SE050 Secure Element Storage Analysis
Overview
OP-TEE 提供了对 NXP SE050 系列安全元件的完整集成,实现硬件级安全存储和密码学处理。SE050 作为独立的硬件安全模块(HSM),为 TEE 环境提供额外的安全层,支持密钥存储、密码学操作和安全通信。SE050 Architecture Integration
系统架构层次
Copy
┌─────────────────────────────────────────────────────────────┐
│ TEE Application Layer │
│ (GP API + SE050-specific operations) │
├─────────────────────────────────────────────────────────────┤
│ TEE OS Crypto Framework │
│ • crypto_storage_obj_*() • crypto_se_do_apdu() │
├─────────────────────────────────────────────────────────────┤
│ SSS API Abstraction Layer │
│ • sss_se05x_session_*() • sss_se05x_key_store_*() │
├─────────────────────────────────────────────────────────────┤
│ SE050 Driver Implementation │
│ ┌─────────────────┐ ┌─────────────────────────────────────┐│
│ │ Session Mgmt │ │ Storage Operations ││
│ │ • SCP03 Auth │ │ • Object Lifecycle • Key Mgmt ││
│ │ • Key Rotation │ │ • Watermarking • OID Mgmt ││
│ └─────────────────┘ └─────────────────────────────────────┘│
├─────────────────────────────────────────────────────────────┤
│ APDU Communication Layer │
│ • ISO7816-4 Protocol • T=1 over I2C │
├─────────────────────────────────────────────────────────────┤
│ Hardware SE050 Secure Element │
│ • NVM Storage • Crypto Engine • SCP03 Protocol │
└─────────────────────────────────────────────────────────────┘
支持的 SE050 设备型号
Copy
// SE050 设备标识符
#define SE050A1_ID 0xA204 // SE050A1 - 基础版本
#define SE050A2_ID 0xA205 // SE050A2 - 增强版本
#define SE050B1_ID 0xA202 // SE050B1 - 商业版本
#define SE050B2_ID 0xA203 // SE050B2 - 商业增强版
#define SE050C1_ID 0xA200 // SE050C1 - 通用版本
#define SE050C2_ID 0xA201 // SE050C2 - 通用增强版
#define SE050F_ID 0xA92A // SE050F - FIPS 140-2认证版本
#define SE051A_ID 0xA920 // SE051A - 下一代版本
#define SE052F2_ID 0xB501 // SE052F2 - 高级FIPS版本
SSS (Secure Storage Service) API Integration
核心上下文结构
Copy
struct sss_se05x_ctx {
SE_Connect_Ctx_t open_ctx; // 连接上下文
sss_se05x_session_t session; // SE050会话
sss_se05x_key_store_t ks; // 密钥存储
// SCP03认证上下文
struct se050_auth_ctx {
NXSCP03_StaticCtx_t static_ctx; // 静态认证上下文
NXSCP03_DynCtx_t dynamic_ctx; // 动态认证上下文
} se05x_auth;
// 主机端会话和密钥存储
sss_user_impl_session_t host_session;
sss_key_store_t host_ks;
// SE050设备信息
struct se05x_se_info {
uint8_t applet[3]; // Applet版本
uint8_t oefid[2]; // 对象交换格式标识符
} se_info;
};
会话初始化和认证
Copy
sss_status_t se050_session_open(struct sss_se05x_ctx *ctx,
struct se050_scp_key *current_keys)
{
SE_Connect_Ctx_t *connect_ctx = &ctx->open_ctx;
sss_se05x_session_t *session = &ctx->session;
// 配置I2C连接类型
connect_ctx->connType = kType_SE_Conn_Type_T1oI2C;
