path: root/platform/include/tfm_plat_crypto_keys.h
Age | Commit message | Author
2023-02-15 | Crypto: Refactor the tfm_builtin_key_loader and HAL interaction | Antonio de Angelis
This patch refactors the entry points of the tfm_builtin_key_loader driver to simplify its interaction with crypto keys HAL layer and the rest of the TF-M Crypto service and PSA Crypto core layer.
* Decouple as much as possible each module from mbed TLS specific types, and make sure all library interactions are abstracted in the crypto_library module of the crypto service
* Simplify the HAL requirements to provide platform builtin keys as described in tfm_plat_crypto_keys.h
* Update the documentation to reflect the design change
* Fix minor issues and typos, include paths, etc
* Regenerate mbed TLS patches on top of 3.3.0 tag to be applied
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Change-Id: Id26ff0b88da87075490d17a4c8af8f209bb34a08
2022-12-22 | Crypto: Cleanup tfm_builtin_key_loader | Antonio de Angelis
The tfm_builtin_key_loader driver assumes that the underlying implementation is the one provided by mbed TLS. This patch aims to decouple as much as possible from it in view of possibly using it with different PSA Crypto core implementations.
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Change-Id: Ib8d262da2dff9ae9ad1f34b7641785d9b66b97f9
2022-08-07 | Crypto: Implement PSA builtin keys | Raef Coles
Implement builtin key driver, and add HAL APIs to load HUK and IAK into this driver. Add necessary functions to route PSA crypto calls into this driver. Add fixed builtin key IDs into the interface, and a mechanism to allow platforms to add extra keys.
Change-Id: I7ffc16eb14215dd6b323baeb53b40ccb1c0ce126
Signed-off-by: Raef Coles <raef.coles@arm.com>
2020-10-30 | Crypto: Align with Mbed TLS 2.24 | Summer Qin
Align the PSA Crypto header files in interface folder with Mbed TLS 2.24.
Change-Id: I28a4e9789183bad3ad15b61480d6b8bb2151d4cb
Signed-off-by: Summer Qin <summer.qin@arm.com>
2020-06-22 | Attest: Support kid parameter in COSE_Mac0 structure header | David Hu
Add a HAL API tfm_plat_get_symmetric_iak_id() to fetch kid from platform. Implement an example of this HAL API. Add attest_get_symmetric_iak_id() to pass the kid value to token generation of symmetric key algorithm based Initial Attestation.
Change-Id: I642f7a03f1738c8fe77f11fc2ae91652fc01df29
Signed-off-by: David Hu <david.hu@arm.com>
2020-06-22 | Attest: Fetch symmetric Initial Attestation Key | David Hu
Implement attest_register_initial_attest_key() to fetch and register a symmetric Initial Attestation Key (IAK). Add tfm_plat_get_symmetric_iak() to receive the key raw data from platform. Add attest_get_signing_key_handle() to get the key handle of the initial attestation key for signing IAT. Replace attest_get_initial_attestation_private_key_handle() with attest_get_signing_key_handle(). Also add a binary symmetric IAK file for token verification in other tools.
Change-Id: Id2e3647cc85abd0eacbf2a0e53b6d2cd927acaaf
Signed-off-by: David Hu <david.hu@arm.com>
2020-01-23 | Attest: Add attest key id to the COSE header | Tamas Ban
Key id is part of the unprotected COSE header and it is an optional field. Make key id inclusion optional with a compile time define.
Change-Id: I5458c1f74c36015d433b5922e2a5038fb0ea31b7
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
2020-01-23 | Attest: Replace crypto related size definitions | Tamas Ban
Replace hard-coded values with the PSA Crypto macros to calculate the size of the ECC public key.
Change-Id: I613e10d67eb968bd47a3f40c014b743003c9a9ed
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
2019-11-05 | Platform: Remove function to get HUK | Jamie Fox
Removes the tfm_plat_get_crypto_huk() function as it is no longer required and may not be possible to implement on some platforms.
Change-Id: If1c1039ce287c373daf6519959cbe87ff47db5b3
Signed-off-by: Jamie Fox <jamie.fox@arm.com>
2019-11-05 | Platform: Add API to get key derived from HUK | Jamie Fox
Adds the tfm_plat_get_huk_derived_key() function to get key material that is derived from the HUK through a platform-defined implementation.
Change-Id: I307597b7c9e280cc984ccac9dcf28b627367e5b5
Signed-off-by: Jamie Fox <jamie.fox@arm.com>
2019-11-05 | Platform: Use PSA ECC ID for attestation key | Raef Coles
Change from using a COSE curve ID to a PSA curve ID to simplify the loading of keys into the crypto service.
Change-Id: Id67816810107ecd2e5f5be768363091dda7a9615
Signed-off-by: Raef Coles <raef.coles@arm.com>
2019-09-06 | Platform: Implement API to get ROTPK | Tamas Ban
PSA Trusted Boot and Firmware Update specification requires the support of at least one immutable root of trust public key (ROTPK) for firmware verification. This key is provisioned to the SoC during manufacturing. This API makes it possible for the bootloader to get the hash of ROTPK in order to validate the public key which is present in the image manifest. This is a dummy implementation not suitable for use in production!
Change-Id: Ibf4d3d376f9e6fceaaabc9a1f11a46ef20f07a16
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
2019-09-06 | Platform: Define API to get ROTPK | Tamas Ban
PSA Trusted Boot and Firmware Update specification requires the support of at least one immutable root of trust public key (ROTPK) for firmware verification. This key is provisioned to the SoC during manufacturing. This API makes it possible for the bootloader to get the hash of ROTPK from the SoC in order to validate the public key which is present in the image manifest.
Change-Id: Ica8cb52417e5dc022800b04470dba64f4fe05b22
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
2019-02-12 | Platform: Extend crypto key API with attestation key | Tamas Ban
Details:
- Add new functions to API to get the initial attestation key or its size
- Add a new file, which contains an ECDSA P-256 key pair in hard coded raw format (without any encoding)
- Add the original *.pem file, ASN.1 encoding
- Create dummy implementation per target to retrieve the hard coded key
Change-Id: Ie7dfac9d6df631f87c50f755cb80ffc7f00f5cbd
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
2018-11-15 | PlatformSP: Add Platform service | Marc Moreno Berengue
TF-M Platform service is a trusted service which allows secure partitions and non-secure applications to interact with some platform-specific components. There are a number of features which require some interaction with platform-specific components which are at the same time essential for the security of the system. Therefore, those components need to be handled by a secure partition which is part of the trusted compute base. This patch adds the Platform service which provides the system reset as a first function.
Change-Id: I68253328db22a45fb6a3d6820dd85b1e24ea96f0
Signed-off-by: Marc Moreno <marc.morenoberengue@arm.com>
2018-09-12 | Platform: Replace tfm_plat_errno by tfm_plat_err | Marc Moreno Berengue
This patch replaces tfm_plat_errno_t by tfm_plat_err_t.
Change-Id: I9c59de09c1a5cb3ee4309679cd45310db81a9e17
Signed-off-by: Marc Moreno <marc.morenoberengue@arm.com>
2018-09-12 | Platform: Add tfm_ prefix in the platform HAL | Marc Moreno Berengue
This patch adds the tfm_ prefix in all the platform HAL files, interfaces and HAL targets' implementation. It also aligns the files with the coding style.
Change-Id: Ic1b1f80b20c1e8a19e6b8e56ee158b42c11df63c
Signed-off-by: Marc Moreno <marc.morenoberengue@arm.com>