Applying for a TA Developer Certificate in a Debugging Environment
Before developing TA service code, apply to Huawei for the TA developer certificate and the config binary file. As the unique identifier of a TA, a TA developer certificate contains the TA UUID and name. The config binary file is used to manage the TEE resources available to the TA.
Create a configs.xml file.
- Create the configs.xml file based on the following example, which describes the TEE resource configuration that will be bound to the TA certificate. An example of the configs.xml file:

    <?xml version="1.0" encoding="utf-8"?>
    <ConfigInfo>
        <TA_Basic_Info>
            <service_name>rsa-demo</service_name>
            <uuid>f68fd704-6eb1-4d14-b218-722850eb3ef0</uuid>
        </TA_Basic_Info>
        <TA_Manifest_Info>
            <instance_keep_alive>false</instance_keep_alive>
            <stack_size>40960</stack_size>
            <heap_size>67928064</heap_size>
            <multi_command>false</multi_command>
            <multi_session>false</multi_session>
            <single_instance>true</single_instance>
            <mem_page_align>false</mem_page_align>
        </TA_Manifest_Info>
    </ConfigInfo>
- Change the values in the template based on your requirements and the description of the following fields.
Table 1 TA's TEE resource configuration in the configs.xml file. Each entry gives the configs.xml item, its description, and the corresponding configuration item in manifest.txt.

- service_name (manifest.txt: gpd.ta.service_name)
  TA name, chosen by the developer. It can contain a maximum of 36 characters: digits, letters, underscores (_), or hyphens (-).
- uuid (manifest.txt: gpd.ta.appID)
  TA identifier, used together with service_name to uniquely identify a TA.
- instance_keep_alive (manifest.txt: gpd.ta.instanceKeepAlive)
  Whether the TA stays resident in TEE memory. If true, the TA is not unloaded after being loaded unless the environment is restarted or the TA crashes.
- stack_size (manifest.txt: gpd.ta.stackSize)
  Size of the stack required by the TA. The maximum is 8 MB.
- heap_size (manifest.txt: gpd.ta.dataSize)
  Size of the heap required by the TA.
- multi_session (manifest.txt: gpd.ta.multiSession)
  Whether the TA requires multiple sessions for communication.
- single_instance (manifest.txt: gpd.ta.singleInstance)
  Whether the TA runs as a single instance.
- mem_page_align (manifest.txt: gpd.ta.mem_page_align)
  Whether the size fields are page aligned. If true, stack_size and heap_size are expressed in 4 KB pages; if false, they are expressed in bytes.
- sys_verify_ta (manifest.txt: gpd.ta.sys_verify_ta)
  Whether the TA is a system TA. When a level-2 certificate is used, the common TA certificate issued by Huawei becomes invalid, but a system TA can still be used.
- The uuid field specifies the TA service ID. Ensure that the UUID is unique. (The UUID in the template is already in use; generate a new one.) On Linux, run cat /proc/sys/kernel/random/uuid to obtain a randomly generated UUID.
- The stack_size and heap_size fields specify the available stack space (bytes) and the maximum heap space (bytes) of the TA, respectively. The secure OS iTrustee currently supports a maximum of 128 concurrent threads per TA, so a heap of at least 256 KB x 2 x 128 must be reserved for a TA. For example, if the TA's own functions need an additional 4 KB of heap, heap_size is (256 x 2 x 128 + 4) x 1024 = 67112960 bytes. This reservation does not apply to stack_size; stack_size, however, cannot exceed 8 MB.
- By default, stack_size and heap_size are given in bytes and parsed as an int, so the maximum value is 2 GB. If the TA needs more than 2 GB of heap, set mem_page_align to true. Both stack_size and heap_size are then expressed in 4 KB pages (4096 bytes per unit), so recalculate both values, and add gpd.ta.mem_page_align: true to the manifest.txt file.
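The size rules above (the 256 KB x 2 x 128 heap reservation, the 8 MB stack limit, and the switch to 4 KB page units when a value would overflow an int) are easy to get wrong by hand. The following POSIX shell script is an added example written for this page, not Huawei's tooling: it computes heap_size from an extra-KB figure, validates the sizes, converts to page units when needed, and emits a configs.xml in the layout shown above. The helper names (ta_heap_bytes, ta_size_fields, write_configs_xml) and the INT_MAX cut-off of 2^31 - 1 are this example's assumptions; the UUID passed in must be one you generated yourself.

```shell
#!/bin/sh
# Added example for this page (not Huawei's tooling): derive iTrustee TA size
# fields and emit configs.xml. Helper names are this example's own.

MAX_TA_THREADS=128                     # concurrent-thread limit stated in the text
PER_THREAD_KB=$((256 * 2))             # 256 KB x 2 reserved per thread
MAX_STACK_BYTES=$((8 * 1024 * 1024))   # stack_size may not exceed 8 MB
INT_MAX=2147483647                     # sizes are parsed as int unless mem_page_align is true (assumed 2^31-1)
PAGE_BYTES=4096                        # unit of stack_size/heap_size when mem_page_align is true

# ta_heap_bytes EXTRA_KB
# Minimum heap_size in bytes: (256 x 2 x 128 + EXTRA_KB) x 1024.
ta_heap_bytes() {
    echo $(( (PER_THREAD_KB * MAX_TA_THREADS + $1) * 1024 ))
}

# ta_size_fields STACK_BYTES HEAP_BYTES
# Prints "stack_size heap_size mem_page_align" in the units the parser expects:
# bytes while both fit in an int, otherwise whole 4 KB pages (rounded up).
ta_size_fields() {
    stack=$1; heap=$2
    if [ "$stack" -gt "$MAX_STACK_BYTES" ]; then
        echo "stack_size $stack exceeds the 8 MB limit" >&2
        return 1
    fi
    if [ "$heap" -gt "$INT_MAX" ] || [ "$stack" -gt "$INT_MAX" ]; then
        echo "$(( (stack + PAGE_BYTES - 1) / PAGE_BYTES )) $(( (heap + PAGE_BYTES - 1) / PAGE_BYTES )) true"
    else
        echo "$stack $heap false"
    fi
}

# write_configs_xml SERVICE_NAME UUID STACK_BYTES HEAP_BYTES
# Writes a configs.xml in the template layout to stdout.
write_configs_xml() {
    fields=$(ta_size_fields "$3" "$4") || return 1
    set -- "$1" "$2" $fields
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<ConfigInfo>
    <TA_Basic_Info>
        <service_name>$1</service_name>
        <uuid>$2</uuid>
    </TA_Basic_Info>
    <TA_Manifest_Info>
        <instance_keep_alive>false</instance_keep_alive>
        <stack_size>$3</stack_size>
        <heap_size>$4</heap_size>
        <multi_command>false</multi_command>
        <multi_session>false</multi_session>
        <single_instance>true</single_instance>
        <mem_page_align>$5</mem_page_align>
    </TA_Manifest_Info>
</ConfigInfo>
EOF
}

# Usage: sh ta_configs.sh rsa-demo <your-uuid> 40960 "$(ta_heap_bytes 4)" > configs.xml
if [ $# -eq 4 ]; then
    write_configs_xml "$@"
fi
```

When ta_size_fields reports true for mem_page_align, remember that the same switch has to be mirrored in manifest.txt (gpd.ta.mem_page_align: true), otherwise the page-unit values will be read as bytes.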
Applying for a TA Developer Certificate
- Generate a local key pair.
openssl genrsa -out private_key.pem 4096
- Generate a CSR request.
openssl req -new -key private_key.pem -out cert_req_01.csr -subj "/C=CN/O=Huawei/OU=Huawei iTrustee Production/CN=f68fd704-6eb1-4d14-b218-722850eb3ef0_rsa-demo"
- The /CN field of the CSR is built from uuid and service_name in configs.xml (gpd.ta.appID and gpd.ta.service_name in manifest.txt). Replace them with your actual values, joined by an underscore (_). (Do not use the UUID from the template; generate a new one.) The /CN field must be 1 to 64 characters long, the uuid must be lowercase, and the uuid_service_name combination must be unique.
- The other subject fields must be exactly as shown in the command: the prefix /C=CN/O=Huawei/OU=Huawei iTrustee Production/CN= must not be changed. Check the CSR with the following command:
openssl req -noout -text -in cert_req_01.csr
- Send a PGP-encrypted email containing the cert_req_01.csr and configs.xml files to the Huawei Kunpeng service owner. After your request is approved, Huawei returns the TA developer certificate (ta_cert.der) and the signed config binary file.
- For details about how to send a PGP-encrypted email, see Installing PGP. In a debugging environment, the email does not need to be GPG-encrypted.
- If you do not know the email address of the Huawei Kunpeng owner, contact your Huawei contact person for email forwarding.
- If you need to frequently obtain certificates or issue certificates by yourself, apply for the TA certificate of the level-2 certificate import tool by following instructions in TA Level-2 Certificate Import.
- Place the private_key.pem file generated when creating the key pair and the signed config binary file received from Huawei in the path specified in the TA compilation configuration file config_cloud.ini. You can then compile the TA.
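Because Huawei binds the certificate to the exact /CN string, a CSR with an uppercase UUID, a service name outside the allowed character set, or a CN over 64 characters costs a full request round trip. The following POSIX shell script is an added example written for this page, not Huawei's tooling: it validates uuid and service_name against the rules stated above, assembles the fixed subject prefix, and only then runs the openssl commands from the procedure and reads the subject back out of the resulting CSR. The helper names (ta_csr_subject, make_ta_csr), the regular expressions, and the chmod on the private key are this example's assumptions; the UUID in the usage line is a placeholder you must replace with one you generated.

```shell
#!/bin/sh
# Added example for this page (not Huawei's tooling): validate and build the CSR
# subject for an iTrustee TA developer certificate, then generate key and CSR.

# Fixed part of the subject; the text says it must not be changed.
FIXED_SUBJECT_PREFIX="/C=CN/O=Huawei/OU=Huawei iTrustee Production/CN="

# ta_csr_subject UUID SERVICE_NAME
# Prints the complete -subj value, or fails with a reason on stderr.
ta_csr_subject() {
    uuid=$1; name=$2
    # uuid: lowercase 8-4-4-4-12 hex text form (lowercase is required by the text)
    printf '%s\n' "$uuid" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$' \
        || { echo "uuid must be lowercase 8-4-4-4-12 hex: $uuid" >&2; return 1; }
    # service_name: 1 to 36 digits, letters, underscores or hyphens
    printf '%s\n' "$name" | grep -Eq '^[0-9A-Za-z_-]{1,36}$' \
        || { echo "service_name must be 1-36 chars of [0-9A-Za-z_-]: $name" >&2; return 1; }
    cn="${uuid}_${name}"
    # CN is limited to 64 chars; a 36-char uuid plus '_' leaves at most 27 for service_name
    [ "${#cn}" -le 64 ] \
        || { echo "CN exceeds 64 characters (${#cn}): $cn" >&2; return 1; }
    printf '%s%s\n' "$FIXED_SUBJECT_PREFIX" "$cn"
}

# make_ta_csr UUID SERVICE_NAME [OUTDIR]
# Generates private_key.pem and cert_req_01.csr in OUTDIR (default .) using the
# commands from the procedure, then prints the subject read back from the CSR.
make_ta_csr() {
    subj=$(ta_csr_subject "$1" "$2") || return 1
    dir=${3:-.}
    openssl genrsa -out "$dir/private_key.pem" 4096 || return 1
    chmod 600 "$dir/private_key.pem"   # assumption: the signing key should not be world-readable
    openssl req -new -key "$dir/private_key.pem" -out "$dir/cert_req_01.csr" -subj "$subj" || return 1
    # Confirm what actually went into the CSR before mailing it
    openssl req -noout -subject -in "$dir/cert_req_01.csr"
}

# Usage: sh ta_csr.sh <your-uuid> rsa-demo [outdir]
if [ $# -ge 2 ]; then
    make_ta_csr "$@"
fi
```

The uuid check deliberately rejects uppercase hex, which cat /proc/sys/kernel/random/uuid never produces but a UUID pasted from another tool often does.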
To help independent software vendors (ISVs) quickly experience the development process, the preceding procedure is simplified for a debugging environment. In commercial development environments, ISV developers must design security solutions by themselves and take appropriate measures to protect their certificate signature keys.
Recommended security measures include but are not limited to:
- Store signing keys in a secure, tamper-resistant, and encrypted manner, for example in a hardware security module (HSM).
- Enforce physical security, including restricting physical access to the signing facility or platform and restricting logins to the security module.
- Perform the signing process inside a key management system (KMS) so that keys are never handled manually.
Installing PGP
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and more. The following operations explain how to send a PGP-encrypted email on Windows.
- Download the Gpg4win software from the official website.
- Install Kleopatra and GpgOL.
- Start Kleopatra and choose the menu item for creating an OpenPGP key pair.
The window for creating a key is displayed.
- Enter the name, email address, and passphrase to create a key pair.
- Select the user whose public key needs to be exported, click Export, and select the target directory.
The name extension of the exported public key file is asc.
To exchange PGP-encrypted email, the recipient imports the sender's .asc public key into Kleopatra on the recipient side, and the sender likewise imports the recipient's .asc public key on the sender side.
- Open Outlook and write an email.
- On the toolbar, select the GpgOL plugin and select Encrypt and Sign, and send the email.
The recipient will receive the encrypted and signed email.