SST: Use get caller client ID API in SST
This change modifies SST service to use
tfm_core_get_caller_client_id(...), provided by the TF-M core, instead
of use the client ID provided by the dummy ID manager via the SST APIs.
The details of this change are:
- Remove client_id from the veneer API of SST (except for the read
operation, as referenced read is still possible)
- Remove the dummy ID manager
- Add documentation on how to integrate this new method to a NS
application
- Change Asset management to work with non-hardcoded secure
client ID
Change-Id: Ic97ea7aa5840d7e212adc009fa39c1c505440965
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
diff --git a/interface/include/tfm_api.h b/interface/include/tfm_api.h
index c450c7c..efe24e9 100644
--- a/interface/include/tfm_api.h
+++ b/interface/include/tfm_api.h
@@ -14,6 +14,26 @@
#include <stdint.h>
+#define TFM_INVALID_CLIENT_ID 0
+
+/**
+ * \brief Checks if the provided client ID is a secure client ID.
+ *
+ * \param[in] client_id Client ID to check
+ *
+ * \return Returns 1 if the client Id is secure. Otherwise, returns 0.
+ */
+#define TFM_CLIENT_ID_IS_S(client_id) ((client_id)>0)
+
+/**
+ * \brief Checks if the provided client ID is a non-secure client ID.
+ *
+ * \param[in] client_id Client ID to check
+ *
+ * \return Returns 1 if the client Id is non-secure. Otherwise, returns 0.
+ */
+#define TFM_CLIENT_ID_IS_NS(client_id) ((client_id)<0)
+
/* FixMe: sort out DEBUG compile option and limit return value options
* on external interfaces */
/* Note:
diff --git a/interface/include/tfm_id_mngr.h b/interface/include/tfm_id_mngr.h
deleted file mode 100644
index cb25225..0000000
--- a/interface/include/tfm_id_mngr.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (c) 2017-2018, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-
-#ifndef __TFM_ID_MNGR_H__
-#define __TFM_ID_MNGR_H__
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include <stdint.h>
-
-/**
- * \brief Gets SST current client ID
- *
- * \return Returns the SST current client ID
- */
-int32_t tfm_sst_get_cur_id(void);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* __TFM_ID_MNGR_H__ */
diff --git a/interface/include/tfm_sst_veneers.h b/interface/include/tfm_sst_veneers.h
index df62f75..6cfd5c1 100644
--- a/interface/include/tfm_sst_veneers.h
+++ b/interface/include/tfm_sst_veneers.h
@@ -18,7 +18,6 @@
* \brief Allocates space for the asset, referenced by asset UUID,
* without setting any data in the asset.
*
- * \param[in] client_id Client ID which calls the service
* \param[in] s_token Pointer to the asset's token \ref tfm_sst_token_t
* \param[in] asset_uuid Asset UUID \ref tfm_sst_asset_id_t
*
@@ -28,14 +27,12 @@
* PSA_SST_ERR_STORAGE_SYSTEM_FULL. If application id doesn't have the
* write rights, it returns PSA_SST_ERR_PERMS_NOT_ALLOWED.
*/
-enum psa_sst_err_t tfm_sst_veneer_create(int32_t client_id,
- uint32_t asset_uuid,
+enum psa_sst_err_t tfm_sst_veneer_create(uint32_t asset_uuid,
const struct tfm_sst_token_t *s_token);
/**
* \brief Gets asset's information referenced by asset UUID.
*
- * \param[in] client_id Client ID which calls the service
* \param[in] asset_uuid Asset UUID
* \param[in] s_token Pointer to the asset's token \ref tfm_sst_token_t
* \param[out] info Pointer to store the asset's information
@@ -43,15 +40,13 @@
*
* \return Returns error code as specified in \ref psa_sst_err_t
*/
-enum psa_sst_err_t tfm_sst_veneer_get_info(int32_t client_id,
- uint32_t asset_uuid,
+enum psa_sst_err_t tfm_sst_veneer_get_info(uint32_t asset_uuid,
const struct tfm_sst_token_t *s_token,
struct psa_sst_asset_info_t *info);
/**
* \brief Gets asset's attributes referenced by asset UUID.
*
- * \param[in] client_id Client ID which calls the service
* \param[in] asset_uuid Asset UUID
* \param[in] s_token Pointer to the asset's token \ref tfm_sst_token_t
* \param[out] attrs Pointer to store the asset's attributes
@@ -59,15 +54,13 @@
*
* \return Returns error code as specified in \ref psa_sst_err_t
*/
-enum psa_sst_err_t tfm_sst_veneer_get_attributes(int32_t client_id,
- uint32_t asset_uuid,
+enum psa_sst_err_t tfm_sst_veneer_get_attributes(uint32_t asset_uuid,
const struct tfm_sst_token_t *s_token,
struct psa_sst_asset_attrs_t *attrs);
/**
* \brief Sets asset's attributes referenced by asset UUID.