connect_ctx->portName = NULL;
if (!current_keys) {
// 明文连接模式
return sss_se05x_session_open(session, kType_SSS_SE_SE05x, 0,
kSSS_ConnectionType_Plain, connect_ctx);
}
// 配置SCP03认证加密连接
status = se050_configure_host(&ctx->host_session, &ctx->host_ks,
&ctx->open_ctx, &ctx->se05x_auth,
kSSS_AuthType_SCP03, current_keys);
if (status != kStatus_SSS_Success)
return status;
// 建立认证会话
return sss_se05x_session_open(session, kType_SSS_SE_SE05x, 0,
kSSS_ConnectionType_Encrypted, connect_ctx);
}
Object Management and Lifecycle
对象标识符管理
Copy
// OID (Object Identifier) 管理
#define OID_MIN 0x00000001
#define OID_MAX 0x7BFFFFFE
#define SE050_KEY_WATERMARK 0x57721566
#define WATERMARKED(x) ((uint64_t)(((uint64_t)SE050_KEY_WATERMARK) << 32) + (x))
// 瞬态存储器阈值
#define TRANSIENT_MEMORY_THRESHOLD 1000
对象生命周期管理
1. OID 生成和内存管理
Copy
sss_status_t se050_get_oid(uint32_t *val)
{
sss_status_t status = kStatus_SSS_Success;
SE05x_MemoryType_t mem_t = 0;
// 检查瞬态存储器可用性
status = se050_get_free_memory(&se050_session->s_ctx, &mem_t,
kSE05x_MemoryType_TRANSIENT_DESELECT);
if (status != kStatus_SSS_Success)
return status;
// 内存不足时清理瞬态对象
if (mem_t < TRANSIENT_MEMORY_THRESHOLD) {
DMSG("Low transient memory (%u), deleting transient objects", mem_t);
delete_transient_objects();
}
// 生成新的OID
return generate_oid(val);
}
static sss_status_t generate_oid(uint32_t *val)
{
// 使用硬件随机数生成器
if (crypto_rng_read(val, sizeof(*val)) != TEE_SUCCESS)
return kStatus_SSS_Fail;
// 确保OID在有效范围内
*val = (*val % (OID_MAX - OID_MIN + 1)) + OID_MIN;
return kStatus_SSS_Success;
}
2. 对象删除和水印验证
Copy
TEE_Result crypto_storage_obj_del(struct tee_obj *o)
{
TEE_Result res = TEE_ERROR_GENERIC;
uint8_t *buf = NULL;
size_t len = 0;
uint32_t val = 0;
bool found = false;
uint8_t *p = NULL;
// 读取对象内容
res = tee_obj_get(o, TEE_PROPSET_TEE_TA_OBJECT,
TEE_ATTR_OBJECT_VALUE, (void **)&buf, &len);
if (res != TEE_SUCCESS)
return res;
p = buf;
// 扫描水印标记
while (len >= sizeof(uint32_t) && !found) {
memcpy(&val, p, sizeof(val));
// 检查是否为SE050密钥水印
if (memcmp(p, &SE050_KEY_WATERMARK, sizeof(SE050_KEY_WATERMARK)) != 0) {
p++;
len--;
continue;
}
// 提取OID
if (len >= 2 * sizeof(uint32_t)) {
memcpy(&val, p + sizeof(uint32_t), sizeof(val));
found = true;
} else {
p++;
len--;
}
}
// 验证OID有效性并删除
if (found && val >= OID_MIN && val <= OID_MAX) {
sss_object_t k_object = { 0 };
sss_status_t status;
status = sss_se05x_key_object_init(&k_object, se050_kstore);
if (status != kStatus_SSS_Success)
return TEE_ERROR_GENERIC;
status = sss_se05x_key_object_allocate_handle(&k_object, val,
