aboutsummaryrefslogtreecommitdiff
path: root/secure_fw/partitions
diff options
context:
space:
mode:
authorTamas Ban <tamas.ban@arm.com>2022-06-28 15:03:10 +0200
committerAnton Komlev <Anton.Komlev@arm.com>2022-07-27 23:10:24 +0200
commita7ef16b88c062994f5ee2a856b727c2557c53464 (patch)
tree54dd1491cf065447b210f34ccc0870cab6c243eb /secure_fw/partitions
parentfc318d7f644b52c1231cb51382c49ac981b6cbe4 (diff)
downloadtrusted-firmware-m-a7ef16b88c062994f5ee2a856b727c2557c53464.tar.gz
Attest: Introduce PSA 2.0.0 attestation profile
The attestation profile is evolving. The original implementation is based on this version: - https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-05.html - Profile name in the config: PSA_IOT_1 An updated version is available: - https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-09.html - Profile name in the config: PSA_2_0_0 This change (and some follow-up) addresses the differences between these and make the attestation profile configurable. Currently, both profile is supported. But in the long-term, the PSA_IOT_1 is planned to be deprecated and then later removed. Signed-off-by: Tamas Ban <tamas.ban@arm.com> Change-Id: Iebe584f22e05fa60a324e0a13126440cb6f936d5
Diffstat (limited to 'secure_fw/partitions')
-rw-r--r--secure_fw/partitions/initial_attestation/CMakeLists.txt6
-rw-r--r--secure_fw/partitions/initial_attestation/attest_core.c76
-rw-r--r--secure_fw/partitions/initial_attestation/attest_iat_defines.h34
3 files changed, 60 insertions, 56 deletions
diff --git a/secure_fw/partitions/initial_attestation/CMakeLists.txt b/secure_fw/partitions/initial_attestation/CMakeLists.txt
index d5a59eb0cc..eb1bce4720 100644
--- a/secure_fw/partitions/initial_attestation/CMakeLists.txt
+++ b/secure_fw/partitions/initial_attestation/CMakeLists.txt
@@ -74,6 +74,7 @@ target_compile_definitions(tfm_psa_rot_partition_attestation
$<$<BOOL:${ATTEST_INCLUDE_OPTIONAL_CLAIMS}>:INCLUDE_OPTIONAL_CLAIMS>
$<$<BOOL:${ATTEST_INCLUDE_COSE_KEY_ID}>:INCLUDE_COSE_KEY_ID>
$<$<NOT:$<BOOL:${PLATFORM_DEFAULT_ATTEST_HAL}>>:CLAIM_VALUE_CHECK>
+ ATTEST_TOKEN_PROFILE_${ATTEST_TOKEN_PROFILE}
)
########################### Attest defs ########################################
@@ -85,6 +86,11 @@ target_include_directories(tfm_attestation_defs
.
)
+target_compile_definitions(tfm_attestation_defs
+ INTERFACE
+ ATTEST_TOKEN_PROFILE_${ATTEST_TOKEN_PROFILE}
+)
+
############################ Secure API ########################################
target_sources(tfm_sprt
diff --git a/secure_fw/partitions/initial_attestation/attest_core.c b/secure_fw/partitions/initial_attestation/attest_core.c
index 4a74950c42..42587c5cd2 100644
--- a/secure_fw/partitions/initial_attestation/attest_core.c
+++ b/secure_fw/partitions/initial_attestation/attest_core.c
@@ -23,9 +23,7 @@
#define MAX_BOOT_STATUS 512
-/* Indicates how to encode SW components' measurements in the CBOR map */
-#define EAT_SW_COMPONENT_NESTED 1 /* Nested map */
-#define EAT_SW_COMPONENT_NOT_NESTED 0 /* Flat structure */
+#define ARRAY_LENGTH(array) (sizeof(array) / sizeof(*(array)))
/* The algorithm used in COSE */
#ifdef SYMMETRIC_INITIAL_ATTESTATION
@@ -713,6 +711,24 @@ static void attest_get_option_flags(struct q_useful_buf_c *challenge,
}
#endif /* INCLUDE_TEST_CODE */
+#if defined(ATTEST_TOKEN_PROFILE_PSA_IOT_1) || \
+ defined(ATTEST_TOKEN_PROFILE_PSA_2_0_0)
+ static enum psa_attest_err_t
+ (*claim_query_funcs[])(struct attest_token_encode_ctx *) = {
+ &attest_add_boot_seed_claim,
+ &attest_add_instance_id_claim,
+ &attest_add_implementation_id_claim,
+ &attest_add_caller_id_claim,
+ &attest_add_security_lifecycle_claim,
+ &attest_add_all_sw_components,
+#ifdef INCLUDE_OPTIONAL_CLAIMS
+ &attest_add_verification_service,
+ &attest_add_profile_definition,
+ &attest_add_cert_ref_claim
+#endif
+ };
+#endif
+
/*!
