COSE: Switch tests over to upstream t_cose
Switch from TF-M's t_cose library fork to the upstream repo
being downloaded from https://github.com/laurencelundblade/t_cose.
Change-Id: I9e2a859c67e902c6ecc1dc5ab996241e3d33e4ab
Signed-off-by: Adam Kulesza <adam.kulesza@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
diff --git a/lib/ext/t_cose/0001-Add-t_cose_key_encode-API.patch b/lib/ext/t_cose/0001-Add-t_cose_key_encode-API.patch
new file mode 100644
index 0000000..adc5551
--- /dev/null
+++ b/lib/ext/t_cose/0001-Add-t_cose_key_encode-API.patch
@@ -0,0 +1,105 @@
+From 6f3f47d0370f9714baae195d4f2d7b9a38df29ab Mon Sep 17 00:00:00 2001
+From: Tamas Ban <tamas.ban@arm.com>
+Date: Thu, 19 Sep 2024 11:50:32 +0200
+Subject: [PATCH] Add t_cose_key_encode API
+
+Modelled based on this PR:
+https://github.com/laurencelundblade/t_cose/pull/285/commits/fc72e519
+
+Signed-off-by: Tamas Ban <tamas.ban@arm.com>
+Change-Id: I28af97dede81980c960ff43d08137be844935230
+---
+ inc/t_cose/t_cose_key.h | 4 +++
+ src/t_cose_key.c | 55 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+)
+
+diff --git a/inc/t_cose/t_cose_key.h b/inc/t_cose/t_cose_key.h
+index a757e9e..cdf5557 100644
+--- a/inc/t_cose/t_cose_key.h
++++ b/inc/t_cose/t_cose_key.h
+@@ -227,6 +227,10 @@ t_cose_key_init_symmetric(int32_t cose_algorithm_id,
+ void
+ t_cose_key_free_symmetric(struct t_cose_key key);
+
++enum t_cose_err_t
++t_cose_key_encode(struct t_cose_key key,
++ struct q_useful_buf key_buf,
++ struct q_useful_buf_c *cbor_encoded);
+
+ #ifdef __cplusplus
+ }
+diff --git a/src/t_cose_key.c b/src/t_cose_key.c
+index 0ce88f5..6b134d1 100644
+--- a/src/t_cose_key.c
++++ b/src/t_cose_key.c
+@@ -8,8 +8,11 @@
+ *
+ * See BSD-3-Clause license in README.md
+ */
++#include "qcbor/qcbor_encode.h"
+ #include "t_cose/t_cose_key.h"
+ #include "t_cose_crypto.h"
++#include "t_cose_crypto.h"
++#include "t_cose_util.h"
+
+
+ /*
+@@ -35,3 +38,55 @@ t_cose_key_free_symmetric(struct t_cose_key key)
+ t_cose_crypto_free_symmetric_key(key);
+ }
+
++/*
++ * Public function. See t_cose_key.h
++ */
++enum t_cose_err_t
++t_cose_key_encode(struct t_cose_key key,
++ struct q_useful_buf key_buf,
++ struct q_useful_buf_c *cbor_encoded)
++{
++ enum t_cose_err_t result;
++ int32_t cose_curve;
++ MakeUsefulBufOnStack( x_coord_buf, T_COSE_BITS_TO_BYTES(T_COSE_ECC_MAX_CURVE_BITS));
++ MakeUsefulBufOnStack( y_coord_buf, T_COSE_BITS_TO_BYTES(T_COSE_ECC_MAX_CURVE_BITS));
++ struct q_useful_buf_c x_coord;
++ struct q_useful_buf_c y_coord;
++ bool y_sign;
++ QCBOREncodeContext cbor_encoder;
++ QCBORError qcbor_result;
++
++ result = t_cose_crypto_export_ec2_key(key,
++ &cose_curve,
++ x_coord_buf,
++ &x_coord,
