the object regardless of its type) */
const sss_policy_u common = {
    .type = KPolicy_Common,
    /*Authentication object based on SE05X_AUTH*/
    .auth_obj_id = EX_LOCAL_OBJ_AUTH_ID,
    .policy = {
    .common = {
    /* Secure Messaging: 0 = not required for this object.
     * NOTE(review): confirm this matches the session requirements of the
     * deployment before reusing the policy outside the demo. */
    .req_Sm = 0,
    /*Policy to Delete object*/
    .can_Delete = 1,
    /* Forbid all operations on object: 0 = the policies above apply */
    .forbid_All = 0,
}
}
};

/* create policy set: nPolicies (2) is the number of entries in .policies */
sss_policy_t policy_for_ec_key = {
    .nPolicies = 2,
    .policies = { &key_withPol, &common }
};
/* doc:end:allow-policy-sign-part1 */

/* Initialise the key object against the key store of the session context;
 * on failure the shared error path is taken (the exit label is outside this excerpt). */
status    = sss_key_object_init(&object, &pCtx->ks);
if (status != kStatus_SSS_Success) {
    LOG_E("sss_key_object_init Failed!!!");
    goto exit;
}

/* Allocate a persistent EC (NIST P) key-pair handle at keyId. */
status = sss_key_object_allocate_handle(
    &object, keyId, kSSS_KeyPart_Pair, kSSS_CipherType_EC_NIST_P, keylen, kKeyObject_Mode_Persistent);
if (status != kStatus_SSS_Success) {
    LOG_E("key_object_allocate_handle Failed!!!");
    goto exit;
}

/* doc:start:allow-policy-sign-part2 */
/* Generate the key, passing the policy set along with it.
 * NOTE(review): status is not checked within this excerpt; the caller should
 * check it as is done for the two calls above. */
status = sss_key_store_generate_key(
    &pCtx->ks,
    &object,
    ECC_KEY_BIT_LEN,
    &policy_for_ec_key);
/* doc:end:allow-policy-sign-part2 */

5.7.4.2. Using PCR Object

A PCR is a special secure object that stores 32 bytes of data. A PCR object can be used to ensure that secure objects inside the SE cannot be used once the PCR object value has been altered.

A PCR policy can be assigned to a secure object as shown in the following sample code:

/* Expected PCR content (32 bytes, matching the PCR size described above).
 * Two variants are selected by the SSS_HAVE_SE05X_VER_GTE_06_00 build flag
 * (presumably applet version >= 06.00 — confirm against the build config). */
#if SSS_HAVE_SE05X_VER_GTE_06_00
    uint8_t pcr_expected_value[] = { 0x87, 0xD3, 0xE3, 0x93, 0x19, 0x8F, 0x5C, 0x80, 0xE0, 0xBC, 0x9B, 0xC9, 0x82, 0x00, 0x1F, 0xB0, 0xEE, 0x20, 0x1C, 0x27, 0x0B, 0x6D, 0xC8, 0x84, 0x52, 0xE4, 0x13, 0xA3, 0x25, 0x56, 0x81, 0x75 };
#else
    uint8_t pcr_expected_value[] = { 0x89, 0x51, 0x56, 0x9f, 0x41, 0x5f, 0xeb, 0x4f, 0xb6, 0x37, 0x02, 0x86, 0xe7, 0xdd, 0xa0, 0x99, 0x33, 0x6c, 0x46, 0x36, 0xbc, 0xbb, 0x4c, 0x11, 0x04, 0x10, 0x0a, 0x86, 0x0d, 0x0c, 0xa4, 0x14 };
#endif

    /* Log the expected value so the console output can be checked against the PCR. */
    size_t pcr_expected_value_size = sizeof(pcr_expected_value);
    LOG_I("Setting PCR Expected value as:");
    LOG_AU8_I(pcr_expected_value, pcr_expected_value_size);

    /* Common rules for the binary object.
     * NOTE(review): this excerpt uses TST_LOCAL_OBJ_AUTH_ID and gtCtx rather
     * than the EX_LOCAL_OBJ_AUTH_ID/pCtx used above — presumably the test-suite
     * equivalents; the auth object ID must still match the session's
     * authentication type, as noted earlier. */
    const sss_policy_u common = {
        .type = KPolicy_Common,
        .auth_obj_id = TST_LOCAL_OBJ_AUTH_ID,
        .policy = {
            .common = {
                /* 0 = secure messaging not required for this object */
                .req_Sm = 0,
                .can_Delete = 1
            }
        }
    };

    /* File (binary object) rules: read and write only. */
    const sss_policy_u file = {
        .type = KPolicy_File,
        .auth_obj_id = TST_LOCAL_OBJ_AUTH_ID,
        .policy = {
            .file = {
                .can_Read = 1,
                .can_Write = 1
            }
        }
    };

    /* PCR policy: binds the object to the PCR at pcrObjId holding
     * pcrExpectedValue (see the description above). */
    sss_policy_u pcr1 = {
        .type = KPolicy_Common_PCR_Value,
        .auth_obj_id = TST_LOCAL_OBJ_AUTH_ID,
        .policy = {
            .common_pcr_value = {
                /* Object ID of the PCR; must be the ID at which the PCR is stored */
                .pcrObjId = 0x7fffffff,
            }
        }
    };
    /* Zero the expected-value field, then copy in the demo value.
     * NOTE(review): there is no check that pcr_expected_value_size fits in
     * pcrExpectedValue; this relies on the field being at least 32 bytes. */
    memset(pcr1.policy.common_pcr_value.pcrExpectedValue,
        0x00,
        sizeof(pcr1.policy.common_pcr_value.pcrExpectedValue));
    memcpy(pcr1.policy.common_pcr_value.pcrExpectedValue, pcr_expected_value, pcr_expected_value_size);

    /* Policy set: nPolicies (3) is the number of entries in .policies */
    sss_policy_t policy_for_binary_object = {
        .nPolicies = 3,
        .policies = { &common, &pcr1, &file }
    };
    /* clang-format on */
    NVM_RESET();

    /* Store the binary object with the policy set attached.
     * NOTE(review): the fourth and fifth arguments are both
     * sizeof(binary_object) — confirm against the sss_key_store_set_key
     * prototype; the return status is not checked within this excerpt. */
    status = sss_key_store_set_key(&gtCtx.ks,
        &gtCtx.key,
        binary_object,
        sizeof(binary_object),
        sizeof(binary_object),
        &policy_for_binary_object,
        sizeof(policy_for_binary_object));

Note

Ensure that the pcrObjId in the PCR policy is the object ID at which the PCR is stored.

5.7.4.3. Console output

If everything is successful, the output will be similar to:

App   :INFO :This example is to demonstrate the use of policies for secure objects
App   :INFO :Signing was succesful
App   :INFO :Example Success
App   :INFO :ex_sss Finished