1Subkey 2====== 3 4A TA or a subkey can be signed with a subkey instead of the root key. Here 5we're trying to describe the relationship between the different subkeys and 6keys used for the subkey test TAs. 7 8We start with a two level subkey hierachy to be able to test more when the 9subkey chain consist of more than a single subkey signed with the root key. 10 11The relationship of the different subkeys and TAs are as follows: 12root_key 13|-- identity_subkey2 14| `-- subkey2_ta 15`-- top_level_subkey 16 `-- mid_level_subkey 17 `-- subkey1_ta 18 19The keys themselves where generated using: 20 21openssl genrsa -out top_level_subkey.pem 22openssl genrsa -out mid_level_subkey.pem 23openssl genrsa -out identity_subkey2.pem 24 25The top level subkey is signed with the root key using (where the UUID is 26generated): 27 28../../optee_os/scripts/sign_encrypt.py sign-subkey \ 29 --uuid f04fa996-148a-453c-b037-1dcfbad120a6 \ 30 --key ../../optee_os/keys/default_ta.pem --in top_level_subkey.pem \ 31 --out top_level_subkey.bin --max-depth 4 --name-size 64 \ 32 --subkey-version 1 33 34The mid level subkey has to have a UUID in the namespace of the top level 35level subkey. The UUID is determined as 36UUIDv5_SHA512(f04fa996-148a-453c-b037-1dcfbad120a6, "mid_level_subkey") = 371a5948c5-1aa0-518c-86f4-be6f6a057b16 38where UUIDv5_SHA512() denotes the UUIDv5 scheme with SHA512 used instead of 39SHA1 and truncated to 20 bytes 40 41The sign script can do this with: 42 43../../optee_os/scripts/sign_encrypt.py subkey-uuid --in top_level_subkey.bin \ 44 --name mid_level_subkey 45Subkey UUID: f04fa996-148a-453c-b037-1dcfbad120a6 46Next subkey UUID: 1a5948c5-1aa0-518c-86f4-be6f6a057b16 47 48The mid level subkey is signed using: 49 50../../optee_os/scripts/sign_encrypt.py sign-subkey \ 51 --uuid 1a5948c5-1aa0-518c-86f4-be6f6a057b16 \ 52 --key top_level_subkey.pem --subkey top_level_subkey.bin \ 53 --name-size 64 --subkey-version 1 \ 54 --name mid_level_subkey \ 55 --in mid_level_subkey.pem --out mid_level_subkey.bin 56 57The UUID of subkey1 TA is calculated using: 58 59../../optee_os/scripts/sign_encrypt.py subkey-uuid --in mid_level_subkey.bin \ 60 --name subkey1_ta 61Subkey UUID: f04fa996-148a-453c-b037-1dcfbad120a6 62Subkey UUID: 1a5948c5-1aa0-518c-86f4-be6f6a057b16 63Next subkey UUID: 5c206987-16a3-59cc-ab0f-64b9cfc9e758 64 65Subkey1 TA is signed as part of the build process. 66 67The identity_subkey2 subkey is signed using (where the UUID is generated): 68 69../../optee_os/scripts/sign_encrypt.py sign-subkey \ 70 --uuid a720ccbb-51da-417d-b82e-e5445d474a7a \ 71 --key ../../optee_os/keys/default_ta.pem --in identity_subkey2.pem \ 72 --out identity_subkey2.bin --max-depth 0 --name-size 0 \ 73 --subkey-version 1 74