dexter has uploaded this change for review.


ara_m: add command to lock write access to the ARA-M rules.

Recent versions of the ARA-M applet from Bertrand Martel can lock
the write access to ARA-M rules. Let's add a command for that and
some documentation.

Related: SYS#7245
Change-Id: I71581a0c9f146f9a0921093d9b53b053b4a8946c
---
M docs/shell.rst
M pySim/ara_m.py
2 files changed, 19 insertions(+), 0 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/80/39780/1
diff --git a/docs/shell.rst b/docs/shell.rst
index 564f162..9c8eb9b 100644
--- a/docs/shell.rst
+++ b/docs/shell.rst
@@ -1006,6 +1006,21 @@
intended must be manually inserted again using :ref:`aram_store_ref_ar_do`


+aram_lock
+~~~~~~~~~
+Newer versions (50f092037a) of the ara-m applet (Bertrand Martel) allow to lock
+the access to the STORE DATA command. This renders all access rules stored within
+the ARA-M applet effectively read-only. The lock can only be removed via a secure
+channel to the security domain and is therefore suitable to prevent unauthorized
+changes to ARA-M rules.
+
+Removal of the lock:
+::
+
+ pySIM-shell (SCP02[01]:00:MF/ADF.ISD)> install_for_personalization A00000015141434C00
+ pySIM-shell (SCP02[01]:00:MF/ADF.ISD)> apdu --expect-sw 9000 80E2900001A2
+
+
GlobalPlatform commands
-----------------------

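Review bot: The version reference "(50f092037a)" in the first line of the new aram_lock section is a bare commit id with no pointer to where that applet source lives; a reader of shell.rst cannot resolve it. Suggest naming the applet's repository (or a tag) next to the hash. The section also only shows how to remove the lock, never how to apply it, so "aram_lock" is documented by heading alone; a one-line example of issuing the command from the selected ARA-M application, mirroring the removal example, would make the section complete. Since the lock is only reversible with a secure channel to the security domain, the text should also say explicitly that a card whose ISD keys are unavailable will have its access rules frozen permanently (the code's docstring carries a "use with caution!" warning that the documentation does not). Minor wording: "allow to lock the access" reads better as "allow locking access".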
diff --git a/pySim/ara_m.py b/pySim/ara_m.py
index 7a0f93f..f06acee 100644
--- a/pySim/ara_m.py
+++ b/pySim/ara_m.py
@@ -389,6 +389,10 @@
if res_do:
self._cmd.poutput_json(res_do.to_dict())

+ def do_aram_lock(self, opts):
+ """Lock STORE DATA command to prevent unauthorized changes (use with caution!)"""
+ self._cmd.lchan.scc.send_apdu_checksw('80e2900001A1', '9000')
+

# SEAC v1.1 Section 4.1.2.2 + 5.1.2.2
sw_aram = {
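Review bot: do_aram_lock sends the lock APDU unconditionally, with no confirmation and no message to the user, even though its own docstring says "use with caution!" and the accompanying documentation states the lock can only be undone over a secure channel to the security domain. Suggest either prompting for confirmation or requiring an explicit flag before sending '80e2900001A1', and printing a short notice afterwards that the rules are now read-only. The APDU itself is a magic string: a comment decoding it (STORE DATA, P1=0x90, one data byte, 0xA1 = lock, with 0xA2 being the unlock value shown in the docs hunk) would help the next reader, as would expressing the lock/unlock values as named constants. Also, the opts parameter is unused and no argparser decorator is visible on the method; if the command takes no arguments this is fine but worth a check against how the neighbouring aram_ commands are declared.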


Gerrit-MessageType: newchange
Gerrit-Project: pysim
Gerrit-Branch: master
Gerrit-Change-Id: I71581a0c9f146f9a0921093d9b53b053b4a8946c
Gerrit-Change-Number: 39780
Gerrit-PatchSet: 1
Gerrit-Owner: dexter <pmaier@sysmocom.de>