DPE: Use external label only for key derivation
Signed-off-by: Maulik Patel <maulik.patel@arm.com>
Change-Id: I1b0004892db305fcb86e0ca18a30bbc2db3469bb
diff --git a/partitions/dice_protection_environment/dpe_certificate.c b/partitions/dice_protection_environment/dpe_certificate.c
index a97457a..d3230e0 100644
--- a/partitions/dice_protection_environment/dpe_certificate.c
+++ b/partitions/dice_protection_environment/dpe_certificate.c
@@ -436,8 +436,8 @@
/* Add label claim */
add_label_claim(&dpe_cert_ctx,
- &layer_ctx->data.attest_key_label[0],
- layer_ctx->data.attest_key_label_len);
+ &layer_ctx->data.external_key_deriv_label[0],
+ layer_ctx->data.external_key_deriv_label_len);
/* Add public key claim */
add_public_key_claim(&dpe_cert_ctx,
diff --git a/partitions/dice_protection_environment/dpe_context_mngr.c b/partitions/dice_protection_environment/dpe_context_mngr.c
index e279b39..238c715 100644
--- a/partitions/dice_protection_environment/dpe_context_mngr.c
+++ b/partitions/dice_protection_environment/dpe_context_mngr.c
@@ -245,16 +245,6 @@
}
}
- if (layer_ctx_array[curr_layer_idx].data.attest_key_label_len != 0) {
-
- status = psa_hash_update(&hash_op,
- &layer_ctx_array[curr_layer_idx].data.attest_key_label[0],
- layer_ctx_array[curr_layer_idx].data.attest_key_label_len);
- if (status != PSA_SUCCESS) {
- return status;
- }
- }
-
status = psa_hash_finish(&hash_op,
&layer_ctx_array[curr_layer_idx].attest_cdi_hash_input[0],
sizeof(layer_ctx_array[curr_layer_idx].attest_cdi_hash_input),
@@ -810,7 +800,7 @@
layer_ctx->data.attest_pub_key_len = public_key_size;
/* If public key is provided, then provided label (if any) is ignored */
- layer_ctx->data.attest_key_label_len = 0;
+ layer_ctx->data.external_key_deriv_label_len = 0;
} else {
/* No external public key is provided */
@@ -818,13 +808,13 @@
if ((label_size > 0) && (label != NULL)) {
/* Copy the label provided */
- memcpy(&layer_ctx->data.attest_key_label[0],
+ memcpy(&layer_ctx->data.external_key_deriv_label[0],
label,
label_size);
- layer_ctx->data.attest_key_label_len = label_size;
+ layer_ctx->data.external_key_deriv_label_len = label_size;
} else {
- layer_ctx->data.attest_key_label_len = 0;
+ layer_ctx->data.external_key_deriv_label_len = 0;
}
}
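Review bot: No bound on `label_size` is visible before the `memcpy` into `external_key_deriv_label`, which the header hunk declares as `DPE_EXTERNAL_LABEL_MAX_SIZE` bytes. The label is caller-supplied and, after this commit, is the direct label input to attestation key derivation, so please confirm that the size is validated before this point. If it is not, a local guard such as `if (label_size > sizeof(layer_ctx->data.external_key_deriv_label)) { return DPE_INVALID_ARGUMENT; }` ahead of the copy would close the gap. The enclosing function starts and ends outside the hunk, so the check may already exist there or in the command decoder.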
@@ -869,8 +859,10 @@
component_ctx_array[input_ctx_idx].nonce = GET_NONCE(*new_context_handle);
/* Clear the context label and key contents */
- memset(&layer_ctx->data.attest_key_label[0], 0u, layer_ctx->data.attest_key_label_len);
- memset(&layer_ctx->data.attest_pub_key[0], 0u, layer_ctx->data.attest_pub_key_len);
+ memset(&layer_ctx->data.external_key_deriv_label[0], 0u,
+ layer_ctx->data.external_key_deriv_label_len);
+ memset(&layer_ctx->data.attest_pub_key[0], 0u,
+ layer_ctx->data.attest_pub_key_len);
return DPE_NO_ERROR;
}
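Review bot: The two `memset` calls zero the buffers, but the visible lines leave `external_key_deriv_label_len` and `attest_pub_key_len` at their old values. With this commit a non-zero `external_key_deriv_label_len` selects the external label for key derivation in dpe_crypto_interface.c. A later derivation on the same layer that does not first pass through the code resetting the length would therefore derive from an all-zero label of the stale length. Consider adding `layer_ctx->data.external_key_deriv_label_len = 0;` and `layer_ctx->data.attest_pub_key_len = 0;` after the clears, unless every path is known to reset them. The function begins outside the hunk.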
diff --git a/partitions/dice_protection_environment/dpe_context_mngr.h b/partitions/dice_protection_environment/dpe_context_mngr.h
index cf16a7d..cd66952 100644
--- a/partitions/dice_protection_environment/dpe_context_mngr.h
+++ b/partitions/dice_protection_environment/dpe_context_mngr.h
@@ -78,8 +78,8 @@
psa_key_id_t attest_key_id;
uint8_t attest_pub_key[DPE_ATTEST_PUB_KEY_SIZE];
size_t attest_pub_key_len;
- uint8_t attest_key_label[DPE_EXTERNAL_LABEL_MAX_SIZE];
- size_t attest_key_label_len;
+ uint8_t external_key_deriv_label[DPE_EXTERNAL_LABEL_MAX_SIZE];
+ size_t external_key_deriv_label_len;
uint8_t cert_buf[DICE_CERT_SIZE];
size_t cert_buf_len;
};
diff --git a/partitions/dice_protection_environment/dpe_crypto_interface.c b/partitions/dice_protection_environment/dpe_crypto_interface.c
index 9a18d91..a56aaf8 100644
--- a/partitions/dice_protection_environment/dpe_crypto_interface.c
+++ b/partitions/dice_protection_environment/dpe_crypto_interface.c
@@ -16,7 +16,7 @@
static const char attest_cdi_label[] = DPE_ATTEST_CDI_LABEL;
static const char exported_attest_cdi_label[] = DPE_ATTEST_EXPORTED_CDI_LABEL;
-static const char attest_key_pair_label[] = DPE_ATTEST_KEY_PAIR_LABEL;
+static const char default_attest_key_deriv_label[] = DPE_ATTEST_KEY_PAIR_LABEL;
static const char id_label[] = DPE_ID_LABEL;
static const uint8_t attest_key_salt[] = DPE_ATTEST_KEY_SALT;
static const uint8_t id_salt[] = DPE_ID_SALT;
@@ -126,13 +126,27 @@
psa_set_key_usage_flags(&attest_key_attr, DPE_ATTEST_KEY_USAGE);
/* Perform key pair derivation */
- status = perform_derivation(layer_ctx->data.cdi_key_id,
- &attest_key_attr,
- (uint8_t *)&attest_key_pair_label[0],
- sizeof(attest_key_pair_label),
- attest_key_salt,
- sizeof(attest_key_salt),
- &layer_ctx->data.attest_key_id);
+
+ if (layer_ctx->data.external_key_deriv_label_len > 0) {
+ /* Use the external label provided for key derivation */
+ status = perform_derivation(layer_ctx->data.cdi_key_id,
+ &attest_key_attr,
+ &layer_ctx->data.external_key_deriv_label[0], /* External label */
+ layer_ctx->data.external_key_deriv_label_len,
+ attest_key_salt,
+ sizeof(attest_key_salt),
+ &layer_ctx->data.attest_key_id);
+ } else {
+ /* Use the default label for key derivation */
+ status = perform_derivation(layer_ctx->data.cdi_key_id,
+ &attest_key_attr,
+ (uint8_t *)&default_attest_key_deriv_label[0], /* Default label */
+ sizeof(default_attest_key_deriv_label),
+ attest_key_salt,
+ sizeof(attest_key_salt),
+ &layer_ctx->data.attest_key_id);
+ }
+
if (status != PSA_SUCCESS) {
return status;
}
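Review bot: The caller-supplied label and the built-in default are not domain-separated in the new branch, since both go through `perform_derivation` with the same CDI key and `attest_key_salt`. An external label whose bytes equal `DPE_ATTEST_KEY_PAIR_LABEL` (including the terminating NUL that `sizeof` counts) would yield the same attestation key as a request with no label. If that overlap is not intended, either reject such a label where it is copied in or document the behaviour next to the branch. Separately, the two calls differ only in the label pointer and length, so selecting those once and calling `perform_derivation` a single time removes the duplication. The sketch below assumes the label parameter is a `const uint8_t *`, which is not visible here, and the enclosing function starts and ends outside the hunk.

```c
    /* Select the derivation label: the caller-supplied one when present,
     * otherwise the built-in default (sizeof includes its NUL terminator).
     */
    const uint8_t *deriv_label =
        (const uint8_t *)&default_attest_key_deriv_label[0];
    size_t deriv_label_len = sizeof(default_attest_key_deriv_label);

    if (layer_ctx->data.external_key_deriv_label_len > 0) {
        deriv_label = &layer_ctx->data.external_key_deriv_label[0];
        deriv_label_len = layer_ctx->data.external_key_deriv_label_len;
    }

    status = perform_derivation(layer_ctx->data.cdi_key_id,
                                &attest_key_attr,
                                deriv_label,
                                deriv_label_len,
                                attest_key_salt,
                                sizeof(attest_key_salt),
                                &layer_ctx->data.attest_key_id);
    /* ... unchanged: status check and early return ... */
```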