aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJulian Hall <julian.hall@arm.com>2021-08-12 11:52:11 +0100
committerGyorgy Szing <Gyorgy.Szing@arm.com>2021-10-06 00:49:10 +0200
commitb2954bca46785a40acfe4a56160f7b3b2d0d5863 (patch)
treeda4b81468e7bf94ebd9f9379e4af2f80915dbe68
parentfad352150cffe6da68498481898c1f1cc73ee330 (diff)
downloadtrusted-services-b2954bca46785a40acfe4a56160f7b3b2d0d5863.tar.gz
Remove dependencies on deprecated PSA crypto functionality
The attestation key manager and platform inspect application were using some deprecated PSA Crypto API funcationality related to use of the psa_key_handle_t type and psa_open_key and psa_close_key. Also aligns Mbed TLS configuration for Posix builds to changes in entropy related defines introduced in Mbed TLS 3.0.0. Signed-off-by: Julian Hall <julian.hall@arm.com> Change-Id: Iba882c999470bf035f1d15d02ff90b43b63ac84e
-rw-r--r--components/app/platform-inspect/attest_report_fetcher.cpp18
-rw-r--r--components/app/platform-inspect/platform_inspect.cpp9
-rw-r--r--components/service/attestation/key_mngr/attest_key_mngr.h8
-rw-r--r--components/service/attestation/key_mngr/local/local_attest_key_mngr.c191
-rw-r--r--components/service/attestation/key_mngr/local/local_attest_key_mngr.h4
-rw-r--r--components/service/attestation/key_mngr/stub/stub_attest_key_mngr.c7
-rw-r--r--components/service/attestation/reporter/eat/eat_signer.c4
-rw-r--r--components/service/attestation/reporter/eat/eat_signer.h8
-rw-r--r--components/service/attestation/reporter/local/local_attest_report.c6
-rw-r--r--components/service/attestation/test/component/attestation_reporter_tests.cpp8
-rw-r--r--components/service/crypto/backend/mbedcrypto/config_mbedtls_user.h2
-rw-r--r--components/service/crypto/client/cpp/config_mbedtls_user.h12
12 files changed, 138 insertions, 139 deletions
diff --git a/components/app/platform-inspect/attest_report_fetcher.cpp b/components/app/platform-inspect/attest_report_fetcher.cpp
index d2277b4..4e43467 100644
--- a/components/app/platform-inspect/attest_report_fetcher.cpp
+++ b/components/app/platform-inspect/attest_report_fetcher.cpp
@@ -18,9 +18,9 @@
#include <t_cose/t_cose_sign1_verify.h>
static bool fetch_and_verify(std::vector<uint8_t> &report, std::string &error_msg);
-static bool fetch_iak_public_key(psa_key_handle_t &iak_handle, std::string &error_msg);
+static bool fetch_iak_public_key(psa_key_id_t &iak_id, std::string &error_msg);
static bool verify_token(std::vector<uint8_t> &report, const uint8_t *token, size_t token_len,
- psa_key_handle_t iak_handle, std::string &error_msg);
+ psa_key_id_t iak_id, std::string &error_msg);
bool fetch_attest_report(std::vector<uint8_t> &report, std::string &error_msg)
{
@@ -69,10 +69,10 @@ static bool fetch_and_verify(std::vector<uint8_t> &report, std::string &error_ms
bool success = false;
uint8_t token_buf[PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE];
uint8_t challenge[PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32];
- psa_key_handle_t iak_handle;
+ psa_key_id_t iak_id;
int status;
- if (!fetch_iak_public_key(iak_handle, error_msg)) {
+ if (!fetch_iak_public_key(iak_id, error_msg)) {
return false;
}
@@ -93,7 +93,7 @@ static bool fetch_and_verify(std::vector<uint8_t> &report, std::string &error_ms
if (status == PSA_SUCCESS) {
- success = verify_token(report, token_buf, token_size, iak_handle, error_msg);
+ success = verify_token(report, token_buf, token_size, iak_id, error_msg);
}
else {
@@ -103,7 +103,7 @@ static bool fetch_and_verify(std::vector<uint8_t> &report, std::string &error_ms
return success;
}
-static bool fetch_iak_public_key(psa_key_handle_t &iak_handle, std::string &error_msg)
+static bool fetch_iak_public_key(psa_key_id_t &iak_id, std::string &error_msg)
{
size_t iak_pub_key_len = 0;
uint8_t iak_pub_key_buf[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
@@ -122,7 +122,7 @@ static bool fetch_iak_public_key(psa_key_handle_t &iak_handle, std::string &erro
psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));
psa_set_key_bits(&attributes, 256);
- status = psa_import_key(&attributes, iak_pub_key_buf, iak_pub_key_len, &iak_handle);
+ status = psa_import_key(&attributes, iak_pub_key_buf, iak_pub_key_len, &iak_id);
if (status != PSA_SUCCESS) {
