Attest: Align to use the updated PSA Crypto API
This patch updates the Attestation service to use the updated
PSA Crypto APIs.
Change-Id: I7260308326ee02b8b3a13ffab9d875ca03d85166
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
diff --git a/lib/t_cose/src/t_cose_psa_crypto_sign.c b/lib/t_cose/src/t_cose_psa_crypto_sign.c
index 465343f..19b29bd 100644
--- a/lib/t_cose/src/t_cose_psa_crypto_sign.c
+++ b/lib/t_cose/src/t_cose_psa_crypto_sign.c
@@ -26,6 +26,7 @@
enum psa_attest_err_t attest_ret;
psa_status_t psa_ret;
const size_t sig_size = t_cose_signature_size(cose_alg_id);
+ psa_key_handle_t key_handle_private, key_handle_public;
ARG_UNUSED(key_select);
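Review bot: `key_handle_private` and `key_handle_public` are declared without initial values, so their contents are indeterminate until `attest_register_initial_attestation_key()` writes them. Initialising both at the declaration, `psa_key_handle_t key_handle_private = 0, key_handle_public = 0;`, would keep any later cleanup path from handing an arbitrary stack value to the Crypto service as a handle. As far as I know 0 is never a valid handle in this revision of the PSA Crypto API, but that should be confirmed against the header in use. The enclosing function starts and ends outside this hunk.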
@@ -37,12 +38,13 @@
* Later crypto service is going to get the attestation key from
* platform layer.
*/
- attest_ret = attest_register_initial_attestation_key();
+ attest_ret = attest_register_initial_attestation_key(&key_handle_private,
+ &key_handle_public);
if (attest_ret != PSA_ATTEST_ERR_SUCCESS) {
return T_COSE_ERR_FAIL;
}
- psa_ret = psa_asymmetric_sign(ATTEST_PRIVATE_KEY_SLOT,
+ psa_ret = psa_asymmetric_sign(key_handle_private,
0, /* FixMe: algorithm ID */
hash_to_sign.ptr,
hash_to_sign.len,
@@ -56,7 +58,8 @@
signature->ptr = signature_buffer.ptr;
}
- attest_ret = attest_unregister_initial_attestation_key();
+ attest_ret = attest_unregister_initial_attestation_key(key_handle_private,
+ key_handle_public);
if (attest_ret != PSA_ATTEST_ERR_SUCCESS) {
return T_COSE_ERR_FAIL;
}
diff --git a/secure_fw/services/initial_attestation/attestation_key.c b/secure_fw/services/initial_attestation/attestation_key.c
index 386ac20..a2ad1de 100644
--- a/secure_fw/services/initial_attestation/attestation_key.c
+++ b/secure_fw/services/initial_attestation/attestation_key.c
@@ -8,9 +8,6 @@
#include "attestation_key.h"
#include <stdint.h>
#include <stddef.h>
-#include "tfm_crypto_defs.h"
-#include "psa_crypto.h"
-#include "psa_crypto_platform.h"
#include "psa_initial_attestation_api.h"
#include "platform/include/tfm_plat_defs.h"
#include "platform/include/tfm_plat_crypto_keys.h"
@@ -69,7 +66,8 @@
}
enum psa_attest_err_t
-attest_register_initial_attestation_key(void)
+attest_register_initial_attestation_key(psa_key_handle_t *key_handle_private,
+ psa_key_handle_t *key_handle_public)
{
enum tfm_plat_err_t plat_res;
psa_ecc_curve_t psa_curve;
@@ -86,6 +84,12 @@
return PSA_ATTEST_ERR_GENERAL;
}
+ /* Allocate a transient key for the private key in the Crypto service */
+ crypto_res = psa_allocate_key(key_handle_private);
+ if (crypto_res != PSA_SUCCESS) {
+ return PSA_ATTEST_ERR_GENERAL;
+ }
+
/* Get the initial attestation key */
plat_res = tfm_plat_get_initial_attest_key(key_buf, sizeof(key_buf),
&attest_key, &cose_curve);
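Review bot: Once `psa_allocate_key(key_handle_private)` succeeds, the later failure returns in this function leave the handle allocated. The `psa_set_key_policy` checks and the public-key `psa_allocate_key` check in the following hunks all `return PSA_ATTEST_ERR_GENERAL` without releasing it, and the `psa_import_key` checks, whose bodies are outside the hunks, presumably do the same. The caller in `t_cose_psa_crypto_sign.c` then returns `T_COSE_ERR_FAIL` without calling the unregister function, so nothing frees the handle (or, after a failed public-key allocation, the already imported private key). Key handles are a finite resource in the Crypto service, so repeated failures could exhaust them and block further token signing. A single error exit that calls `psa_destroy_key(*key_handle_private);` (and the same for the public handle once it is allocated) before returning would close this; the function body starts and ends outside this hunk.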
@@ -103,8 +107,7 @@
/* Setup the key policy for private key */
psa_key_policy_set_usage(&policy, PSA_KEY_USAGE_SIGN, 0); /* FixMe: alg */
- crypto_res = psa_set_key_policy((psa_key_handle_t)ATTEST_PRIVATE_KEY_SLOT,
- &policy);
+ crypto_res = psa_set_key_policy(*key_handle_private, &policy);
if (crypto_res != PSA_SUCCESS) {
return PSA_ATTEST_ERR_GENERAL;
}
@@ -116,7 +119,7 @@
attest_key_type = PSA_KEY_TYPE_RAW_DATA;
/* Register private key to crypto service */
- crypto_res = psa_import_key((psa_key_handle_t)ATTEST_PRIVATE_KEY_SLOT,
+ crypto_res = psa_import_key(*key_handle_private,
attest_key_type,
attest_key.priv_key,
attest_key.priv_key_size);
@@ -126,6 +129,12 @@
}
private_key_registered = 1;
+ /* Allocate a transient key for the public key in the Crypto service */
+ crypto_res = psa_allocate_key(key_handle_public);
+ if (crypto_res != PSA_SUCCESS) {
+ return PSA_ATTEST_ERR_GENERAL;
+ }
+
/* Check whether public key is available, not mandatory */
if (attest_key.pubx_key == NULL) {
return PSA_ATTEST_ERR_SUCCESS;
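Review bot: The public-key handle is allocated before the `attest_key.pubx_key == NULL` check, so on a device without a public key the function returns success holding a handle that nothing releases, because the unregister function only calls `psa_destroy_key(key_handle_public)` when `public_key_registered` is set. Since the signing path registers and unregisters the key on every call, each token signed on such a device would consume one handle in the Crypto service. Moving the `psa_allocate_key(key_handle_public)` block below the NULL check, and writing `*key_handle_public = 0;` before the early `return PSA_ATTEST_ERR_SUCCESS;`, avoids the leak. The assignment to `public_key_registered` is outside the visible hunks, so this assumes it is set only after a successful public-key import.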
@@ -134,8 +143,7 @@
/* Setup the key policy for public key */
policy = psa_key_policy_init();
psa_key_policy_set_usage(&policy, PSA_KEY_USAGE_VERIFY, 0); /* FixMe: alg */
- crypto_res = psa_set_key_policy((psa_key_handle_t)ATTEST_PUBLIC_KEY_SLOT,
- &policy);
+ crypto_res = psa_set_key_policy(*key_handle_public, &policy);
if (crypto_res != PSA_SUCCESS) {
return PSA_ATTEST_ERR_GENERAL;
}
@@ -149,7 +157,7 @@
/* Register public key to crypto service */
public_key_size = attest_key.pubx_key_size + attest_key.puby_key_size;
- crypto_res = psa_import_key((psa_key_handle_t)ATTEST_PUBLIC_KEY_SLOT,
+ crypto_res = psa_import_key(*key_handle_public,
attest_key_type,
attest_key.pubx_key,
public_key_size);
@@ -163,7 +171,8 @@
}
enum psa_attest_err_t
-attest_unregister_initial_attestation_key(void)
+attest_unregister_initial_attestation_key(psa_key_handle_t key_handle_private,
+ psa_key_handle_t key_handle_public)
{
psa_status_t crypto_res;
@@ -172,14 +181,14 @@
return PSA_ATTEST_ERR_GENERAL;
}
- crypto_res = psa_destroy_key((psa_key_handle_t)ATTEST_PRIVATE_KEY_SLOT);
+ crypto_res = psa_destroy_key(key_handle_private);
if (crypto_res != PSA_SUCCESS) {
return PSA_ATTEST_ERR_GENERAL;
}
private_key_registered = 0;
if (public_key_registered) {
- crypto_res = psa_destroy_key((psa_key_handle_t)ATTEST_PUBLIC_KEY_SLOT);
+ crypto_res = psa_destroy_key(key_handle_public);
if (crypto_res != PSA_SUCCESS) {
return PSA_ATTEST_ERR_GENERAL;
}
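Review bot: A failed `psa_destroy_key(key_handle_private)` returns before the `public_key_registered` branch runs, so the public key stays loaded in the Crypto service and `private_key_registered` is never cleared. Consider recording the failure in a local status, continuing to the public-key branch, and returning `PSA_ATTEST_ERR_GENERAL` at the end, so that one failed destroy does not strand the other key. The function continues past the end of this hunk, so how the public-key branch finishes is not visible here.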
diff --git a/secure_fw/services/initial_attestation/attestation_key.h b/secure_fw/services/initial_attestation/attestation_key.h
index c565752..08cb40a 100644
--- a/secure_fw/services/initial_attestation/attestation_key.h
+++ b/secure_fw/services/initial_attestation/attestation_key.h
@@ -9,51 +9,42 @@
#define __ATTESTATION_KEY_H__
#include "psa_initial_attestation_api.h"
+#include "psa_crypto.h"
#ifdef __cplusplus
extern "C" {
#endif
/**
- * \def ATTEST_PRIVATE_KEY_SLOT
- *
- * \brief Key slot number to store the initial attestation private key.
- *
- * Private key is used by initial attestation service to sign the
- * initial attestation token (IAT).
- */
-#define ATTEST_PRIVATE_KEY_SLOT (1u)
-
-/**
- * \def ATTEST_PUBLIC_KEY_SLOT
- *
- * \brief Key slot number to store the initial attestation public key.
- *
- * Public key is used by initial attestation test suit to verify the signature
- * of the initial attestation token (IAT).
- */
-#define ATTEST_PUBLIC_KEY_SLOT (2u)
-
-/**
* \brief Get the initial attestation key from platform layer and register it
* to crypto service for further usage (signing or verification).
*
+ * \param[out] key_handle_private Pointer to the key handle allocated for the
+ * private key
+ * \param[out] key_handle_public Pointer to the key handle allocated for the
+ * public key
+ *
* Private key MUST be present on the device, public key is optional.
*
* \retval PSA_ATTEST_ERR_SUCCESS Key(s) was registered.
* \retval PSA_ATTEST_ERR_GENERAL Key(s) could not be registered.
*/
-enum psa_attest_err_t attest_register_initial_attestation_key(void);
-
+enum psa_attest_err_t attest_register_initial_attestation_key(
+ psa_key_handle_t *key_handle_private,
+ psa_key_handle_t *key_handle_public);
/**
* \brief Unregister the initial attestation key(s) from crypto service to do
* not occupy key slot(s).
*
+ * \param[in] key_handle_private Key handle associated to the private key
+ * \param[in] key_handle_public Key handle associated to the public key
+ *
* \retval PSA_ATTEST_ERR_SUCCESS Key(s) was unregistered.
* \retval PSA_ATTEST_ERR_GENERAL Key(s) could not be unregistered.
*/
-enum psa_attest_err_t attest_unregister_initial_attestation_key(void);
-
+enum psa_attest_err_t attest_unregister_initial_attestation_key(
+ psa_key_handle_t key_handle_private,
+ psa_key_handle_t key_handle_public);
#ifdef __cplusplus
}
#endif
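Review bot: The new `\param` lines do not say who owns the handles or when they are valid. For the register function I would add a sentence such as `On success the caller owns both handles and must release them with attest_unregister_initial_attestation_key().`, and state what `key_handle_public` holds when the platform provides no public key, since the text just below says the public key is optional. For the unregister function, the `\param[in]` lines could note that the handles must be the ones returned by the matching register call. While this comment is being edited, the existing `\brief` wording "to do not occupy key slot(s)" could be corrected to "so that they do not occupy key slot(s)".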
diff --git a/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c b/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
index 6b45491..ff85025 100644
--- a/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
+++ b/test/suites/attestation/non_secure/attestation_ns_interface_testsuite.c
@@ -12,11 +12,9 @@
#include "../attest_token_test_values.h"
#include "../attest_token_test.h"
-#if 0 /* FIXME: To be restored when Attestation is aligned to the new API */
static uint8_t token_buffer[TEST_TOKEN_SIZE];
static const uint8_t challenge_buffer[TEST_CHALLENGE_OBJ_SIZE] = {
TOKEN_TEST_NONCE_BYTES};
-#endif
/* Define test suite for attestation service tests */
/* List of tests */
@@ -80,7 +78,6 @@
*/
static void tfm_attest_test_2002(struct test_result_t *ret)
{
-#if 0 /* FIXME: To be restored when Attestation is aligned to the new API */
int32_t err;
err = minimal_get_size_test();
@@ -89,7 +86,7 @@
TEST_FAIL("Attest token minimal_get_size_test() has failed");
return;
}
-#endif
+
ret->val = TEST_PASSED;
}
@@ -125,7 +122,6 @@
*/
static void tfm_attest_test_2004(struct test_result_t *ret)
{
-#if 0 /* FIXME: To be restored when Attestation is aligned to the new API */
int32_t err;
err = decode_test_normal_sig();
@@ -134,7 +130,7 @@
TEST_FAIL("Attest token decode_test_normal_sig() has failed");
return;
}
-#endif
+
ret->val = TEST_PASSED;
}
@@ -148,7 +144,6 @@
*/
static void tfm_attest_test_2005(struct test_result_t *ret)
{
-#if 0 /* FIXME: To be restored when Attestation is aligned to the new API */
enum psa_attest_err_t err;
uint32_t token_size = TEST_TOKEN_SIZE;
@@ -174,6 +169,6 @@
TEST_FAIL("Attestation should fail with too small token buffer");
return;
}
-#endif
+
ret->val = TEST_PASSED;
}
diff --git a/test/suites/attestation/secure/attestation_s_interface_testsuite.c b/test/suites/attestation/secure/attestation_s_interface_testsuite.c
index 716eb10..c32c331 100644
--- a/test/suites/attestation/secure/attestation_s_interface_testsuite.c
+++ b/test/suites/attestation/secure/attestation_s_interface_testsuite.c
@@ -12,11 +12,9 @@
#include "../attest_token_test_values.h"
#include "../attest_token_test.h"
-#if 0 /* FIXME: To be restored when Attestation is aligned to the new API */
static uint8_t token_buffer[TEST_TOKEN_SIZE];
static const uint8_t challenge_buffer[TEST_CHALLENGE_OBJ_SIZE] = {
TOKEN_TEST_NONCE_BYTES};
-#endif
/* Define test suite for attestation service tests */
/* List of tests */
@@ -80,7 +78,6 @@
*/
static void tfm_attest_test_1002(struct test_result_t *ret)
{
-#if 0 /* FIXME: To be restored when Attestation is aligned to the new API */
int32_t err;
err = minimal_get_size_test();
@@ -89,7 +86,7 @@
TEST_FAIL("Attest token minimal_get_size_test() has failed");
return;
}
-#endif
+
ret->val = TEST_PASSED;
}
@@ -125,7 +122,6 @@
*/
static void tfm_attest_test_1004(struct test_result_t *ret)
{
-#if 0 /* FIXME: To be restored when Attestation is aligned to the new API */
int32_t err;
err = decode_test_normal_sig();
@@ -134,7 +130,7 @@
TEST_FAIL("Attest token decode_test_normal_sig() has failed");
return;
}
-#endif
+
ret->val = TEST_PASSED;
}
@@ -148,7 +144,6 @@
*/
static void tfm_attest_test_1005(struct test_result_t *ret)
{
-#if 0 /* FIXME: To be restored when Attestation is aligned to the new API */
enum psa_attest_err_t err;
uint32_t token_size = TEST_TOKEN_SIZE;
@@ -174,6 +169,6 @@
TEST_FAIL("Attestation should fail with too small token buffer");
return;
}
-#endif
+
ret->val = TEST_PASSED;
}