laforge submitted this change.
ara_m: add command to lock write access to the ARA-M rules.
Recent versions of the ARA-M applet from Bertrand Martel can lock
the write access to ARA-M rules. Let's add a command for that and
some documentation.
Related: SYS#7245
Change-Id: I71581a0c9f146f9a0921093d9b53b053b4a8946c
---
M docs/shell.rst
M pySim/ara_m.py
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/docs/shell.rst b/docs/shell.rst
index 564f162..0eb64ba 100644
--- a/docs/shell.rst
+++ b/docs/shell.rst
@@ -1,4 +1,4 @@
-pySim-shell
+pySim-shell
===========
pySim-shell is an interactive command line shell for all kind of interactions with SIM cards,
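Review bot: The title line at the top of docs/shell.rst is removed and re-added with no visible difference (`-pySim-shell` / `+pySim-shell`), so the only thing that can differ is something invisible such as whitespace or an encoding mark. That is unrelated to the aram_lock command named in the commit message. Please drop this hunk from the change, or mention the cleanup in the commit message if it is intentional.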
@@ -1006,6 +1006,24 @@
intended must be manually inserted again using :ref:`aram_store_ref_ar_do`
+aram_lock
+~~~~~~~~~
+This command allows to lock the access to the STORE DATA command. This renders
+all access rules stored within the ARA-M applet effectively read-only. The lock
+can only be removed via a secure channel to the security domain and is therefore
+suitable to prevent unauthorized changes to ARA-M rules.
+
+Removal of the lock:
+::
+
+ pySIM-shell (SCP02[01]:00:MF/ADF.ISD)> install_for_personalization A00000015141434C00
+ pySIM-shell (SCP02[01]:00:MF/ADF.ISD)> apdu --expect-sw 9000 80E2900001A2
+
+NOTE: ARA-M Locking is a proprietary feature that is specific to sysmocom's
+fork of Bertrand Martel's ARA-M implementation. ARA-M Locking is supported in
+newer (2025) applet versions from v0.1.0 onward.
+
+
GlobalPlatform commands
-----------------------
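Review bot: The new aram_lock section shows only how to remove the lock, using a raw `apdu --expect-sw 9000 80E2900001A2` whose payload is never explained, and gives no usage example for aram_lock itself. Suggest adding a short example of issuing aram_lock and one sentence stating what the STORE DATA payload in the removal command means, so that readers do not have to compare it against the literal in pySim/ara_m.py. It would also help to say explicitly that locking is done from the ARA-M applet context while removal needs the SCP02 session on ADF.ISD shown in the prompt. Minor: "allows to lock" reads better as "locks".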
diff --git a/pySim/ara_m.py b/pySim/ara_m.py
index 7a0f93f..e10ae10 100644
--- a/pySim/ara_m.py
+++ b/pySim/ara_m.py
@@ -389,6 +389,11 @@
if res_do:
self._cmd.poutput_json(res_do.to_dict())
+ def do_aram_lock(self, opts):
+ """Lock STORE DATA command to prevent unauthorized changes
+ (Proprietary feature that is specific to sysmocom's fork of Bertrand Martel’s ARA-M implementation.)"""
+ self._cmd.lchan.scc.send_apdu_checksw('80e2900001A1', '9000')
+
# SEAC v1.1 Section 4.1.2.2 + 5.1.2.2
sw_aram = {
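Review bot: In do_aram_lock the APDU is a hard-coded hex literal with mixed case ('80e2900001A1') and no comment on what the A1 payload means or how it relates to the 80E2900001A2 used for removal in docs/shell.rst. Suggest a named constant or a one-line comment for the payload, and consistent hex case. The docstring should also state that the lock can only be removed via a secure channel to the security domain, since the command takes no options and asks for no confirmation before sending. The docstring uses a typographic apostrophe in "Martel’s" where the documentation uses a plain one.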
To view, visit change 39780.