@@ -141,12 +141,12 @@ static bool fetch_iak_public_key(psa_key_handle_t &iak_handle, std::string &erro
}
static bool verify_token(std::vector<uint8_t> &report, const uint8_t *token, size_t token_len,
- psa_key_handle_t iak_handle, std::string &error_msg)
+ psa_key_id_t iak_id, std::string &error_msg)
{
struct t_cose_sign1_verify_ctx verify_ctx;
struct t_cose_key key_pair;
- key_pair.k.key_handle = iak_handle;
+ key_pair.k.key_handle = iak_id;
key_pair.crypto_lib = T_COSE_CRYPTO_LIB_PSA;
UsefulBufC signed_cose;
UsefulBufC report_body;
diff --git a/components/app/platform-inspect/platform_inspect.cpp b/components/app/platform-inspect/platform_inspect.cpp
index fd0e05b..93c8f88 100644
--- a/components/app/platform-inspect/platform_inspect.cpp
+++ b/components/app/platform-inspect/platform_inspect.cpp
@@ -18,7 +18,14 @@ int main(int argc, char *argv[])
{
int rval = -1;
- psa_crypto_init();
+ psa_status_t psa_status = psa_crypto_init();
+
+ if (psa_status != PSA_SUCCESS) {
+
+ printf("psa_crypto_init failed: %d\n", psa_status);
+ return rval;
+ }
+
service_locator_init();
/* Fetch platform info */
diff --git a/components/service/attestation/key_mngr/attest_key_mngr.h b/components/service/attestation/key_mngr/attest_key_mngr.h
index b27d92b..f346b77 100644
--- a/components/service/attestation/key_mngr/attest_key_mngr.h
+++ b/components/service/attestation/key_mngr/attest_key_mngr.h
@@ -26,15 +26,15 @@ extern "C" {
*/
/**
- * \brief Get the IAK key handle
+ * \brief Get the IAK key id
*
* If an IAK doesn't exist, one will be generated. This supports the
* generate-on-first-run strategy.
*
- * \param[out] iak_handle The returned key handle
+ * \param[out] iak_id The returned key id
* \return Status
*/
-psa_status_t attest_key_mngr_get_iak_handle(psa_key_handle_t *iak_handle);
+psa_status_t attest_key_mngr_get_iak_id(psa_key_id_t *iak_id);
/**
* \brief Export the IAK public key
@@ -48,7 +48,7 @@ psa_status_t attest_key_mngr_get_iak_handle(psa_key_handle_t *iak_handle);
* \return Status
*/
psa_status_t attest_key_mngr_export_iak_public_key(uint8_t *data,
- size_t data_size, size_t *data_length);
+ size_t data_size, size_t *data_length);
/**
* \brief Import the IAK key-pair
diff --git a/components/service/attestation/key_mngr/local/local_attest_key_mngr.c b/components/service/attestation/key_mngr/local/local_attest_key_mngr.c
index 104d04f..d11d585 100644
--- a/components/service/attestation/key_mngr/local/local_attest_key_mngr.c
+++ b/components/service/attestation/key_mngr/local/local_attest_key_mngr.c
@@ -14,9 +14,8 @@
*/
static struct local_attest_key_mngr
{
- bool is_iak_open;
- psa_key_id_t iak_id;
- psa_key_handle_t iak_handle;
+ psa_key_id_t cfg_iak_id; /* The configured IAK key id (zero for volatile) */
+ psa_key_id_t iak_id; /* The actual IAK key id */
} instance;
/* Local defines */
@@ -26,20 +25,20 @@ static struct local_attest_key_mngr
* \brief Set the IAK key attributes
*
* \param[out] attribute Key attributes object to set
- * \param[in] key_id The IAK key id or zero for volatile key
+ * \param[in] cfg_iak_id The configured IAK key id or zero for volatile key
*/
-static void set_iak_attributes(psa_key_attributes_t *attributes, psa_key_id_t key_id)
+static void set_iak_attributes(psa_key_attributes_t *attributes, psa_key_id_t cfg_iak_id)
{
- if (key_id)
- psa_set_key_id(attributes, key_id);
- else
- psa_set_key_lifetime(attributes, PSA_KEY_LIFETIME_VOLATILE);
+ if (cfg_iak_id)
+ psa_set_key_id(attributes, cfg_iak_id);
+ else
+ psa_set_key_lifetime(attributes, PSA_KEY_LIFETIME_VOLATILE);
- psa_set_key_usage_flags(attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_usage_flags(attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH);
- psa_set_key_algorithm(attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
- psa_set_key_type(attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
- psa_set_key_bits(attributes, IAK_KEY_BITS);
+ psa_set_key_algorithm(attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
+ psa_set_key_type(attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
+ psa_set_key_bits(attributes, IAK_KEY_BITS);
}
/**
@@ -48,146 +47,138 @@ static void set_iak_attributes(psa_key_attributes_t *attributes, psa_key_id_t ke
* If an IAK hasn't been provisioned during manufacture, there is the
* option to generate a persistent IAK on first run.
