COSE: Switch tests over to upstream t_cose
Switch from TF-M's fork of the t_cose library to the upstream repository,
which is downloaded from https://github.com/laurencelundblade/t_cose.
Change-Id: I9e2a859c67e902c6ecc1dc5ab996241e3d33e4ab
Signed-off-by: Adam Kulesza <adam.kulesza@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
diff --git a/lib/ext/CMakeLists.txt b/lib/ext/CMakeLists.txt
index 5964d97..1d255cf 100644
--- a/lib/ext/CMakeLists.txt
+++ b/lib/ext/CMakeLists.txt
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2023, Arm Limited. All rights reserved.
+# Copyright (c) 2023-2025, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -13,4 +13,8 @@
add_subdirectory(qcbor)
endif()
+if(TEST_NS_ATTESTATION OR TEST_NS_T_COSE)
+ add_subdirectory(t_cose)
+endif()
+
add_subdirectory(CMSIS)
diff --git a/lib/ext/t_cose/0001-Add-t_cose_key_encode-API.patch b/lib/ext/t_cose/0001-Add-t_cose_key_encode-API.patch
new file mode 100644
index 0000000..adc5551
--- /dev/null
+++ b/lib/ext/t_cose/0001-Add-t_cose_key_encode-API.patch
@@ -0,0 +1,105 @@
+From 6f3f47d0370f9714baae195d4f2d7b9a38df29ab Mon Sep 17 00:00:00 2001
+From: Tamas Ban <tamas.ban@arm.com>
+Date: Thu, 19 Sep 2024 11:50:32 +0200
+Subject: [PATCH] Add t_cose_key_encode API
+
+Modelled based on this PR:
+https://github.com/laurencelundblade/t_cose/pull/285/commits/fc72e519
+
+Signed-off-by: Tamas Ban <tamas.ban@arm.com>
+Change-Id: I28af97dede81980c960ff43d08137be844935230
+---
+ inc/t_cose/t_cose_key.h | 4 +++
+ src/t_cose_key.c | 55 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+)
+
+diff --git a/inc/t_cose/t_cose_key.h b/inc/t_cose/t_cose_key.h
+index a757e9e..cdf5557 100644
+--- a/inc/t_cose/t_cose_key.h
++++ b/inc/t_cose/t_cose_key.h
+@@ -227,6 +227,10 @@ t_cose_key_init_symmetric(int32_t cose_algorithm_id,
+ void
+ t_cose_key_free_symmetric(struct t_cose_key key);
+
++enum t_cose_err_t
++t_cose_key_encode(struct t_cose_key key,
++ struct q_useful_buf key_buf,
++ struct q_useful_buf_c *cbor_encoded);
+
+ #ifdef __cplusplus
+ }
+diff --git a/src/t_cose_key.c b/src/t_cose_key.c
+index 0ce88f5..6b134d1 100644
+--- a/src/t_cose_key.c
++++ b/src/t_cose_key.c
+@@ -8,8 +8,11 @@
+ *
+ * See BSD-3-Clause license in README.md
+ */
++#include "qcbor/qcbor_encode.h"
+ #include "t_cose/t_cose_key.h"
+ #include "t_cose_crypto.h"
++#include "t_cose_crypto.h"
++#include "t_cose_util.h"
+
+
+ /*
+@@ -35,3 +38,55 @@ t_cose_key_free_symmetric(struct t_cose_key key)
+ t_cose_crypto_free_symmetric_key(key);
+ }
+
++/*
++ * Public function. See t_cose_key.h
++ */
++enum t_cose_err_t
++t_cose_key_encode(struct t_cose_key key,
++ struct q_useful_buf key_buf,
++ struct q_useful_buf_c *cbor_encoded)
++{
++ enum t_cose_err_t result;
++ int32_t cose_curve;
++ MakeUsefulBufOnStack( x_coord_buf, T_COSE_BITS_TO_BYTES(T_COSE_ECC_MAX_CURVE_BITS));
++ MakeUsefulBufOnStack( y_coord_buf, T_COSE_BITS_TO_BYTES(T_COSE_ECC_MAX_CURVE_BITS));
++ struct q_useful_buf_c x_coord;
++ struct q_useful_buf_c y_coord;
++ bool y_sign;
++ QCBOREncodeContext cbor_encoder;
++ QCBORError qcbor_result;
++
++ result = t_cose_crypto_export_ec2_key(key,
++ &cose_curve,
++ x_coord_buf,
++ &x_coord,
++ y_coord_buf,
++ &y_coord,
++ &y_sign);
++ if (result != T_COSE_SUCCESS) {
++ return result;
++ }
++
++ QCBOREncode_Init(&cbor_encoder, key_buf);
++
++ QCBOREncode_OpenMap(&cbor_encoder);
++
++ QCBOREncode_AddInt64ToMapN(&cbor_encoder, T_COSE_KEY_COMMON_KTY, T_COSE_KEY_TYPE_EC2);
++ QCBOREncode_AddInt64ToMapN(&cbor_encoder, T_COSE_KEY_PARAM_CRV, cose_curve);
++ QCBOREncode_AddBytesToMapN(&cbor_encoder, T_COSE_KEY_PARAM_X_COORDINATE, x_coord);
++ if (q_useful_buf_c_is_null(y_coord)) {
++ QCBOREncode_AddBoolToMapN(&cbor_encoder, T_COSE_KEY_PARAM_Y_COORDINATE, y_sign);
++ } else {
++ QCBOREncode_AddBytesToMapN(&cbor_encoder, T_COSE_KEY_PARAM_Y_COORDINATE, y_coord);
++ }
++
++ QCBOREncode_CloseMap(&cbor_encoder);
++
++ qcbor_result = QCBOREncode_Finish(&cbor_encoder, cbor_encoded);
++ if (qcbor_result != QCBOR_SUCCESS) {
++ /* Mainly means that the COSE_Key was too big for key_buf */
++ return qcbor_encode_error_to_t_cose_error(&cbor_encoder);
++ }
++
++ return T_COSE_SUCCESS;
++}
+--
+2.34.1
+
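Review bot: The new `t_cose_key_encode()` prototype in `inc/t_cose/t_cose_key.h` has no doc comment, although the definition in `src/t_cose_key.c` says `Public function. See t_cose_key.h`. A short header comment should state that `key_buf` is the caller-supplied output buffer, that `cbor_encoded` receives the encoded COSE_Key map on success, and that only EC2 keys are handled (the body always writes `T_COSE_KEY_TYPE_EC2`). The added `#include "t_cose_crypto.h"` duplicates the include on the line above it and can be dropped. The two coordinate buffers are sized from `T_COSE_ECC_MAX_CURVE_BITS`; whether `t_cose_crypto_export_ec2_key()` bounds its writes to those lengths is not visible here and is worth confirming.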
diff --git a/lib/ext/t_cose/0002-Add-t_cose_key_decode-API.patch b/lib/ext/t_cose/0002-Add-t_cose_key_decode-API.patch
new file mode 100644
index 0000000..742ece9
--- /dev/null
+++ b/lib/ext/t_cose/0002-Add-t_cose_key_decode-API.patch
@@ -0,0 +1,126 @@
+From b666db4e745d39473aa93b44772588b191dc56fb Mon Sep 17 00:00:00 2001
+From: Tamas Ban <tamas.ban@arm.com>
+Date: Fri, 27 Sep 2024 12:53:58 +0200
+Subject: [PATCH 2/2] Add t_cose_key_decode API
+
+Copied from this PR:
+https://github.com/laurencelundblade/t_cose/pull/285/commits/fc72e519
+
+Signed-off-by: Tamas Ban <tamas.ban@arm.com>
+---
+ inc/t_cose/t_cose_key.h | 6 ++++
+ src/t_cose_key.c | 74 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 80 insertions(+)
+
+diff --git a/inc/t_cose/t_cose_key.h b/inc/t_cose/t_cose_key.h
+index cdf5557..86e5fed 100644
+--- a/inc/t_cose/t_cose_key.h
++++ b/inc/t_cose/t_cose_key.h
+@@ -227,6 +227,12 @@ t_cose_key_init_symmetric(int32_t cose_algorithm_id,
+ void
+ t_cose_key_free_symmetric(struct t_cose_key key);
+
++
++enum t_cose_err_t
++t_cose_key_decode(struct q_useful_buf_c cbor_encoded,
++ struct t_cose_key *key);
++
++
+ enum t_cose_err_t
+ t_cose_key_encode(struct t_cose_key key,
+ struct q_useful_buf key_buf,
+diff --git a/src/t_cose_key.c b/src/t_cose_key.c
+index 6b134d1..7b48a56 100644
+--- a/src/t_cose_key.c
++++ b/src/t_cose_key.c
+@@ -13,6 +13,8 @@
+ #include "t_cose_crypto.h"
+ #include "t_cose_crypto.h"
+ #include "t_cose_util.h"
++#include "qcbor/qcbor_spiffy_decode.h"
++#include "t_cose_crypto.h"
+
+
+ /*
+@@ -38,6 +40,78 @@ t_cose_key_free_symmetric(struct t_cose_key key)
+ t_cose_crypto_free_symmetric_key(key);
+ }
+
++
++enum t_cose_err_t
++t_cose_key_decode(struct q_useful_buf_c cbor_encoded,
++ struct t_cose_key *key)
++{
++ QCBORDecodeContext cbor_decoder;
++ int64_t kty;
++ int64_t curve;
++ struct q_useful_buf_c x;
++ struct q_useful_buf_c y_string;
++ bool y_bool;
++ QCBORItem y;
++ enum t_cose_err_t result;
++
++
++ QCBORDecode_Init(&cbor_decoder, cbor_encoded, 0);
++
++
++ QCBORDecode_EnterMap(&cbor_decoder, NULL);
++
++ QCBORDecode_GetInt64InMapN(&cbor_decoder, T_COSE_KEY_COMMON_KTY, &kty);
++ QCBORDecode_GetInt64InMapN(&cbor_decoder, T_COSE_KEY_PARAM_CRV, &curve);
++ QCBORDecode_GetByteStringInMapN(&cbor_decoder, T_COSE_KEY_PARAM_X_COORDINATE, &x);
++ QCBORDecode_GetItemInMapN(&cbor_decoder, T_COSE_KEY_PARAM_Y_COORDINATE, QCBOR_TYPE_ANY, &y);
++
++ QCBORDecode_ExitMap(&cbor_decoder);
++ if(QCBORDecode_GetError(&cbor_decoder)) {
++ return T_COSE_ERR_FAIL; // TODO: is this right?
++ }
++
++ // TODO: check kty
++
++ /* If y is a bool, then point compression is used and y is a boolean
++ * indicating the sign. If not then it is a byte string with the y.
++ * Anything else is an error. See RFC 9053 7.1.1.
++ */
++ switch(y.uDataType) {
++ case QCBOR_TYPE_BYTE_STRING:
++ y_string = y.val.string;
++ y_bool = true; /* Unused. Only here to avoid compiler warning */
++ break;
++
++ case QCBOR_TYPE_TRUE:
++ y_bool = true;
++ y_string = NULL_Q_USEFUL_BUF_C;
++ break;
++
++ case QCBOR_TYPE_FALSE:
++ y_bool = true;
++ y_string = NULL_Q_USEFUL_BUF_C;
++ break;
++
++ default:
++ return 77; // TODO: error code
++ }
++
++ /* Turn it into a t_cose_key that is imported into the library */
++
++ if(curve > INT32_MAX || curve < INT32_MIN) {
++ // Make sure cast is safe
++ return T_COSE_ERR_FAIL; // TODO: error
++ }
++ result = t_cose_crypto_import_ec2_pubkey((int32_t)curve,
++ x,
++ y_string,
++ y_bool,
++ key);
++
++ return result;
++}
++
++
+ /*
+ * Public function. See t_cose_key.h
+ */
+--
+2.34.1
+
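Review bot: In `t_cose_key_decode()` the `case QCBOR_TYPE_FALSE:` branch sets `y_bool = true;`, so a compressed point whose sign bit is false is imported with the wrong sign; it should be `y_bool = false;`. The `// TODO: check kty` is also still open: `kty` is decoded but never compared, so a map whose key type is not EC2 but which carries the crv, x and y labels is still passed to `t_cose_crypto_import_ec2_pubkey()`, and a guard such as `if(kty != T_COSE_KEY_TYPE_EC2) { return T_COSE_ERR_FAIL; }` after the decode-error check closes that. The `default:` branch returns the bare literal `77` from a function typed `enum t_cose_err_t`; `return T_COSE_ERR_FAIL;`, already used above, is at least a defined value until a dedicated code exists. This function parses a key supplied as encoded bytes, so these checks need to hold before the imported key is used for signature verification.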
diff --git a/lib/ext/t_cose/0003-Import-EC-keys-with-ECDSA-xxx-algo-rather-than-ECDH.patch b/lib/ext/t_cose/0003-Import-EC-keys-with-ECDSA-xxx-algo-rather-than-ECDH.patch
new file mode 100644
index 0000000..9bec776
--- /dev/null
+++ b/lib/ext/t_cose/0003-Import-EC-keys-with-ECDSA-xxx-algo-rather-than-ECDH.patch
@@ -0,0 +1,59 @@
+From 543f32dc625c905ddf98222270cdc23751ad4abe Mon Sep 17 00:00:00 2001
+From: Tamas Ban <tamas.ban@arm.com>
+Date: Mon, 30 Sep 2024 14:23:03 +0200
+Subject: [PATCH 3/3] Import EC keys with ECDSA(xxx) algo rather than ECDH
+
+To make the DPE certificate verification working
+with t_cose_key_dedode() API.
+
+The original code registers the keys with ECDH
+algorithm. In this case psa_has_verify() returns
+with PSA_ERROR_NOT_PERMITTED.
+
+Signed-off-by: Tamas Ban <tamas.ban@arm.com>
+---
+ crypto_adapters/t_cose_psa_crypto.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/crypto_adapters/t_cose_psa_crypto.c b/crypto_adapters/t_cose_psa_crypto.c
+index 16151c6..80d1961 100644
+--- a/crypto_adapters/t_cose_psa_crypto.c
++++ b/crypto_adapters/t_cose_psa_crypto.c
+@@ -1663,6 +1663,7 @@ t_cose_crypto_import_ec2_pubkey(int32_t cose_ec_curve_id,
+ psa_status_t status;
+ psa_key_attributes_t attributes;
+ psa_key_type_t type_public;
++ psa_algorithm_t alg;
+ struct q_useful_buf_c import;
+ // TODO: really make sure this size is right for the curve types supported
+ UsefulOutBuf_MakeOnStack (import_form, T_COSE_EXPORT_PUBLIC_KEY_MAX_SIZE + 5);
+@@ -1670,12 +1671,15 @@ t_cose_crypto_import_ec2_pubkey(int32_t cose_ec_curve_id,
+ switch (cose_ec_curve_id) {
+ case T_COSE_ELLIPTIC_CURVE_P_256:
+ type_public = PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1);
++ alg = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
+ break;
+ case T_COSE_ELLIPTIC_CURVE_P_384:
+ type_public = PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1);
++ alg = PSA_ALG_ECDSA(PSA_ALG_SHA_384);
+ break;
+ case T_COSE_ELLIPTIC_CURVE_P_521:
+ type_public = PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1);
++ alg = PSA_ALG_ECDSA(PSA_ALG_SHA_512);
+ break;
+
+ default:
+@@ -1685,8 +1689,8 @@ t_cose_crypto_import_ec2_pubkey(int32_t cose_ec_curve_id,
+
+ // TODO: are these attributes right?
+ attributes = psa_key_attributes_init();
+- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_COPY);
+- psa_set_key_algorithm(&attributes, PSA_ALG_ECDH);
++ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
++ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, type_public);
+
+ /* This converts to a serialized representation of an EC Point
+--
+2.34.1
+
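Review bot: `t_cose_crypto_import_ec2_pubkey()` now imports every EC2 public key with `PSA_KEY_USAGE_VERIFY_HASH` and a curve-specific `PSA_ALG_ECDSA(...)` policy, which removes the `PSA_KEY_USAGE_DERIVE`/`PSA_ALG_ECDH` permission for all callers, not only the DPE certificate path named in the description. Any caller that imports a peer key through this function for key agreement would presumably now get a policy error from PSA; patch 0006 in this series keeps `ecdh_test` and `ec_import_export_test` enabled, so it is worth confirming they do not depend on the old policy. The `// TODO: are these attributes right?` comment above the changed lines should be replaced with one that records the decision, e.g. `/* Verify-only: imported public keys are restricted to ECDSA with the hash matching the curve size. */`. The start of the `switch` and the rest of the function lie outside the hunks.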
diff --git a/lib/ext/t_cose/0004-Remove-unused-EdDSA-calls-to-help-reduce-code-size.patch b/lib/ext/t_cose/0004-Remove-unused-EdDSA-calls-to-help-reduce-code-size.patch
new file mode 100644
index 0000000..5139ebb
--- /dev/null
+++ b/lib/ext/t_cose/0004-Remove-unused-EdDSA-calls-to-help-reduce-code-size.patch
@@ -0,0 +1,84 @@
+From 91cbc7bff52d51030c3163f30bc0e86333554ece Mon Sep 17 00:00:00 2001
+From: David Vincze <david.vincze@arm.com>
+Date: Mon, 25 Nov 2024 14:29:04 +0000
+Subject: [PATCH] Remove unused EdDSA calls to help reduce code size
+
+With the help of dead-code elimination and actual code removal
+in this patch it's possible to skip the complete EdDSA algorithm
+support from the build process.
+
+Remove EdDSA from sign verifier as it does not need to be covered
+by the tests. Remove it from the code so the build does not depend
+on it.
+
+---
+ src/t_cose_sign1_sign.c | 13 -------------
+ src/t_cose_sign1_verify.c | 8 --------
+ 2 files changed, 21 deletions(-)
+
+diff --git a/src/t_cose_sign1_sign.c b/src/t_cose_sign1_sign.c
+index ea0713e..fdf8efd 100644
+--- a/src/t_cose_sign1_sign.c
++++ b/src/t_cose_sign1_sign.c
+@@ -37,17 +37,10 @@ t_cose_sign1_sign_init(struct t_cose_sign1_sign_ctx *me,
+ // TODO: Translate any more options flags?
+ t_cose_sign_sign_init(&(me->me2), option_flags | T_COSE_OPT_MESSAGE_TYPE_SIGN1);
+
+- if(cose_algorithm_id == T_COSE_ALGORITHM_EDDSA) {
+- t_cose_signature_sign_eddsa_init(&(me->signer.eddsa));
+- t_cose_sign_add_signer(&(me->me2),
+- t_cose_signature_sign_from_eddsa(&(me->signer.eddsa)));
+- } else
+- {
+ t_cose_signature_sign_main_init(&(me->signer.general),
+ me->cose_algorithm_id);
+ t_cose_sign_add_signer(&(me->me2),
+ t_cose_signature_sign_from_main(&(me->signer.general)));
+- }
+ }
+
+
+@@ -58,15 +51,9 @@ t_cose_sign1_set_signing_key(struct t_cose_sign1_sign_ctx *me,
+ {
+ me->signing_key = signing_key; /* Used by make test message */
+ me->kid = kid; /* Used by make test message */
+- if(me->cose_algorithm_id == T_COSE_ALGORITHM_EDDSA) {
+- t_cose_signature_sign_eddsa_set_signing_key(&(me->signer.eddsa),
+- signing_key,
+- kid);
+- } else {
+ t_cose_signature_sign_main_set_signing_key(&(me->signer.general),
+ signing_key,
+ kid);
+- }
+ }
+
+
+diff --git a/src/t_cose_sign1_verify.c b/src/t_cose_sign1_verify.c
+index 0614bb0..a3fc221 100644
+--- a/src/t_cose_sign1_verify.c
++++ b/src/t_cose_sign1_verify.c
+@@ -34,10 +34,6 @@ t_cose_sign1_verify_init(struct t_cose_sign1_verify_ctx *me,
+ t_cose_signature_verify_main_init(&(me->main_verifier));
+ t_cose_sign_add_verifier(&(me->me2),
+ t_cose_signature_verify_from_main(&(me->main_verifier)));
+-
+- t_cose_signature_verify_eddsa_init(&(me->eddsa_verifier), option_flags);
+- t_cose_sign_add_verifier(&(me->me2),
+- t_cose_signature_verify_from_eddsa(&(me->eddsa_verifier)));
+ }
+
+
+@@ -49,10 +45,6 @@ t_cose_sign1_set_verification_key(struct t_cose_sign1_verify_ctx *me,
+ * until decoding the input. There is only one key in t_cose_sign1().
+ * Also, t_cose_sign1 didn't do any kid matching, so it is NULL here.
+ */
+- t_cose_signature_verify_eddsa_set_key(&(me->eddsa_verifier),
+- verification_key,
+- // TODO: should this be NULL?
+- NULL_Q_USEFUL_BUF_C);
+ t_cose_signature_verify_main_set_key(&(me->main_verifier),
+ verification_key,
+ NULL_Q_USEFUL_BUF_C);
+--
+2.34.1
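Review bot: With the EdDSA branch removed from `t_cose_sign1_sign_init()` and `t_cose_sign1_set_signing_key()`, a caller passing `T_COSE_ALGORITHM_EDDSA` is now handed to the main signer without any explicit rejection; presumably the main signer refuses the algorithm at sign time, but that is not visible in these hunks. A one-line comment such as `/* EdDSA support removed by TF-M patch; all algorithm IDs go to the main signer */` would make the fall-through intentional, and the surviving calls should be de-indented one level now that the enclosing `else { }` is gone. On the verify side the removal appears to fail closed, since no EdDSA verifier is registered any more.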
diff --git a/lib/ext/t_cose/0005-Remove-or-disable-unused-functions-in-PSA-Crypto-lay.patch b/lib/ext/t_cose/0005-Remove-or-disable-unused-functions-in-PSA-Crypto-lay.patch
new file mode 100644
index 0000000..82448ca
--- /dev/null
+++ b/lib/ext/t_cose/0005-Remove-or-disable-unused-functions-in-PSA-Crypto-lay.patch
@@ -0,0 +1,107 @@
+From 1052a755db3b99a52babcfbf4dae711da8e4fd16 Mon Sep 17 00:00:00 2001
+From: David Vincze <david.vincze@arm.com>
+Date: Wed, 15 Jan 2025 19:31:41 +0000
+Subject: [PATCH] Remove or disable unused functions in PSA Crypto layer
+
+- Remove unused HKDF function from the PSA Crypto adaptor
+ layer to prevent build errors due to disabled MbedTLS
+ support that it depends on. HKDF is currently not
+ supported properly by the PSA Crypto adaptor layer.
+- Disable unused functions to avoid unnecessary build
+ dependencies.
+
+---
+ crypto_adapters/t_cose_psa_crypto.c | 53 -----------------------------
+ crypto_adapter s/t_cose_psa_crypto.h | 6 ++--
+ 2 files changed, 3 insertions(+), 56 deletions(-)
+
+diff --git a/crypto_adapters/t_cose_psa_crypto.c b/crypto_adapters/t_cose_psa_crypto.c
+index 80d1961..2095002 100644
+--- a/crypto_adapters/t_cose_psa_crypto.c
++++ b/crypto_adapters/t_cose_psa_crypto.c
+@@ -43,9 +43,6 @@
+ #include <mbedtls/nist_kw.h>
+ #endif /* T_COSE_DISABLE_KEYWRAP */
+
+-#include <mbedtls/hkdf.h>
+-#include <mbedtls/md.h>
+-
+ #include "t_cose_util.h"
+ #include "t_cose_psa_crypto.h"
+
+@@ -1600,56 +1597,6 @@ t_cose_crypto_ecdh(struct t_cose_key private_key,
+
+
+
+-
+-/*
+- * See documentation in t_cose_crypto.h
+- */
+-enum t_cose_err_t
+-t_cose_crypto_hkdf(const int32_t cose_hash_algorithm_id,
+- const struct q_useful_buf_c salt,
+- const struct q_useful_buf_c ikm,
+- const struct q_useful_buf_c info,
+- const struct q_useful_buf okm_buffer)
+-{
+- int psa_result;
+- const mbedtls_md_info_t *md_info;
+- mbedtls_md_type_t hash_type;
+-
+- switch(cose_hash_algorithm_id) {
+- case T_COSE_ALGORITHM_SHA_256:
+- hash_type = MBEDTLS_MD_SHA256;
+- break;
+- case T_COSE_ALGORITHM_SHA_384:
+- hash_type = MBEDTLS_MD_SHA384;
+- break;
+- case T_COSE_ALGORITHM_SHA_512:
+- hash_type = MBEDTLS_MD_SHA512;
+- break;
+- default:
+- hash_type = MBEDTLS_MD_NONE;
+- break;
+- }
+-
+- md_info = mbedtls_md_info_from_type(hash_type);
+- if(md_info == NULL) {
+- return T_COSE_ERR_UNSUPPORTED_HASH;
+- }
+-
+- psa_result = mbedtls_hkdf(md_info,
+- salt.ptr, salt.len,
+- ikm.ptr, ikm.len,
+- info.ptr, info.len,
+- okm_buffer.ptr, okm_buffer.len);
+- if(psa_result != PSA_SUCCESS) {
+- return T_COSE_ERR_HKDF_FAIL;
+- }
+-
+- return T_COSE_SUCCESS;
+-}
+-
+-
+-
+-
+ /*
+ * See documentation in t_cose_crypto.h
+ */
+diff --git a/crypto_adapters/t_cose_psa_crypto.h b/crypto_adapters/t_cose_psa_crypto.h
+index bf4963c..5718f81 100644
+--- a/crypto_adapters/t_cose_psa_crypto.h
++++ b/crypto_adapters/t_cose_psa_crypto.h
+@@ -14,9 +14,9 @@
+
+ #include <psa/crypto.h>
+
+-#define PSA_CRYPTO_HAS_RESTARTABLE_SIGNING \
+- ((MBEDTLS_VERSION_MAJOR == 3 && MBEDTLS_VERSION_MINOR >= 4) || \
+- MBEDTLS_VERSION_MAJOR > 3)
++/* #define PSA_CRYPTO_HAS_RESTARTABLE_SIGNING \
++ * ((MBEDTLS_VERSION_MAJOR == 3 && MBEDTLS_VERSION_MINOR >= 4) || \
++ * MBEDTLS_VERSION_MAJOR > 3) */
+
+ #if PSA_CRYPTO_HAS_RESTARTABLE_SIGNING
+ struct t_cose_psa_crypto_context {
+--
+2.34.1
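Review bot: Commenting out the `PSA_CRYPTO_HAS_RESTARTABLE_SIGNING` definition in `t_cose_psa_crypto.h` leaves the following `#if PSA_CRYPTO_HAS_RESTARTABLE_SIGNING` testing an undefined macro, which evaluates to 0 but warns under `-Wundef` and hides the intent. Defining it explicitly, `#define PSA_CRYPTO_HAS_RESTARTABLE_SIGNING 0`, with a comment that restartable signing is disabled for the TF-M test build, keeps the feature switch readable. The removal of `t_cose_crypto_hkdf()` leaves its declaration in `t_cose_crypto.h` in place as far as this patch shows, so any remaining caller would fail only at link time.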
diff --git a/lib/ext/t_cose/0006-Disable-unnecessary-test-cases.patch b/lib/ext/t_cose/0006-Disable-unnecessary-test-cases.patch
new file mode 100644
index 0000000..979d440
--- /dev/null
+++ b/lib/ext/t_cose/0006-Disable-unnecessary-test-cases.patch
@@ -0,0 +1,66 @@
+From b8508adb8ce298ac2c4c2e6708acdb45f061fbd1 Mon Sep 17 00:00:00 2001
+From: David Vincze <david.vincze@arm.com>
+Date: Tue, 10 Dec 2024 14:52:50 +0000
+Subject: [PATCH] Disable unnecessary test cases
+
+- HKDF: not implemented properly by the PSA Crypto layer,
+- Encrypt/Decrypt: not needed to be covered (not relevant to TF-M).
+
+---
+ test/run_tests.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/test/run_tests.c b/test/run_tests.c
+index 17b3b49..510e981 100644
+--- a/test/run_tests.c
++++ b/test/run_tests.c
+@@ -49,19 +49,24 @@ static test_entry s_tests[] = {
+ TEST_ENTRY(kw_test),
+ TEST_ENTRY(decrypt_known_good_aeskw_non_aead_test),
+ #endif
+- TEST_ENTRY(hkdf_test),
++/*
++ * Disabled test case
++ * HKDF is not supported properly by the PSA Crypto adaptor layer
++ */
++ /* TEST_ENTRY(hkdf_test), */
+
+ #ifndef T_COSE_USE_B_CON_SHA256 /* test crypto doesn't support ECDH */
+
+ TEST_ENTRY(ecdh_test),
+ TEST_ENTRY(ec_import_export_test),
+
+- TEST_ENTRY(esdh_enc_dec_test),
+- TEST_ENTRY(decrypt_known_good),
+-
+- TEST_ENTRY(decrypt_known_bad),
+-
+- TEST_ENTRY(kdf_context_test),
++/*
++ * Disabled test cases
++ */
++ /* TEST_ENTRY(esdh_enc_dec_test), */
++ /* TEST_ENTRY(decrypt_known_good), */
++ /* TEST_ENTRY(decrypt_known_bad), */
++ /* TEST_ENTRY(kdf_context_test), */
+
+ #endif /* T_COSE_USE_B_CON_SHA256 */
+
+@@ -133,9 +138,12 @@ static test_entry s_tests[] = {
+ #endif /* T_COSE_DISABLE_HASH_FAIL_TEST */
+ #endif /* T_COSE_DISABLE_SHORT_CIRCUIT_SIGN */
+
+- TEST_ENTRY(param_test),
+- TEST_ENTRY(common_params_test),
+- TEST_ENTRY(base_encrypt_decrypt_test)
++/*
++ * Disabled test cases
++ */
++ /* TEST_ENTRY(param_test), */
++ /* TEST_ENTRY(common_params_test), */
++ /* TEST_ENTRY(base_encrypt_decrypt_test) */
+
+ };
+
+--
+2.34.1
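Review bot: `param_test` and `common_params_test` are commented out in the last hunk of `test/run_tests.c` under a bare `Disabled test cases` comment, while the patch description only justifies disabling the HKDF and encrypt/decrypt tests. Those two names suggest coverage of header-parameter handling, which the sign/verify and MAC paths kept by TF-M still rely on, so either keep them enabled or state the reason next to them, e.g. `/* Disabled: <reason> */`. Wrapping the disabled entries in a named preprocessor guard rather than comment blocks would also make the patch easier to rebase onto a newer t_cose.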
diff --git a/lib/ext/t_cose/CMakeLists.txt b/lib/ext/t_cose/CMakeLists.txt
new file mode 100644
index 0000000..59e163b
--- /dev/null
+++ b/lib/ext/t_cose/CMakeLists.txt
@@ -0,0 +1,29 @@
+#-------------------------------------------------------------------------------
+# SPDX-License-Identifier: BSD-3-Clause
+# SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors
+#-------------------------------------------------------------------------------
+
+cmake_minimum_required(VERSION 3.21)
+
+if(NOT TEST_NS_ATTESTATION AND NOT TEST_NS_T_COSE)
+ return()
+endif()
+
+include(FetchContent)
+set(FETCHCONTENT_QUIET FALSE)
+
+# Default configuration of T_COSE repository
+set(T_COSE_PATH "DOWNLOAD" CACHE PATH "Path to t_cose (or DOWNLOAD to fetch automatically")
+set(T_COSE_VERSION "v2.0-alpha-2" CACHE STRING "The version of t_cose to use")
+
+fetch_remote_library(
+ LIB_NAME t_cose
+ LIB_SOURCE_PATH_VAR T_COSE_PATH
+ LIB_PATCH_DIR ${CMAKE_CURRENT_LIST_DIR}
+ LIB_BASE_DIR "${CMAKE_BINARY_DIR}/lib/ext"
+ FETCH_CONTENT_ARGS
+ GIT_REPOSITORY https://github.com/laurencelundblade/t_cose.git
+ GIT_TAG ${T_COSE_VERSION}
+ GIT_SHALLOW TRUE
+ GIT_PROGRESS TRUE
+)
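Review bot: `GIT_TAG ${T_COSE_VERSION}` defaults to the tag name `v2.0-alpha-2`, which the upstream repository can move, so the code that gets downloaded, patched and built into the test image is not fixed by this file. Pinning the default to the full commit hash keeps the fetch reproducible, e.g. `set(T_COSE_VERSION "<full commit SHA of v2.0-alpha-2>" CACHE STRING "The version of t_cose to use")`; `GIT_SHALLOW TRUE` may then need to be dropped, because shallow clones are only reliable with branch or tag names. The `T_COSE_PATH` help string is also missing its closing parenthesis after `automatically`.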
diff --git a/tests_reg/spe/CMakeLists.txt b/tests_reg/spe/CMakeLists.txt
index 9c60a0f..b42233f 100644
--- a/tests_reg/spe/CMakeLists.txt
+++ b/tests_reg/spe/CMakeLists.txt
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2023, Arm Limited. All rights reserved.
+# Copyright (c) 2023-2025, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -57,9 +57,3 @@
install(FILES ${CONFIG_TFM_SOURCE_PATH}/secure_fw/spm/include/boot/tfm_boot_status.h
DESTINATION ${CMAKE_BINARY_DIR}/api_ns/initial_attestation)
-
-install(DIRECTORY ${CONFIG_TFM_SOURCE_PATH}/lib/ext/t_cose
- DESTINATION ${CMAKE_BINARY_DIR}/api_ns)
-
-install(FILES ${CONFIG_TFM_SOURCE_PATH}/lib/ext/qcbor/q_useful_buf.h
- DESTINATION ${CMAKE_BINARY_DIR}/api_ns/qcbor/inc)
diff --git a/tests_reg/test/config/check_config.cmake b/tests_reg/test/config/check_config.cmake
index e4e4c20..dba39e4 100644
--- a/tests_reg/test/config/check_config.cmake
+++ b/tests_reg/test/config/check_config.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2021-2023, Arm Limited. All rights reserved.
+# Copyright (c) 2021-2025, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -21,7 +21,6 @@
tfm_invalid_config(CONFIG_TFM_FLOAT_ABI STREQUAL "soft" AND (TEST_S_FPU OR TEST_NS_FPU))
tfm_invalid_config((NOT TFM_MULTI_CORE_TOPOLOGY) AND TEST_NS_MULTI_CORE)
-tfm_invalid_config(TEST_NS_T_COSE AND SYMMETRIC_INITIAL_ATTESTATION)
tfm_invalid_config((NOT TFM_NS_MANAGE_NSID) AND TEST_NS_MANAGE_NSID)
tfm_invalid_config(TFM_PXN_ENABLE AND PS_TEST_NV_COUNTERS)
diff --git a/tests_reg/test/secure_fw/suites/attestation/attest_token_decode.h b/tests_reg/test/secure_fw/suites/attestation/attest_token_decode.h
index e141eb9..42682f7 100644
--- a/tests_reg/test/secure_fw/suites/attestation/attest_token_decode.h
+++ b/tests_reg/test/secure_fw/suites/attestation/attest_token_decode.h
@@ -2,7 +2,7 @@
* attest_token_decode.h
*
* Copyright (c) 2019, Laurence Lundblade.
- * Copyright (c) 2020-2024, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2025, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -11,7 +11,7 @@
#ifndef __ATTEST_TOKEN_DECODE_H__
#define __ATTEST_TOKEN_DECODE_H__
-#include "q_useful_buf.h"
+#include "t_cose/q_useful_buf.h"
#include <stdbool.h>
#include "attest_token.h"
#include "tfm_attest_iat_defs.h"
@@ -897,7 +897,7 @@
return ATTEST_TOKEN_ERR_COSE_VALIDATION;
break;
- case T_COSE_ERR_SIGN1_FORMAT:
+ case T_COSE_ERR_SIGNATURE_FORMAT:
return ATTEST_TOKEN_ERR_COSE_FORMAT;
break;
@@ -934,6 +934,8 @@
case T_COSE_ERR_DUPLICATE_PARAMETER:
case T_COSE_ERR_PARAMETER_NOT_PROTECTED:
case T_COSE_ERR_CRIT_PARAMETER:
+ case T_COSE_ERR_TOO_MANY_TAGS:
+ case T_COSE_ERR_INVALID_PARAMETER_TYPE:
default:
return ATTEST_TOKEN_ERR_GENERAL;
}
diff --git a/tests_reg/test/secure_fw/suites/attestation/attest_token_decode_asymmetric.c b/tests_reg/test/secure_fw/suites/attestation/attest_token_decode_asymmetric.c
index d9829fe..d86a189 100644
--- a/tests_reg/test/secure_fw/suites/attestation/attest_token_decode_asymmetric.c
+++ b/tests_reg/test/secure_fw/suites/attestation/attest_token_decode_asymmetric.c
@@ -2,7 +2,7 @@
* attest_token_decode.c
*
* Copyright (c) 2019, Laurence Lundblade.
- * Copyright (c) 2020-2022, Arm Limited.
+ * Copyright (c) 2020-2025, Arm Limited.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -10,10 +10,9 @@
*/
#include "attest_token_decode.h"
-#include "t_cose_sign1_verify.h"
-#include "q_useful_buf.h"
+#include "t_cose/t_cose_sign1_verify.h"
+#include "t_cose/q_useful_buf.h"
#include "qcbor_util.h"
-#include "psa/crypto.h"
#include "attest.h"
#include "tfm_crypto_defs.h"
@@ -35,7 +34,6 @@
int32_t t_cose_options = 0;
struct t_cose_sign1_verify_ctx verify_ctx;
struct t_cose_key attest_key;
- psa_key_handle_t public_key = TFM_BUILTIN_KEY_ID_IAK;
/* Run the signature verification */
if(me->options & TOKEN_OPT_SHORT_CIRCUIT_SIGN) {
@@ -43,8 +41,7 @@
}
t_cose_sign1_verify_init(&verify_ctx, t_cose_options);
- attest_key.crypto_lib = T_COSE_CRYPTO_LIB_PSA;
- attest_key.k.key_handle = public_key;
+ attest_key.key.handle = TFM_BUILTIN_KEY_ID_IAK;
t_cose_sign1_set_verification_key(&verify_ctx, attest_key);
diff --git a/tests_reg/test/secure_fw/suites/attestation/attest_token_decode_common.c b/tests_reg/test/secure_fw/suites/attestation/attest_token_decode_common.c
index eacc5d8..b90ac03 100644
--- a/tests_reg/test/secure_fw/suites/attestation/attest_token_decode_common.c
+++ b/tests_reg/test/secure_fw/suites/attestation/attest_token_decode_common.c
@@ -2,7 +2,7 @@
* attest_token_decode_common.c
*
* Copyright (c) 2019, Laurence Lundblade.
- * Copyright (c) 2020-2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2025, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -11,7 +11,7 @@
#include "attest_token_decode.h"
#include "attest.h"
-#include "q_useful_buf.h"
+#include "t_cose/q_useful_buf.h"
#include "qcbor_util.h"
#include "config_tfm.h"
diff --git a/tests_reg/test/secure_fw/suites/attestation/attest_token_decode_symmetric.c b/tests_reg/test/secure_fw/suites/attestation/attest_token_decode_symmetric.c
index b97e612..72522fb 100644
--- a/tests_reg/test/secure_fw/suites/attestation/attest_token_decode_symmetric.c
+++ b/tests_reg/test/secure_fw/suites/attestation/attest_token_decode_symmetric.c
@@ -2,7 +2,7 @@
* attest_symmetric_iat_decode.c
*
* Copyright (c) 2019, Laurence Lundblade.
- * Copyright (c) 2020-2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2025, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -12,10 +12,10 @@
#include "attest_token_decode.h"
#include "attest.h"
#include "psa/crypto.h"
-#include "q_useful_buf.h"
+#include "t_cose/q_useful_buf.h"
#include "qcbor_util.h"
-#include "t_cose_common.h"
-#include "t_cose_mac0_verify.h"
+#include "t_cose/t_cose_common.h"
+#include "t_cose/t_cose_mac_validate.h"
#include "tfm_crypto_defs.h"
/* Only support HMAC as MAC algorithm in COSE_Mac0 so far */
@@ -25,7 +25,7 @@
/*
* Public function. See attest_token_decode.h
* It is not allowed to let NS side fetch the symmetric IAK and perform the MAC
- * verification.
+ * validation.
*/
enum attest_token_err_t
attest_token_decode_validate_token(struct attest_token_decode_context *me,
@@ -33,20 +33,25 @@
{
enum t_cose_err_t t_cose_error;
enum attest_token_err_t return_value;
- /* Decode only without signature verification */
+ /* Decode only without authentication tag validation */
int32_t t_cose_options = T_COSE_OPT_DECODE_ONLY;
- struct t_cose_mac0_verify_ctx verify_ctx;
- struct t_cose_key attest_key = T_COSE_NULL_KEY;
+ struct t_cose_mac_validate_ctx validate_ctx;
+ struct t_cose_key attest_key;
- t_cose_mac0_verify_init(&verify_ctx, t_cose_options);
+ t_cose_mac_validate_init(&validate_ctx, t_cose_options);
- t_cose_mac0_set_verify_key(&verify_ctx, attest_key);
+ /* Initialising key with invalid identifier; however with the
+ * T_COSE_OPT_DECODE_ONLY option the validation step will be skipped
+ * and the key won't be used.
+ */
+ attest_key.key.handle = (uint64_t)PSA_KEY_ID_NULL;
+ t_cose_mac_set_validate_key(&validate_ctx, attest_key);
- t_cose_error = t_cose_mac0_verify(&verify_ctx,
- token, /* COSE to verify */
- &me->payload, /* Payload from token */
- NULL
- );
+ t_cose_error = t_cose_mac_validate(&validate_ctx,
+ token, /* COSE to validate */
+ NULL_Q_USEFUL_BUF_C,
+ &me->payload, /* Payload from token */
+ NULL);
return_value = map_t_cose_errors(t_cose_error);
me->last_error = return_value;
@@ -58,8 +63,8 @@
/*
* Public function. See attest_token_decode.h
- * Decode the received COSE_Mac0 structure and verify the tag. Authentication
- * tag verification in tests is for debug purpose only. The symmetric Initial
+ * Decode the received COSE_Mac0 structure and validate the tag. Authentication
+ * tag validation in tests is for debug purpose only. The symmetric Initial
* Attestation key (IAK) should not be able to be used by anything other than
* the Attestation partition in real products.
*/
@@ -67,27 +72,27 @@
attest_token_decode_validate_token(struct attest_token_decode_context *me,
struct q_useful_buf_c token)
{
- enum t_cose_err_t t_cose_error;
- enum attest_token_err_t return_value;
- int32_t t_cose_options = 0;
- struct t_cose_mac0_verify_ctx verify_ctx;
- struct t_cose_key attest_key;
- psa_key_handle_t key_handle = TFM_BUILTIN_KEY_ID_IAK;
+ enum t_cose_err_t t_cose_error;
+ enum attest_token_err_t return_value;
+ int32_t t_cose_options = 0;
+ struct t_cose_mac_validate_ctx validate_ctx;
+ struct t_cose_key attest_key;
+ psa_key_handle_t key_handle = TFM_BUILTIN_KEY_ID_IAK;
if (me->options & TOKEN_OPT_SHORT_CIRCUIT_SIGN) {
t_cose_options |= T_COSE_OPT_ALLOW_SHORT_CIRCUIT;
}
- t_cose_mac0_verify_init(&verify_ctx, t_cose_options);
+ t_cose_mac_validate_init(&validate_ctx, t_cose_options);
- attest_key.crypto_lib = T_COSE_CRYPTO_LIB_PSA;
- attest_key.k.key_handle = (uint64_t)key_handle;
- t_cose_mac0_set_verify_key(&verify_ctx, attest_key);
+ attest_key.key.handle = (uint64_t)key_handle;
+ t_cose_mac_set_validate_key(&validate_ctx, attest_key);
- t_cose_error = t_cose_mac0_verify(&verify_ctx,
- token, /* COSE to verify */
- &me->payload, /* Payload from token */
- NULL);
+ t_cose_error = t_cose_mac_validate(&validate_ctx,
+ token, /* COSE to validate */
+ NULL_Q_USEFUL_BUF_C,
+ &me->payload, /* Payload from token */
+ NULL);
return_value = map_t_cose_errors(t_cose_error);
me->last_error = return_value;
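Review bot: This hunk keeps the local `psa_key_handle_t key_handle = TFM_BUILTIN_KEY_ID_IAK;` and casts it into `attest_key.key.handle`, whereas the asymmetric decoder in this same commit drops the local and assigns `TFM_BUILTIN_KEY_ID_IAK` directly. Making the two consistent, `attest_key.key.handle = (uint64_t)TFM_BUILTIN_KEY_ID_IAK;`, removes the last use of the handle type in this function. In the decode-only variant in the previous hunk `attest_key` also loses its `T_COSE_NULL_KEY` initialiser, so in both variants only `key.handle` is ever set; that is fine only if it is the sole member the PSA adapter reads, which is not visible here. The function body continues outside the hunk.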
diff --git a/tests_reg/test/secure_fw/suites/attestation/attest_token_test.c b/tests_reg/test/secure_fw/suites/attestation/attest_token_test.c
index d5c75fe..22eeb50 100644
--- a/tests_reg/test/secure_fw/suites/attestation/attest_token_test.c
+++ b/tests_reg/test/secure_fw/suites/attestation/attest_token_test.c
@@ -2,7 +2,7 @@
* attest_token_test.c
*
* Copyright (c) 2018-2019, Laurence Lundblade.
- * Copyright (c) 2020-2022, Arm Limited.
+ * Copyright (c) 2020-2025, Arm Limited.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -10,11 +10,10 @@
*/
#include "attest_token_test.h"
-#include "q_useful_buf.h"
+#include "t_cose/q_useful_buf.h"
#include "psa/initial_attestation.h"
#include "attest_token_decode.h"
#include "attest_token_test_values.h"
-#include "psa/crypto.h"
#include "test_log.h"
diff --git a/tests_reg/test/secure_fw/suites/attestation/ext/qcbor_util/qcbor_util.h b/tests_reg/test/secure_fw/suites/attestation/ext/qcbor_util/qcbor_util.h
index 1b5a034..11ef11b 100644
--- a/tests_reg/test/secure_fw/suites/attestation/ext/qcbor_util/qcbor_util.h
+++ b/tests_reg/test/secure_fw/suites/attestation/ext/qcbor_util/qcbor_util.h
@@ -13,7 +13,7 @@
#include "qcbor/qcbor.h"
-#include "q_useful_buf.h"
+#include "t_cose/q_useful_buf.h"
#include "attest_token.h" /* For error codes */
#ifdef __cplusplus
diff --git a/tests_reg/test/secure_fw/suites/t_cose/non_secure/CMakeLists.txt b/tests_reg/test/secure_fw/suites/t_cose/non_secure/CMakeLists.txt
index 5ec5ddb..01fda5c 100644
--- a/tests_reg/test/secure_fw/suites/t_cose/non_secure/CMakeLists.txt
+++ b/tests_reg/test/secure_fw/suites/t_cose/non_secure/CMakeLists.txt
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2020-2024, Arm Limited. All rights reserved.
+# Copyright (c) 2020-2025, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -9,54 +9,92 @@
return()
endif()
-set(T_COSE_SRC_DIR ${CONFIG_SPE_PATH}/t_cose)
+############################ Non Secure t_cose defs ############################
+add_library(tfm_t_cose_ns_defs INTERFACE)
-include(${T_COSE_SRC_DIR}/tfm_t_cose.cmake)
+target_compile_definitions(tfm_t_cose_ns_defs
+ INTERFACE
+ T_COSE_USE_PSA_CRYPTO
+ T_COSE_DISABLE_CONTENT_TYPE
+ T_COSE_DISABLE_COSE_SIGN
+ T_COSE_DISABLE_KEYWRAP
+ T_COSE_DISABLE_PS256
+ T_COSE_DISABLE_PS384
+ T_COSE_DISABLE_PS512
+ T_COSE_DISABLE_SHORT_CIRCUIT_SIGN
+ $<$<OR:$<NOT:$<STREQUAL:${ATTEST_KEY_BITS},384>>,$<BOOL:${SYMMETRIC_INITIAL_ATTESTATION}>>:T_COSE_DISABLE_ES384>
+ $<$<OR:$<NOT:$<STREQUAL:${ATTEST_KEY_BITS},521>>,$<BOOL:${SYMMETRIC_INITIAL_ATTESTATION}>>:T_COSE_DISABLE_ES512>
+ $<$<BOOL:${SYMMETRIC_INITIAL_ATTESTATION}>:T_COSE_DISABLE_SIGN_VERIFY_TESTS>
+)
-############################ t_cose non secure #################################
+target_include_directories(tfm_t_cose_ns_defs
+ INTERFACE
+ $<BUILD_INTERFACE:${T_COSE_PATH}/inc>
+ $<BUILD_INTERFACE:${T_COSE_PATH}/src>
+)
+
+############################ Non Secure t_cose #################################
add_library(tfm_t_cose_ns STATIC EXCLUDE_FROM_ALL)
+target_sources(tfm_t_cose_ns
+ PRIVATE
+ ${T_COSE_PATH}/src/t_cose_mac_compute.c
+ ${T_COSE_PATH}/src/t_cose_mac_validate.c
+ ${T_COSE_PATH}/src/t_cose_sign_sign.c
+ ${T_COSE_PATH}/src/t_cose_sign1_sign.c
+ ${T_COSE_PATH}/src/t_cose_signature_sign_main.c
+ ${T_COSE_PATH}/src/t_cose_sign_verify.c
+ ${T_COSE_PATH}/src/t_cose_sign1_verify.c
+ ${T_COSE_PATH}/src/t_cose_signature_verify_main.c
+ ${T_COSE_PATH}/src/t_cose_key.c
+ ${T_COSE_PATH}/src/t_cose_parameters.c
+ ${T_COSE_PATH}/src/t_cose_util.c
+ ${T_COSE_PATH}/crypto_adapters/t_cose_psa_crypto.c
+)
+
target_link_libraries(tfm_t_cose_ns
PUBLIC
- tfm_t_cose_defs
+ tfm_t_cose_ns_defs
PRIVATE
- tfm_t_cose_common
- tfm_qcbor_ns
tfm_api_ns
+ tfm_qcbor_ns
)
if (NOT TEST_NS_T_COSE)
return()
endif()
-############################ t_cose test #######################################
+############################ t_cose test library ###############################
add_library(tfm_t_cose_test STATIC EXCLUDE_FROM_ALL)
target_sources(tfm_t_cose_test
PRIVATE
- ${T_COSE_SRC_DIR}/test/run_tests.c
- ${T_COSE_SRC_DIR}/test/t_cose_make_psa_test_key.c
- ${T_COSE_SRC_DIR}/test/t_cose_make_test_messages.c
- ${T_COSE_SRC_DIR}/test/t_cose_sign_verify_test.c
- ${T_COSE_SRC_DIR}/test/t_cose_test.c
+ ${T_COSE_PATH}/test/run_tests.c
+ ${T_COSE_PATH}/test/t_cose_test.c
+ ${T_COSE_PATH}/test/t_cose_compute_validate_mac_test.c
+ $<$<NOT:$<BOOL:${SYMMETRIC_INITIAL_ATTESTATION}>>:${T_COSE_PATH}/test/t_cose_sign_verify_test.c>
+ ${T_COSE_PATH}/test/t_cose_crypto_test.c
+ ${T_COSE_PATH}/examples/example_keys.c
+ ${T_COSE_PATH}/examples/init_keys_psa.c
)
target_include_directories(tfm_t_cose_test
PUBLIC
- $<BUILD_INTERFACE:${T_COSE_SRC_DIR}/inc>
- $<BUILD_INTERFACE:${T_COSE_SRC_DIR}/test>
+ $<BUILD_INTERFACE:${T_COSE_PATH}/test>
+ PRIVATE
+ $<BUILD_INTERFACE:${T_COSE_PATH}/examples>
)
target_link_libraries(tfm_t_cose_test
PRIVATE
+ tfm_api_ns
tfm_t_cose_ns
tfm_qcbor_ns
- tfm_api_ns
)
-####################### Non Secure #############################################
+####################### Non Secure test ########################################
add_library(tfm_test_suite_t_cose_ns STATIC EXCLUDE_FROM_ALL)