authorJulian Hall <julian.hall@arm.com>2021-05-18 15:32:49 +0100
committerGyorgy Szing <Gyorgy.Szing@arm.com>2021-07-05 12:45:11 +0200
commit0446491a342f6dd9fc7b0b4b1afefa9e7c7c8400 (patch)
tree1945e49109699d380f0d760340561abcedeeb5da
parent482fd2fa697c8e3695a8b33e85de55fa33c2fd8e (diff)
downloadtrusted-services-0446491a342f6dd9fc7b0b4b1afefa9e7c7c8400.tar.gz
Add attestation claim sources for device claims
Adds claim sources that add device specific information to a generated attestation report. Different claim sources may be used for different deployments to accommodate platform differences. This commit contains derived work, the following files are copied from other projects: components/service/attestation/include/psa/lifecycle.h Origin: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git interface/include/psa/lifecycle.h #9280ae9d898bffbb889e4796e51aab35a392ef82 Signed-off-by: Julian Hall <julian.hall@arm.com> Change-Id: I5a6e3782ff936a5b2db46c79e159524ae89b61c4
-rw-r--r--components/service/attestation/claims/claims_register.h4
-rw-r--r--components/service/attestation/claims/sources/boot_seed_generator/boot_seed_generator.c48
-rw-r--r--components/service/attestation/claims/sources/boot_seed_generator/boot_seed_generator.h49
-rw-r--r--components/service/attestation/claims/sources/boot_seed_generator/component.cmake13
-rw-r--r--components/service/attestation/claims/sources/event_log/event_log_claim_source.h6
-rw-r--r--components/service/attestation/claims/sources/instance_id/component.cmake13
-rw-r--r--components/service/attestation/claims/sources/instance_id/instance_id_claim_source.c97
-rw-r--r--components/service/attestation/claims/sources/instance_id/instance_id_claim_source.h50
-rw-r--r--components/service/attestation/claims/sources/null_lifecycle/component.cmake13
-rw-r--r--components/service/attestation/claims/sources/null_lifecycle/null_lifecycle_claim_source.c33
-rw-r--r--components/service/attestation/claims/sources/null_lifecycle/null_lifecycle_claim_source.h40
-rw-r--r--components/service/attestation/include/psa/lifecycle.h29
-rw-r--r--components/service/attestation/key_mngr/attest_key_mngr.c7
-rw-r--r--components/service/attestation/key_mngr/attest_key_mngr.h13
-rw-r--r--components/service/attestation/provider/attest_provider.c4
-rw-r--r--components/service/attestation/test/component/attestation_reporter_tests.cpp55
-rw-r--r--components/service/locator/standalone/services/attestation/attestation_service_context.cpp19
-rw-r--r--components/service/locator/standalone/services/attestation/attestation_service_context.h7
-rw-r--r--deployments/component-test/component-test.cmake4
-rw-r--r--deployments/libts/linux-pc/CMakeLists.txt4
20 files changed, 490 insertions, 18 deletions
diff --git a/components/service/attestation/claims/claims_register.h b/components/service/attestation/claims/claims_register.h
index 99536332c..b4029f0c5 100644
--- a/components/service/attestation/claims/claims_register.h
+++ b/components/service/attestation/claims/claims_register.h
@@ -55,8 +55,8 @@ void claims_register_add_claim_source(uint32_t category_map,
* Used by a report generator to obtain claims that correspond to
* a particular category.
*
- * \param[in] category Claim category
- * \param[out] result Qualifying claims are added the result claim_vector
+ * \param[in] category Claim category
+ * \param[out] result Qualifying claims are added to the result claim_vector
*/
void claims_register_query_by_category(enum claim_category category,
struct claim_vector *result);
diff --git a/components/service/attestation/claims/sources/boot_seed_generator/boot_seed_generator.c b/components/service/attestation/claims/sources/boot_seed_generator/boot_seed_generator.c
new file mode 100644
index 000000000..53d4e7c55
--- /dev/null
+++ b/components/service/attestation/claims/sources/boot_seed_generator/boot_seed_generator.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <psa/crypto.h>
+#include <service/attestation/claims/claim.h>
+#include "boot_seed_generator.h"
+
+static bool boot_seed_generator_get_claim(void *context, struct claim *claim);
+
+
+struct claim_source *boot_seed_generator_init(struct boot_seed_generator *instance)
+{
+ instance->base.get_claim = boot_seed_generator_get_claim;
+ instance->base.context = instance;
+
+ instance->is_generated = false;
+
+ return &instance->base;
+}
+
+static bool boot_seed_generator_get_claim(void *context, struct claim *claim)
+{
+ struct boot_seed_generator *instance = (struct boot_seed_generator*)context;
+
+ /* Generate if no seed has been generated yet */
+ if (!instance->is_generated) {
+
+ psa_status_t status;
+ status = psa_generate_random(instance->boot_seed, sizeof(instance->boot_seed));
+ instance->is_generated = (status == PSA_SUCCESS);
+ }
+
+ if (instance->is_generated) {
+
+ claim->category = CLAIM_CATEGORY_DEVICE;
+ claim->subject_id = CLAIM_SUBJECT_ID_BOOT_SEED;
+ claim->variant_id = CLAIM_VARIANT_ID_BYTE_STRING;
+ claim->raw_data = NULL;
+
+ claim->variant.byte_string.bytes = instance->boot_seed;
+ claim->variant.byte_string.len = sizeof(instance->boot_seed);
+ }
+
+ return instance->is_generated;
+}
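Review bot: boot_seed_generator_get_claim has no comment stating its contract, and two details are easy to miss from the call site. When psa_generate_random fails, the function returns false without touching *claim; on success, claim->variant.byte_string.bytes points straight at instance->boot_seed rather than at a copy. I would add above the definition: `/* Returns false and leaves *claim unmodified if no seed could be generated; on success the byte string aliases instance->boot_seed, so the instance must outlive the claim. */`. It is also worth stating that the seed is generated on the first request rather than in boot_seed_generator_init, and that a failed generation is retried on each later call.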
diff --git a/components/service/attestation/claims/sources/boot_seed_generator/boot_seed_generator.h b/components/service/attestation/claims/sources/boot_seed_generator/boot_seed_generator.h
new file mode 100644
index 000000000..4b470aaf7
--- /dev/null
+++ b/components/service/attestation/claims/sources/boot_seed_generator/boot_seed_generator.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef BOOT_SEED_GENERATOR_H
+#define BOOT_SEED_GENERATOR_H
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <service/attestation/claims/claim_source.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * A claim source for generating and accessing a boot seed.
+ * The boot seed is a random number that forms an identifier for
+ * a particular boot session. On each re-boot, a new boot seed is
+ * generated. By including the boot seed in an attestation report,
+ * reports associated with the same boot session may be identified.
+ * Use this claim source in a deployment when no boot seed is passed
+ * forward by the boot loader or when no other authoritative source of
+ * boot seed is available.
+ */
+struct boot_seed_generator
+{
+ struct claim_source base;
+
+ bool is_generated;
+ uint8_t boot_seed[32];
+};
+
+/**
+ * \brief Initializes a struct boot_seed_generator
+ *
+ * \param[in] instance The instance to initialze
+ *
+ * \return The initialize base claim_source structure
+ */
+struct claim_source *boot_seed_generator_init(struct boot_seed_generator *instance);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* BOOT_SEED_GENERATOR_H */
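Review bot: The Doxygen block for boot_seed_generator_init has two typos, `The instance to initialze` and `The initialize base claim_source structure`; they should read `The instance to initialize` and `The initialized base claim_source structure`. The same two lines are repeated in instance_id_claim_source.h and null_lifecycle_claim_source.h. Separately, the seed length appears only as a bare `32` in `uint8_t boot_seed[32];`, so a short comment giving the unit (bytes) and the reason for that size would help anyone comparing it with the token format.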
diff --git a/components/service/attestation/claims/sources/boot_seed_generator/component.cmake b/components/service/attestation/claims/sources/boot_seed_generator/component.cmake
new file mode 100644
index 000000000..7e30defca
--- /dev/null
+++ b/components/service/attestation/claims/sources/boot_seed_generator/component.cmake
@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/boot_seed_generator.c"
+ )
diff --git a/components/service/attestation/claims/sources/event_log/event_log_claim_source.h b/components/service/attestation/claims/sources/event_log/event_log_claim_source.h
index 8e8516672..4a79e27bb 100644
--- a/components/service/attestation/claims/sources/event_log/event_log_claim_source.h
+++ b/components/service/attestation/claims/sources/event_log/event_log_claim_source.h
@@ -17,8 +17,10 @@ extern "C" {
#endif
/**
- * A claim source for accessing a TCG event log, stored as
- * a contiguous array of bytes.
+ * A claim source for accessing a TCG event log, stored in a buffer.
+ * Use this claim source in deployments where the bootloader has peformed
+ * boot measurements and recorded them in an event log. Additional
+ * claims such as the boot seed may also be recorded in the event log.
*/
struct event_log_claim_source
{
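Review bot: The new comment text contains a typo, `peformed`, which should be `performed`. The struct body lies outside the hunk, so only the comment is reviewed here.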
diff --git a/components/service/attestation/claims/sources/instance_id/component.cmake b/components/service/attestation/claims/sources/instance_id/component.cmake
new file mode 100644
index 000000000..58e16ee25
--- /dev/null
+++ b/components/service/attestation/claims/sources/instance_id/component.cmake
@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/instance_id_claim_source.c"
+ )
diff --git a/components/service/attestation/claims/sources/instance_id/instance_id_claim_source.c b/components/service/attestation/claims/sources/instance_id/instance_id_claim_source.c
new file mode 100644
index 000000000..a1222eef1
--- /dev/null
+++ b/components/service/attestation/claims/sources/instance_id/instance_id_claim_source.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <psa/crypto.h>
+#include <service/attestation/claims/claim.h>
+#include <service/attestation/key_mngr/attest_key_mngr.h>
+#include "instance_id_claim_source.h"
+
+static bool instance_id_claim_source_get_claim(void *context, struct claim *claim);
+static bool prepare_instance_id(struct instance_id_claim_source *instance);
+static bool cal_iak_hash(struct instance_id_claim_source *instance,
+ const uint8_t *key_buf, size_t key_len);
+
+struct claim_source *instance_id_claim_source_init(struct instance_id_claim_source *instance)
+{
+ instance->base.get_claim = instance_id_claim_source_get_claim;
+ instance->base.context = instance;
+
+ instance->is_known = false;
+
+ return &instance->base;
+}
+
+static bool instance_id_claim_source_get_claim(void *context, struct claim *claim)
+{
+ struct instance_id_claim_source *instance = (struct instance_id_claim_source*)context;
+
+ if (!instance->is_known)
+ instance->is_known = prepare_instance_id(instance);
+
+ if (instance->is_known) {
+
+ claim->category = CLAIM_CATEGORY_DEVICE;
+ claim->subject_id = CLAIM_SUBJECT_ID_INSTANCE_ID;
+ claim->variant_id = CLAIM_VARIANT_ID_BYTE_STRING;
+ claim->raw_data = NULL;
+
+ claim->variant.byte_string.bytes = instance->instance_id;
+ claim->variant.byte_string.len = sizeof(instance->instance_id);
+ }
+
+ return instance->is_known;
+}
+
+static bool prepare_instance_id(struct instance_id_claim_source *instance)
+{
+ bool success = false;
+ size_t key_buf_size = attest_key_mngr_max_iak_export_size();
+ uint8_t *key_buf = malloc(key_buf_size);
+
+ if (key_buf) {
+
+ size_t key_len;
+ int status;
+
+ status = attest_key_mngr_export_iak_public_key(key_buf, key_buf_size, &key_len);
+
+ if (status == PSA_SUCCESS) {
+
+ success = cal_iak_hash(instance, key_buf, key_len);
+
+ /* Add the UEID type */
+ instance->instance_id[0] = 0x01;
+ }
+
+ free(key_buf);
+ }
+
+ return success;
+}
+
+static bool cal_iak_hash(struct instance_id_claim_source *instance,
+ const uint8_t *key_buf, size_t key_len)
+{
+ int status;
+ size_t hash_len;
+
+ psa_hash_operation_t op = psa_hash_operation_init();
+
+ status = psa_hash_setup(&op, PSA_ALG_SHA_256);
+ if (status != PSA_SUCCESS) return false;
+
+ status = psa_hash_update(&op, key_buf, key_len);
+ if (status != PSA_SUCCESS) return false;
+
+ status = psa_hash_finish(&op,
+ &instance->instance_id[1],
+ INSTANCE_ID_HASH_LEN,
+ &hash_len);
+
+ return (status == PSA_SUCCESS) && (hash_len == INSTANCE_ID_HASH_LEN);
+}
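Review bot: cal_iak_hash returns early when psa_hash_update fails, and also falls through a failed psa_hash_finish, without calling psa_hash_abort, so a failed operation is never released. The PSA Crypto API expects an operation that has been set up to be ended by a successful finish or by an abort. The function also hard-codes `PSA_ALG_SHA_256` and declares `int status`, although the header defines `INSTANCE_ID_HASH_ALG` and sizes the buffer from it; using the macro and `psa_status_t` keeps the algorithm and the length in step. In prepare_instance_id, `instance->instance_id[0] = 0x01;` runs even when the hash failed; that is harmless because `success` stays false, but moving it under a success check and naming the constant would make the intent clear.

```c
static bool cal_iak_hash(struct instance_id_claim_source *instance,
	const uint8_t *key_buf, size_t key_len)
{
	psa_status_t status;
	size_t hash_len = 0;
	psa_hash_operation_t op = psa_hash_operation_init();

	status = psa_hash_setup(&op, INSTANCE_ID_HASH_ALG);

	if (status == PSA_SUCCESS)
		status = psa_hash_update(&op, key_buf, key_len);

	if (status == PSA_SUCCESS)
		status = psa_hash_finish(&op,
			&instance->instance_id[1],
			INSTANCE_ID_HASH_LEN,
			&hash_len);

	/* Release the operation on any failure path */
	if (status != PSA_SUCCESS)
		psa_hash_abort(&op);

	return (status == PSA_SUCCESS) && (hash_len == INSTANCE_ID_HASH_LEN);
}
```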
diff --git a/components/service/attestation/claims/sources/instance_id/instance_id_claim_source.h b/components/service/attestation/claims/sources/instance_id/instance_id_claim_source.h
new file mode 100644
index 000000000..e02ad5e5d
--- /dev/null
+++ b/components/service/attestation/claims/sources/instance_id/instance_id_claim_source.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef INSTANCE_ID_CLAIM_SOURCE_H
+#define INSTANCE_ID_CLAIM_SOURCE_H
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <psa/crypto.h>
+#include <service/attestation/claims/claim_source.h>
+
+/* Instance ID defines */
+#define INSTANCE_ID_HASH_ALG PSA_ALG_SHA_256
+#define INSTANCE_ID_HASH_LEN PSA_HASH_SIZE(INSTANCE_ID_HASH_ALG)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * A claim_source that provides an identifier for the device,
+ * comprising a hash of the IAK public key.
+ */
+struct instance_id_claim_source
+{
+ struct claim_source base;
+
+ bool is_known;
+
+ /* Space for the hashed key + a single type byte (see EAT) */
+ uint8_t instance_id[INSTANCE_ID_HASH_LEN + 1];
+};
+
+/**
+ * \brief Initializes a struct instance_id_claim_source
+ *
+ * \param[in] instance The instance to initialze
+ *
+ * \return The initialize base claim_source structure
+ */
+struct claim_source *instance_id_claim_source_init(struct instance_id_claim_source *instance);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* INSTANCE_ID_CLAIM_SOURCE_H */
diff --git a/components/service/attestation/claims/sources/null_lifecycle/component.cmake b/components/service/attestation/claims/sources/null_lifecycle/component.cmake
new file mode 100644
index 000000000..a2ce3f23e
--- /dev/null
+++ b/components/service/attestation/claims/sources/null_lifecycle/component.cmake
@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/null_lifecycle_claim_source.c"
+ )
diff --git a/components/service/attestation/claims/sources/null_lifecycle/null_lifecycle_claim_source.c b/components/service/attestation/claims/sources/null_lifecycle/null_lifecycle_claim_source.c
new file mode 100644
index 000000000..add8bf9b8
--- /dev/null
+++ b/components/service/attestation/claims/sources/null_lifecycle/null_lifecycle_claim_source.c
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <service/attestation/claims/claim.h>
+#include <psa/lifecycle.h>
+#include "null_lifecycle_claim_source.h"
+
+static bool null_lifecycle_claim_source_get_claim(void *context, struct claim *claim);
+
+
+struct claim_source *null_lifecycle_claim_source_init(struct null_lifecycle_claim_source *instance)
+{
+ instance->base.get_claim = null_lifecycle_claim_source_get_claim;
+ instance->base.context = instance;
+
+ return &instance->base;
+}
+
+static bool null_lifecycle_claim_source_get_claim(void *context, struct claim *claim)
+{
+ (void)context;
+
+ claim->category = CLAIM_CATEGORY_DEVICE;
+ claim->subject_id = CLAIM_SUBJECT_ID_LIFECYCLE_STATE;
+ claim->variant_id = CLAIM_VARIANT_ID_INTEGER;
+ claim->raw_data = NULL;
+
+ claim->variant.integer.value = PSA_LIFECYCLE_UNKNOWN;
+ return true;
+}
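Review bot: null_lifecycle_claim_source_get_claim always returns true, so every report from a deployment using this source carries a signed lifecycle claim of PSA_LIFECYCLE_UNKNOWN, and nothing at the definition says so. The header explains the intent, but a reader of the .c file sees only the assignment. I would add above `claim->variant.integer.value = PSA_LIFECYCLE_UNKNOWN;` the comment `/* No hardware-backed lifecycle state: always report 'unknown'; a verifier must not treat this as PSA_LIFECYCLE_SECURED */`.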
diff --git a/components/service/attestation/claims/sources/null_lifecycle/null_lifecycle_claim_source.h b/components/service/attestation/claims/sources/null_lifecycle/null_lifecycle_claim_source.h
new file mode 100644
index 000000000..4780c8cad
--- /dev/null
+++ b/components/service/attestation/claims/sources/null_lifecycle/null_lifecycle_claim_source.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef NULL_LIFECYCLE_CLAIM_SOURCE_H
+#define NULL_LIFECYCLE_CLAIM_SOURCE_H
+
+#include <service/attestation/claims/claim_source.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Use this claim source in deployments where there is no hardware
+ * backed support for a device's lifecycle state. This claim
+ * source just returns a lifecycle state of 'unknown'.
+ */
+struct null_lifecycle_claim_source
+{
+ struct claim_source base;
+};
+
+/**
+ * \brief Initializes a struct null_lifecycle_claim_source
+ *
+ * \param[in] instance The instance to initialze
+ *
+ * \return The initialize base claim_source structure
+ */
+struct claim_source *null_lifecycle_claim_source_init(
+ struct null_lifecycle_claim_source *instance);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* NULL_LIFECYCLE_CLAIM_SOURCE_H */
diff --git a/components/service/attestation/include/psa/lifecycle.h b/components/service/attestation/include/psa/lifecycle.h
new file mode 100644
index 000000000..02dcafa42
--- /dev/null
+++ b/components/service/attestation/include/psa/lifecycle.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2020-2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#ifndef __PSA_LIFECYCLE_H__
+#define __PSA_LIFECYCLE_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define PSA_LIFECYCLE_PSA_STATE_MASK (0xff00u)
+#define PSA_LIFECYCLE_IMP_STATE_MASK (0x00ffu)
+#define PSA_LIFECYCLE_UNKNOWN (0x0000u)
+#define PSA_LIFECYCLE_ASSEMBLY_AND_TEST (0x1000u)
+#define PSA_LIFECYCLE_PSA_ROT_PROVISIONING (0x2000u)
+#define PSA_LIFECYCLE_SECURED (0x3000u)
+#define PSA_LIFECYCLE_NON_PSA_ROT_DEBUG (0x4000u)
+#define PSA_LIFECYCLE_RECOVERABLE_PSA_ROT_DEBUG (0x5000u)
+#define PSA_LIFECYCLE_DECOMMISSIONED (0x6000u)
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __PSA_LIFECYCLE_H__ */
diff --git a/components/service/attestation/key_mngr/attest_key_mngr.c b/components/service/attestation/key_mngr/attest_key_mngr.c
index 783d08fd9..cff1dcf6e 100644
--- a/components/service/attestation/key_mngr/attest_key_mngr.c
+++ b/components/service/attestation/key_mngr/attest_key_mngr.c
@@ -131,13 +131,18 @@ psa_status_t attest_key_mngr_export_iak_public_key(uint8_t *data,
return status;
}
-size_t attest_key_mngr_max_iak_key_size(void)
+size_t attest_key_mngr_max_iak_export_size(void)
{
return PSA_KEY_EXPORT_MAX_SIZE(
PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1)),
IAK_KEY_BITS);
}
+size_t attest_key_mngr_max_iak_import_size(void)
+{
+ return PSA_BITS_TO_BYTES(IAK_KEY_BITS);
+ }
+
psa_status_t attest_key_mngr_import_iak(const uint8_t *data, size_t data_length)
{
psa_status_t status = PSA_ERROR_NOT_PERMITTED;
diff --git a/components/service/attestation/key_mngr/attest_key_mngr.h b/components/service/attestation/key_mngr/attest_key_mngr.h
index f61619a39..0600be8b3 100644
--- a/components/service/attestation/key_mngr/attest_key_mngr.h
+++ b/components/service/attestation/key_mngr/attest_key_mngr.h
@@ -67,11 +67,18 @@ psa_status_t attest_key_mngr_export_iak_public_key(uint8_t *data,
size_t data_size, size_t *data_length);
/**
- * \brief Return maximum size of an IAK key-pair
+ * \brief Return maximum size of an exported IAK public key
*
- * \return Maximum size
+ * \return Maximum export size
*/
-size_t attest_key_mngr_max_iak_key_size(void);
+size_t attest_key_mngr_max_iak_export_size(void);
+
+/**
+ * \brief Return maximum size of an imported IAK key
+ *
+ * \return Maximum import size
+ */
+size_t attest_key_mngr_max_iak_import_size(void);
/**
* \brief Import the IAK key-pair
diff --git a/components/service/attestation/provider/attest_provider.c b/components/service/attestation/provider/attest_provider.c
index 460a6d065..9669ed606 100644
--- a/components/service/attestation/provider/attest_provider.c
+++ b/components/service/attestation/provider/attest_provider.c
@@ -168,7 +168,7 @@ static rpc_status_t export_iak_public_key_handler(void *context, struct call_req
if (serializer) {
- size_t max_key_size = attest_key_mngr_max_iak_key_size();
+ size_t max_key_size = attest_key_mngr_max_iak_export_size();
uint8_t *key_buffer = malloc(max_key_size);
@@ -207,7 +207,7 @@ static rpc_status_t import_iak_handler(void *context, struct call_req* req)
if (serializer) {
- size_t key_data_len = attest_key_mngr_max_iak_key_size();
+ size_t key_data_len = attest_key_mngr_max_iak_import_size();
uint8_t *key_buffer = malloc(key_data_len);
if (key_buffer) {
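Review bot: In import_iak_handler the request buffer is now sized by attest_key_mngr_max_iak_import_size(), which returns `PSA_BITS_TO_BYTES(IAK_KEY_BITS)` and is smaller than the public-key export size used before. The code that fills key_buffer is outside the hunk, so I cannot confirm it here: whatever deserializes the request should bound its copy by key_data_len and reject a longer key rather than truncate it. A comment at the malloc, such as `/* Sized for the imported key data; longer request data must be rejected, not truncated */`, would record that expectation.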
diff --git a/components/service/attestation/test/component/attestation_reporter_tests.cpp b/components/service/attestation/test/component/attestation_reporter_tests.cpp
index c83dc3c19..984af994f 100644
--- a/components/service/attestation/test/component/attestation_reporter_tests.cpp
+++ b/components/service/attestation/test/component/attestation_reporter_tests.cpp
@@ -5,18 +5,22 @@
*/
#include <psa/error.h>
+#include <psa/crypto.h>
+#include <psa/lifecycle.h>
#include <qcbor/qcbor_spiffy_decode.h>
#include <t_cose/t_cose_sign1_verify.h>
#include <service/attestation/claims/claims_register.h>
#include <service/attestation/claims/sources/event_log/event_log_claim_source.h>
#include <service/attestation/claims/sources/event_log/mock/mock_event_log.h>
-#include <service/attestation/claims/sources/preloaded/preloaded_claim_source.h>
+#include <service/attestation/claims/sources/boot_seed_generator/boot_seed_generator.h>
+#include <service/attestation/claims/sources/null_lifecycle/null_lifecycle_claim_source.h>
+#include <service/attestation/claims/sources/instance_id/instance_id_claim_source.h>
#include <service/attestation/reporter/attest_report.h>
#include <service/attestation/key_mngr/attest_key_mngr.h>
#include <service/attestation/test/common/report_dump.h>
#include <protocols/service/attestation/packed-c/eat.h>
#include <CppUTest/TestHarness.h>
-#include <psa/crypto.h>
+
TEST_GROUP(AttestationReporterTests)
{
@@ -36,10 +40,22 @@ TEST_GROUP(AttestationReporterTests)
*/
claims_register_init();
- /* Boot measurement source */
+ /* Boot measurement claim source */
claim_source = event_log_claim_source_init(&event_log_claim_source,
mock_event_log_start(), mock_event_log_size());
claims_register_add_claim_source(CLAIM_CATEGORY_BOOT_MEASUREMENT, claim_source);
+
+ /* Boot seed claim source */
+ claim_source = boot_seed_generator_init(&boot_seed_claim_source);
+ claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
+
+ /* Lifecycle state claim source */
+ claim_source = null_lifecycle_claim_source_init(&lifecycle_claim_source);
+ claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
+
+ /* Instance ID claim source */
+ claim_source = instance_id_claim_source_init(&instance_id_claim_source);
+ claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
}
void teardown()
@@ -50,6 +66,9 @@ TEST_GROUP(AttestationReporterTests)
}
struct event_log_claim_source event_log_claim_source;
+ struct boot_seed_generator boot_seed_claim_source;
+ struct null_lifecycle_claim_source lifecycle_claim_source;
+ struct instance_id_claim_source instance_id_claim_source;
const uint8_t *report;
size_t report_len;
};
@@ -126,6 +145,36 @@ TEST(AttestationReporterTests, createReport)
UNSIGNED_LONGS_EQUAL(sizeof(auth_challenge), auth_challenge_buf.len);
MEMCMP_EQUAL(auth_challenge, auth_challenge_buf.ptr, sizeof(auth_challenge));
+ /* Check the boot seed */
+ UsefulBufC boot_seed_buf;
+ boot_seed_buf.ptr = NULL;
+ boot_seed_buf.len = 0;
+ QCBORDecode_GetByteStringInMapN(&decode_ctx,
+ EAT_ARM_PSA_CLAIM_ID_BOOT_SEED, &boot_seed_buf);
+
+ LONGS_EQUAL(QCBOR_SUCCESS, QCBORDecode_GetError(&decode_ctx));
+ CHECK_TRUE(boot_seed_buf.ptr);
+ UNSIGNED_LONGS_EQUAL(sizeof(boot_seed_claim_source.boot_seed), boot_seed_buf.len);
+
+ /* Check the lifecycle state */
+ int64_t decoded_lifecycle_state = 0;
+ QCBORDecode_GetInt64InMapN(&decode_ctx,
+ EAT_ARM_PSA_CLAIM_ID_SECURITY_LIFECYCLE, &decoded_lifecycle_state);
+
+ LONGS_EQUAL(QCBOR_SUCCESS, QCBORDecode_GetError(&decode_ctx));
+ LONGS_EQUAL(PSA_LIFECYCLE_UNKNOWN, decoded_lifecycle_state);
+
+ /* Check the instance ID */
+ UsefulBufC instance_id_buf;
+ instance_id_buf.ptr = NULL;
+ instance_id_buf.len = 0;
+ QCBORDecode_GetByteStringInMapN(&decode_ctx,
+ EAT_ARM_PSA_CLAIM_ID_INSTANCE_ID, &instance_id_buf);
+
+ LONGS_EQUAL(QCBOR_SUCCESS, QCBORDecode_GetError(&decode_ctx));
+ CHECK_TRUE(instance_id_buf.ptr);
+ UNSIGNED_LONGS_EQUAL(sizeof(instance_id_claim_source.instance_id), instance_id_buf.len);
+
/* Shouldn't expect to see the 'NO_SW_COMPONENTS' claim */
int64_t no_sw = 0;
QCBORDecode_GetInt64InMapN(&decode_ctx, EAT_ARM_PSA_CLAIM_ID_NO_SW_COMPONENTS, &no_sw);
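Review bot: The new checks for the boot seed and the instance ID assert only the decoded length, so a report carrying a constant seed or an instance ID with the wrong type byte would still pass. instance_id_claim_source.c sets the first byte to 0x01, which the test can pin with `BYTES_EQUAL(0x01, ((const uint8_t*)instance_id_buf.ptr)[0]);` after the length check. Comparing the remaining bytes with a SHA-256 of the key returned by attest_key_mngr_export_iak_public_key would also tie the claim to the IAK that signs the report. The TEST body begins and ends outside this hunk.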
diff --git a/components/service/locator/standalone/services/attestation/attestation_service_context.cpp b/components/service/locator/standalone/services/attestation/attestation_service_context.cpp
index 302a536db..c23bf5c06 100644
--- a/components/service/locator/standalone/services/attestation/attestation_service_context.cpp
+++ b/components/service/locator/standalone/services/attestation/attestation_service_context.cpp
@@ -13,7 +13,10 @@
attestation_service_context::attestation_service_context(const char *sn) :
standalone_service_context(sn),
m_attest_provider(),
- m_event_log_claim_source()
+ m_event_log_claim_source(),
+ m_boot_seed_claim_source(),
+ m_lifecycle_claim_source(),
+ m_instance_id_claim_source()
{
}
@@ -36,11 +39,23 @@ void attestation_service_context::do_init()
*/
claims_register_init();
- /* Boot measurement source - uses mock event log */
+ /* Boot measurement claim source - uses mock event log */
claim_source = event_log_claim_source_init(&m_event_log_claim_source,
mock_event_log_start(), mock_event_log_size());
claims_register_add_claim_source(CLAIM_CATEGORY_BOOT_MEASUREMENT, claim_source);
+ /* Boot seed claim source */
+ claim_source = boot_seed_generator_init(&m_boot_seed_claim_source);
+ claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
+
+ /* Lifecycle state claim source */
+ claim_source = null_lifecycle_claim_source_init(&m_lifecycle_claim_source);
+ claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
+
+ /* Instance ID claim source */
+ claim_source = instance_id_claim_source_init(&m_instance_id_claim_source);
+ claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
+
/* Initialize the attestation service provider */
struct rpc_interface *attest_ep =
attest_provider_init(&m_attest_provider, ATTEST_KEY_MNGR_VOLATILE_IAK);
diff --git a/components/service/locator/standalone/services/attestation/attestation_service_context.h b/components/service/locator/standalone/services/attestation/attestation_service_context.h
index ad8d0eea8..8ccd93858 100644
--- a/components/service/locator/standalone/services/attestation/attestation_service_context.h
+++ b/components/service/locator/standalone/services/attestation/attestation_service_context.h
@@ -11,7 +11,9 @@
#include <rpc/direct/direct_caller.h>
#include <service/attestation/provider/attest_provider.h>
#include <service/attestation/claims/sources/event_log/event_log_claim_source.h>
-
+#include <service/attestation/claims/sources/boot_seed_generator/boot_seed_generator.h>
+#include <service/attestation/claims/sources/null_lifecycle/null_lifecycle_claim_source.h>
+#include <service/attestation/claims/sources/instance_id/instance_id_claim_source.h>
class attestation_service_context : public standalone_service_context
{
@@ -26,6 +28,9 @@ private:
struct attest_provider m_attest_provider;
struct event_log_claim_source m_event_log_claim_source;
+ struct boot_seed_generator m_boot_seed_claim_source;
+ struct null_lifecycle_claim_source m_lifecycle_claim_source;
+ struct instance_id_claim_source m_instance_id_claim_source;
};
#endif /* STANDALONE_ATTESTATION_SERVICE_CONTEXT_H */
diff --git a/deployments/component-test/component-test.cmake b/deployments/component-test/component-test.cmake
index a4ee13ed7..2a8556a0d 100644
--- a/deployments/component-test/component-test.cmake
+++ b/deployments/component-test/component-test.cmake
@@ -44,7 +44,9 @@ add_components(
"components/service/locator/standalone/services/attestation"
"components/service/attestation/include"
"components/service/attestation/claims"
- "components/service/attestation/claims/sources/preloaded"
+ "components/service/attestation/claims/sources/boot_seed_generator"
+ "components/service/attestation/claims/sources/null_lifecycle"
+ "components/service/attestation/claims/sources/instance_id"
"components/service/attestation/claims/sources/event_log"
"components/service/attestation/claims/sources/event_log/mock"
"components/service/attestation/claims/sources/event_log/test"
diff --git a/deployments/libts/linux-pc/CMakeLists.txt b/deployments/libts/linux-pc/CMakeLists.txt
index d1a96ae87..842f70245 100644
--- a/deployments/libts/linux-pc/CMakeLists.txt
+++ b/deployments/libts/linux-pc/CMakeLists.txt
@@ -43,7 +43,9 @@ add_components(
"components/service/locator/standalone/services/attestation"
"components/service/attestation/include"
"components/service/attestation/claims"
- "components/service/attestation/claims/sources/preloaded"
+ "components/service/attestation/claims/sources/boot_seed_generator"
+ "components/service/attestation/claims/sources/null_lifecycle"
+ "components/service/attestation/claims/sources/instance_id"
"components/service/attestation/claims/sources/event_log"
"components/service/attestation/claims/sources/event_log/mock"
"components/service/attestation/reporter/psa"