PROCESSOR-SDK-AM62X: 【OPTEE RPMB SECURE STORAFE】RPMB Verification Failure After AM62x SDK Upgrade (8.6 → 10.01) – DKEK Mismatch

xiaohui.zhang

Part Number: PROCESSOR-SDK-AM62X
Other Parts Discussed in Thread: AM62L

Tool/software:

Hi TI Community,

After upgrading the AM62x SDK from version 8.6 to 10.01, we encountered an OP-TEE RPMB secure storage error ("RPMB verification failed"). During debugging, we discovered that the DKEK values differ between the old and new SDKs, leading to the verification failure.

报错日志如下：

D/TC:? 0 ldelf_load_ldelf:110 ldelf load address 0x40007000
D/LD:  ldelf:142 Loading TS 8c2e0728-a3fb-4ccc-96b0-9a6498db1aec
F/TC:? 0 trace_syscall:147 syscall #3 (syscall_get_property)
F/TC:? 0 trace_syscall:147 syscall #5 (syscall_open_ta_session)
D/TC:? 0 ldelf_syscall_open_bin:163 Lookup user TA ELF 8c2e0728-a3fb-4ccc-96b0-9a6498db1aec (REE)
D/TC:? 0 ldelf_syscall_open_bin:167 res=0
F/TC:? 0 trace_syscall:147 syscall #7 (syscall_invoke_ta_command)
F/TC:? 0 trace_syscall:147 syscall #11 (syscall_mask_cancellation)
F/TC:? 0 trace_syscall:147 syscall #7 (syscall_invoke_ta_command)
F/TC:? 0 trace_syscall:147 syscall #3 (syscall_get_property)
F/TC:? 0 trace_syscall:147 syscall #8 (syscall_check_access_rights)
F/TC:? 0 trace_syscall:147 syscall #8 (syscall_check_access_rights)
D/TC:? 0 legacy_rpmb_init:1142 Trying legacy RPMB init
D/TC:? 0 rpmb_set_dev_info:1111 RPMB: Syncing device information
D/TC:? 0 rpmb_set_dev_info:1113 RPMB: RPMB size is 32*128 KB
D/TC:? 0 rpmb_set_dev_info:1114 RPMB: Reliable Write Sector Count is 1
D/TC:? 0 rpmb_set_dev_info:1116 RPMB: CID
D/TC:? 0 rpmb_set_dev_info:1117 000000009e8b0bd0  d6 01 03 38 38 41 33 39  38 11 eb bf d1 a0 1b 00
D/TC:? 0 legacy_rpmb_init:1162 RPMB INIT: Deriving key
I/TC: RPMB: Using generated key
F/TC:? 0 k3_sec_proxy_send:131 Verifying the thread
F/TC:? 0 k3_sec_proxy_verify_thread:71 Check for thread corruption
F/TC:? 0 k3_sec_proxy_verify_thread:88 Check for thread direction
F/TC:? 0 k3_sec_proxy_verify_thread:100 Check for thread queue
F/TC:? 0 k3_sec_proxy_verify_thread:113 Success
F/TC:? 0 k3_sec_proxy_recv:193 Verifying thread
F/TC:? 0 k3_sec_proxy_verify_thread:71 Check for thread corruption
F/TC:? 0 k3_sec_proxy_verify_thread:88 Check for thread direction
F/TC:? 0 k3_sec_proxy_verify_thread:100 Check for thread queue
F/TC:? 0 k3_sec_proxy_verify_thread:113 Success
I/TC: HUK Initialized
D/TC:? 0 legacy_rpmb_init:1176 RPMB INIT: Verifying Key
F/TC:? 0 plat_prng_add_jitter_entropy:68 0x89
D/TC:? 0 tee_rpmb_resp_unpack_verify:949 MAC mismatched:
E/TC:? 0 legacy_rpmb_init:1191 Verify key failed! 0xffff000f
E/TC:? 0 legacy_rpmb_init:1192 Make sure key here matches device key
E/LD:  copy_section_headers:1135 sys_copy_from_ta_bin
E/TC:? 0 ldelf_init_with_ldelf:152 ldelf failed with res: 0xffff000f
D/TC:? 0 tee_ta_open_session:696 init session failed 0xffff000f
TEEC_Opensession failed with code 0xffff000f origin 0x3

4 months ago

0 Hong Guan64 4 months ago

TI__Guru 68290 points

1/. There was TIFS update starting from Linux SDK 9.x (or Yocto Kirkstone) to fix the TIFS DKEK issue in Linux SDK 8.x (or Yocto Dunfell), where a “constant” DKEK in the TIFS in Linux SDK 8.x was returned when calling the TIFS DKEK API by OPTEE to get the HUK (HW Unique Key) to facilitate OPTEE secure storage operation.
A. The fix on the TIFS DKEK API (below) was added starting from TIFS 9.1.8 (Linux SDK 9.1.0.8).
https://software-dl.ti.com/tisci/esd/latest/2_tisci_msgs/security/dkek_management.html
B. Additionally two new TIFS APIs (as listed below) was added starting from TIFS 9.2.7 (Linux SDK 9.2.1.9).
The two new APIs are not published in the TISCI online guide yet.

