author | Tamas Ban <tamas.ban@arm.com> | 2020-01-15 13:29:25 +0000 |
---|---|---|
committer | Tamas Ban <tamas.ban@arm.com> | 2020-01-23 13:33:03 +0000 |
commit | abea89dd47fcc8a964559628b80607f9fa44a97c (patch) | |
tree | 50c9d23f0f50e21b5558131d7d651621740e1812 | |
parent | e66b2316c9ae4eeed24943f4c050acb5d0a95a7f (diff) | |
download | trusted-firmware-m-abea89dd47fcc8a964559628b80607f9fa44a97c.tar.gz |
Attest: Refine compile time build options
To have more granular config options for attestation
separate the test code and COSE key-id inclusion to be
dependent on different compile time options.
Change-Id: I351ce445f7beacf3378bbec4f740923bcd352f90
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
-rw-r--r-- | CommonConfig.cmake | 18 | ||||
-rw-r--r-- | docs/user_guides/services/tfm_attestation_integration_guide.rst | 13 | ||||
-rw-r--r-- | lib/ext/t_cose/CMakeLists.txt | 6 | ||||
-rw-r--r-- | secure_fw/services/initial_attestation/CMakeLists.inc | 25 | ||||
-rw-r--r-- | secure_fw/services/initial_attestation/attest_token.c | 6 | ||||
-rw-r--r-- | secure_fw/services/initial_attestation/attestation_core.c | 6 | ||||
-rw-r--r-- | secure_fw/services/initial_attestation/attestation_key.c | 6 | ||||
-rw-r--r-- | test/suites/attestation/CMakeLists.inc | 10 | ||||
-rw-r--r-- | test/suites/attestation/attest_token_test.c | 5 | ||||
-rw-r--r-- | test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c | 10 | ||||
-rw-r--r-- | test/suites/attestation/secure/attestation_s_interface_testsuite.c | 10 |
11 files changed, 69 insertions, 46 deletions
diff --git a/CommonConfig.cmake b/CommonConfig.cmake
index 9d5f17555d..fc4dd2d9df 100644
--- a/CommonConfig.cmake
+++ b/CommonConfig.cmake
@@ -1,5 +1,5 @@
 #-------------------------------------------------------------------------------
-# Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+# Copyright (c) 2018-2020, Arm Limited. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -12,7 +12,7 @@ elseif(NOT DEFINED CORE_TEST)
 elseif(NOT DEFINED TFM_LVL)
 message(FATAL_ERROR "ERROR: Incomplete Configuration: TFM_LVL not defined, Include this file from a Config*.cmake")
 elseif(NOT DEFINED CORE_IPC)
- message(FATAL_ERROR "ERROR: Incomplete Configuration: CORE_IPC not deinfed. Include this file from a Config*.cmake")
+ message(FATAL_ERROR "ERROR: Incomplete Configuration: CORE_IPC not defined. Include this file from a Config*.cmake")
 endif()
 if(NOT DEFINED COMPILER)
@@ -409,10 +409,16 @@ if (NOT DEFINED ATTEST_INCLUDE_OPTIONAL_CLAIMS)
 set(ATTEST_INCLUDE_OPTIONAL_CLAIMS ON)
 endif()
-if (CMAKE_BUILD_TYPE STREQUAL "debug")
- set(ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID ON)
-else()
- set(ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID OFF)
+if (NOT DEFINED ATTEST_INCLUDE_COSE_KEY_ID)
+ set(ATTEST_INCLUDE_COSE_KEY_ID OFF)
+endif()
+
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+ if (CMAKE_BUILD_TYPE STREQUAL "debug")
+ set(ATTEST_INCLUDE_TEST_CODE ON)
+ else()
+ set(ATTEST_INCLUDE_TEST_CODE OFF)
+ endif()
 endif()
 set(ATTEST_BOOT_INTERFACE "CBOR_ENCODED_CLAIMS" CACHE STRING "Set the format in which to pass the claims to the initial-attestation service.")
diff --git a/docs/user_guides/services/tfm_attestation_integration_guide.rst b/docs/user_guides/services/tfm_attestation_integration_guide.rst
index ffbec4cd77..eb5601f0bb 100644
--- a/docs/user_guides/services/tfm_attestation_integration_guide.rst
+++ b/docs/user_guides/services/tfm_attestation_integration_guide.rst
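Review bot: In the `@@ -409,10 +409,16 @@` hunk of CommonConfig.cmake, `ATTEST_INCLUDE_TEST_CODE` can now be preset by an including config or on the command line, so a non-debug build can carry the attestation test code with no signal other than the summary line printed by the attestation CMakeLists.inc. Elsewhere in this commit lib/ext/t_cose/CMakeLists.txt appends `T_COSE_DISABLE_SHORT_CIRCUIT_SIGN` only when the option is off, so turning it on presumably leaves short-circuit signing compiled into t_cose. A check after the defaulting block would make that visible at configure time: `if (ATTEST_INCLUDE_TEST_CODE AND NOT CMAKE_BUILD_TYPE STREQUAL "debug")`, then `message(WARNING "ATTEST_INCLUDE_TEST_CODE is ON in a non-debug build")`, then `endif()`. A one-line comment above the block stating that the option is not intended for production images would also help integrators.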
@@ -437,10 +437,13 @@ those flags. The list of flags are:
 - ``ATTEST_INCLUDE_OPTIONAL_CLAIMS``: Include also the optional claims to the attestation token. Default value: True.
-- ``ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID``: Test code and COSE key-id from
- unprotected token header is removed if it is False. Its value depends on the
- build type. It is True if build type is ``Debug``, otherwise False (different
- kind of ``Release`` builds).
+- ``ATTEST_INCLUDE_TEST_CODE``: Test code is removed from COSE library and from
+ attestation test suite if it is False. Its default value depends on the build
+ type. It is True if build type is ``Debug``, otherwise False (different kinds
+ of ``Release`` builds).
+- ``ATTEST_INCLUDE_COSE_KEY_ID``: COSE key-id is an optional field in the COSE
+ unprotected header. Key-id is calculated and added to the COSE header based
+ on the value of this flag. Default value: False.
 ************
 Verification
@@ -495,4 +498,4 @@ that user has license for DS-5 and FVP models:
 --------------
-*Copyright (c) 2018-2019, Arm Limited. All rights reserved.*
+*Copyright (c) 2018-2020, Arm Limited. All rights reserved.*
diff --git a/lib/ext/t_cose/CMakeLists.txt b/lib/ext/t_cose/CMakeLists.txt
index 7ff82e5e08..540da91bf6 100644
--- a/lib/ext/t_cose/CMakeLists.txt
+++ b/lib/ext/t_cose/CMakeLists.txt
@@ -22,8 +22,8 @@ embedded_project_start(CONFIG "${TFM_ROOT_DIR}/configs/ConfigDefault.cmake")
 project(tfm_t_cose LANGUAGES C)
 embedded_project_fixup()
-if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
- message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID is undefined. ")
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE is undefined. ")
 endif()
 #Append all our source files to global lists.
@@ -71,7 +71,7 @@ list(APPEND T_COSE_COMPILE_TIME_CONFIG
 "T_COSE_DISABLE_SIGN_VERIFY_TESTS"
 )
-if (NOT ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
+if (NOT ATTEST_INCLUDE_TEST_CODE)
 list(APPEND T_COSE_COMPILE_TIME_CONFIG "T_COSE_DISABLE_SHORT_CIRCUIT_SIGN")
 endif()
diff --git a/secure_fw/services/initial_attestation/CMakeLists.inc b/secure_fw/services/initial_attestation/CMakeLists.inc
index 8abfae2286..bbc6b83a79 100644
--- a/secure_fw/services/initial_attestation/CMakeLists.inc
+++ b/secure_fw/services/initial_attestation/CMakeLists.inc
@@ -24,8 +24,16 @@ if (NOT DEFINED ATTEST_INCLUDE_OPTIONAL_CLAIMS)
 message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_OPTIONAL_CLAIMS is undefined.")
 endif()
-if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
- message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID is undefined.")
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE is undefined.")
+endif()
+
+if (NOT DEFINED ATTEST_INCLUDE_COSE_KEY_ID)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_COSE_KEY_ID is undefined.")
+endif()
+
+if (NOT DEFINED ATTEST_BOOT_INTERFACE)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_BOOT_INTERFACE is undefined.")
 endif()
 list(APPEND ATTEST_C_SRC
@@ -41,8 +49,12 @@ if (ATTEST_INCLUDE_OPTIONAL_CLAIMS)
 set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_OPTIONAL_CLAIMS)
 endif()
-if (ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
- set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
+if (ATTEST_INCLUDE_TEST_CODE)
+ set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE)
+endif()
+
+if (ATTEST_INCLUDE_COSE_KEY_ID)
+ set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_COSE_KEY_ID)
 endif()
 if (ATTEST_BOOT_INTERFACE STREQUAL "INDIVIDUAL_CLAIMS")
@@ -52,8 +64,9 @@ endif()
 #Inform the user about attestation service features selected based on the cmake flags
 message("The Initial Attestation service compile configuration is as follows:")
 message("- ATTEST_INCLUDE_OPTIONAL_CLAIMS: ${ATTEST_INCLUDE_OPTIONAL_CLAIMS}")
-message("- ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID: ${ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID}")
-message("- ATTEST_BOOT_INTERFACE: ${ATTEST_BOOT_INTERFACE}")
+message("- ATTEST_INCLUDE_TEST_CODE: ${ATTEST_INCLUDE_TEST_CODE}")
+message("- ATTEST_INCLUDE_COSE_KEY_ID: ${ATTEST_INCLUDE_COSE_KEY_ID}")
+message("- ATTEST_BOOT_INTERFACE: ${ATTEST_BOOT_INTERFACE}")
 #Setting include directories
 embedded_include_directories(PATH ${TFM_ROOT_DIR} ABSOLUTE)
diff --git a/secure_fw/services/initial_attestation/attest_token.c b/secure_fw/services/initial_attestation/attest_token.c
index 4e582ae1fe..c6a4ecde37 100644
--- a/secure_fw/services/initial_attestation/attest_token.c
+++ b/secure_fw/services/initial_attestation/attest_token.c
@@ -99,21 +99,21 @@ enum attest_token_err_t attest_token_start(struct attest_token_ctx *me,
 psa_key_handle_t private_key;
 struct q_useful_buf_c attest_key_id = NULL_Q_USEFUL_BUF_C;
- /* Remember some of the configuration values */
 me->opt_flags = opt_flags;
 me->key_select = key_select;
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID
+
 if (opt_flags & TOKEN_OPT_SHORT_CIRCUIT_SIGN) {
 t_cose_options |= T_COSE_OPT_SHORT_CIRCUIT_SIG;
 } else {
+#ifdef INCLUDE_COSE_KEY_ID
 attest_ret = attest_get_initial_attestation_key_id(&attest_key_id);
 if (attest_ret != PSA_ATTEST_ERR_SUCCESS) {
 return ATTEST_TOKEN_ERR_GENERAL;
 }
+#endif /* INCLUDE_COSE_KEY_ID */
 }
-#endif
 t_cose_sign1_sign_init(&(me->signer_ctx), t_cose_options, cose_alg_id);
diff --git a/secure_fw/services/initial_attestation/attestation_core.c b/secure_fw/services/initial_attestation/attestation_core.c
index 052107c02e..a37e5f4279 100644
--- a/secure_fw/services/initial_attestation/attestation_core.c
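Review bot: In attest_token.c, the `if (opt_flags & TOKEN_OPT_SHORT_CIRCUIT_SIGN)` test in attest_token_start() is no longer under any compile-time guard, so the branch that sets `T_COSE_OPT_SHORT_CIRCUIT_SIG` is built into images that do not define `INCLUDE_TEST_CODE`. Such a build then depends on attest_create_token() presumably leaving option_flags at its initial value (the `#ifdef INCLUDE_TEST_CODE` around attest_get_option_flags() in attestation_core.c) and on t_cose being compiled with `T_COSE_DISABLE_SHORT_CIRCUIT_SIGN`, neither of which this function checks. Putting `#ifdef INCLUDE_TEST_CODE` before the `if` and splitting `} else {` so that `#endif /* INCLUDE_TEST_CODE */` sits between `else` and `{` would keep the test-only signing path out of release object code while the key-id lookup stays under `INCLUDE_COSE_KEY_ID`. With `INCLUDE_COSE_KEY_ID` undefined the `else` body is empty and `attest_ret`, declared outside the hunk, may be left unused. The function starts and ends outside the hunk.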
+++ b/secure_fw/services/initial_attestation/attestation_core.c
@@ -861,7 +861,7 @@ static enum psa_attest_err_t attest_verify_challenge_size(size_t challenge_size)
 return PSA_ATTEST_ERR_INVALID_INPUT;
 }
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
 /*!
 * \brief Static function to get the option flags from challenge object
 *
@@ -912,7 +912,7 @@ static void attest_get_option_flags(struct q_useful_buf_c *challenge,
 *key_select = 0;
 }
 }
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
 /*!
 * \brief Static function to create the initial attestation token
@@ -942,7 +942,7 @@ attest_create_token(struct q_useful_buf_c *challenge,
 goto error;
 }
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
 attest_get_option_flags(challenge, &option_flags, &key_select);
 #endif
diff --git a/secure_fw/services/initial_attestation/attestation_key.c b/secure_fw/services/initial_attestation/attestation_key.c
index 7dedd0b8f8..ead20c8610 100644
--- a/secure_fw/services/initial_attestation/attestation_key.c
+++ b/secure_fw/services/initial_attestation/attestation_key.c
@@ -47,7 +47,7 @@ static uint8_t attestation_public_key[ECC_P256_PUBLIC_KEY_SIZE]; /* 65bytes */
 static size_t attestation_public_key_len = 0;
 static psa_ecc_curve_t attestation_key_curve;
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID
+#ifdef INCLUDE_COSE_KEY_ID
 static uint8_t attestation_key_id[PSA_HASH_SIZE(PSA_ALG_SHA_256)]; /* 32bytes */
 #endif
@@ -171,7 +171,7 @@ attest_get_initial_attestation_public_key(uint8_t **public_key,
 }
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID
+#ifdef INCLUDE_COSE_KEY_ID
 #define MAX_ENCODED_COSE_KEY_SIZE \
 1 + /* 1 byte to encode map */ \
@@ -392,4 +392,4 @@ attest_get_initial_attestation_key_id(struct q_useful_buf_c *attest_key_id)
 return PSA_ATTEST_ERR_SUCCESS;
 }
-#endif
+#endif /* INCLUDE_COSE_KEY_ID */
diff --git a/test/suites/attestation/CMakeLists.inc b/test/suites/attestation/CMakeLists.inc
index 38c0eb1df0..2eb344f3a7 100644
--- a/test/suites/attestation/CMakeLists.inc
+++ b/test/suites/attestation/CMakeLists.inc
@@ -24,8 +24,8 @@ if(NOT DEFINED TFM_ROOT_DIR)
 message(FATAL_ERROR "Please set TFM_ROOT_DIR before including this file.")
 endif()
-if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
- message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID is undefined. ")
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE is undefined. ")
 endif()
 if (NOT DEFINED ENABLE_ATTESTATION_SERVICE_TESTS)
@@ -47,9 +47,9 @@ elseif(ENABLE_ATTESTATION_SERVICE_TESTS)
 "${TFM_ROOT_DIR}/lib/ext/qcbor/util/qcbor_util.c"
 )
- if (ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
- set_property(SOURCE ${ATTEST_TEST_SRC_S} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
- set_property(SOURCE ${ATTEST_TEST_SRC_NS} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
+ if (ATTEST_INCLUDE_TEST_CODE)
+ set_property(SOURCE ${ATTEST_TEST_SRC_S} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE)
+ set_property(SOURCE ${ATTEST_TEST_SRC_NS} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE)
 endif()
 #Setting include directories
diff --git a/test/suites/attestation/attest_token_test.c b/test/suites/attestation/attest_token_test.c
index dd0db4ba13..847f3e184c 100644
--- a/test/suites/attestation/attest_token_test.c
+++ b/test/suites/attestation/attest_token_test.c
@@ -2,6 +2,7 @@
 * attest_token_test.c
 *
 * Copyright (c) 2018-2019, Laurence Lundblade.
+ * Copyright (c) 2020, Arm Limited.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 *
@@ -79,7 +80,7 @@ int token_main_alt(uint32_t option_flags,
 return return_value;
 }
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
 /**
 * This is the expected output for the minimal test. It is the result
 * of creating a token with \ref TOKEN_OPT_SHORT_CIRCUIT_SIGN and \ref
@@ -230,7 +231,7 @@ int_fast16_t buffer_too_small_test()
 return return_value;
 }
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
 /**
diff --git a/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c b/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
index 3d78532ccd..fae87ac374 100644
--- a/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
+++ b/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 *
@@ -18,7 +18,7 @@ static const uint8_t challenge_buffer[TEST_CHALLENGE_OBJ_SIZE] = {
 /* Define test suite for attestation service tests */
 /* List of tests */
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
 static void tfm_attest_test_2001(struct test_result_t *ret);
 static void tfm_attest_test_2002(struct test_result_t *ret);
 static void tfm_attest_test_2003(struct test_result_t *ret);
@@ -27,7 +27,7 @@ static void tfm_attest_test_2004(struct test_result_t *ret);
 static void tfm_attest_test_2005(struct test_result_t *ret);
 static struct test_t attestation_interface_tests[] = {
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
 {&tfm_attest_test_2001, "TFM_ATTEST_TEST_2001",
 "Minimal token test of attest token", {0} },
 {&tfm_attest_test_2002, "TFM_ATTEST_TEST_2002",
@@ -54,7 +54,7 @@ register_testsuite_ns_attestation_interface(struct test_suite_t *p_test_suite)
 attestation_interface_tests, list_size, p_test_suite);
 }
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
 /*!
 * \brief Get minimal token, only include a hard coded challenge, but omit the
 * rest of the claims
@@ -115,7 +115,7 @@ static void tfm_attest_test_2003(struct test_result_t *ret)
 ret->val = TEST_PASSED;
 }
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
 /*!
 * \brief Get an IAT with proper ECDSA signature. Parse the token, validate
diff --git a/test/suites/attestation/secure/attestation_s_interface_testsuite.c b/test/suites/attestation/secure/attestation_s_interface_testsuite.c
index 2bd171cc27..9c911a3a68 100644
--- a/test/suites/attestation/secure/attestation_s_interface_testsuite.c
+++ b/test/suites/attestation/secure/attestation_s_interface_testsuite.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 *
@@ -18,7 +18,7 @@ static const uint8_t challenge_buffer[TEST_CHALLENGE_OBJ_SIZE] = {
 /* Define test suite for attestation service tests */
 /* List of tests */
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
 static void tfm_attest_test_1001(struct test_result_t *ret);
 static void tfm_attest_test_1002(struct test_result_t *ret);
 static void tfm_attest_test_1003(struct test_result_t *ret);
@@ -27,7 +27,7 @@ static void tfm_attest_test_1004(struct test_result_t *ret);
 static void tfm_attest_test_1005(struct test_result_t *ret);
 static struct test_t attestation_interface_tests[] = {
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
 {&tfm_attest_test_1001, "TFM_ATTEST_TEST_1001",
 "Minimal token test of attest token", {0} },
 {&tfm_attest_test_1002, "TFM_ATTEST_TEST_1002",
@@ -54,7 +54,7 @@ register_testsuite_s_attestation_interface(struct test_suite_t *p_test_suite)
 attestation_interface_tests, list_size, p_test_suite);
 }
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
 /*!
 * \brief Get minimal token, only include a hard coded challenge, but omit the
 * rest of the claims
@@ -115,7 +115,7 @@ static void tfm_attest_test_1003(struct test_result_t *ret)
 ret->val = TEST_PASSED;
 }
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
 /*!
 * \brief Get an IAT with proper ECDSA signature. Parse the token, validate |