Reset or Erase Secure Storage

Secure Storage Reset Overview

Resetting secure storage means bringing the secure storage to an uninitialized, unused state, with no filesystem initialized. On an unfused board (FUSE_SECURITY_MODE_0 is 0), it is possible to reset the secure storage to a state like brand new.

Note: Resetting secure storage does not change the secure storage NOR to an unprovisioned state. The NOR is still provisioned and good to use, but all existing objects are erased.

To erase all objects, the secure storage must be in a functional state (for example, C_Initialize succeeds). Sometimes this is not possible because the internal state of the persistent storage is already garbled. For example, assume a scenario where the secure storage has 1000 objects in token 1. If the developer reconfigures the capacity of token 1 to 500, the secure storage will detect an error and become non-functional.

Reset Secure Storage on an Unfused Board (FUSE_SECURITY_MODE_0 is 0)

Developers who need to reset the secure storage can copy tzvault_testing_client into the GuestOS with scp.

The testing service resmgr must also be started:

tzvault_testing_client --gtest_also_run_disabled_tests --gtest_filter=*testPscSecureStorageClearAllObjectsInNor

// Expected log in TZ:

[TestingService TA] Setting Up PscSecureStorageTestRoutine
[TestingService TA] Running PscSecureStorageTestRoutine
[testing-service] PSCFW reset secure storage is success
[TestingService TA] CleanUp PscSecureStorageTestRoutine

Note: After running the previous command, reset the board.

Erase Secure Storage on Prod Board (FUSE_SECURITY_MODE_0 is 1)

On an ODM prod fused board, resetting secure storage is not allowed. You can erase all objects if secure storage is still functional.

To do so, write a program that uses the PKCS#11 APIs (such as C_FindObjectsInit, C_FindObjects, C_FindObjectsFinal, and C_DestroyObject). Alternatively, call ./tzvault_testing_client --gtest_also_run_disabled_tests --gtest_filter=*testPscSecureStorageClearAllObjectsInNor, which looks up and erases all objects one by one.

// Expected log in TZ:

[TestingService TA] Setting Up PscSecureStorageTestRoutine
[TestingService TA] Running PscSecureStorageTestRoutine
[testing-service] [testing-service] PSCFW erase secure storage object is success
[testing-service] [testing-service] PSCFW flush object group: 0x[1-10] is success
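
The find-and-destroy loop that the prod-board section describes with the PKCS#11 APIs, as an added example (not code from this page or from tzvault_testing_client). The type stand-ins, struct find_ops, erase_all_objects, the batch size of 16 and the in-memory mock token are assumptions made so the block compiles and runs without pkcs11.h. In real use the four pointers are set to the library's C_FindObjectsInit, C_FindObjects, C_FindObjectsFinal and C_DestroyObject, on an open read/write session that is logged in as needed to see the objects.

```c
#include <stddef.h>
/* Stand-ins for pkcs11.h types and a hypothetical table of the four calls (assumptions). */
typedef unsigned long CK_RV, CK_ULONG, CK_SESSION_HANDLE, CK_OBJECT_HANDLE;
#define CKR_OK 0UL
struct find_ops {
    CK_RV (*find_init)(CK_SESSION_HANDLE, void *tmpl, CK_ULONG n);
    CK_RV (*find)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE *, CK_ULONG max, CK_ULONG *got);
    CK_RV (*find_final)(CK_SESSION_HANDLE);
    CK_RV (*destroy)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE);
};
/* Destroy every object the session can see; *done counts successful deletes. */
CK_RV erase_all_objects(const struct find_ops *p, CK_SESSION_HANDLE s, CK_ULONG *done) {
    CK_OBJECT_HANDLE batch[16];
    CK_ULONG got, i;
    CK_RV rv, rv_final;
    for (*done = 0;;) {
        if ((rv = p->find_init(s, NULL, 0)) != CKR_OK) return rv;  /* empty template: all objects */
        rv = p->find(s, batch, 16, &got);
        rv_final = p->find_final(s);   /* always close the search before deleting */
        if (rv != CKR_OK || rv_final != CKR_OK) return rv != CKR_OK ? rv : rv_final;
        if (got == 0) return CKR_OK;   /* nothing left to erase */
        for (i = 0; i < got; i++, (*done)++)   /* a failed delete aborts, else we would loop forever */
            if ((rv = p->destroy(s, batch[i])) != CKR_OK) return rv;
    }
}
/* Constructed in-memory token (handles 1..64) standing in for secure storage. */
static unsigned char alive[65];
static CK_RV m_init(CK_SESSION_HANDLE s, void *t, CK_ULONG n) { (void)s; (void)t; (void)n; return CKR_OK; }
static CK_RV m_final(CK_SESSION_HANDLE s) { (void)s; return CKR_OK; }
static CK_RV m_find(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE *o, CK_ULONG max, CK_ULONG *got) {
    (void)s; *got = 0;
    for (CK_ULONG h = 1; h <= 64 && *got < max; h++) if (alive[h]) o[(*got)++] = h;
    return CKR_OK;
}
static CK_RV m_destroy(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE h) {
    (void)s;
    if (h < 1 || h > 64 || !alive[h]) return 0x82UL;   /* CKR_OBJECT_HANDLE_INVALID */
    alive[h] = 0;
    return CKR_OK;
}
/* Create `count` objects, erase them, report deletes and how many remain. */
CK_ULONG mock_erase(CK_ULONG count, CK_ULONG *left) {
    const struct find_ops ops = { m_init, m_find, m_final, m_destroy };
    CK_ULONG done = 0, h;
    for (h = 1; h <= 64; h++) alive[h] = (h <= count);
    erase_all_objects(&ops, 1, &done);
    for (*left = 0, h = 1; h <= 64; h++) *left += alive[h];
    return done;
}
int main(void) { CK_ULONG left; return !(mock_erase(40, &left) == 40 && left == 0); }
```

Each pass restarts the search after a batch is destroyed, so handles returned by an earlier search are never reused after the token contents have changed.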