Securing BoringSSL client private key with OP-TEE
- Host: GitHub
- URL: https://github.com/openwide-ingenierie/tls-client-key-secure-tee
- Owner: Openwide-Ingenierie
- Created: 2023-07-11T14:02:11.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2023-07-21T13:42:39.000Z (over 1 year ago)
- Last Synced: 2024-11-05T23:19:40.040Z (3 months ago)
- Language: C++
- Size: 35.2 KB
- Stars: 3
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Demonstration: TLS secure key in OP-TEE
**➡️ Please first read this Linux Embedded article:**\
This demonstration is inspired by [this article](https://www.amongbytes.com/post/201904-tee-sign-delegator/) by Kris Kwiatkowski.\
This version aims to show how to implement a TLS client and server with BoringSSL on the QEMU ARMv8 emulator, and then how to delegate to OP-TEE the signing operations that use the client's private RSA key.

## Build demo
### Initial setup
This demonstration needs the official OP-TEE QEMUv8 emulator and BoringSSL built for both the host PC and the ARMv8 target. Run the following script (it may take about an hour):
```bash
./initial_setup.sh
```
It also prepares the files needed by the TLS server and client.

### Generate key-pairs
The following script generates all the necessary key-pairs:
```bash
./generate_keys.sh
```

### Build
Several ARMv8 binaries are needed:
- the client program
- the trusted application (TA)
- the admin program

Then run the following script:
```bash
./build_programs.sh
```

## Run demonstration
### Setup the system
Run the following script to import all needed files into QEMU:
```bash
./qemu_import.sh
```

Then start the QEMU environment in a terminal:
```bash
cd optee-qemuv8/build
make \
QEMU_VIRTFS_ENABLE=y \
QEMU_VIRTFS_HOST_DIR=$PWD/../../qemu_hostfs/ \
run-only
(qemu) c
```
The `c` (continue) command at the QEMU monitor prompt opens two terminals; connect to the normal-world Linux as the `root` user (no password).

In the normal world, install the encrypted Trusted Application:
```bash
cd /mnt/host
mv a3a8cd17-4156-41f5-8a66-fe2643a1c93e.ta /lib/optee_armtz
```

### Install private key
As the administrator, you can install the client private key into the TEE:
```bash
./admin put
```

Then the administrator leaves the device, removing the admin tool and the key file from the normal world:
```bash
rm admin client.key
```

### Test the client
On the host PC side, launch the server (listening on port 55555) in a terminal:
```bash
cd server
ifconfig
./server.sh
```

Back in the QEMU normal world, you can now try the client:
```bash
cd /mnt/host
./client :55555
```