Diffstat (limited to 'secure_fw/partitions/initial_attestation/attest_asymmetric_key.c')
-rw-r--r-- | secure_fw/partitions/initial_attestation/attest_asymmetric_key.c | 163 |
1 files changed, 36 insertions, 127 deletions
diff --git a/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c b/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c
index 54dc041fe2..8046a3d41d 100644
--- a/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c
+++ b/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2023, Arm Limited. All rights reserved.
  * Copyright (c) 2018-2019, Laurence Lundblade.
  *
  * SPDX-License-Identifier: BSD-3-Clause
@@ -9,15 +9,16 @@
 #include "attest_key.h"
 #include <stdint.h>
 #include <stddef.h>
+#include "config_tfm.h"
 #include "tfm_plat_defs.h"
-#include "tfm_plat_crypto_keys.h"
 #include "tfm_plat_device_id.h"
 #include "t_cose_standard_constants.h"
 #include "q_useful_buf.h"
-#include "qcbor.h"
-#include "tfm_memory_utils.h"
+#include "qcbor/qcbor.h"
+#include "tfm_crypto_defs.h"
 
-#define ECC_P256_PUBLIC_KEY_SIZE PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(256)
+#define ATTEST_ECC_PUBLIC_KEY_SIZE \
+    PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(ATTEST_KEY_BITS)
 
 /**
  * The size of X and Y coordinate in 2 parameter style EC public
@@ -29,136 +30,39 @@
  */
 #define ECC_P256_COORD_SIZE PSA_BITS_TO_BYTES(256) /* 256 bits -> 32 bytes */
 
-/* 0 is defined as an invalid handle in the PSA spec, so it is used here to
- * indicate that the key isn't loaded.
- */
-#define ATTEST_KEY_HANDLE_NOT_LOADED 0
-
-/**
- * Global key handle for the attestation key. Used to prevent keys having to be
- * reloaded multiple times during a single token operation.
- */
-static psa_key_handle_t attestation_key_handle = ATTEST_KEY_HANDLE_NOT_LOADED;
-
-/**
- * The public key is kept loaded as it is both not required to be secret (and
- * hence can be kept in attestation memory) and immutable.
- */
-static uint8_t attestation_public_key[ECC_P256_PUBLIC_KEY_SIZE]; /* 65bytes */
+static uint8_t attestation_public_key[ATTEST_ECC_PUBLIC_KEY_SIZE];
 static size_t attestation_public_key_len = 0;
 static psa_ecc_family_t attestation_key_curve;
 
-#ifdef INCLUDE_COSE_KEY_ID
-static uint8_t attestation_key_id[PSA_HASH_SIZE(PSA_ALG_SHA_256)]; /* 32bytes */
+#if ATTEST_INCLUDE_COSE_KEY_ID
+/* 32bytes */
+static uint8_t attestation_key_id[PSA_HASH_LENGTH(PSA_ALG_SHA_256)];
 #endif
 
 /* Instance ID for asymmetric IAK */
 static uint8_t instance_id_buf[INSTANCE_ID_MAX_SIZE];
 static size_t instance_id_len = 0U;
 
-enum psa_attest_err_t
-attest_register_initial_attestation_key()
+static enum psa_attest_err_t attest_load_public_key(void)
 {
-    enum tfm_plat_err_t plat_res;
-    psa_ecc_family_t psa_curve;
-    struct ecc_key_t attest_key = {0};
-    uint8_t key_buf[3 * ECC_P256_COORD_SIZE]; /* priv + x_coord + y_coord */
-    psa_key_handle_t key_handle = ATTEST_KEY_HANDLE_NOT_LOADED;
     psa_status_t crypto_res;
-    psa_key_attributes_t key_attributes = psa_key_attributes_init();
-
-    if (attestation_key_handle != ATTEST_KEY_HANDLE_NOT_LOADED) {
-        return PSA_ATTEST_ERR_GENERAL;
-    }
-
-    /* Get the initial attestation key */
-    plat_res = tfm_plat_get_initial_attest_key(key_buf, sizeof(key_buf),
-                                               &attest_key, &psa_curve);
-
-    /* Check the availability of the private key */
-    if (plat_res != TFM_PLAT_ERR_SUCCESS || attest_key.priv_key == NULL) {
-        return PSA_ATTEST_ERR_GENERAL;
-    }
-
-    /* Setup the key policy for private key */
-    psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN);
-    psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
-    psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(psa_curve));
-
-    /* Register private key to Crypto service */
-    crypto_res = psa_import_key(&key_attributes,
-                                attest_key.priv_key,
-                                attest_key.priv_key_size,
-                                &key_handle);
-
+    psa_key_attributes_t attr;
+    psa_key_handle_t handle = TFM_BUILTIN_KEY_ID_IAK;
+
+    crypto_res = psa_get_key_attributes(handle, &attr);
     if (crypto_res != PSA_SUCCESS) {
         return PSA_ATTEST_ERR_GENERAL;
     }
 
-    attestation_key_handle = key_handle;
-
-    /* If the public key length is 0 then it hasn't been loaded */
-    if (attestation_public_key_len == 0) {
-        crypto_res = psa_export_public_key(key_handle, attestation_public_key,
-                                           ECC_P256_PUBLIC_KEY_SIZE,
-                                           &attestation_public_key_len);
-        if (crypto_res != PSA_SUCCESS) {
-            return PSA_ATTEST_ERR_GENERAL;
-        }
-
-        attestation_key_curve = psa_curve;
-    }
+    attestation_key_curve = PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(&attr));
 
-    return PSA_ATTEST_ERR_SUCCESS;
-}
-
-enum psa_attest_err_t
-attest_unregister_initial_attestation_key()
-{
-    psa_status_t crypto_res;
-
-    if (attestation_key_handle == ATTEST_KEY_HANDLE_NOT_LOADED) {
-        return PSA_ATTEST_ERR_GENERAL;
-    }
-
-    crypto_res = psa_destroy_key(attestation_key_handle);
+    crypto_res = psa_export_public_key(handle, attestation_public_key,
+                                       sizeof(attestation_public_key),
+                                       &attestation_public_key_len);
     if (crypto_res != PSA_SUCCESS) {
         return PSA_ATTEST_ERR_GENERAL;
     }
 
-    attestation_key_handle = ATTEST_KEY_HANDLE_NOT_LOADED;
-
-    return PSA_ATTEST_ERR_SUCCESS;
-}
-
-enum psa_attest_err_t
-attest_get_signing_key_handle(psa_key_handle_t *handle)
-{
-    if (attestation_key_handle == ATTEST_KEY_HANDLE_NOT_LOADED) {
-        return PSA_ATTEST_ERR_GENERAL;
-    }
-
-    *handle = attestation_key_handle;
-
-    return PSA_ATTEST_ERR_SUCCESS;
-}
-
-enum psa_attest_err_t
-attest_get_initial_attestation_public_key(uint8_t **public_key,
-                                          size_t *public_key_len,
-                                          psa_ecc_family_t *public_key_curve)
-{
-
-    /* If the public key length is 0 then it hasn't been loaded */
-    if (attestation_public_key_len == 0) {
-        return PSA_ATTEST_ERR_GENERAL;
-    }
-
-    *public_key = attestation_public_key;
-    *public_key_len = attestation_public_key_len;
-    *public_key_curve = attestation_key_curve;
-
     return PSA_ATTEST_ERR_SUCCESS;
 }
 
@@ -171,16 +75,13 @@ static enum psa_attest_err_t attest_calc_instance_id(void)
 {
     psa_status_t crypto_res;
     enum psa_attest_err_t attest_res;
-    uint8_t *public_key;
-    size_t key_len;
-    psa_ecc_family_t psa_curve;
     psa_hash_operation_t hash = psa_hash_operation_init();
 
-    attest_res = attest_get_initial_attestation_public_key(&public_key,
-                                                           &key_len,
-                                                           &psa_curve);
-    if (attest_res != PSA_ATTEST_ERR_SUCCESS) {
-        return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
+    if (attestation_public_key_len == 0U) {
+        attest_res = attest_load_public_key();
+        if (attest_res != PSA_ATTEST_ERR_SUCCESS) {
+            return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
+        }
     }
 
     crypto_res = psa_hash_setup(&hash, PSA_ALG_SHA_256);
@@ -188,7 +89,8 @@ static enum psa_attest_err_t attest_calc_instance_id(void)
         return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
     }
 
-    crypto_res = psa_hash_update(&hash, public_key, key_len);
+    crypto_res = psa_hash_update(&hash, attestation_public_key,
+                                 attestation_public_key_len);
     if (crypto_res != PSA_SUCCESS) {
         return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
     }
@@ -227,7 +129,7 @@ attest_get_instance_id(struct q_useful_buf_c *id_buf)
     return PSA_ATTEST_ERR_SUCCESS;
 }
 
-#ifdef INCLUDE_COSE_KEY_ID
+#if ATTEST_INCLUDE_COSE_KEY_ID
 
 #define MAX_ENCODED_COSE_KEY_SIZE \
     1 + /* 1 byte to encode map */ \
@@ -252,7 +154,7 @@ attest_map_psa_ecc_curve_to_cose_ecc_curve(psa_ecc_family_t psa_curve)
 
     /* Note: Mapping is not complete. */
     switch (psa_curve) {
-    case PSA_ECC_CURVE_SECP256R1:
+    case PSA_ECC_FAMILY_SECP_R1:
         cose_curve = COSE_ELLIPTIC_CURVE_P_256;
         break;
     default:
@@ -426,7 +328,14 @@ attest_get_initial_attestation_key_id(struct q_useful_buf_c *attest_key_id)
     struct q_useful_buf buffer_for_attest_key_id;
 
     buffer_for_attest_key_id.ptr = attestation_key_id;
-    buffer_for_attest_key_id.len = PSA_HASH_SIZE(PSA_ALG_SHA_256);
+    buffer_for_attest_key_id.len = PSA_HASH_LENGTH(PSA_ALG_SHA_256);
+
+    if (attestation_public_key_len == 0U) {
+        attest_res = attest_load_public_key();
+        if (attest_res != PSA_ATTEST_ERR_SUCCESS) {
+            return PSA_ATTEST_ERR_CLAIM_UNAVAILABLE;
+        }
+    }
 
     /* Needs to calculate only once */
     if (attest_key_id_calculated == 0) {
@@ -448,4 +357,4 @@ attest_get_initial_attestation_key_id(struct q_useful_buf_c *attest_key_id)
     return PSA_ATTEST_ERR_SUCCESS;
 }
 
-#endif /* INCLUDE_COSE_KEY_ID */
+#endif /* ATTEST_INCLUDE_COSE_KEY_ID */ |
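Review bot: `psa_key_attributes_t attr;` in the new attest_load_public_key() is handed to psa_get_key_attributes() uninitialised and is never released, whereas the removed code initialised its attribute object with psa_key_attributes_init(); the PSA Crypto API expects the object to be in a valid state on entry and psa_reset_key_attributes() to be called once the caller is done with it. Suggest `psa_key_attributes_t attr = psa_key_attributes_init();` at the declaration and `psa_reset_key_attributes(&attr);` directly after the `attestation_key_curve = PSA_KEY_TYPE_ECC_GET_FAMILY(...)` line, since nothing else reads attr afterwards. The family is also extracted without confirming the built-in key is an ECC key; a one-line guard such as `if (!PSA_KEY_TYPE_IS_ECC(psa_get_key_type(&attr))) { return PSA_ATTEST_ERR_GENERAL; }` before the assignment would make a misconfigured TFM_BUILTIN_KEY_ID_IAK fail loudly instead of yielding a meaningless curve value. A short header comment on the function stating that it fills attestation_public_key, attestation_public_key_len and attestation_key_curve from the built-in IAK and that callers gate on attestation_public_key_len == 0 would help, as that contract is now implicit in two call sites.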
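Review bot: `case PSA_ECC_FAMILY_SECP_R1:` now matches an entire curve family yet is still mapped unconditionally to `COSE_ELLIPTIC_CURVE_P_256`, while the first hunk made the public-key buffer size follow ATTEST_KEY_BITS; the family value stored by attest_load_public_key() does not identify the curve, so if ATTEST_KEY_BITS is ever set to another SECP_R1 size the COSE key and the key-id derived from it in attest_get_initial_attestation_key_id would advertise the wrong curve. The hard-coded `#define ECC_P256_COORD_SIZE PSA_BITS_TO_BYTES(256)` kept as context at the top of the second hunk would be equally wrong for such a key. Until the mapping takes the key size into account, pin the assumption at compile time, e.g. `#if ATTEST_KEY_BITS != 256` / `#error "attest_map_psa_ecc_curve_to_cose_ecc_curve assumes a 256-bit SECP_R1 IAK"` / `#endif`, and extend the existing `/* Note: Mapping is not complete. */` to say the mapping assumes P-256. The body of attest_map_psa_ecc_curve_to_cose_ecc_curve continues outside the hunk.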