Secure storage is a broad term that can refer to any storage, networking, or security discipline, technology, or methodology for the purpose of protecting and securing digital assets.

This topic describes how to provide integrity and confidentiality guarantees on data stored in persistent memory.

The most common way to provide these guarantees is by using authenticated encryption algorithms to protect the data. But because these algorithms require an encryption key, this method still does not solve the problem of how to store the key in a protected way.

In cases where user interaction is guaranteed, you can use a user-provided key (such as a fingerprint, password, or pattern). In embedded platforms, the most common case is that there is no user to provide the key. This problem is typically solved with specific hardware that provides mechanisms to protect the key, such as cryptochips or Trusted Platform Modules (TPMs).

Trusted Execution Environment

A Trusted Execution Environment (TEE) is a system that applies levels of trust to code and data, guaranteeing their confidentiality and integrity. In general terms, the TEE offers an execution space that provides a higher level of security for trusted applications (TAs) running on the device.

Digi Embedded Yocto supports secure storage using OP-TEE (Open Portable TEE). OP-TEE is designed as a companion to the Linux kernel to provide isolation from non-secure operating systems. Secure storage in OP-TEE is implemented according to the TEE Internal Core API specification, which states that data-storage actions must operate with atomicity. Atomicity means that the system only writes the data if the entire storage operation completes successfully.

TEE file structure

Digi Embedded Yocto uses, by default, the path /mnt/data/tee/ (in the data partition) as the secure storage directory in the Linux file system.

  • Each persistent object is assigned an internal identifier, saved as /mnt/data/tee/<number>.

  • A directory database file, /mnt/data/tee/dirf.db, contains a list of all objects currently in the secure storage.

You can change the default path of the TEE secure storage through the command line option --fs-parent-path of the tee-supplicant in the following configuration file:

/etc/default/tee-supplicant
OPTARGS="--fs-parent-path=/mnt/data/tee"

For the path change to take effect, restart the service:

# systemctl restart tee-supplicant
OP-TEE encrypts and protects the integrity of the files in the secure storage when accessed via the TEE supplicant. However, this directory and its files may be written or deleted with standard file system tools. Inadequate access or deletion effectively spoils the secure storage, which might lead to the loss of secure data.

Secure storage use case

The TEE secure storage is meant to store encrypted keys that give access to other encrypted storage, rather than to store large amounts of sensitive data.