kSSS_KeyPart_Default,
kSSS_CipherType_AES,
256, kKeyObject_Mode_Persistent);
if (status != kStatus_SSS_Success)
return TEE_ERROR_GENERIC;
// 从SE050硬件删除对象
status = sss_se05x_key_store_erase_key(se050_kstore, &k_object);
if (status != kStatus_SSS_Success)
EMSG("Failed to erase key from SE050: 0x%x", status);
}
return TEE_SUCCESS;
}
3. 瞬态对象清理机制
Copy
static void delete_transient_objects(void)
{
uint8_t list[1024] = { 0 };
size_t listlen = sizeof(list);
SE05x_Result_t result = kSE05x_Result_NA;
// 获取瞬态对象列表
result = Se05x_API_ReadIDList(&se050_session->s_ctx, 0x00, 0xFF,
kSE05x_INS_READ_With_TypeFilter,
kSE05x_SecObjTyp_TRANSIENT_OBJ,
list, &listlen);
if (result == kSE05x_Result_SUCCESS && listlen > 0) {
// 删除所有瞬态对象
for (size_t i = 0; i < listlen; i += 4) {
uint32_t id = 0;
memcpy(&id, &list[i], sizeof(id));
result = Se05x_API_DeleteSecureObject(&se050_session->s_ctx, id);
if (result == kSE05x_Result_SUCCESS)
DMSG("Deleted transient object 0x%08x", id);
}
}
}
SCP03 Security Protocol Implementation
SCP03 密钥结构
Copy
#define SE050_SCP03_KEY_SZ 16
struct se050_scp_key {
uint8_t enc[SE050_SCP03_KEY_SZ]; // 加密密钥 (AES-128)
uint8_t mac[SE050_SCP03_KEY_SZ]; // MAC密钥 (AES-128)
uint8_t dek[SE050_SCP03_KEY_SZ]; // 数据加密密钥 (AES-128)
};
// SCP03密钥来源
enum se050_scp03_ksrc {
SCP03_CFG, // 配置文件密钥
SCP03_DERIVED, // HUK派生密钥
SCP03_OFID // OEFID基密钥
};
SCP03 认证和加密通道建立
Copy
sss_status_t se050_configure_host(sss_user_impl_session_t *host_session,
sss_key_store_t *host_ks,
SE_Connect_Ctx_t *se05x_open_ctx,
struct se050_auth_ctx *auth_ctx,
uint32_t auth_type,
struct se050_scp_key *keys)
{
sss_status_t status = kStatus_SSS_Success;
// 初始化主机端会话
status = sss_user_impl_session_open(host_session, kType_SSS_Software, 0,
kSSS_ConnectionType_Plain, NULL);
if (status != kStatus_SSS_Success)
return status;
// 创建主机端密钥存储
status = sss_key_store_context_init(host_ks, host_session);
if (status != kStatus_SSS_Success)
goto cleanup_session;
status = sss_key_store_allocate(host_ks, __LINE__);
if (status != kStatus_SSS_Success)
goto cleanup_session;
// 配置SCP03静态上下文
se05x_open_ctx->auth.ctx.scp03.pStatic_ctx = &auth_ctx->static_ctx;
se05x_open_ctx->auth.ctx.scp03.pDyn_ctx = &auth_ctx->dynamic_ctx;
// 导入SCP03密钥到主机密钥存储
status = import_scp03_keys(host_ks, keys);
if (status != kStatus_SSS_Success)
goto cleanup_keystore;
return kStatus_SSS_Success;
cleanup_keystore:
sss_key_store_context_free(host_ks);
cleanup_session:
sss_user_impl_session_close(host_session);
return status;
}
SCP03 密钥轮换机制
Copy
sss_status_t se050_rotate_scp03_keys(struct sss_se05x_ctx *ctx)
