Attest: Refine compile time build options

To have more granular config options for attestation
separate the test code and COSE key-id inclusion to be
dependent on different compile time options.

Change-Id: I351ce445f7beacf3378bbec4f740923bcd352f90
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
diff --git a/CommonConfig.cmake b/CommonConfig.cmake
index 9d5f175..fc4dd2d 100644
--- a/CommonConfig.cmake
+++ b/CommonConfig.cmake
@@ -1,5 +1,5 @@
 #-------------------------------------------------------------------------------
-# Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+# Copyright (c) 2018-2020, Arm Limited. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -12,7 +12,7 @@
 elseif(NOT DEFINED TFM_LVL)
 	message(FATAL_ERROR "ERROR: Incomplete Configuration: TFM_LVL not defined, Include this file from a Config*.cmake")
 elseif(NOT DEFINED CORE_IPC)
-	message(FATAL_ERROR "ERROR: Incomplete Configuration: CORE_IPC not deinfed. Include this file from a Config*.cmake")
+	message(FATAL_ERROR "ERROR: Incomplete Configuration: CORE_IPC not defined. Include this file from a Config*.cmake")
 endif()
 
 if(NOT DEFINED COMPILER)
@@ -409,10 +409,16 @@
 	set(ATTEST_INCLUDE_OPTIONAL_CLAIMS ON)
 endif()
 
-if (CMAKE_BUILD_TYPE STREQUAL "debug")
-	set(ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID ON)
-else()
-	set(ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID OFF)
+if (NOT DEFINED ATTEST_INCLUDE_COSE_KEY_ID)
+	set(ATTEST_INCLUDE_COSE_KEY_ID OFF)
+endif()
+
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+	if (CMAKE_BUILD_TYPE STREQUAL "debug")
+		set(ATTEST_INCLUDE_TEST_CODE ON)
+	else()
+		set(ATTEST_INCLUDE_TEST_CODE OFF)
+	endif()
 endif()
 
 set(ATTEST_BOOT_INTERFACE "CBOR_ENCODED_CLAIMS" CACHE STRING "Set the format in which to pass the claims to the initial-attestation service.")
diff --git a/docs/user_guides/services/tfm_attestation_integration_guide.rst b/docs/user_guides/services/tfm_attestation_integration_guide.rst
index ffbec4c..eb5601f 100644
--- a/docs/user_guides/services/tfm_attestation_integration_guide.rst
+++ b/docs/user_guides/services/tfm_attestation_integration_guide.rst
@@ -437,10 +437,13 @@
 
 - ``ATTEST_INCLUDE_OPTIONAL_CLAIMS``: Include also the optional claims to the
   attestation token. Default value: True.
-- ``ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID``: Test code and COSE key-id from
-  unprotected token header is removed if it is False. Its value depends on the
-  build type. It is True if build type is ``Debug``, otherwise False (different
-  kind of ``Release`` builds).
+- ``ATTEST_INCLUDE_TEST_CODE``: Test code is removed from COSE library and from
+  attestation test suite if it is False. Its default value depends on the build
+  type. It is True if build type is ``Debug``, otherwise False (different kinds
+  of ``Release`` builds).
+- ``ATTEST_INCLUDE_COSE_KEY_ID``: COSE key-id is an optional field in the COSE
+  unprotected header. Key-id is calculated and added to the COSE header based
+  on the value of this flag. Default value: False.
 
 ************
 Verification
@@ -495,4 +498,4 @@
 
 --------------
 
-*Copyright (c) 2018-2019, Arm Limited. All rights reserved.*
+*Copyright (c) 2018-2020, Arm Limited. All rights reserved.*
diff --git a/lib/ext/t_cose/CMakeLists.txt b/lib/ext/t_cose/CMakeLists.txt
index 7ff82e5..540da91 100644
--- a/lib/ext/t_cose/CMakeLists.txt
+++ b/lib/ext/t_cose/CMakeLists.txt
@@ -22,8 +22,8 @@
 project(tfm_t_cose LANGUAGES C)
 embedded_project_fixup()
 
-if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
-	message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID is undefined. ")
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+	message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE is undefined. ")
 endif()
 
 #Append all our source files to global lists.
@@ -71,7 +71,7 @@
 	"T_COSE_DISABLE_SIGN_VERIFY_TESTS"
 	)
 
-if (NOT ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
+if (NOT ATTEST_INCLUDE_TEST_CODE)
 	list(APPEND T_COSE_COMPILE_TIME_CONFIG "T_COSE_DISABLE_SHORT_CIRCUIT_SIGN")
 endif()
 
diff --git a/secure_fw/services/initial_attestation/CMakeLists.inc b/secure_fw/services/initial_attestation/CMakeLists.inc
index 8abfae2..bbc6b83 100644
--- a/secure_fw/services/initial_attestation/CMakeLists.inc
+++ b/secure_fw/services/initial_attestation/CMakeLists.inc
@@ -24,8 +24,16 @@
 	message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_OPTIONAL_CLAIMS is undefined.")
 endif()
 