*
- * \param[in] client_id Client ID which calls the service
* \param[in] asset_uuid Asset UUID
* \param[in] s_token Pointer to the asset's token \ref tfm_sst_token_t
* \param[in] attrs Pointer to new the asset's attributes
@@ -75,8 +68,7 @@
*
* \return Returns error code as specified in \ref psa_sst_err_t
*/
-enum psa_sst_err_t tfm_sst_veneer_set_attributes(int32_t client_id,
- uint32_t asset_uuid,
+enum psa_sst_err_t tfm_sst_veneer_set_attributes(uint32_t asset_uuid,
const struct tfm_sst_token_t *s_token,
const struct psa_sst_asset_attrs_t *attrs);
@@ -105,7 +97,6 @@
/**
* \brief Writes data into an asset referenced by asset UUID.
*
- * \param[in] client_id Client ID which calls the service
* \param[in] asset_uuid Asset UUID
* \param[in] s_token Pointer to the asset's token \ref tfm_sst_token_t
* \param[in] data Pointer to data vector \ref tfm_sst_buf_t which
@@ -114,15 +105,13 @@
* \return Returns the number of bytes written or a castable \ref psa_sst_err_t
* value
*/
-enum psa_sst_err_t tfm_sst_veneer_write(int32_t client_id,
- uint32_t asset_uuid,
+enum psa_sst_err_t tfm_sst_veneer_write(uint32_t asset_uuid,
const struct tfm_sst_token_t *s_token,
struct tfm_sst_buf_t *data);
/**
* \brief Deletes the asset referenced by the asset UUID.
*
- * \param[in] client_id Client ID which calls the service
* \param[in] asset_uuid Asset UUID
* \param[in] s_token Pointer to the asset's token \ref tfm_sst_token_t
*
@@ -130,8 +119,7 @@
* to by this app ID. Returns PSA_SST_ERR_ASSET_REF_INVALID, if asset
* no longer exists. Otherwise, PSA_SST_ERR_SUCCESS.
*/
-enum psa_sst_err_t tfm_sst_veneer_delete(int32_t client_id,
- uint32_t asset_uuid,
+enum psa_sst_err_t tfm_sst_veneer_delete(uint32_t asset_uuid,
const struct tfm_sst_token_t *s_token);
#ifdef __cplusplus
}
diff --git a/interface/src/tfm_id_mngr_dummy.c b/interface/src/tfm_id_mngr_dummy.c
deleted file mode 100644
index 69fb4b7..0000000
--- a/interface/src/tfm_id_mngr_dummy.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (c) 2017-2018, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-
-/* FIXME: this TFM ID manager is only a stub implementation. It is system
- * integrators responsibility to define a way of identifying the app id and
- * based on their non secure side of the threat model. The secure side only
- * checks if this is an ID belonging to NS side entities. The secure side
- * doesn't make any attempt to challenge the app id value, this is left for NS
- * side privileged code to implement.
- */
-
-#include "tfm_id_mngr.h"
-
-#include <string.h>
-#include "cmsis_os2.h"
-
-#define INVALID_CLIENT_ID 0
-
-/* FIXME: following two functions are meant to be internally
- * available to RTX. The header file containing prototype of
- * these functions has complex header inclusion which leads
- * to compiler specific paths in CMSIS, which currently doesn't have
- * clang variant. To simplify this, following functions are directly
- * declared here (as opposed to header inclusion). After clear
- * separation of S and NS builds this will require to be revisited
- */
-extern osThreadId_t svcRtxThreadGetId(void);
-extern const char *svcRtxThreadGetName(osThreadId_t thread_id);
-
-/* Translation table pair between OS threads and SST client IDs */
-struct thread_sst_clientid_pair {
- const char* t_name; /*!< Task/Thread name */
- int32_t client_id; /*!< Client ID used in assets definition */
-};
-
-static struct thread_sst_clientid_pair sst_ns_policy_table[] =
-{
- {"Thread_A", -9},
- {"Thread_B", -10},
- {"Thread_C", -11},
- {"Thread_D", -12},
-};
-
-static const char* get_active_task_name(void)
-{
- const char* thread_name;
-
- thread_name = svcRtxThreadGetName(svcRtxThreadGetId());
-
- return thread_name;
-}
-
-int32_t tfm_sst_get_cur_id(void)
-{
- uint32_t i;
- static uint32_t sst_table_size = (sizeof(sst_ns_policy_table) /
- sizeof(sst_ns_policy_table[0]));
- const char* p_thread_name;
-
- p_thread_name = get_active_task_name();
-
- for (i = 0; i < sst_table_size; i++) {
- if (strcmp(sst_ns_policy_table[i].t_name, p_thread_name) == 0) {
- return sst_ns_policy_table[i].client_id;
- }
- }
-
- return INVALID_CLIENT_ID;
-}
diff --git a/interface/src/tfm_sst_api.c b/interface/src/tfm_sst_api.c
index 8a3fec8..317032c 100644
--- a/interface/src/tfm_sst_api.c
+++ b/interface/src/tfm_sst_api.c
@@ -8,25 +8,25 @@
#include "tfm_sst_veneers.h"
#include "tfm_sst_defs.h"
#include "tfm_ns_lock.h"
-#include "tfm_id_mngr.h"
+
+/* This define uses the TF-M invalid client ID to specify a direct client read,
+ * as that it can not be used to identify a client.