{
struct se050_scp_key new_keys = { 0 };
sss_status_t status = kStatus_SSS_Success;
struct se050_scp03_rotate_cmd cmd = { 0 };
// 生成或派生新密钥
if (IS_ENABLED(CFG_CORE_SE05X_SCP03_PROVISION_WITH_FACTORY_KEYS)) {
status = se050_scp03_get_keys(&new_keys, SCP03_OFID);
} else {
status = se050_scp03_subkey_derive(&new_keys);
}
if (status != kStatus_SSS_Success) {
EMSG("Failed to derive new SCP03 keys");
return status;
}
// 准备密钥轮换命令
status = se050_scp03_prepare_rotate_cmd(ctx, &cmd, &new_keys);
if (status != kStatus_SSS_Success) {
EMSG("Failed to prepare key rotation command");
return status;
}
// 执行密钥轮换
status = se050_scp03_send_rotate_cmd(&ctx->session.s_ctx, &cmd);
if (status != kStatus_SSS_Success) {
EMSG("Failed to rotate SCP03 keys in SE050");
return status;
}
// 使用新密钥重新建立会话
status = se050_core_early_init(&new_keys);
if (status != kStatus_SSS_Success) {
EMSG("Failed to re-initialize with new keys");
return status;
}
DMSG("SCP03 key rotation completed successfully");
return kStatus_SSS_Success;
}
HUK 基密钥派生
Copy
static sss_status_t se050_scp03_subkey_derive(struct se050_scp_key *keys)
{
TEE_Result res = TEE_SUCCESS;
uint8_t huk[HUK_SIZE] = { 0 };
uint8_t salt[] = "SE050_SCP03_SUBKEY";
// 获取硬件唯一密钥
res = tee_otp_get_hw_unique_key(huk, sizeof(huk));
if (res != TEE_SUCCESS) {
EMSG("Failed to get HUK: 0x%x", res);
return kStatus_SSS_Fail;
}
// 使用HKDF派生SCP03密钥
res = hkdf_sha256_derive(huk, sizeof(huk),
salt, sizeof(salt) - 1,
NULL, 0, // 无info参数
(uint8_t *)keys, sizeof(*keys));
if (res != TEE_SUCCESS) {
EMSG("Failed to derive SCP03 keys: 0x%x", res);
return kStatus_SSS_Fail;
}
return kStatus_SSS_Success;
}
Advanced Cryptographic Features
对象访问策略定义
Copy
// 非对称密钥访问策略
static const sss_policy_u asym_key_policy = {
.type = KPolicy_Asym_Key,
.auth_obj_id = 0,
.policy = {
.asymmkey = {
.can_Sign = 1, // 数字签名
.can_Verify = 1, // 签名验证
.can_Encrypt = 1, // 非对称加密
.can_Decrypt = 1, // 非对称解密
.can_KD = 1, // 密钥派生
.can_Wrap = 1, // 密钥包装
.can_Write = 1, // 写入操作
.can_Gen = 1, // 密钥生成
.can_Import_Export = 1, // 导入/导出
.can_KA = 1, // 密钥协商
.can_Read = 1, // 读取操作
.can_Attest = 1, // 密钥证明
}
}
};
// 对称密钥访问策略
static const sss_policy_u sym_key_policy = {
.type = KPolicy_Sym_Key,
.auth_obj_id = 0,
.policy = {
.symmkey = {
.can_Encrypt = 1, // 对称加密
.can_Decrypt = 1, // 对称解密
.can_KD = 1, // 密钥派生
.can_Wrap = 1, // 密钥包装
.can_Write = 1, // 写入操作
.can_Gen = 1, // 密钥生成
.can_Import_Export = 1, // 导入/导出
.can_Read = 1, // 读取操作
}
}
};
支持的密码学算法
1. 非对称密码学
Copy
// RSA算法支持
static const struct crypto_rsa_keypair se050_rsa_keypairs[] = {
