Age | Commit message | Author
8 hours | Support removal of read-only constraint [integration] | Gabor Toth
UEFI specification doesn't specify whether read-only constraint can be removed from a variable or not. The EDK2 reference implementation supports it and we also should. Change-Id: I5894ea23b89a5667663f80ad724d05885debafe6 Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
8 hours | Make smm variable test cleanup more robust | Gabor Toth
Cleanup should not try removing unclearable variables and should report error if cleaning something failed. Variable cleanup is moved from the beginning of the tests to the end to avoid leaving trash in the store. Change-Id: If76a87e268345e93f1dd0f1e0b084ef489ccf61f Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
9 days | Integrate RPMB components into the build system | Imre Kis
Add RPMB block storage to host libts, component-test build and ts-service-test builds. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: Ife45ea753476e9014334b2ccec698337cd719654
9 days | Add RPMB block store factory | Imre Kis
Add component for creating RPMB based block store instance. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: I32dfe35f56220a676607c36a96464301ea7f66d8
9 days | Add standalone RPMB service context | Imre Kis
Add RPMB service context for standalone contexts. This service context uses the emulated RPMB backend. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: I0282c1462c518de0ff3c8b682441d2ecfdfae288
9 days | Add RPMB block store | Imre Kis
Implement block store interface using the RPMB frontend. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: I230f2294c0bbb94e04634dd6c32c103c39048747
9 days | Add RPMB frontend tests | Imre Kis
Cover RPMB frontend with unit tests using the mock backend and platform. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: I69f91ebe5888186351e40d38d5b24c8d0d7ed126
9 days | Implement mock RPMB platform | Imre Kis
The platform uses CppUMock for enabling the testing of upper RPMB layers. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: Ib0a63eea30e43335ecd44674f18844c5310d9c47
9 days | Implement default RPMB platform for RPMB frontend | Imre Kis
The platform uses the PSA crypto API for calculating hashes and for generating random nonce values. For deriving the RPMB authentication key it uses a dummy HUK value. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: Ibb0598489300d15a2581d73321fb5c4d9d813682
9 days | Implement RPMB frontend | Imre Kis
The RPMB frontend provides a high level read/write interface for accessing the RPMB device and it makes calls to the RPMB backend. This component contains the main RPMB logic, including:
* Writing authentication key
* Handling the write counter
* Building and verifying RPMB data frames
Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: I2bd2589f4f99370381e1594beb4e04921c3fba36
9 days | Implement mock RPMB backend | Imre Kis
The backend uses CppUMock for enabling the testing of upper RPMB layers. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: I1289ffa335610a6558a6d133351b47005cb39b7d
9 days | Implement emulated RPMB backend | Imre Kis
The backend uses a memory allocated buffer for storing data and it emulates all the necessary data frame checks which makes it ideal for testing in host environment. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: I18600ad6ccf969e75b43029a04daf8c3524aec59
9 days | Implement RPMB client | Imre Kis
Implement RPMB service client for accessing remote RPMB backends via the RPC layer. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: I4b4c6fd808864903653ed36620b51267c352d3d8
9 days | Implement RPMB provider | Imre Kis
Implement RPMB service provider to make remote RPMB backends accessible via the RPC layer. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: Id8d04a8cb12fb1d118e653022107207217a9800a
9 days | Create RPMB backend interface | Imre Kis
Add RPMB backend layer and RPMB related definitions for providing an interface for RPMB hardware access. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: I64e253078171c4a8296e4125c53b22eed05e2092
2024-02-13 | Fix and extend SMM variable tests [topics/rss_comms_v2] | Imre Kis
* Fix UEFI authenticated variable header generator script by including variable data.
