Attest: Remove test code from release build
To reduce code size, the test code is removed from the
TF-M release build. Some attestation test cases
(short-circuit signature, get minimal token, passing
option fields to attestation service) are only available
in debug builds.
Change-Id: I17f44604bbd30b1d9098a7f6d13a1ca21d5c80ae
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
diff --git a/CommonConfig.cmake b/CommonConfig.cmake
index 15635e1..eff3005 100644
--- a/CommonConfig.cmake
+++ b/CommonConfig.cmake
@@ -343,6 +343,12 @@
set(ATTEST_INCLUDE_OPTIONAL_CLAIMS ON)
endif()
+if (CMAKE_BUILD_TYPE STREQUAL "Debug")
+ set(ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID ON)
+else()
+ set(ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID OFF)
+endif()
+
##Set mbedTLS compiler flags for BL2 bootloader
set(MBEDTLS_C_FLAGS_BL2 "-D__ARM_FEATURE_CMSE=${ARM_FEATURE_CMSE} -D__thumb2__ ${COMMON_COMPILE_FLAGS_STR} -DMBEDTLS_CONFIG_FILE=\\\\\\\"config-boot.h\\\\\\\" -I${CMAKE_CURRENT_LIST_DIR}/bl2/ext/mcuboot/include")
if (MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-3072")
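Review bot: The new `if (CMAKE_BUILD_TYPE STREQUAL "Debug")` block has no comment saying that this switch gates the short-circuit signing and verification paths in t_cose, which the sign code itself describes as a test mode that requires no key, so it reads as a pure size optimisation. I would add above it `# Test-only: enables short-circuit signing/verification and the attestation test options; must stay OFF in any deployed build.` The comparison is exact-case and every other value falls into the `else()` branch, which fails closed. That property is worth stating in the same comment so nobody later widens the match.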
diff --git a/docs/user_guides/services/tfm_attestation_integration_guide.rst b/docs/user_guides/services/tfm_attestation_integration_guide.rst
index 9a3464e..e9a15fd 100644
--- a/docs/user_guides/services/tfm_attestation_integration_guide.rst
+++ b/docs/user_guides/services/tfm_attestation_integration_guide.rst
@@ -430,6 +430,10 @@
- ``ATTEST_INCLUDE_OPTIONAL_CLAIMS``: Include also the optional claims to the
attestation token. Default value: True.
+- ``ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID``: Test code and COSE key-id from
+ unprotected token header is removed if it is False. Its value depends on the
+ build type. It is True if build type is ``Debug``, otherwise False (different
+ kind of ``Release`` builds).
************
Verification
diff --git a/lib/t_cose/CMakeLists.txt b/lib/t_cose/CMakeLists.txt
index 7113bc0..f7b065a 100644
--- a/lib/t_cose/CMakeLists.txt
+++ b/lib/t_cose/CMakeLists.txt
@@ -23,6 +23,10 @@
project(tfm_t_cose_verify LANGUAGES C)
embedded_project_fixup()
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID is undefined. ")
+endif()
+
#Append all our source files to global lists.
list(APPEND ALL_SRC_C_SIGN
"${T_COSE_DIR}/src/t_cose_sign1_sign.c"
@@ -48,6 +52,11 @@
add_library(tfm_t_cose_sign OBJECT ${ALL_SRC_C_SIGN})
add_library(tfm_t_cose_verify OBJECT ${ALL_SRC_C_VERIFY})
+if (ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
+ embedded_set_target_compile_defines(TARGET tfm_t_cose_sign LANGUAGE C DEFINES INCLUDE_TEST_CODE_AND_KEY_ID APPEND)
+ embedded_set_target_compile_defines(TARGET tfm_t_cose_verify LANGUAGE C DEFINES INCLUDE_TEST_CODE_AND_KEY_ID APPEND)
+endif()
+
#Set common compiler flags
config_setting_shared_compiler_flags(tfm_t_cose_sign)
config_setting_shared_compiler_flags(tfm_t_cose_verify)
diff --git a/lib/t_cose/src/t_cose_sign1_sign.c b/lib/t_cose/src/t_cose_sign1_sign.c
index 1de28cb..0dd3252 100644
--- a/lib/t_cose/src/t_cose_sign1_sign.c
+++ b/lib/t_cose/src/t_cose_sign1_sign.c
@@ -21,7 +21,7 @@
* \brief This implements t_cose signing
*/
-
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
/**
* \brief Create a short-circuit signature
*
@@ -82,6 +82,7 @@
Done:
return return_value;
}
+#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
@@ -382,11 +383,15 @@
/* Get the key id because it goes into the headers that are about
to be made. */
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
if(short_circuit_sign) {
return_value = get_short_circuit_kid(buffer_for_kid, &kid);
} else {
+#endif
return_value = get_keyid(key_select, buffer_for_kid, &kid);
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
}
+#endif
if(return_value) {
goto Done;
}
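Review bot: The `#ifdef`/`#endif` pairs added around `if(short_circuit_sign) {`, `} else {` and the closing `}` split one if/else across three preprocessor regions, so the brace balance of the function depends on the macro and a later edit to either branch can break one configuration only. Ending the conditional region right after the `else` keeps the braces balanced in both builds: `} else` / `#endif` / `{ return_value = get_keyid(key_select, buffer_for_kid, &kid); }`. The same pattern is repeated in the `@@ -483,18 +488,22 @@` hunk around `t_cose_crypto_pub_key_sign`. The enclosing function starts and ends outside this hunk, so whether `short_circuit_sign` ends up unreferenced in release builds cannot be checked here.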
@@ -483,18 +488,22 @@
* public key operation and requires no key. It is just a test
* mode that always works.
*/
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
if (me->short_circuit_sign) {
return_value = short_circuit_sign(me->cose_algorithm_id,
tbs_hash,
buffer_for_signature,
&signature);
} else {
+#endif
return_value = t_cose_crypto_pub_key_sign(me->cose_algorithm_id,
me->key_select,
tbs_hash,
buffer_for_signature,
&signature);
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
}
+#endif
if (return_value) {
goto Done;
}
diff --git a/lib/t_cose/src/t_cose_sign1_verify.c b/lib/t_cose/src/t_cose_sign1_verify.c
index 27cb419..6d57b3f 100644
--- a/lib/t_cose/src/t_cose_sign1_verify.c
+++ b/lib/t_cose/src/t_cose_sign1_verify.c
@@ -25,7 +25,7 @@
* \brief \c COSE_Sign1 verification implementation.
*/
-
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
/**
* \brief Verify a short-circuit signature
*
@@ -64,7 +64,7 @@
Done:
return return_value;
}
-
+#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
@@ -181,9 +181,11 @@
T_COSE_CRYPTO_SHA256_SIZE);
struct q_useful_buf_c tbs_hash;
struct q_useful_buf_c signature;
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
Q_USEFUL_BUF_MAKE_STACK_UB (buf_for_short_circuit_kid,
T_COSE_SHORT_CIRCUIT_KID_SIZE);
struct q_useful_buf_c short_circuit_kid;
+#endif
*payload = NULL_Q_USEFUL_BUF_C;
@@ -256,7 +258,7 @@
goto Done;
}
-
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
/* -- Check for short-circuit signature and verify if it exists -- */
return_value = get_short_circuit_kid(buf_for_short_circuit_kid,
&short_circuit_kid);
@@ -271,6 +273,7 @@
signature);
goto Done;
}
+#endif
/* -- Verify the signature -- */
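Review bot: The bare `#endif` added here closes the block that checks for a short-circuit signature, and neither it nor the opening `#ifdef` in the previous hunk records that this is a verification-policy switch rather than a size saving. From the visible lines the guarded path ends in `goto Done;` before `/* -- Verify the signature -- */`, so in a build with the macro defined a token taken down that path appears never to reach the public-key check. I would write the closing line as `#endif /* INCLUDE_TEST_CODE_AND_KEY_ID: short-circuit signatures are accepted in test builds only */`, matching the commented `#endif` used elsewhere in this commit. The function body continues outside both hunks.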
diff --git a/lib/t_cose/src/t_cose_util.c b/lib/t_cose/src/t_cose_util.c
index 3fa3572..6cf1b03 100644
--- a/lib/t_cose/src/t_cose_util.c
+++ b/lib/t_cose/src/t_cose_util.c
@@ -197,6 +197,7 @@
}
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
/*
* Public function. See t_cose_util.h
*/
@@ -231,3 +232,4 @@
T_COSE_ERR_KEY_BUFFER_SIZE :
T_COSE_SUCCESS;
}
+#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
diff --git a/secure_fw/services/initial_attestation/CMakeLists.inc b/secure_fw/services/initial_attestation/CMakeLists.inc
index 41ca3d9..7b9bec9 100644
--- a/secure_fw/services/initial_attestation/CMakeLists.inc
+++ b/secure_fw/services/initial_attestation/CMakeLists.inc
@@ -22,11 +22,11 @@
set(INITIAL_ATTESTATION_DIR ${CMAKE_CURRENT_LIST_DIR})
if (NOT DEFINED ATTEST_INCLUDE_OPTIONAL_CLAIMS)
- message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_OPTIONAL_CLAIMS is undefined. ")
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_OPTIONAL_CLAIMS is undefined.")
endif()
-if (NOT DEFINED TFM_ROOT_DIR)
- message(FATAL_ERROR "Please set TFM_ROOT_DIR before including this file.")
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID is undefined.")
endif()
list(APPEND ATTEST_C_SRC
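Review bot: This hunk replaces the `if (NOT DEFINED TFM_ROOT_DIR)` guard with the new `ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID` check instead of adding to it, although the file still uses the variable in `embedded_include_directories(PATH ${TFM_ROOT_DIR} ABSOLUTE)` further down. With the guard gone, an unset `TFM_ROOT_DIR` no longer stops the configure step at this point and would expand to an empty path. Unless the removal is intentional, keep both checks by restoring `if (NOT DEFINED TFM_ROOT_DIR)`, `message(FATAL_ERROR "Please set TFM_ROOT_DIR before including this file.")`, `endif()` ahead of the new block.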
@@ -42,9 +42,14 @@
set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_OPTIONAL_CLAIMS)
endif()
+if (ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
+ set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
+endif()
+
#Inform the user about attestation service features selected based on the cmake flags
message("The Initial Attestation service compile configuration is as follows:")
message("- ATTEST_INCLUDE_OPTIONAL_CLAIMS: ${ATTEST_INCLUDE_OPTIONAL_CLAIMS}")
+message("- ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID: ${ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID}")
#Setting include directories
embedded_include_directories(PATH ${TFM_ROOT_DIR} ABSOLUTE)
diff --git a/secure_fw/services/initial_attestation/attestation_core.c b/secure_fw/services/initial_attestation/attestation_core.c
index ac53fd6..d8e8b97 100644
--- a/secure_fw/services/initial_attestation/attestation_core.c
+++ b/secure_fw/services/initial_attestation/attestation_core.c
@@ -803,6 +803,7 @@
return PSA_ATTEST_ERR_INVALID_INPUT;
}
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
/*!
* \brief Static function to get the option flags from challenge object
*
@@ -853,6 +854,7 @@
*key_select = 0;
}
}
+#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
/*!
* \brief Static function to create the initial attestation token
@@ -874,10 +876,12 @@
enum psa_attest_err_t attest_err = PSA_ATTEST_ERR_SUCCESS;
enum attest_token_err_t token_err;
struct attest_token_ctx attest_token_ctx;
- int32_t key_select;
- uint32_t option_flags;
+ int32_t key_select = 0;
+ uint32_t option_flags = 0;
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
attest_get_option_flags(challenge, &option_flags, &key_select);
+#endif
/* Get started creating the token. This sets up the CBOR and COSE contexts
* which causes the COSE headers to be constructed.
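Review bot: The initialisers `key_select = 0` and `option_flags = 0` are now the only values these variables ever get when `INCLUDE_TEST_CODE_AND_KEY_ID` is not defined, but nothing in the hunk says so. A comment above them such as `/* Release builds never call attest_get_option_flags(): no test options, key_select stays 0 */` would stop a later cleanup from dropping the initialisers as redundant and reintroducing an uninitialised read. It is presumably intended that 0 selects the normal signing key, since the guarded helper also ends with `*key_select = 0;`. That is worth confirming against the key-selection code, which is outside this diff. The function body starts and ends outside the hunk.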
diff --git a/test/suites/attestation/CMakeLists.inc b/test/suites/attestation/CMakeLists.inc
index b485222..9b6d828 100644
--- a/test/suites/attestation/CMakeLists.inc
+++ b/test/suites/attestation/CMakeLists.inc
@@ -24,10 +24,14 @@
message(FATAL_ERROR "Please set TFM_ROOT_DIR before including this file.")
endif()
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID is undefined. ")
+endif()
+
if (NOT DEFINED ENABLE_ATTESTATION_SERVICE_TESTS)
message(FATAL_ERROR "Incomplete build configuration: ENABLE_ATTESTATION_SERVICE_TESTS is undefined. ")
elseif(ENABLE_ATTESTATION_SERVICE_TESTS)
- list(APPEND ALL_SRC_C_S
+ list(APPEND ATTEST_TEST_SRC_S
"${ATTESTATION_TEST_DIR}/secure/attestation_s_interface_testsuite.c"
"${ATTESTATION_TEST_DIR}/attest_token_test.c"
"${ATTESTATION_TEST_DIR}/attest_token_decode.c"
@@ -35,7 +39,7 @@
"${TFM_ROOT_DIR}/lib/ext/qcbor/util/qcbor_util.c"
)
- list(APPEND ALL_SRC_C_NS
+ list(APPEND ATTEST_TEST_SRC_NS
"${ATTESTATION_TEST_DIR}/non_secure/attestation_ns_interface_testsuite.c"
"${ATTESTATION_TEST_DIR}/attest_token_test.c"
"${ATTESTATION_TEST_DIR}/attest_token_decode.c"
@@ -43,6 +47,11 @@
"${TFM_ROOT_DIR}/lib/ext/qcbor/util/qcbor_util.c"
)
+ if (ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
+ set_property(SOURCE ${ATTEST_TEST_SRC_S} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
+ set_property(SOURCE ${ATTEST_TEST_SRC_NS} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
+ endif()
+
#Setting include directories
embedded_include_directories(PATH ${TFM_ROOT_DIR} ABSOLUTE)
embedded_include_directories(PATH ${TFM_ROOT_DIR}/interface/include ABSOLUTE)
@@ -50,4 +59,10 @@
embedded_include_directories(PATH ${TFM_ROOT_DIR}/lib/ext/qcbor/inc ABSOLUTE)
embedded_include_directories(PATH ${TFM_ROOT_DIR}/lib/ext/qcbor/util ABSOLUTE)
embedded_include_directories(PATH ${TFM_ROOT_DIR}/lib/t_cose/inc ABSOLUTE)
+
+ #Append all our source files to global lists.
+ list(APPEND ALL_SRC_C_S ${ATTEST_TEST_SRC_S})
+ list(APPEND ALL_SRC_C_NS ${ATTEST_TEST_SRC_NS})
+ unset(ATTEST_TEST_SRC_S)
+ unset(ATTEST_TEST_SRC_NS)
endif()
diff --git a/test/suites/attestation/attest_token_test.c b/test/suites/attestation/attest_token_test.c
index f1dbc52..88d6528 100644
--- a/test/suites/attestation/attest_token_test.c
+++ b/test/suites/attestation/attest_token_test.c
@@ -14,6 +14,7 @@
#include "attest_token_decode.h"
#include "attest_token_test_values.h"
+
/**
* \file attest_token_test.c
*
@@ -78,6 +79,7 @@
return return_value;
}
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
/**
* This is the expected output for the minimal test. It is the result
* of creating a token with \ref TOKEN_OPT_SHORT_CIRCUIT_SIGN and \ref
@@ -228,6 +230,7 @@
return return_value;
}
+#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
/**
diff --git a/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c b/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
index 02a129f..3d78532 100644
--- a/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
+++ b/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
@@ -18,19 +18,23 @@
/* Define test suite for attestation service tests */
/* List of tests */
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
static void tfm_attest_test_2001(struct test_result_t *ret);
static void tfm_attest_test_2002(struct test_result_t *ret);
static void tfm_attest_test_2003(struct test_result_t *ret);
+#endif
static void tfm_attest_test_2004(struct test_result_t *ret);
static void tfm_attest_test_2005(struct test_result_t *ret);
static struct test_t attestation_interface_tests[] = {
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
{&tfm_attest_test_2001, "TFM_ATTEST_TEST_2001",
"Minimal token test of attest token", {0} },
{&tfm_attest_test_2002, "TFM_ATTEST_TEST_2002",
"Minimal token size test of attest token", {0} },
{&tfm_attest_test_2003, "TFM_ATTEST_TEST_2003",
"Short circuit signature test of attest token", {0} },
+#endif
{&tfm_attest_test_2004, "TFM_ATTEST_TEST_2004",
"ECDSA signature test of attest token", {0} },
{&tfm_attest_test_2005, "TFM_ATTEST_TEST_2005",
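Review bot: With `tfm_attest_test_2001` to `tfm_attest_test_2003` compiled out of the table, a build without `INCLUDE_TEST_CODE_AND_KEY_ID` has no test showing that the test-only paths are really absent. Of the remaining entries, the visible description of 2004 covers only the ECDSA signature case. A small case under `#ifndef INCLUDE_TEST_CODE_AND_KEY_ID` that requests a token with the option fields set and checks that the result is still a normally signed token would pin the release behaviour. The secure suite (`tfm_attest_test_1001` to `tfm_attest_test_1003`) has the same gap. The table and the test bodies continue outside this hunk.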
@@ -50,6 +54,7 @@
attestation_interface_tests, list_size, p_test_suite);
}
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
/*!
* \brief Get minimal token, only include a hard coded challenge, but omit the
* rest of the claims
@@ -110,6 +115,7 @@
ret->val = TEST_PASSED;
}
+#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
/*!
* \brief Get an IAT with proper ECDSA signature. Parse the token, validate
diff --git a/test/suites/attestation/secure/attestation_s_interface_testsuite.c b/test/suites/attestation/secure/attestation_s_interface_testsuite.c
index 288f0a7..2bd171c 100644
--- a/test/suites/attestation/secure/attestation_s_interface_testsuite.c
+++ b/test/suites/attestation/secure/attestation_s_interface_testsuite.c
@@ -18,19 +18,23 @@
/* Define test suite for attestation service tests */
/* List of tests */
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
static void tfm_attest_test_1001(struct test_result_t *ret);
static void tfm_attest_test_1002(struct test_result_t *ret);
static void tfm_attest_test_1003(struct test_result_t *ret);
+#endif
static void tfm_attest_test_1004(struct test_result_t *ret);
static void tfm_attest_test_1005(struct test_result_t *ret);
static struct test_t attestation_interface_tests[] = {
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
{&tfm_attest_test_1001, "TFM_ATTEST_TEST_1001",
"Minimal token test of attest token", {0} },
{&tfm_attest_test_1002, "TFM_ATTEST_TEST_1002",
"Minimal token size test of attest token", {0} },
{&tfm_attest_test_1003, "TFM_ATTEST_TEST_1003",
"Short circuit signature test of attest token", {0} },
+#endif
{&tfm_attest_test_1004, "TFM_ATTEST_TEST_1004",
"ECDSA signature test of attest token", {0} },
{&tfm_attest_test_1005, "TFM_ATTEST_TEST_1005",
@@ -50,6 +54,7 @@
attestation_interface_tests, list_size, p_test_suite);
}
+#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
/*!
* \brief Get minimal token, only include a hard coded challenge, but omit the
* rest of the claims
@@ -110,6 +115,7 @@
ret->val = TEST_PASSED;
}
+#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
/*!
* \brief Get an IAT with proper ECDSA signature. Parse the token, validate