Attest: Refine compile time build options
To have more granular config options for attestation,
separate the test code and the COSE key-id inclusion so that
they depend on different compile time options.
Change-Id: I351ce445f7beacf3378bbec4f740923bcd352f90
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
diff --git a/CommonConfig.cmake b/CommonConfig.cmake
index 9d5f175..fc4dd2d 100644
--- a/CommonConfig.cmake
+++ b/CommonConfig.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+# Copyright (c) 2018-2020, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -12,7 +12,7 @@
elseif(NOT DEFINED TFM_LVL)
message(FATAL_ERROR "ERROR: Incomplete Configuration: TFM_LVL not defined, Include this file from a Config*.cmake")
elseif(NOT DEFINED CORE_IPC)
- message(FATAL_ERROR "ERROR: Incomplete Configuration: CORE_IPC not deinfed. Include this file from a Config*.cmake")
+ message(FATAL_ERROR "ERROR: Incomplete Configuration: CORE_IPC not defined. Include this file from a Config*.cmake")
endif()
if(NOT DEFINED COMPILER)
@@ -409,10 +409,16 @@
set(ATTEST_INCLUDE_OPTIONAL_CLAIMS ON)
endif()
-if (CMAKE_BUILD_TYPE STREQUAL "debug")
- set(ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID ON)
-else()
- set(ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID OFF)
+if (NOT DEFINED ATTEST_INCLUDE_COSE_KEY_ID)
+ set(ATTEST_INCLUDE_COSE_KEY_ID OFF)
+endif()
+
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+ if (CMAKE_BUILD_TYPE STREQUAL "debug")
+ set(ATTEST_INCLUDE_TEST_CODE ON)
+ else()
+ set(ATTEST_INCLUDE_TEST_CODE OFF)
+ endif()
endif()
set(ATTEST_BOOT_INTERFACE "CBOR_ENCODED_CLAIMS" CACHE STRING "Set the format in which to pass the claims to the initial-attestation service.")
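Review bot: `ATTEST_INCLUDE_TEST_CODE` can now be forced ON from a config file or the command line in any build type, and nothing in this block reports it; only the default is tied to `CMAKE_BUILD_TYPE`. With the flag ON, lib/ext/t_cose/CMakeLists.txt does not add `T_COSE_DISABLE_SHORT_CIRCUIT_SIGN`, so the test-only short-circuit signing path stays in the image. Consider a warning after the defaulting block: `if (ATTEST_INCLUDE_TEST_CODE AND NOT CMAKE_BUILD_TYPE STREQUAL "debug")`, then `message(WARNING "ATTEST_INCLUDE_TEST_CODE is ON in a non-debug build: attestation test code and short-circuit signing are compiled in")`, then `endif()`. The comparison with lowercase `"debug"` is case-sensitive while the integration guide writes ``Debug``; presumably the build type is normalised before this point, which is worth confirming.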
diff --git a/docs/user_guides/services/tfm_attestation_integration_guide.rst b/docs/user_guides/services/tfm_attestation_integration_guide.rst
index ffbec4c..eb5601f 100644
--- a/docs/user_guides/services/tfm_attestation_integration_guide.rst
+++ b/docs/user_guides/services/tfm_attestation_integration_guide.rst
@@ -437,10 +437,13 @@
- ``ATTEST_INCLUDE_OPTIONAL_CLAIMS``: Include also the optional claims to the
attestation token. Default value: True.
-- ``ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID``: Test code and COSE key-id from
- unprotected token header is removed if it is False. Its value depends on the
- build type. It is True if build type is ``Debug``, otherwise False (different
- kind of ``Release`` builds).
+- ``ATTEST_INCLUDE_TEST_CODE``: Test code is removed from COSE library and from
+ attestation test suite if it is False. Its default value depends on the build
+ type. It is True if build type is ``Debug``, otherwise False (different kinds
+ of ``Release`` builds).
+- ``ATTEST_INCLUDE_COSE_KEY_ID``: COSE key-id is an optional field in the COSE
+ unprotected header. Key-id is calculated and added to the COSE header based
+ on the value of this flag. Default value: False.
************
Verification
@@ -495,4 +498,4 @@
--------------
-*Copyright (c) 2018-2019, Arm Limited. All rights reserved.*
+*Copyright (c) 2018-2020, Arm Limited. All rights reserved.*
diff --git a/lib/ext/t_cose/CMakeLists.txt b/lib/ext/t_cose/CMakeLists.txt
index 7ff82e5..540da91 100644
--- a/lib/ext/t_cose/CMakeLists.txt
+++ b/lib/ext/t_cose/CMakeLists.txt
@@ -22,8 +22,8 @@
project(tfm_t_cose LANGUAGES C)
embedded_project_fixup()
-if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
- message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID is undefined. ")
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE is undefined. ")
endif()
#Append all our source files to global lists.
@@ -71,7 +71,7 @@
"T_COSE_DISABLE_SIGN_VERIFY_TESTS"
)
-if (NOT ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
+if (NOT ATTEST_INCLUDE_TEST_CODE)
list(APPEND T_COSE_COMPILE_TIME_CONFIG "T_COSE_DISABLE_SHORT_CIRCUIT_SIGN")
endif()
diff --git a/secure_fw/services/initial_attestation/CMakeLists.inc b/secure_fw/services/initial_attestation/CMakeLists.inc
index 8abfae2..bbc6b83 100644
--- a/secure_fw/services/initial_attestation/CMakeLists.inc
+++ b/secure_fw/services/initial_attestation/CMakeLists.inc
@@ -24,8 +24,16 @@
message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_OPTIONAL_CLAIMS is undefined.")
endif()
-if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
- message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID is undefined.")
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE is undefined.")
+endif()
+
+if (NOT DEFINED ATTEST_INCLUDE_COSE_KEY_ID)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_COSE_KEY_ID is undefined.")
+endif()
+
+if (NOT DEFINED ATTEST_BOOT_INTERFACE)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_BOOT_INTERFACE is undefined.")
endif()
list(APPEND ATTEST_C_SRC
@@ -41,8 +49,12 @@
set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_OPTIONAL_CLAIMS)
endif()
-if (ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
- set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
+if (ATTEST_INCLUDE_TEST_CODE)
+ set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE)
+endif()
+
+if (ATTEST_INCLUDE_COSE_KEY_ID)
+ set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_COSE_KEY_ID)
endif()
if (ATTEST_BOOT_INTERFACE STREQUAL "INDIVIDUAL_CLAIMS")
@@ -52,8 +64,9 @@
#Inform the user about attestation service features selected based on the cmake flags
message("The Initial Attestation service compile configuration is as follows:")
message("- ATTEST_INCLUDE_OPTIONAL_CLAIMS: ${ATTEST_INCLUDE_OPTIONAL_CLAIMS}")
-message("- ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID: ${ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID}")
-message("- ATTEST_BOOT_INTERFACE: ${ATTEST_BOOT_INTERFACE}")
+message("- ATTEST_INCLUDE_TEST_CODE: ${ATTEST_INCLUDE_TEST_CODE}")
+message("- ATTEST_INCLUDE_COSE_KEY_ID: ${ATTEST_INCLUDE_COSE_KEY_ID}")
+message("- ATTEST_BOOT_INTERFACE: ${ATTEST_BOOT_INTERFACE}")
#Setting include directories
embedded_include_directories(PATH ${TFM_ROOT_DIR} ABSOLUTE)
diff --git a/secure_fw/services/initial_attestation/attest_token.c b/secure_fw/services/initial_attestation/attest_token.c
index 4e582ae..c6a4ecde 100644
--- a/secure_fw/services/initial_attestation/attest_token.c
+++ b/secure_fw/services/initial_attestation/attest_token.c
@@ -99,21 +99,21 @@
psa_key_handle_t private_key;
struct q_useful_buf_c attest_key_id = NULL_Q_USEFUL_BUF_C;
-
/* Remember some of the configuration values */
me->opt_flags = opt_flags;
me->key_select = key_select;
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID
+
if (opt_flags & TOKEN_OPT_SHORT_CIRCUIT_SIGN) {
t_cose_options |= T_COSE_OPT_SHORT_CIRCUIT_SIG;
} else {
+#ifdef INCLUDE_COSE_KEY_ID
attest_ret = attest_get_initial_attestation_key_id(&attest_key_id);
if (attest_ret != PSA_ATTEST_ERR_SUCCESS) {
return ATTEST_TOKEN_ERR_GENERAL;
}
+#endif /* INCLUDE_COSE_KEY_ID */
}
-#endif
t_cose_sign1_sign_init(&(me->signer_ctx), t_cose_options, cose_alg_id);
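Review bot: The `TOKEN_OPT_SHORT_CIRCUIT_SIGN` branch is now compiled into every build, because the old `#ifdef INCLUDE_TEST_CODE_AND_KEY_ID` around it was removed and the new `INCLUDE_COSE_KEY_ID` guard covers only the key-id lookup. Release builds then rely on the caller never setting the flag (attestation_core.c parses it only under `INCLUDE_TEST_CODE`) and on t_cose being built with `T_COSE_DISABLE_SHORT_CIRCUIT_SIGN`; keeping the branch behind `INCLUDE_TEST_CODE` here restores the compile-time guarantee. With `INCLUDE_COSE_KEY_ID` undefined the `else` body is empty and `attest_ret`, declared outside the hunk, may become unused, which is worth checking for a compiler warning. The enclosing function starts and ends outside the hunk.

```c
    /* … unchanged: me->opt_flags and me->key_select assignments … */

#ifdef INCLUDE_TEST_CODE
    /* Short-circuit signing is test-only; compile it out of release builds. */
    if (opt_flags & TOKEN_OPT_SHORT_CIRCUIT_SIGN) {
        t_cose_options |= T_COSE_OPT_SHORT_CIRCUIT_SIG;
    } else
#endif /* INCLUDE_TEST_CODE */
    {
#ifdef INCLUDE_COSE_KEY_ID
        /* … unchanged: attest_get_initial_attestation_key_id() call and error check … */
#endif /* INCLUDE_COSE_KEY_ID */
    }
```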
diff --git a/secure_fw/services/initial_attestation/attestation_core.c b/secure_fw/services/initial_attestation/attestation_core.c
index 052107c..a37e5f4 100644
--- a/secure_fw/services/initial_attestation/attestation_core.c
+++ b/secure_fw/services/initial_attestation/attestation_core.c
@@ -861,7 +861,7 @@
return PSA_ATTEST_ERR_INVALID_INPUT;
}
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
/*!
* \brief Static function to get the option flags from challenge object
*
@@ -912,7 +912,7 @@
*key_select = 0;
}
}
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
/*!
* \brief Static function to create the initial attestation token
@@ -942,7 +942,7 @@
goto error;
}
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
attest_get_option_flags(challenge, &option_flags, &key_select);
#endif
diff --git a/secure_fw/services/initial_attestation/attestation_key.c b/secure_fw/services/initial_attestation/attestation_key.c
index 7dedd0b..ead20c8 100644
--- a/secure_fw/services/initial_attestation/attestation_key.c
+++ b/secure_fw/services/initial_attestation/attestation_key.c
@@ -47,7 +47,7 @@
static size_t attestation_public_key_len = 0;
static psa_ecc_curve_t attestation_key_curve;
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID
+#ifdef INCLUDE_COSE_KEY_ID
static uint8_t attestation_key_id[PSA_HASH_SIZE(PSA_ALG_SHA_256)]; /* 32bytes */
#endif
@@ -171,7 +171,7 @@
}
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID
+#ifdef INCLUDE_COSE_KEY_ID
#define MAX_ENCODED_COSE_KEY_SIZE \
1 + /* 1 byte to encode map */ \
@@ -392,4 +392,4 @@
return PSA_ATTEST_ERR_SUCCESS;
}
-#endif
+#endif /* INCLUDE_COSE_KEY_ID */
diff --git a/test/suites/attestation/CMakeLists.inc b/test/suites/attestation/CMakeLists.inc
index 38c0eb1..2eb344f 100644
--- a/test/suites/attestation/CMakeLists.inc
+++ b/test/suites/attestation/CMakeLists.inc
@@ -24,8 +24,8 @@
message(FATAL_ERROR "Please set TFM_ROOT_DIR before including this file.")
endif()
-if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
- message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID is undefined. ")
+if (NOT DEFINED ATTEST_INCLUDE_TEST_CODE)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE is undefined. ")
endif()
if (NOT DEFINED ENABLE_ATTESTATION_SERVICE_TESTS)
@@ -47,9 +47,9 @@
"${TFM_ROOT_DIR}/lib/ext/qcbor/util/qcbor_util.c"
)
- if (ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID)
- set_property(SOURCE ${ATTEST_TEST_SRC_S} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
- set_property(SOURCE ${ATTEST_TEST_SRC_NS} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
+ if (ATTEST_INCLUDE_TEST_CODE)
+ set_property(SOURCE ${ATTEST_TEST_SRC_S} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE)
+ set_property(SOURCE ${ATTEST_TEST_SRC_NS} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE)
endif()
#Setting include directories
diff --git a/test/suites/attestation/attest_token_test.c b/test/suites/attestation/attest_token_test.c
index dd0db4b..847f3e1 100644
--- a/test/suites/attestation/attest_token_test.c
+++ b/test/suites/attestation/attest_token_test.c
@@ -2,6 +2,7 @@
* attest_token_test.c
*
* Copyright (c) 2018-2019, Laurence Lundblade.
+ * Copyright (c) 2020, Arm Limited.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -79,7 +80,7 @@
return return_value;
}
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
/**
* This is the expected output for the minimal test. It is the result
* of creating a token with \ref TOKEN_OPT_SHORT_CIRCUIT_SIGN and \ref
@@ -230,7 +231,7 @@
return return_value;
}
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
/**
diff --git a/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c b/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
index 3d78532..fae87ac 100644
--- a/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
+++ b/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -18,7 +18,7 @@
/* Define test suite for attestation service tests */
/* List of tests */
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
static void tfm_attest_test_2001(struct test_result_t *ret);
static void tfm_attest_test_2002(struct test_result_t *ret);
static void tfm_attest_test_2003(struct test_result_t *ret);
@@ -27,7 +27,7 @@
static void tfm_attest_test_2005(struct test_result_t *ret);
static struct test_t attestation_interface_tests[] = {
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
{&tfm_attest_test_2001, "TFM_ATTEST_TEST_2001",
"Minimal token test of attest token", {0} },
{&tfm_attest_test_2002, "TFM_ATTEST_TEST_2002",
@@ -54,7 +54,7 @@
attestation_interface_tests, list_size, p_test_suite);
}
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
/*!
* \brief Get minimal token, only include a hard coded challenge, but omit the
* rest of the claims
@@ -115,7 +115,7 @@
ret->val = TEST_PASSED;
}
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
/*!
* \brief Get an IAT with proper ECDSA signature. Parse the token, validate
diff --git a/test/suites/attestation/secure/attestation_s_interface_testsuite.c b/test/suites/attestation/secure/attestation_s_interface_testsuite.c
index 2bd171c..9c911a3 100644
--- a/test/suites/attestation/secure/attestation_s_interface_testsuite.c
+++ b/test/suites/attestation/secure/attestation_s_interface_testsuite.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -18,7 +18,7 @@
/* Define test suite for attestation service tests */
/* List of tests */
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
static void tfm_attest_test_1001(struct test_result_t *ret);
static void tfm_attest_test_1002(struct test_result_t *ret);
static void tfm_attest_test_1003(struct test_result_t *ret);
@@ -27,7 +27,7 @@
static void tfm_attest_test_1005(struct test_result_t *ret);
static struct test_t attestation_interface_tests[] = {
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
{&tfm_attest_test_1001, "TFM_ATTEST_TEST_1001",
"Minimal token test of attest token", {0} },
{&tfm_attest_test_1002, "TFM_ATTEST_TEST_1002",
@@ -54,7 +54,7 @@
attestation_interface_tests, list_size, p_test_suite);
}
-#ifdef INCLUDE_TEST_CODE_AND_KEY_ID /* Remove them from release build */
+#ifdef INCLUDE_TEST_CODE /* Remove them from release build */
/*!
* \brief Get minimal token, only include a hard coded challenge, but omit the
* rest of the claims
@@ -115,7 +115,7 @@
ret->val = TEST_PASSED;
}
-#endif /* INCLUDE_TEST_CODE_AND_KEY_ID */
+#endif /* INCLUDE_TEST_CODE */
/*!
* \brief Get an IAT with proper ECDSA signature. Parse the token, validate