Introduction
The commercial cryptography application is built upon the Kunpeng Security Computing Cryptographic Module (Kunpeng SCCM), delivering intrinsic commercial cryptographic services that comply with the commercial cryptography level-2 certification.
The Kunpeng SCCM is a suite built on the Huawei-developed trusted execution environment (TEE) OS. The module includes a trusted application (TA) built into the TEE OS, and a client application (CA) that provides an API library and a key management tool. It gives security services convenient and secure access to cryptographic algorithm capabilities.
Application Scenarios
This cryptographic module complies with GM/T 0018-2012 and GM/T 0018-2023, and provides the general cryptographic service layer of public key infrastructure (PKI) applications with basic cryptographic services such as key generation, single-mode cryptographic operations, and file management. This cryptographic device is embedded in servers and can provide standard cryptographic APIs without adding any cryptographic cards or hardware security modules, achieving high reliability, low costs, and ease of use. Typical application scenarios include VPN gateways and application data encryption.
Software Architecture
The TEE OS is based on the TrustZone architecture. The cryptographic module management unit is loaded and runs once the TEE OS starts. Cryptographic operations are performed in the TEE, and standard SDF APIs are provided and called in the rich execution environment (REE).

libsdf.so is deployed in the REE to provide standard SDF APIs. Cryptographic operation requests from cryptographic applications are forwarded to the cryptographic module management unit in the TEE OS for processing.
For details about the Huawei TEE OS architecture, see System Architecture.
Principles
The Kunpeng SCCM runs on the Huawei-developed secure TEE OS. The REE provides the API library file libsdf.so that complies with GM/T 0018-2012 and GM/T 0018-2023. After a user application calls an API in libsdf.so, the request is forwarded to the TEE, where the cryptographic module management unit processes the request, the algorithm service unit performs cryptographic operations within the TEE OS's secure hardware and software foundation, and the secure storage service unit encrypts and stores data.
Basic Concepts
- Device key and internal user keys
  - Internal user keys are managed by the Kunpeng SCCM, while external user keys are managed by users.
  - The device key can be generated or installed only during device initialization. Internal user keys can be generated or installed using the cryptographic device management tool.
  - The device key and internal user keys are stored in the key storage area. Their index numbers start from 0. Each index number corresponds to a signature key pair and an encryption key pair. The index number 0 indicates the device key. The index numbers starting from 1 indicate user keys.
- Key encryption keys (KEKs)
  KEKs are generated or installed using the cryptographic device management tool, and stored in the key storage area with index numbers starting from 1. Their length is 128 bits.
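The following is an added example, not code from the Kunpeng SCCM documentation or SDK: a Python ctypes caller that follows the REE-side path described above and exports the signature and encryption public keys stored at one key index. The SDF function names and the ECCrefPublicKey layout follow GM/T 0018-2012. The library path, the use of ECC (SM2) key pairs, and the helper names key_role and export_public_keys are assumptions to check against the vendor header.

```python
import ctypes

SDR_OK = 0            # GM/T 0018 success return code
ECCREF_MAX_LEN = 64   # ECCref_MAX_BITS (512) / 8 in GM/T 0018-2012 (assumed to match the vendor header)

class ECCrefPublicKey(ctypes.Structure):
    """ECC public key structure as laid out in GM/T 0018-2012."""
    _fields_ = [("bits", ctypes.c_uint),
                ("x", ctypes.c_ubyte * ECCREF_MAX_LEN),
                ("y", ctypes.c_ubyte * ECCREF_MAX_LEN)]

def key_role(index):
    """Role of a key-storage index as the page defines it (hypothetical helper)."""
    if index < 0:
        raise ValueError("key index numbers start from 0")
    return "device key" if index == 0 else "internal user key"

def _check(rc, call):
    """Turn a non-zero SDF return code into an exception."""
    if rc != SDR_OK:
        raise RuntimeError(f"{call} failed: 0x{rc & 0xFFFFFFFF:08X}")

def export_public_keys(index, lib_path="libsdf.so"):
    """Return role plus both public keys for one index, or None if the library is absent."""
    role = key_role(index)  # reject bad indexes before any request reaches the TEE
    try:
        sdf = ctypes.CDLL(lib_path)  # lib_path is an assumption about the install location
    except OSError:
        return None
    dev, sess = ctypes.c_void_p(), ctypes.c_void_p()
    _check(sdf.SDF_OpenDevice(ctypes.byref(dev)), "SDF_OpenDevice")
    try:
        _check(sdf.SDF_OpenSession(dev, ctypes.byref(sess)), "SDF_OpenSession")
        try:
            out = {"role": role}
            # Each index holds a signature key pair and an encryption key pair.
            for name, fname in (("sign", "SDF_ExportSignPublicKey_ECC"),
                                ("enc", "SDF_ExportEncPublicKey_ECC")):
                pk = ECCrefPublicKey()
                _check(getattr(sdf, fname)(sess, ctypes.c_uint(index), ctypes.byref(pk)), fname)
                out[name] = (pk.bits, bytes(pk.x), bytes(pk.y))
            return out
        finally:
            sdf.SDF_CloseSession(sess)  # close in reverse order even on failure
    finally:
        sdf.SDF_CloseDevice(dev)

if __name__ == "__main__":
    for idx in (0, 1):  # device key, then the first internal user key
        print(idx, export_public_keys(idx))
```

On a host without libsdf.so the function returns None, so the same script can run as a deployment check before an application is pointed at the module.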
Impact on the System
Customer programs integrate libsdf.so to call SDF APIs, and libsdf.so calls the Kunpeng SCCM in the TEE through the driver. This does not affect the system in the REE.