Platform: Use PSA ECC ID for attestation key
Change from using a COSE curve ID to a PSA curve ID to simplify the
loading of keys into the crypto service.
Change-Id: Id67816810107ecd2e5f5be768363091dda7a9615
Signed-off-by: Raef Coles <raef.coles@arm.com>
diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt
index 603d511..02675e8 100644
--- a/bl2/ext/mcuboot/CMakeLists.txt
+++ b/bl2/ext/mcuboot/CMakeLists.txt
@@ -99,6 +99,7 @@
#Setting include directories
embedded_target_include_directories(TARGET ${PROJECT_NAME} PATH ${TFM_ROOT_DIR} ABSOLUTE APPEND)
+embedded_target_include_directories(TARGET ${PROJECT_NAME} PATH ${TFM_ROOT_DIR}/interface/include ABSOLUTE APPEND)
embedded_target_include_directories(TARGET ${PROJECT_NAME} PATH ${TFM_ROOT_DIR}/bl2/include ABSOLUTE APPEND)
embedded_target_include_directories(TARGET ${PROJECT_NAME} PATH ${TFM_ROOT_DIR}/bl2/ext/mcuboot/include ABSOLUTE APPEND)
embedded_target_include_directories(TARGET ${PROJECT_NAME} PATH ${TFM_ROOT_DIR}/bl2/ext/mcuboot/bootutil/include/ ABSOLUTE APPEND)
diff --git a/lib/t_cose/src/t_cose_psa_crypto_sign.c b/lib/t_cose/src/t_cose_psa_crypto_sign.c
index 3898d1a..85800f5 100644
--- a/lib/t_cose/src/t_cose_psa_crypto_sign.c
+++ b/lib/t_cose/src/t_cose_psa_crypto_sign.c
@@ -68,15 +68,13 @@
*
* \param[in] psa_curve PSA curve type definition \ref psa_ecc_curve_t.
*
- * \note Sibling function to \ref attest_map_elliptic_curve_type.
- *
- * \return Return COSE curve type according to \ref ecc_curve_t. If
+ * \return Return COSE curve type according to \ref cose_ecc_curve_t. If
* mapping is not possible then return with -1.
*/
-static inline enum ecc_curve_t
+static inline enum cose_ecc_curve_t
cose_map_psa_elliptic_curve_type(psa_ecc_curve_t psa_curve)
{
- enum ecc_curve_t cose_curve;
+ enum cose_ecc_curve_t cose_curve;
/* FixMe: Mapping is not complete, missing ones: ED25519, ED448 */
switch (psa_curve) {
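Review bot: The `\return` text kept in this hunk promises -1 on failure from a function whose return type is now `enum cose_ecc_curve_t`, while the enumerators visible in tfm_plat_crypto_keys.h are all positive. With only positive enumerators the compiler may choose an unsigned or narrow underlying type, so a caller comparing the result with -1 may not behave as the comment implies. The return statements and callers are outside this hunk, so this needs confirming against the full function. If it holds, a dedicated invalid enumerator would be safer, and until then a comment next to the existing FixMe would flag it: `/* FixMe: -1 is not a member of cose_ecc_curve_t; use a dedicated invalid enumerator */`.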
diff --git a/platform/ext/common/tfm_initial_attestation_key_material.c b/platform/ext/common/tfm_initial_attestation_key_material.c
index 11eb35f..794eb71 100644
--- a/platform/ext/common/tfm_initial_attestation_key_material.c
+++ b/platform/ext/common/tfm_initial_attestation_key_material.c
@@ -8,6 +8,8 @@
#include <stdint.h>
#include "platform/include/tfm_plat_defs.h"
#include "platform/include/tfm_plat_crypto_keys.h"
+#include "psa/crypto_types.h"
+#include "psa/crypto_values.h"
/*
* This file contains the hard coded version of the ECDSA P-256 secret key in:
@@ -23,7 +25,7 @@
/* Type of the EC curve which the key belongs to, in PSA curve ID form */
TFM_LINK_SET_RO_IN_PARTITION_SECTION("TFM_SP_INITIAL_ATTESTATION")
-const enum ecc_curve_t initial_attestation_curve_type = P_256;
+const psa_ecc_curve_t initial_attestation_curve_type = PSA_ECC_CURVE_SECP256R1;
/* Initial attestation private key in raw format, without any encoding.
* It belongs to the ECDSA P-256 curve.
diff --git a/platform/ext/target/mps2/an519/dummy_crypto_keys.c b/platform/ext/target/mps2/an519/dummy_crypto_keys.c
index 4e24ce0..9cb21e0 100644
--- a/platform/ext/target/mps2/an519/dummy_crypto_keys.c
+++ b/platform/ext/target/mps2/an519/dummy_crypto_keys.c
@@ -16,6 +16,7 @@
#include "platform/include/tfm_plat_crypto_keys.h"
#include <stddef.h>
+#include "psa/crypto_types.h"
/* FIXME: Functions in this file should be implemented by platform vendor. For
* the security of the storage system, it is critical to use a hardware unique
@@ -32,7 +33,7 @@
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, \
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F};
-extern const enum ecc_curve_t initial_attestation_curve_type;
+extern const psa_ecc_curve_t initial_attestation_curve_type;
extern const uint8_t initial_attestation_private_key[];
extern const uint32_t initial_attestation_private_key_size;
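Review bot: These `extern` declarations are hand-copied into each target's dummy_crypto_keys.c, so nothing ties their type to the definition in tfm_initial_attestation_key_material.c. A target file missed by a type change like this one would still compile and link, and would then read `initial_attestation_curve_type` through an incompatible type without any diagnostic. Declaring the three symbols once in a header included by both the defining file and the users (tfm_plat_crypto_keys.h looks like a candidate), e.g. `extern const psa_ecc_curve_t initial_attestation_curve_type;`, lets the compiler catch a mismatch. The same applies to the matching hunks for an521, an539, an524, musca_a and musca_b1.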
@@ -72,7 +73,7 @@
tfm_plat_get_initial_attest_key(uint8_t *key_buf,
uint32_t size,
struct ecc_key_t *ecc_key,
- enum ecc_curve_t *curve_type)
+ psa_ecc_curve_t *curve_type)
{
uint8_t *key_dst;
const uint8_t *key_src;
diff --git a/platform/ext/target/mps2/an521/dummy_crypto_keys.c b/platform/ext/target/mps2/an521/dummy_crypto_keys.c
index 0a4ba79..66d2c36 100644
--- a/platform/ext/target/mps2/an521/dummy_crypto_keys.c
+++ b/platform/ext/target/mps2/an521/dummy_crypto_keys.c
@@ -16,6 +16,7 @@
#include "platform/include/tfm_plat_crypto_keys.h"
#include <stddef.h>
+#include "psa/crypto_types.h"
/* FIXME: Functions in this file should be implemented by platform vendor. For
* the security of the storage system, it is critical to use a hardware unique
@@ -32,7 +33,7 @@
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, \
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F};
-extern const enum ecc_curve_t initial_attestation_curve_type;
+extern const psa_ecc_curve_t initial_attestation_curve_type;
extern const uint8_t initial_attestation_private_key[];
extern const uint32_t initial_attestation_private_key_size;
@@ -72,7 +73,7 @@
tfm_plat_get_initial_attest_key(uint8_t *key_buf,
uint32_t size,
struct ecc_key_t *ecc_key,
- enum ecc_curve_t *curve_type)
+ psa_ecc_curve_t *curve_type)
{
uint8_t *key_dst;
const uint8_t *key_src;
diff --git a/platform/ext/target/mps2/an539/dummy_crypto_keys.c b/platform/ext/target/mps2/an539/dummy_crypto_keys.c
index 1b2fa0b..ba7c860 100644
--- a/platform/ext/target/mps2/an539/dummy_crypto_keys.c
+++ b/platform/ext/target/mps2/an539/dummy_crypto_keys.c
@@ -16,6 +16,7 @@
#include "platform/include/tfm_plat_crypto_keys.h"
#include <stddef.h>
+#include "psa/crypto_types.h"
/* FIXME: Functions in this file should be implemented by platform vendor. For
* the security of the storage system, it is critical to use a hardware unique
@@ -29,7 +30,7 @@
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, \
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F};
-extern const enum ecc_curve_t initial_attestation_curve_type;
+extern const psa_ecc_curve_t initial_attestation_curve_type;
extern const uint8_t initial_attestation_private_key[];
extern const uint32_t initial_attestation_private_key_size;
@@ -69,7 +70,7 @@
tfm_plat_get_initial_attest_key(uint8_t *key_buf,
uint32_t size,
struct ecc_key_t *ecc_key,
- enum ecc_curve_t *curve_type)
+ psa_ecc_curve_t *curve_type)
{
uint8_t *key_dst;
const uint8_t *key_src;
diff --git a/platform/ext/target/mps3/an524/dummy_crypto_keys.c b/platform/ext/target/mps3/an524/dummy_crypto_keys.c
index 6de71e8..83cbd1c 100644
--- a/platform/ext/target/mps3/an524/dummy_crypto_keys.c
+++ b/platform/ext/target/mps3/an524/dummy_crypto_keys.c
@@ -16,6 +16,7 @@
#include "platform/include/tfm_plat_crypto_keys.h"
#include <stddef.h>
+#include "psa/crypto_types.h"
/* FIXME: Functions in this file should be implemented by platform vendor. For
* the security of the storage system, it is critical to use a hardware unique
@@ -29,7 +30,7 @@
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, \
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F};
-extern const enum ecc_curve_t initial_attestation_curve_type;
+extern const psa_ecc_curve_t initial_attestation_curve_type;
extern const uint8_t initial_attestation_private_key[];
extern const uint32_t initial_attestation_private_key_size;
@@ -69,7 +70,7 @@
tfm_plat_get_initial_attest_key(uint8_t *key_buf,
uint32_t size,
struct ecc_key_t *ecc_key,
- enum ecc_curve_t *curve_type)
+ psa_ecc_curve_t *curve_type)
{
uint8_t *key_dst;
const uint8_t *key_src;
diff --git a/platform/ext/target/musca_a/dummy_crypto_keys.c b/platform/ext/target/musca_a/dummy_crypto_keys.c
index c9f820b..3bf1f99 100644
--- a/platform/ext/target/musca_a/dummy_crypto_keys.c
+++ b/platform/ext/target/musca_a/dummy_crypto_keys.c
@@ -16,6 +16,7 @@
#include "platform/include/tfm_plat_crypto_keys.h"
#include <stddef.h>
+#include "psa/crypto_types.h"
/* FIXME: Functions in this file should be implemented by platform vendor. For
* the security of the storage system, it is critical to use a hardware unique
@@ -32,7 +33,7 @@
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, \
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F};
-extern const enum ecc_curve_t initial_attestation_curve_type;
+extern const psa_ecc_curve_t initial_attestation_curve_type;
extern const uint8_t initial_attestation_private_key[];
extern const uint32_t initial_attestation_private_key_size;
@@ -72,7 +73,7 @@
tfm_plat_get_initial_attest_key(uint8_t *key_buf,
uint32_t size,
struct ecc_key_t *ecc_key,
- enum ecc_curve_t *curve_type)
+ psa_ecc_curve_t *curve_type)
{
uint8_t *key_dst;
const uint8_t *key_src;
diff --git a/platform/ext/target/musca_b1/dummy_crypto_keys.c b/platform/ext/target/musca_b1/dummy_crypto_keys.c
index 6de71e8..83cbd1c 100644
--- a/platform/ext/target/musca_b1/dummy_crypto_keys.c
+++ b/platform/ext/target/musca_b1/dummy_crypto_keys.c
@@ -16,6 +16,7 @@
#include "platform/include/tfm_plat_crypto_keys.h"
#include <stddef.h>
+#include "psa/crypto_types.h"
/* FIXME: Functions in this file should be implemented by platform vendor. For
* the security of the storage system, it is critical to use a hardware unique
@@ -29,7 +30,7 @@
{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, \
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F};
-extern const enum ecc_curve_t initial_attestation_curve_type;
+extern const psa_ecc_curve_t initial_attestation_curve_type;
extern const uint8_t initial_attestation_private_key[];
extern const uint32_t initial_attestation_private_key_size;
@@ -69,7 +70,7 @@
tfm_plat_get_initial_attest_key(uint8_t *key_buf,
uint32_t size,
struct ecc_key_t *ecc_key,
- enum ecc_curve_t *curve_type)
+ psa_ecc_curve_t *curve_type)
{
uint8_t *key_dst;
const uint8_t *key_src;
diff --git a/platform/include/tfm_plat_crypto_keys.h b/platform/include/tfm_plat_crypto_keys.h
index 59b438b..81c54a7 100644
--- a/platform/include/tfm_plat_crypto_keys.h
+++ b/platform/include/tfm_plat_crypto_keys.h
@@ -14,6 +14,7 @@
#include <stdint.h>
#include "tfm_plat_defs.h"
+#include "psa/crypto.h"
#ifdef __cplusplus
extern "C" {
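Review bot: This header needs only the `psa_ecc_curve_t` type for the prototype changed further down, yet it includes the whole `psa/crypto.h`. `#include "psa/crypto_types.h"`, which the .c files in this commit already include, would presumably be enough. As written, every consumer of this platform header picks up the complete crypto API, and the new interface/include path added in bl2/ext/mcuboot/CMakeLists.txt suggests the bootloader build is one of them. If the narrower header is not self-contained in this tree, a one-line comment beside the include saying why the full header is required would help.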
@@ -23,7 +24,7 @@
* Elliptic curve key type identifiers according to RFC8152 (COSE encoding)
* https://www.iana.org/assignments/cose/cose.xhtml#elliptic-curves
*/
-enum ecc_curve_t {
+enum cose_ecc_curve_t {
P_256 = 1, /* NIST P-256 also known as secp256r1 */
P_384 = 2, /* NIST P-384 also known as secp384r1 */
P_521 = 3, /* NIST P-521 also known as secp521r1 */
@@ -110,7 +111,7 @@
* about the initial attestation key, which is
* stored in key_buf.
* \param[out] curve_type The type of the EC curve, which the key belongs
- * to according to \ref ecc_curve_t
+ * to according to \ref psa_ecc_curve_t
*
* \return Returns error code specified in \ref tfm_plat_err_t
*/
@@ -118,7 +119,7 @@
tfm_plat_get_initial_attest_key(uint8_t *key_buf,
uint32_t size,
struct ecc_key_t *ecc_key,
- enum ecc_curve_t *curve_type);
+ psa_ecc_curve_t *curve_type);
/**
* \brief Get the hash of the corresponding Root of Trust Public Key for
diff --git a/secure_fw/services/initial_attestation/attestation_key.c b/secure_fw/services/initial_attestation/attestation_key.c
index 35ddaca..25f9761 100644
--- a/secure_fw/services/initial_attestation/attestation_key.c
+++ b/secure_fw/services/initial_attestation/attestation_key.c
@@ -31,50 +31,11 @@
static size_t attestation_public_key_len = 0;
static psa_ecc_curve_t attestation_key_curve;
-/**
- * \brief Map the curve type definition by RFC8152 (COSE) to PSA curve
- * types.
- *
- * \param[in] cose_curve COSE curve type definition \ref ecc_curve_t.
- *
- * \return Return PSA curve type according to \ref psa_ecc_curve_t. If
- * mapping is not possible then return with USHRT_MAX.
- */
-static inline psa_ecc_curve_t
-attest_map_elliptic_curve_type(enum ecc_curve_t cose_curve)
-{
- psa_ecc_curve_t psa_curve;
-
- /*FixMe: Mapping is not complete, missing ones: ED25519, ED448 */
- switch (cose_curve) {
- case P_256:
- psa_curve = PSA_ECC_CURVE_SECP256R1;
- break;
- case P_384:
- psa_curve = PSA_ECC_CURVE_SECP384R1;
- break;
- case P_521:
- psa_curve = PSA_ECC_CURVE_SECP521R1;
- break;
- case X25519:
- psa_curve = PSA_ECC_CURVE_CURVE25519;
- break;
- case X448:
- psa_curve = PSA_ECC_CURVE_CURVE448;
- break;
- default:
- psa_curve = USHRT_MAX;
- }
-
- return psa_curve;
-}
-
enum psa_attest_err_t
attest_register_initial_attestation_key()
{
enum tfm_plat_err_t plat_res;
psa_ecc_curve_t psa_curve;
- enum ecc_curve_t cose_curve;
struct ecc_key_t attest_key = {0};
uint8_t key_buf[ECC_P_256_KEY_SIZE];
psa_key_type_t attest_key_type;
@@ -94,19 +55,13 @@
/* Get the initial attestation key */
plat_res = tfm_plat_get_initial_attest_key(key_buf, sizeof(key_buf),
- &attest_key, &cose_curve);
+ &attest_key, &psa_curve);
/* Check the availability of the private key */
if (plat_res != TFM_PLAT_ERR_SUCCESS || attest_key.priv_key == NULL) {
return PSA_ATTEST_ERR_GENERAL;
}
- /* Mapping of COSE curve type to PSA curve types */
- psa_curve = attest_map_elliptic_curve_type(cose_curve);
- if (psa_curve == USHRT_MAX) {
- return PSA_ATTEST_ERR_GENERAL;
- }
-
/* Setup the key policy for private key */
psa_key_policy_set_usage(&policy,
PSA_KEY_USAGE_SIGN,
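Review bot: The curve value written by `tfm_plat_get_initial_attest_key()` is now used exactly as returned, with no check between the call and the key policy setup. The removed `attest_map_elliptic_curve_type` step also acted as validation, returning `PSA_ATTEST_ERR_GENERAL` for an unrecognised curve. Since `key_buf` is sized `ECC_P_256_KEY_SIZE` in the preceding hunk, a check such as `if (psa_curve != PSA_ECC_CURVE_SECP256R1) { return PSA_ATTEST_ERR_GENERAL; }` after the availability test would keep the fail-closed behaviour, assuming P-256 is the only curve this path is meant to accept. `psa_curve` is also declared without an initialiser, so a platform implementation that returns success without writing `*curve_type` would leave it indeterminate; whether any does is not visible here. The function continues past the end of this hunk.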