diff options
Diffstat (limited to 'meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch')
-rw-r--r-- | meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch | 323 |
1 files changed, 0 insertions, 323 deletions
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch deleted file mode 100644 index 2d0725cb24..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0010-Add-psa-ipc-attestation-to-se-proxy.patch +++ /dev/null @@ -1,323 +0,0 @@ -From b142f3c162fb1c28982d26b5ac2181ba79197a28 Mon Sep 17 00:00:00 2001 -From: Rui Miguel Silva <rui.silva@linaro.org> -Date: Tue, 7 Dec 2021 11:50:00 +0000 -Subject: [PATCH 10/20] Add psa ipc attestation to se proxy - -Implement attestation client API as psa ipc and include it to -se proxy deployment. - -Upstream-Status: Pending -Signed-off-by: Satish Kumar <satish.kumar01@arm.com> -Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> ---- - .../client/psa_ipc/component.cmake | 13 +++ - .../client/psa_ipc/iat_ipc_client.c | 86 +++++++++++++++++++ - .../reporter/psa_ipc/component.cmake | 13 +++ - .../reporter/psa_ipc/psa_ipc_attest_report.c | 45 ++++++++++ - components/service/common/include/psa/sid.h | 4 + - .../se-proxy/common/service_proxy_factory.c | 6 ++ - deployments/se-proxy/se-proxy.cmake | 7 +- - ...ble-using-hard-coded-attestation-key.patch | 29 ------- - external/psa_arch_tests/psa_arch_tests.cmake | 4 - - 9 files changed, 171 insertions(+), 36 deletions(-) - create mode 100644 components/service/attestation/client/psa_ipc/component.cmake - create mode 100644 components/service/attestation/client/psa_ipc/iat_ipc_client.c - create mode 100644 components/service/attestation/reporter/psa_ipc/component.cmake - create mode 100644 components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c - delete mode 100644 external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch - -diff --git a/components/service/attestation/client/psa_ipc/component.cmake b/components/service/attestation/client/psa_ipc/component.cmake -new file mode 100644 -index 000000000000..a5bc6b4a387e ---- /dev/null -+++ b/components/service/attestation/client/psa_ipc/component.cmake -@@ -0,0 +1,13 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/iat_ipc_client.c" -+ ) -diff --git a/components/service/attestation/client/psa_ipc/iat_ipc_client.c b/components/service/attestation/client/psa_ipc/iat_ipc_client.c -new file mode 100644 -index 000000000000..30bd0a13a385 ---- /dev/null -+++ b/components/service/attestation/client/psa_ipc/iat_ipc_client.c -@@ -0,0 +1,86 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+#include <stddef.h> -+#include <string.h> -+ -+#include "../psa/iat_client.h" -+#include <protocols/rpc/common/packed-c/status.h> -+#include <psa/initial_attestation.h> -+#include <psa/client.h> -+#include <psa/sid.h> -+#include <service/common/client/service_client.h> -+ -+/** -+ * @brief The singleton psa_iat_client instance -+ * -+ * The psa attestation C API assumes a single backend service provider. -+ */ -+static struct service_client instance; -+ -+ -+psa_status_t psa_iat_client_init(struct rpc_caller *caller) -+{ -+ return service_client_init(&instance, caller); -+} -+ -+void psa_iat_client_deinit(void) -+{ -+ service_client_deinit(&instance); -+} -+ -+int psa_iat_client_rpc_status(void) -+{ -+ return instance.rpc_status; -+} -+ -+psa_status_t psa_initial_attest_get_token(const uint8_t *auth_challenge, -+ size_t challenge_size, -+ uint8_t *token_buf, -+ size_t token_buf_size, -+ size_t *token_size) -+{ -+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; -+ struct rpc_caller *caller = instance.caller; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_const_to_u32(auth_challenge), .len = challenge_size}, -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(token_buf), .len = token_buf_size}, -+ }; -+ -+ if (!token_buf || !token_buf_size) -+ return PSA_ERROR_INVALID_ARGUMENT; -+ -+ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE, -+ TFM_ATTEST_GET_TOKEN, in_vec, IOVEC_LEN(in_vec), -+ out_vec, IOVEC_LEN(out_vec)); -+ if (status == PSA_SUCCESS) { -+ *token_size = out_vec[0].len; -+ } -+ -+ return status; -+} -+ -+psa_status_t psa_initial_attest_get_token_size(size_t challenge_size, -+ size_t *token_size) -+{ -+ struct rpc_caller *caller = instance.caller; -+ psa_status_t status; -+ struct psa_invec in_vec[] = { -+ { .base = psa_ptr_to_u32(&challenge_size), .len = sizeof(uint32_t)} -+ }; -+ struct psa_outvec out_vec[] = { -+ { .base = psa_ptr_to_u32(token_size), .len = sizeof(uint32_t)} -+ }; -+ -+ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE, -+ TFM_ATTEST_GET_TOKEN_SIZE, -+ in_vec, IOVEC_LEN(in_vec), -+ out_vec, IOVEC_LEN(out_vec)); -+ -+ return status; -+} -diff --git a/components/service/attestation/reporter/psa_ipc/component.cmake b/components/service/attestation/reporter/psa_ipc/component.cmake -new file mode 100644 -index 000000000000..b37830c618fe ---- /dev/null -+++ b/components/service/attestation/reporter/psa_ipc/component.cmake -@@ -0,0 +1,13 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+if (NOT DEFINED TGT) -+ message(FATAL_ERROR "mandatory parameter TGT is not defined.") -+endif() -+ -+target_sources(${TGT} PRIVATE -+ "${CMAKE_CURRENT_LIST_DIR}/psa_ipc_attest_report.c" -+ ) -diff --git a/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c -new file mode 100644 -index 000000000000..15805e8ed4b1 ---- /dev/null -+++ b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c -@@ -0,0 +1,45 @@ -+/* -+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ */ -+ -+/** -+ * A attestation reporter for psa ipc -+ */ -+ -+#include <stddef.h> -+#include <psa/error.h> -+#include <service/attestation/reporter/attest_report.h> -+#include <psa/initial_attestation.h> -+ -+#define TOKEN_BUF_SIZE 1024 -+ -+static uint8_t token_buf[TOKEN_BUF_SIZE]; -+ -+int attest_report_create(int32_t client_id, const uint8_t *auth_challenge_data, -+ size_t auth_challenge_len, const uint8_t **report, -+ size_t *report_len) -+{ -+ *report = token_buf; -+ psa_status_t ret; -+ size_t token_size = 0; -+ -+ ret = psa_initial_attest_get_token(auth_challenge_data, -+ auth_challenge_len, token_buf, -+ TOKEN_BUF_SIZE, &token_size); -+ if (ret != PSA_SUCCESS) { -+ *report = NULL; -+ *report_len = 0; -+ return ret; -+ } -+ -+ *report_len = token_size; -+ -+ return PSA_SUCCESS; -+} -+ -+void attest_report_destroy(const uint8_t *report) -+{ -+ (void)report; -+} -diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h -index aaa973c6e987..833f5039425f 100644 ---- a/components/service/common/include/psa/sid.h -+++ b/components/service/common/include/psa/sid.h -@@ -50,6 +50,10 @@ extern "C" { - #define TFM_ATTESTATION_SERVICE_VERSION (1U) - #define TFM_ATTESTATION_SERVICE_HANDLE (0x40000103U) - -+/* Initial Attestation message types that distinguish Attest services. */ -+#define TFM_ATTEST_GET_TOKEN 1001 -+#define TFM_ATTEST_GET_TOKEN_SIZE 1002 -+ - /******** TFM_SP_FWU ********/ - #define TFM_FWU_WRITE_SID (0x000000A0U) - #define TFM_FWU_WRITE_VERSION (1U) -diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c -index 57290056d614..4b8cceccbe4d 100644 ---- a/deployments/se-proxy/common/service_proxy_factory.c -+++ b/deployments/se-proxy/common/service_proxy_factory.c -@@ -23,12 +23,18 @@ struct openamp_caller openamp; - struct rpc_interface *attest_proxy_create(void) - { - struct rpc_interface *attest_iface; -+ struct rpc_caller *attest_caller; - - /* Static objects for proxy instance */ - static struct attest_provider attest_provider; - -+ attest_caller = openamp_caller_init(&openamp); -+ if (!attest_caller) -+ return NULL; -+ - /* Initialize the service provider */ - attest_iface = attest_provider_init(&attest_provider); -+ psa_iat_client_init(&openamp.rpc_caller); - - attest_provider_register_serializer(&attest_provider, - TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance()); -diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake -index cd51460406ca..3dbbc36c968d 100644 ---- a/deployments/se-proxy/se-proxy.cmake -+++ b/deployments/se-proxy/se-proxy.cmake -@@ -49,14 +49,15 @@ add_components(TARGET "se-proxy" - "components/service/attestation/include" - "components/service/attestation/provider" - "components/service/attestation/provider/serializer/packed-c" -+ "components/service/attestation/reporter/psa_ipc" -+ "components/service/attestation/client/psa_ipc" - "components/rpc/openamp/caller/sp" - - # Stub service provider backends - "components/rpc/dummy" - "components/rpc/common/caller" -- "components/service/attestation/reporter/stub" -- "components/service/attestation/key_mngr/stub" -- "components/service/crypto/backend/stub" -+ "components/service/attestation/key_mngr/local" -+ "components/service/crypto/backend/psa_ipc" - "components/service/crypto/client/psa" - "components/service/secure_storage/backend/mock_store" - ) -diff --git a/external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch b/external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch -deleted file mode 100644 -index 6664961ab662..000000000000 ---- a/external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch -+++ /dev/null -@@ -1,29 +0,0 @@ --From dbd25f94eb62a9855bf342dd97503a49ea50f83e Mon Sep 17 00:00:00 2001 --From: Gyorgy Szing <Gyorgy.Szing@arm.com> --Date: Tue, 8 Feb 2022 17:06:37 +0000 --Subject: [PATCH 1/1] Disable using hard-coded attestation key -- --Modify platform config to disable using a hard-coded attestation --key. -- --Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com> ----- -- api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h | 2 +- -- 1 file changed, 1 insertion(+), 1 deletion(-) -- --diff --git a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h --index 6112ba7..1cdf581 100755 ----- a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h --+++ b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h --@@ -60,7 +60,7 @@ typedef uint32_t cfg_id_t; -- #define CRYPTO_VERSION_BETA3 -- -- /* Use hardcoded public key */ ---#define PLATFORM_OVERRIDE_ATTEST_PK --+//#define PLATFORM_OVERRIDE_ATTEST_PK -- -- /* -- * Include of PSA defined Header files ---- --2.17.1 -- -diff --git a/external/psa_arch_tests/psa_arch_tests.cmake b/external/psa_arch_tests/psa_arch_tests.cmake -index a8b77a1fc05e..1995df3e0b49 100644 ---- a/external/psa_arch_tests/psa_arch_tests.cmake -+++ b/external/psa_arch_tests/psa_arch_tests.cmake -@@ -15,10 +15,6 @@ set(GIT_OPTIONS - GIT_REPOSITORY ${PSA_ARCH_TESTS_URL} - GIT_TAG ${PSA_ARCH_TESTS_REFSPEC} - GIT_SHALLOW FALSE -- PATCH_COMMAND git stash -- COMMAND git tag -f ts-before-am -- COMMAND git am ${CMAKE_CURRENT_LIST_DIR}/0001-Disable-using-hard-coded-attestation-key.patch -- COMMAND git reset ts-before-am - ) - - # Ensure list of defines is separated correctly --- -2.38.1 - |