{ .key_size_bits = 1024, .mgf_type = TEE_ALG_MGF1_SHA1 },
{ .key_size_bits = 2048, .mgf_type = TEE_ALG_MGF1_SHA256 },
{ .key_size_bits = 3072, .mgf_type = TEE_ALG_MGF1_SHA384 },
{ .key_size_bits = 4096, .mgf_type = TEE_ALG_MGF1_SHA512 },
};
// ECC曲线支持
static const struct crypto_ecc_curve se050_ecc_curves[] = {
// NIST曲线
{ .curve_id = TEE_ECC_CURVE_NIST_P192, .key_size_bytes = 24 },
{ .curve_id = TEE_ECC_CURVE_NIST_P224, .key_size_bytes = 28 },
{ .curve_id = TEE_ECC_CURVE_NIST_P256, .key_size_bytes = 32 },
{ .curve_id = TEE_ECC_CURVE_NIST_P384, .key_size_bytes = 48 },
{ .curve_id = TEE_ECC_CURVE_NIST_P521, .key_size_bytes = 66 },
// Brainpool曲线
{ .curve_id = TEE_ECC_CURVE_BP_P256R1, .key_size_bytes = 32 },
{ .curve_id = TEE_ECC_CURVE_BP_P384R1, .key_size_bytes = 48 },
{ .curve_id = TEE_ECC_CURVE_BP_P512R1, .key_size_bytes = 64 },
// Edwards曲线
{ .curve_id = TEE_ECC_CURVE_25519, .key_size_bytes = 32 },
{ .curve_id = TEE_ECC_CURVE_448, .key_size_bytes = 57 },
};
2. 对称密码学
Copy
// AES算法变体支持
enum se050_aes_mode {
SE050_AES_ECB = 0x01, // ECB模式
SE050_AES_CBC = 0x02, // CBC模式
SE050_AES_CFB = 0x04, // CFB模式
SE050_AES_OFB = 0x08, // OFB模式
SE050_AES_CTR = 0x10, // CTR模式
SE050_AES_GCM = 0x20, // GCM模式
SE050_AES_CCM = 0x40, // CCM模式
};
// 密钥长度支持
enum se050_key_length {
SE050_AES_128 = 128, // AES-128
SE050_AES_192 = 192, // AES-192
SE050_AES_256 = 256, // AES-256
SE050_DES_64 = 64, // DES
SE050_3DES_112 = 112, // 3DES-2KEY
SE050_3DES_168 = 168, // 3DES-3KEY
};
密钥证明和认证
Copy
TEE_Result se050_key_attestation(uint32_t key_id, uint8_t *cert, size_t *cert_len)
{
sss_status_t status = kStatus_SSS_Success;
sss_object_t key_obj = { 0 };
uint8_t challenge[32] = { 0 };
size_t challenge_len = sizeof(challenge);
// 生成随机挑战
if (crypto_rng_read(challenge, challenge_len) != TEE_SUCCESS)
return TEE_ERROR_GENERIC;
// 初始化密钥对象
status = sss_se05x_key_object_init(&key_obj, se050_kstore);
if (status != kStatus_SSS_Success)
return TEE_ERROR_GENERIC;
status = sss_se05x_key_object_get_handle(&key_obj, key_id);
if (status != kStatus_SSS_Success)
return TEE_ERROR_ITEM_NOT_FOUND;
// 执行密钥证明操作
status = sss_se05x_asymmetric_attest(&se050_session->s_ctx, &key_obj,
challenge, challenge_len,
cert, cert_len);
if (status != kStatus_SSS_Success)
return TEE_ERROR_GENERIC;
return TEE_SUCCESS;
}
PTA (Pseudo Trusted Application) Interfaces
APDU 接口 PTA
Copy
// PTA UUID: 3f3eb880-3639-11ec-9b9d-0f3fc9468f50
#define PTA_SE050_APDU_UUID \
{ 0x3f3eb880, 0x3639, 0x11ec, \
{ 0x9b, 0x9d, 0x0f, 0x3f, 0xc9, 0x46, 0x8f, 0x50 } }
#define PTA_CMD_TXRX_APDU_RAW_FRAME 0
// ISO7816-4 APDU处理
