1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
|
From b142f3c162fb1c28982d26b5ac2181ba79197a28 Mon Sep 17 00:00:00 2001
From: Rui Miguel Silva <rui.silva@linaro.org>
Date: Tue, 7 Dec 2021 11:50:00 +0000
Subject: [PATCH 10/20] Add psa ipc attestation to se proxy
Implement attestation client API as psa ipc and include it to
se proxy deployment.
Upstream-Status: Pending
Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
---
.../client/psa_ipc/component.cmake | 13 +++
.../client/psa_ipc/iat_ipc_client.c | 86 +++++++++++++++++++
.../reporter/psa_ipc/component.cmake | 13 +++
.../reporter/psa_ipc/psa_ipc_attest_report.c | 45 ++++++++++
components/service/common/include/psa/sid.h | 4 +
.../se-proxy/common/service_proxy_factory.c | 6 ++
deployments/se-proxy/se-proxy.cmake | 7 +-
...ble-using-hard-coded-attestation-key.patch | 29 -------
external/psa_arch_tests/psa_arch_tests.cmake | 4 -
9 files changed, 171 insertions(+), 36 deletions(-)
create mode 100644 components/service/attestation/client/psa_ipc/component.cmake
create mode 100644 components/service/attestation/client/psa_ipc/iat_ipc_client.c
create mode 100644 components/service/attestation/reporter/psa_ipc/component.cmake
create mode 100644 components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
delete mode 100644 external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch
diff --git a/components/service/attestation/client/psa_ipc/component.cmake b/components/service/attestation/client/psa_ipc/component.cmake
new file mode 100644
index 000000000000..a5bc6b4a387e
--- /dev/null
+++ b/components/service/attestation/client/psa_ipc/component.cmake
@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/iat_ipc_client.c"
+ )
diff --git a/components/service/attestation/client/psa_ipc/iat_ipc_client.c b/components/service/attestation/client/psa_ipc/iat_ipc_client.c
new file mode 100644
index 000000000000..30bd0a13a385
--- /dev/null
+++ b/components/service/attestation/client/psa_ipc/iat_ipc_client.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stddef.h>
+#include <string.h>
+
+#include "../psa/iat_client.h"
+#include <protocols/rpc/common/packed-c/status.h>
+#include <psa/initial_attestation.h>
+#include <psa/client.h>
+#include <psa/sid.h>
+#include <service/common/client/service_client.h>
+
+/**
+ * @brief The singleton psa_iat_client instance
+ *
+ * The psa attestation C API assumes a single backend service provider.
+ */
+static struct service_client instance;
+
+
+psa_status_t psa_iat_client_init(struct rpc_caller *caller)
+{
+ return service_client_init(&instance, caller);
+}
+
+void psa_iat_client_deinit(void)
+{
+ service_client_deinit(&instance);
+}
+
+int psa_iat_client_rpc_status(void)
+{
+ return instance.rpc_status;
+}
+
+psa_status_t psa_initial_attest_get_token(const uint8_t *auth_challenge,
+ size_t challenge_size,
+ uint8_t *token_buf,
+ size_t token_buf_size,
+ size_t *token_size)
+{
+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+ struct rpc_caller *caller = instance.caller;
+ struct psa_invec in_vec[] = {
+ { .base = psa_ptr_const_to_u32(auth_challenge), .len = challenge_size},
+ };
+ struct psa_outvec out_vec[] = {
+ { .base = psa_ptr_to_u32(token_buf), .len = token_buf_size},
+ };
+
+ if (!token_buf || !token_buf_size)
+ return PSA_ERROR_INVALID_ARGUMENT;
+
+ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE,
+ TFM_ATTEST_GET_TOKEN, in_vec, IOVEC_LEN(in_vec),
+ out_vec, IOVEC_LEN(out_vec));
+ if (status == PSA_SUCCESS) {
+ *token_size = out_vec[0].len;
+ }
+
+ return status;
+}
+
+psa_status_t psa_initial_attest_get_token_size(size_t challenge_size,
+ size_t *token_size)
+{
+ struct rpc_caller *caller = instance.caller;
+ psa_status_t status;
+ struct psa_invec in_vec[] = {
+ { .base = psa_ptr_to_u32(&challenge_size), .len = sizeof(uint32_t)}
+ };
+ struct psa_outvec out_vec[] = {
+ { .base = psa_ptr_to_u32(token_size), .len = sizeof(uint32_t)}
+ };
+
+ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE,
+ TFM_ATTEST_GET_TOKEN_SIZE,
+ in_vec, IOVEC_LEN(in_vec),
+ out_vec, IOVEC_LEN(out_vec));
+
+ return status;
+}
diff --git a/components/service/attestation/reporter/psa_ipc/component.cmake b/components/service/attestation/reporter/psa_ipc/component.cmake
new file mode 100644
index 000000000000..b37830c618fe
--- /dev/null
+++ b/components/service/attestation/reporter/psa_ipc/component.cmake
@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/psa_ipc_attest_report.c"
+ )
diff --git a/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
new file mode 100644
index 000000000000..15805e8ed4b1
--- /dev/null
+++ b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+/**
+ * A attestation reporter for psa ipc
+ */
+
+#include <stddef.h>
+#include <psa/error.h>