/** Message to derive a constant DKEK and set SA2UL DKEK register */
#define TISCI_MSG_SA2UL_SET_DKEK_CONST          (0x902AU)
 
/** Message to derive a constant DKEK and return it via TISCI */
#define TISCI_MSG_SA2UL_GET_DKEK_CONST          (0x902BU)

2/. one proposal to work around the issue
- upgrade to the latest TIFS (TIFS 9.2.7 or newer)
- use the two APIs (1B) to get the old “constant” DKEK, and the HUK for OPTEE secure storage operations (i.e. decryption)
- use the two DKEK APIs (1A) to get the correct DKEK, and HUK for OPTEE secure storage operations (i.e. re-encryption)

Best,
-Hong

0 xiaohui.zhang 4 months ago in reply to Hong Guan64

Prodigy 60 points

Thank you for your response. However, I have some follow-up questions:

We have already upgraded to SDK 10.1, which should include the latest TIFS version with the following DKEK APIs, correct?

/** Message to derive a KEK and return it via TISCI  (SDK 9.1.0.8) */
TISCI_MSG_CRYPTO_GET_DKEK         (0x9029U)

/** Message to derive a constant DKEK and set SA2UL DKEK register (SDK 9.2.1.9) */
#define TISCI_MSG_SA2UL_SET_DKEK_CONST          (0x902AU)
 
/** Message to derive a constant DKEK and return it via TISCI (SDK 9.2.1.9) */
#define TISCI_MSG_SA2UL_GET_DKEK_CONST          (0x902BU)

Questions:

Why does OP-TEE 4.4 in SDK 10.1 still use the older TI_SCI_MSG_SA2UL_GET_DKEK (0x9029) instead of the newer TISCI_MSG_CRYPTO_GET_DKEK (also 0x9029) for DKEK retrieval?

optee_os/core/arch/arm/plat-k3/drivers/ti_sci.c
int ti_sci_get_dkek(uint8_t sa2ul_instance,
		    const char *context, const char *label,
		    uint8_t dkek[SA2UL_DKEK_KEY_LEN])
{
	struct ti_sci_msg_req_sa2ul_get_dkek req = { };
	struct ti_sci_msg_resp_sa2ul_get_dkek resp = { };
	struct ti_sci_xfer xfer = { };
	int ret = 0;

	ret = ti_sci_setup_xfer(TI_SCI_MSG_SA2UL_GET_DKEK, 0,
				&req, sizeof(req), &resp, sizeof(resp), &xfer);
	if (ret)
		return ret;

	req.sa2ul_instance = sa2ul_instance;
	req.kdf_label_len = strlen(label);
	req.kdf_context_len = strlen(context);
	if (req.kdf_label_len + req.kdf_context_len >
	    KDF_LABEL_AND_CONTEXT_LEN_MAX) {
		EMSG("Context and Label too long");
		return TEE_ERROR_BAD_PARAMETERS;
	}
	memcpy(req.kdf_label_and_context, label, strlen(label));
	memcpy(req.kdf_label_and_context + strlen(label), context,
	       strlen(context));

	ret = ti_sci_do_xfer(&xfer);
	if (ret)
		return ret;

	memcpy(dkek, resp.dkek, sizeof(resp.dkek));
	memzero_explicit(&resp, sizeof(resp));
	return 0;
}

is it sufficient to modify OP-TEE to use TISCI_MSG_SA2UL_GET_DKEK_CONST instead of TI_SCI_MSG_SA2UL_GET_DKEK(in fuction ti_sci_get_dkek)
Functional Differences:
- What are the differences between the old and new DKEK APIs?What advantages does the new DKEK ？Are there drawbacks to the old DKEK ?
- Can dual-DKEK verification (If the new dkek verification fails, use the old dkek) be implemented for backward compatibility?

0 xiaohui.zhang 4 months ago in reply to xiaohui.zhang

Prodigy 60 points

Hi ,

I posted my question some time ago and I'm still waiting for a response.

Could you please check and see when I can expect a reply? If there's anything else you need from me to help you address my question, feel free to let me know.

Thank you for your attention to this matter.

Best regards,

xiaohui

0 Zekun Bai 4 months ago in reply to xiaohui.zhang

TI__Expert 3535 points

Hi Hong

Could you prioritize this internally as this has get customer stuck for their project moving forward. Thanks.

