laforge submitted this change.
README.md: document recently added lock/unlock feature
The ara-m applet now has a method to lock the store data command.
This prevents unauthorized changes to the access rules.
Related: SYS#7245
Change-Id: I5a8db9c823a207842aa894485820d610d311c2e0
---
M README.md
1 file changed, 14 insertions(+), 0 deletions(-)
diff --git a/README.md b/README.md
index e6fb5f3..816a5d5 100644
--- a/README.md
+++ b/README.md
@@ -46,10 +46,12 @@
- [x] delete REF-DO
- [ ] delete REF-AR-DO
- [x] update refresh tag
+- [x] lock/unlock store data (protect against unauthorized access rule changes)
### Note
* store data can be accessed via install for personalization or via raw apdu STORE DATA
+* when store data is locked, then store data can only be accessed via install for personalization
* get data length is coded on **2 bytes** max
* get specific is **not** compatible with get next
* rules are not stored as data object but as plain apdu AR-DO
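Review bot: The new Note bullet ("when store data is locked, then store data can only be accessed via install for personalization") does not say what happens to the other path. The bullet above it lists raw apdu STORE DATA as the second way in, so state explicitly that a raw STORE DATA is rejected while locked, and ideally which status word the applet returns, so an integrator can tell a locked applet from a malformed command. The checklist entry claims protection "against unauthorized access rule changes"; it would help to add one sentence on what makes the remaining install for personalization path authorized, and whether the lock state persists across resets, since neither is documented here.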
@@ -127,6 +129,18 @@
gp -acr-delete -app D2760001180002FF49502589C0019B18 -acr-hash 1FA8CC6CE448894C7011E23BCF56DB9BD9097432
```
+#### lock
+
+```bash
+gp --key-enc $KIC --key-mac $KID --key-dek $KIK --secure-apdu 80e620000f000009a00000015141434c00000000 --secure-apdu 80E2900001A1
+```
+
+#### unlock
+
+```bash
+gp --key-enc $KIC --key-mac $KID --key-dek $KIK --secure-apdu 80e620000f000009a00000015141434c00000000 --secure-apdu 80E2900001A2
+```
+
### Raw APDU
#### list rules
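Review bot: The lock and unlock examples differ only in the last byte of the second --secure-apdu (A1 versus A2), and nothing in the added sections explains that or what the first APDU (80e62000...) is for. Add a short sentence under each heading naming the two APDUs and stating that the A1/A2 data byte selects lock or unlock, otherwise a copy/paste slip between the two is easy to miss. $KIC, $KID and $KIK are used without being introduced; say where they come from and quote them ("$KIC"). Minor style points: the hex case is mixed within one command (80e620... and 80E290...), and the context line above uses single-dash options (gp -acr-delete -app ...) while the new commands use double-dash ones, so pick one form for the whole README.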
To view, visit change 39781. To unsubscribe, or for help writing mail filters, visit settings.