++ y_coord_buf,
++ &y_coord,
++ &y_sign);
++ if (result != T_COSE_SUCCESS) {
++ return result;
++ }
++
++ QCBOREncode_Init(&cbor_encoder, key_buf);
++
++ QCBOREncode_OpenMap(&cbor_encoder);
++
++ QCBOREncode_AddInt64ToMapN(&cbor_encoder, T_COSE_KEY_COMMON_KTY, T_COSE_KEY_TYPE_EC2);
++ QCBOREncode_AddInt64ToMapN(&cbor_encoder, T_COSE_KEY_PARAM_CRV, cose_curve);
++ QCBOREncode_AddBytesToMapN(&cbor_encoder, T_COSE_KEY_PARAM_X_COORDINATE, x_coord);
++ if (q_useful_buf_c_is_null(y_coord)) {
++ QCBOREncode_AddBoolToMapN(&cbor_encoder, T_COSE_KEY_PARAM_Y_COORDINATE, y_sign);
++ } else {
++ QCBOREncode_AddBytesToMapN(&cbor_encoder, T_COSE_KEY_PARAM_Y_COORDINATE, y_coord);
++ }
++
++ QCBOREncode_CloseMap(&cbor_encoder);
++
++ qcbor_result = QCBOREncode_Finish(&cbor_encoder, cbor_encoded);
++ if (qcbor_result != QCBOR_SUCCESS) {
++ /* Mainly means that the COSE_Key was too big for key_buf */
++ return qcbor_encode_error_to_t_cose_error(&cbor_encoder);
++ }
++
++ return T_COSE_SUCCESS;
++}
+--
+2.34.1
+
diff --git a/lib/ext/t_cose/0002-Add-t_cose_key_decode-API.patch b/lib/ext/t_cose/0002-Add-t_cose_key_decode-API.patch
new file mode 100644
index 0000000..742ece9
--- /dev/null
+++ b/lib/ext/t_cose/0002-Add-t_cose_key_decode-API.patch
@@ -0,0 +1,126 @@
+From b666db4e745d39473aa93b44772588b191dc56fb Mon Sep 17 00:00:00 2001
+From: Tamas Ban <tamas.ban@arm.com>
+Date: Fri, 27 Sep 2024 12:53:58 +0200
+Subject: [PATCH 2/2] Add t_cose_key_decode API
+
+Copied from this PR:
+https://github.com/laurencelundblade/t_cose/pull/285/commits/fc72e519
+
+Signed-off-by: Tamas Ban <tamas.ban@arm.com>
+---
+ inc/t_cose/t_cose_key.h | 6 ++++
+ src/t_cose_key.c | 74 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 80 insertions(+)
+
+diff --git a/inc/t_cose/t_cose_key.h b/inc/t_cose/t_cose_key.h
+index cdf5557..86e5fed 100644
+--- a/inc/t_cose/t_cose_key.h
++++ b/inc/t_cose/t_cose_key.h
+@@ -227,6 +227,12 @@ t_cose_key_init_symmetric(int32_t cose_algorithm_id,
+ void
+ t_cose_key_free_symmetric(struct t_cose_key key);
+
++
++enum t_cose_err_t
++t_cose_key_decode(struct q_useful_buf_c cbor_encoded,
++ struct t_cose_key *key);
++
++
+ enum t_cose_err_t
+ t_cose_key_encode(struct t_cose_key key,
+ struct q_useful_buf key_buf,
+diff --git a/src/t_cose_key.c b/src/t_cose_key.c
+index 6b134d1..7b48a56 100644
+--- a/src/t_cose_key.c
++++ b/src/t_cose_key.c
+@@ -13,6 +13,8 @@
+ #include "t_cose_crypto.h"
+ #include "t_cose_crypto.h"
+ #include "t_cose_util.h"
++#include "qcbor/qcbor_spiffy_decode.h"
++#include "t_cose_crypto.h"
+
+
+ /*
+@@ -38,6 +40,78 @@ t_cose_key_free_symmetric(struct t_cose_key key)
+ t_cose_crypto_free_symmetric_key(key);
+ }
+
++
