aboutsummaryrefslogtreecommitdiff
path: root/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c
diff options
context:
space:
mode:
Diffstat (limited to 'secure_fw/partitions/initial_attestation/attest_asymmetric_key.c')
-rw-r--r--secure_fw/partitions/initial_attestation/attest_asymmetric_key.c163
1 files changed, 36 insertions, 127 deletions
diff --git a/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c b/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c
index 54dc041fe2..8046a3d41d 100644
--- a/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c
+++ b/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2023, Arm Limited. All rights reserved.
* Copyright (c) 2018-2019, Laurence Lundblade.
*
* SPDX-License-Identifier: BSD-3-Clause
@@ -9,15 +9,16 @@
#include "attest_key.h"
#include <stdint.h>
#include <stddef.h>
+#include "config_tfm.h"
#include "tfm_plat_defs.h"
-#include "tfm_plat_crypto_keys.h"
#include "tfm_plat_device_id.h"
#include "t_cose_standard_constants.h"
#include "q_useful_buf.h"
-#include "qcbor.h"
-#include "tfm_memory_utils.h"
+#include "qcbor/qcbor.h"
+#include "tfm_crypto_defs.h"
-#define ECC_P256_PUBLIC_KEY_SIZE PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(256)
+#define ATTEST_ECC_PUBLIC_KEY_SIZE \
+ PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(ATTEST_KEY_BITS)
/**
* The size of X and Y coordinate in 2 parameter style EC public
@@ -29,136 +30,39 @@
*/
#define ECC_P256_COORD_SIZE PSA_BITS_TO_BYTES(256) /* 256 bits -> 32 bytes */
-/* 0 is defined as an invalid handle in the PSA spec, so it is used here to
- * indicate that the key isn't loaded.
- */
-#define ATTEST_KEY_HANDLE_NOT_LOADED 0
-
-/**
- * Global key handle for the attestation key. Used to prevent keys having to be
- * reloaded multiple times during a single token operation.
- */
-static psa_key_handle_t attestation_key_handle = ATTEST_KEY_HANDLE_NOT_LOADED;
-
-/**
- * The public key is kept loaded as it is both not required to be secret (and
- * hence can be kept in attestation memory) and immutable.
- */
-static uint8_t attestation_public_key[ECC_P256_PUBLIC_KEY_SIZE]; /* 65bytes */
+static uint8_t attestation_public_key[ATTEST_ECC_PUBLIC_KEY_SIZE];
static size_t attestation_public_key_len = 0;
static psa_ecc_family_t attestation_key_curve;
-#ifdef INCLUDE_COSE_KEY_ID
-static uint8_t attestation_key_id[PSA_HASH_SIZE(PSA_ALG_SHA_256)]; /* 32bytes */
+#if ATTEST_INCLUDE_COSE_KEY_ID
+/* 32bytes */
+static uint8_t attestation_key_id[PSA_HASH_LENGTH(PSA_ALG_SHA_256)];
#endif
/* Instance ID for asymmetric IAK */
static uint8_t instance_id_buf[INSTANCE_ID_MAX_SIZE];
static size_t instance_id_len = 0U;
-enum psa_attest_err_t
-attest_register_initial_attestation_key()
+static enum psa_attest_err_t attest_load_public_key(void)
{
- enum tfm_plat_err_t plat_res;
- psa_ecc_family_t psa_curve;
- struct ecc_key_t attest_key = {0};
- uint8_t key_buf[3 * ECC_P256_COORD_SIZE]; /* priv + x_coord + y_coord */
- psa_key_handle_t key_handle = ATTEST_KEY_HANDLE_NOT_LOADED;
psa_status_t crypto_res;
- psa_key_attributes_t key_attributes = psa_key_attributes_init();
-
- if (attestation_key_handle != ATTEST_KEY_HANDLE_NOT_LOADED) {
- return PSA_ATTEST_ERR_GENERAL;
- }
-
- /* Get the initial attestation key */
- plat_res = tfm_plat_get_initial_attest_key(key_buf, sizeof(key_buf),
- &attest_key, &psa_curve);
-
- /* Check the availability of the private key */
- if (plat_res != TFM_PLAT_ERR_SUCCESS || attest_key.priv_key == NULL) {
- return PSA_ATTEST_ERR_GENERAL;
- }
-
- /* Setup the key policy for private key */
- psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN);
- psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
- psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(psa_curve));
-
- /* Register private key to Crypto service */
- crypto_res = psa_import_key(&key_attributes,
- attest_key.priv_key,
- attest_key.priv_key_size,
- &key_handle);
-
+ psa_key_attributes_t attr;
+ psa_key_handle_t handle = TFM_BUILTIN_KEY_ID_IAK;
+ crypto_res = psa_get_key_attributes(handle, &attr);
if (crypto_res != PSA_SUCCESS) {
return PSA_ATTEST_ERR_GENERAL;
}
- attestation_key_handle = key_handle;
-