* Generate new authenticated variable test headers
* Add test cases to cover various set/get scenarios
* Add missing check to SMM variable client
Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: Iae28742aa4d8b8888a82dc9993d729fe0ccf6508
2024-02-13 | Do not store uefi authentication header | Gabor Toth
After authentication the header is not used anymore so remove it instead of storing. Return EFI_SECURITY_VIOLATION if the authentication request can not be verified, because the parent variable does not exist. Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Change-Id: If5b106a7dcfaacbdd05ecf0b3fc83fd5d45e194a
2024-02-07 | Set MBEDTLS_USER_CONFIG_FILE for env-test [topics/libpsa] | Gabor Toth
The config path was removed from env-test by mistake. Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Change-Id: Ie7aa05e6c68d3755cf3c57008bdc3059545f26ac
2024-02-07 | Add new config options to b-test | Gyorgy Szing
Change b-test to allow setting the log directory and the install directory on the command line. The aim is to allow relocating output files when executed in the CI. Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com> Change-Id: Idd1d82b4abbc6d1ed914c04573a3191183698d0b
2024-01-31 | Remove sfs-demo | Gabor Toth
sfs-demo deployment is obsolete, because the tested ITS functionality is covered by the psa-its-api-test. Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Change-Id: I8e98eb52750b8fc00bb4f142898a1dfc7af683b4
2024-01-25 | Update Mbed TLS to 3.5.1 | Imre Kis
Commit ab5707185a9e ("Add a minimum rsa key size config to psa config") introduced a minimal RSA key size condition to prevent accidental misuse. The limit is set to 1024 bits and generating shorter RSA keys will result in PSA_ERROR_NOT_SUPPORTED. Increase key size crypto tests in TS service test to pass this check. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: I917d0bf572fbf763a68c6d479d23ba66e9da6c13
2024-01-25 | Fix PS component tests | Balint Dobszay
The ps_api_tests::createAndSet() function has been renamed but the change wasn't reflected in some of the component tests, which made the component-test deployment fail to build. Fix this. Fixes: 7455c1a691de ("Remove psa_ps_create() support for secure flash store") Signed-off-by: Balint Dobszay <balint.dobszay@arm.com> Change-Id: Ib09e02c339ed667ec9a1a38338adcd0746b1f628
2024-01-25 | Fix: Eliminate warnings | Gabor Toth
Consider warnings as errors and correct them. Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Change-Id: I2d777ee56b21750966b75147be6c4eb73229043f
2024-01-23 | Fix OP-TEE SPMC tests link in the documentation | Imre Kis
Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: I02c825f4aeb7721b0f9b91a5477cffd5e25247ba
2024-01-23 | Update UEFI SMM services protocol documentation | Imre Kis
Update MM communicate register ABI documentation to match the implementation. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: Ica359521a265dba38124a8cab65b0e1739cf565a
2024-01-22 | Remove psa_ps_create() support for secure flash store | Imre Kis
The secure flash store does not support the psa_ps_set_extended() call which is correctly reported by the psa_ps_get_support()'s return value. However SFS implements psa_ps_create() which is an optional call and its intended use is to create an entry for future psa_ps_set_extended() calls. In cases where psa_ps_set_extended() is not implemented psa_ps_create() is redundant to psa_ps_set(). The PSA PS API tests expect psa_ps_create() to fail with PSA_ERROR_NOT_SUPPORTED if the PSA_STORAGE_SUPPORT_SET_EXTENDED flag is not reported by psa_ps_get_support(), so this change fixes test 414. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: I07f13a64793152e61094ef9e1642fb2b57269899
2024-01-19 | Merge UEFI Variable Authentication support | Gyorgy Szing
This feature adds support for protecting UEFI variables from tampering using cryptographic means as defined by the standard. If the feature is enabled the SmmGW SP can rely on the PSA-Crypto SP to execute cryptographic operations or alternatively a crypto library instance can be hosted in the SP. For implementation details please refer to the updated documentation. Change-Id: I0686834166dac50cb4ea97bcd1d232e0ca271d48 Signed-Off-By: Gyorgy Szing <gyorgy szing@arm.com>
2024-01-18 | Enhance UEFI test code [topics/authenticated_variables] | Gyorgy Szing
Changes:
- variable_store_tests.cpp
  - eliminate duplicated string size calculation
  - simplify compare_variable_name(). The function is changed to fail if size of the two strings is not matching.