++enum t_cose_err_t
++t_cose_key_decode(struct q_useful_buf_c cbor_encoded,
++ struct t_cose_key *key)
++{
++ QCBORDecodeContext cbor_decoder;
++ int64_t kty;
++ int64_t curve;
++ struct q_useful_buf_c x;
++ struct q_useful_buf_c y_string;
++ bool y_bool;
++ QCBORItem y;
++ enum t_cose_err_t result;
++
++
++ QCBORDecode_Init(&cbor_decoder, cbor_encoded, 0);
++
++
++ QCBORDecode_EnterMap(&cbor_decoder, NULL);
++
++ QCBORDecode_GetInt64InMapN(&cbor_decoder, T_COSE_KEY_COMMON_KTY, &kty);
++ QCBORDecode_GetInt64InMapN(&cbor_decoder, T_COSE_KEY_PARAM_CRV, &curve);
++ QCBORDecode_GetByteStringInMapN(&cbor_decoder, T_COSE_KEY_PARAM_X_COORDINATE, &x);
++ QCBORDecode_GetItemInMapN(&cbor_decoder, T_COSE_KEY_PARAM_Y_COORDINATE, QCBOR_TYPE_ANY, &y);
++
++ QCBORDecode_ExitMap(&cbor_decoder);
++ if(QCBORDecode_GetError(&cbor_decoder)) {
++ return T_COSE_ERR_FAIL; // TODO: is this right?
++ }
++
++ // TODO: check kty
++
++ /* If y is a bool, then point compression is used and y is a boolean
++ * indicating the sign. If not then it is a byte string with the y.
++ * Anything else is an error. See RFC 9053 7.1.1.
++ */
++ switch(y.uDataType) {
++ case QCBOR_TYPE_BYTE_STRING:
++ y_string = y.val.string;
++ y_bool = true; /* Unused. Only here to avoid compiler warning */
++ break;
++
++ case QCBOR_TYPE_TRUE:
++ y_bool = true;
++ y_string = NULL_Q_USEFUL_BUF_C;
++ break;
++
++ case QCBOR_TYPE_FALSE:
++ y_bool = true;
++ y_string = NULL_Q_USEFUL_BUF_C;
++ break;
++
++ default:
++ return 77; // TODO: error code
++ }
++
++ /* Turn it into a t_cose_key that is imported into the library */
++
++ if(curve > INT32_MAX || curve < INT32_MIN) {
++ // Make sure cast is safe
++ return T_COSE_ERR_FAIL; // TODO: error
++ }
++ result = t_cose_crypto_import_ec2_pubkey((int32_t)curve,
++ x,
++ y_string,
++ y_bool,
++ key);
++
++ return result;
++}
++
++
+ /*
+ * Public function. See t_cose_key.h
+ */
+--
+2.34.1
+
diff --git a/lib/ext/t_cose/0003-Import-EC-keys-with-ECDSA-xxx-algo-rather-than-ECDH.patch b/lib/ext/t_cose/0003-Import-EC-keys-with-ECDSA-xxx-algo-rather-than-ECDH.patch
new file mode 100644
index 0000000..9bec776
--- /dev/null
+++ b/lib/ext/t_cose/0003-Import-EC-keys-with-ECDSA-xxx-algo-rather-than-ECDH.patch
@@ -0,0 +1,59 @@
+From 543f32dc625c905ddf98222270cdc23751ad4abe Mon Sep 17 00:00:00 2001
+From: Tamas Ban <tamas.ban@arm.com>
+Date: Mon, 30 Sep 2024 14:23:03 +0200
+Subject: [PATCH 3/3] Import EC keys with ECDSA(xxx) algo rather than ECDH
+
+To make the DPE certificate verification working
+with t_cose_key_dedode() API.
+
+The original code registers the keys with ECDH
+algorithm. In this case psa_has_verify() returns
+with PSA_ERROR_NOT_PERMITTED.
