authorTamas Ban <tamas.ban@arm.com>2020-01-15 13:29:25 +0000
committerTamas Ban <tamas.ban@arm.com>2020-01-23 13:33:03 +0000
commitabea89dd47fcc8a964559628b80607f9fa44a97c (patch)
tree50c9d23f0f50e21b5558131d7d651621740e1812
parente66b2316c9ae4eeed24943f4c050acb5d0a95a7f (diff)
downloadtrusted-firmware-m-abea89dd47fcc8a964559628b80607f9fa44a97c.tar.gz
Attest: Refine compile time build options
To make the attestation config options more granular, make the inclusion of the test code and of the COSE key-id depend on separate compile-time options. Change-Id: I351ce445f7beacf3378bbec4f740923bcd352f90 Signed-off-by: Tamas Ban <tamas.ban@arm.com>
-rw-r--r--CommonConfig.cmake18
-rw-r--r--docs/user_guides/services/tfm_attestation_integration_guide.rst13
-rw-r--r--lib/ext/t_cose/CMakeLists.txt6
-rw-r--r--secure_fw/services/initial_attestation/CMakeLists.inc25
-rw-r--r--secure_fw/services/initial_attestation/attest_token.c6
-rw-r--r--secure_fw/services/initial_attestation/attestation_core.c6
-rw-r--r--secure_fw/services/initial_attestation/attestation_key.c6
-rw-r--r--test/suites/attestation/CMakeLists.inc10
-rw-r--r--test/suites/attestation/attest_token_test.c5
-rw-r--r--test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c10
-rw-r--r--test/suites/attestation/secure/attestation_s_interface_testsuite.c10
11 files changed, 69 insertions, 46 deletions
diff --git a/CommonConfig.cmake b/CommonConfig.cmake
index 9d5f17555d..fc4dd2d9df 100644
--- a/CommonConfig.cmake
+++ b/CommonConfig.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+# Copyright (c) 2018-2020, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -12,7 +12,7 @@ elseif(NOT DEFINED CORE_TEST)
elseif(NOT DEFINED TFM_LVL)
message(FATAL_ERROR "ERROR: Incomplete Configuration: TFM_LVL not defined, Include this file from a Config*.cmake")
elseif(NOT DEFINED CORE_IPC)
- message(FATAL_ERROR "ERROR: Incomplete Configuration: CORE_IPC not deinfed. Include this file from a Config*.cmake")
+ message(FATAL_ERROR "ERROR: Incomplete Configuration: CORE_IPC not defined. Include this file from a Config*.cmake")
endif()
if(NOT DEFINED COMPILER)
@@ -409,10 +409,16 @@ if (NOT DEFINED ATTEST_INCLUDE_OPTIONAL_CLAIMS)
set(ATTEST_INCLUDE_OPTIONAL_CLAIMS ON)
endif()
-if (CMAKE_BUILD_TYPE STREQUAL "debug")
- set(ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID ON)
-else()
- set(ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID OFF)
+if (NOT DEFINED ATTEST_INCLUDE_COSE_KEY_ID)
+ set(ATTEST_INCLUDE_COSE_KEY_ID OFF)
+endif()
+
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+ if (CMAKE_BUILD_TYPE STREQUAL "debug")
+ set(ATTEST_INCLUDE_TEST_CODE ON)
+ else()
+ set(ATTEST_INCLUDE_TEST_CODE OFF)
+ endif()
endif()
set(ATTEST_BOOT_INTERFACE "CBOR_ENCODED_CLAIMS" CACHE STRING "Set the format in which to pass the claims to the initial-attestation service.")
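Review bot: With the new `if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)` guard, a value given on the command line or left in the CMake cache now takes precedence over the build type, so a release image can be configured with test code enabled and no diagnostic is printed. lib/ext/t_cose/CMakeLists.txt appends `T_COSE_DISABLE_SHORT_CIRCUIT_SIGN` only when the option is OFF, so in that case short-circuit signing stays compiled into the release image. Consider a warning after this block, e.g. `if (ATTEST_INCLUDE_TEST_CODE AND NOT CMAKE_BUILD_TYPE STREQUAL "debug")` / `message(WARNING "ATTEST_INCLUDE_TEST_CODE is ON in a non-debug build")` / `endif()`. The comparison against lowercase "debug" is case-sensitive while the integration guide spells the build type `Debug`; presumably the value is normalised elsewhere, which is worth confirming.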
diff --git a/docs/user_guides/services/tfm_attestation_integration_guide.rst b/docs/user_guides/services/tfm_attestation_integration_guide.rst
index ffbec4cd77..eb5601f0bb 100644
--- a/docs/user_guides/services/tfm_attestation_integration_guide.rst
+++ b/docs/user_guides/services/tfm_attestation_integration_guide.rst
@@ -437,10 +437,13 @@ those flags. The list of flags are:
- ``ATTEST_INCLUDE_OPTIONAL_CLAIMS``: Include also the optional claims to the
attestation token. Default value: True.
-- ``ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID``: Test code and COSE key-id from
- unprotected token header is removed if it is False. Its value depends on the
- build type. It is True if build type is ``Debug``, otherwise False (different
- kind of ``Release`` builds).
+- ``ATTEST_INCLUDE_TEST_CODE``: Test code is removed from COSE library and from
+ attestation test suite if it is False. Its default value depends on the build
+ type. It is True if build type is ``Debug``, otherwise False (different kinds
+ of ``Release`` builds).
+- ``ATTEST_INCLUDE_COSE_KEY_ID``: COSE key-id is an optional field in the COSE
+ unprotected header. Key-id is calculated and added to the COSE header based
+ on the value of this flag. Default value: False.
************
Verification
@@ -495,4 +498,4 @@ that user has license for DS-5 and FVP models:
--------------
-*Copyright (c) 2018-2019, Arm Limited. All rights reserved.*
+*Copyright (c) 2018-2020, Arm Limited. All rights reserved.*
diff --git a/lib/ext/t_cose/CMakeLists.txt b/lib/ext/t_cose/CMakeLists.txt
index 7ff82e5e08..540da91bf6 100644
--- a/lib/ext/t_cose/CMakeLists.txt
+++ b/lib/ext/t_cose/CMakeLists.txt
@@ -22,8 +22,8 @@ embedded_project_start(CONFIG "${TFM_ROOT_DIR}/configs/ConfigDefault.cmake")
project(tfm_t_cose LANGUAGES C)
embedded_project_fixup()
-if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
- message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID is undefined. ")
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE is undefined. ")
endif()
#Append all our source files to global lists.
@@ -71,7 +71,7 @@ list(APPEND T_COSE_COMPILE_TIME_CONFIG
"T_COSE_DISABLE_SIGN_VERIFY_TESTS"
)
-if (NOT ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
+if (NOT ATTEST_INCLUDE_TEST_CODE)
list(APPEND T_COSE_COMPILE_TIME_CONFIG "T_COSE_DISABLE_SHORT_CIRCUIT_SIGN")
endif()
diff --git a/secure_fw/services/initial_attestation/CMakeLists.inc b/secure_fw/services/initial_attestation/CMakeLists.inc
index 8abfae2286..bbc6b83a79 100644
--- a/secure_fw/services/initial_attestation/CMakeLists.inc
+++ b/secure_fw/services/initial_attestation/CMakeLists.inc
@@ -24,8 +24,16 @@ if (NOT DEFINED ATTEST_INCLUDE_OPTIONAL_CLAIMS)
message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_OPTIONAL_CLAIMS is undefined.")
endif()
-if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
- message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID is undefined.")
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE is undefined.")
+endif()
+
+if (NOT DEFINED ATTEST_INCLUDE_COSE_KEY_ID)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_COSE_KEY_ID is undefined.")
+endif()
+
+if (NOT DEFINED ATTEST_BOOT_INTERFACE)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_BOOT_INTERFACE is undefined.")
endif()
list(APPEND ATTEST_C_SRC
@@ -41,8 +49,12 @@ if (ATTEST_INCLUDE_OPTIONAL_CLAIMS)
set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_OPTIONAL_CLAIMS)
endif()
-if (ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
- set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
+if (ATTEST_INCLUDE_TEST_CODE)
+ set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE)
+endif()
+
+if (ATTEST_INCLUDE_COSE_KEY_ID)
+ set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_COSE_KEY_ID)
endif()
if (ATTEST_BOOT_INTERFACE STREQUAL "INDIVIDUAL_CLAIMS")
@@ -52,8 +64,9 @@ endif()
#Inform the user about attestation service features selected based on the cmake flags
message("The Initial Attestation service compile configuration is as follows:")
message("- ATTEST_INCLUDE_OPTIONAL_CLAIMS: ${ATTEST_INCLUDE_OPTIONAL_CLAIMS}")
-message("- ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID: ${ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID}")
-message("- ATTEST_BOOT_INTERFACE: ${ATTEST_BOOT_INTERFACE}")
+message("- ATTEST_INCLUDE_TEST_CODE: ${ATTEST_INCLUDE_TEST_CODE}")
+message("- ATTEST_INCLUDE_COSE_KEY_ID: ${ATTEST_INCLUDE_COSE_KEY_ID}")
+message("- ATTEST_BOOT_INTERFACE: ${ATTEST_BOOT_INTERFACE}")
#Setting include directories
embedded_include_directories(PATH ${TFM_ROOT_DIR} ABSOLUTE)
diff --git a/secure_fw/services/initial_attestation/attest_token.c b/secure_fw/services/initial_attestation/attest_token.c
index 4e582ae1fe..c6a4ecde37 100644
--- a/secure_fw/services/initial_attestation/attest_token.c
+++ b/secure_fw/services/initial_attestation/attest_token.c
@@ -99,21 +99,21 @@ enum attest_token_err_t attest_token_start(struct attest_token_ctx *me,
psa_key_handle_t private_key;
struct q_useful_buf_c attest_key_id = NULL_Q_USEFUL_BUF_C;
-
/* Remember some of the configuration values */
me->opt_flags = opt_flags;
me->key_select = key_select;
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID
+
if (opt_flags & TOKEN_OPT_SHORT_CIRCUIT_SIGN) {
t_cose_options |= T_COSE_OPT_SHORT_CIRCUIT_SIG;
} else {
+#ifdef INCLUDE_COSE_KEY_ID
attest_ret = attest_get_initial_attestation_key_id(&attest_key_id);
if (attest_ret != PSA_ATTEST_ERR_SUCCESS) {
return ATTEST_TOKEN_ERR_GENERAL;
}
+#endif /* INCLUDE_COSE_KEY_ID */
}
-#endif
t_cose_sign1_sign_init(&(me->signer_ctx), t_cose_options, cose_alg_id);
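Review bot: The `TOKEN_OPT_SHORT_CIRCUIT_SIGN` branch is now compiled unconditionally, because the old `#ifdef INCLUDE_TEST_CODE_AND_KEY_ID` around the whole `if`/`else` was replaced by a guard on the key-id lookup only. In a build without `INCLUDE_TEST_CODE`, the only protections visible in this commit are that `attest_get_option_flags()` is not called in attestation_core.c and that t_cose is built with `T_COSE_DISABLE_SHORT_CIRCUIT_SIGN`; this function itself still requests `T_COSE_OPT_SHORT_CIRCUIT_SIG` if a caller passes the flag. Rejecting the flag here would keep the check local, e.g. `#ifndef INCLUDE_TEST_CODE` / `if (opt_flags & TOKEN_OPT_SHORT_CIRCUIT_SIGN) { return ATTEST_TOKEN_ERR_GENERAL; }` / `#endif` ahead of the `if`. With `INCLUDE_COSE_KEY_ID` undefined the `else` body is empty and `attest_ret` may end up unused, depending on code outside the hunk; attest_token_start begins and ends outside this hunk.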
diff --git a/secure_fw/services/initial_attestation/attestation_core.c b/secure_fw/services/initial_attestation/attestation_core.c
index 052107c02e..a37e5f4279 100644
--- a/secure_fw/services/initial_attestation/attestation_core.c
+++ b/secure_fw/services/initial_attestation/attestation_core.c
@@ -861,7 +861,7 @@ static enum psa_attest_err_t attest_verify_challenge_size(size_t challenge_size)
return PSA_ATTEST_ERR_INVALID_INPUT;
}
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
/*!
* \brief Static function to get the option flags from challenge object
*
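Review bot: The comment `/* Remove them from release build */` on the renamed guard no longer matches the configuration, because after this commit `ATTEST_INCLUDE_TEST_CODE` only takes its default from the build type and can be set explicitly. Suggest `#ifdef INCLUDE_TEST_CODE /* Test-only code, built when ATTEST_INCLUDE_TEST_CODE is ON */`. The same comment is carried over in the attest_create_token hunk of this file, in attest_token_test.c and in both interface test suites; the `#endif` in the attest_create_token hunk also lacks the `/* INCLUDE_TEST_CODE */` trailer that the other guards have. The guarded function starts below this hunk.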
@@ -912,7 +912,7 @@ static void attest_get_option_flags(struct q_useful_buf_c *challenge,
*key_select = 0;
}
}
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
/*!
* \brief Static function to create the initial attestation token
@@ -942,7 +942,7 @@ attest_create_token(struct q_useful_buf_c *challenge,
goto error;
}
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
attest_get_option_flags(challenge, &option_flags, &key_select);
#endif
diff --git a/secure_fw/services/initial_attestation/attestation_key.c b/secure_fw/services/initial_attestation/attestation_key.c
index 7dedd0b8f8..ead20c8610 100644
--- a/secure_fw/services/initial_attestation/attestation_key.c
+++ b/secure_fw/services/initial_attestation/attestation_key.c
@@ -47,7 +47,7 @@ static uint8_t attestation_public_key[ECC_P256_PUBLIC_KEY_SIZE]; /* 65bytes */
static size_t attestation_public_key_len = 0;
static psa_ecc_curve_t attestation_key_curve;
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID
+#ifdef INCLUDE_COSE_KEY_ID
static uint8_t attestation_key_id[PSA_HASH_SIZE(PSA_ALG_SHA_256)]; /* 32bytes */
#endif
@@ -171,7 +171,7 @@ attest_get_initial_attestation_public_key(uint8_t **public_key,
}
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID
+#ifdef INCLUDE_COSE_KEY_ID
#define MAX_ENCODED_COSE_KEY_SIZE \
1 + /* 1 byte to encode map */ \
@@ -392,4 +392,4 @@ attest_get_initial_attestation_key_id(struct q_useful_buf_c *attest_key_id)
return PSA_ATTEST_ERR_SUCCESS;
}
-#endif
+#endif /* INCLUDE_COSE_KEY_ID */
diff --git a/test/suites/attestation/CMakeLists.inc b/test/suites/attestation/CMakeLists.inc
index 38c0eb1df0..2eb344f3a7 100644
--- a/test/suites/attestation/CMakeLists.inc
+++ b/test/suites/attestation/CMakeLists.inc
@@ -24,8 +24,8 @@ if(NOT DEFINED TFM_ROOT_DIR)
message(FATAL_ERROR "Please set TFM_ROOT_DIR before including this file.")
endif()
-if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
- message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID is undefined. ")
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE is undefined. ")
endif()
if (NOT DEFINED ENABLE_ATTESTATION_SERVICE_TESTS)
@@ -47,9 +47,9 @@ elseif(ENABLE_ATTESTATION_SERVICE_TESTS)
"${TFM_ROOT_DIR}/lib/ext/qcbor/util/qcbor_util.c"
)
- if (ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
- set_property(SOURCE ${ATTEST_TEST_SRC_S} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
- set_property(SOURCE ${ATTEST_TEST_SRC_NS} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
+ if (ATTEST_INCLUDE_TEST_CODE)
+ set_property(SOURCE ${ATTEST_TEST_SRC_S} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE)
+ set_property(SOURCE ${ATTEST_TEST_SRC_NS} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE)
endif()
#Setting include directories
diff --git a/test/suites/attestation/attest_token_test.c b/test/suites/attestation/attest_token_test.c
index dd0db4ba13..847f3e184c 100644
--- a/test/suites/attestation/attest_token_test.c
+++ b/test/suites/attestation/attest_token_test.c
@@ -2,6 +2,7 @@
* attest_token_test.c
*
* Copyright (c) 2018-2019, Laurence Lundblade.
+ * Copyright (c) 2020, Arm Limited.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -79,7 +80,7 @@ int token_main_alt(uint32_t option_flags,
return return_value;
}
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
/**
* This is the expected output for the minimal test. It is the result
* of creating a token with \ref TOKEN_OPT_SHORT_CIRCUIT_SIGN and \ref
@@ -230,7 +231,7 @@ int_fast16_t buffer_too_small_test()
return return_value;
}
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
/**
diff --git a/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c b/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
index 3d78532ccd..fae87ac374 100644
--- a/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
+++ b/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -18,7 +18,7 @@ static const uint8_t challenge_buffer[TEST_CHALLENGE_OBJ_SIZE] = {
/* Define test suite for attestation service tests */
/* List of tests */
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
static void tfm_attest_test_2001(struct test_result_t *ret);
static void tfm_attest_test_2002(struct test_result_t *ret);
static void tfm_attest_test_2003(struct test_result_t *ret);
@@ -27,7 +27,7 @@ static void tfm_attest_test_2004(struct test_result_t *ret);
static void tfm_attest_test_2005(struct test_result_t *ret);
static struct test_t attestation_interface_tests[] = {
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
{&tfm_attest_test_2001, "TFM_ATTEST_TEST_2001",
"Minimal token test of attest token", {0} },
{&tfm_attest_test_2002, "TFM_ATTEST_TEST_2002",
@@ -54,7 +54,7 @@ register_testsuite_ns_attestation_interface(struct test_suite_t *p_test_suite)
attestation_interface_tests, list_size, p_test_suite);
}
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
/*!
* \brief Get minimal token, only include a hard coded challenge, but omit the
* rest of the claims
@@ -115,7 +115,7 @@ static void tfm_attest_test_2003(struct test_result_t *ret)
ret->val = TEST_PASSED;
}
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
/*!
* \brief Get an IAT with proper ECDSA signature. Parse the token, validate
diff --git a/test/suites/attestation/secure/attestation_s_interface_testsuite.c b/test/suites/attestation/secure/attestation_s_interface_testsuite.c
index 2bd171cc27..9c911a3a68 100644
--- a/test/suites/attestation/secure/attestation_s_interface_testsuite.c
+++ b/test/suites/attestation/secure/attestation_s_interface_testsuite.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -18,7 +18,7 @@ static const uint8_t challenge_buffer[TEST_CHALLENGE_OBJ_SIZE] = {
/* Define test suite for attestation service tests */
/* List of tests */
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
static void tfm_attest_test_1001(struct test_result_t *ret);
static void tfm_attest_test_1002(struct test_result_t *ret);
static void tfm_attest_test_1003(struct test_result_t *ret);
@@ -27,7 +27,7 @@ static void tfm_attest_test_1004(struct test_result_t *ret);
static void tfm_attest_test_1005(struct test_result_t *ret);
static struct test_t attestation_interface_tests[] = {
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
{&tfm_attest_test_1001, "TFM_ATTEST_TEST_1001",
"Minimal token test of attest token", {0} },
{&tfm_attest_test_1002, "TFM_ATTEST_TEST_1002",
@@ -54,7 +54,7 @@ register_testsuite_s_attestation_interface(struct test_suite_t *p_test_suite)
attestation_interface_tests, list_size, p_test_suite);
}
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
/*!
* \brief Get minimal token, only include a hard coded challenge, but omit the
* rest of the claims
@@ -115,7 +115,7 @@ static void tfm_attest_test_1003(struct test_result_t *ret)
ret->val = TEST_PASSED;
}
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
/*!
* \brief Get an IAT with proper ECDSA signature. Parse the token, validate