DPE: Get RoT CDI key through the Crypto interface
Instead of relying on a platform component to export the RoT
CDI key, do it directly from the Crypto interface of the DPE
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Change-Id: I194d798cd06067693b5c2c02636ed4065d923c13
diff --git a/partitions/dice_protection_environment/dpe_context_mngr.c b/partitions/dice_protection_environment/dpe_context_mngr.c
index 48cde1c..eab9db7 100644
--- a/partitions/dice_protection_environment/dpe_context_mngr.c
+++ b/partitions/dice_protection_environment/dpe_context_mngr.c
@@ -466,7 +466,6 @@
#ifdef DPE_TEST_MODE
uint8_t rot_cdi_input[DICE_CDI_SIZE] = TEST_ROT_CDI_VAL;
#else
- int ret;
uint8_t rot_cdi_input[DICE_CDI_SIZE];
#endif /* DPE_TEST_MODE */
psa_status_t status;
@@ -478,9 +477,8 @@
#ifndef DPE_TEST_MODE
/* Get the RoT CDI input for the RoT layer */
- ret = dpe_plat_get_rot_cdi(&rot_cdi_input[0],
- sizeof(rot_cdi_input));
- if (ret != 0) {
+ status = get_rot_cdi_input(&rot_cdi_input[0], sizeof(rot_cdi_input));
+ if (status != PSA_SUCCESS) {
return DPE_INTERNAL_ERROR;
}
#endif /* DPE_TEST_MODE */
diff --git a/partitions/dice_protection_environment/dpe_crypto_interface.c b/partitions/dice_protection_environment/dpe_crypto_interface.c
index bbd16ce..be8a403 100644
--- a/partitions/dice_protection_environment/dpe_crypto_interface.c
+++ b/partitions/dice_protection_environment/dpe_crypto_interface.c
@@ -13,6 +13,7 @@
#include "dpe_crypto_config.h"
#include "psa/crypto.h"
#include "tfm_crypto_defs.h"
+#include "dpe_plat.h"
static const char attest_cdi_label[] = DPE_ATTEST_CDI_LABEL;
static const char exported_attest_cdi_label[] = DPE_ATTEST_EXPORTED_CDI_LABEL;
@@ -319,3 +320,18 @@
return status;
}
+
+psa_status_t get_rot_cdi_input(uint8_t rot_cdi_input[DICE_CDI_SIZE], size_t rot_cdi_input_size)
+{
+ psa_status_t status;
+ size_t rot_cdi_input_actual_size;
+
+ status = psa_export_key(dpe_plat_get_rot_cdi_key_id(),
+ &rot_cdi_input[0],
+ rot_cdi_input_size,
+ &rot_cdi_input_actual_size);
+
+ assert(rot_cdi_input_actual_size == DICE_CDI_SIZE);
+
+ return status;
+}
diff --git a/partitions/dice_protection_environment/dpe_crypto_interface.h b/partitions/dice_protection_environment/dpe_crypto_interface.h
index 291295b..7234816 100644
--- a/partitions/dice_protection_environment/dpe_crypto_interface.h
+++ b/partitions/dice_protection_environment/dpe_crypto_interface.h
@@ -100,6 +100,16 @@
psa_status_t get_layer_cdi_value(const struct layer_context_t *layer_ctx,
uint8_t cdi_attest_buf[DICE_CDI_SIZE],
uint8_t cdi_seal_buf[DICE_CDI_SIZE]);
+/**
+ * @brief Get the RoT CDI input
+ *
+ * @param[out] rot_cdi_input Buffer to contain the retrieved RoT CDI key
+ * @param[in] rot_cdi_input_size Size in bytes of the \a rot_cdi_input buffer
+ *
+ * @return psa_status_t
+ */
+psa_status_t get_rot_cdi_input(uint8_t rot_cdi_input[DICE_CDI_SIZE],
+ size_t rot_cdi_input_size);
#ifdef __cplusplus
}
#endif