Age | Commit message (Collapse) | Author |
|
This patch refactors the entry points of the tfm_builtin_key_loader
driver to simplify its interaction with crypto keys HAL layer and
the rest of the TF-M Crypto service and PSA Crypto core layer.
* Decouple as much as possible each module from mbed TLS specific
types, and makes sure all library interactions are abstracted in
the crypto_library module of the crypto service
* Simplify the HAL requirements to provide platform builtin keys
as described in tfm_plat_crypto_keys.h
* Update the documentation to reflect the design change
* Fix minor issues and typos, include paths, etc
* Regenerate mbed TLS patches on top of 3.3.0 tag to be applied
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Change-Id: Id26ff0b88da87075490d17a4c8af8f209bb34a08
|
|
The tfm_builtin_key_loader driver assumes that the underlying
implementation is the one provided by mbed TLS. This patch aims
to decouple as much as possible from it in view of possibly using
it with different PSA Crypto core implementations.
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Change-Id: Ib8d262da2dff9ae9ad1f34b7641785d9b66b97f9
|
|
Implement builtin key driver, and add HAL apis to load HUK and IAK into
this driver. Add necessary funtions to route PSA crypto calls into this
driver. Add fixed builtin key IDs into the interface, and a mechanism to
allow platforms to add extra keys.
Change-Id: I7ffc16eb14215dd6b323baeb53b40ccb1c0ce126
Signed-off-by: Raef Coles <raef.coles@arm.com>
|
|
Align the PSA Crypto header files in interface folder
with Mbed TLS 2.24.
Change-Id: I28a4e9789183bad3ad15b61480d6b8bb2151d4cb
Signed-off-by: Summer Qin <summer.qin@arm.com>
|
|
Add a HAL API tfm_plat_get_symmetric_iak_id() to fetch kid from
platform.
Implement an example of this HAL API.
Add attest_get_symmetric_iak_id() to pass the kid value to token
generation of symmetric key algorithm based Initial Attestation.
Change-Id: I642f7a03f1738c8fe77f11fc2ae91652fc01df29
Signed-off-by: David Hu <david.hu@arm.com>
|
|
Implement attest_register_initial_attest_key() to fetch and register a
symmetric Initial Attestation Key (IAK).
Add tfm_plat_get_symmetric_iak() to receive the key raw data from
platform.
Add attest_get_signing_key_handle() to get the key handle of the
initial attestation key for signing IAT.
Replace attest_get_initial_attestation_private_key_handle() with
attest_get_signing_key_handle().
Also add a binary symmetric IAK file for token verification in
other tools.
Change-Id: Id2e3647cc85abd0eacbf2a0e53b6d2cd927acaaf
Signed-off-by: David Hu <david.hu@arm.com>
|
|
Key id is part of the unprotected COSE header and
it is an optional field. Make key id inclusion optional
with a compile time define.
Change-Id: I5458c1f74c36015d433b5922e2a5038fb0ea31b7
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
|
|
Replace hard-coded values with the PSA Crypto macros
to calculate the size of the ECC public key.
Change-Id: I613e10d67eb968bd47a3f40c014b743003c9a9ed
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
|
|
Removes the tfm_plat_get_crypto_huk() function as it is no longer
required and may not be possible to implement on some platforms.
Change-Id: If1c1039ce287c373daf6519959cbe87ff47db5b3
Signed-off-by: Jamie Fox <jamie.fox@arm.com>
|
|
Adds the tfm_plat_get_huk_derived_key() function to get key material
that is derived from the HUK through a platform-defined implementation.
Change-Id: I307597b7c9e280cc984ccac9dcf28b627367e5b5
Signed-off-by: Jamie Fox <jamie.fox@arm.com>
|
|
Change from using a COSE curve ID to a PSA curve ID to simplify the
loading of keys into the crypto service.
Change-Id: Id67816810107ecd2e5f5be768363091dda7a9615
Signed-off-by: Raef Coles <raef.coles@arm.com>
|
|
PSA Trusted Boot and Firmware Update specification requires
the support of at least one immutable root of trust public key
(ROTPK) for firmware verification. This key is provisioned to
the SoC during manufacturing. This API makes possible to
the bootloader to get the hash of ROTPK in order to validate the
public key which is present in the image manifest.
This is a dummy implementation not suitable for use in production!
Change-Id: Ibf4d3d376f9e6fceaaabc9a1f11a46ef20f07a16
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
|
|
PSA Trusted Boot and Firmware Update specification requires
the support of at least one immutable root of trust public key
(ROTPK) for firmware verification. This key is provisioned to
the SoC during manufacturing. This API makes possible to
the bootloader to get the hash of ROTPK from the SoC in order
to validate the public key which is present in the image manifest.
Change-Id: Ica8cb52417e5dc022800b04470dba64f4fe05b22
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
|
|
Details:
- Add new functions to API to get the initial attestion key
or its size
- Add a new file, which contains an ECDSA P-256 key pair
in hard coded raw format (without any encoding)
- Add the orignal *.pem file, ASN.1 encoding
- Create dummy implementation per target to retrive the
hard coded key
Change-Id: Ie7dfac9d6df631f87c50f755cb80ffc7f00f5cbd
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
|
|
TF-M Platform service is a trusted service which allows secure
partitions and non-secure applications to interact with some
platform-specific components. There are a number of features which
requires some interaction with platform-specific components which
are at the same time essential for the security of the system.
Therefore, those components need to be handled by a secure partition
which is part of the trusted compute base.
This patch adds the Platform service which provides the system reset
as a first function.
Change-Id: I68253328db22a45fb6a3d6820dd85b1e24ea96f0
Signed-off-by: Marc Moreno <marc.morenoberengue@arm.com>
|
|
This patch replaces tfm_plat_errno_t by tfm_plat_err_t.
Change-Id: I9c59de09c1a5cb3ee4309679cd45310db81a9e17
Signed-off-by: Marc Moreno <marc.morenoberengue@arm.com>
|
|
This patch adds the tfm_ prefix in all the platform HAL files,
interfaces and HAL targets' implementation.
It also aligns the files with the coding style.
Change-Id: Ic1b1f80b20c1e8a19e6b8e56ee158b42c11df63c
Signed-off-by: Marc Moreno <marc.morenoberengue@arm.com>
|