+
+Signed-off-by: Tamas Ban <tamas.ban@arm.com>
+---
+ crypto_adapters/t_cose_psa_crypto.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/crypto_adapters/t_cose_psa_crypto.c b/crypto_adapters/t_cose_psa_crypto.c
+index 16151c6..80d1961 100644
+--- a/crypto_adapters/t_cose_psa_crypto.c
++++ b/crypto_adapters/t_cose_psa_crypto.c
+@@ -1663,6 +1663,7 @@ t_cose_crypto_import_ec2_pubkey(int32_t cose_ec_curve_id,
+ psa_status_t status;
+ psa_key_attributes_t attributes;
+ psa_key_type_t type_public;
++ psa_algorithm_t alg;
+ struct q_useful_buf_c import;
+ // TODO: really make sure this size is right for the curve types supported
+ UsefulOutBuf_MakeOnStack (import_form, T_COSE_EXPORT_PUBLIC_KEY_MAX_SIZE + 5);
+@@ -1670,12 +1671,15 @@ t_cose_crypto_import_ec2_pubkey(int32_t cose_ec_curve_id,
+ switch (cose_ec_curve_id) {
+ case T_COSE_ELLIPTIC_CURVE_P_256:
+ type_public = PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1);
++ alg = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
+ break;
+ case T_COSE_ELLIPTIC_CURVE_P_384:
+ type_public = PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1);
++ alg = PSA_ALG_ECDSA(PSA_ALG_SHA_384);
+ break;
+ case T_COSE_ELLIPTIC_CURVE_P_521:
+ type_public = PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1);
++ alg = PSA_ALG_ECDSA(PSA_ALG_SHA_512);
+ break;
+
+ default:
+@@ -1685,8 +1689,8 @@ t_cose_crypto_import_ec2_pubkey(int32_t cose_ec_curve_id,
+
+ // TODO: are these attributes right?
+ attributes = psa_key_attributes_init();
+- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_COPY);
+- psa_set_key_algorithm(&attributes, PSA_ALG_ECDH);
++ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
++ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, type_public);
+
+ /* This converts to a serialized representation of an EC Point
+--
+2.34.1
+
diff --git a/lib/ext/t_cose/0004-Remove-unused-EdDSA-calls-to-help-reduce-code-size.patch b/lib/ext/t_cose/0004-Remove-unused-EdDSA-calls-to-help-reduce-code-size.patch
new file mode 100644
index 0000000..5139ebb
--- /dev/null
+++ b/lib/ext/t_cose/0004-Remove-unused-EdDSA-calls-to-help-reduce-code-size.patch
@@ -0,0 +1,84 @@
+From 91cbc7bff52d51030c3163f30bc0e86333554ece Mon Sep 17 00:00:00 2001
+From: David Vincze <david.vincze@arm.com>
+Date: Mon, 25 Nov 2024 14:29:04 +0000
+Subject: [PATCH] Remove unused EdDSA calls to help reduce code size
+
+With the help of dead-code elimination and actual code removal
+in this patch it's possible to skip the complete EdDSA algorithm
+support from the build process.
+
+Remove EdDSA from sign verifier as it does not need to be covered
+by the tests. Remove it from the code so the build does not depend
+on it.
+
+---
+ src/t_cose_sign1_sign.c | 13 -------------
+ src/t_cose_sign1_verify.c | 8 --------
+ 2 files changed, 21 deletions(-)
+
+diff --git a/src/t_cose_sign1_sign.c b/src/t_cose_sign1_sign.c
+index ea0713e..fdf8efd 100644
+--- a/src/t_cose_sign1_sign.c
++++ b/src/t_cose_sign1_sign.c
+@@ -37,17 +37,10 @@ t_cose_sign1_sign_init(struct t_cose_sign1_sign_ctx *me,
+ // TODO: Translate any more options flags?
