Open
Conversation
sangho2
added
the
must-not-merge:blocked-on-other-changes
sangho2
force-pushed
the
sanghle/optee/takey
branch
from
00958ed to
0848e41
Compare
sangho2
removed
the
must-not-merge:blocked-on-other-changes
sangho2
force-pushed
the
sanghle/optee/takey
branch
from
ab718a2 to
3381d56
Compare
sangho2
added
the
must-not-merge:undergoing-restructuring
sangho2
force-pushed
the
sanghle/optee/takey
branch
from
3381d56 to
851eae4
Compare
sangho2
removed
the
must-not-merge:undergoing-restructuring
There was a problem hiding this comment.
Pull request overview
This PR adds OP-TEE-compatible support for PTA_SYSTEM_DERIVE_TA_UNIQUE_KEY in the OP-TEE shim by deriving a TA-unique key from a platform-provided root key using an HMAC-SHA256-based KDF, and wiring up the necessary platform-side derived-key plumbing.
Changes:
- Implement TA-unique key derivation in
litebox_shim_opteeusingDerivedKeyProvider+ an HMAC-SHA256 shim-KDF callback. - Add common helpers/types needed by the derivation path (
UteeParams::has_types,TeeUuid::to_le_bytes,HukSubkeyUsage,HUK_SUBKEY_MAX_LEN). - Enable derived-key support across platforms/runners (LVBS
DerivedKeyProviderimpl; Linux userland runner boot-id initialization) and add required crypto dependencies.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| litebox_shim_optee/src/syscalls/pta.rs | Implements DeriveTaUniqueKey using HUK-derived subkeys via DerivedKeyProvider and HMAC-SHA256. |
| litebox_shim_optee/Cargo.toml | Adds crypto deps (hmac/sha2/zeroize) and a new dev-dependency entry. |
| litebox_runner_optee_on_linux_userland/src/lib.rs | Initializes boot-specific KDF support on the Linux userland platform before running TAs. |
| litebox_platform_lvbs/src/host/lvbs_impl.rs | Implements DerivedKeyProvider for LVBS using the platform root key (PRK). |
| litebox_common_optee/src/lib.rs | Adds UteeParams::has_types, TeeUuid::to_le_bytes, and OP-TEE HUK subkey usage identifiers/constants. |
| Cargo.lock | Locks new dependency graph entries for added crypto crates. |
sangho2
added
the
must-not-merge:blocked-on-other-changes
Contributor
Author
|
This PR and #828 do have some common code. Minor fix is needed once both (or one of these) are approved. |
sangho2
removed
must-not-merge:blocked-on-other-changes
added 2 commits
May 5, 2026 22:51
sangho2
force-pushed
the
sanghle/optee/takey
branch
from
4db8629 to
5dd298f
Compare
|
🤖 SemverChecks 🤖 No breaking API changes detected Note: this does not mean API is unchanged, or even that there are no breaking changes; simply, none of the detections triggered. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR implements OP-TEE's
PTA_SYSTEM_DERIVE_TA_UNIQUE_KEY(https://github.com/OP-TEE/optee_os/blob/06c4e95e469c9c89e9ba4a6915d1be7bb8ea6fbc/core/pta/system.c#L62) for the OP-TEE shim.