-if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
-	message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID is undefined.")
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+	message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE is undefined.")
+endif()
+
+if (NOT DEFINED ATTEST_INCLUDE_COSE_KEY_ID)
+	message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_COSE_KEY_ID is undefined.")
+endif()
+
+if (NOT DEFINED ATTEST_BOOT_INTERFACE)
+	message(FATAL_ERROR "Incomplete build configuration: ATTEST_BOOT_INTERFACE is undefined.")
 endif()
 
 list(APPEND ATTEST_C_SRC
@@ -41,8 +49,12 @@
 	set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_OPTIONAL_CLAIMS)
 endif()
 
-if (ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
-	set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
+if (ATTEST_INCLUDE_TEST_CODE)
+	set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE)
+endif()
+
+if (ATTEST_INCLUDE_COSE_KEY_ID)
+	set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_COSE_KEY_ID)
 endif()
 
 if (ATTEST_BOOT_INTERFACE STREQUAL "INDIVIDUAL_CLAIMS")
@@ -52,8 +64,9 @@
 #Inform the user about attestation service features selected based on the cmake flags
 message("The Initial Attestation service compile configuration is as follows:")
 message("- ATTEST_INCLUDE_OPTIONAL_CLAIMS: ${ATTEST_INCLUDE_OPTIONAL_CLAIMS}")
-message("- ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID: ${ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID}")
-message("- ATTEST_BOOT_INTERFACE: ${ATTEST_BOOT_INTERFACE}")
+message("- ATTEST_INCLUDE_TEST_CODE:       ${ATTEST_INCLUDE_TEST_CODE}")
+message("- ATTEST_INCLUDE_COSE_KEY_ID:     ${ATTEST_INCLUDE_COSE_KEY_ID}")
+message("- ATTEST_BOOT_INTERFACE:          ${ATTEST_BOOT_INTERFACE}")
 
 #Setting include directories
 embedded_include_directories(PATH ${TFM_ROOT_DIR} ABSOLUTE)
diff --git a/secure_fw/services/initial_attestation/attest_token.c b/secure_fw/services/initial_attestation/attest_token.c
index 4e582ae..c6a4ecde 100644
--- a/secure_fw/services/initial_attestation/attest_token.c
+++ b/secure_fw/services/initial_attestation/attest_token.c
@@ -99,21 +99,21 @@
     psa_key_handle_t private_key;
     struct q_useful_buf_c attest_key_id = NULL_Q_USEFUL_BUF_C;
 
-
     /* Remember some of the configuration values */
     me->opt_flags  = opt_flags;
     me->key_select = key_select;
 
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID
+
     if (opt_flags & TOKEN_OPT_SHORT_CIRCUIT_SIGN) {
         t_cose_options |= T_COSE_OPT_SHORT_CIRCUIT_SIG;
     } else {
+#ifdef INCLUDE_COSE_KEY_ID
         attest_ret = attest_get_initial_attestation_key_id(&attest_key_id);
         if (attest_ret != PSA_ATTEST_ERR_SUCCESS) {
             return ATTEST_TOKEN_ERR_GENERAL;
         }
+#endif /* INCLUDE_COSE_KEY_ID */
     }
-#endif
 
     t_cose_sign1_sign_init(&(me->signer_ctx), t_cose_options, cose_alg_id);
 
diff --git a/secure_fw/services/initial_attestation/attestation_core.c b/secure_fw/services/initial_attestation/attestation_core.c
index 052107c..a37e5f4 100644
--- a/secure_fw/services/initial_attestation/attestation_core.c
+++ b/secure_fw/services/initial_attestation/attestation_core.c
@@ -861,7 +861,7 @@
     return PSA_ATTEST_ERR_INVALID_INPUT;
 }
 
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
 /*!
  * \brief Static function to get the option flags from challenge object
  *
@@ -912,7 +912,7 @@
         *key_select = 0;
     }
 }
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
 
 /*!
  * \brief Static function to create the initial attestation token
@@ -942,7 +942,7 @@
         goto error;
     }
 
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
     attest_get_option_flags(challenge, &option_flags, &key_select);
 #endif
 
diff --git a/secure_fw/services/initial_attestation/attestation_key.c b/secure_fw/services/initial_attestation/attestation_key.c
index 7dedd0b..ead20c8 100644
--- a/secure_fw/services/initial_attestation/attestation_key.c
+++ b/secure_fw/services/initial_attestation/attestation_key.c
@@ -47,7 +47,7 @@
 static size_t   attestation_public_key_len = 0;
 static psa_ecc_curve_t attestation_key_curve;
 
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID
+#ifdef INCLUDE_COSE_KEY_ID
 static uint8_t attestation_key_id[PSA_HASH_SIZE(PSA_ALG_SHA_256)]; /* 32bytes */
 #endif
 
@@ -171,7 +171,7 @@
 }
 
 
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID
+#ifdef INCLUDE_COSE_KEY_ID
 