+ t_cose_sign_sign_init(&(me->me2), option_flags | T_COSE_OPT_MESSAGE_TYPE_SIGN1);
+
+- if(cose_algorithm_id == T_COSE_ALGORITHM_EDDSA) {
+- t_cose_signature_sign_eddsa_init(&(me->signer.eddsa));
+- t_cose_sign_add_signer(&(me->me2),
+- t_cose_signature_sign_from_eddsa(&(me->signer.eddsa)));
+- } else
+- {
+ t_cose_signature_sign_main_init(&(me->signer.general),
+ me->cose_algorithm_id);
+ t_cose_sign_add_signer(&(me->me2),
+ t_cose_signature_sign_from_main(&(me->signer.general)));
+- }
+ }
+
+
+@@ -58,15 +51,9 @@ t_cose_sign1_set_signing_key(struct t_cose_sign1_sign_ctx *me,
+ {
+ me->signing_key = signing_key; /* Used by make test message */
+ me->kid = kid; /* Used by make test message */
+- if(me->cose_algorithm_id == T_COSE_ALGORITHM_EDDSA) {
+- t_cose_signature_sign_eddsa_set_signing_key(&(me->signer.eddsa),
+- signing_key,
+- kid);
+- } else {
+ t_cose_signature_sign_main_set_signing_key(&(me->signer.general),
+ signing_key,
+ kid);
+- }
+ }
+
+
+diff --git a/src/t_cose_sign1_verify.c b/src/t_cose_sign1_verify.c
+index 0614bb0..a3fc221 100644
+--- a/src/t_cose_sign1_verify.c
++++ b/src/t_cose_sign1_verify.c
+@@ -34,10 +34,6 @@ t_cose_sign1_verify_init(struct t_cose_sign1_verify_ctx *me,
+ t_cose_signature_verify_main_init(&(me->main_verifier));
+ t_cose_sign_add_verifier(&(me->me2),
+ t_cose_signature_verify_from_main(&(me->main_verifier)));
+-
+- t_cose_signature_verify_eddsa_init(&(me->eddsa_verifier), option_flags);
+- t_cose_sign_add_verifier(&(me->me2),
+- t_cose_signature_verify_from_eddsa(&(me->eddsa_verifier)));
+ }
+
+
+@@ -49,10 +45,6 @@ t_cose_sign1_set_verification_key(struct t_cose_sign1_verify_ctx *me,
+ * until decoding the input. There is only one key in t_cose_sign1().
+ * Also, t_cose_sign1 didn't do any kid matching, so it is NULL here.
+ */
+- t_cose_signature_verify_eddsa_set_key(&(me->eddsa_verifier),
+- verification_key,
+- // TODO: should this be NULL?
+- NULL_Q_USEFUL_BUF_C);
+ t_cose_signature_verify_main_set_key(&(me->main_verifier),
+ verification_key,
+ NULL_Q_USEFUL_BUF_C);
+--
+2.34.1
diff --git a/lib/ext/t_cose/0005-Remove-or-disable-unused-functions-in-PSA-Crypto-lay.patch b/lib/ext/t_cose/0005-Remove-or-disable-unused-functions-in-PSA-Crypto-lay.patch
new file mode 100644
index 0000000..82448ca
--- /dev/null
+++ b/lib/ext/t_cose/0005-Remove-or-disable-unused-functions-in-PSA-Crypto-lay.patch
@@ -0,0 +1,107 @@
+From 1052a755db3b99a52babcfbf4dae711da8e4fd16 Mon Sep 17 00:00:00 2001
+From: David Vincze <david.vincze@arm.com>
+Date: Wed, 15 Jan 2025 19:31:41 +0000
+Subject: [PATCH] Remove or disable unused functions in PSA Crypto layer
+
+- Remove unused HKDF function from the PSA Crypto adaptor
+ layer to prevent build errors due to disabled MbedTLS
+ support that it depends on. HKDF is currently not
+ supported properly by the PSA Crypto adaptor layer.
+- Disable unused functions to avoid unnecessary build
+ dependencies.