*
- * \param[in] key_id The IAK key id or zero for volatile key
- * \param[out] iak_handle The returned key handle
+ * \param[in] cfg_iak_id The configured IAK key id or zero for volatile key
+ * \param[out] iak_id The returned IAK key id
*
* \return Status
*/
-static psa_status_t generate_iak(psa_key_id_t key_id, psa_key_handle_t *iak_handle)
+static psa_status_t generate_iak(psa_key_id_t cfg_iak_id, psa_key_id_t *iak_id)
{
- psa_status_t status;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- set_iak_attributes(&attributes, key_id);
- status = psa_generate_key(&attributes, iak_handle);
+ set_iak_attributes(&attributes, cfg_iak_id);
+ status = psa_generate_key(&attributes, iak_id);
- psa_reset_key_attributes(&attributes);
+ psa_reset_key_attributes(&attributes);
- return status;
+ return status;
}
-void local_attest_key_mngr_init(psa_key_id_t iak_id)
+void local_attest_key_mngr_init(psa_key_id_t cfg_iak_id)
{
- instance.is_iak_open = false;
- instance.iak_id = iak_id;
- instance.iak_handle = -1;
+ instance.cfg_iak_id = cfg_iak_id;
+ instance.iak_id = 0;
}
void local_attest_key_mngr_deinit(void)
{
- if (instance.is_iak_open && !instance.iak_id) {
+ if (!instance.cfg_iak_id && instance.iak_id) {
- /* Clean-up if IAK is volatile */
- psa_destroy_key(instance.iak_handle);
- instance.is_iak_open = false;
- }
+ /* Clean-up if IAK is volatile */
+ psa_destroy_key(instance.iak_id);
+ instance.iak_id = 0;
+ }
}
-psa_status_t attest_key_mngr_get_iak_handle(psa_key_handle_t *iak_handle)
+psa_status_t attest_key_mngr_get_iak_id(psa_key_id_t *iak_id)
{
- psa_status_t status = PSA_SUCCESS;
+ psa_status_t status = PSA_SUCCESS;
- if (!instance.is_iak_open) {
+ if (!instance.iak_id) {
- if (instance.iak_id) {
+ if (instance.cfg_iak_id) {
- /* A valid key id has been specified so treat as a persistent key
- * that will normally already exist.
- */
- status = psa_open_key(instance.iak_id, &instance.iak_handle);
+ /* A valid key id has been configured so treat as a persistent key
+ * that will normally already exist.
+ */
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ status = psa_get_key_attributes(instance.cfg_iak_id, &attributes);
- if (status != PSA_SUCCESS) {
+ if (status == PSA_SUCCESS) {
- /* First run and no key has been provisioned */
- status = generate_iak(instance.iak_id, &instance.iak_handle);
- }
- }
- else {
+ /* A persistent key has already been provisioned */
+ instance.iak_id = psa_get_key_id(&attributes);
+ }
+ else {
- /* An invalid key id has been specified which indicates that a
- * volatile key should be generated. This is option is intended
- * for test purposes only.
- */
- status = generate_iak(instance.iak_id, &instance.iak_handle);
- }
+ /* First run and no key has been provisioned */
+ status = generate_iak(instance.iak_id, &instance.iak_id);
+ }
- instance.is_iak_open = (status == PSA_SUCCESS);
- }
+ psa_reset_key_attributes(&attributes);
+ }
+ else {
- *iak_handle = instance.iak_handle;
- return status;
+ /* An invalid key id has been specified which indicates that a
+ * volatile key should be generated. This is option is intended
+ * for test purposes only.