- /* If the public key length is 0 then it hasn't been loaded */
- if (attestation_public_key_len == 0) {
- crypto_res = psa_export_public_key(key_handle, attestation_public_key,
- ECC_P256_PUBLIC_KEY_SIZE,
- &attestation_public_key_len);
- if (crypto_res != PSA_SUCCESS) {
- return PSA_ATTEST_ERR_GENERAL;
- }
-
- attestation_key_curve = psa_curve;
- }
+ attestation_key_curve = PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(&attr));
- return PSA_ATTEST_ERR_SUCCESS;
-}
-
-enum psa_attest_err_t
-attest_unregister_initial_attestation_key()
-{
- psa_status_t crypto_res;
-
- if (attestation_key_handle == ATTEST_KEY_HANDLE_NOT_LOADED) {
- return PSA_ATTEST_ERR_GENERAL;
- }
-
- crypto_res = psa_destroy_key(attestation_key_handle);
+ crypto_res = psa_export_public_key(handle, attestation_public_key,
+ sizeof(attestation_public_key),
+ &attestation_public_key_len);
if (crypto_res != PSA_SUCCESS) {
return PSA_ATTEST_ERR_GENERAL;
}
- attestation_key_handle = ATTEST_KEY_HANDLE_NOT_LOADED;
-
- return PSA_ATTEST_ERR_SUCCESS;
-}
-
-enum psa_attest_err_t
-attest_get_signing_key_handle(psa_key_handle_t *handle)
-{
- if (attestation_key_handle == ATTEST_KEY_HANDLE_NOT_LOADED) {
- return PSA_ATTEST_ERR_GENERAL;
- }
-
- *handle = attestation_key_handle;
-
- return PSA_ATTEST_ERR_SUCCESS;
-}
-
-enum psa_attest_err_t
-attest_get_initial_attestation_public_key(uint8_t **public_key,
- size_t *public_key_len,
- psa_ecc_family_t *public_key_curve)
-{
-
- /* If the public key length is 0 then it hasn't been loaded */
- if (attestation_public_key_len == 0) {
- return PSA_ATTEST_ERR_GENERAL;
- }
-
- *public_key = attestation_public_key;
- *public_key_len = attestation_public_key_len;
- *public_key_curve = attestation_key_curve;
-
return PSA_ATTEST_ERR_SUCCESS;
}
@@ -171,16 +75,13 @@ static enum psa_attest_err_t attest_calc_instance_id(void)
{
psa_status_t crypto_res;
enum psa_attest_err_t attest_res;
- uint8_t *public_key;
- size_t key_len;
- psa_ecc_family_t psa_curve;
psa_hash_operation_t hash = psa_hash_operation_init();
- attest_res = attest_get_initial_attestation_public_key(&public_key,
- &key_len,
- &psa_curve);
- if (attest_res != PSA_ATTEST_ERR_SUCCESS) {
- return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
+ if (attestation_public_key_len == 0U) {
+ attest_res = attest_load_public_key();
+ if (attest_res != PSA_ATTEST_ERR_SUCCESS) {
+ return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
+ }
}
crypto_res = psa_hash_setup(&hash, PSA_ALG_SHA_256);
@@ -188,7 +89,8 @@ static enum psa_attest_err_t attest_calc_instance_id(void)
return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
}
- crypto_res = psa_hash_update(&hash, public_key, key_len);
+ crypto_res = psa_hash_update(&hash, attestation_public_key,
+ attestation_public_key_len);
if (crypto_res != PSA_SUCCESS) {
return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
}
@@ -227,7 +129,7 @@ attest_get_instance_id(struct q_useful_buf_c *id_buf)
return PSA_ATTEST_ERR_SUCCESS;
}
-#ifdef INCLUDE_COSE_KEY_ID
+#if ATTEST_INCLUDE_COSE_KEY_ID
#define MAX_ENCODED_COSE_KEY_SIZE \
1 + /* 1 byte to encode map */ \
@@ -252,7 +154,7 @@ attest_map_psa_ecc_curve_to_cose_ecc_curve(psa_ecc_family_t psa_curve)
/* Note: Mapping is not complete. */
switch (psa_curve) {
- case PSA_ECC_CURVE_SECP256R1:
+ case PSA_ECC_FAMILY_SECP_R1:
cose_curve = COSE_ELLIPTIC_CURVE_P_256;
break;
default:
@@ -426,7 +328,14 @@ attest_get_initial_attestation_key_id(struct q_useful_buf_c *attest_key_id)
struct q_useful_buf buffer_for_attest_key_id;
buffer_for_attest_key_id.ptr = attestation_key_id;
- buffer_for_attest_key_id.len = PSA_HASH_SIZE(PSA_ALG_SHA_256);
+ buffer_for_attest_key_id.len = PSA_HASH_LENGTH(PSA_ALG_SHA_256);
+
+ if (attestation_public_key_len == 0U) {
+ attest_res = attest_load_public_key();
+ if (attest_res != PSA_ATTEST_ERR_SUCCESS) {
+ return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
+ }
+ }
/* Needs to calculate only once */
if (attest_key_id_calculated == 0) {
@@ -448,4 +357,4 @@ attest_get_initial_attestation_key_id(struct q_useful_buf_c *attest_key_id)
return PSA_ATTEST_ERR_SUCCESS;
}
-#endif /* INCLUDE_COSE_KEY_ID */
+#endif /* ATTEST_INCLUDE_COSE_KEY_ID */