1,359
edits
Changes
Jump to navigation
Jump to search
Line 64:
Line 64: + + + + + + + + +
no edit summary
| 0xC3000012 || [2.0.0+] GenerateRsaKek || ||
| 0xC3000012 || [2.0.0+] GenerateRsaKek || ||
|}
|}
The overall concept here is the following:
* All key material (AES and RSA) is stored in userspace, but it's encrypted with random AES kek's ("key encryption key").
* Each kek is generated as a function of an access key (picked at random).
* The kek is generated differently depending on the [[#CryptoUsecase]] the key is used for.
** This means: Each key is "locked" to the [[#CryptoUsecase]] it was designated for.
** You can use a key for a different usecase, but you will only get garbage output.
* After the kek has been generated, it is wrapped with a session-specific key and given back to userspace.
** This means: Plaintext kek keys never leave TrustZone.
=== GenerateAesKek ===
=== GenerateAesKek ===