# Key Policies
This document describes the policies for keys managed by the provisioning infrastructure.
## Transport Keys

Transport keys are used to export SKU-specific assets from offline to SPM HSMs.

### Asymmetric SPM Wrapping Key

Key used to wrap the SKU-specific wrapping key generated by the offline HSM.

| Labels | `spm-rsa-wrap.pub`, `spm-rsa-wrap.priv` |
|---|---|

Note: Use the `hsm_spm_wrapping_key` macro to define this key.

```python
hsm_spm_wrapping_key(
    name = "spm-rsa-wrap-v0",
)
```
#### Private Key
The private key is not extractable from the SPM HSM. This is to make sure that the key cannot be extracted to initialize SPM HSMs that have not been approved by the SKU owner.
| Attribute | SPM | Offline |
|---|---|---|
| CKA_DECRYPT | True | N/A |
| CKA_EXTRACTABLE | False | N/A |
| CKA_SENSITIVE | True | N/A |
| CKA_SIGN | True | N/A |
| CKA_TOKEN | True | N/A |
#### Public Key
| Attribute | SPM | Offline |
|---|---|---|
| CKA_ENCRYPT | True | True |
| CKA_TOKEN | True | True |
| CKA_VERIFY | True | True |
### SKU Wrapping Key

Key used to wrap SKU CKA_PRIVATE and CKA_SECRET assets.

| Labels | `<sku>-aes-wrap` |
|---|---|

Note: Use the `hsm_sku_wrapping_key` macro to define this key.

#### Wrapping Configuration

- Recommended mechanism: `RsaPkcsOaep`
- Wrapping key: Asymmetric SPM Wrapping Key
#### Offline HSM Configuration

The key is configured as extractable so that it can be imported into the SPM HSM.

#### SPM Configuration

The key is configured as not extractable to avoid enabling the provisioning of unauthorized HSMs. Similarly, CKA_ENCRYPT and CKA_WRAP are disabled, as neither is required to initialize the SPM HSM.
| Attribute | SPM | Offline |
|---|---|---|
| CKA_DECRYPT | True | True |
| CKA_ENCRYPT | False | True |
| CKA_EXTRACTABLE | False | True |
| CKA_SENSITIVE | True | True |
| CKA_TOKEN | True | True |
| CKA_UNWRAP | True | True |
| CKA_WRAP | False | True |
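As an added example (not part of the provisioning project's own code), the two transport-key policy tables above transcribed into a small Python checker: it compares the attributes read back from an HSM against the policy, reports each mismatch or unreported attribute, and flags a key that exists on an HSM where the table says N/A. The `<sku>` expansion rule, the concrete label `sku_a-aes-wrap`, and the attribute readback dict are assumptions.

```python
import re

# Expected PKCS#11 attributes for the two transport keys, transcribed from the tables above.
# A role absent from a key's entry means the key must not exist on that HSM ("N/A" columns).
POLICIES = {
    "spm-rsa-wrap.priv": {
        "SPM": {"CKA_DECRYPT": True, "CKA_EXTRACTABLE": False,
                "CKA_SENSITIVE": True, "CKA_SIGN": True, "CKA_TOKEN": True},
    },
    "<sku>-aes-wrap": {
        "SPM": {"CKA_DECRYPT": True, "CKA_ENCRYPT": False, "CKA_EXTRACTABLE": False,
                "CKA_SENSITIVE": True, "CKA_TOKEN": True, "CKA_UNWRAP": True,
                "CKA_WRAP": False},
        "Offline": {"CKA_DECRYPT": True, "CKA_ENCRYPT": True, "CKA_EXTRACTABLE": True,
                    "CKA_SENSITIVE": True, "CKA_TOKEN": True, "CKA_UNWRAP": True,
                    "CKA_WRAP": True},
    },
}

def find_policy(label):
    """Return the policy for a concrete label, expanding the "<sku>" placeholder (assumed rule)."""
    for pattern, policy in POLICIES.items():
        parts = [re.escape(p) for p in pattern.split("<sku>")]
        if re.fullmatch(r"[A-Za-z0-9_]+".join(parts), label):
            return policy
    return None

def check_key(label, hsm, attrs):
    """List policy violations for one key read back from `hsm` ("SPM" or "Offline")."""
    policy = find_policy(label)
    if policy is None:
        return [f"{label}: no policy defined for this label"]
    expected = policy.get(hsm)
    if expected is None:
        return [f"{label}: must not exist on the {hsm} HSM"]
    violations = []
    for attr, want in sorted(expected.items()):
        if attr not in attrs:
            violations.append(f"{label}: {attr} not reported by the {hsm} HSM")
        elif attrs[attr] != want:
            violations.append(f"{label}: {attr} is {attrs[attr]}, policy requires {want}")
    return violations

if __name__ == "__main__":  # constructed readback of a misconfigured SKU key on the SPM HSM
    readback = {"CKA_DECRYPT": True, "CKA_ENCRYPT": False, "CKA_EXTRACTABLE": True,
                "CKA_SENSITIVE": True, "CKA_TOKEN": True, "CKA_UNWRAP": True,
                "CKA_WRAP": True}
    for line in check_key("sku_a-aes-wrap", "SPM", readback):
        print(line)
```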
## Root Certificate Authority

Offline Root Certificate Authority. Used to endorse Intermediate Certificate Authority keys.

Note: Use the `hsm_certificate_authority_root` macro to define this key.

### Private Key
The private key is not extractable from the Offline HSM. This is to make sure the key cannot be used to endorse unauthorized intermediate CA keys.
| Attribute | SPM | Offline |
|---|---|---|
| CKA_DECRYPT | N/A | False |
| CKA_EXTRACTABLE | N/A | False |
| CKA_SENSITIVE | N/A | True |
| CKA_SIGN | N/A | True |
| CKA_TOKEN | N/A | True |
### Public Key
| Attribute | SPM | Offline |
|---|---|---|
| CKA_ENCRYPT | False | False |
| CKA_TOKEN | True | True |
| CKA_VERIFY | True | True |
## Intermediate Certificate Authority

Intermediate Certificate Authority. Used to endorse Device Under Test (DUT) generated payloads. This key is generated directly in the SPM HSM.

Note: Use the `hsm_certificate_authority_intermediate` macro to define this key.

### Key Generation

The private key is generated directly in the SPM HSM and is not extractable. The CSR is generated in the SPM HSM and signed by the Root CA in the Offline HSM.

### Private Key
The private key is not extractable from the SPM HSM. This is to make sure that the key cannot be extracted to endorse DUT payloads outside of the authorized provisioning environment.
| Attribute | SPM | Offline |
|---|---|---|
| CKA_DECRYPT | False | N/A |
| CKA_EXTRACTABLE | False | N/A |
| CKA_SENSITIVE | True | N/A |
| CKA_SIGN | True | N/A |
| CKA_TOKEN | True | N/A |
### Public Key
| Attribute | SPM | Offline |
|---|---|---|
| CKA_ENCRYPT | False | False |
| CKA_TOKEN | True | True |
| CKA_VERIFY | True | True |
## Generic Secret

Generic secrets are used to generate tokens in the SPM HSM.

Note: Use the `hsm_generic_secret` macro to define this key.
The key is not extractable from the SPM HSM. This is to make sure it is not possible to re-generate tokens outside of the authorized provisioning environment.
| Attribute | SPM | Offline |
|---|---|---|
| CKA_DECRYPT | False | False |
| CKA_DERIVE | True | True |
| CKA_ENCRYPT | False | False |
| CKA_EXTRACTABLE | False | True |
| CKA_SENSITIVE | True | True |
| CKA_SIGN | True | True |
| CKA_TOKEN | True | True |
| CKA_UNWRAP | False | False |
| CKA_WRAP | False | False |
## RMA Key

The RMA key is used to wrap RMA unlock tokens. RMA unlock tokens are unique per Device Under Test, and can only be unwrapped inside a secure environment.

Note: Use the `hsm_sku_rma_key` macro to define this key.

### Wrapping Configuration

Exporting of the private key is not allowed.

### Private Key

The private key is not extractable from the Offline HSM. This is to make sure that the key cannot be used to unwrap RMA tokens outside the manufacturer's secure environment.
| Attribute | SPM | Offline |
|---|---|---|
| CKA_DECRYPT | N/A | True |
| CKA_EXTRACTABLE | N/A | False |
| CKA_SENSITIVE | N/A | True |
| CKA_SIGN | N/A | False |
| CKA_TOKEN | N/A | True |
### Public Key
| Attribute | SPM | Offline |
|---|---|---|
| CKA_ENCRYPT | True | True |
| CKA_TOKEN | True | True |
| CKA_VERIFY | False | False |
## SPM Identity Key

The SPM Identity Key is used to sign SPM operations performed during provisioning. Registry intake services can verify the signature to ensure the Device Under Test record was generated by an authorized SPM HSM.

This key must be generated inside the SPM HSM.

### Private Key
The private key is not extractable from the SPM HSM. This is to make sure that the key cannot be extracted to endorse DUT payloads outside of the authorized provisioning environment.
| Attribute | SPM | Offline |
|---|---|---|
| CKA_DECRYPT | False | N/A |
| CKA_EXTRACTABLE | False | N/A |
| CKA_SENSITIVE | True | N/A |
| CKA_SIGN | True | N/A |
| CKA_TOKEN | True | N/A |
### Public Key
| Attribute | SPM | Offline |
|---|---|---|
| CKA_ENCRYPT | False | False |
| CKA_TOKEN | True | True |
| CKA_VERIFY | True | True |