Applying for a TA Developer Certificate in a Debugging Environment
Before developing TA service code, apply to Huawei for a TA developer certificate and a config binary file. The TA developer certificate is the unique identifier of a TA: it contains the TA UUID and the TA name. The config binary file governs the TEE resources (stack, heap, instance and session limits) made available to the TA.
Create a configs.xml file.
- Based on manifest.txt, create a configs.xml file and edit it.
An example of the configs.xml file:
<?xml version="1.0" encoding="utf-8"?>
<ConfigInfo>
    <TA_Basic_Info>
        <service_name>rsa-demo</service_name>
        <uuid>f68fd704-6eb1-4d14-b218-722850eb3ef0</uuid>
    </TA_Basic_Info>
    <TA_Manifest_Info>
        <instance_keep_alive>false</instance_keep_alive>
        <stack_size>40960</stack_size>
        <heap_size>67928064</heap_size>
        <multi_command>false</multi_command>
        <multi_session>false</multi_session>
        <single_instance>true</single_instance>
        <mem_page_align>false</mem_page_align>
    </TA_Manifest_Info>
</ConfigInfo>
- The uuid field is the TA service ID and must be unique. On Linux, cat /proc/sys/kernel/random/uuid prints a freshly generated random UUID you can use.
- The stack_size and heap_size fields specify the stack space (bytes) and the maximum heap space (bytes) available to the TA. The secure OS iTrustee currently supports at most 128 concurrent threads per TA, so a heap of at least 256 KB x 2 x 128 (64 MB) must be reserved for every TA. Add whatever the TA's own functions need on top of that: if they need an additional 4 KB, heap_size is (256 x 2 x 128 + 4) x 1024 bytes. The example above reserves an additional 800 KB, which gives (256 x 2 x 128 + 800) x 1024 = 67928064. There is no corresponding minimum for stack_size.
- By default stack_size and heap_size are in bytes and are parsed as int, so the largest value that can be expressed is 2 GB. If the TA heap must be larger than 2 GB, set mem_page_align to true; the two values are then interpreted in units of 4096 bytes (one page) instead of bytes. Recalculate both values in that unit and add gpd.ta.mem_page_align: true to the manifest.txt file.
- Modify the items in the configs.xml file to make them consistent with the manifest.txt file.
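The steps above (derive configs.xml from manifest.txt, size the heap, keep the two files consistent) as an added worked example in Python. This script is not part of the iTrustee SDK. Assumptions, labelled in the code: manifest.txt is made of "key: value" lines; apart from gpd.ta.mem_page_align, which the page names, the manifest key names are the GlobalPlatform property names (gpd.ta.appID, gpd.ta.dataSize, gpd.ta.stackSize, and so on) and are assumed; the int limit is taken as 2^31 - 1; with mem_page_align true the sizes are assumed to be counted in 4096-byte pages.

```python
#!/usr/bin/env python3
"""Build configs.xml from manifest.txt and size the TA heap (added example).

Not SDK code. Assumed: manifest.txt is "key: value" lines; the key names in
FIELDS other than gpd.ta.mem_page_align are the GlobalPlatform names and are
an assumption; with mem_page_align true the sizes are counted in 4096-byte
pages (assumption, following the page's description).
"""
import xml.etree.ElementTree as ET

MAX_THREADS = 128          # concurrent threads per TA, per the page
PER_THREAD_KB = 256 * 2    # 256 KB x 2 reserved per thread, per the page
INT_MAX = 2**31 - 1        # heap_size/stack_size are parsed as int
PAGE = 4096                # assumed unit once mem_page_align is true

# (manifest key, parent element, child element), in the order of the page's example
FIELDS = [
    ("gpd.ta.service_name",      "TA_Basic_Info",    "service_name"),
    ("gpd.ta.appID",             "TA_Basic_Info",    "uuid"),
    ("gpd.ta.instanceKeepAlive", "TA_Manifest_Info", "instance_keep_alive"),
    ("gpd.ta.stackSize",         "TA_Manifest_Info", "stack_size"),
    ("gpd.ta.dataSize",          "TA_Manifest_Info", "heap_size"),
    ("gpd.ta.multiCommand",      "TA_Manifest_Info", "multi_command"),
    ("gpd.ta.multiSession",      "TA_Manifest_Info", "multi_session"),
    ("gpd.ta.singleInstance",    "TA_Manifest_Info", "single_instance"),
    ("gpd.ta.mem_page_align",    "TA_Manifest_Info", "mem_page_align"),
]
# Values used when the manifest does not mention the key (assumed defaults)
DEFAULTS = {"gpd.ta.mem_page_align": "false", "gpd.ta.multiCommand": "false"}

# Constructed sample manifest matching the page's configs.xml example
SAMPLE_MANIFEST = """\
gpd.ta.appID: f68fd704-6eb1-4d14-b218-722850eb3ef0
gpd.ta.service_name: rsa-demo
gpd.ta.singleInstance: true
gpd.ta.multiSession: false
gpd.ta.multiCommand: false
gpd.ta.instanceKeepAlive: false
gpd.ta.dataSize: 67928064
gpd.ta.stackSize: 40960
"""


def heap_size_bytes(extra_kb):
    """Page's rule: heap_size = (256 x 2 x 128 + extra KB) x 1024 bytes."""
    return (PER_THREAD_KB * MAX_THREADS + extra_kb) * 1024


def size_fields(stack_bytes, heap_bytes):
    """Return (stack_size, heap_size, mem_page_align) as they must be written.

    Both stay in bytes while heap_size fits an int. Beyond that the page says
    to set mem_page_align, and both values are then expressed in pages.
    """
    if heap_bytes <= INT_MAX:
        return stack_bytes, heap_bytes, False
    to_pages = lambda n: -(-n // PAGE)        # round up to whole pages
    return to_pages(stack_bytes), to_pages(heap_bytes), True


def parse_manifest(text):
    """manifest.txt -> dict; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def build_configs_xml(manifest_text):
    """Emit configs.xml with the same element layout as the page's example."""
    props = {**DEFAULTS, **parse_manifest(manifest_text)}
    root = ET.Element("ConfigInfo")
    for key, parent, child in FIELDS:
        if key not in props:
            raise ValueError(f"manifest.txt is missing {key}")
        node = root.find(parent)
        if node is None:                      # element truthiness is unreliable
            node = ET.SubElement(root, parent)
        ET.SubElement(node, child).text = props[key]
    if hasattr(ET, "indent"):                 # Python 3.9+: pretty-print
        ET.indent(root)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def check_consistency(manifest_text, xml_text):
    """List (element, manifest value, configs.xml value) triples that disagree."""
    props = {**DEFAULTS, **parse_manifest(manifest_text)}
    root = ET.fromstring(xml_text)
    mismatches = []
    for key, parent, child in FIELDS:
        node = root.find(f"{parent}/{child}")
        xml_value = node.text.strip() if node is not None and node.text else None
        if props.get(key) != xml_value:
            mismatches.append((child, props.get(key), xml_value))
    return mismatches


if __name__ == "__main__":
    xml = build_configs_xml(SAMPLE_MANIFEST)
    print(xml)
    print("mismatches:", check_consistency(SAMPLE_MANIFEST, xml))
    print("heap_size for +800 KB:", heap_size_bytes(800))
    print("fields for a 3 GB heap:", size_fields(40960, 3 * 2**30))
```

Run check_consistency against the real manifest.txt and configs.xml before sending the files to Huawei; the config binary Huawei returns is signed over whatever configs.xml said, so a silent mismatch with manifest.txt is only discovered at TA load time.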
Applying for a TA Developer Certificate
- Generate a local key pair.
openssl genrsa -out private_key.pem 4096
- Generate a CSR request.
openssl req -new -key private_key.pem -out cert_req_01.csr -subj "/C=CN/O=Huawei/OU=Huawei iTrustee Production/CN=f68fd704-6eb1-4d14-b218-722850eb3ef0_rsa-demo"
The /CN field of the CSR is built from the uuid and service_name in the manifest.txt file: replace both with the actual values and join them with an underscore (_). The /CN field may contain 1 to 64 characters, so with a 36-character UUID and the underscore, service_name may be at most 27 characters.
- Send a PGP-encrypted email containing the cert_req_01.csr and configs.xml files to the Huawei Kunpeng service owner. Huawei returns the TA developer certificate (.pem) and the signed config binary file.
- Save the private_key.pem file generated when creating the key pair to the directory the SDK expects.
mv private_key.pem iTrustee_cloud_SDK/test/TA/rsa_demo/cloud/TA_cert
- Save the signed config binary file returned by Huawei to the directory the SDK expects.
mv config iTrustee_cloud_SDK/test/TA/rsa_demo/cloud/signed_config
- In the config_cloud.ini file, configure the storage paths of the TA private key and config file.
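The certificate application steps above, as an added worked example that wraps the two openssl commands from the page and adds the checks a practitioner wants before and after the round trip with Huawei: that the /CN is well-formed and within 64 characters, that the generated CSR really carries that CN, and that the returned .pem names the same CN and certifies the key in private_key.pem. This script is not SDK tooling. Assumed: openssl is on PATH, the file names are the page's defaults, the UUID is written in canonical lowercase hyphenated form (as /proc/sys/kernel/random/uuid prints it), and -nameopt RFC2253 is used to get a stable subject format to parse.

```python
#!/usr/bin/env python3
"""Generate the TA developer key and CSR, then verify the returned cert.

Added example, not part of the iTrustee SDK. Assumed: openssl on PATH; the
page's default file names; UUID in canonical lowercase hyphenated form.
In a commercial environment the private key belongs in an HSM/KMS, not in
a PEM file on disk as in this debugging-environment flow.
"""
import subprocess
import uuid as uuidlib

CN_MAX = 64                        # /CN is 1..64 characters, per the page
SUBJECT_PREFIX = "/C=CN/O=Huawei/OU=Huawei iTrustee Production"


def cn_problems(ta_uuid, service_name):
    """Return the reasons the CN would be rejected (empty list if it is fine)."""
    problems = []
    try:
        canonical = str(uuidlib.UUID(ta_uuid))
        if canonical != ta_uuid:               # assumed: canonical form required
            problems.append(f"uuid must be in canonical form {canonical}")
    except ValueError:
        problems.append(f"{ta_uuid!r} is not a UUID")
    if not service_name:
        problems.append("service_name must not be empty")
    cn_len = len(ta_uuid) + 1 + len(service_name)
    if cn_len > CN_MAX:
        problems.append(f"CN is {cn_len} characters; the limit is {CN_MAX}")
    return problems


def csr_subject(ta_uuid, service_name):
    """Build the -subj string: uuid and service_name joined by '_' in /CN."""
    problems = cn_problems(ta_uuid, service_name)
    if problems:
        raise ValueError("; ".join(problems))
    return f"{SUBJECT_PREFIX}/CN={ta_uuid}_{service_name}"


def cn_from_subject(line):
    """Extract CN from 'openssl ... -noout -subject -nameopt RFC2253' output."""
    line = line.strip()
    if line.startswith("subject="):
        line = line[len("subject="):]
    for rdn in line.split(","):                # no commas in our attribute values
        attr, _, value = rdn.partition("=")
        if attr.strip() == "CN":
            return value.strip()
    return None


def openssl(*args):
    """Run an openssl subcommand and return its stdout; raises on failure."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def make_key_and_csr(ta_uuid, service_name,
                     key="private_key.pem", csr="cert_req_01.csr"):
    """The two commands from the page, then read the CSR back to confirm its CN."""
    subj = csr_subject(ta_uuid, service_name)
    openssl("genrsa", "-out", key, "4096")
    openssl("req", "-new", "-key", key, "-out", csr, "-subj", subj)
    got = cn_from_subject(openssl("req", "-noout", "-subject",
                                  "-nameopt", "RFC2253", "-in", csr))
    if got != f"{ta_uuid}_{service_name}":
        raise RuntimeError(f"CSR carries CN {got!r}")
    return got


def check_received_cert(cert, expected_cn, key="private_key.pem"):
    """Checks on the .pem Huawei returns: CN unchanged, and it certifies our key."""
    cn = cn_from_subject(openssl("x509", "-noout", "-subject",
                                 "-nameopt", "RFC2253", "-in", cert))
    if cn != expected_cn:
        raise RuntimeError(f"certificate CN is {cn!r}, expected {expected_cn!r}")
    cert_pub = openssl("x509", "-noout", "-pubkey", "-in", cert)
    key_pub = openssl("pkey", "-pubout", "-in", key)
    if cert_pub != key_pub:
        raise RuntimeError("certificate public key does not match private_key.pem")
    return cn


if __name__ == "__main__":
    import sys
    if len(sys.argv) not in (3, 4):
        sys.exit("usage: gen_csr.py <uuid> <service_name> [received_cert.pem]")
    cn = make_key_and_csr(sys.argv[1], sys.argv[2])
    print("CSR CN:", cn)
    if len(sys.argv) == 4:
        print("certificate OK:", check_received_cert(sys.argv[3], cn))
```

The public-key comparison in check_received_cert is the cheap way to catch a certificate that was issued against the wrong CSR (for example a resubmission after regenerating the key) before it is copied into TA_cert and the first signed TA fails to load.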

To let independent software vendors (ISVs) try out the development process quickly, the preceding procedure is simplified for a debugging environment. In a commercial development environment, ISV developers must design their own security solution and take appropriate measures to protect the private keys used for certificate signing.
Recommended security measures include, but are not limited to:
- Store and use the signing key in a secure, tamper-resistant, encrypted manner, for example in a hardware security module (HSM).
- Enforce physical security: restrict physical access to the signing facility and platform, and restrict logins to the security module.
- Perform signing inside a key management system (KMS) so that the key is never handled manually.
Installing GPG
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic confidentiality and authentication for data communication. It is used to sign, encrypt, and decrypt text, emails, files, directories, and more. The following steps describe how to send a PGP-encrypted email on Windows.
- Download the Gpg4win software from the official website.
- Install Kleopatra and GpgOL.
- Start Kleopatra and choose the menu item for creating a new OpenPGP key pair.
The window for creating a key is displayed.
- Enter the name, email address, and passphrase to create a key pair.
- Select the certificate whose public key you want to export, click Export, and choose the target directory.
The exported public key file has the .asc extension.
Public keys must be exchanged in both directions. The sender imports the recipient's .asc public key into Kleopatra in order to encrypt to the recipient, and the recipient imports the sender's .asc public key in order to verify the sender's signature.
- Open Outlook and write an email.
- On the toolbar, open the GpgOL plugin, select Encrypt and Sign, and send the email.
The recipient will receive the encrypted and signed email.