Test: Add ITS test for partition access control
Adds a test that checks ITS access control by setting a UID and then
attempting to get the same UID from the Secure Client 2 test partition.
Change-Id: I536bd1efe3176ce4e9b2d704db1ca1ecb858520f
Signed-off-by: Jamie Fox <jamie.fox@arm.com>
diff --git a/secure_fw/spm/tfm_spm_db.inc b/secure_fw/spm/tfm_spm_db.inc
index 43bd2bc..96d11bd 100644
--- a/secure_fw/spm/tfm_spm_db.inc
+++ b/secure_fw/spm/tfm_spm_db.inc
@@ -543,6 +543,13 @@
};
#endif /* TFM_PARTITION_TEST_SST */
+#ifdef TFM_PARTITION_TEST_SECURE_SERVICES
+static int32_t dependencies_TFM_SP_SECURE_CLIENT_2[] =
+{
+ TFM_ITS_GET_SID,
+};
+#endif /* TFM_PARTITION_TEST_SECURE_SERVICES */
+
/**************************************************************************/
/** The static data of the partition list */
/**************************************************************************/
@@ -784,8 +791,8 @@
,
.partition_priority = TFM_PRIORITY(NORMAL),
.partition_init = tfm_secure_client_2_init,
- .dependencies_num = 0,
- .p_dependencies = NULL,
+ .dependencies_num = 1,
+ .p_dependencies = dependencies_TFM_SP_SECURE_CLIENT_2,
},
#endif /* TFM_PARTITION_TEST_SECURE_SERVICES */
diff --git a/test/suites/its/secure/psa_its_s_interface_testsuite.c b/test/suites/its/secure/psa_its_s_interface_testsuite.c
index 6411730..cb9d4e4 100644
--- a/test/suites/its/secure/psa_its_s_interface_testsuite.c
+++ b/test/suites/its/secure/psa_its_s_interface_testsuite.c
@@ -8,13 +8,18 @@
#include "its_s_tests.h"
#include "psa/internal_trusted_storage.h"
#include "test/framework/test_framework_helpers.h"
+#include "test/test_services/tfm_secure_client_2/tfm_secure_client_2_api.h"
#include "../its_tests_common.h"
#include "tfm_memory_utils.h"
+/* UID to test partition access control */
+#define TEST_UID_ACCESS_CONTROL 42U
+
/* List of tests */
static void tfm_its_test_2020(struct test_result_t *ret);
static void tfm_its_test_2021(struct test_result_t *ret);
static void tfm_its_test_2022(struct test_result_t *ret);
+static void tfm_its_test_2023(struct test_result_t *ret);
static struct test_t psa_its_s_tests[] = {
{&tfm_its_test_common_001, "TFM_ITS_TEST_2001",
@@ -61,6 +66,8 @@
"Get interface with invalid data lengths and offsets"},
{&tfm_its_test_2022, "TFM_ITS_TEST_2022",
"Get info interface with NULL info pointer"},
+ {&tfm_its_test_2023, "TFM_ITS_TEST_2023",
+ "Attempt to get a UID set by a different partition"},
};
void register_testsuite_s_psa_its_interface(struct test_suite_t *p_test_suite)
@@ -235,3 +242,40 @@
ret->val = TEST_PASSED;
}
+
+/**
+ * \brief Attempt to get a UID set by a different partition.
+ *
+ * \param[out] ret Test result
+ */
+static void tfm_its_test_2023(struct test_result_t *ret)
+{
+ psa_status_t status;
+ const psa_storage_uid_t uid = TEST_UID_ACCESS_CONTROL;
+
+ /* Set the UID from this partition's context */
+ status = psa_its_set(uid, WRITE_DATA_SIZE, WRITE_DATA,
+ PSA_STORAGE_FLAG_NONE);
+ if (status != PSA_SUCCESS) {
+ TEST_FAIL("Set should not fail");
+ return;
+ }
+
+ /* Attempt to get the UID from the Secure Client 2 partition */
+ status = tfm_secure_client_2_call_test(
+ TFM_SECURE_CLIENT_2_ID_ITS_ACCESS_CTRL,
+ &uid, sizeof(uid));
+ if (status != PSA_ERROR_DOES_NOT_EXIST) {
+ TEST_FAIL("Get should not succeed from a different partition");
+ return;
+ }
+
+ /* Call remove to clean up storage for the next test */
+ status = psa_its_remove(uid);
+ if (status != PSA_SUCCESS) {
+ TEST_FAIL("Remove should not fail with valid UID");
+ return;
+ }
+
+ ret->val = TEST_PASSED;
+}
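Review bot: The failure branch after the cross-partition get (`if (status != PSA_ERROR_DOES_NOT_EXIST)`) returns without removing the UID, so a run in which access control is actually broken also leaves `TEST_UID_ACCESS_CONTROL` in storage for whichever test runs next. Adding `(void)psa_its_remove(uid);` before that `TEST_FAIL` keeps the failure confined to this test. The test exercises only the read path, so the `\brief` could state the limit, e.g. `Only psa_its_get() is checked; set and remove from another partition are not covered.`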
diff --git a/test/test_services/tfm_secure_client_2/tfm_secure_client_2.c b/test/test_services/tfm_secure_client_2/tfm_secure_client_2.c
index 48323d3..271b34c 100644
--- a/test/test_services/tfm_secure_client_2/tfm_secure_client_2.c
+++ b/test/test_services/tfm_secure_client_2/tfm_secure_client_2.c
@@ -5,6 +5,9 @@
*
*/
+#include "tfm_secure_client_2_api.h"
+#include "psa/internal_trusted_storage.h"
+
#ifdef TFM_PSA_API
#include "psa/service.h"
#include "psa_manifest/tfm_secure_client_2.h"
@@ -12,10 +15,29 @@
#include "psa/client.h"
#endif
+static psa_status_t secure_client_2_test_its_access_ctrl(const void *arg,
+ size_t arg_len)
+{
+ psa_storage_uid_t uid;
+ size_t p_data_length;
+ uint8_t data[1];
+
+ if (arg_len != sizeof(uid)) {
+ return PSA_ERROR_PROGRAMMER_ERROR;
+ }
+
+ uid = *((psa_storage_uid_t *)arg);
+
+ /* Attempt to get one byte from the UID and return the resulting status */
+ return psa_its_get(uid, 0, sizeof(data), data, &p_data_length);
+}
+
static psa_status_t secure_client_2_dispatch(int32_t id, const void *arg,
size_t arg_len)
{
switch (id) {
+ case TFM_SECURE_CLIENT_2_ID_ITS_ACCESS_CTRL:
+ return secure_client_2_test_its_access_ctrl(arg, arg_len);
default:
return PSA_ERROR_PROGRAMMER_ERROR;
}
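Review bot: `secure_client_2_test_its_access_ctrl` checks only `arg_len` before dereferencing `arg`, so a NULL pointer passed with a matching length reaches `uid = *((psa_storage_uid_t *)arg);`. The guard should read `if (arg == NULL || arg_len != sizeof(uid))`. The cast also drops `const` and assumes the caller's buffer is suitably aligned for `psa_storage_uid_t`, which nothing visible here guarantees; casting to `const psa_storage_uid_t *` fixes the first, and a byte-wise copy into `uid` would avoid the second. `p_data_length` is a `size_t` rather than a pointer, so `data_length` would read better. `secure_client_2_dispatch` continues past the end of the hunk.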
diff --git a/test/test_services/tfm_secure_client_2/tfm_secure_client_2.yaml b/test/test_services/tfm_secure_client_2/tfm_secure_client_2.yaml
index 98020b7..df670b5 100644
--- a/test/test_services/tfm_secure_client_2/tfm_secure_client_2.yaml
+++ b/test/test_services/tfm_secure_client_2/tfm_secure_client_2.yaml
@@ -31,6 +31,7 @@
}
],
"dependencies": [
+ "TFM_ITS_GET"
],
"linker_pattern": {
"object_list": [
diff --git a/test/test_services/tfm_secure_client_2/tfm_secure_client_2_api.h b/test/test_services/tfm_secure_client_2/tfm_secure_client_2_api.h
index b155026..4387710 100644
--- a/test/test_services/tfm_secure_client_2/tfm_secure_client_2_api.h
+++ b/test/test_services/tfm_secure_client_2/tfm_secure_client_2_api.h
@@ -17,6 +17,8 @@
extern "C" {
#endif
+#define TFM_SECURE_CLIENT_2_ID_ITS_ACCESS_CTRL 1001
+
/**
* \brief Calls the test function with the supplied ID within the execution
* context of the Secure Client 2 partition and returns the resulting