TEE_Result crypto_se_do_apdu(enum crypto_apdu_type type,
uint8_t *hdr, size_t hdr_len,
uint8_t *src_data, size_t src_len,
uint8_t *dst_data, size_t *dst_len)
{
TEE_Result res = TEE_SUCCESS;
uint8_t case_type = 0;
// 根据ISO7816-4确定APDU case类型
if (src_len == 0 && *dst_len == 0) {
case_type = 1; // Case 1: 无数据传输
} else if (src_len == 0 && *dst_len > 0) {
case_type = 2; // Case 2: 从卡读取数据
} else if (src_len > 0 && *dst_len == 0) {
case_type = 3; // Case 3: 向卡发送数据
} else {
case_type = 4; // Case 4: 双向数据传输
}
// 执行APDU交易
switch (type) {
case CRYPTO_APDU_RAW:
res = se050_apdu_raw_frame(hdr, hdr_len, src_data, src_len,
dst_data, dst_len, case_type);
break;
case CRYPTO_APDU_SECURE:
res = se050_apdu_secure_frame(hdr, hdr_len, src_data, src_len,
dst_data, dst_len, case_type);
break;
default:
res = TEE_ERROR_NOT_SUPPORTED;
}
return res;
}
SCP03 管理 PTA
Copy
// PTA UUID: be0e5821-e718-4f77-ab3e-8e6c73a9c735
#define PTA_SE050_SCP03_UUID \
{ 0xbe0e5821, 0xe718, 0x4f77, \
{ 0xab, 0x3e, 0x8e, 0x6c, 0x73, 0xa9, 0xc7, 0x35 } }
#define PTA_CMD_ENABLE_SCP03 0
#define PTA_SCP03_SESSION_CURRENT_KEYS 0
#define PTA_SCP03_SESSION_ROTATE_KEYS 1
TEE_Result crypto_se_enable_scp03(bool rotate_keys)
{
struct sss_se05x_ctx *ctx = &se050_ctx;
struct se050_scp_key current_keys = { 0 };
TEE_Result res = TEE_SUCCESS;
if (rotate_keys) {
// 轮换SCP03密钥
if (se050_rotate_scp03_keys(ctx) != kStatus_SSS_Success) {
EMSG("SCP03 key rotation failed");
return TEE_ERROR_GENERIC;
}
DMSG("SCP03 key rotation completed");
} else {
// 使用当前密钥启用SCP03
res = se050_scp03_get_current_keys(¤t_keys);
if (res != TEE_SUCCESS) {
EMSG("Failed to get current SCP03 keys");
return res;
}
if (se050_session_open(ctx, ¤t_keys) != kStatus_SSS_Success) {
EMSG("Failed to enable SCP03 with current keys");
return TEE_ERROR_GENERIC;
}
}
return TEE_SUCCESS;
}
Configuration and Build System
核心配置选项
Copy
# SCP03 Security Configuration
CFG_CORE_SCP03_ONLY ?= n # 仅SCP03模式
CFG_CORE_SE05X_SCP03_PROVISION_ON_INIT ?= n # 初始化时密钥轮换
CFG_CORE_SE05X_SCP03_PROVISION ?= n # PTA密钥轮换支持
CFG_CORE_SE05X_SCP03_PROVISION_WITH_FACTORY_KEYS ?= n # 使用出厂密钥
# Debugging Options (生产环境应禁用)
CFG_CORE_SE05X_DISPLAY_SCP03_KEYS ?= n # 显示SCP03密钥 (安全风险)
CFG_CORE_SE05X_DISPLAY_INFO ?= y # 显示设备信息
# Security Features
CFG_CORE_SE05X_SCP03_EARLY ?= y # 早期SCP03启用
CFG_CORE_SE05X_INIT_NVM ?= n # NVM出厂重置
CFG_CORE_SE05X_BLOCK_OBJ_DEL_ON_ERROR ?= n # 错误时阻止删除
# I2C Communication Configuration
CFG_CORE_SE05X_BAUDRATE ?= 3400000 # I2C波特率
CFG_CORE_SE05X_I2C_BUS ?= 2 # I2C总线选择
CFG_CORE_SE05X_I2C_TRAMPOLINE ?= y # REE I2C访问
密码学驱动启用
