Suppose we want to store cryptographic keys inside Trusty on behalf of applications running outside Trusty. We don’t want an arbitrary limit on the number of keys, so instead of storing them inside Trusty we might store them outside Trusty but encrypted with a key that is derived from the fuses and kept safely inside Trusty. Problem solved? Not quite, because we might want to securely destroy a particular key. It’s not possible to destroy all copies of the encrypted key because it may have been copied all over the place outside Trusty. Unless Trusty has a way of permanently recording the fact that a particular key has been “destroyed”, then an attacker can always supply a copy of the encrypted key to the trusted application and say “use this key”.
The secure storage service solves this problem, and does a lot more, by providing an encrypted and tamper-proof file system, with atomic transactions, and, if I’ve understood correctly how it works, it does this by having two superblocks inside Trusty while the rest of the data, in the form of a tree of blocks, is kept outside Trusty. This would be great if it runs on the Xavier, but it’s not clear to me whether it has been ported. It’s also not clear to me where those two superblocks would be stored on the Xavier. Is there a secure block device that I could myself access from a trusted application, if I did want to directly store a bounded number of keys, for example?
Thanks for any help with this.
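
The replay problem described in the post, sketched as an added example that is not part of the original post and is not Trusty code. `TrustedApp`, `wrap`, `unwrap`, `destroy` and `replay_demo` are hypothetical names, the random `dev` value stands in for the fuse-derived key, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for a real AEAD.

```python
import hashlib, hmac, os

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class TrustedApp:
    """Hypothetical model of a trusted application; its fields live 'inside' the TEE."""
    def __init__(self, device_key):
        # Assumption: device_key models the fuse-derived key from the post.
        self._enc, self._mac = _prf(device_key, b"enc"), _prf(device_key, b"mac")
        self._destroyed = set()  # only effective if stored with rollback protection

    def _xor(self, nonce, data):
        # Stand-in stream cipher (HMAC-SHA256 in counter mode), not a production AEAD.
        blocks = range((len(data) + 31) // 32)
        ks = b"".join(_prf(self._enc, nonce + i.to_bytes(4, "big")) for i in blocks)
        return bytes(a ^ b for a, b in zip(data, ks))

    def wrap(self, key):
        key_id, nonce = os.urandom(16), os.urandom(16)
        body = key_id + nonce + self._xor(nonce, key)
        return body + _prf(self._mac, body)  # blob handed to the untrusted side

    def _open(self, blob):
        body, tag = blob[:-32], blob[-32:]
        if len(blob) < 64 or not hmac.compare_digest(tag, _prf(self._mac, body)):
            raise ValueError("blob failed authentication")
        return body[:16], body[16:32], body[32:]

    def unwrap(self, blob):
        key_id, nonce, ct = self._open(blob)
        if key_id in self._destroyed:
            raise PermissionError("key has been destroyed")
        return self._xor(nonce, ct)

    def destroy(self, blob):
        self._destroyed.add(self._open(blob)[0])

def replay_demo():
    dev, key = os.urandom(32), os.urandom(32)  # constructed sample values
    ta = TrustedApp(dev)
    copy = bytes(ta.wrap(key))  # copy kept outside the TEE
    ta.destroy(copy)
    try:
        ta.unwrap(copy); rejected = False
    except PermissionError:
        rejected = True
    # Same device key, destruction record lost: the old copy unwraps again.
    return rejected, TrustedApp(dev).unwrap(copy) == key
```

`replay_demo()` returns `(True, True)`: the copied blob is refused while the destruction record exists, and accepted again once that record is gone, which is why the record needs tamper-proof, rollback-protected storage.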