Key Generation

This section describes how to generate and persist an AES key inside the Trusted Execution Environment (TEE).

  • Purpose: Generates a new AES key or retrieves an existing one from secure persistent storage.

  • Steps:

    1. Check for existing key: Attempts to open the AES key object held in TEE persistent storage with TEE_OpenPersistentObject().

      • If found, returns the key handle immediately.

      • If not found, proceeds to key generation.

    2. Allocate transient AES object: Creates a volatile AES key object with TEE_AllocateTransientObject(), specifying the key size.

    3. Generate random AES key: Generates the actual AES key material using TEE_GenerateKey().

    4. Store key persistently: Saves the transient key object into persistent storage via TEE_CreatePersistentObject().

    5. Error handling: On any failure, logs the error and frees allocated resources.

  • Notes:

    • The key size is defined by AES_KEY_SIZE.

    • The key is stored in TEE_STORAGE_PRIVATE, so it is accessible only to this TA.

```c
#include <string.h>            /* strlen() */
#include <tee_internal_api.h>  /* GlobalPlatform TEE Internal Core API (TEE_* calls, DMSG/EMSG) */
/* AES_KEY_SIZE (in bits) and AES_KEY_STORAGE_NAME (the object ID) are defined in the TA's own header. */

TEE_Result generate_aes_key(TEE_ObjectHandle *key_handle)
{
    TEE_Result res;
    TEE_ObjectHandle transient_key = TEE_HANDLE_NULL;
    TEE_ObjectHandle persistent_key = TEE_HANDLE_NULL;
    uint32_t flags = TEE_DATA_FLAG_ACCESS_READ; /* we only need read access */

    /* Verify if the AES key already exists in secure storage */
    res = TEE_OpenPersistentObject(
        TEE_STORAGE_PRIVATE,          /* storageID */
        AES_KEY_STORAGE_NAME,         /* objectID */
        strlen(AES_KEY_STORAGE_NAME), /* objectIDLen */
        flags,                        /* flags */
        key_handle                    /* object */
    );
    if (res == TEE_SUCCESS)
    {
        DMSG("AES key retrieved from persistent storage");
        return TEE_SUCCESS;
    }
    if (res != TEE_ERROR_ITEM_NOT_FOUND)
    {
        /* Any error other than "not found" is a storage problem: do not overwrite the object */
        EMSG("Failed to open AES key object: 0x%08x", res);
        return res;
    }

    /* Key doesn't exist, generate a new one */
    DMSG("Generating new AES key");

    /* Allocate a transient object for AES */
    res = TEE_AllocateTransientObject(TEE_TYPE_AES, AES_KEY_SIZE, &transient_key);
    if (res != TEE_SUCCESS)
    {
        EMSG("Failed to allocate transient object for AES, res=0x%08x", res);
        return res;
    }

    /* Generate a random AES key */
    res = TEE_GenerateKey(transient_key, AES_KEY_SIZE, NULL, 0);
    if (res != TEE_SUCCESS)
    {
        EMSG("Failed to generate AES key, res=0x%08x", res);
        TEE_FreeTransientObject(transient_key);
        return res;
    }

    /* Store the AES key in secure storage */
    res = TEE_CreatePersistentObject(
        TEE_STORAGE_PRIVATE,          /* storageID */
        AES_KEY_STORAGE_NAME,         /* objectID */
        strlen(AES_KEY_STORAGE_NAME), /* objectIDLen */
        flags,                        /* flags */
        transient_key,                /* attributes */
        NULL, 0,                      /* initialData, initialDataLen */
        &persistent_key               /* object */
    );

    /* The transient object is no longer needed whether or not the store succeeded */
    TEE_FreeTransientObject(transient_key);

    if (res != TEE_SUCCESS)
    {
        EMSG("Failed to store AES key, res=0x%08x", res);
        return res;
    }

    *key_handle = persistent_key;

    DMSG("AES key successfully generated and stored");
    return TEE_SUCCESS;
}
```
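The get-or-create logic above can only run inside a TEE, which makes its error paths (step 5) hard to exercise. The following is an added example, not the TA's or OP-TEE's own code: a host-side mock of the five GlobalPlatform storage calls the function depends on, with fault-injection knobs, plus a compact copy of the same logic and a scenario runner. It checks the properties the steps promise: an existing key is reused, a fresh key is generated and stored, a storage error other than "not found" never overwrites the object, and no transient object leaks on any failure. The constant values mirror the GP Internal Core API header but only their distinctness matters here; `AES_KEY_STORAGE_NAME` is a placeholder object ID, and `run_scenario()` and the `outcome` struct are this example's own helpers.

```c
/* Added example, not the TA's code: host-side mock of the GP storage calls
 * used by generate_aes_key(), with fault injection, so the get-or-create
 * logic and its cleanup paths can be tested off-device. Constant values
 * mirror the GP header; AES_KEY_STORAGE_NAME is a placeholder. */
#include <stdint.h>
#include <string.h>

typedef uint32_t TEE_Result;
typedef int *TEE_ObjectHandle;
#define TEE_HANDLE_NULL            ((TEE_ObjectHandle)0)
#define TEE_SUCCESS                0x00000000
#define TEE_ERROR_GENERIC          0xFFFF0000
#define TEE_ERROR_ITEM_NOT_FOUND   0xFFFF0008
#define TEE_ERROR_STORAGE_NO_SPACE 0xFFFF3041
#define TEE_ERROR_CORRUPT_OBJECT   0xF0100001
#define TEE_STORAGE_PRIVATE        0x00000001
#define TEE_DATA_FLAG_ACCESS_READ  0x00000001
#define TEE_TYPE_AES               0xA0000010
#define AES_KEY_SIZE               256
#define AES_KEY_STORAGE_NAME       "aes_key_placeholder"

/* Mock storage state and fault-injection knobs (0 = no fault). */
static int transient_obj, persistent_obj;   /* mock handles point at these */
static struct {
    int stored;          /* persistent key object exists */
    int transient_live;  /* transient objects allocated but not yet freed */
    TEE_Result open_err, gen_err, create_err;
} M;

TEE_Result TEE_OpenPersistentObject(uint32_t sid, const void *id, uint32_t idlen,
                                    uint32_t flags, TEE_ObjectHandle *obj)
{
    (void)sid; (void)id; (void)idlen; (void)flags;
    if (M.open_err) return M.open_err;
    if (!M.stored) return TEE_ERROR_ITEM_NOT_FOUND;
    *obj = &persistent_obj;
    return TEE_SUCCESS;
}
TEE_Result TEE_AllocateTransientObject(uint32_t type, uint32_t bits, TEE_ObjectHandle *obj)
{
    (void)type; (void)bits;
    M.transient_live++;
    *obj = &transient_obj;
    return TEE_SUCCESS;
}
TEE_Result TEE_GenerateKey(TEE_ObjectHandle obj, uint32_t bits, const void *p, uint32_t n)
{
    (void)obj; (void)bits; (void)p; (void)n;
    return M.gen_err;   /* key material itself is not modelled */
}
TEE_Result TEE_CreatePersistentObject(uint32_t sid, const void *id, uint32_t idlen,
                                      uint32_t flags, TEE_ObjectHandle attrs,
                                      const void *data, uint32_t len, TEE_ObjectHandle *obj)
{
    (void)sid; (void)id; (void)idlen; (void)flags; (void)attrs; (void)data; (void)len;
    if (M.create_err) return M.create_err;
    M.stored = 1;
    *obj = &persistent_obj;
    return TEE_SUCCESS;
}
void TEE_FreeTransientObject(TEE_ObjectHandle obj)
{
    if (obj != TEE_HANDLE_NULL) M.transient_live--;
}

/* The TA's get-or-create logic, compacted; logging omitted. */
TEE_Result generate_aes_key(TEE_ObjectHandle *key_handle)
{
    TEE_ObjectHandle transient_key = TEE_HANDLE_NULL, persistent_key = TEE_HANDLE_NULL;
    uint32_t flags = TEE_DATA_FLAG_ACCESS_READ;
    TEE_Result res = TEE_OpenPersistentObject(TEE_STORAGE_PRIVATE, AES_KEY_STORAGE_NAME,
                                              strlen(AES_KEY_STORAGE_NAME), flags, key_handle);
    if (res == TEE_SUCCESS) return TEE_SUCCESS;       /* existing key: reuse it */
    if (res != TEE_ERROR_ITEM_NOT_FOUND) return res;  /* storage error: never overwrite */
    res = TEE_AllocateTransientObject(TEE_TYPE_AES, AES_KEY_SIZE, &transient_key);
    if (res != TEE_SUCCESS) return res;
    res = TEE_GenerateKey(transient_key, AES_KEY_SIZE, NULL, 0);
    if (res == TEE_SUCCESS)
        res = TEE_CreatePersistentObject(TEE_STORAGE_PRIVATE, AES_KEY_STORAGE_NAME,
                                         strlen(AES_KEY_STORAGE_NAME), flags, transient_key,
                                         NULL, 0, &persistent_key);
    TEE_FreeTransientObject(transient_key);           /* released on every path */
    if (res == TEE_SUCCESS) *key_handle = persistent_key;
    return res;
}

/* Run one scenario on fresh mock state: return code, whether a key is now
 * stored, whether the caller got a handle, and transient objects leaked (must be 0). */
struct outcome { TEE_Result res; int stored; int got_handle; int leaked; };
struct outcome run_scenario(int pre_stored, TEE_Result open_err,
                            TEE_Result gen_err, TEE_Result create_err)
{
    struct outcome o;
    TEE_ObjectHandle h = TEE_HANDLE_NULL;
    memset(&M, 0, sizeof M);
    M.stored = pre_stored;
    M.open_err = open_err; M.gen_err = gen_err; M.create_err = create_err;
    o.res = generate_aes_key(&h);
    o.stored = M.stored; o.got_handle = (h != TEE_HANDLE_NULL); o.leaked = M.transient_live;
    return o;
}
```

Two caveats worth keeping in mind when reading the results. First, `TEE_DATA_FLAG_ACCESS_READ` alone is enough to use the key, but a handle opened or created with only that flag cannot later be passed to `TEE_CloseAndDeletePersistentObject()`, which requires `TEE_DATA_FLAG_ACCESS_WRITE_META`; a TA that needs key rotation must open with that flag as well. Second, because the open and the create are two separate calls, `TEE_CreatePersistentObject()` can return `TEE_ERROR_ACCESS_CONFLICT` if another session of the same TA created the object in between; the function above correctly does not overwrite in that case, and a caller that sees that code can simply retry the open.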