path: root/docs
diff options
authorDavid Hu <david.hu@arm.com>2021-06-05 17:38:53 +0800
committerDavid Hu <david.hu@arm.com>2021-06-07 11:29:37 +0200
commiteaf9fc7995686cdf4d02801f79c65c91546a9de9 (patch)
tree7208762fbf23ca4a2c57b1b1283049b1813259b1 /docs
parentc8c616ef11bbe5960ada85a719b7a5b53e6aa42c (diff)
Attest: Support to retrieve Initial Attestation public key in runtime
Enable ATTEST_TEST_GET_PUBLIC_KEY flag in Musca-B1 and Musca-S1 with OTP enabled. Add Initial Attestation test service in manifest list. Change-Id: I8e982ee1a7c31548b4e7c74b937e17660cb0e89e Signed-off-by: David Hu <david.hu@arm.com>
Diffstat (limited to 'docs')
1 files changed, 22 insertions, 3 deletions
diff --git a/docs/integration_guide/services/tfm_attestation_integration_guide.rst b/docs/integration_guide/services/tfm_attestation_integration_guide.rst
index 311e97a2b..dfbcfe7d5 100644
--- a/docs/integration_guide/services/tfm_attestation_integration_guide.rst
+++ b/docs/integration_guide/services/tfm_attestation_integration_guide.rst
@@ -593,13 +593,15 @@ does not need to operate such a service.
+Regression test
The initial attestation token is verified by the attestation test suite in
``test/suites/attestation``. The test suite is responsible for verifying the
token signature and parsing the token to verify its encoding and the presence of
the mandatory claims. This test suite can be executed on the device. It is part
-of the regression test suite. When the user builds TF-M with any of the
-``ConfigRegression*.cmake`` configurations then this test is executed
-automatically. The test suite is configurable in the
+of the regression test suite. The test suite is configurable in the
``test/suites/attestation/attest_token_test_values.h`` header file. In this file
there are two attributes for each claim which are configurable (more details
in the header file):
@@ -608,6 +610,23 @@ in the header file):
- Expected value: Value check can be disabled or expected value can be provided
+For asymmetric initial attestation test, the **dummy** initial attestation
+public key is hard-coded in ``tfm_initial_attest_pub_key.c``, which is exported
+and built with initial attestation regresstion test when tests are enabled.
+Initial attestation regression test verifies the IAT generated by initial
+attestation service with the exported public key.
+Some develep boards are provisioned in runtime with a random initial attestation
+key pair, whose public key is unknown to regression test. Select test flag
+``ATTEST_TEST_GET_PUBLIC_KEY`` to enable a specific test secure partition to
+retrieve initial attestation public key for initial attestation test in runtime.
+``ATTEST_TEST_GET_PUBLIC_KEY`` shall be selected only when the initial
+attestation public key can only be retrieved in runtime.
+By default, ``ATTEST_TEST_GET_PUBLIC_KEY`` is ``OFF``.
There is another possibility to verify the attestation token. This addresses
the off-device testing when the token is already retrieved from the device and
verification is done on the requester side. There is a Python script for this