Changes

The overall concept here is the following:

The overall concept here is the following:

* All key material (AES and RSA) is stored in userspace, but it's encrypted with random AES kek's ("key encryption key").

* All key material (AES and RSA) is stored in userspace, but it's encrypted with random AES kek's ("key encryption keys").

* Each kek is generated as a function of an access key (picked at random).

* Each kek is generated as a function of an access key (picked at random).

* The kek is generated differently depending on the [[#CryptoUsecase]] the key is used for.

* The kek is generated differently depending on the [[#CryptoUsecase]] the key is used for.

* After the kek has been generated, it is wrapped with a session-specific key and given back to userspace.

* After the kek has been generated, it is wrapped with a session-specific key and given back to userspace.

** This means: Plaintext kek keys never leave TrustZone.

** This means: Plaintext kek keys never leave TrustZone.

=== GenerateAesKek ===

=== GenerateAesKek ===

| 3 || CryptoUsecase_RsaWrappedAesKey

| 3 || CryptoUsecase_RsaWrappedAesKey

|}

|}

== Id 1 ==

== Id 1 ==