laforge has submitted this change. ( https://gerrit.osmocom.org/c/pysim/+/39780?usp=email )
Change subject: ara_m: add command to lock write access to the ARA-M rules.
ara_m: add command to lock write access to the ARA-M rules.
Recent versions of the ARA-M applet from Bertrand Martel can lock the write access to ARA-M rules. Let's add a command for that and some documentation.
Related: SYS#7245
Change-Id: I71581a0c9f146f9a0921093d9b53b053b4a8946c
---
M docs/shell.rst
M pySim/ara_m.py
2 files changed, 24 insertions(+), 1 deletion(-)
Approvals:
laforge: Looks good to me, approved
Jenkins Builder: Verified
diff --git a/docs/shell.rst b/docs/shell.rst index 564f162..0eb64ba 100644 --- a/docs/shell.rst +++ b/docs/shell.rst @@ -1,4 +1,4 @@ -pySim-shell +pySim-shell ===========
pySim-shell is an interactive command line shell for all kind of interactions with SIM cards, @@ -1006,6 +1006,24 @@ intended must be manually inserted again using :ref:`aram_store_ref_ar_do`
+aram_lock +~~~~~~~~~ +This command allows to lock the access to the STORE DATA command. This renders +all access rules stored within the ARA-M applet effectively read-only. The lock +can only be removed via a secure channel to the security domain and is therefore +suitable to prevent unauthorized changes to ARA-M rules. + +Removal of the lock: +:: + + pySIM-shell (SCP02[01]:00:MF/ADF.ISD)> install_for_personalization A00000015141434C00 + pySIM-shell (SCP02[01]:00:MF/ADF.ISD)> apdu --expect-sw 9000 80E2900001A2 + +NOTE: ARA-M Locking is a proprietary feature that is specific to sysmocom's +fork of Bertrand Martel's ARA-M implementation. ARA-M Locking is supported in +newer (2025) applet versions from v0.1.0 onward. + + GlobalPlatform commands -----------------------
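Review bot: the `@@ -1,4 +1,4 @@` hunk replaces the `pySim-shell` title line with one that shows no visible difference in the extracted text, so it is presumably a trailing-whitespace fix unrelated to the ARA-M lock feature; it is better dropped from this commit or at least mentioned in the commit message. In the new `aram_lock` section, "This command allows to lock the access to the STORE DATA command" reads better as "This command locks the STORE DATA command of the ARA-M applet", and since the text itself says the lock can only be removed via a secure channel to the security domain, the section should state plainly that `aram_lock` is not reversible from pySim-shell without SCP02 access to the ISD, which the example prompt `(SCP02[01]:00:MF/ADF.ISD)` only implies. The removal example sends `80E2900001A2` through the raw `apdu` command; documenting that the lock itself is the same command with data `A1` (as the code sends) would make the two values recognisable as a pair, and a sentence on what happens when `aram_store_ref_ar_do` or `aram_delete_all` is attempted while locked (the SW the applet returns) would save users a round of guessing.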
diff --git a/pySim/ara_m.py b/pySim/ara_m.py index 7a0f93f..e10ae10 100644 --- a/pySim/ara_m.py +++ b/pySim/ara_m.py @@ -389,6 +389,11 @@ if res_do: self._cmd.poutput_json(res_do.to_dict())
+ def do_aram_lock(self, opts): + """Lock STORE DATA command to prevent unauthorized changes + (Proprietary feature that is specific to sysmocom's fork of Bertrand Martel’s ARA-M implementation.)""" + self._cmd.lchan.scc.send_apdu_checksw('80e2900001A1', '9000') +
# SEAC v1.1 Section 4.1.2.2 + 5.1.2.2 sw_aram = {
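Review bot: `do_aram_lock` takes `opts` but never uses it and, unlike the surrounding commands, is not wired to an argparser, so anything typed after the command is silently ignored; either drop the parameter or add an explicit confirmation flag, because this single APDU renders the rules read-only and, per the docs hunk, can only be undone over a secure channel to the security domain. The docstring should say that much so that `help aram_lock` warns the operator before they run it; it currently only notes that the feature is proprietary. Minor: the hard-coded `'80e2900001A1'` mixes hex case, the docstring uses a typographic apostrophe in "Martel’s" where a plain `'` would avoid non-ASCII in source, and a short comment that P1=0x90 with data `A1` is the proprietary lock encoding (and `A2`, shown in the docs, the unlock) would make the magic bytes traceable.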