TA Level-2 Certificate Import
The TrustZone TEE provides an execution environment that must be trusted. On an open server platform, the source of a trusted application (TA) is unpredictable. To ensure that the TEE is trusted and to prevent malicious applications from snooping on internal data, the TA identity and source must be verified. TEE OS 1.1.0 issues TA developer certificates to users and controls TA integrity verification.
On the cloud, TAs may be dynamically deployed, or even generated in real time. The existing process, in which Huawei issues TA developer certificates, does not meet these requirements. Therefore, TEE OS 1.2.0 and later versions support the import of customers' TA developer root or level-2 certificates. Cloud providers can deploy their own Public Key Infrastructure (PKI) systems on the cloud to dynamically sign TAs. TEE OS 1.3.0 and later versions support the import of TA developer certificate revocation lists (CRLs), including CRLs issued by Huawei or by customers' PKI systems.
For details about how to use this feature, see TA Level-2 Certificate Import.
- After the TA level-2 certificate is imported, the default Huawei public key for signature verification in the TEE becomes invalid. That is, TAs whose TA certificates were issued by Huawei can no longer be loaded. Manage the certificates and keys properly.
- The TAs in the certificate import tool still require TA certificates issued by Huawei. Before applying for a Huawei TA certificate, sign the applicable disclaimer.
- A TA level-2 certificate imported by the customer is encrypted and permanently stored by the TEE OS. It is recommended that the TA level-2 certificate be automatically re-imported at each system restart to protect against it being damaged or modified.
Restrictions
The firmware must be TEE OS 1.3.0 or later.