+ */
+ status = generate_iak(instance.cfg_iak_id, &instance.iak_id);
+ }
+ }
+
+ *iak_id = instance.iak_id;
+ return status;
}
-psa_status_t attest_key_mngr_export_iak_public_key(uint8_t *data,
- size_t data_size, size_t *data_length)
+psa_status_t attest_key_mngr_export_iak_public_key(
+ uint8_t *data, size_t data_size, size_t *data_length)
{
- psa_key_handle_t handle;
- psa_status_t status = attest_key_mngr_get_iak_handle(&handle);
+ psa_key_id_t id;
+ psa_status_t status = attest_key_mngr_get_iak_id(&id);
- if (status == PSA_SUCCESS) {
+ if (status == PSA_SUCCESS) {
- status = psa_export_public_key(handle, data, data_size, data_length);
- }
+ status = psa_export_public_key(id, data, data_size, data_length);
+ }
- return status;
+ return status;
}
size_t attest_key_mngr_max_iak_export_size(void)
{
- return PSA_EXPORT_KEY_OUTPUT_SIZE(
- PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)),
- IAK_KEY_BITS);
+ return PSA_EXPORT_KEY_OUTPUT_SIZE(
+ PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)),
+ IAK_KEY_BITS);
}
size_t attest_key_mngr_max_iak_import_size(void)
{
- return PSA_BITS_TO_BYTES(IAK_KEY_BITS);
+ return PSA_BITS_TO_BYTES(IAK_KEY_BITS);
}
psa_status_t attest_key_mngr_import_iak(const uint8_t *data, size_t data_length)
{
- psa_status_t status = PSA_ERROR_NOT_PERMITTED;
-
- if (!instance.is_iak_open) {
-
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- set_iak_attributes(&attributes, instance.iak_id);
-
- if (instance.iak_id) {
+ psa_status_t status = PSA_ERROR_NOT_PERMITTED;
- /* A valid key id has been specified so only allow import
- * if no persistent key for the key id exists.
- */
- if (psa_open_key(instance.iak_id, &instance.iak_handle) == PSA_ERROR_DOES_NOT_EXIST) {
+ if (!instance.iak_id) {
- /* Allow persistent key to be provisioned */
- status = psa_import_key(&attributes, data, data_length, &instance.iak_handle);
- }
- }
- else {
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ set_iak_attributes(&attributes, instance.cfg_iak_id);
- /* It's a volatile key so allow a once-per-boot import */
- status = psa_import_key(&attributes, data, data_length, &instance.iak_handle);
- }
+ status = psa_import_key(&attributes, data, data_length, &instance.iak_id);
- psa_reset_key_attributes(&attributes);
+ psa_reset_key_attributes(&attributes);
+ }
- instance.is_iak_open = (status == PSA_SUCCESS);
- }
-
- return status;
+ return status;
}
bool attest_key_mngr_iak_exists(void)
{
- if (!instance.is_iak_open && instance.iak_id) {
+ bool exists = false;
+
+ psa_key_id_t key_id = (instance.iak_id) ? instance.iak_id : instance.cfg_iak_id;
+
+ if (key_id) {
+
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status = psa_get_key_attributes(key_id, &attributes);
+ psa_reset_key_attributes(&attributes);
- /* A persistent key ID is specified so the key might
- * exist but has not been opened yet.
- */
- psa_status_t status = psa_open_key(instance.iak_id, &instance.iak_handle);
- instance.is_iak_open = (status == PSA_SUCCESS);
- }
+ exists = (status == PSA_SUCCESS);
+ }
- return instance.is_iak_open;
+ return exists;
}
diff --git a/components/service/attestation/key_mngr/local/local_attest_key_mngr.h b/components/service/attestation/key_mngr/local/local_attest_key_mngr.h
index e327422..4c356ae 100644
--- a/components/service/attestation/key_mngr/local/local_attest_key_mngr.h
+++ b/components/service/attestation/key_mngr/local/local_attest_key_mngr.h
@@ -32,9 +32,9 @@ extern "C" {
* is passed, a volatile IAK will be generated. This is useful
* for test purposes.
