commit 10eddf66d63a77460b33bf3fb86cccd3c8ba80eb
author David Hu <david.hu@arm.com> Fri Jan 17 15:12:13 2020 +0800
committer David Hu <david.hu@arm.com> Mon Jun 22 02:33:00 2020 +0000
tree 31e35bb58bace5caec84d464108742e007f4ddf7
parent ed4502fe935caff061174bb8e0dfb15d1f7c97cb

Attest: Fetch symmetric Initial Attestation Key

Implement attest_register_initial_attest_key() to fetch and register a
symmetric Initial Attestation Key (IAK).
Add tfm_plat_get_symmetric_iak() to receive the key raw data from
platform.

Add attest_get_signing_key_handle() to get the key handle of the
initial attestation key for signing IAT.
Replace attest_get_initial_attestation_private_key_handle() with
attest_get_signing_key_handle().

Also add a binary symmetric IAK file for token verification in
other tools.

Change-Id: Id2e3647cc85abd0eacbf2a0e53b6d2cd927acaaf
Signed-off-by: David Hu <david.hu@arm.com>

platform/ext/common/template/crypto_keys.c

diff --git a/platform/ext/common/template/crypto_keys.c b/platform/ext/common/template/crypto_keys.c
index c5564e5..e005205 100644
--- a/platform/ext/common/template/crypto_keys.c
+++ b/platform/ext/common/template/crypto_keys.c
@@ -30,9 +30,15 @@
              {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, \
               0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F};
 
+#ifdef SYMMETRIC_INITIAL_ATTESTATION
+extern const psa_algorithm_t tfm_attest_hmac_sign_alg;
+extern const uint8_t initial_attestation_hmac_sha256_key[];
+extern const size_t initial_attestation_hmac_sha256_key_size;
+#else /* SYMMETRIC_INITIAL_ATTESTATION */
 extern const psa_ecc_curve_t initial_attestation_curve_type;
 extern const uint8_t  initial_attestation_private_key[];
 extern const uint32_t initial_attestation_private_key_size;
+#endif /* SYMMETRIC_INITIAL_ATTESTATION */
 
 extern const struct tfm_plat_rotpk_t device_rotpk[];
 extern const uint32_t rotpk_key_cnt;
@@ -77,6 +83,33 @@
     return TFM_PLAT_ERR_SUCCESS;
 }
 
+#ifdef SYMMETRIC_INITIAL_ATTESTATION
+enum tfm_plat_err_t tfm_plat_get_symmetric_iak(uint8_t *key_buf,
+                                               size_t buf_len,
+                                               size_t *key_len,
+                                               psa_algorithm_t *key_alg)
+{
+    if (!key_buf || !key_len || !key_alg) {
+        return TFM_PLAT_ERR_INVALID_INPUT;
+    }
+
+    if (buf_len < initial_attestation_hmac_sha256_key_size) {
+        return TFM_PLAT_ERR_INVALID_INPUT;
+    }
+
+    /*
+     * Actual implementation may derive a key with other input, other than
+     * directly providing provisioned symmetric initial attestation key.
+     */
+    copy_key(key_buf, initial_attestation_hmac_sha256_key,
+             initial_attestation_hmac_sha256_key_size);
+
+    *key_alg = tfm_attest_hmac_sign_alg;
+    *key_len = initial_attestation_hmac_sha256_key_size;
+
+    return TFM_PLAT_ERR_SUCCESS;
+}
+#else /* SYMMETRIC_INITIAL_ATTESTATION */
 enum tfm_plat_err_t
 tfm_plat_get_initial_attest_key(uint8_t          *key_buf,
                                 uint32_t          size,
@@ -110,6 +143,7 @@
 
     return TFM_PLAT_ERR_SUCCESS;
 }
+#endif /* SYMMETRIC_INITIAL_ATTESTATION */
 
 #ifdef BL2
 enum tfm_plat_err_t