LVC21-215: PKCS#11 in OP-TEE

Session Abstract

The PKCS#11 standard defines a platform-independent API to cryptographic tokens such as hardware security modules (HSMs) and smart cards. These APIs let software use, create, modify and delete cryptographic objects without ever exposing the key material to the application's memory: the application only holds object handles, and the token performs the cryptographic operations on its behalf. HSMs are not common in embedded/IoT products because they add cost, yet such products still need secure storage for private keys, for example for managing device identity, secure updates and TLS connections. Providing a PKCS#11 API for Linux applications lets them use the OP-TEE trusted execution environment to handle those secrets through a well-established standard interface. In this session, we will give details on some implementation points, the status of the work completed and the next planned steps.

Session Speakers

Etienne Carriere

STMicroelectronics (SW engineer)

Etienne Carrière is an embedded software engineer at STMicroelectronics, currently assigned to the Linaro Security Working Group. He has been working on the boot and kernel layers of Linux-based embedded systems since the beginning of the century and has been involved in the OP-TEE project since 2013.

Ruchika Gupta

Linaro (Technical Lead SWG/Linaro)

Ruchika has spent most of her professional career working on security for embedded devices. She leads the Security Working Group at Linaro, which works with various upstream security-related projects; OP-TEE is one of the key projects for that group.