 #define MAX_ENCODED_COSE_KEY_SIZE \
     1 + /* 1 byte to encode map */ \
@@ -392,4 +392,4 @@
 
     return PSA_ATTEST_ERR_SUCCESS;
 }
-#endif
+#endif /* INCLUDE_COSE_KEY_ID */
diff --git a/test/suites/attestation/CMakeLists.inc b/test/suites/attestation/CMakeLists.inc
index 38c0eb1..2eb344f 100644
--- a/test/suites/attestation/CMakeLists.inc
+++ b/test/suites/attestation/CMakeLists.inc
@@ -24,8 +24,8 @@
 	message(FATAL_ERROR "Please set TFM_ROOT_DIR before including this file.")
 endif()
 
-if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
-	message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID is undefined. ")
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+	message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE is undefined. ")
 endif()
 
 if (NOT DEFINED ENABLE_ATTESTATION_SERVICE_TESTS)
@@ -47,9 +47,9 @@
 		"${TFM_ROOT_DIR}/lib/ext/qcbor/util/qcbor_util.c"
 	)
 
-	if (ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
-		set_property(SOURCE ${ATTEST_TEST_SRC_S}  APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
-		set_property(SOURCE ${ATTEST_TEST_SRC_NS} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
+	if (ATTEST_INCLUDE_TEST_CODE)
+		set_property(SOURCE ${ATTEST_TEST_SRC_S}  APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE)
+		set_property(SOURCE ${ATTEST_TEST_SRC_NS} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE)
 	endif()
 
 	#Setting include directories
diff --git a/test/suites/attestation/attest_token_test.c b/test/suites/attestation/attest_token_test.c
index dd0db4b..847f3e1 100644
--- a/test/suites/attestation/attest_token_test.c
+++ b/test/suites/attestation/attest_token_test.c
@@ -2,6 +2,7 @@
  * attest_token_test.c
  *
  * Copyright (c) 2018-2019, Laurence Lundblade.
+ * Copyright (c) 2020, Arm Limited.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -79,7 +80,7 @@
     return return_value;
 }
 
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
 /**
  * This is the expected output for the minimal test. It is the result
  * of creating a token with \ref TOKEN_OPT_SHORT_CIRCUIT_SIGN and \ref
@@ -230,7 +231,7 @@
 
     return return_value;
 }
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
 
 
 /**
diff --git a/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c b/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
index 3d78532..fae87ac 100644
--- a/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
+++ b/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -18,7 +18,7 @@
 
 /* Define test suite for attestation service tests */
 /* List of tests */
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
 static void tfm_attest_test_2001(struct test_result_t *ret);
 static void tfm_attest_test_2002(struct test_result_t *ret);
 static void tfm_attest_test_2003(struct test_result_t *ret);
@@ -27,7 +27,7 @@
 static void tfm_attest_test_2005(struct test_result_t *ret);
 
 static struct test_t attestation_interface_tests[] = {
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
     {&tfm_attest_test_2001, "TFM_ATTEST_TEST_2001",
      "Minimal token test of attest token", {0} },
     {&tfm_attest_test_2002, "TFM_ATTEST_TEST_2002",
@@ -54,7 +54,7 @@
                   attestation_interface_tests, list_size, p_test_suite);
 }
 
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
 /*!
  * \brief Get minimal token, only include a hard coded challenge, but omit the
  *        rest of the claims
@@ -115,7 +115,7 @@
 
     ret->val = TEST_PASSED;
 }
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
 
 /*!
  * \brief Get an IAT with proper ECDSA signature. Parse the token, validate
diff --git a/test/suites/attestation/secure/attestation_s_interface_testsuite.c b/test/suites/attestation/secure/attestation_s_interface_testsuite.c
index 2bd171c..9c911a3 100644
--- a/test/suites/attestation/secure/attestation_s_interface_testsuite.c
+++ b/test/suites/attestation/secure/attestation_s_interface_testsuite.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -18,7 +18,7 @@
 
 /* Define test suite for attestation service tests */
 /* List of tests */
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
 static void tfm_attest_test_1001(struct test_result_t *ret);
 static void tfm_attest_test_1002(struct test_result_t *ret);
 static void tfm_attest_test_1003(struct test_result_t *ret);
@@ -27,7 +27,7 @@
 static void tfm_attest_test_1005(struct test_result_t *ret);
 
 static struct test_t attestation_interface_tests[] = {
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
     {&tfm_attest_test_1001, "TFM_ATTEST_TEST_1001",
      "Minimal token test of attest token", {0} },
     {&tfm_attest_test_1002, "TFM_ATTEST_TEST_1002",
@@ -54,7 +54,7 @@
                   attestation_interface_tests, list_size, p_test_suite);
 }
 
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
 /*!
  * \brief Get minimal token, only include a hard coded challenge, but omit the
  *        rest of the claims
@@ -115,7 +115,7 @@
 
     ret->val = TEST_PASSED;
 }
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
 
 /*!
  * \brief Get an IAT with proper ECDSA signature. Parse the token, validate