* \brief Static function to create the initial attestation token
*
@@ -735,6 +751,7 @@ attest_create_token(struct q_useful_buf_c *challenge,
struct attest_token_encode_ctx attest_token_ctx;
int32_t key_select = 0;
uint32_t option_flags = 0;
+ int i;
attest_err = attest_register_initial_attestation_key();
if (attest_err != PSA_ATTEST_ERR_SUCCESS) {
@@ -766,54 +783,13 @@ attest_create_token(struct q_useful_buf_c *challenge,
}
if (!(option_flags & TOKEN_OPT_OMIT_CLAIMS)) {
- /* Mandatory claims in IAT token */
- attest_err = attest_add_boot_seed_claim(&attest_token_ctx);
- if (attest_err != PSA_ATTEST_ERR_SUCCESS) {
- goto error;
- }
-
- attest_err = attest_add_instance_id_claim(&attest_token_ctx);
- if (attest_err != PSA_ATTEST_ERR_SUCCESS) {
- goto error;
- }
-
- attest_err = attest_add_implementation_id_claim(&attest_token_ctx);
- if (attest_err != PSA_ATTEST_ERR_SUCCESS) {
- goto error;
- }
-
- attest_err = attest_add_caller_id_claim(&attest_token_ctx);
- if (attest_err != PSA_ATTEST_ERR_SUCCESS) {
- goto error;
- }
-
- attest_err = attest_add_security_lifecycle_claim(&attest_token_ctx);
- if (attest_err != PSA_ATTEST_ERR_SUCCESS) {
- goto error;
- }
-
- attest_err = attest_add_all_sw_components(&attest_token_ctx);
- if (attest_err != PSA_ATTEST_ERR_SUCCESS) {
- goto error;
- }
-
-#ifdef INCLUDE_OPTIONAL_CLAIMS
- /* Optional claims in IAT token, remove them from release build */
- attest_err = attest_add_verification_service(&attest_token_ctx);
- if (attest_err != PSA_ATTEST_ERR_SUCCESS) {
- goto error;
- }
-
- attest_err = attest_add_profile_definition(&attest_token_ctx);
- if (attest_err != PSA_ATTEST_ERR_SUCCESS) {
- goto error;
- }
-
- attest_err = attest_add_cert_ref_claim(&attest_token_ctx);
- if (attest_err != PSA_ATTEST_ERR_SUCCESS) {
- goto error;
+ for (i = 0; i < ARRAY_LENGTH(claim_query_funcs); ++i) {
+ /* Calling the attest_add_XXX_claim functions */
+ attest_err = claim_query_funcs[i](&attest_token_ctx);
+ if (attest_err != PSA_ATTEST_ERR_SUCCESS) {
+ goto error;
+ }
}
-#endif /* INCLUDE_OPTIONAL_CLAIMS */
}
/* Finish up creating the token. This is where the actual signature
diff --git a/secure_fw/partitions/initial_attestation/attest_iat_defines.h b/secure_fw/partitions/initial_attestation/attest_iat_defines.h
index 45eb601974..57e286fbfa 100644
--- a/secure_fw/partitions/initial_attestation/attest_iat_defines.h
+++ b/secure_fw/partitions/initial_attestation/attest_iat_defines.h
@@ -12,6 +12,9 @@
extern "C" {
#endif
+#if defined(ATTEST_TOKEN_PROFILE_PSA_IOT_1)
+
+/* In case of the original PSA_IOT_PROFILE_1 */
#define IAT_ARM_RANGE_BASE (-75000)
#define IAT_PROFILE_DEFINITION (IAT_ARM_RANGE_BASE - 0)
#define IAT_CLIENT_ID (IAT_ARM_RANGE_BASE - 1)
@@ -25,6 +28,31 @@ extern "C" {
#define IAT_INSTANCE_ID (IAT_ARM_RANGE_BASE - 9)
#define IAT_VERIFICATION_SERVICE (IAT_ARM_RANGE_BASE - 10)
+/* Indicates that the boot status intentionally (i.e. the bootloader is not
+ * capable of producing it) does not contain any SW components' measurement.
+ * Required integer value for claim labeled IAT_NO_SW_COMPONENTS.
+ */
+#define NO_SW_COMPONENT_FIXED_VALUE 1
+
+#elif defined(ATTEST_TOKEN_PROFILE_PSA_2_0_0)
+
+/* In case of PSA_2_0_0 (updated PSA profile ) */
+#define IAT_NONCE 10 /* EAT nonce */
+#define IAT_INSTANCE_ID 256 /* EAT ueid */
+#define IAT_PROFILE_DEFINITION 265 /* EAT eat_profile */
+#define IAT_ARM_RANGE_BASE (2393)
+#define IAT_CLIENT_ID (IAT_ARM_RANGE_BASE + 1)
+#define IAT_SECURITY_LIFECYCLE (IAT_ARM_RANGE_BASE + 2)
+#define IAT_IMPLEMENTATION_ID (IAT_ARM_RANGE_BASE + 3)
+#define IAT_BOOT_SEED (IAT_ARM_RANGE_BASE + 4)
+#define IAT_CERTIFICATION_REFERENCE (IAT_ARM_RANGE_BASE + 5)
+#define IAT_SW_COMPONENTS (IAT_ARM_RANGE_BASE + 6)
+#define IAT_VERIFICATION_SERVICE (IAT_ARM_RANGE_BASE + 7)
+
+#else
+#error "Attestation token profile is incorrect"
+#endif
+
#define IAT_SW_COMPONENT_MEASUREMENT_TYPE (1)
#define IAT_SW_COMPONENT_MEASUREMENT_VALUE (2)
/* Reserved (3) */
@@ -32,12 +60,6 @@ extern "C" {
#define IAT_SW_COMPONENT_SIGNER_ID (5)
#define IAT_SW_COMPONENT_MEASUREMENT_DESC (6)
-/* Indicates that the boot status intentionally (i.e. boot loader does not
- * capable to produce it) does not contain any SW components' measurement.
- * Required integer value for claim labeled IAT_NO_SW_COMPONENTS.
- */
-#define NO_SW_COMPONENT_FIXED_VALUE 1
-
#ifdef __cplusplus
}
#endif