+
+---
+ crypto_adapters/t_cose_psa_crypto.c | 53 -----------------------------
+ crypto_adapter s/t_cose_psa_crypto.h | 6 ++--
+ 2 files changed, 3 insertions(+), 56 deletions(-)
+
+diff --git a/crypto_adapters/t_cose_psa_crypto.c b/crypto_adapters/t_cose_psa_crypto.c
+index 80d1961..2095002 100644
+--- a/crypto_adapters/t_cose_psa_crypto.c
++++ b/crypto_adapters/t_cose_psa_crypto.c
+@@ -43,9 +43,6 @@
+ #include <mbedtls/nist_kw.h>
+ #endif /* T_COSE_DISABLE_KEYWRAP */
+
+-#include <mbedtls/hkdf.h>
+-#include <mbedtls/md.h>
+-
+ #include "t_cose_util.h"
+ #include "t_cose_psa_crypto.h"
+
+@@ -1600,56 +1597,6 @@ t_cose_crypto_ecdh(struct t_cose_key private_key,
+
+
+
+-
+-/*
+- * See documentation in t_cose_crypto.h
+- */
+-enum t_cose_err_t
+-t_cose_crypto_hkdf(const int32_t cose_hash_algorithm_id,
+- const struct q_useful_buf_c salt,
+- const struct q_useful_buf_c ikm,
+- const struct q_useful_buf_c info,
+- const struct q_useful_buf okm_buffer)
+-{
+- int psa_result;
+- const mbedtls_md_info_t *md_info;
+- mbedtls_md_type_t hash_type;
+-
+- switch(cose_hash_algorithm_id) {
+- case T_COSE_ALGORITHM_SHA_256:
+- hash_type = MBEDTLS_MD_SHA256;
+- break;
+- case T_COSE_ALGORITHM_SHA_384:
+- hash_type = MBEDTLS_MD_SHA384;
+- break;
+- case T_COSE_ALGORITHM_SHA_512:
+- hash_type = MBEDTLS_MD_SHA512;
+- break;
+- default:
+- hash_type = MBEDTLS_MD_NONE;
+- break;
+- }
+-
+- md_info = mbedtls_md_info_from_type(hash_type);
+- if(md_info == NULL) {
+- return T_COSE_ERR_UNSUPPORTED_HASH;
+- }
+-
+- psa_result = mbedtls_hkdf(md_info,
+- salt.ptr, salt.len,
+- ikm.ptr, ikm.len,
+- info.ptr, info.len,
+- okm_buffer.ptr, okm_buffer.len);
+- if(psa_result != PSA_SUCCESS) {
+- return T_COSE_ERR_HKDF_FAIL;
+- }
+-
+- return T_COSE_SUCCESS;
+-}
+-
+-
+-
+-
+ /*
+ * See documentation in t_cose_crypto.h
+ */
+diff --git a/crypto_adapters/t_cose_psa_crypto.h b/crypto_adapters/t_cose_psa_crypto.h
+index bf4963c..5718f81 100644
+--- a/crypto_adapters/t_cose_psa_crypto.h
++++ b/crypto_adapters/t_cose_psa_crypto.h
+@@ -14,9 +14,9 @@
+
+ #include <psa/crypto.h>
+
+-#define PSA_CRYPTO_HAS_RESTARTABLE_SIGNING \
+- ((MBEDTLS_VERSION_MAJOR == 3 && MBEDTLS_VERSION_MINOR >= 4) || \
+- MBEDTLS_VERSION_MAJOR > 3)
++/* #define PSA_CRYPTO_HAS_RESTARTABLE_SIGNING \
++ * ((MBEDTLS_VERSION_MAJOR == 3 && MBEDTLS_VERSION_MINOR >= 4) || \
++ * MBEDTLS_VERSION_MAJOR > 3) */
+
+ #if PSA_CRYPTO_HAS_RESTARTABLE_SIGNING
+ struct t_cose_psa_crypto_context {
+--
+2.34.1
diff --git a/lib/ext/t_cose/0006-Disable-unnecessary-test-cases.patch b/lib/ext/t_cose/0006-Disable-unnecessary-test-cases.patch
new file mode 100644
index 0000000..979d440
--- /dev/null
+++ b/lib/ext/t_cose/0006-Disable-unnecessary-test-cases.patch
@@ -0,0 +1,66 @@
+From b8508adb8ce298ac2c4c2e6708acdb45f061fbd1 Mon Sep 17 00:00:00 2001
+From: David Vincze <david.vincze@arm.com>
+Date: Tue, 10 Dec 2024 14:52:50 +0000
+Subject: [PATCH] Disable unnecessary test cases
+
+- HKDF: not implemented properly by the PSA Crypto layer,
+- Encrypt/Decrypt: not needed to be covered (not relevant to TF-M).