Copy
# Cryptographic Driver Configuration
CFG_NXP_SE05X_RSA_DRV ?= y # RSA操作支持
CFG_NXP_SE05X_ECC_DRV ?= y # ECC操作支持
CFG_NXP_SE05X_CTR_DRV ?= y # CTR模式密码支持
CFG_NXP_SE05X_RNG_DRV ?= y # 硬件随机数生成器
CFG_NXP_SE05X_DIEID_DRV ?= y # Die ID支持
CFG_NXP_SE05X_SCP03_DRV ?= y # SCP03协议支持
CFG_NXP_SE05X_APDU_DRV ?= y # 原始APDU支持
Device Information and Diagnostics
SE050 设备信息检索
Copy
sss_status_t se050_get_se_info(sss_se05x_session_t *session, bool display)
{
smStatus_t ret = SM_NOT_OK;
SE05x_Result_t result = kSE05x_Result_NA;
size_t applet_versionLen = 0;
uint8_t applet_version[MAX_VERSION_INFO_LEN] = { 0 };
sss_se05x_ctx_t *ctx = &se050_ctx;
// 获取Applet版本信息
ret = Se05x_API_GetVersion(&session->s_ctx, applet_version, &applet_versionLen);
if (ret != SM_OK) {
EMSG("Failed to get SE050 applet version");
return kStatus_SSS_Fail;
}
// 提取版本信息
memcpy(ctx->se_info.applet, applet_version, 3);
if (display) {
DMSG("SE050 Applet Version: %02X.%02X.%02X",
applet_version[0], applet_version[1], applet_version[2]);
}
// 获取JCOP平台信息
ret = jcop4_get_id(session->s_ctx.conn_ctx, display);
if (ret != SM_OK) {
EMSG("Failed to get JCOP platform information");
return kStatus_SSS_Fail;
}
// 获取配置和OEFID信息
SE05x_LockIndicator_t lockStatus;
SE05x_LockState_t lockState;
result = Se05x_API_GetLockState(&session->s_ctx, &lockStatus, &lockState);
if (result == kSE05x_Result_SUCCESS && display) {
DMSG("SE050 Lock Status: Indicator=0x%02X, State=0x%02X",
lockStatus, lockState);
}
// 提取OEFID (Object Exchange Format Identifier)
if (applet_versionLen >= 5) {
memcpy(ctx->se_info.oefid, &applet_version[3], 2);
if (display) {
DMSG("SE050 OEFID: %02X%02X",
ctx->se_info.oefid[0], ctx->se_info.oefid[1]);
}
}
return kStatus_SSS_Success;
}
内存和资源监控
Copy
sss_status_t se050_get_free_memory(Se05xSession_t *pSession,
SE05x_MemoryType_t *memory_type,
SE05x_MemoryType_t memory_type_to_check)
{
SE05x_Result_t result = kSE05x_Result_NA;
uint16_t transient_memory = 0;
uint16_t persistent_memory = 0;
// 查询瞬态存储器使用情况
result = Se05x_API_GetFreeMemory(pSession, kSE05x_MemoryType_TRANSIENT_RESET,
&transient_memory);
if (result != kSE05x_Result_SUCCESS) {
EMSG("Failed to get transient memory status");
return kStatus_SSS_Fail;
}
// 查询持久化存储器使用情况
result = Se05x_API_GetFreeMemory(pSession, kSE05x_MemoryType_PERSISTENT,
&persistent_memory);
if (result != kSE05x_Result_SUCCESS) {
EMSG("Failed to get persistent memory status");
return kStatus_SSS_Fail;
}
DMSG("SE050 Memory Status - Transient: %u bytes, Persistent: %u bytes",
transient_memory, persistent_memory);
// 返回请求的内存类型使用情况