*
- * \param[in] iak_id The key id for the IAK
+ * \param[in] cfg_iak_id The configured IAK key id (zero for volatile)
*/
-void local_attest_key_mngr_init(psa_key_id_t iak_id);
+void local_attest_key_mngr_init(psa_key_id_t cfg_iak_id);
/**
* \brief De-initialize the attest_key_mngr
diff --git a/components/service/attestation/key_mngr/stub/stub_attest_key_mngr.c b/components/service/attestation/key_mngr/stub/stub_attest_key_mngr.c
index d07e804..7f86861 100644
--- a/components/service/attestation/key_mngr/stub/stub_attest_key_mngr.c
+++ b/components/service/attestation/key_mngr/stub/stub_attest_key_mngr.c
@@ -7,8 +7,8 @@
#include <psa/error.h>
#include <service/attestation/key_mngr/attest_key_mngr.h>
-psa_status_t attest_key_mngr_get_iak_handle(
- psa_key_handle_t *iak_handle)
+psa_status_t attest_key_mngr_get_iak_id(
+ psa_key_id_t *iak_id)
{
return PSA_ERROR_NOT_SUPPORTED;
}
@@ -29,7 +29,8 @@ size_t attest_key_mngr_max_iak_import_size(void)
return 0;
}
-psa_status_t attest_key_mngr_import_iak(const uint8_t *data, size_t data_length)
+psa_status_t attest_key_mngr_import_iak(
+ const uint8_t *data, size_t data_length)
{
return PSA_ERROR_NOT_SUPPORTED;
}
diff --git a/components/service/attestation/reporter/eat/eat_signer.c b/components/service/attestation/reporter/eat/eat_signer.c
index 08756e7..c021a38 100644
--- a/components/service/attestation/reporter/eat/eat_signer.c
+++ b/components/service/attestation/reporter/eat/eat_signer.c
@@ -13,7 +13,7 @@
static bool alloc_output_buf(struct q_useful_buf *buf, size_t input_len);
static int t_cose_to_psa_status(enum t_cose_err_t t_cose_status);
-int eat_sign(psa_key_handle_t key_handle,
+int eat_sign(psa_key_id_t key_id,
const uint8_t *unsigned_token, size_t unsigned_token_len,
const uint8_t **signed_token, size_t *signed_token_len)
{
@@ -33,7 +33,7 @@ int eat_sign(psa_key_handle_t key_handle,
return PSA_ERROR_INSUFFICIENT_MEMORY;
/* Initialize signing context */
- signing_key.k.key_handle = key_handle;
+ signing_key.k.key_handle = key_id;
signing_key.crypto_lib = T_COSE_CRYPTO_LIB_PSA;
t_cose_sign1_sign_init(&sign_ctx, 0, T_COSE_ALGORITHM_ES256);
t_cose_sign1_set_signing_key(&sign_ctx, signing_key, NULL_Q_USEFUL_BUF_C);
diff --git a/components/service/attestation/reporter/eat/eat_signer.h b/components/service/attestation/reporter/eat/eat_signer.h
index 421cbc2..4b1122a 100644
--- a/components/service/attestation/reporter/eat/eat_signer.h
+++ b/components/service/attestation/reporter/eat/eat_signer.h
@@ -18,7 +18,7 @@ extern "C" {
/**
* \brief Sign the serialized EAT token
*
- * \param[in] key_handle Signing key handle
+ * \param[in] key_id Signing key id
* \param[in] unsigned_token The token to sign
* \param[in] unsigned_token_len The token to sign
* \param[out] signed_token The signed token
@@ -26,9 +26,9 @@ extern "C" {
*
* \return Operation status
*/
-int eat_sign(psa_key_handle_t key_handle,
- const uint8_t *unsigned_token, size_t unsigned_token_len,
- const uint8_t **signed_token, size_t *signed_token_len);
+int eat_sign(psa_key_id_t key_id,
+ const uint8_t *unsigned_token, size_t unsigned_token_len,
+ const uint8_t **signed_token, size_t *signed_token_len);
#ifdef __cplusplus
diff --git a/components/service/attestation/reporter/local/local_attest_report.c b/components/service/attestation/reporter/local/local_attest_report.c
index 8da9d51..9a1830f 100644
--- a/components/service/attestation/reporter/local/local_attest_report.c
+++ b/components/service/attestation/reporter/local/local_attest_report.c
