Update DeviceKey document after root of trust refactoring #1244
Conversation
tymoteuszblochmobica
requested review from
SeppoTakalo,
iriark01,
AnotherButler and
JammuKekkonen
docs/api/security/Devicekey.md
Outdated
| `device_inject_root_of_trust`: You must call this API once in the lifecycle of the device, before any call to key derivation, if the device does not support true random number generator (`DEVICE_TRNG` is not defined). | ||
| DeviceKey class needs ROT ready to use before derivation API first call. There are two options to achieve it: | ||
|
|
||
| -Create device key using built-in random number generator |
There was a problem hiding this comment.
@tymoteuszblochmobica tymoteuszblochmobicaI think you meant to have bulleted items, but instead the dash simply connects to the first word:
tymoteuszblochmobica
force-pushed
the
rot
branch
from
19fefc3 to
c895f86
Compare
docs/api/security/Devicekey.md
Outdated
| @@ -19,17 +19,49 @@ The characteristics required by this root of trust are: | |||
|
|
|||
| The DeviceKey feature keeps the root of trust key in internal storage, using the KVStore component. Internal storage provides protection from external physical attacks to the device. | |||
|
|
|||
| The root of trust is generated at the first use of DeviceKey if the true random number generator is available in the device. If no true random number generator is available, you must pass the injected root of trust key to the DeviceKey before you call the key derivation API. | |||
| The root of trust must be created before its first use. Otherwise key derivation API will fail. | |||
There was a problem hiding this comment.
Does the user need to create it?
There was a problem hiding this comment.
In development phase, probably yes. In production device it should be injected in the factory.
docs/api/security/Devicekey.md
Outdated
| //success | ||
| } else { | ||
| //error | ||
| } |
There was a problem hiding this comment.
This code block does not seem to be aligned correctly.
Can you use the backticks, so it can be properly aligned?
There was a problem hiding this comment.
Changed
tymoteuszblochmobica
force-pushed
the
rot
branch
from
c895f86 to
a6ad065
Compare
|
Oh.. you probably need to start the code snippets with ```C++ NOCI Because otherwise the CI will try to build those, and fail as they are not complete. |
tymoteuszblochmobica
force-pushed
the
rot
branch
from
a6ad065 to
ab7f37b
Compare
Edit file for active voice.
There was a problem hiding this comment.
I propose change to two sentences which are a bit misleading.
Otherwise looks OK.
Just a personal preference, do we need to shorten bits to just b? For example https://en.wikipedia.org/wiki/Advanced_Encryption_Standard uses AES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. then later on, if they talk about key length they leave the bit out completely.
docs/api/security/Devicekey.md
Outdated
|
|
||
| The first way is used when device supports random number generator - ` DEVICE_TRNG` is defined. | ||
| Then `generate_root_of_trust` must be called only once. | ||
| Use this first method when the device supports a random number generator - when ` DEVICE_TRNG` is defined. Then, call `generate_root_of_trust` only once. |
There was a problem hiding this comment.
This is now misleading (as was the original as well). The Call of generate_root_of_trust() is the method of generating the key.
So maybe the sentence should be like:
When
DEVICE_TRNGis defined, the device supports a random number generator and you may generate the key by callinggenerate_root_of_trust().
The call succeed only if the key does not already exist. Subsequent calls will fail, without modifying the existing key.
docs/api/security/Devicekey.md
Outdated
| @@ -50,7 +47,7 @@ if(status == DEVICEKEY_SUCCESS) { | |||
| } | |||
| ``` | |||
|
|
|||
| If `DEVICE_TRNG` is not defined then key buffer must be filled manually and followed by `device_inject_root_of_trust` call. The example below shows an injection of a dummy key. | |||
| If `DEVICE_TRNG` is not defined, the key buffer must be filled manually and followed by `device_inject_root_of_trust` call. The example below shows an injection of a dummy key: | |||
There was a problem hiding this comment.
Similarly as above
If
DEVICE_TRNGis not defined, the key buffer must be filled manually by callingdevice_inject_root_of_trust(). The example below shows an injection of a dummy key:
Update phrasing as requested in comments for accuracy.
|
@SeppoTakalo Thanks for the review and suggested changes 👍 Does this look better? |
docs/api/security/Devicekey.md
Outdated
|
|
||
| Both cases requires injecting this key data to the KVStore reserved area. | ||
|
|
||
| When `DEVICE_TRNG` is defined, the device supports a random number generator, and you may generate the key by calling `generate_root_of_trust()`. The call succeeds only if the key does not already exist. Subsequent calls will fail if you don't modify the existing key. |
There was a problem hiding this comment.
Subsequent calls will fail if you don't modify the existing key.
Sorry, I was probably unclear here. There is no way to modify the key, this sentence needs rewrite.
I tried to impress that you can only generate the key once. Modifying it, or regenerating it is not possible.
So subsequent call to this API will fail. And those calls don't modify the key.
Would it be clearer with:
The call succeeds only if the key does not already exist. Existing key cannot be changed.
Update phrasing as requested in comments for accuracy.
|
Looks good now. Thanks @AnotherButler |
DeviceKey class has been modified to not allow automatic Root of trust generation.
This requires docs/api/security/Devicekey.md document update.