Attest: Fetch symmetric Initial Attestation Key

Implement attest_register_initial_attest_key() to fetch and register a
symmetric Initial Attestation Key (IAK).
Add tfm_plat_get_symmetric_iak() to receive the key raw data from
platform.

Add attest_get_signing_key_handle() to get the key handle of the
initial attestation key for signing IAT.
Replace attest_get_initial_attestation_private_key_handle() with
attest_get_signing_key_handle().

Also add a binary symmetric IAK file for token verification in
other tools.

Change-Id: Id2e3647cc85abd0eacbf2a0e53b6d2cd927acaaf
Signed-off-by: David Hu <david.hu@arm.com>
diff --git a/platform/include/tfm_plat_crypto_keys.h b/platform/include/tfm_plat_crypto_keys.h
index 7ee9570..f9934cd 100644
--- a/platform/include/tfm_plat_crypto_keys.h
+++ b/platform/include/tfm_plat_crypto_keys.h
@@ -82,6 +82,29 @@
                                                  uint8_t *key,
                                                  size_t key_size);
 
+#ifdef SYMMETRIC_INITIAL_ATTESTATION
+/**
+ * \brief Get the symmetric Initial Attestation Key (IAK)
+ *
+ * The device MUST contain a symmetric IAK, which is used to sign the token.
+ * So far only HMAC is supported in symmetric key algorithm based Initial
+ * Attestation.
+ * Keys must be provided in raw format, just binary data without any encoding
+ * (DER, COSE). Caller provides a buffer to copy all the raw data.
+ *
+ * \param[out]  key_buf     Buffer to store the initial attestation key.
+ * \param[in]   buf_len     The length of buffer.
+ * \param[out]  key_len     Buffer to carry the length of the initial
+ *                          attestation key.
+ * \param[out]  key_alg     The key algorithm. Only HMAC is supported so far.
+ *
+ * \return Returns error code specified in \ref tfm_plat_err_t
+ */
+enum tfm_plat_err_t tfm_plat_get_symmetric_iak(uint8_t *key_buf,
+                                               size_t buf_len,
+                                               size_t *key_len,
+                                               psa_algorithm_t *key_alg);
+#else /* SYMMETRIC_INITIAL_ATTESTATION */
 /**
  * \brief Get the initial attestation key
  *
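Review bot: The doc comment on tfm_plat_get_symmetric_iak() leaves the buffer contract undefined. It does not say what is returned when buf_len is smaller than the key, or whether key_len is written in that case. Please document the failure behaviour in terms of tfm_plat_err_t, and state whether key_buf may hold partial key data on error, so callers can size the buffer and check the result. Because key_buf receives the raw IAK, the comment should also tell the caller to wipe the buffer once the key has been registered. Minor wording: with HMAC the token is authenticated with a MAC rather than signed, so "which is used to sign the token" could be reworded. The key_alg description could also say whether the returned psa_algorithm_t identifies the underlying hash as well as HMAC.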
@@ -115,6 +138,7 @@
                                 uint32_t          size,
                                 struct ecc_key_t *ecc_key,
                                 psa_ecc_curve_t  *curve_type);
+#endif /* SYMMETRIC_INITIAL_ATTESTATION */
 
 /**
  * \brief Get the hash of the corresponding Root of Trust Public Key for
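Review bot: Nothing in the header tells a platform implementer that the #else / #endif pair closing after the curve_type parameter makes the two key getters mutually exclusive at compile time. With SYMMETRIC_INITIAL_ATTESTATION defined, the ECC getter declaration disappears, and without it tfm_plat_get_symmetric_iak() does. Consider a short comment at the #ifdef saying that a platform implements exactly one of the two, and that the macro must be set consistently for the platform code and for the attestation service that calls it. Otherwise a mismatch only shows up as a missing declaration or a link error.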