@@ -38,14 +38,14 @@ int attest_report_create(int32_t client_id,
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
struct claim_vector device_claims;
struct claim_vector sw_claims;
- psa_key_handle_t key_handle;
+ psa_key_id_t key_id;
*report = NULL;
*report_len = 0;
if (!validate_challenge(auth_challenge_len)) return PSA_ERROR_INVALID_ARGUMENT;
- status = attest_key_mngr_get_iak_handle(&key_handle);
+ status = attest_key_mngr_get_iak_id(&key_id);
if (status != PSA_SUCCESS) return status;
claim_vector_init(&device_claims, MAX_DEVICE_CLAIMS);
@@ -70,7 +70,7 @@ int attest_report_create(int32_t client_id,
&unsigned_token, &unsigned_token_len);
if (status == PSA_SUCCESS) {
- status = eat_sign(key_handle,
+ status = eat_sign(key_id,
unsigned_token, unsigned_token_len,
report, report_len);
}
diff --git a/components/service/attestation/test/component/attestation_reporter_tests.cpp b/components/service/attestation/test/component/attestation_reporter_tests.cpp
index 0ef31c2..ed5ac14 100644
--- a/components/service/attestation/test/component/attestation_reporter_tests.cpp
+++ b/components/service/attestation/test/component/attestation_reporter_tests.cpp
@@ -85,9 +85,9 @@ TEST(AttestationReporterTests, createReport)
17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
};
- /* Retrieve the IAK handle */
- psa_key_handle_t iak_handle;
- status = attest_key_mngr_get_iak_handle(&iak_handle);
+ /* Retrieve the IAK id */
+ psa_key_id_t iak_id;
+ status = attest_key_mngr_get_iak_id(&iak_id);
LONGS_EQUAL(PSA_SUCCESS, status);
/* Create a report */
@@ -106,7 +106,7 @@ TEST(AttestationReporterTests, createReport)
struct t_cose_sign1_verify_ctx verify_ctx;
struct t_cose_key key_pair;
- key_pair.k.key_handle = iak_handle;
+ key_pair.k.key_handle = iak_id;
key_pair.crypto_lib = T_COSE_CRYPTO_LIB_PSA;
UsefulBufC signed_cose;
UsefulBufC report_body;
diff --git a/components/service/crypto/backend/mbedcrypto/config_mbedtls_user.h b/components/service/crypto/backend/mbedcrypto/config_mbedtls_user.h
index aa2a7d2..95b6a3a 100644
--- a/components/service/crypto/backend/mbedcrypto/config_mbedtls_user.h
+++ b/components/service/crypto/backend/mbedcrypto/config_mbedtls_user.h
@@ -19,8 +19,8 @@
#define MBEDTLS_NO_UDBL_DIVISION
#undef MBEDTLS_HAVE_TIME
#undef MBEDTLS_HAVE_TIME_DATE
-#define MBEDTLS_ENTROPY_HARDWARE_ALT
#undef MBEDTLS_FS_IO
+#define MBEDTLS_ENTROPY_HARDWARE_ALT
#define MBEDTLS_NO_PLATFORM_ENTROPY
#undef MBEDTLS_SELF_TEST
#undef MBEDTLS_PLATFORM_C
diff --git a/components/service/crypto/client/cpp/config_mbedtls_user.h b/components/service/crypto/client/cpp/config_mbedtls_user.h
index 5adc4b2..7b3134e 100644
--- a/components/service/crypto/client/cpp/config_mbedtls_user.h
+++ b/components/service/crypto/client/cpp/config_mbedtls_user.h
@@ -7,18 +7,18 @@
#ifndef CONFIG_MBEDTLS_USER_H
#define CONFIG_MBEDTLS_USER_H
-/* Configuration for crypto client component */
-
+/* Mbed TLS configuration for using libmbedcrypto in
+ * a Posix environment. Supported crypto operations
+ * are configured separately via the PSA crypto build
+ * interface (PSA_WANT_xxx).
+ */
+#define MBEDTLS_PSA_CRYPTO_CONFIG
#define MBEDTLS_NO_UDBL_DIVISION
#undef MBEDTLS_HAVE_TIME
#undef MBEDTLS_HAVE_TIME_DATE
-#define MBEDTLS_TEST_NULL_ENTROPY
#undef MBEDTLS_FS_IO
-#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
-#define MBEDTLS_NO_PLATFORM_ENTROPY
#undef MBEDTLS_SELF_TEST
#undef MBEDTLS_AESNI_C
-#define MBEDTLS_CMAC_C
#undef MBEDTLS_PADLOCK_C
#undef MBEDTLS_PLATFORM_C
#undef MBEDTLS_PSA_CRYPTO_STORAGE_C