author | julhal01 <julian.hall@arm.com> | 2021-03-08 13:32:08 +0000 |
---|---|---|
committer | György Szing <gyorgy.szing@arm.com> | 2021-07-01 12:19:19 +0200 |
commit | 3a4207dc7d5be5a4723168b864e6957d526fa5e5 (patch) | |
tree | 88ddd84d43535745dd0bea4838d3834e8ddc7026 | |
parent | 7791cb1c9fa378c9394e77850d7f22cad1dbd043 (diff) | |
download | trusted-services-3a4207dc7d5be5a4723168b864e6957d526fa5e5.tar.gz |
Add protected-storage and internal-trusted-storage deployments
Adds SP deployments for protected-storage and
internal-trusted-storage, replacing the secure-storage deployment.
Includes service-level tests based on PSA ITS and PS APIs.
Amended to fix bugs in discovery of the storage SP from another SP.
Signed-off-by: Julian Hall <julian.hall@arm.com>
Change-Id: Ia1a8b6b1b694f00034c69b6d03018faa4b2588e6
47 files changed, 1260 insertions, 268 deletions
diff --git a/components/service/crypto/client/test/mock/mock_crypto_client.cpp b/components/service/crypto/client/test/mock/mock_crypto_client.cpp
deleted file mode 100644
index 96195a8dc..000000000
--- a/components/service/crypto/client/test/mock/mock_crypto_client.cpp
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-#include "mock_crypto_client.h"
-#include <service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.h>
-#include <service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.h>
-
-mock_crypto_client::mock_crypto_client() :
- test_crypto_client(),
- m_crypto_provider(),
- m_storage_provider(),
- m_crypto_caller(),
- m_storage_caller()
-{
-
-}
-
-mock_crypto_client::~mock_crypto_client()
-{
-
-}
-
-bool mock_crypto_client::init()
-{
- bool should_do = test_crypto_client::init();
-
- if (should_do) {
-
- struct rpc_interface *storage_ep = mock_store_provider_init(&m_storage_provider);
- struct rpc_caller *storage_caller = direct_caller_init_default(&m_storage_caller,
- storage_ep);
-
- struct rpc_interface *crypto_ep = mbed_crypto_provider_init(&m_crypto_provider,
- storage_caller, 0);
- struct rpc_caller *crypto_caller = direct_caller_init_default(&m_crypto_caller,
- crypto_ep);
-
- mbed_crypto_provider_register_serializer(&m_crypto_provider,
- TS_RPC_ENCODING_PROTOBUF, pb_crypto_provider_serializer_instance());
-
- mbed_crypto_provider_register_serializer(&m_crypto_provider,
- TS_RPC_ENCODING_PACKED_C, packedc_crypto_provider_serializer_instance());
-
- rpc_caller_set_encoding_scheme(crypto_caller, TS_RPC_ENCODING_PROTOBUF);
-
- crypto_client::set_caller(crypto_caller);
- }
-
- return should_do;
-}
-
-bool mock_crypto_client::deinit()
-{
- bool should_do = test_crypto_client::deinit();
-
- if (should_do) {
-
- mbed_crypto_provider_deinit(&m_crypto_provider);
- mock_store_provider_deinit(&m_storage_provider);
-
- direct_caller_deinit(&m_storage_caller);
- direct_caller_deinit(&m_crypto_caller);
- }
-
- return should_do;
-}
-
-/* Test Methods */
-bool mock_crypto_client::keystore_reset_is_supported() const
-{
- return true;
-}
-
-void mock_crypto_client::keystore_reset()
-{
- 
mock_store_reset(&m_storage_provider);
-}
-
-bool mock_crypto_client::keystore_key_exists_is_supported() const
-{
- return true;
-}
-
-bool mock_crypto_client::keystore_key_exists(uint32_t id) const
-{
- return mock_store_exists(&m_storage_provider, id);
-}
-
-bool mock_crypto_client::keystore_keys_held_is_supported() const
-{
- return true;
-}
-
-size_t mock_crypto_client::keystore_keys_held() const
-{
- return mock_store_num_items(&m_storage_provider);
-}
-
-/* Factory for creating mock_crypto_client objects */
-class mock_crypto_client_factory : public test_crypto_client::factory
-{
-public:
- mock_crypto_client_factory() :
- test_crypto_client::factory()
- {
- test_crypto_client::register_factory(this);
- }
-
- ~mock_crypto_client_factory()
- {
- test_crypto_client::deregister_factory(this);
- }
-
- test_crypto_client *create()
- {
- return new mock_crypto_client;
- };
-};
-
-/*
- * Static construction causes this to be registered
- * as the default factory for constructing test_crypto_client objects.
- */
-static mock_crypto_client_factory default_factory;
diff --git a/components/service/crypto/client/test/mock/mock_crypto_client.h b/components/service/crypto/client/test/mock/mock_crypto_client.h
deleted file mode 100644
index 92ee6a993..000000000
--- a/components/service/crypto/client/test/mock/mock_crypto_client.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (c) 2020, Arm Limited and Contributors. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-#ifndef MOCK_CRYPTO_CLIENT_H
-#define MOCK_CRYPTO_CLIENT_H
-
-#include <service/crypto/client/test/test_crypto_client.h>
-#include <rpc/direct/direct_caller.h>
-#include <service/crypto/provider/mbedcrypto/crypto_provider.h>
-#include <service/secure_storage/provider/mock_store/mock_store_provider.h>
-
-/*
- * A specialization of the crypto_client class that extends it to add crypto
- * and storage providers to offer a viable crypto service from a single object.
- * The mock_store storage provider is used for persistent key storage.
- * This is only used for test purposes and should not be used for production
- * deployments. Provides methods used for inspecting service state that
- * support test.
- */
-class mock_crypto_client : public test_crypto_client
-{
-public:
- mock_crypto_client();
- virtual ~mock_crypto_client();
-
- bool init();
- bool deinit();
-
- /* Test support methods */
- bool keystore_reset_is_supported() const;
- void keystore_reset();
-
- bool keystore_key_exists_is_supported() const;
- bool keystore_key_exists(uint32_t id) const;
-
- bool keystore_keys_held_is_supported() const;
- size_t keystore_keys_held() const;
-
-private:
- struct mbed_crypto_provider m_crypto_provider;
- struct mock_store_provider m_storage_provider;
- struct direct_caller m_crypto_caller;
- struct direct_caller m_storage_caller;
-};
-
-#endif /* MOCK_CRYPTO_CLIENT_H */
diff --git a/components/service/crypto/client/test/standalone/standalone_crypto_client.cpp b/components/service/crypto/client/test/standalone/standalone_crypto_client.cpp
index c57cbba72..56d20c58a 100644
--- a/components/service/crypto/client/test/standalone/standalone_crypto_client.cpp
+++ b/components/service/crypto/client/test/standalone/standalone_crypto_client.cpp
@@ -15,6 +15,7 @@ standalone_crypto_client::standalone_crypto_client() : test_crypto_client(), m_crypto_provider(), m_storage_provider(),
+ m_storage_client(),
 m_crypto_caller(), m_storage_caller(), m_dummy_storage_caller()
@@ -54,10 +55,13 @@ bool standalone_crypto_client::init() TS_RPC_CALL_ACCEPTED, PSA_ERROR_STORAGE_FAILURE); }
+ struct storage_backend *client_storage_backend = secure_storage_client_init(&m_storage_client,
+ storage_caller);
+
 struct rpc_interface *crypto_ep = mbed_crypto_provider_init(&m_crypto_provider,
- storage_caller, 0);
- struct rpc_caller *crypto_caller = direct_caller_init_default(&m_crypto_caller,
- crypto_ep);
+ client_storage_backend, 0);
+
+ struct rpc_caller *crypto_caller = direct_caller_init_default(&m_crypto_caller, crypto_ep);
 mbed_crypto_provider_register_serializer(&m_crypto_provider, TS_RPC_ENCODING_PROTOBUF, pb_crypto_provider_serializer_instance());
@@ -81,6 +85,7 @@ bool standalone_crypto_client::deinit() mbed_crypto_provider_deinit(&m_crypto_provider); secure_storage_provider_deinit(&m_storage_provider);
+ secure_storage_client_deinit(&m_storage_client);
 direct_caller_deinit(&m_storage_caller); direct_caller_deinit(&m_crypto_caller);
diff --git a/components/service/crypto/client/test/standalone/standalone_crypto_client.h b/components/service/crypto/client/test/standalone/standalone_crypto_client.h
index 8f156b0c9..1093a1029 100644
--- a/components/service/crypto/client/test/standalone/standalone_crypto_client.h
+++ b/components/service/crypto/client/test/standalone/standalone_crypto_client.h
@@ -12,6 +12,7 @@
 #include <rpc/dummy/dummy_caller.h>
 #include <service/crypto/provider/mbedcrypto/crypto_provider.h>
 #include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
 /* * A specialization of the crypto_client class that extends it to add crypto 
@@ -44,6 +45,7 @@ private: struct mbed_crypto_provider m_crypto_provider; struct secure_storage_provider m_storage_provider;
+ struct secure_storage_client m_storage_client;
 struct direct_caller m_crypto_caller; struct direct_caller m_storage_caller; struct dummy_caller m_dummy_storage_caller;
diff --git a/components/service/crypto/provider/mbedcrypto/crypto_provider.c b/components/service/crypto/provider/mbedcrypto/crypto_provider.c
index b0f8be309..03e0ef1a1 100644
--- a/components/service/crypto/provider/mbedcrypto/crypto_provider.c
+++ b/components/service/crypto/provider/mbedcrypto/crypto_provider.c
@@ -45,7 +45,7 @@ static const struct service_handler handler_table[] = { }; struct rpc_interface *mbed_crypto_provider_init(struct mbed_crypto_provider *context,
- struct rpc_caller *storage_caller,
+ struct storage_backend *storage_backend,
 int trng_instance) { struct rpc_interface *rpc_interface = NULL;
@@ -57,7 +57,7 @@ struct rpc_interface *mbed_crypto_provider_init(struct mbed_crypto_provider *con * is a mandatory feature of the crypto service, insist on a storage * provider being available. */
- if (context && storage_caller) {
+ if (context && storage_backend) {
 for (size_t encoding = 0; encoding < TS_RPC_ENCODING_LIMIT; ++encoding) context->serializers[encoding] = NULL;
@@ -65,11 +65,7 @@ struct rpc_interface *mbed_crypto_provider_init(struct mbed_crypto_provider *con service_provider_init(&context->base_provider, context, handler_table, sizeof(handler_table)/sizeof(struct service_handler));
- struct storage_backend *storage_backend =
- secure_storage_client_init(&context->secure_storage_client, storage_caller);
-
- if (storage_backend &&
- (psa_its_frontend_init(storage_backend) == PSA_SUCCESS) &&
+ if ((psa_its_frontend_init(storage_backend) == PSA_SUCCESS) &&
 (psa_crypto_init() == PSA_SUCCESS)) { rpc_interface = service_provider_get_rpc_interface(&context->base_provider); 
diff --git a/components/service/crypto/provider/mbedcrypto/crypto_provider.h b/components/service/crypto/provider/mbedcrypto/crypto_provider.h
index 1f69396eb..3c0f8d897 100644
--- a/components/service/crypto/provider/mbedcrypto/crypto_provider.h
+++ b/components/service/crypto/provider/mbedcrypto/crypto_provider.h
@@ -10,7 +10,7 @@
 #include <rpc/common/endpoint/rpc_interface.h>
 #include <service/common/provider/service_provider.h>
 #include <service/crypto/provider/serializer/crypto_provider_serializer.h>
-#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <service/secure_storage/backend/storage_backend.h>
 #include <protocols/rpc/common/packed-c/encoding.h>
 #ifdef __cplusplus
@@ -21,7 +21,6 @@ struct mbed_crypto_provider { struct service_provider base_provider; const struct crypto_provider_serializer *serializers[TS_RPC_ENCODING_LIMIT];
- struct secure_storage_client secure_storage_client;
 }; /*
@@ -31,7 +30,7 @@ struct mbed_crypto_provider * backend. */ struct rpc_interface *mbed_crypto_provider_init(struct mbed_crypto_provider *context,
- struct rpc_caller *storage_caller,
+ struct storage_backend *storage_backend,
 int trng_instance); /*
diff --git a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
index 132bbc8ce..a6cbe314c 100644
--- a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
+++ b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
@@ -11,7 +11,7 @@
 #include <CppUTest/TestHarness.h>
 /*
- * Service-level tests that use the Protobuf access protocol serialization
+ * Service-level tests that use the packed-c access protocol serialization
 */ TEST_GROUP(CryptoServicePackedcTests) { 
diff --git a/components/service/locator/linux/ffa/linuxffa_location_strategy.c b/components/service/locator/linux/ffa/linuxffa_location_strategy.c
index 21468a97e..2469e86c5 100644
--- a/components/service/locator/linux/ffa/linuxffa_location_strategy.c
+++ b/components/service/locator/linux/ffa/linuxffa_location_strategy.c
@@ -88,9 +88,10 @@ static size_t suggest_tf_org_partition_uuids(const char *sn, struct uuid_canonic } partition_lookup[] = {
- {"crypto", "d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0"},
- {"secure-storage", "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14"},
- {"test-runner", "33c75baf-ac6a-4fe4-8ac7-e9909bee2d17"},
+ {"crypto", "d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0"},
+ {"internal-trusted-storage", "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14"},
+ {"protected-storage", "751bf801-3dde-4768-a514-0f10aeed1790"},
+ {"test-runner", "33c75baf-ac6a-4fe4-8ac7-e9909bee2d17"},
 {NULL, NULL} };
diff --git a/components/service/locator/standalone/services/crypto/crypto_service_context.cpp b/components/service/locator/standalone/services/crypto/crypto_service_context.cpp
index 07829e227..2679ee3f9 100644
--- a/components/service/locator/standalone/services/crypto/crypto_service_context.cpp
+++ b/components/service/locator/standalone/services/crypto/crypto_service_context.cpp
@@ -7,13 +7,14 @@
 #include "crypto_service_context.h"
 #include <service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.h>
 #include <service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.h>
-#include <service/secure_storage/backend/secure_flash_store/secure_flash_store.h>
 crypto_service_context::crypto_service_context(const char *sn) : standalone_service_context(sn), m_crypto_provider(),
- m_storage_provider(),
- m_storage_caller()
+ m_storage_client(),
+ m_null_store(),
+ m_storage_service_context(NULL),
+ m_storage_session_handle(NULL)
 { } 
@@ -25,13 +26,32 @@ crypto_service_context::~crypto_service_context() void crypto_service_context::do_init() {
- struct storage_backend *storage_backend = sfs_init();
- struct rpc_interface *storage_ep = secure_storage_provider_init(&m_storage_provider,
- storage_backend);
- struct rpc_caller *storage_caller = direct_caller_init_default(&m_storage_caller,
- storage_ep);
- struct rpc_interface *crypto_ep = mbed_crypto_provider_init(&m_crypto_provider,
- storage_caller, 0);
+ struct storage_backend *storage_backend = NULL;
+ struct storage_backend *null_storage_backend = null_store_init(&m_null_store);
+ struct rpc_caller *storage_caller = NULL;
+ int status;
+
+ /* Locate and open RPC session with internal-trusted-storage service to provide a persistent keystore */
+ m_storage_service_context = service_locator_query("sn:trustedfirmware.org:internal-trusted-storage:0", &status);
+
+ if (m_storage_service_context) {
+
+ m_storage_session_handle = service_context_open(m_storage_service_context, TS_RPC_ENCODING_PACKED_C, &storage_caller);
+
+ if (m_storage_session_handle) {
+
+ storage_backend = secure_storage_client_init(&m_storage_client, storage_caller);
+ }
+ }
+
+ if (!storage_backend) {
+
+ /* Something has gone wrong with establishing a session with the storage service endpoint */
+ storage_backend = null_storage_backend;
+ }
+
+ /* Initialse the crypto service provider */
+ struct rpc_interface *crypto_ep = mbed_crypto_provider_init(&m_crypto_provider, storage_backend, 0);
 mbed_crypto_provider_register_serializer(&m_crypto_provider, TS_RPC_ENCODING_PROTOBUF, pb_crypto_provider_serializer_instance()); 
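Review bot: The `if (!storage_backend)` fall-back hands the crypto provider a null_store that (per null_store.c in this commit) answers every storage call with PSA_ERROR_STORAGE_FAILURE, yet nothing records why: the `status` written by `service_locator_query` is never read, and a NULL handle from `service_context_open` is indistinguishable from a missing service. Persistent-key operations would then fail at first use with no hint that discovery went wrong, which is exactly the class of bug the commit message says it is fixing. The branch should at least keep the reason visible, e.g. `/* ITS service unavailable (locator status in 'status'): falling back to the null_store, so persistent key operations will fail */`, and `status` should be logged or asserted rather than dropped. The comment `/* Initialse the crypto service provider */` should read `Initialise`.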
@@ -44,7 +64,17 @@ void crypto_service_context::do_init() void crypto_service_context::do_deinit() {
+ if (m_storage_session_handle) {
+ service_context_close(m_storage_service_context, m_storage_session_handle);
+ m_storage_session_handle = NULL;
+ }
+
+ if (m_storage_service_context) {
+ service_context_relinquish(m_storage_service_context);
+ m_storage_service_context = NULL;
+ }
+
 mbed_crypto_provider_deinit(&m_crypto_provider);
- secure_storage_provider_deinit(&m_storage_provider);
- direct_caller_deinit(&m_storage_caller);
+ secure_storage_client_deinit(&m_storage_client);
+ null_store_deinit(&m_null_store);
 }
diff --git a/components/service/locator/standalone/services/crypto/crypto_service_context.h b/components/service/locator/standalone/services/crypto/crypto_service_context.h
index 84360ba3f..8d815b52b 100644
--- a/components/service/locator/standalone/services/crypto/crypto_service_context.h
+++ b/components/service/locator/standalone/services/crypto/crypto_service_context.h
@@ -10,7 +10,8 @@
 #include <service/locator/standalone/standalone_service_context.h>
 #include <rpc/direct/direct_caller.h>
 #include <service/crypto/provider/mbedcrypto/crypto_provider.h>
-#include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <service/secure_storage/backend/null_store/null_store.h>
 class crypto_service_context : public standalone_service_context {
@@ -24,8 +25,10 @@ private: void do_deinit(); struct mbed_crypto_provider m_crypto_provider;
- struct secure_storage_provider m_storage_provider;
- struct direct_caller m_storage_caller;
+ struct secure_storage_client m_storage_client;
+ struct null_store m_null_store;
+ struct service_context *m_storage_service_context;
+ rpc_session_handle m_storage_session_handle;
 };
 #endif /* STANDALONE_CRYPTO_SERVICE_CONTEXT_H */ 
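Review bot: do_deinit tears objects down in construction order rather than reverse: the RPC session is closed and the service context relinquished first, and only afterwards are `mbed_crypto_provider_deinit` and `secure_storage_client_deinit(&m_storage_client)` called, although in do_init the client was built from that session's `storage_caller` and the provider from the client's backend. If either deinit touches the caller (not visible here), this is a use after close; moving the `mbed_crypto_provider_deinit`, `secure_storage_client_deinit` and `null_store_deinit` calls ahead of the `if (m_storage_session_handle)` block restores strict reverse order and costs nothing otherwise. A one-line comment, `/* Tear down in reverse order of do_init: provider, client, then the ITS session */`, would keep the next edit from reintroducing the swap.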
diff --git a/components/service/locator/standalone/services/internal-trusted-storage/component.cmake b/components/service/locator/standalone/services/internal-trusted-storage/component.cmake
new file mode 100644
index 000000000..1e193bab8
--- /dev/null
+++ b/components/service/locator/standalone/services/internal-trusted-storage/component.cmake
@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/its_service_context.cpp"
+ )
+
diff --git a/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.cpp b/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.cpp
new file mode 100644
index 000000000..72cc62ee1
--- /dev/null
+++ b/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.cpp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "its_service_context.h"
+
+its_service_context::its_service_context(const char *sn) :
+ standalone_service_context(sn),
+ m_storage_provider(),
+ m_mock_store()
+{
+
+}
+
+its_service_context::~its_service_context()
+{
+
+}
+
+void its_service_context::do_init()
+{
+ struct storage_backend *storage_backend = mock_store_init(&m_mock_store);
+ struct rpc_interface *storage_ep = secure_storage_provider_init(&m_storage_provider, storage_backend);
+
+ standalone_service_context::set_rpc_interface(storage_ep);
+}
+
+void its_service_context::do_deinit()
+{
+ secure_storage_provider_deinit(&m_storage_provider);
+ mock_store_deinit(&m_mock_store);
+}
diff --git a/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.h b/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.h
new file mode 100644
index 000000000..713e0e914
--- /dev/null
+++ b/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef STANDALONE_ITS_SERVICE_CONTEXT_H
+#define STANDALONE_ITS_SERVICE_CONTEXT_H
+
+#include <service/locator/standalone/standalone_service_context.h>
+#include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+#include <service/secure_storage/backend/mock_store/mock_store.h>
+
+class its_service_context : public standalone_service_context
+{
+public:
+ its_service_context(const char *sn);
+ virtual ~its_service_context();
+
+private:
+
+ void do_init();
+ void do_deinit();
+
+ struct secure_storage_provider m_storage_provider;
+ struct mock_store m_mock_store;
+};
+
+#endif /* STANDALONE_ITS_SERVICE_CONTEXT_H */
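Review bot: its_service_context::do_init passes `storage_ep` straight to `set_rpc_interface` without checking that `mock_store_init` or `secure_storage_provider_init` succeeded; if either can return NULL (their contracts are not visible here), the context is registered with a NULL interface and the failure only surfaces on the first RPC. A guard such as `if (storage_ep) standalone_service_context::set_rpc_interface(storage_ep);`, or an assert, would make the failure local. ps_service_context.cpp in the next file section is a line-for-line copy of this class with the same gap; since the two differ only by name and service string, one shared implementation (or a comment on each stating it is intentionally a mock_store-backed stand-in for test builds) would avoid maintaining two identical copies.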
diff --git a/components/service/crypto/client/test/mock/component.cmake b/components/service/locator/standalone/services/protected-storage/component.cmake
index 8202578c5..ad1a6038d 100644
--- a/components/service/crypto/client/test/mock/component.cmake
+++ b/components/service/locator/standalone/services/protected-storage/component.cmake
@@ -1,5 +1,5 @@
 #-------------------------------------------------------------------------------
-# Copyright (c) 2020, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -9,6 +9,6 @@ if (NOT DEFINED TGT)
 endif()
 target_sources(${TGT} PRIVATE
- "${CMAKE_CURRENT_LIST_DIR}/mock_crypto_client.cpp"
+ "${CMAKE_CURRENT_LIST_DIR}/ps_service_context.cpp"
 )
diff --git a/components/service/locator/standalone/services/protected-storage/ps_service_context.cpp b/components/service/locator/standalone/services/protected-storage/ps_service_context.cpp
new file mode 100644
index 000000000..cda49f64b
--- /dev/null
+++ b/components/service/locator/standalone/services/protected-storage/ps_service_context.cpp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "ps_service_context.h"
+
+ps_service_context::ps_service_context(const char *sn) :
+ standalone_service_context(sn),
+ m_storage_provider(),
+ m_mock_store()
+{
+
+}
+
+ps_service_context::~ps_service_context()
+{
+
+}
+
+void ps_service_context::do_init()
+{
+ struct storage_backend *storage_backend = mock_store_init(&m_mock_store);
+ struct rpc_interface *storage_ep = secure_storage_provider_init(&m_storage_provider, storage_backend);
+
+ standalone_service_context::set_rpc_interface(storage_ep);
+}
+
+void ps_service_context::do_deinit()
+{
+ secure_storage_provider_deinit(&m_storage_provider);
+ mock_store_deinit(&m_mock_store);
+}
diff --git a/components/service/locator/standalone/services/protected-storage/ps_service_context.h b/components/service/locator/standalone/services/protected-storage/ps_service_context.h
new file mode 100644
index 000000000..2e3c46edb
--- /dev/null
+++ b/components/service/locator/standalone/services/protected-storage/ps_service_context.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef STANDALONE_PS_SERVICE_CONTEXT_H
+#define STANDALONE_PS_SERVICE_CONTEXT_H
+
+#include <service/locator/standalone/standalone_service_context.h>
+#include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+#include <service/secure_storage/backend/mock_store/mock_store.h>
+
+class ps_service_context : public standalone_service_context
+{
+public:
+ ps_service_context(const char *sn);
+ virtual ~ps_service_context();
+
+private:
+
+ void do_init();
+ void do_deinit();
+
+ struct secure_storage_provider m_storage_provider;
+ struct mock_store m_mock_store;
+};
+
+#endif /* STANDALONE_PS_SERVICE_CONTEXT_H */
diff --git a/components/service/locator/standalone/standalone_env.cpp b/components/service/locator/standalone/standalone_env.cpp
index 41dd206ab..132b6d56b 100644
--- a/components/service/locator/standalone/standalone_env.cpp
+++ b/components/service/locator/standalone/standalone_env.cpp
@@ -6,6 +6,8 @@
 #include <service_locator.h>
 #include <service/locator/standalone/services/crypto/crypto_service_context.h>
+#include <service/locator/standalone/services/internal-trusted-storage/its_service_context.h>
+#include <service/locator/standalone/services/protected-storage/ps_service_context.h>
 #include <service/locator/standalone/services/test-runner/test_runner_service_context.h>
 #include "standalone_location_strategy.h"
 #include "standalone_service_registry.h"
@@ -15,8 +17,14 @@ void service_locator_envinit(void) static crypto_service_context crypto_context("sn:trustedfirmware.org:crypto:0"); standalone_service_registry::instance()->regsiter_service_instance(&crypto_context);
+ static its_service_context its_service_context("sn:trustedfirmware.org:internal-trusted-storage:0");
+ standalone_service_registry::instance()->regsiter_service_instance(&its_service_context);
+
+ static ps_service_context ps_service_context("sn:trustedfirmware.org:protected-storage:0");
+ standalone_service_registry::instance()->regsiter_service_instance(&ps_service_context);
+
 static test_runner_service_context test_runner_context("sn:trustedfirmware.org:test-runner:0"); standalone_service_registry::instance()->regsiter_service_instance(&test_runner_context); service_locator_register_strategy(standalone_location_strategy());
-}
\ No newline at end of file
+}
diff --git a/components/service/secure_storage/backend/null_store/component.cmake b/components/service/secure_storage/backend/null_store/component.cmake
new file mode 100644
index 000000000..19f88eee3
--- /dev/null
+++ b/components/service/secure_storage/backend/null_store/component.cmake
@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/null_store.c"
+ )
+
diff --git a/components/service/secure_storage/backend/null_store/null_store.c b/components/service/secure_storage/backend/null_store/null_store.c
new file mode 100644
index 000000000..479c58a52
--- /dev/null
+++ b/components/service/secure_storage/backend/null_store/null_store.c
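Review bot: `static its_service_context its_service_context(...)` and `static ps_service_context ps_service_context(...)` give each static the same name as its type, so from that declaration to the end of `service_locator_envinit` the bare identifier names the object rather than the class; it compiles, but it breaks the `crypto_context` / `test_runner_context` naming used beside it and invites confusing errors on the next edit. Suggest `static its_service_context its_context("sn:trustedfirmware.org:internal-trusted-storage:0");` and `static ps_service_context ps_context("sn:trustedfirmware.org:protected-storage:0");` with the matching `regsiter_service_instance(&its_context)` and `regsiter_service_instance(&ps_context)` calls. Separately, crypto_context is registered before the two storage contexts although its do_init queries the locator for `internal-trusted-storage`; if standalone_service_context runs do_init at registration rather than on first open (not visible here), that query would miss and the crypto service would silently take the null_store path, so registering the storage contexts first is the safer order either way. The misspelt `regsiter_service_instance` is pre-existing registry API, not introduced by this hunk.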
@@ -0,0 +1,136 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "null_store.h"
+#include <protocols/service/psa/packed-c/status.h>
+#include <stddef.h>
+
+static psa_status_t null_store_set(void *context,
+ uint32_t client_id,
+ uint64_t uid,
+ size_t data_length,
+ const void *p_data,
+ uint32_t create_flags)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+ (void)data_length;
+ (void)p_data;
+ (void)create_flags;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static psa_status_t null_store_get(void *context,
+ uint32_t client_id,
+ uint64_t uid,
+ size_t data_offset,
+ size_t data_size,
+ void *p_data,
+ size_t *p_data_length)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+ (void)data_offset;
+ (void)data_size;
+ (void)p_data;
+ (void)p_data_length;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static psa_status_t null_store_get_info(void *context,
+ uint32_t client_id,
+ uint64_t uid,
+ struct psa_storage_info_t *p_info)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+ (void)p_info;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static psa_status_t null_store_remove(void *context,
+ uint32_t client_id,
+ uint64_t uid)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static psa_status_t null_store_create(void *context,
+ uint32_t client_id,
+ uint64_t uid,
+ size_t capacity,
+ uint32_t create_flags)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+ (void)capacity;
+ (void)create_flags;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static psa_status_t null_store_set_extended(void *context,
+ uint32_t client_id,
+ uint64_t uid,
+ size_t data_offset,
+ size_t data_length,
+ const void *p_data)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+ (void)data_offset;
+ (void)data_length;
+ (void)p_data;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static uint32_t null_store_get_support(void *context,
+ uint32_t 
client_id)
+{
+ (void)context;
+ (void)client_id;
+
+ return 0;
+}
+
+
+struct storage_backend *null_store_init(struct null_store *context)
+{
+ static const struct storage_backend_interface interface =
+ {
+ null_store_set,
+ null_store_get,
+ null_store_get_info,
+ null_store_remove,
+ null_store_create,
+ null_store_set_extended,
+ null_store_get_support
+ };
+
+ context->backend.context = context;
+ context->backend.interface = &interface;
+
+ return &context->backend;
+}
+
+void null_store_deinit(struct null_store *context)
+{
+ context->backend.context = NULL;
+ context->backend.interface = NULL;
+}
diff --git a/components/service/secure_storage/backend/null_store/null_store.h b/components/service/secure_storage/backend/null_store/null_store.h
new file mode 100644
index 000000000..9da983b0b
--- /dev/null
+++ b/components/service/secure_storage/backend/null_store/null_store.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef NULL_STORE_H
+#define NULL_STORE_H
+
+#include <service/secure_storage/backend/storage_backend.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * The null_store is intended to be used when an error makes
+ * it impossible to initialise a real storage backend. The
+ * null_store provides handlers for the storage_backend
+ * interface but returns an error if any are called. Example
+ * error conditions where the null_store cab used are:
+ * - configuration error leading to a partition discovery failure
+ * - a hardware fault
+ */
+struct null_store
+{
+ struct storage_backend backend;
+};
+
+struct storage_backend *null_store_init(struct null_store *context);
+void null_store_deinit(struct null_store *context);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* NULL_STORE_H */
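Review bot: The `interface` table in null_store_init is initialised positionally, so the binding of each handler depends silently on the field order of `struct storage_backend_interface`; a reordering there would wire, say, `null_store_set` into the get slot without any diagnostic, which is only harmless here because every handler fails identically. The same commit already uses designated initializers (`{ .in_use = false }` in the optee_trusted_store storage_factory.c), so naming each member in this table would make a mismatch a compile error; the field names are not visible in this diff, so I have not quoted them. null_store_deinit also leaves `context->backend.interface` NULL, meaning any caller that still dereferences the backend after deinit crashes rather than getting PSA_ERROR_STORAGE_FAILURE; a comment on the function, `/* The backend must not be used after deinit: its interface pointer is cleared */`, would document that contract. In null_store.h, `where the null_store cab used` should read `where the null_store can be used`.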
diff --git a/components/service/secure_storage/factory/common/sfs/component.cmake b/components/service/secure_storage/factory/common/sfs/component.cmake
new file mode 100644
index 000000000..b06adb56a
--- /dev/null
+++ b/components/service/secure_storage/factory/common/sfs/component.cmake
@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/storage_factory.c"
+ )
+
diff --git a/components/service/secure_storage/factory/common/sfs/storage_factory.c b/components/service/secure_storage/factory/common/sfs/storage_factory.c
new file mode 100644
index 000000000..81f708de5
--- /dev/null
+++ b/components/service/secure_storage/factory/common/sfs/storage_factory.c
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#include <rpc/ffarpc/caller/sp/ffarpc_caller.h>
+#include <protocols/rpc/common/packed-c/status.h>
+#include <service/secure_storage/backend/secure_flash_store/secure_flash_store.h>
+#include <service/secure_storage/factory/storage_factory.h>
+
+/**
+ * \brief Constructs a secure flash store
+ *
+ * Can be used as a storage backend in any environment. However
+ * it doesn't actually provide persistent flash storage without
+ * platform specific hardware.
+ */
+struct storage_backend *storage_factory_create(
+ enum storage_factory_security_class security_class)
+{
+ (void)security_class;
+ return sfs_init();
+}
+
+void storage_factory_destroy(struct storage_backend *backend)
+{
+ (void)backend;
+}
diff --git a/components/service/secure_storage/factory/sp/optee_trusted_store/component.cmake b/components/service/secure_storage/factory/sp/optee_trusted_store/component.cmake
new file mode 100644
index 000000000..b06adb56a
--- /dev/null
+++ b/components/service/secure_storage/factory/sp/optee_trusted_store/component.cmake
@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/storage_factory.c"
+ )
+
diff --git a/components/service/secure_storage/factory/sp/optee_trusted_store/storage_factory.c b/components/service/secure_storage/factory/sp/optee_trusted_store/storage_factory.c
new file mode 100644
index 000000000..5423af685
--- /dev/null
+++ b/components/service/secure_storage/factory/sp/optee_trusted_store/storage_factory.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+/**
+ * A storage factory that creates storage backends that communicate with an
+ * S-EL1 partition to access trusted storage provided by OPTEE. The S-EL1
+ * partition is assumed to host a conventional secure storage provider
+ * that can be accessed using the secure storage access protocol.
+ * Uses a default UUID to discover the S-EL1 partition if no external
+ * configuration overrides this.
+ */
+#include <rpc/ffarpc/caller/sp/ffarpc_caller.h>
+#include <protocols/rpc/common/packed-c/status.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <service/secure_storage/backend/null_store/null_store.h>
+#include <service/secure_storage/factory/storage_factory.h>
+#include <ffa_api.h>
+#include <stdbool.h>
+#include <stddef.h>
+
+/* NOTE: this is the ITS partition UUID - should be changed when S-EL1 SP is ready */
+#define OPTEE_TRUSTED_STORE_UUID_BYTES \
+ { 0xdc, 0x1e, 0xef, 0x48, 0xb1, 0x7a, 0x4c, 0xcf, \
+ 0xac, 0x8b, 0xdf, 0xcf, 0xf7, 0x71, 0x1b, 0x14 }
+
+static const uint8_t default_optee_trusted_store_uuid[] = OPTEE_TRUSTED_STORE_UUID_BYTES;
+
+/* The storage backed specialization constructed by this factory */
+struct optee_trusted_store
+{
+ struct secure_storage_client secure_storage_client;
+ struct ffarpc_caller ffarpc_caller;
+ bool in_use;
+};
+
+/* Only supports construction of a single instance */
+static struct optee_trusted_store backend_instance = { .in_use = false };
+
+/* Used on failure if no association with a storage provider is established */
+static struct null_store null_store;
+
+
+struct storage_backend *storage_factory_create(
+ enum storage_factory_security_class security_class)
+{
+ struct rpc_caller *storage_caller;
+ uint16_t storage_sp_ids[1];
+ struct optee_trusted_store *new_backend = &backend_instance;
+ struct storage_backend *result = NULL;
+
+ if (!new_backend->in_use) {
+
+ storage_caller = ffarpc_caller_init(&new_backend->ffarpc_caller);
+
+ /* Try discovering candidate endpoints in preference order */
+ if (ffarpc_caller_discover(default_optee_trusted_store_uuid, storage_sp_ids,
+ sizeof(storage_sp_ids)/sizeof(uint16_t))) {
+
+ if (ffarpc_caller_open(&new_backend->ffarpc_caller, storage_sp_ids[0], 0) == 0) {
+
+ result = secure_storage_client_init(&new_backend->secure_storage_client,
+ storage_caller);
+ }
+ }
+
+ if (!result) {
+
+ /* Failed to discover or open an RPC session with provider */
+ ffarpc_caller_deinit(&new_backend->ffarpc_caller);
+ }
+
+ new_backend->in_use = (result != NULL);
+ }
+
+ if (!result) {
+
+ /**
+ * Errors during SP initialisation can be difficult to handle so
+ * returns a valid storage_backend, albeit one that just returns
+ * an appropriate status code if any methods are called. This
+ * allows an error to be reported to a requesting client where
+ * it may be easier to handle.
+ */
+ result = null_store_init(&null_store);
+ }
+
+ return result;
+}
+
+void storage_factory_destroy(struct storage_backend *backend)
+{
+ if (backend) {
+
+ secure_storage_client_deinit(&backend_instance.secure_storage_client);
+ ffarpc_caller_deinit(&backend_instance.ffarpc_caller);
+ backend_instance.in_use = false;
+ }
+}
diff --git a/components/service/secure_storage/factory/sp/rot_store/component.cmake b/components/service/secure_storage/factory/sp/rot_store/component.cmake
new file mode 100644
index 000000000..b06adb56a
--- /dev/null
+++ b/components/service/secure_storage/factory/sp/rot_store/component.cmake
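Review bot: `storage_factory_destroy` tears down `backend_instance` whenever `backend` is non-NULL, but on the failure path `storage_factory_create` returns the backend of the static `null_store`, so destroying that fallback runs `secure_storage_client_deinit` and `ffarpc_caller_deinit` on an instance that was never initialised (and a second destroy call repeats the deinit on an already torn-down instance). Keying the teardown on the instance's own state, `if (backend && backend_instance.in_use) {`, makes both the null-store fallback and repeated destroy calls harmless. The same pattern is in the rot_store storage_factory.c hunk. Since the `OPTEE_TRUSTED_STORE_UUID_BYTES` comment says the value is currently the ITS partition UUID, the protected-storage deployment built on this factory forwards to the internal-trusted-storage SP rather than to OP-TEE trusted storage; stating that in the file header would stop the deployment's storage characteristics being misread.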
@@ -0,0 +1,14 @@ +#------------------------------------------------------------------------------- +# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. +# +# SPDX-License-Identifier: BSD-3-Clause +# +#------------------------------------------------------------------------------- +if (NOT DEFINED TGT) + message(FATAL_ERROR "mandatory parameter TGT is not defined.") +endif() + +target_sources(${TGT} PRIVATE + "${CMAKE_CURRENT_LIST_DIR}/storage_factory.c" + ) + diff --git a/components/service/secure_storage/factory/sp/rot_store/storage_factory.c b/components/service/secure_storage/factory/sp/rot_store/storage_factory.c new file mode 100644 index 000000000..9c37d4d03 --- /dev/null +++ b/components/service/secure_storage/factory/sp/rot_store/storage_factory.c 
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+/**
+ * A storage factory that creates storage backends that may be used
+ * to access a secure storage partition from a separate SP within the
+ * device RoT. Defaults to using PSA storage partitions if no runtime
+ * configuration overrides the target service endpoint to use. If multiple
+ * candidate storage SPs are available, the one that matches the
+ * requested storage class is used. The availability of Internal Trusted
+ * and Protected stores will depend on the platform.
+ */
+#include <rpc/ffarpc/caller/sp/ffarpc_caller.h>
+#include <protocols/rpc/common/packed-c/status.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <service/secure_storage/backend/null_store/null_store.h>
+#include <service/secure_storage/factory/storage_factory.h>
+#include <ffa_api.h>
+#include <stdbool.h>
+#include <stddef.h>
+
+/* Defaults to using PSA storage partitions if no external configuration specified */
+#define ITS_STORE_UUID_BYTES \
+ { 0xdc, 0x1e, 0xef, 0x48, 0xb1, 0x7a, 0x4c, 0xcf, \
+ 0xac, 0x8b, 0xdf, 0xcf, 0xf7, 0x71, 0x1b, 0x14 }
+
+#define PS_STORE_UUID_BYTES \
+ { 0x75, 0x1b, 0xf8, 0x01, 0x3d, 0xde, 0x47, 0x68, \
+ 0xa5, 0x14, 0x0f, 0x10, 0xae, 0xed, 0x17, 0x90 }
+
+#define MAX_CANDIDATE_UUIDS (2)
+
+static const uint8_t default_internal_store_uuid[] = ITS_STORE_UUID_BYTES;
+static const uint8_t default_protected_store_uuid[] = PS_STORE_UUID_BYTES;
+
+/* The storage backed specialization constructed by this factory */
+struct rot_store
+{
+ struct secure_storage_client secure_storage_client;
+ struct ffarpc_caller ffarpc_caller;
+ bool in_use;
+};
+
+/* Only supports construction of a single instance */
+static struct rot_store backend_instance = { .in_use = false };
+
+/* Used on failure if no association with a storage provider is established */
+static struct null_store null_store;
+
+static int select_candidate_uuids(const uint8_t *candidates[],
+ int max_candidates,
+ enum storage_factory_security_class security_class);
+
+
+struct storage_backend *storage_factory_create(
+ enum storage_factory_security_class security_class)
+{
+ struct rpc_caller *storage_caller;
+ uint16_t storage_sp_ids[1];
+ struct rot_store *new_backend = &backend_instance;
+ const uint8_t *candidate_uuids[MAX_CANDIDATE_UUIDS];
+ int num_candidate_uuids = select_candidate_uuids(candidate_uuids,
+ MAX_CANDIDATE_UUIDS, security_class);
+
+ struct storage_backend *result = NULL;
+
+ if (num_candidate_uuids && !new_backend->in_use) {
+
+ storage_caller = ffarpc_caller_init(&new_backend->ffarpc_caller);
+
+ for (int i = 0; i < num_candidate_uuids; i++) {
+
+ /* Try discovering candidate endpoints in preference order */
+ if (ffarpc_caller_discover(candidate_uuids[i], storage_sp_ids,
+ sizeof(storage_sp_ids)/sizeof(uint16_t))) {
+
+ if (ffarpc_caller_open(&new_backend->ffarpc_caller, storage_sp_ids[0], 0) == 0) {
+
+ result = secure_storage_client_init(&new_backend->secure_storage_client,
+ storage_caller);
+ }
+
+ break;
+ }
+ }
+
+ if (!result) {
+
+ /* Failed to discover or open an RPC session with provider */
+ ffarpc_caller_deinit(&new_backend->ffarpc_caller);
+ }
+
+ new_backend->in_use = (result != NULL);
+ }
+
+ if (!result) {
+
+ /**
+ * Errors during SP initialisation can be difficult to handle so
+ * returns a valid storage_backend, albeit one that just returns
+ * an appropriate status code if any methods are called. This
+ * allows an error to be reported to a requesting client where
+ * it may be easier to handle.
+ */
+ result = null_store_init(&null_store);
+ }
+
+ return result;
+}
+
+void storage_factory_destroy(struct storage_backend *backend)
+{
+ if (backend) {
+
+ secure_storage_client_deinit(&backend_instance.secure_storage_client);
+ ffarpc_caller_deinit(&backend_instance.ffarpc_caller);
+ backend_instance.in_use = false;
+ }
+}
+
+static int select_candidate_uuids(const uint8_t *candidates[],
+ int max_candidates,
+ enum storage_factory_security_class security_class)
+{
+ /* Runtime configuration not yet supported so fallback to using default UUIDs */
+ int num_candidates = 0;
+
+ if (max_candidates >= 2) {
+
+ if (security_class == storage_factory_security_class_INTERNAL_TRUSTED) {
+
+ candidates[0] = default_internal_store_uuid;
+ candidates[1] = default_protected_store_uuid;
+ }
+ else {
+
+ candidates[0] = default_protected_store_uuid;
+ candidates[1] = default_internal_store_uuid;
+ }
+
+ num_candidates = 2;
+ }
+
+ return num_candidates;
+}
\ No newline at end of file diff --git a/components/service/secure_storage/factory/storage_factory.h b/components/service/secure_storage/factory/storage_factory.h new file mode 100644 index 000000000..a36d0c46b --- /dev/null +++ b/components/service/secure_storage/factory/storage_factory.h 
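Review bot: The `break` in the discovery loop of `storage_factory_create` runs whether or not `ffarpc_caller_open` succeeded, so when the first candidate SP is discovered but the session cannot be opened the second candidate is never tried, which contradicts the "preference order" comment above it. If falling through is intended, move `break;` inside the `== 0` branch after the `secure_storage_client_init` call; if not, reword the comment to say only the first discovered SP is attempted. Separately, `select_candidate_uuids` lists the protected store as the second candidate for an INTERNAL_TRUSTED request, so a caller asking for on-die storage can silently end up on external storage; a trace line when the second candidate is the one used (trace.h is already used by the SPs in this commit) and a sentence in the file header naming that downgrade would let a deployment notice it.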
@@ -0,0 +1,85 @@ +/* + * Copyright (c) 2021, Arm Limited. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + * + */ + +#ifndef STORAGE_FACTORY_H +#define STORAGE_FACTORY_H + +#include <service/secure_storage/backend/storage_backend.h> + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * Defines a common interface for creating storage backends to + * decouple a client from the environment and platform specifics + * of any particular storage backend. Allows new storage backends + * to be added without impacting client implementations. The + * factory method uses PSA storage classifications to allow a + * client to specify the security characteristics of the backend. + * How those security characteristics are realized will depend + * on the secure processing environment and platform. + * + * A concrete storage factory may exploit any of the following + * to influence how the storage backend is constructed: + * - Environment and platform specific factory component used in deployment + * - Runtime configuration e.g. from Device Tree + * - Client specified parameters + */ + +/** + * \brief Security characteristics of created backend + * + * Allows a client to request the security characteristics of + * a constructed backend, using PSA storage classification. How + * well a platform meets the requested security characteristics + * will depend on available hardware features. + */ +enum storage_factory_security_class { + + /** + * On-die or in-package persistent storage + * that is exclusively accessible from secure world. + */ + storage_factory_security_class_INTERNAL_TRUSTED, + + /** + * External persistent storage with security measures + * such as encryption, integrity protection and replay + * protection, based on device root-of-trust trust anchors. 
+ */ + storage_factory_security_class_PROTECTED +}; + +/** + * \brief Factory method to create an initialised storage backend + * + * Should use the correseponding destroy method when the storage backend + * is no longer needed. + * + * \param[in] security_class The requested security class + * + * \return A pointer to the initialised storage_backend or NULL on failure + */ +struct storage_backend *storage_factory_create( + enum storage_factory_security_class security_class); + +/** + * \brief Destroys a created backend + * + * Allows a concrete factory to adopt its own allocation scheme for + * objects used to implement the created backend. + * + * \param[in] backend Storage backend to destroy + */ +void storage_factory_destroy(struct storage_backend *backend); + +#ifdef __cplusplus +} +#endif + +#endif /* STORAGE_FACTORY_H */ diff --git a/components/service/secure_storage/test/service/component.cmake b/components/service/secure_storage/test/service/component.cmake new file mode 100644 index 000000000..02a2b2c32 --- /dev/null +++ b/components/service/secure_storage/test/service/component.cmake @@ -0,0 +1,15 @@ +#------------------------------------------------------------------------------- +# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. +# +# SPDX-License-Identifier: BSD-3-Clause +# +#------------------------------------------------------------------------------- +if (NOT DEFINED TGT) + message(FATAL_ERROR "mandatory parameter TGT is not defined.") +endif() + +target_sources(${TGT} PRIVATE + "${CMAKE_CURRENT_LIST_DIR}/its_service_tests.cpp" + "${CMAKE_CURRENT_LIST_DIR}/ps_service_tests.cpp" + ) + diff --git a/components/service/secure_storage/test/service/its_service_tests.cpp b/components/service/secure_storage/test/service/its_service_tests.cpp new file mode 100644 index 000000000..b976d613a --- /dev/null +++ b/components/service/secure_storage/test/service/its_service_tests.cpp 
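Review bot: The `\return` line of `storage_factory_create` promises NULL on failure, but both SP factories added in this commit return the backend of a static null_store instead, so a caller that checks for NULL (crypto_sp.c does `if (!storage_backend) goto fatal_error;`) cannot distinguish a working backend from the fallback. Either document the fallback here, e.g. `\return A pointer to an initialised storage_backend; a concrete factory may return a fallback backend whose operations fail with a status code instead of NULL`, or require factories to return NULL and let each deployment choose its own fallback. Also `correseponding` in the destroy note should read `corresponding`.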
@@ -0,0 +1,63 @@ +/* + * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include <service/secure_storage/frontend/psa/its/its_frontend.h> +#include <service/secure_storage/frontend/psa/its/test/its_api_tests.h> +#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h> +#include <protocols/rpc/common/packed-c/encoding.h> +#include <service_locator.h> +#include <CppUTest/TestHarness.h> + +/* + * Service-level tests using the PSA Internal Trusted Storage API to + * access the secure storage service with the 'internal-trusted-storage' + * designation. + */ +TEST_GROUP(ItsServiceTests) +{ + void setup() + { + struct rpc_caller *caller; + int status; + + m_rpc_session_handle = NULL; + m_its_service_context = NULL; + + service_locator_init(); + + m_its_service_context = service_locator_query("sn:trustedfirmware.org:internal-trusted-storage:0", &status); + CHECK(m_its_service_context); + + m_rpc_session_handle = service_context_open(m_its_service_context, TS_RPC_ENCODING_PACKED_C, &caller); + CHECK(m_rpc_session_handle); + + struct storage_backend *storage_backend = secure_storage_client_init(&m_storage_client, caller); + + psa_its_frontend_init(storage_backend); + } + + void teardown() + { + psa_its_frontend_init(NULL); + + service_context_close(m_its_service_context, m_rpc_session_handle); + m_rpc_session_handle = NULL; + + service_context_relinquish(m_its_service_context); + m_its_service_context = NULL; + + secure_storage_client_deinit(&m_storage_client); + } + + rpc_session_handle m_rpc_session_handle; + struct service_context *m_its_service_context; + struct secure_storage_client m_storage_client; +}; + +TEST(ItsServiceTests, storeNewItem) +{ + its_api_tests::storeNewItem(); +} 
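Review bot: If either `CHECK` in `setup` fails, CppUTest still runs `teardown`, which then calls `service_context_close` and `service_context_relinquish` with a NULL context and `secure_storage_client_deinit` on a client that was never initialised; whether those calls tolerate that is not visible here. Guarding the teardown steps with `if (m_its_service_context)` and `if (m_rpc_session_handle)` keeps a locator failure from turning into a crash that hides the real assertion message. The result of `secure_storage_client_init` is also passed to `psa_its_frontend_init` unchecked; a `CHECK(storage_backend);` would fail the test at the point of the problem. The same applies to the PsServiceTests setup/teardown hunk.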
diff --git a/components/service/secure_storage/test/service/ps_service_tests.cpp b/components/service/secure_storage/test/service/ps_service_tests.cpp new file mode 100644 index 000000000..fd19f08cc --- /dev/null +++ b/components/service/secure_storage/test/service/ps_service_tests.cpp 
@@ -0,0 +1,77 @@ +/* + * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include <service/secure_storage/frontend/psa/ps/ps_frontend.h> +#include <service/secure_storage/frontend/psa/ps/test/ps_api_tests.h> +#include <service/secure_storage/frontend/psa/its/its_frontend.h> +#include <service/secure_storage/frontend/psa/its/test/its_api_tests.h> +#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h> +#include <protocols/rpc/common/packed-c/encoding.h> +#include <service_locator.h> +#include <CppUTest/TestHarness.h> + +/* + * Service-level tests using the PSA Protected Storage and Internal + * Trusted Storage APIs to access the secure storage service with the + * 'protected-storage' designation. + */ +TEST_GROUP(PsServiceTests) +{ + void setup() + { + struct rpc_caller *caller; + int status; + + m_rpc_session_handle = NULL; + m_its_service_context = NULL; + + service_locator_init(); + + m_its_service_context = service_locator_query("sn:trustedfirmware.org:protected-storage:0", &status); + CHECK(m_its_service_context); + + m_rpc_session_handle = service_context_open(m_its_service_context, TS_RPC_ENCODING_PACKED_C, &caller); + CHECK(m_rpc_session_handle); + + struct storage_backend *storage_backend = secure_storage_client_init(&m_storage_client, caller); + + psa_ps_frontend_init(storage_backend); + psa_its_frontend_init(storage_backend); + } + + void teardown() + { + psa_ps_frontend_init(NULL); + psa_its_frontend_init(NULL); + + service_context_close(m_its_service_context, m_rpc_session_handle); + m_rpc_session_handle = NULL; + + service_context_relinquish(m_its_service_context); + m_its_service_context = NULL; + + secure_storage_client_deinit(&m_storage_client); + } + + rpc_session_handle m_rpc_session_handle; + struct service_context *m_its_service_context; + struct secure_storage_client m_storage_client; +}; + +TEST(PsServiceTests, storeNewItem) +{ + 
its_api_tests::storeNewItem(); +} + +TEST(PsServiceTests, createAndSet) +{ + ps_api_tests::createAndSet(); +} + +TEST(PsServiceTests, createAndSetExtended) +{ + ps_api_tests::createAndSetExtended(); +} diff --git a/deployments/component-test/component-test.cmake b/deployments/component-test/component-test.cmake index 130d82b6f..99a81146d 100644 --- a/deployments/component-test/component-test.cmake +++ b/deployments/component-test/component-test.cmake @@ -36,6 +36,8 @@ add_components( "components/service/locator/test" "components/service/locator/standalone" "components/service/locator/standalone/services/crypto" + "components/service/locator/standalone/services/internal-trusted-storage" + "components/service/locator/standalone/services/protected-storage" "components/service/locator/standalone/services/test-runner" "components/service/crypto/client/cpp" "components/service/crypto/client/cpp/protobuf" @@ -57,6 +59,7 @@ add_components( "components/service/secure_storage/frontend/secure_storage_provider" "components/service/secure_storage/backend/secure_storage_client" "components/service/secure_storage/backend/secure_storage_client/test" + "components/service/secure_storage/backend/null_store" "components/service/secure_storage/backend/mock_store" "components/service/secure_storage/backend/mock_store/test" "components/service/secure_storage/backend/secure_flash_store" diff --git a/deployments/crypto/opteesp/CMakeLists.txt b/deployments/crypto/opteesp/CMakeLists.txt index 108223aeb..f8ed17dd4 100644 --- a/deployments/crypto/opteesp/CMakeLists.txt +++ b/deployments/crypto/opteesp/CMakeLists.txt @@ -42,7 +42,6 @@ add_components(TARGET "crypto-sp" "components/rpc/ffarpc/caller/sp" "components/rpc/common/caller" "components/rpc/common/interface" - "components/rpc/dummy" "components/service/common" "components/service/common/serializer/protobuf" "components/service/common/provider" 
@@ -52,6 +51,8 @@ add_components(TARGET "crypto-sp" "components/service/crypto/provider/serializer/packed-c" "components/service/secure_storage/frontend/psa/its" "components/service/secure_storage/backend/secure_storage_client" + "components/service/secure_storage/backend/null_store" + "components/service/secure_storage/factory/sp/rot_store" "protocols/rpc/common/packed-c" "protocols/service/secure_storage/packed-c" "protocols/service/crypto/protobuf" diff --git a/deployments/crypto/opteesp/crypto_sp.c b/deployments/crypto/opteesp/crypto_sp.c index 2512eee0e..b9c1fb236 100644 --- a/deployments/crypto/opteesp/crypto_sp.c +++ b/deployments/crypto/opteesp/crypto_sp.c @@ -3,10 +3,9 @@ * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. */ -#include <rpc/ffarpc/caller/sp/ffarpc_caller.h> + #include <rpc/ffarpc/endpoint/ffarpc_call_ep.h> -#include <rpc/dummy/dummy_caller.h> -#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h> +#include <service/secure_storage/factory/storage_factory.h> #include <service/crypto/provider/mbedcrypto/crypto_provider.h> #include <service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.h> #include <service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.h> @@ -19,12 +18,7 @@ #include <trace.h> -#define SP_STORAGE_UUID_BYTES \ - { 0xdc, 0x1e, 0xef, 0x48, 0xb1, 0x7a, 0x4c, 0xcf, \ - 0xac, 0x8b, 0xdf, 0xcf, 0xf7, 0x71, 0x1b, 0x14, } - uint16_t own_id = 0; /* !!Needs refactoring as parameter to ffarpc_caller_init */ -static const uint8_t storage_uuid[] = SP_STORAGE_UUID_BYTES; static int sp_init(uint16_t *own_sp_id); 
@@ -34,38 +28,21 @@ void __noreturn sp_main(struct ffa_init_info *init_info) struct mbed_crypto_provider crypto_provider; struct ffa_call_ep ffarpc_call_ep; struct rpc_interface *crypto_iface; - struct ffarpc_caller ffarpc_caller; - struct dummy_caller dummy_caller; - struct rpc_caller *storage_caller; struct ffa_direct_msg req_msg; - uint16_t storage_sp_ids[1]; - - /* Boot */ - (void) init_info; + struct storage_backend *storage_backend; + /* Boot phase */ if (sp_init(&own_id) != 0) goto fatal_error; config_ramstore_init(); sp_config_load(init_info); - /* Establish RPC session with secure storage SP */ - storage_caller = ffarpc_caller_init(&ffarpc_caller); - - if (!ffarpc_caller_discover(storage_uuid, storage_sp_ids, - sizeof(storage_sp_ids)/sizeof(uint16_t)) || - ffarpc_caller_open(&ffarpc_caller, storage_sp_ids[0], 0)) { - /* - * Failed to establish session. To allow the crypto service - * to still be initialized, albeit with no persistent storage, - * initialise a dummy_caller that will safely - * handle rpc requests but will report an error. - */ - storage_caller = dummy_caller_init(&dummy_caller, - TS_RPC_CALL_ACCEPTED, PSA_ERROR_STORAGE_FAILURE); - } + /* Create a storage backend for persistent key storage - prefer ITS */ + storage_backend = storage_factory_create(storage_factory_security_class_INTERNAL_TRUSTED); + if (!storage_backend) goto fatal_error; /* Initialize the crypto service */ - crypto_iface = mbed_crypto_provider_init(&crypto_provider, storage_caller, 0); + crypto_iface = mbed_crypto_provider_init(&crypto_provider, storage_backend, 0); mbed_crypto_provider_register_serializer(&crypto_provider, TS_RPC_ENCODING_PROTOBUF, pb_crypto_provider_serializer_instance()); diff --git a/deployments/secure-storage/opteesp/.gitignore b/deployments/internal-trusted-storage/opteesp/.gitignore index 378eac25d..378eac25d 100644 --- a/deployments/secure-storage/opteesp/.gitignore +++ b/deployments/internal-trusted-storage/opteesp/.gitignore 
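Review bot: `if (!storage_backend) goto fatal_error;` never fires with the rot_store factory this deployment now links, because that factory returns a null_store backend rather than NULL when no storage SP is reachable, so the crypto service boots with key storage that fails on every call and nothing is logged. The removed dummy_caller path had the same silent-fallback behaviour, so this is not a regression, but the comment that explained it was dropped with it; keep the NULL check as a defence for other factories and say so, e.g. `/* rot_store never returns NULL: on failure it hands back a null_store whose calls report an error */`. sp_main continues outside the hunk.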
diff --git a/deployments/secure-storage/opteesp/CMakeLists.txt b/deployments/internal-trusted-storage/opteesp/CMakeLists.txt index 4bcbd17da..af0d932ca 100644 --- a/deployments/secure-storage/opteesp/CMakeLists.txt +++ b/deployments/internal-trusted-storage/opteesp/CMakeLists.txt @@ -8,15 +8,15 @@ cmake_minimum_required(VERSION 3.16) include(../../deployment.cmake REQUIRED) #------------------------------------------------------------------------------- -# The CMakeLists.txt for building the secure-storage deployment for opteesp +# The CMakeLists.txt for building the internal-trusted-storage deployment for opteesp # # Builds the secure storage service provider for running in an SEL0 secure # partition hosted by OPTEE in the role of SPM. #------------------------------------------------------------------------------- include(${TS_ROOT}/environments/opteesp/env.cmake) project(trusted-services LANGUAGES C ASM) -add_executable(secure-storage) -target_include_directories(secure-storage PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}") +add_executable(internal-trusted-storage) +target_include_directories(internal-trusted-storage PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}") set(SP_UUID "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14") @@ -25,10 +25,10 @@ set(SP_DEV_KIT_INC_DIR ${CMAKE_CURRENT_LIST_DIR}) list(APPEND CMAKE_MODULE_PATH "${TS_ROOT}/external/Spdevkit") find_package(Spdevkit COMPONENTS SP_HEADER interface) -sp_dev_kit_configure_linking(TARGET secure-storage DEFINES ARM64=1) -target_link_libraries(secure-storage ${SP_DEV_KIT_LIBRARIES}) +sp_dev_kit_configure_linking(TARGET internal-trusted-storage DEFINES ARM64=1) +target_link_libraries(internal-trusted-storage ${SP_DEV_KIT_LIBRARIES}) -add_components(TARGET "secure-storage" +add_components(TARGET "internal-trusted-storage" BASE_DIR ${TS_ROOT} COMPONENTS components/messaging/ffa/libsp 
@@ -40,27 +40,28 @@ add_components(TARGET "secure-storage" components/service/secure_storage/backend/secure_flash_store components/service/secure_storage/backend/secure_flash_store/flash_fs components/service/secure_storage/backend/secure_flash_store/flash + components/service/secure_storage/factory/common/sfs protocols/rpc/common/packed-c protocols/service/secure_storage/packed-c environments/opteesp ) -target_sources(secure-storage PRIVATE +target_sources(internal-trusted-storage PRIVATE sp.c ) -target_compile_definitions(secure-storage PRIVATE +target_compile_definitions(internal-trusted-storage PRIVATE ARM64=1 ) -target_include_directories(secure-storage PRIVATE +target_include_directories(internal-trusted-storage PRIVATE ${TS_ROOT} ${TS_ROOT}/components - ${TS_ROOT}/deployments/secure-storage/opteesp + ${TS_ROOT}/deployments/internal-trusted-storage/opteesp ) if(CMAKE_C_COMPILER_ID STREQUAL "GNU") - target_compile_options(secure-storage PRIVATE + target_compile_options(internal-trusted-storage PRIVATE -fdiagnostics-show-option -fpic -gdwarf-2 @@ -70,7 +71,7 @@ if(CMAKE_C_COMPILER_ID STREQUAL "GNU") ) # Options for GCC that control linking - target_link_options(secure-storage PRIVATE + target_link_options(internal-trusted-storage PRIVATE -e __sp_entry -fno-lto -nostdlib 
@@ -78,25 +79,25 @@ if(CMAKE_C_COMPILER_ID STREQUAL "GNU") -zmax-page-size=4096 ) # Options directly for LD, these are not understood by GCC - target_link_options(secure-storage PRIVATE + target_link_options(internal-trusted-storage PRIVATE -Wl,--as-needed -Wl,--sort-section=alignment # -Wl,--dynamic-list ${CMAKE_CURRENT_LIST_DIR}/dyn_list ) endif() -compiler_generate_stripped_elf(TARGET secure-storage NAME "${SP_UUID}.stripped.elf" RES STRIPPED_ELF) +compiler_generate_stripped_elf(TARGET internal-trusted-storage NAME "${SP_UUID}.stripped.elf" RES STRIPPED_ELF) ######################################## install if (CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT) set(CMAKE_INSTALL_PREFIX ${CMAKE_BINARY_DIR}/install CACHE PATH "location to install build output to." FORCE) endif() -install(TARGETS secure-storage +install(TARGETS internal-trusted-storage PUBLIC_HEADER DESTINATION ${TS_ENV}/include RUNTIME DESTINATION ${TS_ENV}/bin ) install(FILES ${STRIPPED_ELF} DESTINATION ${TS_ENV}/bin) -set(EXPORT_SP_NAME "secure-storage") +set(EXPORT_SP_NAME "internal-trusted-storage") set(EXPORT_SP_UUID ${SP_UUID}) include(${TS_ROOT}/environments/opteesp/ExportSp.cmake) diff --git a/deployments/secure-storage/opteesp/default_secure-storage.dts.in b/deployments/internal-trusted-storage/opteesp/default_internal-trusted-storage.dts.in index 1a8d6a327..3ce8dd6da 100644 --- a/deployments/secure-storage/opteesp/default_secure-storage.dts.in +++ b/deployments/internal-trusted-storage/opteesp/default_internal-trusted-storage.dts.in @@ -10,7 +10,7 @@ compatible = "arm,ffa-manifest-1.0"; ffa-version = <0x00010000>; /* 31:16 - Major, 15:0 - Minor */ uuid = <@EXPORT_SP_UUID_DT@>; - description = "Secure Storage"; + description = "ITS"; execution-ctx-count = <1>; exception-level = <1>; /* S-EL0 */ execution-state = <0>; /* AArch64 */ 
diff --git a/deployments/secure-storage/opteesp/optee_sp_user_defines.h b/deployments/internal-trusted-storage/opteesp/optee_sp_user_defines.h index e773055c4..e773055c4 100644 --- a/deployments/secure-storage/opteesp/optee_sp_user_defines.h +++ b/deployments/internal-trusted-storage/opteesp/optee_sp_user_defines.h diff --git a/deployments/internal-trusted-storage/opteesp/sp.c b/deployments/internal-trusted-storage/opteesp/sp.c new file mode 100644 index 000000000..626c2d4f6 --- /dev/null +++ b/deployments/internal-trusted-storage/opteesp/sp.c 
@@ -0,0 +1,67 @@ +/* + * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include "sp.h" +#include <ffa_api.h> +#include <components/rpc/common/endpoint/rpc_interface.h> +#include <components/rpc/ffarpc/endpoint/ffarpc_call_ep.h> +#include <components/service/secure_storage/factory/storage_factory.h> +#include <components/service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h> +#include <sp_api.h> +#include <sp_rxtx.h> +#include <trace.h> + +uint16_t own_id = 0; +static uint8_t tx_buffer[4096] __aligned(4096); +static uint8_t rx_buffer[4096] __aligned(4096); + +void sp_main(struct ffa_init_info *init_info) +{ + ffa_result ffa_res; + sp_result sp_res; + struct rpc_interface *secure_storage_iface; + struct ffa_call_ep ffa_call_ep; + struct ffa_direct_msg req_msg; + struct ffa_direct_msg resp_msg; + struct secure_storage_provider secure_storage_provider; + struct storage_backend *storage_backend; + + /* Boot */ + (void) init_info; + + ffa_res = ffa_id_get(&own_id); + if (ffa_res != FFA_OK) { + EMSG("id get error: %d", ffa_res); + } + + sp_res = sp_rxtx_buffer_map(tx_buffer, rx_buffer, sizeof(rx_buffer)); + if (sp_res != SP_RESULT_OK) { + EMSG("rxtx map error: %d", sp_res); + } + + storage_backend = storage_factory_create(storage_factory_security_class_INTERNAL_TRUSTED); + secure_storage_iface = secure_storage_provider_init(&secure_storage_provider, storage_backend); + ffa_call_ep_init(&ffa_call_ep, secure_storage_iface); + + /* End of boot phase */ + ffa_msg_wait(&req_msg); + + while (1) { + if (req_msg.function_id == FFA_MSG_SEND_DIRECT_REQ_32) { + ffa_call_ep_receive(&ffa_call_ep, &req_msg, &resp_msg); + + ffa_msg_send_direct_resp(req_msg.destination_id, + req_msg.source_id, resp_msg.args[0], resp_msg.args[1], + resp_msg.args[2], resp_msg.args[3], resp_msg.args[4], + &req_msg); + } + } +} + +void sp_interrupt_handler(uint32_t interrupt_id) +{ + 
(void)interrupt_id; +} diff --git a/deployments/secure-storage/opteesp/sp.h b/deployments/internal-trusted-storage/opteesp/sp.h index 299c95e9c..5aa76c3c4 100644 --- a/deployments/secure-storage/opteesp/sp.h +++ b/deployments/internal-trusted-storage/opteesp/sp.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2020, Arm Limited and Contributors. All rights reserved. + * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -7,6 +7,7 @@ #ifndef SP_H #define SP_H +/* UUID for the Internal Trusted Store */ #define OPTEE_SP_UUID \ { 0xdc1eef48, 0xb17a, 0x4ccf, \ { 0xac, 0x8b, 0xdf, 0xcf, 0xf7, 0x71, 0x1b, 0x14 } } diff --git a/deployments/libts/linux-pc/CMakeLists.txt b/deployments/libts/linux-pc/CMakeLists.txt index 3378ee3f3..9beecac0c 100644 --- a/deployments/libts/linux-pc/CMakeLists.txt +++ b/deployments/libts/linux-pc/CMakeLists.txt @@ -36,6 +36,8 @@ add_components( "components/service/common/provider" "components/service/locator/standalone" "components/service/locator/standalone/services/crypto" + "components/service/locator/standalone/services/internal-trusted-storage" + "components/service/locator/standalone/services/protected-storage" "components/service/locator/standalone/services/test-runner" "components/service/crypto/provider/mbedcrypto" "components/service/crypto/provider/mbedcrypto/trng_adapter/linux" 
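Review bot: In the message loop of `sp_main`, a message whose `function_id` is not `FFA_MSG_SEND_DIRECT_REQ_32` is never consumed — `req_msg` is only refreshed by `ffa_msg_send_direct_resp` inside the `if` — so the loop spins forever on the same message instead of returning to the scheduler; an `else { ffa_msg_wait(&req_msg); }` branch, or whatever the FF-A API prescribes for an unexpected message, would close that hole. The `ffa_id_get` and `sp_rxtx_buffer_map` failures are logged but execution proceeds into service init, and the result of `storage_factory_create` is passed to `secure_storage_provider_init` unchecked; whether `sfs_init` can return NULL is not visible here, so an `if (!storage_backend) EMSG("storage backend init failed");` would at least be consistent with the other boot-phase checks.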
@@ -44,9 +46,8 @@ add_components( "components/service/secure_storage/frontend/psa/its" "components/service/secure_storage/frontend/secure_storage_provider" "components/service/secure_storage/backend/secure_storage_client" - "components/service/secure_storage/backend/secure_flash_store" - "components/service/secure_storage/backend/secure_flash_store/flash_fs" - "components/service/secure_storage/backend/secure_flash_store/flash" + "components/service/secure_storage/backend/mock_store" + "components/service/secure_storage/backend/null_store" "components/service/test_runner/provider" "components/service/test_runner/provider/serializer/packed-c" "components/service/test_runner/provider/backend/mock" @@ -92,6 +93,13 @@ add_components( COMPONENTS "components/app/test-runner" "components/common/tlv" + "components/service/common" + "components/service/secure_storage/test/service" + "components/service/secure_storage/frontend/psa/its" + "components/service/secure_storage/frontend/psa/its/test" + "components/service/secure_storage/frontend/psa/ps" + "components/service/secure_storage/frontend/psa/ps/test" + "components/service/secure_storage/backend/secure_storage_client" "components/service/crypto/test/service" "components/service/crypto/test/service/protobuf" "components/service/crypto/test/service/packed-c" diff --git a/deployments/protected-storage/opteesp/CMakeLists.txt b/deployments/protected-storage/opteesp/CMakeLists.txt new file mode 100644 index 000000000..c4f0fd5a6 --- /dev/null +++ b/deployments/protected-storage/opteesp/CMakeLists.txt 
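Review bot: The libts linux-pc deployment now links `backend/mock_store` and `backend/null_store` in place of the three `secure_flash_store` components, so PSA ITS/PS calls made through libts on linux-pc are served by the mock store rather than the flash-file-backed store; that is a behavioural change for libts users that the commit description does not mention. A one-line comment next to the swapped entries, e.g. `# linux-pc backs ITS/PS with the mock store; data is not persisted across runs`, would make the intent explicit, assuming mock_store is in-memory as its name suggests.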
@@ -0,0 +1,104 @@ +#------------------------------------------------------------------------------- +# Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. +# +# SPDX-License-Identifier: BSD-3-Clause +# +#------------------------------------------------------------------------------- +cmake_minimum_required(VERSION 3.16) +include(../../deployment.cmake REQUIRED) + +#------------------------------------------------------------------------------- +# The CMakeLists.txt for building the protected-storage deployment for opteesp +# +# Builds the secure storage service provider for running in an SEL0 secure +# partition hosted by OPTEE in the role of SPM. +#------------------------------------------------------------------------------- +include(${TS_ROOT}/environments/opteesp/env.cmake) +project(trusted-services LANGUAGES C ASM) +add_executable(protected-storage) +target_include_directories(protected-storage PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}") +set(SP_UUID "751bf801-3dde-4768-a514-0f10aeed1790") + + +# Include SP DEV KIT interface +set(SP_DEV_KIT_INC_DIR ${CMAKE_CURRENT_LIST_DIR}) +list(APPEND CMAKE_MODULE_PATH "${TS_ROOT}/external/Spdevkit") +find_package(Spdevkit COMPONENTS SP_HEADER interface) + +sp_dev_kit_configure_linking(TARGET protected-storage DEFINES ARM64=1) +target_link_libraries(protected-storage ${SP_DEV_KIT_LIBRARIES}) + +add_components(TARGET "protected-storage" + BASE_DIR ${TS_ROOT} + COMPONENTS + components/messaging/ffa/libsp + components/rpc/ffarpc/endpoint + components/rpc/common/interface + components/rpc/ffarpc/caller/sp + components/rpc/common/caller + components/service/common + components/service/common/provider + components/service/secure_storage/frontend/secure_storage_provider + components/service/secure_storage/backend/secure_storage_client + components/service/secure_storage/backend/null_store + components/service/secure_storage/factory/sp/optee_trusted_store + protocols/rpc/common/packed-c + 
protocols/service/secure_storage/packed-c + environments/opteesp +) + +target_sources(protected-storage PRIVATE + sp.c +) + +target_compile_definitions(protected-storage PRIVATE + ARM64=1 +) + +target_include_directories(protected-storage PRIVATE + ${TS_ROOT} + ${TS_ROOT}/components + ${TS_ROOT}/deployments/protected-storage/opteesp +) + +if(CMAKE_C_COMPILER_ID STREQUAL "GNU") + target_compile_options(protected-storage PRIVATE + -fdiagnostics-show-option + -fpic + -gdwarf-2 + -mstrict-align + -O0 + -std=gnu99 + ) + + # Options for GCC that control linking + target_link_options(protected-storage PRIVATE + -e __sp_entry + -fno-lto + -nostdlib + -pie + -zmax-page-size=4096 + ) + # Options directly for LD, these are not understood by GCC + target_link_options(protected-storage PRIVATE + -Wl,--as-needed + -Wl,--sort-section=alignment + # -Wl,--dynamic-list ${CMAKE_CURRENT_LIST_DIR}/dyn_list + ) +endif() + +compiler_generate_stripped_elf(TARGET protected-storage NAME "${SP_UUID}.stripped.elf" RES STRIPPED_ELF) + +######################################## install +if (CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT) + set(CMAKE_INSTALL_PREFIX ${CMAKE_BINARY_DIR}/install CACHE PATH "location to install build output to." FORCE) +endif() +install(TARGETS protected-storage + PUBLIC_HEADER DESTINATION ${TS_ENV}/include + RUNTIME DESTINATION ${TS_ENV}/bin + ) +install(FILES ${STRIPPED_ELF} DESTINATION ${TS_ENV}/bin) + +set(EXPORT_SP_NAME "protected-storage") +set(EXPORT_SP_UUID ${SP_UUID}) +include(${TS_ROOT}/environments/opteesp/ExportSp.cmake) diff --git a/deployments/protected-storage/opteesp/default_protected-storage.dts.in b/deployments/protected-storage/opteesp/default_protected-storage.dts.in new file mode 100644 index 000000000..1047a4c94 --- /dev/null +++ b/deployments/protected-storage/opteesp/default_protected-storage.dts.in 
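Review bot: The SP UUID set via `set(SP_UUID "751bf801-3dde-4768-a514-0f10aeed1790")` is hand-maintained in three encodings — this string, `OPTEE_SP_UUID` and `SP_UUID_BYTES` in the new `deployments/protected-storage/opteesp/sp.h` — with nothing tying them together, so a future edit to one of them silently desynchronises the manifest UUID from the value compiled into the SP header. A comment on the `set()` line would at least flag the coupling: `# Must match OPTEE_SP_UUID / SP_UUID_BYTES in sp.h (same value, different encodings)`. Separately, `components/service/secure_storage/backend/null_store` is linked into this non-test deployment next to `factory/sp/optee_trusted_store`; if the factory selects it as a fallback when the trusted store cannot be reached, stores would appear to succeed without being persisted, so the component list deserves a comment stating when the null store is used. The `-O0` under the GNU branch looks inherited from the secure-storage deployment rather than a deliberate choice for this SP, which is worth confirming.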
@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+@DTS_TAG@
+
+@DTS_NODE@ {
+ compatible = "arm,ffa-manifest-1.0";
+ ffa-version = <0x00010000>; /* 31:16 - Major, 15:0 - Minor */
+ uuid = <@EXPORT_SP_UUID_DT@>;
+ description = "PS";
+ execution-ctx-count = <1>;
+ exception-level = <1>; /* S-EL0 */
+ execution-state = <0>; /* AArch64 */
+ xlat-granule = <0>; /* 4KiB */
+ messaging-method = <0>; /* Direct messaging only */
+};
diff --git a/deployments/protected-storage/opteesp/optee_sp_user_defines.h b/deployments/protected-storage/opteesp/optee_sp_user_defines.h
new file mode 100644
index 000000000..e773055c4
--- /dev/null
+++ b/deployments/protected-storage/opteesp/optee_sp_user_defines.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2020, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef SP_HEADER_DEFINES_H
+#define SP_HEADER_DEFINES_H
+
+/* To get UUID definition */
+#include "sp.h"
+
+#define OPTEE_SP_FLAGS 0
+
+/* Provisioned stack size */
+#define OPTEE_SP_STACK_SIZE (64 * 1024)
+
+/* Provisioned heap size */
+#define OPTEE_SP_HEAP_SIZE (32 * 1024)
+
+#endif /* SP_HEADER_DEFINES_H */
diff --git a/deployments/secure-storage/opteesp/sp.c b/deployments/protected-storage/opteesp/sp.c
index c3bc94aff..3bf3f1d5f 100644
--- a/deployments/secure-storage/opteesp/sp.c
+++ b/deployments/protected-storage/opteesp/sp.c
@@ -8,7 +8,7 @@
 #include <ffa_api.h>
 #include <components/rpc/common/endpoint/rpc_interface.h>
 #include <components/rpc/ffarpc/endpoint/ffarpc_call_ep.h>
-#include <components/service/secure_storage/backend/secure_flash_store/secure_flash_store.h>
+#include <components/service/secure_storage/factory/storage_factory.h>
 #include <components/service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
 #include <sp_api.h>
 #include <sp_rxtx.h>
@@ -42,7 +42,7 @@ void sp_main(struct ffa_init_info *init_info) EMSG("rxtx map error: %d", sp_res); } - storage_backend = sfs_init(); + storage_backend = storage_factory_create(storage_factory_security_class_PROTECTED); secure_storage_iface = secure_storage_provider_init(&secure_storage_provider, storage_backend); ffa_call_ep_init(&ffa_call_ep, secure_storage_iface); diff --git a/deployments/protected-storage/opteesp/sp.h b/deployments/protected-storage/opteesp/sp.h new file mode 100644 index 000000000..3bb4484ed --- /dev/null +++ b/deployments/protected-storage/opteesp/sp.h @@ -0,0 +1,19 @@ +/* + * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef SP_H +#define SP_H + +/* UUID for the Protected Store */ +#define OPTEE_SP_UUID \ + { 0x751bf801, 0x3dde, 0x4768, \ + { 0xa5, 0x14, 0x0f, 0x10, 0xae, 0xed, 0x17, 0x90 } } + +#define SP_UUID_BYTES \ + { 0x75, 0x1b, 0xf8, 0x01, 0x3d, 0xde, 0x47, 0x68, \ + 0xa5, 0x14, 0x0f, 0x10, 0xae, 0xed, 0x17, 0x90 } + +#endif /* SP_H */ diff --git a/deployments/ts-service-test/ts-service-test.cmake b/deployments/ts-service-test/ts-service-test.cmake index 4bd8c717e..04b02665b 100644 --- a/deployments/ts-service-test/ts-service-test.cmake +++ b/deployments/ts-service-test/ts-service-test.cmake @@ -28,6 +28,7 @@ add_components( BASE_DIR ${TS_ROOT} COMPONENTS "components/common/tlv" + "components/service/common" "components/service/crypto/test/service" "components/service/crypto/test/service/protobuf" "components/service/crypto/test/service/packed-c" 
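Review bot: `storage_backend = storage_factory_create(storage_factory_security_class_PROTECTED)` is handed straight to `secure_storage_provider_init()` without checking for a NULL result, whereas a factory lookup (unlike the old `sfs_init()`) presumably can fail when the backing store cannot be discovered — the commit message itself mentions discovery fixes between SPs. At minimum log the failure before the provider is initialised, in the style already used a few lines above for the rxtx map: `if (!storage_backend) EMSG("failed to create PROTECTED storage backend");`. Whether sp_main should then stop setting up the FF-A endpoint depends on code outside the hunk, since the function starts before it and continues after it. If the internal-trusted-storage sp.c takes the same path, the same check applies there; its hunk is cut off above and not visible here.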
@@ -37,6 +38,12 @@ add_components( "components/service/common/serializer/protobuf" "protocols/service/crypto/protobuf" "protocols/service/crypto/packed-c" + "components/service/secure_storage/test/service" + "components/service/secure_storage/frontend/psa/its" + "components/service/secure_storage/frontend/psa/its/test" + "components/service/secure_storage/frontend/psa/ps" + "components/service/secure_storage/frontend/psa/ps/test" + "components/service/secure_storage/backend/secure_storage_client" ) #------------------------------------------------------------------------------- diff --git a/tools/b-test/test_data.yaml b/tools/b-test/test_data.yaml index 74cf29ebe..06afe8929 100644 --- a/tools/b-test/test_data.yaml +++ b/tools/b-test/test_data.yaml @@ -26,8 +26,8 @@ data: os_id : "GNU/Linux" params: - "-GUnix Makefiles" - - name: "secure-storage-optee-arm" - src: "$TS_ROOT/deployments/secure-storage/opteesp" + - name: "protected-storage-optee-arm" + src: "$TS_ROOT/deployments/protected-storage/opteesp" params: - "-GUnix Makefiles" - "-DSP_DEV_KIT_DIR=$SP_DEV_KIT_DIR" @@ -72,3 +72,9 @@ data: os_id : "GNU/Linux" params: - "-GUnix Makefiles" + - name: "internal-trusted-storage-optee-arm" + src: "$TS_ROOT/deployments/internal-trusted-storage/opteesp" + params: + - "-GUnix Makefiles" + - "-DSP_DEV_KIT_DIR=$SP_DEV_KIT_DIR" + - "-DCMAKE_VERBOSE_MAKEFILE=y" |