dexter has uploaded this change for review. ( https://gerrit.osmocom.org/c/aram-applet/+/39781?usp=email )
Change subject: README.md document recently added lock/unlock feature
......................................................................
README.md document recently added lock/unlock feature
The ara-m applet now has a method to lock the store data command. This prevents unauthorized changes to the access rules.
Related: SYS#7245
Change-Id: I5a8db9c823a207842aa894485820d610d311c2e0
---
M README.md
1 file changed, 14 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/aram-applet refs/changes/81/39781/1
diff --git a/README.md b/README.md index e6fb5f3..816a5d5 100644 --- a/README.md +++ b/README.md @@ -46,10 +46,12 @@ - [x] delete REF-DO - [ ] delete REF-AR-DO - [x] update refresh tag +- [x] lock/unlock store data (protect against unauthorized access rule changes)
### Note
* store data can be accessed via install for personalization or via raw apdu STORE DATA +* when store data is locked, then store data can only be accessed via install for personalization * get data length is coded on **2 bytes** max * get specific is **not** compatible with get next * rules are not stored as data object but as plain apdu AR-DO @@ -127,6 +129,18 @@ gp -acr-delete -app D2760001180002FF49502589C0019B18 -acr-hash 1FA8CC6CE448894C7011E23BCF56DB9BD9097432 ```
+#### lock + +```bash +gp --key-enc $KIC --key-mac $KID --key-dek $KIK --secure-apdu 80e620000f000009a00000015141434c00000000 --secure-apdu 80E2900001A1 +``` + +#### unlock + +```bash +gp --key-enc $KIC --key-mac $KID --key-dek $KIK --secure-apdu 80e620000f000009a00000015141434c00000000 --secure-apdu 80E2900001A2 +``` + ### Raw APDU
#### list rules
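Review bot: the new Note bullet in the first README.md hunk (@@ -46,10 +46,12 @@), "when store data is locked, then store data can only be accessed via install for personalization", does not say which state the applet is in after a fresh install, nor what a raw STORE DATA APDU gets back while the lock is active. Since the checklist entry describes this as protection against unauthorized access rule changes, the README should state the default (locked or unlocked) and the expected response to a rejected raw STORE DATA, so an integrator can verify that the lock is in effect. Wording the bullet as a direct counterpart to the one above it ("or via raw apdu STORE DATA") would also make it explicit that the raw APDU path is the one being closed.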
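Review bot: in the second hunk (@@ -127,6 +129,18 @@) the commands under "#### lock" and "#### unlock" are identical except for the last byte of the second --secure-apdu (80E2900001A1 vs 80E2900001A2), and the added text does not explain either APDU. Please add a sentence to each section saying what the two APDUs are (the first looks like the install for personalization referred to in the Note section, the second the store data payload with A1 for lock and A2 for unlock) and that $KIC, $KID and $KIK have to be set to the card's keys before running the command. Style point: the existing example directly above uses single-dash options (gp -acr-delete -app ...), while the new lines use --key-enc and --secure-apdu; the README should use one form throughout.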