dexter has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/39780?usp=email )
Change subject: ara_m: add command to lock write access to the ARA-M rules.
ara_m: add command to lock write access to the ARA-M rules.
Recent versions of the ARA-M applet from Bertrand Martel can lock the write access to ARA-M rules. Let's add a command for that and some documentation.
Related: SYS#7245
Change-Id: I71581a0c9f146f9a0921093d9b53b053b4a8946c
---
M docs/shell.rst
M pySim/ara_m.py
2 files changed, 19 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/80/39780/1
diff --git a/docs/shell.rst b/docs/shell.rst index 564f162..9c8eb9b 100644 --- a/docs/shell.rst +++ b/docs/shell.rst @@ -1006,6 +1006,21 @@ intended must be manually inserted again using :ref:`aram_store_ref_ar_do`
+aram_lock +~~~~~~~~~ +Newer versions (50f092037a) of the ara-m applet (Bertrand Martel) allow to lock +the access to the STORE DATA command. This renders all access rules stored within +the ARA-M applet effectively read-only. The lock can only be removed via a secure +channel to the security domain and is therefore suitable to prevent unauthorized +changes to ARA-M rules. + +Removal of the lock: +:: + + pySIM-shell (SCP02[01]:00:MF/ADF.ISD)> install_for_personalization A00000015141434C00 + pySIM-shell (SCP02[01]:00:MF/ADF.ISD)> apdu --expect-sw 9000 80E2900001A2 + + GlobalPlatform commands -----------------------
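Review bot: the new `aram_lock` section explains how the lock is removed but never shows how it is applied, so a reader does not learn that the command sends a STORE DATA with data byte A1 (the removal example sends A2) and that, once set, it cannot be undone from an ordinary ADM-authenticated session. Suggest opening the section with a usage example in the same `::` block style as the removal example, invoking `aram_lock` from a session with the ARA-M applet selected, and stating explicitly that the SCP02 sequence shown is the only way back. It would also help to document which status word `aram_store_ref_ar_do` returns once the lock is active, so operators can recognise a locked applet. Minor wording: "allow to lock the access to" should read "allow locking access to", and the bare "(50f092037a)" is clearer as "applet git commit 50f092037a".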
diff --git a/pySim/ara_m.py b/pySim/ara_m.py index 7a0f93f..f06acee 100644 --- a/pySim/ara_m.py +++ b/pySim/ara_m.py @@ -389,6 +389,10 @@ if res_do: self._cmd.poutput_json(res_do.to_dict())
+ def do_aram_lock(self, opts): + """Lock STORE DATA command to prevent unauthorized changes (use with caution!)""" + self._cmd.lchan.scc.send_apdu_checksw('80e2900001A1', '9000') +
# SEAC v1.1 Section 4.1.2.2 + 5.1.2.2 sw_aram = {
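Review bot: `do_aram_lock` is irreversible from the shell (there is no matching unlock command, and the docs hunk says removal needs an SCP02 channel to the ISD), yet the only guard is the docstring's "use with caution!"; consider an interactive confirmation before the APDU is sent, or at least an explicit argparse-backed flag, since the `opts` parameter is accepted but unused. The APDU `'80e2900001A1'` is a magic string in mixed-case hex; name it (e.g. `ARAM_LOCK_APDU`) and add a comment citing where in the applet source P1=0x90 with data byte A1 is defined, so it stays in sync with the `80E2900001A2` unlock value documented in shell.rst. The docstring should also say that the lock can only be removed via a secure channel to the ISD, not merely "use with caution".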