Inconsistency of SSK-derived keys of different TAs in one device

Hey,

I am developing Trusted Applications in Trusty environment, according to the documentation, the SSK-derived key is unique on each device.
However I created two TAs in the same device and call get_ssk_dk() function in each TA, the SSK-derived keys are different. What could be the reason of this ?

Note that, I reuse the same key_mgnt.c for both TAs, which is defined in the original sample given in the device.
Additionally, I actually created three different TAs, two of them have same ssk_dk, only one of them is different.

Thanks a lot for your help !

Supplemental information that may help:

After testing several projects, I found that only the first TA calling key_mgnt_processing has a different specific SSK-derived key, the later TAs all get unique fixed SSK-derived key.
This bug could be solved by calling key_mgnt_processing twice in the first TA. But it doesn’t explain the reason.

Hi,
If you need multiple different keys for different TAs, please try

Use the ssk_dk which was derived during the Trusty init time. Then implement a query_key API with the label and context string as inputs.
In the API, you can use the nist_sp_800_108_with_cmac() API with ssk_dk, label, and context string as the input to generate different keys for different TAs.

Please always derive a new key for different TAs. The key_mgnt_processing API should be invoked once during init time.

Hi,
Actually, I need the same key for different TAs.
During Init Time, I did se_derive_root_key to generate a root key named ssk_rk, and used nist_sp_800_108_with_cmac() API to generate ssk_dk, with same label and context string. (The whole procedure is in key_mgnt_processing()API)
The Thing is : I repeated the exact procedure above for different TAs, and switched the order of TAs to compile and flash to the device for many times, the result is always the first executed TA in the boot time returns a different ssk_dk compared with others.

And calling key_mgnt_processing API twice “solved” this issue makes me more confused.

Hi,
Please run key_mgnt_processing only once in one TA which should be hwkey-agent TA. And other TA can query the key from it.