diff options
Diffstat (limited to 'meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch')
-rw-r--r-- | meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch | 266 |
1 files changed, 266 insertions, 0 deletions
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch new file mode 100644 index 0000000000..d47b0decf5 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch @@ -0,0 +1,266 @@ +From afdeb8e098a1f2822adf2ea83ded8dd9e2d021ba Mon Sep 17 00:00:00 2001 +From: Rui Miguel Silva <rui.silva@linaro.org> +Date: Tue, 7 Dec 2021 11:50:00 +0000 +Subject: [PATCH 10/19] Add psa ipc attestation to se proxy + +Implement attestation client API as psa ipc and include it to +se proxy deployment. + +Upstream-Status: Pending +Signed-off-by: Satish Kumar <satish.kumar01@arm.com> +Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> +--- + .../client/psa_ipc/component.cmake | 13 +++ + .../client/psa_ipc/iat_ipc_client.c | 86 +++++++++++++++++++ + .../reporter/psa_ipc/component.cmake | 13 +++ + .../reporter/psa_ipc/psa_ipc_attest_report.c | 45 ++++++++++ + components/service/common/include/psa/sid.h | 4 + + .../se-proxy/common/service_proxy_factory.c | 6 ++ + deployments/se-proxy/se-proxy.cmake | 3 +- + 7 files changed, 169 insertions(+), 1 deletion(-) + create mode 100644 components/service/attestation/client/psa_ipc/component.cmake + create mode 100644 components/service/attestation/client/psa_ipc/iat_ipc_client.c + create mode 100644 components/service/attestation/reporter/psa_ipc/component.cmake + create mode 100644 components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c + +diff --git a/components/service/attestation/client/psa_ipc/component.cmake b/components/service/attestation/client/psa_ipc/component.cmake +new file mode 100644 +index 000000000000..a5bc6b4a387e +--- /dev/null ++++ b/components/service/attestation/client/psa_ipc/component.cmake +@@ -0,0 +1,13 @@ ++#------------------------------------------------------------------------------- ++# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++# ++# SPDX-License-Identifier: BSD-3-Clause ++# ++#------------------------------------------------------------------------------- ++if (NOT DEFINED TGT) ++ message(FATAL_ERROR "mandatory parameter TGT is not defined.") ++endif() ++ ++target_sources(${TGT} PRIVATE ++ "${CMAKE_CURRENT_LIST_DIR}/iat_ipc_client.c" ++ ) +diff --git a/components/service/attestation/client/psa_ipc/iat_ipc_client.c b/components/service/attestation/client/psa_ipc/iat_ipc_client.c +new file mode 100644 +index 000000000000..30bd0a13a385 +--- /dev/null ++++ b/components/service/attestation/client/psa_ipc/iat_ipc_client.c +@@ -0,0 +1,86 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#include <stddef.h> ++#include <string.h> ++ ++#include "../psa/iat_client.h" ++#include <protocols/rpc/common/packed-c/status.h> ++#include <psa/initial_attestation.h> ++#include <psa/client.h> ++#include <psa/sid.h> ++#include <service/common/client/service_client.h> ++ ++/** ++ * @brief The singleton psa_iat_client instance ++ * ++ * The psa attestation C API assumes a single backend service provider. ++ */ ++static struct service_client instance; ++ ++ ++psa_status_t psa_iat_client_init(struct rpc_caller *caller) ++{ ++ return service_client_init(&instance, caller); ++} ++ ++void psa_iat_client_deinit(void) ++{ ++ service_client_deinit(&instance); ++} ++ ++int psa_iat_client_rpc_status(void) ++{ ++ return instance.rpc_status; ++} ++ ++psa_status_t psa_initial_attest_get_token(const uint8_t *auth_challenge, ++ size_t challenge_size, ++ uint8_t *token_buf, ++ size_t token_buf_size, ++ size_t *token_size) ++{ ++ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; ++ struct rpc_caller *caller = instance.caller; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_const_to_u32(auth_challenge), .len = challenge_size}, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(token_buf), .len = token_buf_size}, ++ }; ++ ++ if (!token_buf || !token_buf_size) ++ return PSA_ERROR_INVALID_ARGUMENT; ++ ++ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE, ++ TFM_ATTEST_GET_TOKEN, in_vec, IOVEC_LEN(in_vec), ++ out_vec, IOVEC_LEN(out_vec)); ++ if (status == PSA_SUCCESS) { ++ *token_size = out_vec[0].len; ++ } ++ ++ return status; ++} ++ ++psa_status_t psa_initial_attest_get_token_size(size_t challenge_size, ++ size_t *token_size) ++{ ++ struct rpc_caller *caller = instance.caller; ++ psa_status_t status; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&challenge_size), .len = sizeof(uint32_t)} ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(token_size), .len = sizeof(uint32_t)} ++ }; ++ ++ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE, ++ TFM_ATTEST_GET_TOKEN_SIZE, ++ in_vec, IOVEC_LEN(in_vec), ++ out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} +diff --git a/components/service/attestation/reporter/psa_ipc/component.cmake b/components/service/attestation/reporter/psa_ipc/component.cmake +new file mode 100644 +index 000000000000..b37830c618fe +--- /dev/null ++++ b/components/service/attestation/reporter/psa_ipc/component.cmake +@@ -0,0 +1,13 @@ ++#------------------------------------------------------------------------------- ++# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++# ++# SPDX-License-Identifier: BSD-3-Clause ++# ++#------------------------------------------------------------------------------- ++if (NOT DEFINED TGT) ++ message(FATAL_ERROR "mandatory parameter TGT is not defined.") ++endif() ++ ++target_sources(${TGT} PRIVATE ++ "${CMAKE_CURRENT_LIST_DIR}/psa_ipc_attest_report.c" ++ ) +diff --git a/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c +new file mode 100644 +index 000000000000..15805e8ed4b1 +--- /dev/null ++++ b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c +@@ -0,0 +1,45 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++/** ++ * A attestation reporter for psa ipc ++ */ ++ ++#include <stddef.h> ++#include <psa/error.h> ++#include <service/attestation/reporter/attest_report.h> ++#include <psa/initial_attestation.h> ++ ++#define TOKEN_BUF_SIZE 1024 ++ ++static uint8_t token_buf[TOKEN_BUF_SIZE]; ++ ++int attest_report_create(int32_t client_id, const uint8_t *auth_challenge_data, ++ size_t auth_challenge_len, const uint8_t **report, ++ size_t *report_len) ++{ ++ *report = token_buf; ++ psa_status_t ret; ++ size_t token_size = 0; ++ ++ ret = psa_initial_attest_get_token(auth_challenge_data, ++ auth_challenge_len, token_buf, ++ TOKEN_BUF_SIZE, &token_size); ++ if (ret != PSA_SUCCESS) { ++ *report = NULL; ++ *report_len = 0; ++ return ret; ++ } ++ ++ *report_len = token_size; ++ ++ return PSA_SUCCESS; ++} ++ ++void attest_report_destroy(const uint8_t *report) ++{ ++ (void)report; ++} +diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h +index aaa973c6e987..833f5039425f 100644 +--- a/components/service/common/include/psa/sid.h ++++ b/components/service/common/include/psa/sid.h +@@ -50,6 +50,10 @@ extern "C" { + #define TFM_ATTESTATION_SERVICE_VERSION (1U) + #define TFM_ATTESTATION_SERVICE_HANDLE (0x40000103U) + ++/* Initial Attestation message types that distinguish Attest services. */ ++#define TFM_ATTEST_GET_TOKEN 1001 ++#define TFM_ATTEST_GET_TOKEN_SIZE 1002 ++ + /******** TFM_SP_FWU ********/ + #define TFM_FWU_WRITE_SID (0x000000A0U) + #define TFM_FWU_WRITE_VERSION (1U) +diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c +index 57290056d614..4b8cceccbe4d 100644 +--- a/deployments/se-proxy/common/service_proxy_factory.c ++++ b/deployments/se-proxy/common/service_proxy_factory.c +@@ -23,12 +23,18 @@ struct openamp_caller openamp; + struct rpc_interface *attest_proxy_create(void) + { + struct rpc_interface *attest_iface; ++ struct rpc_caller *attest_caller; + + /* Static objects for proxy instance */ + static struct attest_provider attest_provider; + ++ attest_caller = openamp_caller_init(&openamp); ++ if (!attest_caller) ++ return NULL; ++ + /* Initialize the service provider */ + attest_iface = attest_provider_init(&attest_provider); ++ psa_iat_client_init(&openamp.rpc_caller); + + attest_provider_register_serializer(&attest_provider, + TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance()); +diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake +index cd51460406ca..38d26821d44d 100644 +--- a/deployments/se-proxy/se-proxy.cmake ++++ b/deployments/se-proxy/se-proxy.cmake +@@ -49,12 +49,13 @@ add_components(TARGET "se-proxy" + "components/service/attestation/include" + "components/service/attestation/provider" + "components/service/attestation/provider/serializer/packed-c" ++ "components/service/attestation/reporter/psa_ipc" ++ "components/service/attestation/client/psa_ipc" + "components/rpc/openamp/caller/sp" + + # Stub service provider backends + "components/rpc/dummy" + "components/rpc/common/caller" +- "components/service/attestation/reporter/stub" + "components/service/attestation/key_mngr/stub" + "components/service/crypto/backend/stub" + "components/service/crypto/client/psa" +-- +2.38.0 + |