Attest: Support kid parameter in COSE_Mac0 structure header
Add a HAL API tfm_plat_get_symmetric_iak_id() to fetch kid from
platform.
Implement an example of this HAL API.
Add attest_get_symmetric_iak_id() to pass the kid value to token
generation of symmetric key algorithm based Initial Attestation.
Change-Id: I642f7a03f1738c8fe77f11fc2ae91652fc01df29
Signed-off-by: David Hu <david.hu@arm.com>
diff --git a/platform/ext/common/template/crypto_keys.c b/platform/ext/common/template/crypto_keys.c
index e005205..d4d755c 100644
--- a/platform/ext/common/template/crypto_keys.c
+++ b/platform/ext/common/template/crypto_keys.c
@@ -14,9 +14,11 @@
* limitations under the License.
*/
-#include "tfm_plat_crypto_keys.h"
#include <stddef.h>
+#include <string.h>
+
#include "psa/crypto_types.h"
+#include "tfm_plat_crypto_keys.h"
/* FIXME: Functions in this file should be implemented by platform vendor. For
* the security of the storage system, it is critical to use a hardware unique
@@ -34,6 +36,7 @@
extern const psa_algorithm_t tfm_attest_hmac_sign_alg;
extern const uint8_t initial_attestation_hmac_sha256_key[];
extern const size_t initial_attestation_hmac_sha256_key_size;
+extern const char *initial_attestation_kid;
#else /* SYMMETRIC_INITIAL_ATTESTATION */
extern const psa_ecc_curve_t initial_attestation_curve_type;
extern const uint8_t initial_attestation_private_key[];
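Review bot: `initial_attestation_kid` is declared as a bare `const char *` with no length, unlike the HMAC key just above it, which is paired with `initial_attestation_hmac_sha256_key_size`. That forces tfm_plat_get_symmetric_iak_id() in the next hunk to call `strlen()` on it. A COSE `kid` is a byte string and the HAL takes `void *kid_buf`, so the template then only works for NUL-terminated text, and the call is undefined if a platform port leaves the pointer NULL. I would declare `extern const uint8_t initial_attestation_kid[];` and `extern const size_t initial_attestation_kid_size;`, and copy by that size; the definition in tfm_initial_attestation_key_material.c has to change to match.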
@@ -109,6 +112,23 @@
return TFM_PLAT_ERR_SUCCESS;
}
+
+enum tfm_plat_err_t tfm_plat_get_symmetric_iak_id(void *kid_buf,
+ size_t buf_len,
+ size_t *kid_len)
+{
+ /* kid is string in this example. '\0' is ignore. */
+ size_t len = strlen(initial_attestation_kid);
+
+ if (!kid_buf || !kid_len || (buf_len < len)) {
+ return TFM_PLAT_ERR_INVALID_INPUT;
+ }
+
+ copy_key(kid_buf, (const uint8_t *)initial_attestation_kid, len);
+ *kid_len = len;
+
+ return TFM_PLAT_ERR_SUCCESS;
+}
#else /* SYMMETRIC_INITIAL_ATTESTATION */
enum tfm_plat_err_t
tfm_plat_get_initial_attest_key(uint8_t *key_buf,
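Review bot: The definition of tfm_plat_get_symmetric_iak_id() is not wrapped in `#ifdef INCLUDE_COSE_KEY_ID`, while its prototype in tfm_plat_crypto_keys.h is. As far as this hunk shows, a symmetric build without that option still compiles the function, but with no prior declaration in scope. Putting the same `#ifdef INCLUDE_COSE_KEY_ID` / `#endif /* INCLUDE_COSE_KEY_ID */` pair around the definition keeps the two files in step; the surrounding `SYMMETRIC_INITIAL_ATTESTATION` conditional opens outside the hunk. The comment would also read better as `/* kid is a string in this example; the terminating '\0' is not copied. */`.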
diff --git a/platform/ext/common/template/tfm_initial_attestation_key_material.c b/platform/ext/common/template/tfm_initial_attestation_key_material.c
index 25dec5c..c7ba7fb 100644
--- a/platform/ext/common/template/tfm_initial_attestation_key_material.c
+++ b/platform/ext/common/template/tfm_initial_attestation_key_material.c
@@ -42,6 +42,9 @@
TFM_LINK_SET_RO_IN_PARTITION_SECTION("TFM_SP_INITIAL_ATTESTATION")
const size_t initial_attestation_hmac_sha256_key_size =
sizeof(initial_attestation_hmac_sha256_key);
+
+TFM_LINK_SET_RO_IN_PARTITION_SECTION("TFM_SP_INITIAL_ATTESTATION")
+const char *initial_attestation_kid = "kid@trustedfirmware.example";
#else /* SYMMETRIC_INITIAL_ATTESTATION */
/*
* This file contains the hard coded version of the ECDSA P-256 secret key in:
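Review bot: Assuming TFM_LINK_SET_RO_IN_PARTITION_SECTION applies a section attribute as its name suggests, here it lands on the pointer object rather than on the kid bytes. `const char *initial_attestation_kid` is a writable pointer to const data, so a non-const variable is being placed in a read-only partition section. The string literal itself goes wherever the toolchain puts literals, which may be outside the attestation partition's region. Defining the data as an array, `const char initial_attestation_kid[] = "kid@trustedfirmware.example";`, puts the bytes themselves in the section and allows a `sizeof`-based length like the key size above it. The `extern` in crypto_keys.c would need the matching array type.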
diff --git a/platform/include/tfm_plat_crypto_keys.h b/platform/include/tfm_plat_crypto_keys.h
index f9934cd..035fd38 100644
--- a/platform/include/tfm_plat_crypto_keys.h
+++ b/platform/include/tfm_plat_crypto_keys.h
@@ -104,6 +104,25 @@
size_t buf_len,
size_t *key_len,
psa_algorithm_t *key_alg);
+
+#ifdef INCLUDE_COSE_KEY_ID
+/**
+ * \brief Get the key identifier of the symmetric Initial Attestation Key as the
+ * 'kid' parameter in COSE Header.
+ *
+ * \note This `kid` parameter is included in COSE Header. Please don't confuse
+ * it with that `kid` in COSE_Key structure.
+ *
+ * \param[out] kid_buf The buffer to be written with key id
+ * \param[in] buf_len The length of kid_buf
+ * \param[out] kid_len The length of key id
+ *
+ * \return Returns error code specified in \ref tfm_plat_err_t.
+ */
+enum tfm_plat_err_t tfm_plat_get_symmetric_iak_id(void *kid_buf,
+ size_t buf_len,
+ size_t *kid_len);
+#endif
#else /* SYMMETRIC_INITIAL_ATTESTATION */
/**
* \brief Get the initial attestation key
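Review bot: The doc comment for tfm_plat_get_symmetric_iak_id() does not say what a caller gets back when the buffer is too small, or whether the written key id is NUL-terminated. Going by the template implementation in this commit, I would add `\note The key id is written without a terminating '\0'.` and extend the return text to `TFM_PLAT_ERR_INVALID_INPUT if kid_buf or kid_len is NULL or buf_len is smaller than the key id`. It is also worth stating that `kid_len` is left untouched on failure, so callers do not read it after an error. The closing `#endif` would match the file's other conditionals better as `#endif /* INCLUDE_COSE_KEY_ID */`.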