authorjulhal01 <julian.hall@arm.com>2021-03-08 13:32:08 +0000
committerGy├Ârgy Szing <gyorgy.szing@arm.com>2021-07-01 12:19:19 +0200
commit3a4207dc7d5be5a4723168b864e6957d526fa5e5 (patch)
tree88ddd84d43535745dd0bea4838d3834e8ddc7026
parent7791cb1c9fa378c9394e77850d7f22cad1dbd043 (diff)
downloadtrusted-services-3a4207dc7d5be5a4723168b864e6957d526fa5e5.tar.gz
Add protected-storage and internal-trusted-storage deployments
Adds SP deployments for protected-storage and internal-trusted-storage, replacing the secure-storage deployment. Includes service-level tests based on PSA ITS and PS APIs. Amended to fix discovery bugs of storage sp from another sp. Signed-off-by: Julian Hall <julian.hall@arm.com> Change-Id: Ia1a8b6b1b694f00034c69b6d03018faa4b2588e6
-rw-r--r--components/service/crypto/client/test/mock/mock_crypto_client.cpp127
-rw-r--r--components/service/crypto/client/test/mock/mock_crypto_client.h49
-rw-r--r--components/service/crypto/client/test/standalone/standalone_crypto_client.cpp11
-rw-r--r--components/service/crypto/client/test/standalone/standalone_crypto_client.h2
-rw-r--r--components/service/crypto/provider/mbedcrypto/crypto_provider.c10
-rw-r--r--components/service/crypto/provider/mbedcrypto/crypto_provider.h5
-rw-r--r--components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp2
-rw-r--r--components/service/locator/linux/ffa/linuxffa_location_strategy.c7
-rw-r--r--components/service/locator/standalone/services/crypto/crypto_service_context.cpp54
-rw-r--r--components/service/locator/standalone/services/crypto/crypto_service_context.h9
-rw-r--r--components/service/locator/standalone/services/internal-trusted-storage/component.cmake14
-rw-r--r--components/service/locator/standalone/services/internal-trusted-storage/its_service_context.cpp34
-rw-r--r--components/service/locator/standalone/services/internal-trusted-storage/its_service_context.h29
-rw-r--r--components/service/locator/standalone/services/protected-storage/component.cmake (renamed from components/service/crypto/client/test/mock/component.cmake)4
-rw-r--r--components/service/locator/standalone/services/protected-storage/ps_service_context.cpp34
-rw-r--r--components/service/locator/standalone/services/protected-storage/ps_service_context.h29
-rw-r--r--components/service/locator/standalone/standalone_env.cpp10
-rw-r--r--components/service/secure_storage/backend/null_store/component.cmake14
-rw-r--r--components/service/secure_storage/backend/null_store/null_store.c136
-rw-r--r--components/service/secure_storage/backend/null_store/null_store.h37
-rw-r--r--components/service/secure_storage/factory/common/sfs/component.cmake14
-rw-r--r--components/service/secure_storage/factory/common/sfs/storage_factory.c30
-rw-r--r--components/service/secure_storage/factory/sp/optee_trusted_store/component.cmake14
-rw-r--r--components/service/secure_storage/factory/sp/optee_trusted_store/storage_factory.c102
-rw-r--r--components/service/secure_storage/factory/sp/rot_store/component.cmake14
-rw-r--r--components/service/secure_storage/factory/sp/rot_store/storage_factory.c149
-rw-r--r--components/service/secure_storage/factory/storage_factory.h85
-rw-r--r--components/service/secure_storage/test/service/component.cmake15
-rw-r--r--components/service/secure_storage/test/service/its_service_tests.cpp63
-rw-r--r--components/service/secure_storage/test/service/ps_service_tests.cpp77
-rw-r--r--deployments/component-test/component-test.cmake3
-rw-r--r--deployments/crypto/opteesp/CMakeLists.txt3
-rw-r--r--deployments/crypto/opteesp/crypto_sp.c39
-rw-r--r--deployments/internal-trusted-storage/opteesp/.gitignore (renamed from deployments/secure-storage/opteesp/.gitignore)0
-rw-r--r--deployments/internal-trusted-storage/opteesp/CMakeLists.txt (renamed from deployments/secure-storage/opteesp/CMakeLists.txt)33
-rw-r--r--deployments/internal-trusted-storage/opteesp/default_internal-trusted-storage.dts.in (renamed from deployments/secure-storage/opteesp/default_secure-storage.dts.in)2
-rw-r--r--deployments/internal-trusted-storage/opteesp/optee_sp_user_defines.h (renamed from deployments/secure-storage/opteesp/optee_sp_user_defines.h)0
-rw-r--r--deployments/internal-trusted-storage/opteesp/sp.c67
-rw-r--r--deployments/internal-trusted-storage/opteesp/sp.h (renamed from deployments/secure-storage/opteesp/sp.h)3
-rw-r--r--deployments/libts/linux-pc/CMakeLists.txt14
-rw-r--r--deployments/protected-storage/opteesp/CMakeLists.txt104
-rw-r--r--deployments/protected-storage/opteesp/default_protected-storage.dts.in19
-rw-r--r--deployments/protected-storage/opteesp/optee_sp_user_defines.h21
-rw-r--r--deployments/protected-storage/opteesp/sp.c (renamed from deployments/secure-storage/opteesp/sp.c)4
-rw-r--r--deployments/protected-storage/opteesp/sp.h19
-rw-r--r--deployments/ts-service-test/ts-service-test.cmake7
-rw-r--r--tools/b-test/test_data.yaml10
47 files changed, 1260 insertions, 268 deletions
diff --git a/components/service/crypto/client/test/mock/mock_crypto_client.cpp b/components/service/crypto/client/test/mock/mock_crypto_client.cpp
deleted file mode 100644
index 96195a8..0000000
--- a/components/service/crypto/client/test/mock/mock_crypto_client.cpp
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-#include "mock_crypto_client.h"
-#include <service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.h>
-#include <service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.h>
-
-mock_crypto_client::mock_crypto_client() :
- test_crypto_client(),
- m_crypto_provider(),
- m_storage_provider(),
- m_crypto_caller(),
- m_storage_caller()
-{
-
-}
-
-mock_crypto_client::~mock_crypto_client()
-{
-
-}
-
-bool mock_crypto_client::init()
-{
- bool should_do = test_crypto_client::init();
-
- if (should_do) {
-
- struct rpc_interface *storage_ep = mock_store_provider_init(&m_storage_provider);
- struct rpc_caller *storage_caller = direct_caller_init_default(&m_storage_caller,
- storage_ep);
-
- struct rpc_interface *crypto_ep = mbed_crypto_provider_init(&m_crypto_provider,
- storage_caller, 0);
- struct rpc_caller *crypto_caller = direct_caller_init_default(&m_crypto_caller,
- crypto_ep);
-
- mbed_crypto_provider_register_serializer(&m_crypto_provider,
- TS_RPC_ENCODING_PROTOBUF, pb_crypto_provider_serializer_instance());
-
- mbed_crypto_provider_register_serializer(&m_crypto_provider,
- TS_RPC_ENCODING_PACKED_C, packedc_crypto_provider_serializer_instance());
-
- rpc_caller_set_encoding_scheme(crypto_caller, TS_RPC_ENCODING_PROTOBUF);
-
- crypto_client::set_caller(crypto_caller);
- }
-
- return should_do;
-}
-
-bool mock_crypto_client::deinit()
-{
- bool should_do = test_crypto_client::deinit();
-
- if (should_do) {
-
- mbed_crypto_provider_deinit(&m_crypto_provider);
- mock_store_provider_deinit(&m_storage_provider);
-
- direct_caller_deinit(&m_storage_caller);
- direct_caller_deinit(&m_crypto_caller);
- }
-
- return should_do;
-}
-
-/* Test Methods */
-bool mock_crypto_client::keystore_reset_is_supported() const
-{
- return true;
-}
-
-void mock_crypto_client::keystore_reset()
-{
- mock_store_reset(&m_storage_provider);
-}
-
-bool mock_crypto_client::keystore_key_exists_is_supported() const
-{
- return true;
-}
-
-bool mock_crypto_client::keystore_key_exists(uint32_t id) const
-{
- return mock_store_exists(&m_storage_provider, id);
-}
-
-bool mock_crypto_client::keystore_keys_held_is_supported() const
-{
- return true;
-}
-
-size_t mock_crypto_client::keystore_keys_held() const
-{
- return mock_store_num_items(&m_storage_provider);
-}
-
-/* Factory for creating mock_crypto_client objects */
-class mock_crypto_client_factory : public test_crypto_client::factory
-{
-public:
- mock_crypto_client_factory() :
- test_crypto_client::factory()
- {
- test_crypto_client::register_factory(this);
- }
-
- ~mock_crypto_client_factory()
- {
- test_crypto_client::deregister_factory(this);
- }
-
- test_crypto_client *create()
- {
- return new mock_crypto_client;
- };
-};
-
-/*
- * Static construction causes this to be registered
- * as the default factory for constructing test_crypto_client objects.
- */
-static mock_crypto_client_factory default_factory;
diff --git a/components/service/crypto/client/test/mock/mock_crypto_client.h b/components/service/crypto/client/test/mock/mock_crypto_client.h
deleted file mode 100644
index 92ee6a9..0000000
--- a/components/service/crypto/client/test/mock/mock_crypto_client.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (c) 2020, Arm Limited and Contributors. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-#ifndef MOCK_CRYPTO_CLIENT_H
-#define MOCK_CRYPTO_CLIENT_H
-
-#include <service/crypto/client/test/test_crypto_client.h>
-#include <rpc/direct/direct_caller.h>
-#include <service/crypto/provider/mbedcrypto/crypto_provider.h>
-#include <service/secure_storage/provider/mock_store/mock_store_provider.h>
-
-/*
- * A specialization of the crypto_client class that extends it to add crypto
- * and storage providers to offer a viable crypto service from a single object.
- * The mock_store storage provider is used for persistent key storage.
- * This is only used for test purposes and should not be used for production
- * deployments. Provides methods used for inspecting service state that
- * support test.
- */
-class mock_crypto_client : public test_crypto_client
-{
-public:
- mock_crypto_client();
- virtual ~mock_crypto_client();
-
- bool init();
- bool deinit();
-
- /* Test support methods */
- bool keystore_reset_is_supported() const;
- void keystore_reset();
-
- bool keystore_key_exists_is_supported() const;
- bool keystore_key_exists(uint32_t id) const;
-
- bool keystore_keys_held_is_supported() const;
- size_t keystore_keys_held() const;
-
-private:
- struct mbed_crypto_provider m_crypto_provider;
- struct mock_store_provider m_storage_provider;
- struct direct_caller m_crypto_caller;
- struct direct_caller m_storage_caller;
-};
-
-#endif /* MOCK_CRYPTO_CLIENT_H */
diff --git a/components/service/crypto/client/test/standalone/standalone_crypto_client.cpp b/components/service/crypto/client/test/standalone/standalone_crypto_client.cpp
index c57cbba..56d20c5 100644
--- a/components/service/crypto/client/test/standalone/standalone_crypto_client.cpp
+++ b/components/service/crypto/client/test/standalone/standalone_crypto_client.cpp
@@ -15,6 +15,7 @@ standalone_crypto_client::standalone_crypto_client() :
test_crypto_client(),
m_crypto_provider(),
m_storage_provider(),
+ m_storage_client(),
m_crypto_caller(),
m_storage_caller(),
m_dummy_storage_caller()
@@ -54,10 +55,13 @@ bool standalone_crypto_client::init()
TS_RPC_CALL_ACCEPTED, PSA_ERROR_STORAGE_FAILURE);
}
+ struct storage_backend *client_storage_backend = secure_storage_client_init(&m_storage_client,
+ storage_caller);
+
struct rpc_interface *crypto_ep = mbed_crypto_provider_init(&m_crypto_provider,
- storage_caller, 0);
- struct rpc_caller *crypto_caller = direct_caller_init_default(&m_crypto_caller,
- crypto_ep);
+ client_storage_backend, 0);
+
+ struct rpc_caller *crypto_caller = direct_caller_init_default(&m_crypto_caller, crypto_ep);
mbed_crypto_provider_register_serializer(&m_crypto_provider,
TS_RPC_ENCODING_PROTOBUF, pb_crypto_provider_serializer_instance());
@@ -81,6 +85,7 @@ bool standalone_crypto_client::deinit()
mbed_crypto_provider_deinit(&m_crypto_provider);
secure_storage_provider_deinit(&m_storage_provider);
+ secure_storage_client_deinit(&m_storage_client);
direct_caller_deinit(&m_storage_caller);
direct_caller_deinit(&m_crypto_caller);
diff --git a/components/service/crypto/client/test/standalone/standalone_crypto_client.h b/components/service/crypto/client/test/standalone/standalone_crypto_client.h
index 8f156b0..1093a10 100644
--- a/components/service/crypto/client/test/standalone/standalone_crypto_client.h
+++ b/components/service/crypto/client/test/standalone/standalone_crypto_client.h
@@ -12,6 +12,7 @@
#include <rpc/dummy/dummy_caller.h>
#include <service/crypto/provider/mbedcrypto/crypto_provider.h>
#include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
/*
* A specialization of the crypto_client class that extends it to add crypto
@@ -44,6 +45,7 @@ private:
struct mbed_crypto_provider m_crypto_provider;
struct secure_storage_provider m_storage_provider;
+ struct secure_storage_client m_storage_client;
struct direct_caller m_crypto_caller;
struct direct_caller m_storage_caller;
struct dummy_caller m_dummy_storage_caller;
diff --git a/components/service/crypto/provider/mbedcrypto/crypto_provider.c b/components/service/crypto/provider/mbedcrypto/crypto_provider.c
index b0f8be3..03e0ef1 100644
--- a/components/service/crypto/provider/mbedcrypto/crypto_provider.c
+++ b/components/service/crypto/provider/mbedcrypto/crypto_provider.c
@@ -45,7 +45,7 @@ static const struct service_handler handler_table[] = {
};
struct rpc_interface *mbed_crypto_provider_init(struct mbed_crypto_provider *context,
- struct rpc_caller *storage_caller,
+ struct storage_backend *storage_backend,
int trng_instance)
{
struct rpc_interface *rpc_interface = NULL;
@@ -57,7 +57,7 @@ struct rpc_interface *mbed_crypto_provider_init(struct mbed_crypto_provider *con
* is a mandatory feature of the crypto service, insist on a storage
* provider being available.
*/
- if (context && storage_caller) {
+ if (context && storage_backend) {
for (size_t encoding = 0; encoding < TS_RPC_ENCODING_LIMIT; ++encoding)
context->serializers[encoding] = NULL;
@@ -65,11 +65,7 @@ struct rpc_interface *mbed_crypto_provider_init(struct mbed_crypto_provider *con
service_provider_init(&context->base_provider, context,
handler_table, sizeof(handler_table)/sizeof(struct service_handler));
- struct storage_backend *storage_backend =
- secure_storage_client_init(&context->secure_storage_client, storage_caller);
-
- if (storage_backend &&
- (psa_its_frontend_init(storage_backend) == PSA_SUCCESS) &&
+ if ((psa_its_frontend_init(storage_backend) == PSA_SUCCESS) &&
(psa_crypto_init() == PSA_SUCCESS)) {
rpc_interface = service_provider_get_rpc_interface(&context->base_provider);
diff --git a/components/service/crypto/provider/mbedcrypto/crypto_provider.h b/components/service/crypto/provider/mbedcrypto/crypto_provider.h
index 1f69396..3c0f8d8 100644
--- a/components/service/crypto/provider/mbedcrypto/crypto_provider.h
+++ b/components/service/crypto/provider/mbedcrypto/crypto_provider.h
@@ -10,7 +10,7 @@
#include <rpc/common/endpoint/rpc_interface.h>
#include <service/common/provider/service_provider.h>
#include <service/crypto/provider/serializer/crypto_provider_serializer.h>
-#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <service/secure_storage/backend/storage_backend.h>
#include <protocols/rpc/common/packed-c/encoding.h>
#ifdef __cplusplus
@@ -21,7 +21,6 @@ struct mbed_crypto_provider
{
struct service_provider base_provider;
const struct crypto_provider_serializer *serializers[TS_RPC_ENCODING_LIMIT];
- struct secure_storage_client secure_storage_client;
};
/*
@@ -31,7 +30,7 @@ struct mbed_crypto_provider
* backend.
*/
struct rpc_interface *mbed_crypto_provider_init(struct mbed_crypto_provider *context,
- struct rpc_caller *storage_caller,
+ struct storage_backend *storage_backend,
int trng_instance);
/*
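Review bot: The new `storage_backend` parameter moves ownership of the storage backend from the provider to the caller (the embedded `secure_storage_client` member is removed in the hunk above), but the header comment does not state the lifetime requirement. I would add to the comment above the prototype: `The storage_backend is borrowed, not owned: the caller must keep it valid until mbed_crypto_provider_deinit() has been called.` Whether the pointer is retained after init is not visible here, since crypto_provider.c only hands it to `psa_its_frontend_init`, so the wording should be confirmed against that function. The comment being extended starts above this hunk.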
diff --git a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
index 132bbc8..a6cbe31 100644
--- a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
+++ b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
@@ -11,7 +11,7 @@
#include <CppUTest/TestHarness.h>
/*
- * Service-level tests that use the Protobuf access protocol serialization
+ * Service-level tests that use the packed-c access protocol serialization
*/
TEST_GROUP(CryptoServicePackedcTests)
{
diff --git a/components/service/locator/linux/ffa/linuxffa_location_strategy.c b/components/service/locator/linux/ffa/linuxffa_location_strategy.c
index 21468a9..2469e86 100644
--- a/components/service/locator/linux/ffa/linuxffa_location_strategy.c
+++ b/components/service/locator/linux/ffa/linuxffa_location_strategy.c
@@ -88,9 +88,10 @@ static size_t suggest_tf_org_partition_uuids(const char *sn, struct uuid_canonic
}
partition_lookup[] =
{
- {"crypto", "d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0"},
- {"secure-storage", "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14"},
- {"test-runner", "33c75baf-ac6a-4fe4-8ac7-e9909bee2d17"},
+ {"crypto", "d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0"},
+ {"internal-trusted-storage", "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14"},
+ {"protected-storage", "751bf801-3dde-4768-a514-0f10aeed1790"},
+ {"test-runner", "33c75baf-ac6a-4fe4-8ac7-e9909bee2d17"},
{NULL, NULL}
};
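Review bot: The `internal-trusted-storage` entry takes over the UUID that `secure-storage` used, and the old name is dropped, with nothing in the table recording that. A client that still asks for the `secure-storage` service name will get no match from `partition_lookup`; how a miss is handled is outside the hunk. A one-line comment above the entry, e.g. `/* internal-trusted-storage keeps the UUID of the former secure-storage SP */`, would document the partition identity reuse for anyone auditing which SP a UUID refers to.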
diff --git a/components/service/locator/standalone/services/crypto/crypto_service_context.cpp b/components/service/locator/standalone/services/crypto/crypto_service_context.cpp
index 07829e2..2679ee3 100644
--- a/components/service/locator/standalone/services/crypto/crypto_service_context.cpp
+++ b/components/service/locator/standalone/services/crypto/crypto_service_context.cpp
@@ -7,13 +7,14 @@
#include "crypto_service_context.h"
#include <service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.h>
#include <service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.h>
-#include <service/secure_storage/backend/secure_flash_store/secure_flash_store.h>
crypto_service_context::crypto_service_context(const char *sn) :
standalone_service_context(sn),
m_crypto_provider(),
- m_storage_provider(),
- m_storage_caller()
+ m_storage_client(),
+ m_null_store(),
+ m_storage_service_context(NULL),
+ m_storage_session_handle(NULL)
{
}
@@ -25,13 +26,32 @@ crypto_service_context::~crypto_service_context()
void crypto_service_context::do_init()
{
- struct storage_backend *storage_backend = sfs_init();
- struct rpc_interface *storage_ep = secure_storage_provider_init(&m_storage_provider,
- storage_backend);
- struct rpc_caller *storage_caller = direct_caller_init_default(&m_storage_caller,
- storage_ep);
- struct rpc_interface *crypto_ep = mbed_crypto_provider_init(&m_crypto_provider,
- storage_caller, 0);
+ struct storage_backend *storage_backend = NULL;
+ struct storage_backend *null_storage_backend = null_store_init(&m_null_store);
+ struct rpc_caller *storage_caller = NULL;
+ int status;
+
+ /* Locate and open RPC session with internal-trusted-storage service to provide a persistent keystore */
+ m_storage_service_context = service_locator_query("sn:trustedfirmware.org:internal-trusted-storage:0", &status);
+
+ if (m_storage_service_context) {
+
+ m_storage_session_handle = service_context_open(m_storage_service_context, TS_RPC_ENCODING_PACKED_C, &storage_caller);
+
+ if (m_storage_session_handle) {
+
+ storage_backend = secure_storage_client_init(&m_storage_client, storage_caller);
+ }
+ }
+
+ if (!storage_backend) {
+
+ /* Something has gone wrong with establishing a session with the storage service endpoint */
+ storage_backend = null_storage_backend;
+ }
+
+ /* Initialse the crypto service provider */
+ struct rpc_interface *crypto_ep = mbed_crypto_provider_init(&m_crypto_provider, storage_backend, 0);
mbed_crypto_provider_register_serializer(&m_crypto_provider,
TS_RPC_ENCODING_PROTOBUF, pb_crypto_provider_serializer_instance());
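Review bot: The fallback to `null_storage_backend` is silent: when `service_locator_query` or `service_context_open` fails, the `status` written by the locator is never read and nothing records that the keystore is unavailable. The null_store added in this commit returns PSA_ERROR_STORAGE_FAILURE from every operation, so this fails closed, but the crypto service still comes up and the cause of later persistent-key failures is not observable. At minimum I would keep the locator status and make the fallback branch say what follows from it, e.g. `/* Storage service unavailable (see status): persistent key operations will return PSA_ERROR_STORAGE_FAILURE */`. The comment `Initialse the crypto service provider` should read `Initialise`. do_init continues below this hunk.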
@@ -44,7 +64,17 @@ void crypto_service_context::do_init()
void crypto_service_context::do_deinit()
{
+ if (m_storage_session_handle) {
+ service_context_close(m_storage_service_context, m_storage_session_handle);
+ m_storage_session_handle = NULL;
+ }
+
+ if (m_storage_service_context) {
+ service_context_relinquish(m_storage_service_context);
+ m_storage_service_context = NULL;
+ }
+
mbed_crypto_provider_deinit(&m_crypto_provider);
- secure_storage_provider_deinit(&m_storage_provider);
- direct_caller_deinit(&m_storage_caller);
+ secure_storage_client_deinit(&m_storage_client);
+ null_store_deinit(&m_null_store);
}
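Review bot: Teardown in `do_deinit` does not mirror `do_init`: the storage session is closed and the service context relinquished before `mbed_crypto_provider_deinit` and `secure_storage_client_deinit` run, so the provider and the client are still wired to a caller whose session has already gone. If either deinit touches storage (not visible in this diff), it would go through a closed session. Moving the `service_context_close` and `service_context_relinquish` blocks after `secure_storage_client_deinit(&m_storage_client);` keeps the order the reverse of initialisation. `secure_storage_client_deinit` is also reached when the fallback path never called `secure_storage_client_init`, which relies on deinit being safe on a value-initialised struct and is worth confirming.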
diff --git a/components/service/locator/standalone/services/crypto/crypto_service_context.h b/components/service/locator/standalone/services/crypto/crypto_service_context.h
index 84360ba..8d815b5 100644
--- a/components/service/locator/standalone/services/crypto/crypto_service_context.h
+++ b/components/service/locator/standalone/services/crypto/crypto_service_context.h
@@ -10,7 +10,8 @@
#include <service/locator/standalone/standalone_service_context.h>
#include <rpc/direct/direct_caller.h>
#include <service/crypto/provider/mbedcrypto/crypto_provider.h>
-#include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <service/secure_storage/backend/null_store/null_store.h>
class crypto_service_context : public standalone_service_context
{
@@ -24,8 +25,10 @@ private:
void do_deinit();
struct mbed_crypto_provider m_crypto_provider;
- struct secure_storage_provider m_storage_provider;
- struct direct_caller m_storage_caller;
+ struct secure_storage_client m_storage_client;
+ struct null_store m_null_store;
+ struct service_context *m_storage_service_context;
+ rpc_session_handle m_storage_session_handle;
};
#endif /* STANDALONE_CRYPTO_SERVICE_CONTEXT_H */
diff --git a/components/service/locator/standalone/services/internal-trusted-storage/component.cmake b/components/service/locator/standalone/services/internal-trusted-storage/component.cmake
new file mode 100644
index 0000000..1e193ba
--- /dev/null
+++ b/components/service/locator/standalone/services/internal-trusted-storage/component.cmake
@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/its_service_context.cpp"
+ )
+
diff --git a/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.cpp b/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.cpp
new file mode 100644
index 0000000..72cc62e
--- /dev/null
+++ b/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.cpp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "its_service_context.h"
+
+its_service_context::its_service_context(const char *sn) :
+ standalone_service_context(sn),
+ m_storage_provider(),
+ m_mock_store()
+{
+
+}
+
+its_service_context::~its_service_context()
+{
+
+}
+
+void its_service_context::do_init()
+{
+ struct storage_backend *storage_backend = mock_store_init(&m_mock_store);
+ struct rpc_interface *storage_ep = secure_storage_provider_init(&m_storage_provider, storage_backend);
+
+ standalone_service_context::set_rpc_interface(storage_ep);
+}
+
+void its_service_context::do_deinit()
+{
+ secure_storage_provider_deinit(&m_storage_provider);
+ mock_store_deinit(&m_mock_store);
+}
diff --git a/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.h b/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.h
new file mode 100644
index 0000000..713e0e9
--- /dev/null
+++ b/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef STANDALONE_ITS_SERVICE_CONTEXT_H
+#define STANDALONE_ITS_SERVICE_CONTEXT_H
+
+#include <service/locator/standalone/standalone_service_context.h>
+#include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+#include <service/secure_storage/backend/mock_store/mock_store.h>
+
+class its_service_context : public standalone_service_context
+{
+public:
+ its_service_context(const char *sn);
+ virtual ~its_service_context();
+
+private:
+
+ void do_init();
+ void do_deinit();
+
+ struct secure_storage_provider m_storage_provider;
+ struct mock_store m_mock_store;
+};
+
+#endif /* STANDALONE_ITS_SERVICE_CONTEXT_H */
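Review bot: `its_service_context` has no comment saying that this ITS service is backed by `mock_store`, whereas the deleted mock_crypto_client.h carried an explicit "only used for test purposes and should not be used for production deployments" warning. The context is registered under the real service name `sn:trustedfirmware.org:internal-trusted-storage:0`, so I would restore that warning as a class comment, e.g. `/* Standalone ITS service context backed by mock_store. Test use only; not a production storage backend. */`. The same applies to ps_service_context.h. The single-argument constructor could also be marked `explicit`, and `do_init` in its_service_context.cpp passes the results of `mock_store_init` and `secure_storage_provider_init` on without checking them.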
diff --git a/components/service/crypto/client/test/mock/component.cmake b/components/service/locator/standalone/services/protected-storage/component.cmake
index 8202578..ad1a603 100644
--- a/components/service/crypto/client/test/mock/component.cmake
+++ b/components/service/locator/standalone/services/protected-storage/component.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2020, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -9,6 +9,6 @@ if (NOT DEFINED TGT)
endif()
target_sources(${TGT} PRIVATE
- "${CMAKE_CURRENT_LIST_DIR}/mock_crypto_client.cpp"
+ "${CMAKE_CURRENT_LIST_DIR}/ps_service_context.cpp"
)
diff --git a/components/service/locator/standalone/services/protected-storage/ps_service_context.cpp b/components/service/locator/standalone/services/protected-storage/ps_service_context.cpp
new file mode 100644
index 0000000..cda49f6
--- /dev/null
+++ b/components/service/locator/standalone/services/protected-storage/ps_service_context.cpp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "ps_service_context.h"
+
+ps_service_context::ps_service_context(const char *sn) :
+ standalone_service_context(sn),
+ m_storage_provider(),
+ m_mock_store()
+{
+
+}
+
+ps_service_context::~ps_service_context()
+{
+
+}
+
+void ps_service_context::do_init()
+{
+ struct storage_backend *storage_backend = mock_store_init(&m_mock_store);
+ struct rpc_interface *storage_ep = secure_storage_provider_init(&m_storage_provider, storage_backend);
+
+ standalone_service_context::set_rpc_interface(storage_ep);
+}
+
+void ps_service_context::do_deinit()
+{
+ secure_storage_provider_deinit(&m_storage_provider);
+ mock_store_deinit(&m_mock_store);
+}
diff --git a/components/service/locator/standalone/services/protected-storage/ps_service_context.h b/components/service/locator/standalone/services/protected-storage/ps_service_context.h
new file mode 100644
index 0000000..2e3c46e
--- /dev/null
+++ b/components/service/locator/standalone/services/protected-storage/ps_service_context.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef STANDALONE_PS_SERVICE_CONTEXT_H
+#define STANDALONE_PS_SERVICE_CONTEXT_H
+
+#include <service/locator/standalone/standalone_service_context.h>
+#include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+#include <service/secure_storage/backend/mock_store/mock_store.h>
+
+class ps_service_context : public standalone_service_context
+{
+public:
+ ps_service_context(const char *sn);
+ virtual ~ps_service_context();
+
+private:
+
+ void do_init();
+ void do_deinit();
+
+ struct secure_storage_provider m_storage_provider;
+ struct mock_store m_mock_store;
+};
+
+#endif /* STANDALONE_PS_SERVICE_CONTEXT_H */
diff --git a/components/service/locator/standalone/standalone_env.cpp b/components/service/locator/standalone/standalone_env.cpp
index 41dd206..132b6d5 100644
--- a/components/service/locator/standalone/standalone_env.cpp
+++ b/components/service/locator/standalone/standalone_env.cpp
@@ -6,6 +6,8 @@
#include <service_locator.h>
#include <service/locator/standalone/services/crypto/crypto_service_context.h>
+#include <service/locator/standalone/services/internal-trusted-storage/its_service_context.h>
+#include <service/locator/standalone/services/protected-storage/ps_service_context.h>
#include <service/locator/standalone/services/test-runner/test_runner_service_context.h>
#include "standalone_location_strategy.h"
#include "standalone_service_registry.h"
@@ -15,8 +17,14 @@ void service_locator_envinit(void)
static crypto_service_context crypto_context("sn:trustedfirmware.org:crypto:0");
standalone_service_registry::instance()->regsiter_service_instance(&crypto_context);
+ static its_service_context its_service_context("sn:trustedfirmware.org:internal-trusted-storage:0");
+ standalone_service_registry::instance()->regsiter_service_instance(&its_service_context);
+
+ static ps_service_context ps_service_context("sn:trustedfirmware.org:protected-storage:0");
+ standalone_service_registry::instance()->regsiter_service_instance(&ps_service_context);
+
static test_runner_service_context test_runner_context("sn:trustedfirmware.org:test-runner:0");
standalone_service_registry::instance()->regsiter_service_instance(&test_runner_context);
service_locator_register_strategy(standalone_location_strategy());
-} \ No newline at end of file
+}
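Review bot: The two new statics are named exactly like their classes (`its_service_context its_service_context(...)` and `ps_service_context ps_service_context(...)`), which hides each class name for the rest of `service_locator_envinit` and departs from the `crypto_context` / `test_runner_context` naming used beside them. Renaming them to `its_context` and `ps_context`, and updating the two `regsiter_service_instance` arguments to match, avoids the shadowing. The function starts above this hunk.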
diff --git a/components/service/secure_storage/backend/null_store/component.cmake b/components/service/secure_storage/backend/null_store/component.cmake
new file mode 100644
index 0000000..19f88ee
--- /dev/null
+++ b/components/service/secure_storage/backend/null_store/component.cmake
@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/null_store.c"
+ )
+
diff --git a/components/service/secure_storage/backend/null_store/null_store.c b/components/service/secure_storage/backend/null_store/null_store.c
new file mode 100644
index 0000000..479c58a
--- /dev/null
+++ b/components/service/secure_storage/backend/null_store/null_store.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "null_store.h"
+#include <protocols/service/psa/packed-c/status.h>
+#include <stddef.h>
+
+static psa_status_t null_store_set(void *context,
+ uint32_t client_id,
+ uint64_t uid,
+ size_t data_length,
+ const void *p_data,
+ uint32_t create_flags)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+ (void)data_length;
+ (void)p_data;
+ (void)create_flags;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static psa_status_t null_store_get(void *context,
+ uint32_t client_id,
+ uint64_t uid,
+ size_t data_offset,
+ size_t data_size,
+ void *p_data,
+ size_t *p_data_length)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+ (void)data_offset;
+ (void)data_size;
+ (void)p_data;
+ (void)p_data_length;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static psa_status_t null_store_get_info(void *context,
+ uint32_t client_id,
+ uint64_t uid,
+ struct psa_storage_info_t *p_info)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+ (void)p_info;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static psa_status_t null_store_remove(void *context,
+ uint32_t client_id,
+ uint64_t uid)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static psa_status_t null_store_create(void *context,
+ uint32_t client_id,
+ uint64_t uid,
+ size_t capacity,
+ uint32_t create_flags)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+ (void)capacity;
+ (void)create_flags;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static psa_status_t null_store_set_extended(void *context,
+ uint32_t client_id,
+ uint64_t uid,
+ size_t data_offset,
+ size_t data_length,
+ const void *p_data)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+ (void)data_offset;
+ (void)data_length;
+ (void)p_data;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static uint32_t null_store_get_support(void *context,
+ uint32_t client_id)
+{
+ (void)context;
+ (void)client_id;
+
+ return 0;
+}
+
+
+struct storage_backend *null_store_init(struct null_store *context)
+{
+ static const struct storage_backend_interface interface =
+ {
+ null_store_set,
+ null_store_get,
+ null_store_get_info,
+ null_store_remove,
+ null_store_create,
+ null_store_set_extended,
+ null_store_get_support
+ };
+
+ context->backend.context = context;
+ context->backend.interface = &interface;
+
+ return &context->backend;
+}
+
+void null_store_deinit(struct null_store *context)
+{
+ context->backend.context = NULL;
+ context->backend.interface = NULL;
+}
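Review bot: `null_store_get` returns PSA_ERROR_STORAGE_FAILURE without writing `*p_data_length`, and `null_store_get_info` leaves `*p_info` untouched, so a caller that reads the outputs before checking the status sees stale or uninitialised values. Setting the length on the failure path, `if (p_data_length) *p_data_length = 0;`, makes the stub safe against that at no cost. The `interface` table in `null_store_init` is filled positionally, so a reordering of `storage_backend_interface` would silently mismatch handlers; designated initialisers would prevent that (the member names are not visible in this diff). `null_store_init` and `null_store_deinit` also dereference `context` without a NULL check.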
diff --git a/components/service/secure_storage/backend/null_store/null_store.h b/components/service/secure_storage/backend/null_store/null_store.h
new file mode 100644
index 0000000..9da983b
--- /dev/null
+++ b/components/service/secure_storage/backend/null_store/null_store.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef NULL_STORE_H
+#define NULL_STORE_H
+
+#include <service/secure_storage/backend/storage_backend.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * The null_store is intended to be used when an error makes
+ * it impossible to initialise a real storage backend. The
+ * null_store provides handlers for the storage_backend
+ * interface but returns an error if any are called. Example
+ * error conditions where the null_store cab used are:
+ * - configuration error leading to a partition discovery failure
+ * - a hardware fault
+ */
+struct null_store
+{
+ struct storage_backend backend;
+};
+
+struct storage_backend *null_store_init(struct null_store *context);
+void null_store_deinit(struct null_store *context);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* NULL_STORE_H */
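Review bot: The comment on struct null_store contains a typo, "cab used are", which should read `can be used are`, and the two prototypes below it have no documentation. I would add a short comment on null_store_init stating that it `returns &context->backend, a storage_backend whose operations all return PSA_ERROR_STORAGE_FAILURE`, which is what the visible part of null_store.c implements (get_support returns 0). Stating that in the header lets a factory or caller recognise the fallback without reading the implementation.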
diff --git a/components/service/secure_storage/factory/common/sfs/component.cmake b/components/service/secure_storage/factory/common/sfs/component.cmake
new file mode 100644
index 0000000..b06adb5
--- /dev/null
+++ b/components/service/secure_storage/factory/common/sfs/component.cmake
@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/storage_factory.c"
+ )
+
diff --git a/components/service/secure_storage/factory/common/sfs/storage_factory.c b/components/service/secure_storage/factory/common/sfs/storage_factory.c
new file mode 100644
index 0000000..81f708d
--- /dev/null
+++ b/components/service/secure_storage/factory/common/sfs/storage_factory.c
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#include <rpc/ffarpc/caller/sp/ffarpc_caller.h>
+#include <protocols/rpc/common/packed-c/status.h>
+#include <service/secure_storage/backend/secure_flash_store/secure_flash_store.h>
+#include <service/secure_storage/factory/storage_factory.h>
+
+/**
+ * \brief Constructs a secure flash store
+ *
+ * Can be used as a storage backend in any environment. However
+ * it doesn't actually provide persistent flash storage without
+ * platform specific hardware.
+ */
+struct storage_backend *storage_factory_create(
+ enum storage_factory_security_class security_class)
+{
+ (void)security_class;
+ return sfs_init();
+}
+
+void storage_factory_destroy(struct storage_backend *backend)
+{
+ (void)backend;
+}
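Review bot: storage_factory_create discards its argument with `(void)security_class;`, so a caller asking for storage_factory_security_class_PROTECTED gets the same sfs_init() backend as one asking for INTERNAL_TRUSTED, and the doc comment does not say so. I would extend the comment with `The requested security class is ignored; the same secure flash store is returned for every class.` so that deployments linking this factory know the class is not enforced here. The includes of ffarpc_caller.h and packed-c/status.h look unused in this file and could be dropped.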
diff --git a/components/service/secure_storage/factory/sp/optee_trusted_store/component.cmake b/components/service/secure_storage/factory/sp/optee_trusted_store/component.cmake
new file mode 100644
index 0000000..b06adb5
--- /dev/null
+++ b/components/service/secure_storage/factory/sp/optee_trusted_store/component.cmake
@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/storage_factory.c"
+ )
+
diff --git a/components/service/secure_storage/factory/sp/optee_trusted_store/storage_factory.c b/components/service/secure_storage/factory/sp/optee_trusted_store/storage_factory.c
new file mode 100644
index 0000000..5423af6
--- /dev/null
+++ b/components/service/secure_storage/factory/sp/optee_trusted_store/storage_factory.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+/**
+ * A storage factory that creates storage backends that communicate with an
+ * S-EL1 partition to access trusted storage provided by OPTEE. The S-EL1
+ * partition is assumed to host a conventional secure storage provider
+ * that can be accessed using the secure storage access protocol.
+ * Uses a default UUID to discover the S-EL1 partition if no external
+ * configuration overrides this.
+ */
+#include <rpc/ffarpc/caller/sp/ffarpc_caller.h>
+#include <protocols/rpc/common/packed-c/status.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <service/secure_storage/backend/null_store/null_store.h>
+#include <service/secure_storage/factory/storage_factory.h>
+#include <ffa_api.h>
+#include <stdbool.h>
+#include <stddef.h>
+
+/* NOTE: this is the ITS partition UUID - should be changed when S-EL1 SP is ready */
+#define OPTEE_TRUSTED_STORE_UUID_BYTES \
+ { 0xdc, 0x1e, 0xef, 0x48, 0xb1, 0x7a, 0x4c, 0xcf, \
+ 0xac, 0x8b, 0xdf, 0xcf, 0xf7, 0x71, 0x1b, 0x14 }
+
+static const uint8_t default_optee_trusted_store_uuid[] = OPTEE_TRUSTED_STORE_UUID_BYTES;
+
+/* The storage backed specialization constructed by this factory */
+struct optee_trusted_store
+{
+ struct secure_storage_client secure_storage_client;
+ struct ffarpc_caller ffarpc_caller;
+ bool in_use;
+};
+
+/* Only supports construction of a single instance */
+static struct optee_trusted_store backend_instance = { .in_use = false };
+
+/* Used on failure if no association with a storage provider is established */
+static struct null_store null_store;
+
+
+struct storage_backend *storage_factory_create(
+ enum storage_factory_security_class security_class)
+{
+ struct rpc_caller *storage_caller;
+ uint16_t storage_sp_ids[1];
+ struct optee_trusted_store *new_backend = &backend_instance;
+ struct storage_backend *result = NULL;
+
+ if (!new_backend->in_use) {
+
+ storage_caller = ffarpc_caller_init(&new_backend->ffarpc_caller);
+
+ /* Try discovering candidate endpoints in preference order */
+ if (ffarpc_caller_discover(default_optee_trusted_store_uuid, storage_sp_ids,
+ sizeof(storage_sp_ids)/sizeof(uint16_t))) {
+
+ if (ffarpc_caller_open(&new_backend->ffarpc_caller, storage_sp_ids[0], 0) == 0) {
+
+ result = secure_storage_client_init(&new_backend->secure_storage_client,
+ storage_caller);
+ }
+ }
+
+ if (!result) {
+
+ /* Failed to discover or open an RPC session with provider */
+ ffarpc_caller_deinit(&new_backend->ffarpc_caller);
+ }
+
+ new_backend->in_use = (result != NULL);
+ }
+
+ if (!result) {
+
+ /**
+ * Errors during SP initialisation can be difficult to handle so
+ * returns a valid storage_backend, albeit one that just returns
+ * an appropriate status code if any methods are called. This
+ * allows an error to be reported to a requesting client where
+ * it may be easier to handle.
+ */
+ result = null_store_init(&null_store);
+ }
+
+ return result;
+}
+
+void storage_factory_destroy(struct storage_backend *backend)
+{
+ if (backend) {
+
+ secure_storage_client_deinit(&backend_instance.secure_storage_client);
+ ffarpc_caller_deinit(&backend_instance.ffarpc_caller);
+ backend_instance.in_use = false;
+ }
+}
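Review bot: storage_factory_destroy tears down backend_instance for any non-NULL pointer, including the null_store backend that storage_factory_create returns on failure or when the single instance is already in use. In the failure case secure_storage_client_deinit runs on a client that was never initialised and ffarpc_caller_deinit runs a second time; in the already-in-use case, destroying the fallback releases the live backend under its owner. A guard such as `if (!backend || backend == &null_store.backend || !backend_instance.in_use) return;` at the top of the function avoids both. The rot_store factory's storage_factory_destroy later in this commit has the same body and needs the same guard.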
diff --git a/components/service/secure_storage/factory/sp/rot_store/component.cmake b/components/service/secure_storage/factory/sp/rot_store/component.cmake
new file mode 100644
index 0000000..b06adb5
--- /dev/null
+++ b/components/service/secure_storage/factory/sp/rot_store/component.cmake
@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/storage_factory.c"
+ )
+
diff --git a/components/service/secure_storage/factory/sp/rot_store/storage_factory.c b/components/service/secure_storage/factory/sp/rot_store/storage_factory.c
new file mode 100644
index 0000000..9c37d4d
--- /dev/null
+++ b/components/service/secure_storage/factory/sp/rot_store/storage_factory.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+/**
+ * A storage factory that creates storage backends that may be used
+ * to access a secure storage partition from a separate SP within the
+ * device RoT. Defaults to using PSA storage partitions if no runtime
+ * configuration overrides the target service endpoint to use. If multiple
+ * candidate storage SPs are available, the one that matches the
+ * requested storage class is used. The availability of Internal Trusted
+ * and Protected stores will depend on the platform.
+ */
+#include <rpc/ffarpc/caller/sp/ffarpc_caller.h>
+#include <protocols/rpc/common/packed-c/status.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <service/secure_storage/backend/null_store/null_store.h>
+#include <service/secure_storage/factory/storage_factory.h>
+#include <ffa_api.h>
+#include <stdbool.h>
+#include <stddef.h>
+
+/* Defaults to using PSA storage partitions if no external configuration specified */
+#define ITS_STORE_UUID_BYTES \
+ { 0xdc, 0x1e, 0xef, 0x48, 0xb1, 0x7a, 0x4c, 0xcf, \
+ 0xac, 0x8b, 0xdf, 0xcf, 0xf7, 0x71, 0x1b, 0x14 }
+
+#define PS_STORE_UUID_BYTES \
+ { 0x75, 0x1b, 0xf8, 0x01, 0x3d, 0xde, 0x47, 0x68, \
+ 0xa5, 0x14, 0x0f, 0x10, 0xae, 0xed, 0x17, 0x90 }
+
+#define MAX_CANDIDATE_UUIDS (2)
+
+static const uint8_t default_internal_store_uuid[] = ITS_STORE_UUID_BYTES;
+static const uint8_t default_protected_store_uuid[] = PS_STORE_UUID_BYTES;
+
+/* The storage backed specialization constructed by this factory */
+struct rot_store
+{
+ struct secure_storage_client secure_storage_client;
+ struct ffarpc_caller ffarpc_caller;
+ bool in_use;
+};
+
+/* Only supports construction of a single instance */
+static struct rot_store backend_instance = { .in_use = false };
+
+/* Used on failure if no association with a storage provider is established */
+static struct null_store null_store;
+
+static int select_candidate_uuids(const uint8_t *candidates[],
+ int max_candidates,
+ enum storage_factory_security_class security_class);
+
+
+struct storage_backend *storage_factory_create(
+ enum storage_factory_security_class security_class)
+{
+ struct rpc_caller *storage_caller;
+ uint16_t storage_sp_ids[1];
+ struct rot_store *new_backend = &backend_instance;
+ const uint8_t *candidate_uuids[MAX_CANDIDATE_UUIDS];
+ int num_candidate_uuids = select_candidate_uuids(candidate_uuids,
+ MAX_CANDIDATE_UUIDS, security_class);
+
+ struct storage_backend *result = NULL;
+
+ if (num_candidate_uuids && !new_backend->in_use) {
+
+ storage_caller = ffarpc_caller_init(&new_backend->ffarpc_caller);
+
+ for (int i = 0; i < num_candidate_uuids; i++) {
+
+ /* Try discovering candidate endpoints in preference order */
+ if (ffarpc_caller_discover(candidate_uuids[i], storage_sp_ids,
+ sizeof(storage_sp_ids)/sizeof(uint16_t))) {
+
+ if (ffarpc_caller_open(&new_backend->ffarpc_caller, storage_sp_ids[0], 0) == 0) {
+
+ result = secure_storage_client_init(&new_backend->secure_storage_client,
+ storage_caller);
+ }
+
+ break;
+ }
+ }
+
+ if (!result) {
+
+ /* Failed to discover or open an RPC session with provider */
+ ffarpc_caller_deinit(&new_backend->ffarpc_caller);
+ }
+
+ new_backend->in_use = (result != NULL);
+ }
+
+ if (!result) {
+
+ /**
+ * Errors during SP initialisation can be difficult to handle so
+ * returns a valid storage_backend, albeit one that just returns
+ * an appropriate status code if any methods are called. This
+ * allows an error to be reported to a requesting client where
+ * it may be easier to handle.
+ */
+ result = null_store_init(&null_store);
+ }
+
+ return result;
+}
+
+void storage_factory_destroy(struct storage_backend *backend)
+{
+ if (backend) {
+
+ secure_storage_client_deinit(&backend_instance.secure_storage_client);
+ ffarpc_caller_deinit(&backend_instance.ffarpc_caller);
+ backend_instance.in_use = false;
+ }
+}
+
+static int select_candidate_uuids(const uint8_t *candidates[],
+ int max_candidates,
+ enum storage_factory_security_class security_class)
+{
+ /* Runtime configuration not yet supported so fallback to using default UUIDs */
+ int num_candidates = 0;
+
+ if (max_candidates >= 2) {
+
+ if (security_class == storage_factory_security_class_INTERNAL_TRUSTED) {
+
+ candidates[0] = default_internal_store_uuid;
+ candidates[1] = default_protected_store_uuid;
+ }
+ else {
+
+ candidates[0] = default_protected_store_uuid;
+ candidates[1] = default_internal_store_uuid;
+ }
+
+ num_candidates = 2;
+ }
+
+ return num_candidates;
+} \ No newline at end of file
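Review bot: A caller that asks for storage_factory_security_class_INTERNAL_TRUSTED can silently receive a protected-storage backend, because select_candidate_uuids always returns both UUIDs and the loop in storage_factory_create takes the first one that ffarpc_caller_discover finds. storage_factory.h describes the two classes as having different security characteristics, so the fallback should be visible: either log when the opened candidate is not `candidate_uuids[0]`, or restrict the list to the requested class until the interface can report which class was obtained. Separately, the `break;` after a successful discover also fires when ffarpc_caller_open fails, so the second candidate is never tried in that case. If that is intended, a comment such as `/* Do not fall back to a lower-preference store when the preferred one is present but unusable */` would say so.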
diff --git a/components/service/secure_storage/factory/storage_factory.h b/components/service/secure_storage/factory/storage_factory.h
new file mode 100644
index 0000000..a36d0c4
--- /dev/null
+++ b/components/service/secure_storage/factory/storage_factory.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#ifndef STORAGE_FACTORY_H
+#define STORAGE_FACTORY_H
+
+#include <service/secure_storage/backend/storage_backend.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Defines a common interface for creating storage backends to
+ * decouple a client from the environment and platform specifics
+ * of any particular storage backend. Allows new storage backends
+ * to be added without impacting client implementations. The
+ * factory method uses PSA storage classifications to allow a
+ * client to specify the security characteristics of the backend.
+ * How those security characteristics are realized will depend
+ * on the secure processing environment and platform.
+ *
+ * A concrete storage factory may exploit any of the following
+ * to influence how the storage backend is constructed:
+ * - Environment and platform specific factory component used in deployment
+ * - Runtime configuration e.g. from Device Tree
+ * - Client specified parameters
+ */
+
+/**
+ * \brief Security characteristics of created backend
+ *
+ * Allows a client to request the security characteristics of
+ * a constructed backend, using PSA storage classification. How
+ * well a platform meets the requested security characteristics
+ * will depend on available hardware features.
+ */
+enum storage_factory_security_class {
+
+ /**
+ * On-die or in-package persistent storage
+ * that is exclusively accessible from secure world.
+ */
+ storage_factory_security_class_INTERNAL_TRUSTED,
+
+ /**
+ * External persistent storage with security measures
+ * such as encryption, integrity protection and replay
+ * protection, based on device root-of-trust trust anchors.
+ */
+ storage_factory_security_class_PROTECTED
+};
+
+/**
+ * \brief Factory method to create an initialised storage backend
+ *
+ * Should use the correseponding destroy method when the storage backend
+ * is no longer needed.
+ *
+ * \param[in] security_class The requested security class
+ *
+ * \return A pointer to the initialised storage_backend or NULL on failure
+ */
+struct storage_backend *storage_factory_create(
+ enum storage_factory_security_class security_class);
+
+/**
+ * \brief Destroys a created backend
+ *
+ * Allows a concrete factory to adopt its own allocation scheme for
+ * objects used to implement the created backend.
+ *
+ * \param[in] backend Storage backend to destroy
+ */
+void storage_factory_destroy(struct storage_backend *backend);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* STORAGE_FACTORY_H */
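Review bot: The \return line for storage_factory_create says `NULL on failure`, but the two SP factories added in this commit (optee_trusted_store and rot_store) return a null_store backend on failure and never return NULL. As a result the `if (!storage_backend) goto fatal_error;` check added to crypto_sp.c cannot fire with the rot_store factory, and a discovery failure only surfaces later as PSA_ERROR_STORAGE_FAILURE on each storage operation. I would reword the line to `\return A pointer to an initialised storage_backend; on failure this may be NULL or a backend whose operations all return an error`, and correct the spelling of "correseponding" in the paragraph above it.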
diff --git a/components/service/secure_storage/test/service/component.cmake b/components/service/secure_storage/test/service/component.cmake
new file mode 100644
index 0000000..02a2b2c
--- /dev/null
+++ b/components/service/secure_storage/test/service/component.cmake
@@ -0,0 +1,15 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/its_service_tests.cpp"
+ "${CMAKE_CURRENT_LIST_DIR}/ps_service_tests.cpp"
+ )
+
diff --git a/components/service/secure_storage/test/service/its_service_tests.cpp b/components/service/secure_storage/test/service/its_service_tests.cpp
new file mode 100644
index 0000000..b976d61
--- /dev/null
+++ b/components/service/secure_storage/test/service/its_service_tests.cpp
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <service/secure_storage/frontend/psa/its/its_frontend.h>
+#include <service/secure_storage/frontend/psa/its/test/its_api_tests.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <protocols/rpc/common/packed-c/encoding.h>
+#include <service_locator.h>
+#include <CppUTest/TestHarness.h>
+
+/*
+ * Service-level tests using the PSA Internal Trusted Storage API to
+ * access the secure storage service with the 'internal-trusted-storage'
+ * designation.
+ */
+TEST_GROUP(ItsServiceTests)
+{
+ void setup()
+ {
+ struct rpc_caller *caller;
+ int status;
+
+ m_rpc_session_handle = NULL;
+ m_its_service_context = NULL;
+
+ service_locator_init();
+
+ m_its_service_context = service_locator_query("sn:trustedfirmware.org:internal-trusted-storage:0", &status);
+ CHECK(m_its_service_context);
+
+ m_rpc_session_handle = service_context_open(m_its_service_context, TS_RPC_ENCODING_PACKED_C, &caller);
+ CHECK(m_rpc_session_handle);
+
+ struct storage_backend *storage_backend = secure_storage_client_init(&m_storage_client, caller);
+
+ psa_its_frontend_init(storage_backend);
+ }
+
+ void teardown()
+ {
+ psa_its_frontend_init(NULL);
+
+ service_context_close(m_its_service_context, m_rpc_session_handle);
+ m_rpc_session_handle = NULL;
+
+ service_context_relinquish(m_its_service_context);
+ m_its_service_context = NULL;
+
+ secure_storage_client_deinit(&m_storage_client);
+ }
+
+ rpc_session_handle m_rpc_session_handle;
+ struct service_context *m_its_service_context;
+ struct secure_storage_client m_storage_client;
+};
+
+TEST(ItsServiceTests, storeNewItem)
+{
+ its_api_tests::storeNewItem();
+}
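Review bot: teardown() uses state that setup() may not have established. If `CHECK(m_its_service_context)` or `CHECK(m_rpc_session_handle)` fails, CppUTest still runs teardown, which passes a NULL context to service_context_close and service_context_relinquish and calls secure_storage_client_deinit on an m_storage_client that was never initialised. Whether those functions tolerate NULL is not visible here, so I would guard them, for example `if (m_its_service_context && m_rpc_session_handle) service_context_close(m_its_service_context, m_rpc_session_handle);`, and deinit the client only when a flag set after secure_storage_client_init is true. ps_service_tests.cpp in this commit has the same setup/teardown pair.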
diff --git a/components/service/secure_storage/test/service/ps_service_tests.cpp b/components/service/secure_storage/test/service/ps_service_tests.cpp
new file mode 100644
index 0000000..fd19f08
--- /dev/null
+++ b/components/service/secure_storage/test/service/ps_service_tests.cpp
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <service/secure_storage/frontend/psa/ps/ps_frontend.h>
+#include <service/secure_storage/frontend/psa/ps/test/ps_api_tests.h>
+#include <service/secure_storage/frontend/psa/its/its_frontend.h>
+#include <service/secure_storage/frontend/psa/its/test/its_api_tests.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <protocols/rpc/common/packed-c/encoding.h>
+#include <service_locator.h>
+#include <CppUTest/TestHarness.h>
+
+/*
+ * Service-level tests using the PSA Protected Storage and Internal
+ * Trusted Storage APIs to access the secure storage service with the
+ * 'protected-storage' designation.
+ */
+TEST_GROUP(PsServiceTests)
+{
+ void setup()
+ {
+ struct rpc_caller *caller;
+ int status;
+
+ m_rpc_session_handle = NULL;
+ m_its_service_context = NULL;
+
+ service_locator_init();
+
+ m_its_service_context = service_locator_query("sn:trustedfirmware.org:protected-storage:0", &status);
+ CHECK(m_its_service_context);
+
+ m_rpc_session_handle = service_context_open(m_its_service_context, TS_RPC_ENCODING_PACKED_C, &caller);
+ CHECK(m_rpc_session_handle);
+
+ struct storage_backend *storage_backend = secure_storage_client_init(&m_storage_client, caller);
+
+ psa_ps_frontend_init(storage_backend);
+ psa_its_frontend_init(storage_backend);
+ }
+
+ void teardown()
+ {
+ psa_ps_frontend_init(NULL);
+ psa_its_frontend_init(NULL);
+
+ service_context_close(m_its_service_context, m_rpc_session_handle);
+ m_rpc_session_handle = NULL;
+
+ service_context_relinquish(m_its_service_context);
+ m_its_service_context = NULL;
+
+ secure_storage_client_deinit(&m_storage_client);
+ }
+
+ rpc_session_handle m_rpc_session_handle;
+ struct service_context *m_its_service_context;
+ struct secure_storage_client m_storage_client;
+};
+
+TEST(PsServiceTests, storeNewItem)
+{
+ its_api_tests::storeNewItem();
+}
+
+TEST(PsServiceTests, createAndSet)
+{
+ ps_api_tests::createAndSet();
+}
+
+TEST(PsServiceTests, createAndSetExtended)
+{
+ ps_api_tests::createAndSetExtended();
+}
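Review bot: The member m_its_service_context in this group holds the context returned for "sn:trustedfirmware.org:protected-storage:0", so the name carried over from the ITS test is misleading; `m_ps_service_context` or a neutral `m_service_context` would match what it stores. The group comment could also say why an ITS API test runs here: psa_its_frontend_init is given the same protected-storage backend as psa_ps_frontend_init, so storeNewItem exercises the protected-storage provider through the ITS frontend.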
diff --git a/deployments/component-test/component-test.cmake b/deployments/component-test/component-test.cmake
index 130d82b..99a8114 100644
--- a/deployments/component-test/component-test.cmake
+++ b/deployments/component-test/component-test.cmake
@@ -36,6 +36,8 @@ add_components(
"components/service/locator/test"
"components/service/locator/standalone"
"components/service/locator/standalone/services/crypto"
+ "components/service/locator/standalone/services/internal-trusted-storage"
+ "components/service/locator/standalone/services/protected-storage"
"components/service/locator/standalone/services/test-runner"
"components/service/crypto/client/cpp"
"components/service/crypto/client/cpp/protobuf"
@@ -57,6 +59,7 @@ add_components(
"components/service/secure_storage/frontend/secure_storage_provider"
"components/service/secure_storage/backend/secure_storage_client"
"components/service/secure_storage/backend/secure_storage_client/test"
+ "components/service/secure_storage/backend/null_store"
"components/service/secure_storage/backend/mock_store"
"components/service/secure_storage/backend/mock_store/test"
"components/service/secure_storage/backend/secure_flash_store"
diff --git a/deployments/crypto/opteesp/CMakeLists.txt b/deployments/crypto/opteesp/CMakeLists.txt
index 108223a..f8ed17d 100644
--- a/deployments/crypto/opteesp/CMakeLists.txt
+++ b/deployments/crypto/opteesp/CMakeLists.txt
@@ -42,7 +42,6 @@ add_components(TARGET "crypto-sp"
"components/rpc/ffarpc/caller/sp"
"components/rpc/common/caller"
"components/rpc/common/interface"
- "components/rpc/dummy"
"components/service/common"
"components/service/common/serializer/protobuf"
"components/service/common/provider"
@@ -52,6 +51,8 @@ add_components(TARGET "crypto-sp"
"components/service/crypto/provider/serializer/packed-c"
"components/service/secure_storage/frontend/psa/its"
"components/service/secure_storage/backend/secure_storage_client"
+ "components/service/secure_storage/backend/null_store"
+ "components/service/secure_storage/factory/sp/rot_store"
"protocols/rpc/common/packed-c"
"protocols/service/secure_storage/packed-c"
"protocols/service/crypto/protobuf"
diff --git a/deployments/crypto/opteesp/crypto_sp.c b/deployments/crypto/opteesp/crypto_sp.c
index 2512eee..b9c1fb2 100644
--- a/deployments/crypto/opteesp/crypto_sp.c
+++ b/deployments/crypto/opteesp/crypto_sp.c
@@ -3,10 +3,9 @@
* Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
*/
-#include <rpc/ffarpc/caller/sp/ffarpc_caller.h>
+
#include <rpc/ffarpc/endpoint/ffarpc_call_ep.h>
-#include <rpc/dummy/dummy_caller.h>
-#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <service/secure_storage/factory/storage_factory.h>
#include <service/crypto/provider/mbedcrypto/crypto_provider.h>
#include <service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.h>
#include <service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.h>
@@ -19,12 +18,7 @@
#include <trace.h>
-#define SP_STORAGE_UUID_BYTES \
- { 0xdc, 0x1e, 0xef, 0x48, 0xb1, 0x7a, 0x4c, 0xcf, \
- 0xac, 0x8b, 0xdf, 0xcf, 0xf7, 0x71, 0x1b, 0x14, }
-
uint16_t own_id = 0; /* !!Needs refactoring as parameter to ffarpc_caller_init */
-static const uint8_t storage_uuid[] = SP_STORAGE_UUID_BYTES;
static int sp_init(uint16_t *own_sp_id);
@@ -34,38 +28,21 @@ void __noreturn sp_main(struct ffa_init_info *init_info)
struct mbed_crypto_provider crypto_provider;
struct ffa_call_ep ffarpc_call_ep;
struct rpc_interface *crypto_iface;
- struct ffarpc_caller ffarpc_caller;
- struct dummy_caller dummy_caller;
- struct rpc_caller *storage_caller;
struct ffa_direct_msg req_msg;
- uint16_t storage_sp_ids[1];
-
- /* Boot */
- (void) init_info;
+ struct storage_backend *storage_backend;
+ /* Boot phase */
if (sp_init(&own_id) != 0) goto fatal_error;
config_ramstore_init();
sp_config_load(init_info);
- /* Establish RPC session with secure storage SP */
- storage_caller = ffarpc_caller_init(&ffarpc_caller);
-
- if (!ffarpc_caller_discover(storage_uuid, storage_sp_ids,
- sizeof(storage_sp_ids)/sizeof(uint16_t)) ||
- ffarpc_caller_open(&ffarpc_caller, storage_sp_ids[0], 0)) {
- /*
- * Failed to establish session. To allow the crypto service
- * to still be initialized, albeit with no persistent storage,
- * initialise a dummy_caller that will safely
- * handle rpc requests but will report an error.
- */
- storage_caller = dummy_caller_init(&dummy_caller,
- TS_RPC_CALL_ACCEPTED, PSA_ERROR_STORAGE_FAILURE);
- }
+ /* Create a storage backend for persistent key storage - prefer ITS */
+ storage_backend = storage_factory_create(storage_factory_security_class_INTERNAL_TRUSTED);
+ if (!storage_backend) goto fatal_error;
/* Initialize the crypto service */
- crypto_iface = mbed_crypto_provider_init(&crypto_provider, storage_caller, 0);
+ crypto_iface = mbed_crypto_provider_init(&crypto_provider, storage_backend, 0);
mbed_crypto_provider_register_serializer(&crypto_provider,
TS_RPC_ENCODING_PROTOBUF, pb_crypto_provider_serializer_instance());
diff --git a/deployments/secure-storage/opteesp/.gitignore b/deployments/internal-trusted-storage/opteesp/.gitignore
index 378eac2..378eac2 100644
--- a/deployments/secure-storage/opteesp/.gitignore
+++ b/deployments/internal-trusted-storage/opteesp/.gitignore
diff --git a/deployments/secure-storage/opteesp/CMakeLists.txt b/deployments/internal-trusted-storage/opteesp/CMakeLists.txt
index 4bcbd17..af0d932 100644
--- a/deployments/secure-storage/opteesp/CMakeLists.txt
+++ b/deployments/internal-trusted-storage/opteesp/CMakeLists.txt
@@ -8,15 +8,15 @@ cmake_minimum_required(VERSION 3.16)
include(../../deployment.cmake REQUIRED)
#-------------------------------------------------------------------------------
-# The CMakeLists.txt for building the secure-storage deployment for opteesp
+# The CMakeLists.txt for building the internal-trusted-storage deployment for opteesp
#
# Builds the secure storage service provider for running in an SEL0 secure
# partition hosted by OPTEE in the role of SPM.
#-------------------------------------------------------------------------------
include(${TS_ROOT}/environments/opteesp/env.cmake)
project(trusted-services LANGUAGES C ASM)
-add_executable(secure-storage)
-target_include_directories(secure-storage PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}")
+add_executable(internal-trusted-storage)
+target_include_directories(internal-trusted-storage PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}")
set(SP_UUID "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14")
@@ -25,10 +25,10 @@ set(SP_DEV_KIT_INC_DIR ${CMAKE_CURRENT_LIST_DIR})
list(APPEND CMAKE_MODULE_PATH "${TS_ROOT}/external/Spdevkit")
find_package(Spdevkit COMPONENTS SP_HEADER interface)
-sp_dev_kit_configure_linking(TARGET secure-storage DEFINES ARM64=1)
-target_link_libraries(secure-storage ${SP_DEV_KIT_LIBRARIES})
+sp_dev_kit_configure_linking(TARGET internal-trusted-storage DEFINES ARM64=1)
+target_link_libraries(internal-trusted-storage ${SP_DEV_KIT_LIBRARIES})
-add_components(TARGET "secure-storage"
+add_components(TARGET "internal-trusted-storage"
BASE_DIR ${TS_ROOT}
COMPONENTS
components/messaging/ffa/libsp
@@ -40,27 +40,28 @@ add_components(TARGET "secure-storage"
components/service/secure_storage/backend/secure_flash_store
components/service/secure_storage/backend/secure_flash_store/flash_fs
components/service/secure_storage/backend/secure_flash_store/flash
+ components/service/secure_storage/factory/common/sfs
protocols/rpc/common/packed-c
protocols/service/secure_storage/packed-c
environments/opteesp
)
-target_sources(secure-storage PRIVATE
+target_sources(internal-trusted-storage PRIVATE
sp.c
)
-target_compile_definitions(secure-storage PRIVATE
+target_compile_definitions(internal-trusted-storage PRIVATE
ARM64=1
)
-target_include_directories(secure-storage PRIVATE
+target_include_directories(internal-trusted-storage PRIVATE
${TS_ROOT}
${TS_ROOT}/components
- ${TS_ROOT}/deployments/secure-storage/opteesp
+ ${TS_ROOT}/deployments/internal-trusted-storage/opteesp
)
if(CMAKE_C_COMPILER_ID STREQUAL "GNU")
- target_compile_options(secure-storage PRIVATE
+ target_compile_options(internal-trusted-storage PRIVATE
-fdiagnostics-show-option
-fpic
-gdwarf-2
@@ -70,7 +71,7 @@ if(CMAKE_C_COMPILER_ID STREQUAL "GNU")
)
# Options for GCC that control linking
- target_link_options(secure-storage PRIVATE
+ target_link_options(internal-trusted-storage PRIVATE
-e __sp_entry
-fno-lto
-nostdlib
@@ -78,25 +79,25 @@ if(CMAKE_C_COMPILER_ID STREQUAL "GNU")
-zmax-page-size=4096
)
# Options directly for LD, these are not understood by GCC
- target_link_options(secure-storage PRIVATE
+ target_link_options(internal-trusted-storage PRIVATE
-Wl,--as-needed
-Wl,--sort-section=alignment
# -Wl,--dynamic-list ${CMAKE_CURRENT_LIST_DIR}/dyn_list
)
endif()
-compiler_generate_stripped_elf(TARGET secure-storage NAME "${SP_UUID}.stripped.elf" RES STRIPPED_ELF)
+compiler_generate_stripped_elf(TARGET internal-trusted-storage NAME "${SP_UUID}.stripped.elf" RES STRIPPED_ELF)
######################################## install
if (CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
set(CMAKE_INSTALL_PREFIX ${CMAKE_BINARY_DIR}/install CACHE PATH "location to install build output to." FORCE)
endif()
-install(TARGETS secure-storage
+install(TARGETS internal-trusted-storage
PUBLIC_HEADER DESTINATION ${TS_ENV}/include
RUNTIME DESTINATION ${TS_ENV}/bin
)
install(FILES ${STRIPPED_ELF} DESTINATION ${TS_ENV}/bin)
-set(EXPORT_SP_NAME "secure-storage")
+set(EXPORT_SP_NAME "internal-trusted-storage")
set(EXPORT_SP_UUID ${SP_UUID})
include(${TS_ROOT}/environments/opteesp/ExportSp.cmake)
diff --git a/deployments/secure-storage/opteesp/default_secure-storage.dts.in b/deployments/internal-trusted-storage/opteesp/default_internal-trusted-storage.dts.in
index 1a8d6a3..3ce8dd6 100644
--- a/deployments/secure-storage/opteesp/default_secure-storage.dts.in
+++ b/deployments/internal-trusted-storage/opteesp/default_internal-trusted-storage.dts.in
@@ -10,7 +10,7 @@
compatible = "arm,ffa-manifest-1.0";
ffa-version = <0x00010000>; /* 31:16 - Major, 15:0 - Minor */
uuid = <@EXPORT_SP_UUID_DT@>;
- description = "Secure Storage";
+ description = "ITS";
execution-ctx-count = <1>;
exception-level = <1>; /* S-EL0 */
execution-state = <0>; /* AArch64 */
diff --git a/deployments/secure-storage/opteesp/optee_sp_user_defines.h b/deployments/internal-trusted-storage/opteesp/optee_sp_user_defines.h
index e773055..e773055 100644
--- a/deployments/secure-storage/opteesp/optee_sp_user_defines.h
+++ b/deployments/internal-trusted-storage/opteesp/optee_sp_user_defines.h
diff --git a/deployments/internal-trusted-storage/opteesp/sp.c b/deployments/internal-trusted-storage/opteesp/sp.c
new file mode 100644
index 0000000..626c2d4
--- /dev/null
+++ b/deployments/internal-trusted-storage/opteesp/sp.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "sp.h"
+#include <ffa_api.h>
+#include <components/rpc/common/endpoint/rpc_interface.h>
+#include <components/rpc/ffarpc/endpoint/ffarpc_call_ep.h>
+#include <components/service/secure_storage/factory/storage_factory.h>
+#include <components/service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+#include <sp_api.h>
+#include <sp_rxtx.h>
+#include <trace.h>
+
+uint16_t own_id = 0;
+static uint8_t tx_buffer[4096] __aligned(4096);
+static uint8_t rx_buffer[4096] __aligned(4096);
+
+void sp_main(struct ffa_init_info *init_info)
+{
+ ffa_result ffa_res;
+ sp_result sp_res;
+ struct rpc_interface *secure_storage_iface;
+ struct ffa_call_ep ffa_call_ep;
+ struct ffa_direct_msg req_msg;
+ struct ffa_direct_msg resp_msg;
+ struct secure_storage_provider secure_storage_provider;
+ struct storage_backend *storage_backend;
+
+ /* Boot */
+ (void) init_info;
+
+ ffa_res = ffa_id_get(&own_id);
+ if (ffa_res != FFA_OK) {
+ EMSG("id get error: %d", ffa_res);
+ }
+
+ sp_res = sp_rxtx_buffer_map(tx_buffer, rx_buffer, sizeof(rx_buffer));
+ if (sp_res != SP_RESULT_OK) {
+ EMSG("rxtx map error: %d", sp_res);
+ }
+
+ storage_backend = storage_factory_create(storage_factory_security_class_INTERNAL_TRUSTED);
+ secure_storage_iface = secure_storage_provider_init(&secure_storage_provider, storage_backend);
+ ffa_call_ep_init(&ffa_call_ep, secure_storage_iface);
+
+ /* End of boot phase */
+ ffa_msg_wait(&req_msg);
+
+ while (1) {
+ if (req_msg.function_id == FFA_MSG_SEND_DIRECT_REQ_32) {
+ ffa_call_ep_receive(&ffa_call_ep, &req_msg, &resp_msg);
+
+ ffa_msg_send_direct_resp(req_msg.destination_id,
+ req_msg.source_id, resp_msg.args[0], resp_msg.args[1],
+ resp_msg.args[2], resp_msg.args[3], resp_msg.args[4],
+ &req_msg);
+ }
+ }
+}
+
+void sp_interrupt_handler(uint32_t interrupt_id)
+{
+ (void)interrupt_id;
+}
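Review bot: Boot failures in sp_main are logged but not acted on: after `EMSG("id get error: %d", ffa_res);` and `EMSG("rxtx map error: %d", sp_res);` execution continues, and the pointer returned by storage_factory_create() is passed to secure_storage_provider_init() unchecked, so the partition can reach its message loop with an unmapped RX/TX buffer or an invalid backend. Each failure path should stop the SP from serving requests, for example `goto fatal_error;` after each EMSG plus an `if (!storage_backend)` check, with a `fatal_error:` label after the loop that logs once and parks. Whether storage_factory_create() can return NULL is not visible here, so confirm its contract before relying on that check. The loop also has no else branch: if req_msg.function_id is ever something other than FFA_MSG_SEND_DIRECT_REQ_32, nothing fetches a new message and the loop appears to spin. The protected-storage sp.c hunks further down show the same log-and-continue pattern around their storage_factory_create() call.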
diff --git a/deployments/secure-storage/opteesp/sp.h b/deployments/internal-trusted-storage/opteesp/sp.h
index 299c95e..5aa76c3 100644
--- a/deployments/secure-storage/opteesp/sp.h
+++ b/deployments/internal-trusted-storage/opteesp/sp.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -7,6 +7,7 @@
#ifndef SP_H
#define SP_H
+/* UUID for the Internal Trusted Store */
#define OPTEE_SP_UUID \
{ 0xdc1eef48, 0xb17a, 0x4ccf, \
{ 0xac, 0x8b, 0xdf, 0xcf, 0xf7, 0x71, 0x1b, 0x14 } }
diff --git a/deployments/libts/linux-pc/CMakeLists.txt b/deployments/libts/linux-pc/CMakeLists.txt
index 3378ee3..9beecac 100644
--- a/deployments/libts/linux-pc/CMakeLists.txt
+++ b/deployments/libts/linux-pc/CMakeLists.txt
@@ -36,6 +36,8 @@ add_components(
"components/service/common/provider"
"components/service/locator/standalone"
"components/service/locator/standalone/services/crypto"
+ "components/service/locator/standalone/services/internal-trusted-storage"
+ "components/service/locator/standalone/services/protected-storage"
"components/service/locator/standalone/services/test-runner"
"components/service/crypto/provider/mbedcrypto"
"components/service/crypto/provider/mbedcrypto/trng_adapter/linux"
@@ -44,9 +46,8 @@ add_components(
"components/service/secure_storage/frontend/psa/its"
"components/service/secure_storage/frontend/secure_storage_provider"
"components/service/secure_storage/backend/secure_storage_client"
- "components/service/secure_storage/backend/secure_flash_store"
- "components/service/secure_storage/backend/secure_flash_store/flash_fs"
- "components/service/secure_storage/backend/secure_flash_store/flash"
+ "components/service/secure_storage/backend/mock_store"
+ "components/service/secure_storage/backend/null_store"
"components/service/test_runner/provider"
"components/service/test_runner/provider/serializer/packed-c"
"components/service/test_runner/provider/backend/mock"
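Review bot: The component list does not record why the secure_flash_store backend is replaced by mock_store and null_store in the linux-pc libts build. Judging only by their names, these backends presumably neither persist nor protect stored objects, so a reader could take this library for one with real secure storage. A comment above the two added entries would make the intent explicit, for example `# Standalone build: storage backends are test stand-ins, not persistent or protected storage`, adjusted to what the backends actually guarantee.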
@@ -92,6 +93,13 @@ add_components(
COMPONENTS
"components/app/test-runner"
"components/common/tlv"
+ "components/service/common"
+ "components/service/secure_storage/test/service"
+ "components/service/secure_storage/frontend/psa/its"
+ "components/service/secure_storage/frontend/psa/its/test"
+ "components/service/secure_storage/frontend/psa/ps"
+ "components/service/secure_storage/frontend/psa/ps/test"
+ "components/service/secure_storage/backend/secure_storage_client"
"components/service/crypto/test/service"
"components/service/crypto/test/service/protobuf"
"components/service/crypto/test/service/packed-c"
diff --git a/deployments/protected-storage/opteesp/CMakeLists.txt b/deployments/protected-storage/opteesp/CMakeLists.txt
new file mode 100644
index 0000000..c4f0fd5
--- /dev/null
+++ b/deployments/protected-storage/opteesp/CMakeLists.txt
@@ -0,0 +1,104 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+cmake_minimum_required(VERSION 3.16)
+include(../../deployment.cmake REQUIRED)
+
+#-------------------------------------------------------------------------------
+# The CMakeLists.txt for building the protected-storage deployment for opteesp
+#
+# Builds the secure storage service provider for running in an SEL0 secure
+# partition hosted by OPTEE in the role of SPM.
+#-------------------------------------------------------------------------------
+include(${TS_ROOT}/environments/opteesp/env.cmake)
+project(trusted-services LANGUAGES C ASM)
+add_executable(protected-storage)
+target_include_directories(protected-storage PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}")
+set(SP_UUID "751bf801-3dde-4768-a514-0f10aeed1790")
+
+
+# Include SP DEV KIT interface
+set(SP_DEV_KIT_INC_DIR ${CMAKE_CURRENT_LIST_DIR})
+list(APPEND CMAKE_MODULE_PATH "${TS_ROOT}/external/Spdevkit")
+find_package(Spdevkit COMPONENTS SP_HEADER interface)
+
+sp_dev_kit_configure_linking(TARGET protected-storage DEFINES ARM64=1)
+target_link_libraries(protected-storage ${SP_DEV_KIT_LIBRARIES})
+
+add_components(TARGET "protected-storage"
+ BASE_DIR ${TS_ROOT}
+ COMPONENTS
+ components/messaging/ffa/libsp
+ components/rpc/ffarpc/endpoint
+ components/rpc/common/interface
+ components/rpc/ffarpc/caller/sp
+ components/rpc/common/caller
+ components/service/common
+ components/service/common/provider
+ components/service/secure_storage/frontend/secure_storage_provider
+ components/service/secure_storage/backend/secure_storage_client
+ components/service/secure_storage/backend/null_store
+ components/service/secure_storage/factory/sp/optee_trusted_store
+ protocols/rpc/common/packed-c
+ protocols/service/secure_storage/packed-c
+ environments/opteesp
+)
+
+target_sources(protected-storage PRIVATE
+ sp.c
+)
+
+target_compile_definitions(protected-storage PRIVATE
+ ARM64=1
+)
+
+target_include_directories(protected-storage PRIVATE
+ ${TS_ROOT}
+ ${TS_ROOT}/components
+ ${TS_ROOT}/deployments/protected-storage/opteesp
+)
+
+if(CMAKE_C_COMPILER_ID STREQUAL "GNU")
+ target_compile_options(protected-storage PRIVATE
+ -fdiagnostics-show-option
+ -fpic
+ -gdwarf-2
+ -mstrict-align
+ -O0
+ -std=gnu99
+ )
+
+ # Options for GCC that control linking
+ target_link_options(protected-storage PRIVATE
+ -e __sp_entry
+ -fno-lto
+ -nostdlib
+ -pie
+ -zmax-page-size=4096
+ )
+ # Options directly for LD, these are not understood by GCC
+ target_link_options(protected-storage PRIVATE
+ -Wl,--as-needed
+ -Wl,--sort-section=alignment
+ # -Wl,--dynamic-list ${CMAKE_CURRENT_LIST_DIR}/dyn_list
+ )
+endif()
+
+compiler_generate_stripped_elf(TARGET protected-storage NAME "${SP_UUID}.stripped.elf" RES STRIPPED_ELF)
+
+######################################## install
+if (CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
+ set(CMAKE_INSTALL_PREFIX ${CMAKE_BINARY_DIR}/install CACHE PATH "location to install build output to." FORCE)
+endif()
+install(TARGETS protected-storage
+ PUBLIC_HEADER DESTINATION ${TS_ENV}/include
+ RUNTIME DESTINATION ${TS_ENV}/bin
+ )
+install(FILES ${STRIPPED_ELF} DESTINATION ${TS_ENV}/bin)
+
+set(EXPORT_SP_NAME "protected-storage")
+set(EXPORT_SP_UUID ${SP_UUID})
+include(${TS_ROOT}/environments/opteesp/ExportSp.cmake)
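Review bot: The partition UUID is now written out by hand in three places: `set(SP_UUID "751bf801-3dde-4768-a514-0f10aeed1790")` in this file, and `OPTEE_SP_UUID` and `SP_UUID_BYTES` in the new protected-storage sp.h. The three agree in this commit, but nothing visible enforces it. A later mismatch would leave the stripped ELF name, and presumably the manifest UUID exported through EXPORT_SP_UUID, disagreeing with the UUID compiled into the SP header. At minimum add `# Must match OPTEE_SP_UUID and SP_UUID_BYTES in sp.h` above the set() line. Deriving the header values from SP_UUID at configure time would remove the duplication.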
diff --git a/deployments/protected-storage/opteesp/default_protected-storage.dts.in b/deployments/protected-storage/opteesp/default_protected-storage.dts.in
new file mode 100644
index 0000000..1047a4c
--- /dev/null
+++ b/deployments/protected-storage/opteesp/default_protected-storage.dts.in
@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+@DTS_TAG@
+
+@DTS_NODE@ {
+ compatible = "arm,ffa-manifest-1.0";
+ ffa-version = <0x00010000>; /* 31:16 - Major, 15:0 - Minor */
+ uuid = <@EXPORT_SP_UUID_DT@>;
+ description = "PS";
+ execution-ctx-count = <1>;
+ exception-level = <1>; /* S-EL0 */
+ execution-state = <0>; /* AArch64 */
+ xlat-granule = <0>; /* 4KiB */
+ messaging-method = <0>; /* Direct messaging only */
+};
diff --git a/deployments/protected-storage/opteesp/optee_sp_user_defines.h b/deployments/protected-storage/opteesp/optee_sp_user_defines.h
new file mode 100644
index 0000000..e773055
--- /dev/null
+++ b/deployments/protected-storage/opteesp/optee_sp_user_defines.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2020, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef SP_HEADER_DEFINES_H
+#define SP_HEADER_DEFINES_H
+
+/* To get UUID definition */
+#include "sp.h"
+
+#define OPTEE_SP_FLAGS 0
+
+/* Provisioned stack size */
+#define OPTEE_SP_STACK_SIZE (64 * 1024)
+
+/* Provisioned heap size */
+#define OPTEE_SP_HEAP_SIZE (32 * 1024)
+
+#endif /* SP_HEADER_DEFINES_H */
diff --git a/deployments/secure-storage/opteesp/sp.c b/deployments/protected-storage/opteesp/sp.c
index c3bc94a..3bf3f1d 100644
--- a/deployments/secure-storage/opteesp/sp.c
+++ b/deployments/protected-storage/opteesp/sp.c
@@ -8,7 +8,7 @@
#include <ffa_api.h>
#include <components/rpc/common/endpoint/rpc_interface.h>
#include <components/rpc/ffarpc/endpoint/ffarpc_call_ep.h>
-#include <components/service/secure_storage/backend/secure_flash_store/secure_flash_store.h>
+#include <components/service/secure_storage/factory/storage_factory.h>
#include <components/service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
#include <sp_api.h>
#include <sp_rxtx.h>
@@ -42,7 +42,7 @@ void sp_main(struct ffa_init_info *init_info)
EMSG("rxtx map error: %d", sp_res);
}
- storage_backend = sfs_init();
+ storage_backend = storage_factory_create(storage_factory_security_class_PROTECTED);
secure_storage_iface = secure_storage_provider_init(&secure_storage_provider, storage_backend);
ffa_call_ep_init(&ffa_call_ep, secure_storage_iface);
diff --git a/deployments/protected-storage/opteesp/sp.h b/deployments/protected-storage/opteesp/sp.h
new file mode 100644
index 0000000..3bb4484
--- /dev/null
+++ b/deployments/protected-storage/opteesp/sp.h
@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef SP_H
+#define SP_H
+
+/* UUID for the Protected Store */
+#define OPTEE_SP_UUID \
+ { 0x751bf801, 0x3dde, 0x4768, \
+ { 0xa5, 0x14, 0x0f, 0x10, 0xae, 0xed, 0x17, 0x90 } }
+
+#define SP_UUID_BYTES \
+ { 0x75, 0x1b, 0xf8, 0x01, 0x3d, 0xde, 0x47, 0x68, \
+ 0xa5, 0x14, 0x0f, 0x10, 0xae, 0xed, 0x17, 0x90 }
+
+#endif /* SP_H */
diff --git a/deployments/ts-service-test/ts-service-test.cmake b/deployments/ts-service-test/ts-service-test.cmake
index 4bd8c71..04b0266 100644
--- a/deployments/ts-service-test/ts-service-test.cmake
+++ b/deployments/ts-service-test/ts-service-test.cmake
@@ -28,6 +28,7 @@ add_components(
BASE_DIR ${TS_ROOT}
COMPONENTS
"components/common/tlv"
+ "components/service/common"
"components/service/crypto/test/service"
"components/service/crypto/test/service/protobuf"
"components/service/crypto/test/service/packed-c"
@@ -37,6 +38,12 @@ add_components(
"components/service/common/serializer/protobuf"
"protocols/service/crypto/protobuf"
"protocols/service/crypto/packed-c"
+ "components/service/secure_storage/test/service"
+ "components/service/secure_storage/frontend/psa/its"
+ "components/service/secure_storage/frontend/psa/its/test"
+ "components/service/secure_storage/frontend/psa/ps"
+ "components/service/secure_storage/frontend/psa/ps/test"
+ "components/service/secure_storage/backend/secure_storage_client"
)
#-------------------------------------------------------------------------------
diff --git a/tools/b-test/test_data.yaml b/tools/b-test/test_data.yaml
index 74cf29e..06afe89 100644
--- a/tools/b-test/test_data.yaml
+++ b/tools/b-test/test_data.yaml
@@ -26,8 +26,8 @@ data:
os_id : "GNU/Linux"
params:
- "-GUnix Makefiles"
- - name: "secure-storage-optee-arm"
- src: "$TS_ROOT/deployments/secure-storage/opteesp"
+ - name: "protected-storage-optee-arm"
+ src: "$TS_ROOT/deployments/protected-storage/opteesp"
params:
- "-GUnix Makefiles"
- "-DSP_DEV_KIT_DIR=$SP_DEV_KIT_DIR"
@@ -72,3 +72,9 @@ data:
os_id : "GNU/Linux"
params:
- "-GUnix Makefiles"
+ - name: "internal-trusted-storage-optee-arm"
+ src: "$TS_ROOT/deployments/internal-trusted-storage/opteesp"
+ params:
+ - "-GUnix Makefiles"
+ - "-DSP_DEV_KIT_DIR=$SP_DEV_KIT_DIR"
+ - "-DCMAKE_VERBOSE_MAKEFILE=y"