[TRUSTY] - RSA Encryption / Decryption

Dear support,

I currently develop a Trusted Application on Trusty which implements RSA encryption and RSA decrypt. While RSA encryption works well, RSA decryption is not performed properly (please see details below).

My development platform is Jetson Xavier AGX, under JetPack 4.1. And I use openssl library for RSA encryption/decryption.

A key pair is stored in that TA:

static char publicKey4096[] =
"-----BEGIN PUBLIC KEY-----\n"
"MIICIjAN...
"-----END PUBLIC KEY-----";
static char privateKey4096[] = 
"-----BEGIN RSA PRIVATE KEY-----\n"
""MIIJKAIBAAKCA...
"-----END RSA PRIVATE KEY-----\n";

For RSA encryption/decryption, I use openssl library as follows:
Encryption code snippet

// Generate RSA struct
RSA *rsa = createRSA(publicKey4096, 1);
// Encrypt
int size_enc = RSA_public_encrypt(sizeof(data), data, result, rsa, padding);

Decryption code snippet

// Generate RSA struct
RSA *rsa = createRSA(privateKey4096, 0);
// Decrypt 
int size_dec = RSA_private_decrypt(payload_len, data, result, rsa, padding);

Prior to encryption/decryption, random number is initialised as follows:

// Init randomseed
RAND_seed(rnd_seed, sizeof rnd_seed);

RSA Encryption
As said, RSA Encryption works well. As shown below, input data is sent to the TA, encrypted on TA, and sent back to CA.


Call to RSA_public_encrypt returns the error code 0000000, which stands for success.
The returned buffer is stored in a encryptedfile

I check the encrypted outcome with Openssl, using the same public key, as follows:


RSA Encryption on TA is validated.

RSA Decryption
RSA Decryption on TA returns an erroneous data. As shown below, encrypted data is sent to the TA, decrypted on TA, and sent back to CA.


Call to RSA_private_decrypt returns the error code 0000000, which stands for success.

But while looking at the returned decrypted outcome, RSA decryption is not done properly. The previously encrypted data is not decrypted.

Would you have any advice/suggestion to have RSA decryption working?
If needed, I can provide the TA source, and RSA keys, in PM.

Thank you in advance for your help.
Best,
Lgiori.

hello lgiori ,

may I know what’s the security authentication types you’ve flashed. for example, SBKPKC - both SBK and PKC are enabled.

Hi JerryChang,

After TA compilation, I used the following command line for secureos flashing:
flash.sh -k secureos jetson-xavier mmcblk0p1

I probably flash with default authentication types (SBK+PKC?).
Otherwise, could you let me know how to determine set authentication type?

Thanks in advance!
Best,
Lgiori

hello lgiori ,

please refer to Secureboot chapter, it’s burning the fuse to program the keys,
for example,
PKC for sign: if PKC is burned, then the KEYFILE users provide is for signing the images.
SBK for encryption: if SBK is burned, then the SBKFILE users provide is for encrypting the images.

Hi JerryChang,

Looking at Secureboot documentation, we do not encrypt or sign the image. So far, we flash with zero-key signing.

As far as I understood, PKC is used for image signature, and SBK for image encryption only. So how could zero-key signing impact the use of openssl rsa library within a TA? Is there a link between use of PKC/SBK on images and the use of openssl library within TAs?

Thanks again.
Best,
Lgiori.

see-also topic, Is it possible to use Secure World without secure boot?

Dear JerryChang,

I actually solved my problem.
I can now perform RSA encryption/decryption within my TA.

The problem was rather on memory management within the TA, and not on the signature or encryption of TAs.
Anyway, thank you again for your support !

Best,
Lgiori.