+
+---
+ test/run_tests.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/test/run_tests.c b/test/run_tests.c
+index 17b3b49..510e981 100644
+--- a/test/run_tests.c
++++ b/test/run_tests.c
+@@ -49,19 +49,24 @@ static test_entry s_tests[] = {
+ TEST_ENTRY(kw_test),
+ TEST_ENTRY(decrypt_known_good_aeskw_non_aead_test),
+ #endif
+- TEST_ENTRY(hkdf_test),
++/*
++ * Disabled test case
++ * HKDF is not supported properly by the PSA Crypto adaptor layer
++ */
++ /* TEST_ENTRY(hkdf_test), */
+
+ #ifndef T_COSE_USE_B_CON_SHA256 /* test crypto doesn't support ECDH */
+
+ TEST_ENTRY(ecdh_test),
+ TEST_ENTRY(ec_import_export_test),
+
+- TEST_ENTRY(esdh_enc_dec_test),
+- TEST_ENTRY(decrypt_known_good),
+-
+- TEST_ENTRY(decrypt_known_bad),
+-
+- TEST_ENTRY(kdf_context_test),
++/*
++ * Disabled test cases
++ */
++ /* TEST_ENTRY(esdh_enc_dec_test), */
++ /* TEST_ENTRY(decrypt_known_good), */
++ /* TEST_ENTRY(decrypt_known_bad), */
++ /* TEST_ENTRY(kdf_context_test), */
+
+ #endif /* T_COSE_USE_B_CON_SHA256 */
+
+@@ -133,9 +138,12 @@ static test_entry s_tests[] = {
+ #endif /* T_COSE_DISABLE_HASH_FAIL_TEST */
+ #endif /* T_COSE_DISABLE_SHORT_CIRCUIT_SIGN */
+
+- TEST_ENTRY(param_test),
+- TEST_ENTRY(common_params_test),
+- TEST_ENTRY(base_encrypt_decrypt_test)
++/*
++ * Disabled test cases
++ */
++ /* TEST_ENTRY(param_test), */
++ /* TEST_ENTRY(common_params_test), */
++ /* TEST_ENTRY(base_encrypt_decrypt_test) */
+
+ };
+
+--
+2.34.1
diff --git a/lib/ext/t_cose/CMakeLists.txt b/lib/ext/t_cose/CMakeLists.txt
new file mode 100644
index 0000000..59e163b
--- /dev/null
+++ b/lib/ext/t_cose/CMakeLists.txt
@@ -0,0 +1,29 @@
+#-------------------------------------------------------------------------------
+# SPDX-License-Identifier: BSD-3-Clause
+# SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors
+#-------------------------------------------------------------------------------
+
+cmake_minimum_required(VERSION 3.21)
+
+if(NOT TEST_NS_ATTESTATION AND NOT TEST_NS_T_COSE)
+ return()
+endif()
+
+include(FetchContent)
+set(FETCHCONTENT_QUIET FALSE)
+
+# Default configuration of T_COSE repository
+set(T_COSE_PATH "DOWNLOAD" CACHE PATH "Path to t_cose (or DOWNLOAD to fetch automatically")
+set(T_COSE_VERSION "v2.0-alpha-2" CACHE STRING "The version of t_cose to use")
+
+fetch_remote_library(
+ LIB_NAME t_cose
+ LIB_SOURCE_PATH_VAR T_COSE_PATH
+ LIB_PATCH_DIR ${CMAKE_CURRENT_LIST_DIR}
+ LIB_BASE_DIR "${CMAKE_BINARY_DIR}/lib/ext"
+ FETCH_CONTENT_ARGS
+ GIT_REPOSITORY https://github.com/laurencelundblade/t_cose.git
+ GIT_TAG ${T_COSE_VERSION}
+ GIT_SHALLOW TRUE
+ GIT_PROGRESS TRUE
+)