+ */
+#define SST_DIRECT_CLIENT_READ TFM_INVALID_CLIENT_ID
enum psa_sst_err_t psa_sst_create(uint32_t asset_uuid, const uint8_t *token,
uint32_t token_size)
{
struct tfm_sst_token_t s_token;
- int32_t client_id;
/* Pack the token information in the token structure */
s_token.token = token;
s_token.token_size = token_size;
- client_id = tfm_sst_get_cur_id();
-
return tfm_ns_lock_dispatch((veneer_fn)tfm_sst_veneer_create,
- client_id,
asset_uuid,
(uint32_t)&s_token,
- 0);
+ 0, 0);
}
enum psa_sst_err_t psa_sst_get_info(uint32_t asset_uuid,
@@ -35,19 +35,16 @@
struct psa_sst_asset_info_t *info)
{
struct tfm_sst_token_t s_token;
- int32_t client_id;
/* Pack the token information in the token structure */
s_token.token = token;
s_token.token_size = token_size;
- client_id = tfm_sst_get_cur_id();
-
return tfm_ns_lock_dispatch((veneer_fn)tfm_sst_veneer_get_info,
- client_id,
asset_uuid,
(uint32_t)&s_token,
- (uint32_t)info);
+ (uint32_t)info,
+ 0);
}
enum psa_sst_err_t psa_sst_get_attributes(uint32_t asset_uuid,
@@ -56,19 +53,16 @@
struct psa_sst_asset_attrs_t *attrs)
{
struct tfm_sst_token_t s_token;
- int32_t client_id;
/* Pack the token information in the token structure */
s_token.token = token;
s_token.token_size = token_size;
- client_id = tfm_sst_get_cur_id();
-
return tfm_ns_lock_dispatch((veneer_fn)tfm_sst_veneer_get_attributes,
- client_id,
asset_uuid,
(uint32_t)&s_token,
- (uint32_t)attrs);
+ (uint32_t)attrs,
+ 0);
}
enum psa_sst_err_t psa_sst_set_attributes(uint32_t asset_uuid,
@@ -77,19 +71,16 @@
const struct psa_sst_asset_attrs_t *attrs)
{
struct tfm_sst_token_t s_token;
- int32_t client_id;
/* Pack the token information in the token structure */
s_token.token = token;
s_token.token_size = token_size;
- client_id = tfm_sst_get_cur_id();
-
return tfm_ns_lock_dispatch((veneer_fn)tfm_sst_veneer_set_attributes,
- client_id,
asset_uuid,
(uint32_t)&s_token,
- (uint32_t)attrs);
+ (uint32_t)attrs,
+ 0);
}
enum psa_sst_err_t psa_sst_read(uint32_t asset_uuid,
@@ -101,7 +92,6 @@
{
struct tfm_sst_token_t s_token;
struct tfm_sst_buf_t s_data;
- int32_t client_id;
/* Pack the token information in the token structure */
s_token.token = token;
@@ -112,10 +102,8 @@
s_data.offset = offset;
s_data.data = data;
- client_id = tfm_sst_get_cur_id();
-
return tfm_ns_lock_dispatch((veneer_fn)tfm_sst_veneer_read,
- client_id,
+ SST_DIRECT_CLIENT_READ,
asset_uuid,
(uint32_t)&s_token,
(uint32_t)&s_data);
@@ -130,7 +118,6 @@
{
struct tfm_sst_token_t s_token;
struct tfm_sst_buf_t s_data;
- int32_t client_id;
/* Pack the token information in the token structure */
s_token.token = token;
@@ -141,13 +128,11 @@
s_data.offset = offset;
s_data.data = (uint8_t *)data;
- client_id = tfm_sst_get_cur_id();
-
return tfm_ns_lock_dispatch((veneer_fn)tfm_sst_veneer_write,
- client_id,
asset_uuid,
(uint32_t)&s_token,
- (uint32_t)&s_data);
+ (uint32_t)&s_data,
+ 0);
}
enum psa_sst_err_t psa_sst_delete(uint32_t asset_uuid,
@@ -155,17 +140,13 @@
uint32_t token_size)
{
struct tfm_sst_token_t s_token;
- int32_t client_id;
/* Pack the token information in the token structure */
s_token.token = token;
s_token.token_size = token_size;
- client_id = tfm_sst_get_cur_id();
-
return tfm_ns_lock_dispatch((veneer_fn)tfm_sst_veneer_delete,
- client_id,
asset_uuid,
(uint32_t)&s_token,
- 0);
+ 0, 0);
}