CA and TA APIs

Secure Storage

  • Since confidential OS 1.7.1, users can configure the data block encryption size when calling the following trusted storage APIs to create persistent objects. Passing flags | TEE_DATA_FLAG_LARGE_CRYPTO_UNIT sets the size of encrypted blocks for secure storage to 3 KB. If the flag is not specified, encrypted blocks are 1 KB by default.
    TEE_Result TEE_CreatePersistentObject(uint32_t storageID, const void *objectID, size_t objectIDLen, uint32_t flags, TEE_ObjectHandle attributes, const void *initialData, size_t initialDataLen, TEE_ObjectHandle *object);
    TEE_Result TEE_OpenPersistentObject(uint32_t storageID, const void *objectID, size_t objectIDLen, uint32_t flags, TEE_ObjectHandle *object);
    The encrypted block size depends on the TEE OS version:
    1. The default block encryption size is 1 KB for the iTrustee OS and confidential OS 1.7.1 (and later).
    2. For confidential OS 1.7.0 and earlier, the block encryption size is 3 KB.

    If you need to migrate the secure storage files generated on the iTrustee OS to the confidential OS, use confidential OS 1.7.1 or later.

    If you need to migrate the secure storage files generated on confidential OS 1.7.0 or earlier to a later version, pass the 3 KB flag (TEE_DATA_FLAG_LARGE_CRYPTO_UNIT) in the flags argument of the API call.

    Configuration details:

    #define TEE_DATA_FLAG_LARGE_CRYPTO_UNIT 0x80000000
    ret = TEE_OpenPersistentObject(storageID, objectID, objectIDLen, flags | TEE_DATA_FLAG_LARGE_CRYPTO_UNIT, &object);
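
An added example, not part of the original documentation or the vendor's code: a helper that picks the flags for opening an object according to the block-size rules above, so that migrated files are opened with the block size they were written with. The names origin_os, parse_version and storage_open_flags are hypothetical, the version strings are constructed, and treating iTrustee objects as always 1 KB is an assumption based on the default stated above.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TEE_DATA_FLAG_LARGE_CRYPTO_UNIT 0x80000000u /* value from this page */

/* Hypothetical type, not part of the TEE API: the OS that wrote the object. */
enum origin_os { ORIGIN_ITRUSTEE, ORIGIN_CONFIDENTIAL_OS };

/* Strictly parse "major.minor.patch"; returns 0 on success, -1 otherwise. */
static int parse_version(const char *s, unsigned long v[3])
{
    for (int i = 0; i < 3; i++) {
        char *end;
        if (s == NULL || !isdigit((unsigned char)*s))
            return -1;
        v[i] = strtoul(s, &end, 10);
        if (*end != (i < 2 ? '.' : '\0'))
            return -1;              /* missing component or trailing text */
        s = end + 1;
    }
    return 0;
}

/* Writes the flags to pass to TEE_OpenPersistentObject; -1 on bad input.
 * created_large: the object was created on 1.7.1+ with the 3 KB flag set. */
int storage_open_flags(enum origin_os os, const char *version, int created_large,
                       uint32_t base_flags, uint32_t *out_flags)
{
    unsigned long v[3];
    if (out_flags == NULL || parse_version(version, v) != 0)
        return -1;
    int large = created_large;      /* confidential OS 1.7.1+: caller's choice */
    if (os == ORIGIN_ITRUSTEE)
        large = 0;                  /* iTrustee OS: 1 KB blocks */
    else if (v[0] < 1 || (v[0] == 1 && (v[1] < 7 || (v[1] == 7 && v[2] == 0))))
        large = 1;                  /* confidential OS 1.7.0 and earlier: 3 KB */
    base_flags &= ~(uint32_t)TEE_DATA_FLAG_LARGE_CRYPTO_UNIT;
    *out_flags = large ? (base_flags | TEE_DATA_FLAG_LARGE_CRYPTO_UNIT) : base_flags;
    return 0;
}

int main(void)
{
    uint32_t flags = 0;
    int rc = storage_open_flags(ORIGIN_CONFIDENTIAL_OS, "1.7.0", 0, 0x1, &flags);
    printf("rc=%d flags=0x%08lx\n", rc, (unsigned long)flags);
    return rc == 0 ? 0 : 1;
}
```

A malformed version string is rejected rather than guessed at, so the caller has to state which OS release produced the file before any flags are chosen.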