authorjulhal01 <julian.hall@arm.com>2021-03-08 13:32:08 +0000
committerGyörgy Szing <gyorgy.szing@arm.com>2021-07-01 12:19:19 +0200
commit3a4207dc7d5be5a4723168b864e6957d526fa5e5 (patch)
tree88ddd84d43535745dd0bea4838d3834e8ddc7026 /components
parent7791cb1c9fa378c9394e77850d7f22cad1dbd043 (diff)
Add protected-storage and internal-trusted-storage deployments
Adds SP deployments for protected-storage and internal-trusted-storage, replacing the secure-storage deployment. Includes service-level tests based on PSA ITS and PS APIs. Amended to fix discovery bugs of storage sp from another sp. Signed-off-by: Julian Hall <julian.hall@arm.com> Change-Id: Ia1a8b6b1b694f00034c69b6d03018faa4b2588e6
Diffstat (limited to 'components')
-rw-r--r--components/service/crypto/client/test/mock/mock_crypto_client.cpp127
-rw-r--r--components/service/crypto/client/test/mock/mock_crypto_client.h49
-rw-r--r--components/service/crypto/client/test/standalone/standalone_crypto_client.cpp11
-rw-r--r--components/service/crypto/client/test/standalone/standalone_crypto_client.h2
-rw-r--r--components/service/crypto/provider/mbedcrypto/crypto_provider.c10
-rw-r--r--components/service/crypto/provider/mbedcrypto/crypto_provider.h5
-rw-r--r--components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp2
-rw-r--r--components/service/locator/linux/ffa/linuxffa_location_strategy.c7
-rw-r--r--components/service/locator/standalone/services/crypto/crypto_service_context.cpp54
-rw-r--r--components/service/locator/standalone/services/crypto/crypto_service_context.h9
-rw-r--r--components/service/locator/standalone/services/internal-trusted-storage/component.cmake14
-rw-r--r--components/service/locator/standalone/services/internal-trusted-storage/its_service_context.cpp34
-rw-r--r--components/service/locator/standalone/services/internal-trusted-storage/its_service_context.h29
-rw-r--r--components/service/locator/standalone/services/protected-storage/component.cmake (renamed from components/service/crypto/client/test/mock/component.cmake)4
-rw-r--r--components/service/locator/standalone/services/protected-storage/ps_service_context.cpp34
-rw-r--r--components/service/locator/standalone/services/protected-storage/ps_service_context.h29
-rw-r--r--components/service/locator/standalone/standalone_env.cpp10
-rw-r--r--components/service/secure_storage/backend/null_store/component.cmake14
-rw-r--r--components/service/secure_storage/backend/null_store/null_store.c136
-rw-r--r--components/service/secure_storage/backend/null_store/null_store.h37
-rw-r--r--components/service/secure_storage/factory/common/sfs/component.cmake14
-rw-r--r--components/service/secure_storage/factory/common/sfs/storage_factory.c30
-rw-r--r--components/service/secure_storage/factory/sp/optee_trusted_store/component.cmake14
-rw-r--r--components/service/secure_storage/factory/sp/optee_trusted_store/storage_factory.c102
-rw-r--r--components/service/secure_storage/factory/sp/rot_store/component.cmake14
-rw-r--r--components/service/secure_storage/factory/sp/rot_store/storage_factory.c149
-rw-r--r--components/service/secure_storage/factory/storage_factory.h85
-rw-r--r--components/service/secure_storage/test/service/component.cmake15
-rw-r--r--components/service/secure_storage/test/service/its_service_tests.cpp63
-rw-r--r--components/service/secure_storage/test/service/ps_service_tests.cpp77
30 files changed, 969 insertions, 211 deletions
diff --git a/components/service/crypto/client/test/mock/mock_crypto_client.cpp b/components/service/crypto/client/test/mock/mock_crypto_client.cpp
deleted file mode 100644
index 96195a8dc..000000000
--- a/components/service/crypto/client/test/mock/mock_crypto_client.cpp
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-#include "mock_crypto_client.h"
-#include <service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.h>
-#include <service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.h>
-
-mock_crypto_client::mock_crypto_client() :
- test_crypto_client(),
- m_crypto_provider(),
- m_storage_provider(),
- m_crypto_caller(),
- m_storage_caller()
-{
-
-}
-
-mock_crypto_client::~mock_crypto_client()
-{
-
-}
-
-bool mock_crypto_client::init()
-{
- bool should_do = test_crypto_client::init();
-
- if (should_do) {
-
- struct rpc_interface *storage_ep = mock_store_provider_init(&m_storage_provider);
- struct rpc_caller *storage_caller = direct_caller_init_default(&m_storage_caller,
- storage_ep);
-
- struct rpc_interface *crypto_ep = mbed_crypto_provider_init(&m_crypto_provider,
- storage_caller, 0);
- struct rpc_caller *crypto_caller = direct_caller_init_default(&m_crypto_caller,
- crypto_ep);
-
- mbed_crypto_provider_register_serializer(&m_crypto_provider,
- TS_RPC_ENCODING_PROTOBUF, pb_crypto_provider_serializer_instance());
-
- mbed_crypto_provider_register_serializer(&m_crypto_provider,
- TS_RPC_ENCODING_PACKED_C, packedc_crypto_provider_serializer_instance());
-
- rpc_caller_set_encoding_scheme(crypto_caller, TS_RPC_ENCODING_PROTOBUF);
-
- crypto_client::set_caller(crypto_caller);
- }
-
- return should_do;
-}
-
-bool mock_crypto_client::deinit()
-{
- bool should_do = test_crypto_client::deinit();
-
- if (should_do) {
-
- mbed_crypto_provider_deinit(&m_crypto_provider);
- mock_store_provider_deinit(&m_storage_provider);
-
- direct_caller_deinit(&m_storage_caller);
- direct_caller_deinit(&m_crypto_caller);
- }
-
- return should_do;
-}
-
-/* Test Methods */
-bool mock_crypto_client::keystore_reset_is_supported() const
-{
- return true;
-}
-
-void mock_crypto_client::keystore_reset()
-{
- mock_store_reset(&m_storage_provider);
-}
-
-bool mock_crypto_client::keystore_key_exists_is_supported() const
-{
- return true;
-}
-
-bool mock_crypto_client::keystore_key_exists(uint32_t id) const
-{
- return mock_store_exists(&m_storage_provider, id);
-}
-
-bool mock_crypto_client::keystore_keys_held_is_supported() const
-{
- return true;
-}
-
-size_t mock_crypto_client::keystore_keys_held() const
-{
- return mock_store_num_items(&m_storage_provider);
-}
-
-/* Factory for creating mock_crypto_client objects */
-class mock_crypto_client_factory : public test_crypto_client::factory
-{
-public:
- mock_crypto_client_factory() :
- test_crypto_client::factory()
- {
- test_crypto_client::register_factory(this);
- }
-
- ~mock_crypto_client_factory()
- {
- test_crypto_client::deregister_factory(this);
- }
-
- test_crypto_client *create()
- {
- return new mock_crypto_client;
- };
-};
-
-/*
- * Static construction causes this to be registered
- * as the default factory for constructing test_crypto_client objects.
- */
-static mock_crypto_client_factory default_factory;
diff --git a/components/service/crypto/client/test/mock/mock_crypto_client.h b/components/service/crypto/client/test/mock/mock_crypto_client.h
deleted file mode 100644
index 92ee6a993..000000000
--- a/components/service/crypto/client/test/mock/mock_crypto_client.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (c) 2020, Arm Limited and Contributors. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-#ifndef MOCK_CRYPTO_CLIENT_H
-#define MOCK_CRYPTO_CLIENT_H
-
-#include <service/crypto/client/test/test_crypto_client.h>
-#include <rpc/direct/direct_caller.h>
-#include <service/crypto/provider/mbedcrypto/crypto_provider.h>
-#include <service/secure_storage/provider/mock_store/mock_store_provider.h>
-
-/*
- * A specialization of the crypto_client class that extends it to add crypto
- * and storage providers to offer a viable crypto service from a single object.
- * The mock_store storage provider is used for persistent key storage.
- * This is only used for test purposes and should not be used for production
- * deployments. Provides methods used for inspecting service state that
- * support test.
- */
-class mock_crypto_client : public test_crypto_client
-{
-public:
- mock_crypto_client();
- virtual ~mock_crypto_client();
-
- bool init();
- bool deinit();
-
- /* Test support methods */
- bool keystore_reset_is_supported() const;
- void keystore_reset();
-
- bool keystore_key_exists_is_supported() const;
- bool keystore_key_exists(uint32_t id) const;
-
- bool keystore_keys_held_is_supported() const;
- size_t keystore_keys_held() const;
-
-private:
- struct mbed_crypto_provider m_crypto_provider;
- struct mock_store_provider m_storage_provider;
- struct direct_caller m_crypto_caller;
- struct direct_caller m_storage_caller;
-};
-
-#endif /* MOCK_CRYPTO_CLIENT_H */
diff --git a/components/service/crypto/client/test/standalone/standalone_crypto_client.cpp b/components/service/crypto/client/test/standalone/standalone_crypto_client.cpp
index c57cbba72..56d20c58a 100644
--- a/components/service/crypto/client/test/standalone/standalone_crypto_client.cpp
+++ b/components/service/crypto/client/test/standalone/standalone_crypto_client.cpp
@@ -15,6 +15,7 @@ standalone_crypto_client::standalone_crypto_client() :
test_crypto_client(),
m_crypto_provider(),
m_storage_provider(),
+ m_storage_client(),
m_crypto_caller(),
m_storage_caller(),
m_dummy_storage_caller()
@@ -54,10 +55,13 @@ bool standalone_crypto_client::init()
TS_RPC_CALL_ACCEPTED, PSA_ERROR_STORAGE_FAILURE);
}
+ struct storage_backend *client_storage_backend = secure_storage_client_init(&m_storage_client,
+ storage_caller);
+
struct rpc_interface *crypto_ep = mbed_crypto_provider_init(&m_crypto_provider,
- storage_caller, 0);
- struct rpc_caller *crypto_caller = direct_caller_init_default(&m_crypto_caller,
- crypto_ep);
+ client_storage_backend, 0);
+
+ struct rpc_caller *crypto_caller = direct_caller_init_default(&m_crypto_caller, crypto_ep);
mbed_crypto_provider_register_serializer(&m_crypto_provider,
TS_RPC_ENCODING_PROTOBUF, pb_crypto_provider_serializer_instance());
@@ -81,6 +85,7 @@ bool standalone_crypto_client::deinit()
mbed_crypto_provider_deinit(&m_crypto_provider);
secure_storage_provider_deinit(&m_storage_provider);
+ secure_storage_client_deinit(&m_storage_client);
direct_caller_deinit(&m_storage_caller);
direct_caller_deinit(&m_crypto_caller);
diff --git a/components/service/crypto/client/test/standalone/standalone_crypto_client.h b/components/service/crypto/client/test/standalone/standalone_crypto_client.h
index 8f156b0c9..1093a1029 100644
--- a/components/service/crypto/client/test/standalone/standalone_crypto_client.h
+++ b/components/service/crypto/client/test/standalone/standalone_crypto_client.h
@@ -12,6 +12,7 @@
#include <rpc/dummy/dummy_caller.h>
#include <service/crypto/provider/mbedcrypto/crypto_provider.h>
#include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
/*
* A specialization of the crypto_client class that extends it to add crypto
@@ -44,6 +45,7 @@ private:
struct mbed_crypto_provider m_crypto_provider;
struct secure_storage_provider m_storage_provider;
+ struct secure_storage_client m_storage_client;
struct direct_caller m_crypto_caller;
struct direct_caller m_storage_caller;
struct dummy_caller m_dummy_storage_caller;
diff --git a/components/service/crypto/provider/mbedcrypto/crypto_provider.c b/components/service/crypto/provider/mbedcrypto/crypto_provider.c
index b0f8be309..03e0ef1a1 100644
--- a/components/service/crypto/provider/mbedcrypto/crypto_provider.c
+++ b/components/service/crypto/provider/mbedcrypto/crypto_provider.c
@@ -45,7 +45,7 @@ static const struct service_handler handler_table[] = {
};
struct rpc_interface *mbed_crypto_provider_init(struct mbed_crypto_provider *context,
- struct rpc_caller *storage_caller,
+ struct storage_backend *storage_backend,
int trng_instance)
{
struct rpc_interface *rpc_interface = NULL;
@@ -57,7 +57,7 @@ struct rpc_interface *mbed_crypto_provider_init(struct mbed_crypto_provider *con
* is a mandatory feature of the crypto service, insist on a storage
* provider being available.
*/
- if (context && storage_caller) {
+ if (context && storage_backend) {
for (size_t encoding = 0; encoding < TS_RPC_ENCODING_LIMIT; ++encoding)
context->serializers[encoding] = NULL;
@@ -65,11 +65,7 @@ struct rpc_interface *mbed_crypto_provider_init(struct mbed_crypto_provider *con
service_provider_init(&context->base_provider, context,
handler_table, sizeof(handler_table)/sizeof(struct service_handler));
- struct storage_backend *storage_backend =
- secure_storage_client_init(&context->secure_storage_client, storage_caller);
-
- if (storage_backend &&
- (psa_its_frontend_init(storage_backend) == PSA_SUCCESS) &&
+ if ((psa_its_frontend_init(storage_backend) == PSA_SUCCESS) &&
(psa_crypto_init() == PSA_SUCCESS)) {
rpc_interface = service_provider_get_rpc_interface(&context->base_provider);
diff --git a/components/service/crypto/provider/mbedcrypto/crypto_provider.h b/components/service/crypto/provider/mbedcrypto/crypto_provider.h
index 1f69396eb..3c0f8d897 100644
--- a/components/service/crypto/provider/mbedcrypto/crypto_provider.h
+++ b/components/service/crypto/provider/mbedcrypto/crypto_provider.h
@@ -10,7 +10,7 @@
#include <rpc/common/endpoint/rpc_interface.h>
#include <service/common/provider/service_provider.h>
#include <service/crypto/provider/serializer/crypto_provider_serializer.h>
-#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <service/secure_storage/backend/storage_backend.h>
#include <protocols/rpc/common/packed-c/encoding.h>
#ifdef __cplusplus
@@ -21,7 +21,6 @@ struct mbed_crypto_provider
{
struct service_provider base_provider;
const struct crypto_provider_serializer *serializers[TS_RPC_ENCODING_LIMIT];
- struct secure_storage_client secure_storage_client;
};
/*
@@ -31,7 +30,7 @@ struct mbed_crypto_provider
* backend.
*/
struct rpc_interface *mbed_crypto_provider_init(struct mbed_crypto_provider *context,
- struct rpc_caller *storage_caller,
+ struct storage_backend *storage_backend,
int trng_instance);
/*
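Review bot: The comment above `mbed_crypto_provider_init` does not say who owns `storage_backend`, now that the caller supplies it and the provider no longer embeds a `secure_storage_client`. The provider hands the pointer to `psa_its_frontend_init` in crypto_provider.c, so it presumably stays in use after init returns. The comment should state that the caller retains ownership and that the backend must stay valid until `mbed_crypto_provider_deinit` has returned, for example `* The storage_backend is borrowed, not owned; it must outlive the provider.` The comment block starts outside this hunk.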
diff --git a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
index 132bbc8ce..a6cbe314c 100644
--- a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
+++ b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
@@ -11,7 +11,7 @@
#include <CppUTest/TestHarness.h>
/*
- * Service-level tests that use the Protobuf access protocol serialization
+ * Service-level tests that use the packed-c access protocol serialization
*/
TEST_GROUP(CryptoServicePackedcTests)
{
diff --git a/components/service/locator/linux/ffa/linuxffa_location_strategy.c b/components/service/locator/linux/ffa/linuxffa_location_strategy.c
index 21468a97e..2469e86c5 100644
--- a/components/service/locator/linux/ffa/linuxffa_location_strategy.c
+++ b/components/service/locator/linux/ffa/linuxffa_location_strategy.c
@@ -88,9 +88,10 @@ static size_t suggest_tf_org_partition_uuids(const char *sn, struct uuid_canonic
}
partition_lookup[] =
{
- {"crypto", "d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0"},
- {"secure-storage", "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14"},
- {"test-runner", "33c75baf-ac6a-4fe4-8ac7-e9909bee2d17"},
+ {"crypto", "d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0"},
+ {"internal-trusted-storage", "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14"},
+ {"protected-storage", "751bf801-3dde-4768-a514-0f10aeed1790"},
+ {"test-runner", "33c75baf-ac6a-4fe4-8ac7-e9909bee2d17"},
{NULL, NULL}
};
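Review bot: The `internal-trusted-storage` entry reuses the partition UUID that was mapped to `secure-storage` before this change, and nothing in the table explains that. A short comment above the entry would help, for example `/* ITS is served by the partition previously published as secure-storage */`. The old `secure-storage` name no longer resolves, so any remaining client that queries it will presumably fail discovery; it is worth confirming that none is left. The enclosing function `suggest_tf_org_partition_uuids` starts and ends outside the hunk.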
diff --git a/components/service/locator/standalone/services/crypto/crypto_service_context.cpp b/components/service/locator/standalone/services/crypto/crypto_service_context.cpp
index 07829e227..2679ee3f9 100644
--- a/components/service/locator/standalone/services/crypto/crypto_service_context.cpp
+++ b/components/service/locator/standalone/services/crypto/crypto_service_context.cpp
@@ -7,13 +7,14 @@
#include "crypto_service_context.h"
#include <service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.h>
#include <service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.h>
-#include <service/secure_storage/backend/secure_flash_store/secure_flash_store.h>
crypto_service_context::crypto_service_context(const char *sn) :
standalone_service_context(sn),
m_crypto_provider(),
- m_storage_provider(),
- m_storage_caller()
+ m_storage_client(),
+ m_null_store(),
+ m_storage_service_context(NULL),
+ m_storage_session_handle(NULL)
{
}
@@ -25,13 +26,32 @@ crypto_service_context::~crypto_service_context()
void crypto_service_context::do_init()
{
- struct storage_backend *storage_backend = sfs_init();
- struct rpc_interface *storage_ep = secure_storage_provider_init(&m_storage_provider,
- storage_backend);
- struct rpc_caller *storage_caller = direct_caller_init_default(&m_storage_caller,
- storage_ep);
- struct rpc_interface *crypto_ep = mbed_crypto_provider_init(&m_crypto_provider,
- storage_caller, 0);
+ struct storage_backend *storage_backend = NULL;
+ struct storage_backend *null_storage_backend = null_store_init(&m_null_store);
+ struct rpc_caller *storage_caller = NULL;
+ int status;
+
+ /* Locate and open RPC session with internal-trusted-storage service to provide a persistent keystore */
+ m_storage_service_context = service_locator_query("sn:trustedfirmware.org:internal-trusted-storage:0", &status);
+
+ if (m_storage_service_context) {
+
+ m_storage_session_handle = service_context_open(m_storage_service_context, TS_RPC_ENCODING_PACKED_C, &storage_caller);
+
+ if (m_storage_session_handle) {
+
+ storage_backend = secure_storage_client_init(&m_storage_client, storage_caller);
+ }
+ }
+
+ if (!storage_backend) {
+
+ /* Something has gone wrong with establishing a session with the storage service endpoint */
+ storage_backend = null_storage_backend;
+ }
+
+ /* Initialse the crypto service provider */
+ struct rpc_interface *crypto_ep = mbed_crypto_provider_init(&m_crypto_provider, storage_backend, 0);
mbed_crypto_provider_register_serializer(&m_crypto_provider,
TS_RPC_ENCODING_PROTOBUF, pb_crypto_provider_serializer_instance());
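Review bot: The fallback to `null_storage_backend` in `do_init` is silent: `status` from `service_locator_query` is written but never read, so a crypto service whose keystore rejects every operation comes up looking healthy. Failing closed is the right behaviour here, but the cause should be recorded where a test or operator can see it, for example by logging `status` inside the `if (!storage_backend)` branch or keeping it in a member. The added comment promises a "persistent keystore", while the standalone internal-trusted-storage context added in this commit is backed by `mock_store`, which is presumably not persistent; the comment should describe what is actually provided. The last added comment also has a typo and should read `/* Initialise the crypto service provider */`. `do_init` continues past the end of the hunk.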
@@ -44,7 +64,17 @@ void crypto_service_context::do_init()
void crypto_service_context::do_deinit()
{
+ if (m_storage_session_handle) {
+ service_context_close(m_storage_service_context, m_storage_session_handle);
+ m_storage_session_handle = NULL;
+ }
+
+ if (m_storage_service_context) {
+ service_context_relinquish(m_storage_service_context);
+ m_storage_service_context = NULL;
+ }
+
mbed_crypto_provider_deinit(&m_crypto_provider);
- secure_storage_provider_deinit(&m_storage_provider);
- direct_caller_deinit(&m_storage_caller);
+ secure_storage_client_deinit(&m_storage_client);
+ null_store_deinit(&m_null_store);
}
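Review bot: `do_deinit` closes the storage session and relinquishes the service context before `mbed_crypto_provider_deinit` and `secure_storage_client_deinit` run, so during those two calls the storage client still holds the `storage_caller` of a session that is already closed. Whether either deinit touches the caller is not visible here, but tearing down in the reverse order of `do_init` removes the question: move `mbed_crypto_provider_deinit(&m_crypto_provider);` and `secure_storage_client_deinit(&m_storage_client);` above the `if (m_storage_session_handle)` block. `secure_storage_client_deinit` is also called on the fallback path where `secure_storage_client_init` never ran; the member is only value-initialised in the constructor, so confirm deinit is safe on that state or guard the call.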
diff --git a/components/service/locator/standalone/services/crypto/crypto_service_context.h b/components/service/locator/standalone/services/crypto/crypto_service_context.h
index 84360ba3f..8d815b52b 100644
--- a/components/service/locator/standalone/services/crypto/crypto_service_context.h
+++ b/components/service/locator/standalone/services/crypto/crypto_service_context.h
@@ -10,7 +10,8 @@
#include <service/locator/standalone/standalone_service_context.h>
#include <rpc/direct/direct_caller.h>
#include <service/crypto/provider/mbedcrypto/crypto_provider.h>
-#include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <service/secure_storage/backend/null_store/null_store.h>
class crypto_service_context : public standalone_service_context
{
@@ -24,8 +25,10 @@ private:
void do_deinit();
struct mbed_crypto_provider m_crypto_provider;
- struct secure_storage_provider m_storage_provider;
- struct direct_caller m_storage_caller;
+ struct secure_storage_client m_storage_client;
+ struct null_store m_null_store;
+ struct service_context *m_storage_service_context;
+ rpc_session_handle m_storage_session_handle;
};
#endif /* STANDALONE_CRYPTO_SERVICE_CONTEXT_H */
diff --git a/components/service/locator/standalone/services/internal-trusted-storage/component.cmake b/components/service/locator/standalone/services/internal-trusted-storage/component.cmake
new file mode 100644
index 000000000..1e193bab8
--- /dev/null
+++ b/components/service/locator/standalone/services/internal-trusted-storage/component.cmake
@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/its_service_context.cpp"
+ )
+
diff --git a/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.cpp b/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.cpp
new file mode 100644
index 000000000..72cc62ee1
--- /dev/null
+++ b/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.cpp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "its_service_context.h"
+
+its_service_context::its_service_context(const char *sn) :
+ standalone_service_context(sn),
+ m_storage_provider(),
+ m_mock_store()
+{
+
+}
+
+its_service_context::~its_service_context()
+{
+
+}
+
+void its_service_context::do_init()
+{
+ struct storage_backend *storage_backend = mock_store_init(&m_mock_store);
+ struct rpc_interface *storage_ep = secure_storage_provider_init(&m_storage_provider, storage_backend);
+
+ standalone_service_context::set_rpc_interface(storage_ep);
+}
+
+void its_service_context::do_deinit()
+{
+ secure_storage_provider_deinit(&m_storage_provider);
+ mock_store_deinit(&m_mock_store);
+}
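Review bot: `do_init` passes the results of `mock_store_init` and `secure_storage_provider_init` straight on without checking them, so a NULL `storage_ep` would be installed through `set_rpc_interface`. Whether those calls can fail is not visible here, so either check them or add a comment saying why they cannot. The file also carries no comment saying that this standalone ITS instance is backed by `mock_store`, which matters now that `crypto_service_context` uses it as its keystore. If the intent is test use only, a class-level comment such as `/* Standalone ITS service instance backed by mock_store; not for production deployments */` would cover it. ps_service_context.cpp, added later in this commit, is the same code apart from the class name, so both points apply there and the two classes could share one implementation.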
diff --git a/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.h b/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.h
new file mode 100644
index 000000000..713e0e914
--- /dev/null
+++ b/components/service/locator/standalone/services/internal-trusted-storage/its_service_context.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef STANDALONE_ITS_SERVICE_CONTEXT_H
+#define STANDALONE_ITS_SERVICE_CONTEXT_H
+
+#include <service/locator/standalone/standalone_service_context.h>
+#include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+#include <service/secure_storage/backend/mock_store/mock_store.h>
+
+class its_service_context : public standalone_service_context
+{
+public:
+ its_service_context(const char *sn);
+ virtual ~its_service_context();
+
+private:
+
+ void do_init();
+ void do_deinit();
+
+ struct secure_storage_provider m_storage_provider;
+ struct mock_store m_mock_store;
+};
+
+#endif /* STANDALONE_ITS_SERVICE_CONTEXT_H */
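Review bot: The single-argument constructor `its_service_context(const char *sn);` is not marked `explicit`, so a bare `const char *` converts implicitly into a service context. Declaring it `explicit its_service_context(const char *sn);` rules that out. `do_init` and `do_deinit` presumably override virtuals of `standalone_service_context` (the base class is not shown); if the build permits C++11, writing `void do_init() override;` lets the compiler check the signatures. The same applies to ps_service_context.h later in this commit.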
diff --git a/components/service/crypto/client/test/mock/component.cmake b/components/service/locator/standalone/services/protected-storage/component.cmake
index 8202578c5..ad1a6038d 100644
--- a/components/service/crypto/client/test/mock/component.cmake
+++ b/components/service/locator/standalone/services/protected-storage/component.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2020, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -9,6 +9,6 @@ if (NOT DEFINED TGT)
endif()
target_sources(${TGT} PRIVATE
- "${CMAKE_CURRENT_LIST_DIR}/mock_crypto_client.cpp"
+ "${CMAKE_CURRENT_LIST_DIR}/ps_service_context.cpp"
)
diff --git a/components/service/locator/standalone/services/protected-storage/ps_service_context.cpp b/components/service/locator/standalone/services/protected-storage/ps_service_context.cpp
new file mode 100644
index 000000000..cda49f64b
--- /dev/null
+++ b/components/service/locator/standalone/services/protected-storage/ps_service_context.cpp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "ps_service_context.h"
+
+ps_service_context::ps_service_context(const char *sn) :
+ standalone_service_context(sn),
+ m_storage_provider(),
+ m_mock_store()
+{
+
+}
+
+ps_service_context::~ps_service_context()
+{
+
+}
+
+void ps_service_context::do_init()
+{
+ struct storage_backend *storage_backend = mock_store_init(&m_mock_store);
+ struct rpc_interface *storage_ep = secure_storage_provider_init(&m_storage_provider, storage_backend);
+
+ standalone_service_context::set_rpc_interface(storage_ep);
+}
+
+void ps_service_context::do_deinit()
+{
+ secure_storage_provider_deinit(&m_storage_provider);
+ mock_store_deinit(&m_mock_store);
+}
diff --git a/components/service/locator/standalone/services/protected-storage/ps_service_context.h b/components/service/locator/standalone/services/protected-storage/ps_service_context.h
new file mode 100644
index 000000000..2e3c46edb
--- /dev/null
+++ b/components/service/locator/standalone/services/protected-storage/ps_service_context.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef STANDALONE_PS_SERVICE_CONTEXT_H
+#define STANDALONE_PS_SERVICE_CONTEXT_H
+
+#include <service/locator/standalone/standalone_service_context.h>
+#include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+#include <service/secure_storage/backend/mock_store/mock_store.h>
+
+class ps_service_context : public standalone_service_context
+{
+public:
+ ps_service_context(const char *sn);
+ virtual ~ps_service_context();
+
+private:
+
+ void do_init();
+ void do_deinit();
+
+ struct secure_storage_provider m_storage_provider;
+ struct mock_store m_mock_store;
+};
+
+#endif /* STANDALONE_PS_SERVICE_CONTEXT_H */
diff --git a/components/service/locator/standalone/standalone_env.cpp b/components/service/locator/standalone/standalone_env.cpp
index 41dd206ab..132b6d56b 100644
--- a/components/service/locator/standalone/standalone_env.cpp
+++ b/components/service/locator/standalone/standalone_env.cpp
@@ -6,6 +6,8 @@
#include <service_locator.h>
#include <service/locator/standalone/services/crypto/crypto_service_context.h>
+#include <service/locator/standalone/services/internal-trusted-storage/its_service_context.h>
+#include <service/locator/standalone/services/protected-storage/ps_service_context.h>
#include <service/locator/standalone/services/test-runner/test_runner_service_context.h>
#include "standalone_location_strategy.h"
#include "standalone_service_registry.h"
@@ -15,8 +17,14 @@ void service_locator_envinit(void)
static crypto_service_context crypto_context("sn:trustedfirmware.org:crypto:0");
standalone_service_registry::instance()->regsiter_service_instance(&crypto_context);
+ static its_service_context its_service_context("sn:trustedfirmware.org:internal-trusted-storage:0");
+ standalone_service_registry::instance()->regsiter_service_instance(&its_service_context);
+
+ static ps_service_context ps_service_context("sn:trustedfirmware.org:protected-storage:0");
+ standalone_service_registry::instance()->regsiter_service_instance(&ps_service_context);
+
static test_runner_service_context test_runner_context("sn:trustedfirmware.org:test-runner:0");
standalone_service_registry::instance()->regsiter_service_instance(&test_runner_context);
service_locator_register_strategy(standalone_location_strategy());
-} \ No newline at end of file
+}
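Review bot: The two new locals are named exactly like their types, `static its_service_context its_service_context(...)` and `static ps_service_context ps_service_context(...)`, which hides the class names for the rest of `service_locator_envinit` and departs from the `crypto_context` / `test_runner_context` pattern beside them. Renaming them to `its_context` and `ps_context` keeps the pattern. Separately, `crypto_context` is registered before the internal-trusted-storage context that its `do_init` now looks up. If `do_init` can run at registration time rather than on first open (not visible here), that lookup would fail and crypto would fall back to the null store, so the order should be confirmed or the storage contexts registered first.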
diff --git a/components/service/secure_storage/backend/null_store/component.cmake b/components/service/secure_storage/backend/null_store/component.cmake
new file mode 100644
index 000000000..19f88eee3
--- /dev/null
+++ b/components/service/secure_storage/backend/null_store/component.cmake
@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/null_store.c"
+ )
+
diff --git a/components/service/secure_storage/backend/null_store/null_store.c b/components/service/secure_storage/backend/null_store/null_store.c
new file mode 100644
index 000000000..479c58a52
--- /dev/null
+++ b/components/service/secure_storage/backend/null_store/null_store.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "null_store.h"
+#include <protocols/service/psa/packed-c/status.h>
+#include <stddef.h>
+
+static psa_status_t null_store_set(void *context,
+ uint32_t client_id,
+ uint64_t uid,
+ size_t data_length,
+ const void *p_data,
+ uint32_t create_flags)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+ (void)data_length;
+ (void)p_data;
+ (void)create_flags;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static psa_status_t null_store_get(void *context,
+ uint32_t client_id,
+ uint64_t uid,
+ size_t data_offset,
+ size_t data_size,
+ void *p_data,
+ size_t *p_data_length)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+ (void)data_offset;
+ (void)data_size;
+ (void)p_data;
+ (void)p_data_length;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static psa_status_t null_store_get_info(void *context,
+ uint32_t client_id,
+ uint64_t uid,
+ struct psa_storage_info_t *p_info)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+ (void)p_info;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static psa_status_t null_store_remove(void *context,
+ uint32_t client_id,
+ uint64_t uid)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static psa_status_t null_store_create(void *context,
+ uint32_t client_id,
+ uint64_t uid,
+ size_t capacity,
+ uint32_t create_flags)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+ (void)capacity;
+ (void)create_flags;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static psa_status_t null_store_set_extended(void *context,
+ uint32_t client_id,
+ uint64_t uid,
+ size_t data_offset,
+ size_t data_length,
+ const void *p_data)
+{
+ (void)context;
+ (void)client_id;
+ (void)uid;
+ (void)data_offset;
+ (void)data_length;
+ (void)p_data;
+
+ return PSA_ERROR_STORAGE_FAILURE;
+}
+
+static uint32_t null_store_get_support(void *context,
+ uint32_t client_id)
+{
+ (void)context;
+ (void)client_id;
+
+ return 0;
+}
+
+
+struct storage_backend *null_store_init(struct null_store *context)
+{
+ static const struct storage_backend_interface interface =
+ {
+ null_store_set,
+ null_store_get,
+ null_store_get_info,
+ null_store_remove,
+ null_store_create,
+ null_store_set_extended,
+ null_store_get_support
+ };
+
+ context->backend.context = context;
+ context->backend.interface = &interface;
+
+ return &context->backend;
+}
+
+void null_store_deinit(struct null_store *context)
+{
+ context->backend.context = NULL;
+ context->backend.interface = NULL;
+}
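Review bot: `null_store_get` and `null_store_get_info` return `PSA_ERROR_STORAGE_FAILURE` without writing their out-parameters, so a caller that reads `*p_data_length` or `*p_info` before checking the status sees whatever was already in that memory. Setting them defensively costs one line, e.g. `if (p_data_length) *p_data_length = 0;` in `null_store_get` in place of `(void)p_data_length;`. `null_store_init` and `null_store_deinit` also dereference `context` with no NULL check; `if (!context) return NULL;` at the top of `null_store_init` would match the guard style used by `mbed_crypto_provider_init`. A one-line comment on the handlers stating that they fail by design would stop a later reader from treating them as unfinished stubs.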
diff --git a/components/service/secure_storage/backend/null_store/null_store.h b/components/service/secure_storage/backend/null_store/null_store.h
new file mode 100644
index 000000000..9da983b0b
--- /dev/null
+++ b/components/service/secure_storage/backend/null_store/null_store.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef NULL_STORE_H
+#define NULL_STORE_H
+
+#include <service/secure_storage/backend/storage_backend.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * The null_store is intended to be used when an error makes
+ * it impossible to initialise a real storage backend. The
+ * null_store provides handlers for the storage_backend
+ * interface but returns an error if any are called. Example
+ * error conditions where the null_store cab used are:
+ * - configuration error leading to a partition discovery failure
+ * - a hardware fault
+ */
+struct null_store
+{
+ struct storage_backend backend;
+};
+
+struct storage_backend *null_store_init(struct null_store *context);
+void null_store_deinit(struct null_store *context);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* NULL_STORE_H */
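Review bot: The declarations of `null_store_init` and `null_store_deinit` carry no description of their contract, and the implementation in null_store.c dereferences `context` without a NULL check and returns `&context->backend`. A comment above the prototypes would help, for example `/* context must be non-NULL and must outlive the returned storage_backend, which points into it */`. It would also be worth stating that every handler reports `PSA_ERROR_STORAGE_FAILURE` and that `get_support` returns 0, so callers know what a client sees when this fallback is in place. In the struct comment, "cab used" should read "can be used".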
diff --git a/components/service/secure_storage/factory/common/sfs/component.cmake b/components/service/secure_storage/factory/common/sfs/component.cmake
new file mode 100644
index 000000000..b06adb56a
--- /dev/null
+++ b/components/service/secure_storage/factory/common/sfs/component.cmake
@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/storage_factory.c"
+ )
+
diff --git a/components/service/secure_storage/factory/common/sfs/storage_factory.c b/components/service/secure_storage/factory/common/sfs/storage_factory.c
new file mode 100644
index 000000000..81f708de5
--- /dev/null
+++ b/components/service/secure_storage/factory/common/sfs/storage_factory.c
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#include <rpc/ffarpc/caller/sp/ffarpc_caller.h>
+#include <protocols/rpc/common/packed-c/status.h>
+#include <service/secure_storage/backend/secure_flash_store/secure_flash_store.h>
+#include <service/secure_storage/factory/storage_factory.h>
+
+/**
+ * \brief Constructs a secure flash store
+ *
+ * Can be used as a storage backend in any environment. However
+ * it doesn't actually provide persistent flash storage without
+ * platform specific hardware.
+ */
+struct storage_backend *storage_factory_create(
+ enum storage_factory_security_class security_class)
+{
+ (void)security_class;
+ return sfs_init();
+}
+
+void storage_factory_destroy(struct storage_backend *backend)
+{
+ (void)backend;
+}
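Review bot: `storage_factory_create` discards `security_class`, so a caller asking for `storage_factory_security_class_INTERNAL_TRUSTED` and one asking for `storage_factory_security_class_PROTECTED` both receive whatever `sfs_init()` returns, and neither is told. The doc comment should say this explicitly, for example `* The requested security_class is ignored: the same secure flash store is returned for both classes.` This matters more because the comment already notes that the store is not persistent without platform hardware. `storage_factory_destroy` is an empty function; a one-line comment explaining why no teardown is needed for the sfs backend would stop readers from assuming it is an omission.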
diff --git a/components/service/secure_storage/factory/sp/optee_trusted_store/component.cmake b/components/service/secure_storage/factory/sp/optee_trusted_store/component.cmake
new file mode 100644
index 000000000..b06adb56a
--- /dev/null
+++ b/components/service/secure_storage/factory/sp/optee_trusted_store/component.cmake
@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/storage_factory.c"
+ )
+
diff --git a/components/service/secure_storage/factory/sp/optee_trusted_store/storage_factory.c b/components/service/secure_storage/factory/sp/optee_trusted_store/storage_factory.c
new file mode 100644
index 000000000..5423af685
--- /dev/null
+++ b/components/service/secure_storage/factory/sp/optee_trusted_store/storage_factory.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+/**
+ * A storage factory that creates storage backends that communicate with an
+ * S-EL1 partition to access trusted storage provided by OPTEE. The S-EL1
+ * partition is assumed to host a conventional secure storage provider
+ * that can be accessed using the secure storage access protocol.
+ * Uses a default UUID to discover the S-EL1 partition if no external
+ * configuration overrides this.
+ */
+#include <rpc/ffarpc/caller/sp/ffarpc_caller.h>
+#include <protocols/rpc/common/packed-c/status.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <service/secure_storage/backend/null_store/null_store.h>
+#include <service/secure_storage/factory/storage_factory.h>
+#include <ffa_api.h>
+#include <stdbool.h>
+#include <stddef.h>
+
+/* NOTE: this is the ITS partition UUID - should be changed when S-EL1 SP is ready */
+#define OPTEE_TRUSTED_STORE_UUID_BYTES \
+ { 0xdc, 0x1e, 0xef, 0x48, 0xb1, 0x7a, 0x4c, 0xcf, \
+ 0xac, 0x8b, 0xdf, 0xcf, 0xf7, 0x71, 0x1b, 0x14 }
+
+static const uint8_t default_optee_trusted_store_uuid[] = OPTEE_TRUSTED_STORE_UUID_BYTES;
+
+/* The storage backed specialization constructed by this factory */
+struct optee_trusted_store
+{
+ struct secure_storage_client secure_storage_client;
+ struct ffarpc_caller ffarpc_caller;
+ bool in_use;
+};
+
+/* Only supports construction of a single instance */
+static struct optee_trusted_store backend_instance = { .in_use = false };
+
+/* Used on failure if no association with a storage provider is established */
+static struct null_store null_store;
+
+
+struct storage_backend *storage_factory_create(
+ enum storage_factory_security_class security_class)
+{
+ struct rpc_caller *storage_caller;
+ uint16_t storage_sp_ids[1];
+ struct optee_trusted_store *new_backend = &backend_instance;
+ struct storage_backend *result = NULL;
+
+ if (!new_backend->in_use) {
+
+ storage_caller = ffarpc_caller_init(&new_backend->ffarpc_caller);
+
+ /* Try discovering candidate endpoints in preference order */
+ if (ffarpc_caller_discover(default_optee_trusted_store_uuid, storage_sp_ids,
+ sizeof(storage_sp_ids)/sizeof(uint16_t))) {
+
+ if (ffarpc_caller_open(&new_backend->ffarpc_caller, storage_sp_ids[0], 0) == 0) {
+
+ result = secure_storage_client_init(&new_backend->secure_storage_client,
+ storage_caller);
+ }
+ }
+
+ if (!result) {
+
+ /* Failed to discover or open an RPC session with provider */
+ ffarpc_caller_deinit(&new_backend->ffarpc_caller);
+ }
+
+ new_backend->in_use = (result != NULL);
+ }
+
+ if (!result) {
+
+ /**
+ * Errors during SP initialisation can be difficult to handle so
+ * returns a valid storage_backend, albeit one that just returns
+ * an appropriate status code if any methods are called. This
+ * allows an error to be reported to a requesting client where
+ * it may be easier to handle.
+ */
+ result = null_store_init(&null_store);
+ }
+
+ return result;
+}
+
+void storage_factory_destroy(struct storage_backend *backend)
+{
+ if (backend) {
+
+ secure_storage_client_deinit(&backend_instance.secure_storage_client);
+ ffarpc_caller_deinit(&backend_instance.ffarpc_caller);
+ backend_instance.in_use = false;
+ }
+}
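Review bot: `storage_factory_destroy` tears down `backend_instance` for any non-NULL pointer, including the `null_store` fallback that `storage_factory_create` returns on failure or when the single instance is already in use. Destroying the fallback after a failed create de-initialises a client that was never initialised and a caller that was already de-initialised on the failure path. Destroying the fallback handed out to a second caller tears down the live instance and clears `in_use` underneath its owner. The guard should be `if (backend && backend != &null_store.backend && backend_instance.in_use) {`; the same function in rot_store/storage_factory.c has the same problem. It is also worth confirming that the session opened with `ffarpc_caller_open` is closed somewhere before `ffarpc_caller_deinit`, since no close call is visible in this file.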
diff --git a/components/service/secure_storage/factory/sp/rot_store/component.cmake b/components/service/secure_storage/factory/sp/rot_store/component.cmake
new file mode 100644
index 000000000..b06adb56a
--- /dev/null
+++ b/components/service/secure_storage/factory/sp/rot_store/component.cmake
@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/storage_factory.c"
+ )
+
diff --git a/components/service/secure_storage/factory/sp/rot_store/storage_factory.c b/components/service/secure_storage/factory/sp/rot_store/storage_factory.c
new file mode 100644
index 000000000..9c37d4d03
--- /dev/null
+++ b/components/service/secure_storage/factory/sp/rot_store/storage_factory.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+/**
+ * A storage factory that creates storage backends that may be used
+ * to access a secure storage partition from a separate SP within the
+ * device RoT. Defaults to using PSA storage partitions if no runtime
+ * configuration overrides the target service endpoint to use. If multiple
+ * candidate storage SPs are available, the one that matches the
+ * requested storage class is used. The availability of Internal Trusted
+ * and Protected stores will depend on the platform.
+ */
+#include <rpc/ffarpc/caller/sp/ffarpc_caller.h>
+#include <protocols/rpc/common/packed-c/status.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <service/secure_storage/backend/null_store/null_store.h>
+#include <service/secure_storage/factory/storage_factory.h>
+#include <ffa_api.h>
+#include <stdbool.h>
+#include <stddef.h>
+
+/* Defaults to using PSA storage partitions if no external configuration specified */
+#define ITS_STORE_UUID_BYTES \
+ { 0xdc, 0x1e, 0xef, 0x48, 0xb1, 0x7a, 0x4c, 0xcf, \
+ 0xac, 0x8b, 0xdf, 0xcf, 0xf7, 0x71, 0x1b, 0x14 }
+
+#define PS_STORE_UUID_BYTES \
+ { 0x75, 0x1b, 0xf8, 0x01, 0x3d, 0xde, 0x47, 0x68, \
+ 0xa5, 0x14, 0x0f, 0x10, 0xae, 0xed, 0x17, 0x90 }
+
+#define MAX_CANDIDATE_UUIDS (2)
+
+static const uint8_t default_internal_store_uuid[] = ITS_STORE_UUID_BYTES;
+static const uint8_t default_protected_store_uuid[] = PS_STORE_UUID_BYTES;
+
+/* The storage backed specialization constructed by this factory */
+struct rot_store
+{
+ struct secure_storage_client secure_storage_client;
+ struct ffarpc_caller ffarpc_caller;
+ bool in_use;
+};
+
+/* Only supports construction of a single instance */
+static struct rot_store backend_instance = { .in_use = false };
+
+/* Used on failure if no association with a storage provider is established */
+static struct null_store null_store;
+
+static int select_candidate_uuids(const uint8_t *candidates[],
+ int max_candidates,
+ enum storage_factory_security_class security_class);
+
+
+struct storage_backend *storage_factory_create(
+ enum storage_factory_security_class security_class)
+{
+ struct rpc_caller *storage_caller;
+ uint16_t storage_sp_ids[1];
+ struct rot_store *new_backend = &backend_instance;
+ const uint8_t *candidate_uuids[MAX_CANDIDATE_UUIDS];
+ int num_candidate_uuids = select_candidate_uuids(candidate_uuids,
+ MAX_CANDIDATE_UUIDS, security_class);
+
+ struct storage_backend *result = NULL;
+
+ if (num_candidate_uuids && !new_backend->in_use) {
+
+ storage_caller = ffarpc_caller_init(&new_backend->ffarpc_caller);
+
+ for (int i = 0; i < num_candidate_uuids; i++) {
+
+ /* Try discovering candidate endpoints in preference order */
+ if (ffarpc_caller_discover(candidate_uuids[i], storage_sp_ids,
+ sizeof(storage_sp_ids)/sizeof(uint16_t))) {
+
+ if (ffarpc_caller_open(&new_backend->ffarpc_caller, storage_sp_ids[0], 0) == 0) {
+
+ result = secure_storage_client_init(&new_backend->secure_storage_client,
+ storage_caller);
+ }
+
+ break;
+ }
+ }
+
+ if (!result) {
+
+ /* Failed to discover or open an RPC session with provider */
+ ffarpc_caller_deinit(&new_backend->ffarpc_caller);
+ }
+
+ new_backend->in_use = (result != NULL);
+ }
+
+ if (!result) {
+
+ /**
+ * Errors during SP initialisation can be difficult to handle so
+ * returns a valid storage_backend, albeit one that just returns
+ * an appropriate status code if any methods are called. This
+ * allows an error to be reported to a requesting client where
+ * it may be easier to handle.
+ */
+ result = null_store_init(&null_store);
+ }
+
+ return result;
+}
+
+void storage_factory_destroy(struct storage_backend *backend)
+{
+ if (backend) {
+
+ secure_storage_client_deinit(&backend_instance.secure_storage_client);
+ ffarpc_caller_deinit(&backend_instance.ffarpc_caller);
+ backend_instance.in_use = false;
+ }
+}
+
+static int select_candidate_uuids(const uint8_t *candidates[],
+ int max_candidates,
+ enum storage_factory_security_class security_class)
+{
+ /* Runtime configuration not yet supported so fallback to using default UUIDs */
+ int num_candidates = 0;
+
+ if (max_candidates >= 2) {
+
+ if (security_class == storage_factory_security_class_INTERNAL_TRUSTED) {
+
+ candidates[0] = default_internal_store_uuid;
+ candidates[1] = default_protected_store_uuid;
+ }
+ else {
+
+ candidates[0] = default_protected_store_uuid;
+ candidates[1] = default_internal_store_uuid;
+ }
+
+ num_candidates = 2;
+ }
+
+ return num_candidates;
+} \ No newline at end of file
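Review bot: `select_candidate_uuids` always returns both UUIDs, so a request for `storage_factory_security_class_INTERNAL_TRUSTED` is silently served by the protected-storage partition when the ITS partition is not discovered, and the reverse. The caller has no way to learn which class it actually obtained. If that fallback is intended, say so at `storage_factory_create`, for example `/* NOTE: falls back to the other storage class if the preferred partition is not discovered */`; if a client relies on the on-die guarantee, the factory should instead return only the matching UUID for that class. Separately, the `break` in the discovery loop sits outside the `ffarpc_caller_open` check, so a candidate that is discovered but fails to open ends the search without trying the next one. Moving the `break` inside the `== 0` branch, or after a successful `secure_storage_client_init`, would let the second candidate be attempted.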
diff --git a/components/service/secure_storage/factory/storage_factory.h b/components/service/secure_storage/factory/storage_factory.h
new file mode 100644
index 000000000..a36d0c46b
--- /dev/null
+++ b/components/service/secure_storage/factory/storage_factory.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#ifndef STORAGE_FACTORY_H
+#define STORAGE_FACTORY_H
+
+#include <service/secure_storage/backend/storage_backend.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Defines a common interface for creating storage backends to
+ * decouple a client from the environment and platform specifics
+ * of any particular storage backend. Allows new storage backends
+ * to be added without impacting client implementations. The
+ * factory method uses PSA storage classifications to allow a
+ * client to specify the security characteristics of the backend.
+ * How those security characteristics are realized will depend
+ * on the secure processing environment and platform.
+ *
+ * A concrete storage factory may exploit any of the following
+ * to influence how the storage backend is constructed:
+ * - Environment and platform specific factory component used in deployment
+ * - Runtime configuration e.g. from Device Tree
+ * - Client specified parameters
+ */
+
+/**
+ * \brief Security characteristics of created backend
+ *
+ * Allows a client to request the security characteristics of
+ * a constructed backend, using PSA storage classification. How
+ * well a platform meets the requested security characteristics
+ * will depend on available hardware features.
+ */
+enum storage_factory_security_class {
+
+ /**
+ * On-die or in-package persistent storage
+ * that is exclusively accessible from secure world.
+ */
+ storage_factory_security_class_INTERNAL_TRUSTED,
+
+ /**
+ * External persistent storage with security measures
+ * such as encryption, integrity protection and replay
+ * protection, based on device root-of-trust trust anchors.
+ */
+ storage_factory_security_class_PROTECTED
+};
+
+/**
+ * \brief Factory method to create an initialised storage backend
+ *
+ * Should use the correseponding destroy method when the storage backend
+ * is no longer needed.
+ *
+ * \param[in] security_class The requested security class
+ *
+ * \return A pointer to the initialised storage_backend or NULL on failure
+ */
+struct storage_backend *storage_factory_create(
+ enum storage_factory_security_class security_class);
+
+/**
+ * \brief Destroys a created backend
+ *
+ * Allows a concrete factory to adopt its own allocation scheme for
+ * objects used to implement the created backend.
+ *
+ * \param[in] backend Storage backend to destroy
+ */
+void storage_factory_destroy(struct storage_backend *backend);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* STORAGE_FACTORY_H */
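Review bot: The `\return` text for `storage_factory_create` promises NULL on failure, but the optee_trusted_store and rot_store factories added in this commit never return NULL. They return a null_store backend whose operations all fail. A caller that follows this header and checks only for NULL will treat a failed discovery as success and find out only at the first storage call. The contract should read something like `\return A pointer to an initialised storage_backend; on failure a concrete factory may return NULL or a backend whose operations all report an error`. "correseponding" in the description above should be "corresponding".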
diff --git a/components/service/secure_storage/test/service/component.cmake b/components/service/secure_storage/test/service/component.cmake
new file mode 100644
index 000000000..02a2b2c32
--- /dev/null
+++ b/components/service/secure_storage/test/service/component.cmake
@@ -0,0 +1,15 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/its_service_tests.cpp"
+ "${CMAKE_CURRENT_LIST_DIR}/ps_service_tests.cpp"
+ )
+
diff --git a/components/service/secure_storage/test/service/its_service_tests.cpp b/components/service/secure_storage/test/service/its_service_tests.cpp
new file mode 100644
index 000000000..b976d613a
--- /dev/null
+++ b/components/service/secure_storage/test/service/its_service_tests.cpp
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <service/secure_storage/frontend/psa/its/its_frontend.h>
+#include <service/secure_storage/frontend/psa/its/test/its_api_tests.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <protocols/rpc/common/packed-c/encoding.h>
+#include <service_locator.h>
+#include <CppUTest/TestHarness.h>
+
+/*
+ * Service-level tests using the PSA Internal Trusted Storage API to
+ * access the secure storage service with the 'internal-trusted-storage'
+ * designation.
+ */
+TEST_GROUP(ItsServiceTests)
+{
+ void setup()
+ {
+ struct rpc_caller *caller;
+ int status;
+
+ m_rpc_session_handle = NULL;
+ m_its_service_context = NULL;
+
+ service_locator_init();
+
+ m_its_service_context = service_locator_query("sn:trustedfirmware.org:internal-trusted-storage:0", &status);
+ CHECK(m_its_service_context);
+
+ m_rpc_session_handle = service_context_open(m_its_service_context, TS_RPC_ENCODING_PACKED_C, &caller);
+ CHECK(m_rpc_session_handle);
+
+ struct storage_backend *storage_backend = secure_storage_client_init(&m_storage_client, caller);
+
+ psa_its_frontend_init(storage_backend);
+ }
+
+ void teardown()
+ {
+ psa_its_frontend_init(NULL);
+
+ service_context_close(m_its_service_context, m_rpc_session_handle);
+ m_rpc_session_handle = NULL;
+
+ service_context_relinquish(m_its_service_context);
+ m_its_service_context = NULL;
+
+ secure_storage_client_deinit(&m_storage_client);
+ }
+
+ rpc_session_handle m_rpc_session_handle;
+ struct service_context *m_its_service_context;
+ struct secure_storage_client m_storage_client;
+};
+
+TEST(ItsServiceTests, storeNewItem)
+{
+ its_api_tests::storeNewItem();
+}
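Review bot: `teardown()` uses `m_its_service_context`, `m_rpc_session_handle` and `m_storage_client` unconditionally, even though either `CHECK` in `setup()` can abort before they are valid. If the harness still runs teardown after a failed setup (CppUTest appears to), `service_context_close` and `service_context_relinquish` receive NULL and `secure_storage_client_deinit` runs on a client that was never initialised. Guarding the calls, e.g. `if (m_its_service_context) { ... }` around the close/relinquish pair and a flag for the client, keeps a missing service from turning into a crash in the test runner. The return value of `secure_storage_client_init` is also passed to `psa_its_frontend_init` without a `CHECK`. The same pattern is repeated in ps_service_tests.cpp.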
diff --git a/components/service/secure_storage/test/service/ps_service_tests.cpp b/components/service/secure_storage/test/service/ps_service_tests.cpp
new file mode 100644
index 000000000..fd19f08cc
--- /dev/null
+++ b/components/service/secure_storage/test/service/ps_service_tests.cpp
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <service/secure_storage/frontend/psa/ps/ps_frontend.h>
+#include <service/secure_storage/frontend/psa/ps/test/ps_api_tests.h>
+#include <service/secure_storage/frontend/psa/its/its_frontend.h>
+#include <service/secure_storage/frontend/psa/its/test/its_api_tests.h>
+#include <service/secure_storage/backend/secure_storage_client/secure_storage_client.h>
+#include <protocols/rpc/common/packed-c/encoding.h>
+#include <service_locator.h>
+#include <CppUTest/TestHarness.h>
+
+/*
+ * Service-level tests using the PSA Protected Storage and Internal
+ * Trusted Storage APIs to access the secure storage service with the
+ * 'protected-storage' designation.
+ */
+TEST_GROUP(PsServiceTests)
+{
+ void setup()
+ {
+ struct rpc_caller *caller;
+ int status;
+
+ m_rpc_session_handle = NULL;
+ m_its_service_context = NULL;
+
+ service_locator_init();
+
+ m_its_service_context = service_locator_query("sn:trustedfirmware.org:protected-storage:0", &status);
+ CHECK(m_its_service_context);
+
+ m_rpc_session_handle = service_context_open(m_its_service_context, TS_RPC_ENCODING_PACKED_C, &caller);
+ CHECK(m_rpc_session_handle);
+
+ struct storage_backend *storage_backend = secure_storage_client_init(&m_storage_client, caller);
+
+ psa_ps_frontend_init(storage_backend);
+ psa_its_frontend_init(storage_backend);
+ }
+
+ void teardown()
+ {
+ psa_ps_frontend_init(NULL);
+ psa_its_frontend_init(NULL);
+
+ service_context_close(m_its_service_context, m_rpc_session_handle);
+ m_rpc_session_handle = NULL;
+
+ service_context_relinquish(m_its_service_context);
+ m_its_service_context = NULL;
+
+ secure_storage_client_deinit(&m_storage_client);
+ }
+
+ rpc_session_handle m_rpc_session_handle;
+ struct service_context *m_its_service_context;
+ struct secure_storage_client m_storage_client;
+};
+
+TEST(PsServiceTests, storeNewItem)
+{
+ its_api_tests::storeNewItem();
+}
+
+TEST(PsServiceTests, createAndSet)
+{
+ ps_api_tests::createAndSet();
+}
+
+TEST(PsServiceTests, createAndSetExtended)
+{
+ ps_api_tests::createAndSetExtended();
+}
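Review bot: The member `m_its_service_context` in `PsServiceTests` holds the context returned for `"sn:trustedfirmware.org:protected-storage:0"`, so the name carried over from the ITS test group is misleading here. Renaming it, e.g. `struct service_context *m_ps_service_context;`, would make it clear which service the group is bound to. A short comment in `setup()` noting that both the PS and ITS frontends are deliberately attached to the same protected-storage backend would explain why `its_api_tests::storeNewItem()` is run in this group.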