+#include <service/attestation/reporter/attest_report.h>
+#include <psa/initial_attestation.h>
+
+#define TOKEN_BUF_SIZE 1024
+
+static uint8_t token_buf[TOKEN_BUF_SIZE];
+
+int attest_report_create(int32_t client_id, const uint8_t *auth_challenge_data,
+ size_t auth_challenge_len, const uint8_t **report,
+ size_t *report_len)
+{
+ *report = token_buf;
+ psa_status_t ret;
+ size_t token_size = 0;
+
+ ret = psa_initial_attest_get_token(auth_challenge_data,
+ auth_challenge_len, token_buf,
+ TOKEN_BUF_SIZE, &token_size);
+ if (ret != PSA_SUCCESS) {
+ *report = NULL;
+ *report_len = 0;
+ return ret;
+ }
+
+ *report_len = token_size;
+
+ return PSA_SUCCESS;
+}
+
+void attest_report_destroy(const uint8_t *report)
+{
+ (void)report;
+}
diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h
index aaa973c6e987..833f5039425f 100644
--- a/components/service/common/include/psa/sid.h
+++ b/components/service/common/include/psa/sid.h
@@ -50,6 +50,10 @@ extern "C" {
#define TFM_ATTESTATION_SERVICE_VERSION (1U)
#define TFM_ATTESTATION_SERVICE_HANDLE (0x40000103U)
+/* Initial Attestation message types that distinguish Attest services. */
+#define TFM_ATTEST_GET_TOKEN 1001
+#define TFM_ATTEST_GET_TOKEN_SIZE 1002
+
/******** TFM_SP_FWU ********/
#define TFM_FWU_WRITE_SID (0x000000A0U)
#define TFM_FWU_WRITE_VERSION (1U)
diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c
index 57290056d614..4b8cceccbe4d 100644
--- a/deployments/se-proxy/common/service_proxy_factory.c
+++ b/deployments/se-proxy/common/service_proxy_factory.c
@@ -23,12 +23,18 @@ struct openamp_caller openamp;
struct rpc_interface *attest_proxy_create(void)
{
struct rpc_interface *attest_iface;
+ struct rpc_caller *attest_caller;
/* Static objects for proxy instance */
static struct attest_provider attest_provider;
+ attest_caller = openamp_caller_init(&openamp);
+ if (!attest_caller)
+ return NULL;
+
/* Initialize the service provider */
attest_iface = attest_provider_init(&attest_provider);
+ psa_iat_client_init(&openamp.rpc_caller);
attest_provider_register_serializer(&attest_provider,
TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance());
diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake
index cd51460406ca..3dbbc36c968d 100644
--- a/deployments/se-proxy/se-proxy.cmake
+++ b/deployments/se-proxy/se-proxy.cmake
@@ -49,14 +49,15 @@ add_components(TARGET "se-proxy"
"components/service/attestation/include"
"components/service/attestation/provider"
"components/service/attestation/provider/serializer/packed-c"
+ "components/service/attestation/reporter/psa_ipc"
+ "components/service/attestation/client/psa_ipc"
"components/rpc/openamp/caller/sp"
# Stub service provider backends
"components/rpc/dummy"
"components/rpc/common/caller"
- "components/service/attestation/reporter/stub"
- "components/service/attestation/key_mngr/stub"
- "components/service/crypto/backend/stub"
+ "components/service/attestation/key_mngr/local"
+ "components/service/crypto/backend/psa_ipc"
"components/service/crypto/client/psa"
"components/service/secure_storage/backend/mock_store"
)
diff --git a/external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch b/external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch
deleted file mode 100644
index 6664961ab662..000000000000
--- a/external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From dbd25f94eb62a9855bf342dd97503a49ea50f83e Mon Sep 17 00:00:00 2001
-From: Gyorgy Szing <Gyorgy.Szing@arm.com>
-Date: Tue, 8 Feb 2022 17:06:37 +0000
-Subject: [PATCH 1/1] Disable using hard-coded attestation key
-
-Modify platform config to disable using a hard-coded attestation
-key.
-
-Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>
----
- api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h
-index 6112ba7..1cdf581 100755
---- a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h
-+++ b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h
-@@ -60,7 +60,7 @@ typedef uint32_t cfg_id_t;
- #define CRYPTO_VERSION_BETA3
-
- /* Use hardcoded public key */
--#define PLATFORM_OVERRIDE_ATTEST_PK
-+//#define PLATFORM_OVERRIDE_ATTEST_PK
-
- /*
- * Include of PSA defined Header files
---
-2.17.1
-
diff --git a/external/psa_arch_tests/psa_arch_tests.cmake b/external/psa_arch_tests/psa_arch_tests.cmake
index a8b77a1fc05e..1995df3e0b49 100644
--- a/external/psa_arch_tests/psa_arch_tests.cmake
+++ b/external/psa_arch_tests/psa_arch_tests.cmake
@@ -15,10 +15,6 @@ set(GIT_OPTIONS
GIT_REPOSITORY ${PSA_ARCH_TESTS_URL}
GIT_TAG ${PSA_ARCH_TESTS_REFSPEC}
GIT_SHALLOW FALSE
- PATCH_COMMAND git stash
- COMMAND git tag -f ts-before-am
- COMMAND git am ${CMAKE_CURRENT_LIST_DIR}/0001-Disable-using-hard-coded-attestation-key.patch
- COMMAND git reset ts-before-am
)
# Ensure list of defines is separated correctly
--
2.38.1
|
