Since Rockchip supplies its downstream OP-TEE implementation in binary form only, it also provides tools for replacing its signing keypair with your own:
- The `change_puk` tool replaces the public key embedded in the TEE.
- The `resign_ta.py` tool replaces the signature on `.ta` files (trusted applications).
These tools are supplied by Rockchip in the rk_tee_user repository. If you are using the meta-rk3588 BSP layer in your builds, the rk-signing-tools recipe in that layer supplies them as part of the SDK it builds.
DIGSIGSERVER_RK_TOOLS_PATH: path to a directory containing the above-mentioned tools. This is the same variable used by the Rockchip bootloader signer.
The private and public keys are expected to be at:
${DIGSIGSERVER_KEYFILE_URI}/${machine}/rkopteesign/optee-signing-key.pem
${DIGSIGSERVER_KEYFILE_URI}/${machine}/rkopteesign/optee-signing-pubkey.pem
where ${machine} is the value of the machine= parameter included in the signing request.
Request type: POST
Endpoint: /sign/rkoptee-tee
Expected parameters:
- `machine=<machine>` - a name for the device, used to locate the signing keys
- `artifact=<body>` - the contents of the TEE (typically the `<chip>_bl32_<version>.bin` file from rkbin)
Response: TEE with the updated public key
Example client:
$ curl --silent --fail -X POST -F "machine=idea3588" -F "artifact=@rk3588_bl32_v1.14.bin" --output bl32.signed http://127.0.0.1:9999/sign/rkoptee-tee
Request type: POST
Endpoint: /sign/rkoptee-ta
Expected parameters:
- `machine=<machine>` - a name for the device, used to locate the signing keys
- `artifact=<body>` - gzip-compressed tarball containing a tree of `<uuid>.ta` files
Response: gzip-compressed tarball containing the re-signed <uuid>.ta files
Example client:
$ find . -type f -name '*.ta' -print0 | tar -czf ta-files.tar.gz --null -T -
$ curl --silent --fail -X POST -F "machine=idea3588" -F "artifact=@ta-files.tar.gz" --output ta-files-resigned.tar.gz http://127.0.0.1:9999/sign/rkoptee-ta
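The same two requests as a scripted client, covering both the `/sign/rkoptee-tee` and `/sign/rkoptee-ta` endpoints described above. This is an added example, not code from digsigserver, meta-rk3588 or Rockchip's rk_tee_user tools; it assumes only what this page states (a multipart POST with `machine` and `artifact` fields, a gzip tarball of `<uuid>.ta` files in and a gzip tarball of the re-signed files under the same names out), and the server address and machine name are the placeholders from the curl examples. Beyond the curl one-liner it shows the part a practitioner has to get right: the tarball is built from an explicit file list, and the response is accepted only if every requested `.ta` comes back and nothing else (no extra, absolute or `..` members) is extracted from it.

```python
"""Client helpers for digsigserver's /sign/rkoptee-tee and /sign/rkoptee-ta endpoints.
Added example, not digsigserver's, meta-rk3588's or Rockchip's own code. It assumes only
what the page states (a multipart POST with 'machine' and 'artifact' fields; for the TA
endpoint a gzip tarball of <uuid>.ta files in, a gzip tarball of the same names out).
The server address and machine name are the placeholders used in the curl examples."""
import io
import os
import tarfile
import urllib.request
import uuid

SERVER = "http://127.0.0.1:9999"  # assumed digsigserver address


def encode_multipart(fields, file_field, filename, data):
    """Hand-rolled multipart/form-data body (stdlib only; the same shape `curl -F` sends)."""
    boundary = uuid.uuid4().hex
    parts = []
    for key, value in fields.items():
        parts += [f"--{boundary}".encode(), f'Content-Disposition: form-data; name="{key}"'.encode(),
                  b"", value.encode()]
    parts += [f"--{boundary}".encode(),
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"'.encode(),
              b"Content-Type: application/octet-stream", b"", data, f"--{boundary}--".encode(), b""]
    return b"\r\n".join(parts), f"multipart/form-data; boundary={boundary}"


def post_artifact(endpoint, machine, filename, data, server=SERVER, timeout=120):
    """POST one artifact and return the response body. endpoint is "/sign/rkoptee-tee"
    (data = the bl32 image) or "/sign/rkoptee-ta" (data = the tarball from pack_ta_files)."""
    body, ctype = encode_multipart({"machine": machine}, "artifact", filename, data)
    req = urllib.request.Request(server + endpoint, data=body, method="POST",
                                 headers={"Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # raises HTTPError on non-2xx
        return resp.read()


def load_ta_tree(root):
    """{relative path: bytes} for every *.ta file under root (the set `find` would list)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.endswith(".ta")):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                files[os.path.relpath(full, root)] = f.read()
    return files


def pack_ta_files(files):
    """Build the gzip tarball the TA endpoint expects from a {relpath: bytes} map."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def unpack_signed_tarball(tarball, expected):
    """Parse the response tarball into {relpath: bytes}. Only regular-file members whose
    names were in the request are accepted, so an extra, absolute or '..' path in a
    tampered or buggy response never reaches the filesystem, and every requested file
    must come back (a silently dropped TA would otherwise stay signed with the old key)."""
    expected = {os.path.normpath(n) for n in expected}
    signed = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar.getmembers():
            name = os.path.normpath(member.name)
            if not member.isfile() or name not in expected:
                raise ValueError(f"unexpected member in signing response: {member.name!r}")
            signed[name] = tar.extractfile(member).read()
    missing = expected - set(signed)
    if missing:
        raise ValueError(f"signing response is missing: {sorted(missing)}")
    return signed


def write_ta_tree(dest, files):
    """Write the re-signed files out under dest, recreating the original subdirectories."""
    for name, data in files.items():
        path = os.path.join(dest, name)
        os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def roundtrip_demo():
    """Offline run on constructed (not real) TA images: the stand-in 'server' just appends
    a marker to each file where digsigserver would run Rockchip's resign_ta.py."""
    tree = {"11111111-2222-3333-4444-555555555555.ta": b"constructed TA image A",
            "early_ta/66666666-7777-8888-9999-aaaaaaaaaaaa.ta": b"constructed TA image B"}
    assert unpack_signed_tarball(pack_ta_files(tree), tree) == tree  # pack/unpack agree
    fake_response = pack_ta_files({n: d + b" [re-signed]" for n, d in tree.items()})
    return unpack_signed_tarball(fake_response, tree)


if __name__ == "__main__":  # real use against a running digsigserver
    ta = load_ta_tree(".")
    resigned = post_artifact("/sign/rkoptee-ta", "idea3588", "ta-files.tar.gz", pack_ta_files(ta))
    write_ta_tree("resigned", unpack_signed_tarball(resigned, ta))
```

For the TEE endpoint the same `post_artifact` call is used with the raw `bl32` image (`post_artifact("/sign/rkoptee-tee", "idea3588", "rk3588_bl32_v1.14.bin", open(path, "rb").read())`) and the response is written out as the new `bl32` image; only the TA endpoint needs the tarball handling. The response is deliberately not extracted with `tarfile.extractall`, so the member names are checked against the request before any file is written.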