  - There was a repeating pattern creating uint8_t msg_buffer on the stack. This is test code, but a large enough name + data could cause stack underrun. I added a vector and use it as a buffer. This moves allocation to the HEAP and the compiler will take care of cleaning up the memory when the variable goes out of scope.
- variable_index_tests.cpp
  - eliminate duplicated string size calculation
  - convert null_name to a class member to remove code duplication
Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com> Change-Id: Ieb108bf84dde21b7659c90452c42c8e7428909e0
2024-01-18 | smm_variable: remove duplicate string size calc. | Gyorgy Szing
std::basic_string can not return the number of bytes needed to store the string. The size function returns the number of character values, which for multi byte strings is not the size but the length. As a solution the code needs to calculate the "real" size, which was done at multiple places with repeated code. Introduce a template function called string_get_length_in_bytes() to remove code duplication. Change-Id: I5d557558f9f9bb14b8905bd3afddee1faef8142a Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>
2024-01-18 | Add option for internal mbedtls in smm-gateway | Gabor Toth
Update the component to support the usage of internal mbedtls instance for signature verification instead of crypto SP. Change-Id: I24ae5e08930accbd61c2333caf31333db3560c98 Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
2024-01-18 | Make uefi-test compilable to linux-pc | Gabor Toth
Enable uefi variable authentication in libts and create uefi direct backend to provide signature verification API that would normally be accessible using the crypto SP. Change-Id: I1d95981ef5b2b4ee75438565c1e4cf82eadbab40 Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
2024-01-18 | Update uefi tests to be able to run multiple times | Gabor Toth
Separate enumerateStoreContents test to three separate cases to test enumeration, read-only variables and boot state handling and change them to be independent from each other. Also update all other tests to avoid using variables accessible only in boot state. Change-Id: I61a1f01aef71511bad192955e6a19ed5c795ad24 Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
2024-01-18 | Update documentation with the UEFI changes | Gabor Toth
Adding UEFI authenticated variables related information to the documentation. Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Change-Id: Ic4fd4b6d73994f8a1ddf0ce4e3a0706589f1fd54
2024-01-18 | Fix access of UEFI boot only variables | Gabor Toth
Update uefi_variable_store_get_next_variable_name to avoid returning variables with boot-only access when boot phase is over. Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Change-Id: If669b116df65f7a3552e4900e9e6a07b7ef17f54
2024-01-18 | Add tests for variable authentication | Gabor Toth
Creating tests to verify the new authentication feature in the uefi service and updating the old tests to meet the changes. Also adding tool to generate all the inputs that are needed for the aforementioned functionality. Moreover remove UEFI tests as these are executed as part of a dedicated test executable. Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com> Change-Id: I7aa533dcad582f7300895a15bfacdb7d2f465041
2024-01-18 | Eliminate std::wstring occurrences from uefi code | Gabor Toth
UEFI defines strings to use 16 bits wide code values. Use std::u16string instead of wstring in C++ code for better portability. Change-Id: Id8c2cdddb796a62a3aa14a5200038cd613ea1c17 Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
2024-01-18 | Implement uefi variable authentication | Julian Hall
Variable authentication is a way to ensure the integrity and authenticity of certain UEFI variables. To modify or delete such a variable the request has to be verified by other variables that store the keys. This change implements the aforementioned functionality.
efi_image_authentication.h was copied from https://github.com/tianocore/edk2 repository:
sha: c96b4da2a079eb837ab3af9aeb86a97078b3bde6
Original file: MdePkg/Include/Guid/ImageAuthentication.h
Some lines were also added to this file from: MdePkg/Include/Protocol/Hash.h
For details please refer to the comments in the source.
Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Change-Id: I05b8406834ebb77ab21c5fef61d0327625ec0e72
2024-01-17 | Add SPMC test documentations | Imre Kis
Add build and run instructions for the SPMC test. Document the structure of the SPMC test environment and the implemented test cases. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: I5139f36dc78a2c37c3000f15f74722f945ab738f
2024-01-16 | Fix NWd and SWd substitution in the documentation | Imre Kis
Fix global substitution declarations by adding missing colons. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: Ia552bc7891f6bfceff03a3d6106056956faf176b
2024-01-08 | ADD FFA_MEM_PERM_GET/SET SPMC tests | Jelle Sels
Add FFA_MEM_PERM_GET/SET test to the SPMC test SPs. Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Signed-off-by: Jelle Sels <jelle.sels@arm.com> Change-Id: I538478f09ce0d3c4f27552db25ec005bd764744e
2024-01-07 | Remove obsolete dependency from uefi-test | Gabor Toth
Remove nanopb dependency from uefi-test deployment, because it does not use protobuf. Change-Id: I3195797a6d3c1e7b014cf7a499a78ab8b0784a3c Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
2024-01-07 | Add missing const modifiers to smm_variables | Gabor Toth
There are many missing const modifiers from variable store functions resulting in warnings. Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Change-Id: I1d19eb8794cb368a64309f4649bfbfaebd00ede6
2024-01-07 | Use mbedtls from Crypto SP in SMMGW | Gabor Toth
Crypto SP provides hash calculation and signature verification API-s that will be used by the uefi service in SMMGW SP. Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Change-Id: I03e2862662734275221481784d82d8498c6f08af
2024-01-07 | Make flash area size configurable | Gabor Toth
UEFI tests require more space for the authenticated variable tests so the flash size is changed to be configurable. On FVP it will have an increased size. Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Change-Id: Ifac6b98cdb241474fd3f61411a546efd540496fb
2024-01-07 | Extend crypto SP to support signature verification | Gabor Toth
The UEFI service of SMM gateway needs pkcs7 signature verification to authorize variable accesses. Instead of duplicating the mbedtls entities, crypto SP will provide an interface to do the signature verification. Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Change-Id: I7b0472435ac1620c4fe42d0592e1c64faaf10df7
2023-11-15 | Correct checkpatch findings in uefi service | Gabor Toth
UEFI service has a huge amount of checkpatch findings. This commit eliminates them before the implementation of the new feature is started. Change-Id: I211c52339660cd9b0d906c52669095df322bf4aa Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
2023-11-15 | Introduce uefi service component | Julian Hall
In preparation for adding authenticated variable support, this commit adds a service/uefi directory to act as a parent for uefi related service components. The auth support that will be added has broader scope than just uefi variables and may also be used for capsule verification. Because of this, it will live in its own directory. Signed-off-by: Julian Hall <julian.hall@arm.com> Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Change-Id: Ie58f6537a8e105dfcf0904c8a80a27bdf219502a
2023-11-15 | Support per-deployment configuration of MbedTLS | Julian Hall
Up until now, only libmbedcrypto has been used for builds of the MbedTLS external component. In preparation for using other libraries produced by MbedTLS (e.g. libmbedx509), this change moves the build configuration to be defined by a deployment that depends on MbedTLS in some way. This allows a deployment specific configuration to be applied that impacts the complete set of mbedTLS library dependencies. To allow for reuse of common configurations, a new config directory has been added under external/MbedTLS to provide a home for reusable config header files. Signed-off-by: Julian Hall <julian.hall@arm.com> Signed-off-by: Gabor Toth <gabor.toth2@arm.com> Change-Id: Icfdeb796d9bda185c30f68e525f7644f1edd4770
2023-09-28 | Fix: make libts version handling dynamic [HEAD, v1.0.0_rc1, v1.0.0, main] | Gyorgy
Change cmake scripts to use same source of truth when building and when searching for libts. Change-Id: I75d8be110b6b4dc601a9eaedc603214bf566b91a Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>
2023-09-28 | Bump version number and update changelog [v1.0.0_rc0] | Gyorgy Szing
Update the release notes & changelog page, and bump version numbers. Change-Id: Ie90f46a8dbd9742fe34fe4bda7180b03731c3e8a Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>