Tools: add IAT verifier.

Add a script for verifying the signatures and structure of Initial
Attestation Tokens.

Change-Id: Ic3649f25c32edd9b08793eb8a77c8b40dd71e8c8
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
diff --git a/tools/iat-verifier/dev_scripts/generate-sample-iat.py b/tools/iat-verifier/dev_scripts/generate-sample-iat.py
new file mode 100755
index 0000000..3d69a12
--- /dev/null
+++ b/tools/iat-verifier/dev_scripts/generate-sample-iat.py
@@ -0,0 +1,90 @@
+#!/usr/bin/env python3
+#-------------------------------------------------------------------------------
+# Copyright (c) 2019, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+
+import base64
+import struct
+
+import cbor
+from ecdsa import SigningKey
+from pycose.sign1message import Sign1Message
+
+from iatverifier import const
+from iatverifier.util import sign_eat
+
+
+# First byte indicates "GUID"
+GUID = b'\x01' + struct.pack('QQQQ', 0x0001020304050607, 0x08090A0B0C0D0E0F,
+                             0x1011121314151617, 0x18191A1B1C1D1E1F)
+NONCE = struct.pack('QQQQ', 0X0001020304050607, 0X08090A0B0C0D0E0F,
+                    0X1011121314151617, 0X18191A1B1C1D1E1F)
+ORIGIN = struct.pack('QQQQ', 0X0001020304050607, 0X08090A0B0C0D0E0F,
+                     0X1011121314151617, 0X18191A1B1C1D1E1F)
+BOOT_SEED = struct.pack('QQQQ', 0X0001020304050607, 0X08090A0B0C0D0E0F,
+                        0X1011121314151617, 0X18191A1B1C1D1E1F)
+SIGNER_ID = struct.pack('QQQQ', 0X0001020304050607, 0X08090A0B0C0D0E0F,
+                        0X1011121314151617, 0X18191A1B1C1D1E1F)
+MEASUREMENT = struct.pack('QQQQ', 0X0001020304050607, 0X08090A0B0C0D0E0F,
+                          0X1011121314151617, 0X18191A1B1C1D1E1F)
+
+token_map = {
+  const.INSTANCE_ID: GUID,
+  const.IMPLEMENTATION_ID: ORIGIN,
+  const.CHALLENGE: NONCE,
+  const.CLIENT_ID: 2,
+  const.SECURITY_LIFECYCLE: const.SL_PROVISIONED,
+  const.PROFILE_ID: 'http://example.com',
+  const.BOOT_SEED: BOOT_SEED,
+  const.SW_COMPONENTS: [
+        {
+            # bootloader
+            const.SW_COMPONENT_TYPE: 'BL',
+            const.SIGNER_ID: SIGNER_ID,
+            const.SW_COMPONENT_VERSION: '3.4.2',
+            const.EPOCH: 1,
+            const.MEASUREMENT_VALUE: MEASUREMENT,
+            const.MEASUREMENT_DESCRIPTION: 'TF-M_SHA256MemPreXIP',
+        },
+        {
+            # mod1
+            const.SW_COMPONENT_TYPE: 'M1',
+            const.SIGNER_ID: SIGNER_ID,
+            const.SW_COMPONENT_VERSION: '3.4.2',
+            const.EPOCH: 1,
+            const.MEASUREMENT_VALUE: MEASUREMENT,
+        },
+        {
+            # mod2
+            const.SW_COMPONENT_TYPE: 'M2',
+            const.SIGNER_ID: SIGNER_ID,
+            const.SW_COMPONENT_VERSION: '3.4.2',
+            const.EPOCH: 1,
+            const.MEASUREMENT_VALUE: MEASUREMENT,
+        },
+        {
+            # mod3
+            const.SW_COMPONENT_TYPE: 'M3',
+            const.SIGNER_ID: SIGNER_ID,
+            const.SW_COMPONENT_VERSION: '3.4.2',
+            const.EPOCH: 1,
+            const.MEASUREMENT_VALUE: MEASUREMENT,
+        },
+    ],
+}
+
+
+if __name__ == '__main__':
+    import sys
+    keyfile = sys.argv[1]
+    outfile = sys.argv[2]
+
+    sk = SigningKey.from_pem(open(keyfile, 'rb').read())
+    token = cbor.dumps(token_map)
+    signed_token = sign_eat(token, sk)
+
+    with open(outfile, 'wb') as wfh:
+        wfh.write(signed_token)
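Review bot: The `struct.pack('QQQQ', ...)` constants (GUID, NONCE, ORIGIN, BOOT_SEED, SIGNER_ID, MEASUREMENT) use native byte order, so the claim bytes in the generated sample token depend on the host: a little-endian machine emits each 8-byte word reversed (`07 06 ... 00`) rather than the `00 01 ... 1f` sequence the literals suggest. Pinning the order, e.g. `struct.pack('>QQQQ', ...)`, makes the sample reproducible and comparable across machines. In the `__main__` block the key file handle is never closed; `with open(keyfile, 'rb') as kfh: sk = SigningKey.from_pem(kfh.read())` fixes that, and the unused `base64` and `Sign1Message` imports can be dropped. A short comment stating that `keyfile` is expected to be a throwaway development key would also help, since the script signs fixed, publicly known claim values.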