Regards

Zekun

0 Mukul Bhatnagar 3 months ago in reply to Zekun Bai

TI__Guru* 83745 points

Hello Zekun

Hong is currently on a medical leave of absence. Reponses on this thread maybe delayed for another week or so. Will evaluate if this can be reassigned to someone else while Hong is out of office

0 Mukul Bhatnagar 3 months ago in reply to Mukul Bhatnagar

TI__Guru* 83745 points

Hello

Here is some guidance after discussing with development team while Hong is out

Why does OP-TEE 4.4 in SDK 10.1 still use the older TI_SCI_MSG_SA2UL_GET_DKEK (0x9029) instead of the newer TISCI_MSG_CRYPTO_GET_DKEK (also 0x9029) for DKEK retrieval?
is it sufficient to modify OP-TEE to use TISCI_MSG_SA2UL_GET_DKEK_CONST instead of TI_SCI_MSG_SA2UL_GET_DKEK(in fuction ti_sci_get_dkek)
Functional Differences:

What are the differences between the old and new DKEK APIs?What advantages does the new DKEK ？Are there drawbacks to the old DKEK ?
Can dual-DKEK verification (If the new dkek verification fails, use the old dkek) be implemented for backward compatibility?

On #1, they are the same APIs, No difference in behavior, The API was renamed to make the service name generic. We kept the old name also to not break any compatibility.

The rename of crypto related messages from SA2UL to CRYPTO was done to make the service generic without the crypto accelerator name in the message. We moved from SA2UL to DTHe for AM62L and plan to use same TISCI messages.

TI_SCI_MSG_SA2UL_GET_DKEK == TISCI_MSG_CRYPTO_GET_DKEK

Derived KEK TISCI Description — TISCI User Guide

On #2, TISCI_MSG_SA2UL_GET_DKEK_CONST was a temporary solution for customers who already used the previous API.

On #3 a) We recommend and encourage to move to the latest API and SDK 10.1

On #3 b) can you clarify further on why you need this? Do you have units deployed in field etc?

0 xiaohui.zhang 3 months ago in reply to Mukul Bhatnagar

Prodigy 60 points

We want a compatibility solution.As you suggested, your team recommends using the latest API. Retrieving the legacy DKEK is only intended as a temporary solution. Our specific requirements are: for new core boards that have not yet been programmed with RPMB keys, we want them to validate against the new DKEK, while maintaining compatibility with core boards already programmed with the legacy DKEK. Therefore, we need a dual-DKEK compatibility solution where the system automatically falls back to the legacy DKEK if validation with the new DKEK fails. This approach ensures that core boards with the legacy DKEK can pass verification, while new core boards will use the new DKEK for validation.

0 Mukul Bhatnagar 3 months ago in reply to xiaohui.zhang

TI__Guru* 83745 points

Hi Xiaohui

Thanks for the additional background. Unfortunately due to various reasons we are not able to support the dual-DKEK compatiblity request

The old DKEK is available only for helping with migrating to the new one. One should not fallback to using it for backwards compatibility, the new API is what is more robust and what we plan to support long term.

Regards

Mukul

0 Hong Guan64 3 months ago in reply to Mukul Bhatnagar

TI__Guru 68290 points

Hi Xiaohui,
The two legacy DKEK APIs in Linux SDK 8.x (+early ones) should not be used in any system due to the DKEK security issue.
a/. For the system deployed with Linux SDK 8.x (+ early ones), system update is needed as noted in my first reply.
- Upgrade to the latest TIFS (TIFS 9.2.7 or newer)
- Use the two APIs (B) to get the old “constant” DKEK, and the HUK for OPTEE secure storage operations (i.e. decryption)
(TISCI_MSG_SA2UL_SET_DKEK_CONST/TISCI_MSG_SA2UL_GET_DKEK_CONST)
- Use the two DKEK APIs (A) to get the correct DKEK, and HUK for OPTEE secure storage operations (i.e. re-encryption)
(TISCI_MSG_SA2UL_SET_DKEK/TISCI_MSG_SA2UL_GET_DKEK)
b/. For the new system with SDK 9.x or newer (TIFS 9.2.7 or newer),
- Use the two DKEK APIs (A) to get the correct DKEK, and HUK for OPTEE secure storage operation
(TISCI_MSG_SA2UL_SET_DKEK/TISCI_MSG_SA2UL_GET_DKEK)
Best,
-Hong

Processors

Processors forum

PROCESSOR-SDK-AM62X: 【OPTEE RPMB SECURE STORAFE】RPMB Verification Failure After AM62x SDK Upgrade (8.6 → 10.01) – DKEK Mismatch