authorBalint Matyi <Balint.Matyi@arm.com>2020-06-08 13:14:07 +0100
committerDavid Hu <david.hu@arm.com>2020-06-22 02:46:24 +0000
commit9fc0b5de33c1b16836d45de029792d12d1edc88d (patch)
tree029ca14cc0b5ea0ad3b0517ff3d5a99caefc0eac
parentff3bb58e93656f83f031377ad4dbe8060617dd64 (diff)
downloadtrusted-firmware-m-9fc0b5de33c1b16836d45de029792d12d1edc88d.tar.gz
Attest: Calculate Instance ID only once
The Instance ID is computed every time the get_token API is called. Change this so that it is computed only on the first get_token call and stored in a static buffer; subsequent calls read it from the static buffer and include it in the token. Signed-off-by: Balint Matyi <Balint.Matyi@arm.com> Change-Id: I2f9ccb70aba5cf401fcd7c5c7fa7a9d358283631
-rw-r--r--secure_fw/partitions/initial_attestation/attestation_core.c67
-rw-r--r--secure_fw/partitions/initial_attestation/attestation_key.c70
2 files changed, 70 insertions, 67 deletions
diff --git a/secure_fw/partitions/initial_attestation/attestation_core.c b/secure_fw/partitions/initial_attestation/attestation_core.c
index 9cf32325d..f5059b9dd 100644
--- a/secure_fw/partitions/initial_attestation/attestation_core.c
+++ b/secure_fw/partitions/initial_attestation/attestation_core.c
@@ -379,7 +379,6 @@ attest_add_boot_seed_claim(struct attest_token_ctx *token_ctx)
return PSA_ATTEST_ERR_SUCCESS;
}
-#ifdef SYMMETRIC_INITIAL_ATTESTATION
/*!
* \brief Static function to add instance id claim to attestation token.
*
@@ -408,72 +407,6 @@ attest_add_instance_id_claim(struct attest_token_ctx *token_ctx)
return PSA_ATTEST_ERR_SUCCESS;
}
-#else /* SYMMETRIC_INITIAL_ATTESTATION */
-/*!
- * \brief Static function to add instance id claim to attestation token.
- *
- * \param[in] token_ctx Token encoding context
- *
- * \note This mandatory claim represents the unique identifier of the instance.
- * In the PSA definition it is a hash of the public attestation key of the
- * instance. The claim will be represented by the EAT standard claim UEID
- * of type GUID. The EAT definition of a GUID type is that it will be
- * between 128 & 256 bits but this implementation will use the full 256
- * bits to accommodate a hash result.
- *
- * \return Returns error code as specified in \ref psa_attest_err_t
- */
-static enum psa_attest_err_t
-attest_add_instance_id_claim(struct attest_token_ctx *token_ctx)
-{
- psa_status_t crypto_res;
- enum psa_attest_err_t attest_res;
- uint8_t instance_id[INSTANCE_ID_MAX_SIZE];
- size_t instance_id_len;
- struct q_useful_buf_c claim_value;
- uint8_t *public_key;
- size_t key_len;
- psa_ecc_curve_t psa_curve;
- psa_hash_operation_t hash = psa_hash_operation_init();
-
- attest_res = attest_get_initial_attestation_public_key(&public_key,
- &key_len,
- &psa_curve);
- if (attest_res != PSA_ATTEST_ERR_SUCCESS) {
- return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
- }
-
- crypto_res = psa_hash_setup(&hash, PSA_ALG_SHA_256);
- if (crypto_res != PSA_SUCCESS) {
- return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
- }
-
- crypto_res = psa_hash_update(&hash, public_key, key_len);
- if (crypto_res != PSA_SUCCESS) {
- return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
- }
-
- /* The hash starts from the second byte, leaving the first free. */
- crypto_res = psa_hash_finish(&hash, instance_id + 1,
- INSTANCE_ID_MAX_SIZE - 1,
- &instance_id_len);
- if (crypto_res != PSA_SUCCESS) {
- return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
- }
-
- /* First byte indicates the type: 0x01 indicates GUID */
- instance_id[0] = 0x01;
- instance_id_len += 1;
-
- claim_value.ptr = instance_id;
- claim_value.len = instance_id_len;
- attest_token_add_bstr(token_ctx,
- EAT_CBOR_ARM_LABEL_UEID,
- &claim_value);
-
- return PSA_ATTEST_ERR_SUCCESS;
-}
-#endif /* SYMMETRIC_INITIAL_ATTESTATION */
/*!
* \brief Static function to add implementation id claim to attestation token.
diff --git a/secure_fw/partitions/initial_attestation/attestation_key.c b/secure_fw/partitions/initial_attestation/attestation_key.c
index f0e7e99dd..c60776dca 100644
--- a/secure_fw/partitions/initial_attestation/attestation_key.c
+++ b/secure_fw/partitions/initial_attestation/attestation_key.c
@@ -12,9 +12,11 @@
#include <stddef.h>
#include "tfm_plat_defs.h"
#include "tfm_plat_crypto_keys.h"
+#include "tfm_plat_device_id.h"
#include "t_cose_standard_constants.h"
#include "q_useful_buf.h"
#include "qcbor.h"
+#include "tfm_memory_utils.h"
#define ECC_P256_PUBLIC_KEY_SIZE PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(256)
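Review bot: The new `#include "tfm_memory_utils.h"` does not appear to be used by anything this commit adds to the file; none of the added functions call a `tfm_mem*` helper. If nothing outside the visible hunks needs it, I would drop the include so the file's dependencies stay limited to what the attestation key code actually uses.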
@@ -51,6 +53,10 @@ static psa_ecc_curve_t attestation_key_curve;
static uint8_t attestation_key_id[PSA_HASH_SIZE(PSA_ALG_SHA_256)]; /* 32bytes */
#endif
+/* Instance ID for asymmetric IAK */
+static uint8_t instance_id_buf[INSTANCE_ID_MAX_SIZE];
+static size_t instance_id_len = 0U;
+
enum psa_attest_err_t
attest_register_initial_attestation_key()
{
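Review bot: The two new statics carry an invariant that the one-line comment does not state: `instance_id_len == 0U` is the "not yet computed" marker, and the buffer holds the UEID type byte followed by the SHA-256 of the public key. I would say so at the declaration, e.g. `/* Cached instance ID: UEID type byte + SHA-256 of the public IAK; instance_id_len == 0 means not computed yet */`. Nothing visible in this diff resets the length when the attestation key is unregistered or re-registered, so if the key could ever differ between registrations the cached ID would go stale; it is worth confirming that cannot happen, or clearing `instance_id_len` on unregister.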
@@ -157,6 +163,70 @@ attest_get_initial_attestation_public_key(uint8_t **public_key,
return PSA_ATTEST_ERR_SUCCESS;
}
+/*!
+ * \brief Static function to calculate instance id.
+ *
+ * \return Returns error code as specified in \ref psa_attest_err_t
+ */
+static enum psa_attest_err_t attest_calc_instance_id(void)
+{
+ psa_status_t crypto_res;
+ enum psa_attest_err_t attest_res;
+ uint8_t *public_key;
+ size_t key_len;
+ psa_ecc_curve_t psa_curve;
+ psa_hash_operation_t hash = psa_hash_operation_init();
+
+ attest_res = attest_get_initial_attestation_public_key(&public_key,
+ &key_len,
+ &psa_curve);
+ if (attest_res != PSA_ATTEST_ERR_SUCCESS) {
+ return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
+ }
+
+ crypto_res = psa_hash_setup(&hash, PSA_ALG_SHA_256);
+ if (crypto_res != PSA_SUCCESS) {
+ return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
+ }
+
+ crypto_res = psa_hash_update(&hash, public_key, key_len);
+ if (crypto_res != PSA_SUCCESS) {
+ return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
+ }
+
+ /* The hash starts from the second byte, leaving the first free. */
+ crypto_res = psa_hash_finish(&hash, instance_id_buf + 1,
+ INSTANCE_ID_MAX_SIZE - 1,
+ &instance_id_len);
+ if (crypto_res != PSA_SUCCESS) {
+ return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
+ }
+
+ /* Add UEID type byte 0x01 */
+ instance_id_buf[0] = 0x01;
+ instance_id_len = instance_id_len + 1;
+
+ return PSA_ATTEST_ERR_SUCCESS;
+}
+
+enum psa_attest_err_t
+attest_get_instance_id(struct q_useful_buf_c *id_buf)
+{
+ if (instance_id_len == 0U) {
+ if (attest_calc_instance_id() != PSA_ATTEST_ERR_SUCCESS) {
+ return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
+ }
+ }
+
+ if (id_buf == NULL) {
+ return PSA_ATTEST_ERR_GENERAL;
+ }
+
+ id_buf->ptr = instance_id_buf;
+ id_buf->len = instance_id_len;
+
+ return PSA_ATTEST_ERR_SUCCESS;
+}
#ifdef INCLUDE_COSE_KEY_ID
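Review bot: In `attest_calc_instance_id`, `psa_hash_finish` writes straight into the static `instance_id_len`, which `attest_get_instance_id` also uses as the "already computed" flag, so the cache marker is set before success is known and before the type byte is in place. If a failing `psa_hash_finish` ever leaves a non-zero length there (not verifiable from this hunk), later calls would hand out an incomplete ID for the UEID claim; hashing into a local length and assigning `instance_id_len` only on the success path removes that dependency. The early returns after `psa_hash_setup` also leave the hash operation without a `psa_hash_abort(&hash)`, as the removed function in attestation_core.c did. Separately, the `id_buf == NULL` check in `attest_get_instance_id` would read better as the first statement, before any computation is attempted.

```c
    size_t hash_len = 0U;
    /* … unchanged: public key lookup, psa_hash_setup … */

    crypto_res = psa_hash_update(&hash, public_key, key_len);
    if (crypto_res != PSA_SUCCESS) {
        (void)psa_hash_abort(&hash);
        return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
    }

    crypto_res = psa_hash_finish(&hash, instance_id_buf + 1,
                                 INSTANCE_ID_MAX_SIZE - 1,
                                 &hash_len);
    if (crypto_res != PSA_SUCCESS) {
        (void)psa_hash_abort(&hash);
        return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
    }

    /* Publish the length last so that a non-zero instance_id_len
     * always means a complete ID is in the buffer. */
    instance_id_buf[0] = 0x01;
    instance_id_len = hash_len + 1;
```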