switch (memory_type_to_check) {
case kSE05x_MemoryType_TRANSIENT_RESET:
case kSE05x_MemoryType_TRANSIENT_DESELECT:
*memory_type = transient_memory;
break;
case kSE05x_MemoryType_PERSISTENT:
*memory_type = persistent_memory;
break;
default:
return kStatus_SSS_Fail;
}
return kStatus_SSS_Success;
}
Security Considerations and Best Practices
1. 密钥管理安全
最佳实践:- 使用 HUK 派生 SCP03 密钥,避免硬编码
- 定期轮换 SCP03 密钥以减少密钥泄露风险
- 在生产环境中禁用密钥显示功能
- 使用硬件随机数生成器生成密钥
Copy
// 生产环境推荐配置
#if defined(CFG_PRODUCTION_BUILD)
#define CFG_CORE_SE05X_DISPLAY_SCP03_KEYS 0 // 禁用密钥显示
#define CFG_CORE_SE05X_SCP03_PROVISION_ON_INIT 1 // 启用自动密钥轮换
#define CFG_CORE_SCP03_ONLY 1 // 强制SCP03模式
#endif
2. 对象生命周期安全
水印验证机制:- 使用 SE050_KEY_WATERMARK 标记 SE050 对象
- 删除前验证水印以防止误删除
- 实施引用计数防止悬空指针
- 监控瞬态存储器使用情况
- 定期清理不需要的瞬态对象
- 实施对象访问策略限制操作权限
3. 通信安全
SCP03 通道保护:- 所有敏感操作通过 SCP03 加密通道
- 实施消息认证码 (MAC) 验证
- 使用会话密钥提供前向安全性
- 实施安全的错误处理,避免信息泄露
- 在认证失败时实施适当的重试和锁定机制
- 记录安全事件用于审计
4. 平台集成安全
I2C 通信保护:- 使用专用 I2C 总线减少攻击面
- 实施总线访问控制和仲裁
- 监控总线通信异常
- SE050 提供侧信道攻击防护
- 支持防止总线嗅探的硬件安全措施
- 实施防篡改检测
Performance Optimization
1. 批量操作优化
Copy
static TEE_Result se050_batch_operations(struct crypto_op_batch *batch)
{
sss_status_t status = kStatus_SSS_Success;
// 开始批量操作会话
status = Se05x_API_SetBatchMode(&se050_session->s_ctx, true);
if (status != kStatus_SSS_Success)
return TEE_ERROR_GENERIC;
// 执行批量操作
for (size_t i = 0; i < batch->count; i++) {
status = execute_crypto_operation(&batch->ops[i]);
if (status != kStatus_SSS_Success) {
// 出错时取消批量操作
Se05x_API_SetBatchMode(&se050_session->s_ctx, false);
return TEE_ERROR_GENERIC;
}
}
// 提交批量操作
status = Se05x_API_SetBatchMode(&se050_session->s_ctx, false);
return (status == kStatus_SSS_Success) ? TEE_SUCCESS : TEE_ERROR_GENERIC;
}
2. 缓存和预取优化
Copy
#define SE050_OBJECT_CACHE_SIZE 32
struct se050_object_cache {
struct {
uint32_t oid;
sss_object_t obj;
uint64_t access_time;
bool valid;
} entries[SE050_OBJECT_CACHE_SIZE];
struct mutex cache_mutex;
uint64_t lru_counter;
};
static struct se050_object_cache obj_cache = {
.cache_mutex = MUTEX_INITIALIZER,
.lru_counter = 0
};
Compliance and Certification
1. 认证标准支持
- Common Criteria EAL6+: SE050 硬件安全认证
- FIPS 140-2 Level 3: 密码学模块认证 (SE050F)
- EMVCo: 支付行业安全标准
- GSMA: 移动设备安全标准
2. 行业标准合规
- ISO/IEC 15408: 信息技术安全评估准则
- ISO/IEC 19790: 密码学模块安全要求
- NIST SP 800-57: 密钥管理建议
- GlobalPlatform 2.3: 安全元件规范
Summary
SE050 安全元件集成为 OP-TEE 存储系统提供了硬件级安全保护,具有以下关键特性:核心优势
- 硬件安全: 专用安全芯片提供物理攻击防护
- 认证加密: SCP03 协议确保通信安全
- 密钥隔离: 硬件密钥存储和访问控制
- 高性能: 专用密码学处理单元
- 标准合规: 符合多项国际安全认证标准
适用场景
- 高安全性要求的金融支付应用
- 身份认证和数字签名
- 密钥管理和保护
- 安全启动和设备证明
- 企业级安全存储