Test: Add attestation claim value check switch
Control checking for hard-coded claim values in the attestation suite
by introducing the 'ATTEST_CLAIM_VALUE_CHECK' flag. When set to 'ON',
the test will check if the claim values match the constant values found
in 'platform/ext/common/template/attest_hal.c'.
Signed-off-by: Balint Matyi <Balint.Matyi@arm.com>
Change-Id: I22ab1471609d6b931deaf97f31cb3a0dcd83fda0
diff --git a/CommonConfig.cmake b/CommonConfig.cmake
index 558dbe3..bf3228d 100644
--- a/CommonConfig.cmake
+++ b/CommonConfig.cmake
@@ -517,6 +517,10 @@
endif()
endif()
+if (NOT DEFINED ATTEST_CLAIM_VALUE_CHECK)
+ set(ATTEST_CLAIM_VALUE_CHECK OFF)
+endif()
+
##Set mbedTLS compiler flags for BL2 bootloader
set(MBEDCRYPTO_C_FLAGS_BL2 "${CMSE_FLAGS} -D__thumb2__ ${COMMON_COMPILE_FLAGS_STR} -DMBEDTLS_CONFIG_FILE=\\\\\\\"config-rsa.h\\\\\\\" -I${CMAKE_CURRENT_LIST_DIR}/bl2/ext/mcuboot/include")
if (MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-3072")
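Review bot: Defaulting `ATTEST_CLAIM_VALUE_CHECK` to OFF means any platform that does not opt in stops having its claim values compared, where before the test header defined the expected values unconditionally. Whether every in-tree platform is covered by the `set(ATTEST_CLAIM_VALUE_CHECK ON)` lines in this commit cannot be confirmed from the diff. The new block also has no comment, unlike the `##Set mbedTLS ...` line below it; something like `##Default: attestation tests do not compare claims against the template attest_hal.c values` would make the relaxed default visible. The default only takes effect as intended if the platform file has been processed before this point, which is not shown here.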
diff --git a/docs/user_guides/services/tfm_attestation_integration_guide.rst b/docs/user_guides/services/tfm_attestation_integration_guide.rst
index 16860de..364fbe4 100644
--- a/docs/user_guides/services/tfm_attestation_integration_guide.rst
+++ b/docs/user_guides/services/tfm_attestation_integration_guide.rst
@@ -445,6 +445,10 @@
- ``ATTEST_INCLUDE_COSE_KEY_ID``: COSE key-id is an optional field in the COSE
unprotected header. Key-id is calculated and added to the COSE header based
on the value of this flag. Default value: OFF.
+- ``ATTEST_CLAIM_VALUE_CHECK``: Check attestation claims against hard-coded
+ values found in ``platform/ext/common/template/attest_hal.c``. Default value
+ is OFF. Set to ON in a platform's CMake file if the attest HAL is not yet
+ properly ported to it.
Related compile time options
----------------------------
diff --git a/platform/ext/Mps2AN519.cmake b/platform/ext/Mps2AN519.cmake
index ba9e2e8..cffb137 100644
--- a/platform/ext/Mps2AN519.cmake
+++ b/platform/ext/Mps2AN519.cmake
@@ -133,6 +133,9 @@
endif()
endif()
+#Enable the checks of attestation claims against hard-coded values.
+set(ATTEST_CLAIM_VALUE_CHECK ON)
+
if (NOT DEFINED BUILD_TARGET_CFG)
message(FATAL_ERROR "Configuration variable BUILD_TARGET_CFG (true|false) is undefined!")
elseif(BUILD_TARGET_CFG)
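Review bot: The unconditional `set(ATTEST_CLAIM_VALUE_CHECK ON)` shadows a value passed with `-DATTEST_CLAIM_VALUE_CHECK=...` on the command line, and the comment above it says what the line does but not why this platform needs it. Going by the integration-guide text in this commit, ON marks a platform whose attest HAL is not yet properly ported, so a comment such as `#Attest HAL not yet ported: claims still carry the template values; remove once the HAL is ported.` would tell a porter when to drop it. If a command-line override is wanted, wrap the line in `if (NOT DEFINED ATTEST_CLAIM_VALUE_CHECK)` and `endif()`. The same applies to the identical hunks in Mps2AN521, Mps2AN539, Mps3AN524, SSE-200_AWS, lpc55s69, musca_a, musca_b1, musca_s1 and psoc64.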
diff --git a/platform/ext/Mps2AN521.cmake b/platform/ext/Mps2AN521.cmake
index 0156637..b37f1f3 100644
--- a/platform/ext/Mps2AN521.cmake
+++ b/platform/ext/Mps2AN521.cmake
@@ -134,6 +134,9 @@
endif()
endif()
+#Enable the checks of attestation claims against hard-coded values.
+set(ATTEST_CLAIM_VALUE_CHECK ON)
+
if (NOT DEFINED BUILD_TARGET_CFG)
message(FATAL_ERROR "Configuration variable BUILD_TARGET_CFG (true|false) is undefined!")
elseif(BUILD_TARGET_CFG)
diff --git a/platform/ext/Mps2AN539.cmake b/platform/ext/Mps2AN539.cmake
index 249a274..084f441 100644
--- a/platform/ext/Mps2AN539.cmake
+++ b/platform/ext/Mps2AN539.cmake
@@ -130,6 +130,9 @@
endif()
endif()
+#Enable the checks of attestation claims against hard-coded values.
+set(ATTEST_CLAIM_VALUE_CHECK ON)
+
if (NOT DEFINED BUILD_TARGET_CFG)
message(FATAL_ERROR "Configuration variable BUILD_TARGET_CFG (true|false) is undefined!")
elseif(BUILD_TARGET_CFG)
diff --git a/platform/ext/Mps3AN524.cmake b/platform/ext/Mps3AN524.cmake
index 7c3c584..6e7cac0 100644
--- a/platform/ext/Mps3AN524.cmake
+++ b/platform/ext/Mps3AN524.cmake
@@ -142,6 +142,9 @@
endif()
endif()
+#Enable the checks of attestation claims against hard-coded values.
+set(ATTEST_CLAIM_VALUE_CHECK ON)
+
if (NOT DEFINED BUILD_TARGET_CFG)
message(FATAL_ERROR "Configuration variable BUILD_TARGET_CFG (true|false) is undefined!")
elseif(BUILD_TARGET_CFG)
diff --git a/platform/ext/SSE-200_AWS.cmake b/platform/ext/SSE-200_AWS.cmake
index 4f32c17..a7e6b53 100644
--- a/platform/ext/SSE-200_AWS.cmake
+++ b/platform/ext/SSE-200_AWS.cmake
@@ -136,6 +136,9 @@
endif()
endif()
+#Enable the checks of attestation claims against hard-coded values.
+set(ATTEST_CLAIM_VALUE_CHECK ON)
+
if (NOT DEFINED BUILD_TARGET_CFG)
message(FATAL_ERROR "Configuration variable BUILD_TARGET_CFG (true|false) is undefined!")
elseif(BUILD_TARGET_CFG)
diff --git a/platform/ext/lpc55s69.cmake b/platform/ext/lpc55s69.cmake
index 49c00c0..52282c1 100644
--- a/platform/ext/lpc55s69.cmake
+++ b/platform/ext/lpc55s69.cmake
@@ -160,6 +160,9 @@
endif()
endif()
+#Enable the checks of attestation claims against hard-coded values.
+set(ATTEST_CLAIM_VALUE_CHECK ON)
+
if (NOT DEFINED BUILD_TARGET_CFG)
message(FATAL_ERROR "Configuration variable BUILD_TARGET_CFG (true|false) is undefined!")
elseif(BUILD_TARGET_CFG)
diff --git a/platform/ext/musca_a.cmake b/platform/ext/musca_a.cmake
index ad7c423..50c756a 100644
--- a/platform/ext/musca_a.cmake
+++ b/platform/ext/musca_a.cmake
@@ -128,6 +128,9 @@
endif()
endif()
+#Enable the checks of attestation claims against hard-coded values.
+set(ATTEST_CLAIM_VALUE_CHECK ON)
+
if (NOT DEFINED BUILD_TARGET_CFG)
message(FATAL_ERROR "Configuration variable BUILD_TARGET_CFG (true|false) is undefined!")
elseif(BUILD_TARGET_CFG)
diff --git a/platform/ext/musca_b1.cmake b/platform/ext/musca_b1.cmake
index 51401e9..3059240 100644
--- a/platform/ext/musca_b1.cmake
+++ b/platform/ext/musca_b1.cmake
@@ -134,6 +134,9 @@
endif()
endif()
+#Enable the checks of attestation claims against hard-coded values.
+set(ATTEST_CLAIM_VALUE_CHECK ON)
+
if (NOT DEFINED BUILD_TARGET_CFG)
message(FATAL_ERROR "Configuration variable BUILD_TARGET_CFG (true|false) is undefined!")
elseif (BUILD_TARGET_CFG)
diff --git a/platform/ext/musca_s1.cmake b/platform/ext/musca_s1.cmake
index 9e73604..b795ffc 100644
--- a/platform/ext/musca_s1.cmake
+++ b/platform/ext/musca_s1.cmake
@@ -126,6 +126,9 @@
endif()
endif()
+#Enable the checks of attestation claims against hard-coded values.
+set(ATTEST_CLAIM_VALUE_CHECK ON)
+
if (NOT DEFINED BUILD_TARGET_CFG)
message(FATAL_ERROR "Configuration variable BUILD_TARGET_CFG (true|false) is undefined!")
elseif (BUILD_TARGET_CFG)
diff --git a/platform/ext/psoc64.cmake b/platform/ext/psoc64.cmake
index d349079..b985001 100644
--- a/platform/ext/psoc64.cmake
+++ b/platform/ext/psoc64.cmake
@@ -190,6 +190,9 @@
endif()
endif()
+#Enable the checks of attestation claims against hard-coded values.
+set(ATTEST_CLAIM_VALUE_CHECK ON)
+
if (NOT DEFINED BUILD_TARGET_CFG)
message(FATAL_ERROR "Configuration variable BUILD_TARGET_CFG (true|false) is undefined!")
elseif(BUILD_TARGET_CFG)
diff --git a/secure_fw/partitions/initial_attestation/CMakeLists.inc b/secure_fw/partitions/initial_attestation/CMakeLists.inc
index 351e728..ae61037 100644
--- a/secure_fw/partitions/initial_attestation/CMakeLists.inc
+++ b/secure_fw/partitions/initial_attestation/CMakeLists.inc
@@ -32,6 +32,10 @@
message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_COSE_KEY_ID is undefined.")
endif()
+if (NOT DEFINED ATTEST_CLAIM_VALUE_CHECK)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_CLAIM_VALUE_CHECK is undefined.")
+endif()
+
list(APPEND ATTEST_C_SRC
"${INITIAL_ATTESTATION_DIR}/tfm_attestation_secure_api.c"
"${INITIAL_ATTESTATION_DIR}/tfm_attestation.c"
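Review bot: This makes the secure partition's configuration fail on a flag that, in the hunks shown, only the test suite consumes. Here it is checked and printed (second hunk of this file), while the `CLAIM_VALUE_CHECK` definition is attached only in `test/suites/attestation/CMakeLists.inc`. If the partition sources do not read it, the check and the `message()` line belong with the test suite alone, so a build of the service is not tied to a test switch. If the coupling is intended, a comment like `#Test-only switch; validated here so the configuration summary is complete.` would explain it.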
@@ -58,6 +62,7 @@
message("- ATTEST_INCLUDE_OPTIONAL_CLAIMS: ${ATTEST_INCLUDE_OPTIONAL_CLAIMS}")
message("- ATTEST_INCLUDE_TEST_CODE: ${ATTEST_INCLUDE_TEST_CODE}")
message("- ATTEST_INCLUDE_COSE_KEY_ID: ${ATTEST_INCLUDE_COSE_KEY_ID}")
+message("- ATTEST_CLAIM_VALUE_CHECK: ${ATTEST_CLAIM_VALUE_CHECK}")
#Setting include directories
embedded_include_directories(PATH ${TFM_ROOT_DIR} ABSOLUTE)
diff --git a/test/suites/attestation/CMakeLists.inc b/test/suites/attestation/CMakeLists.inc
index 76935fa..4c9478f 100644
--- a/test/suites/attestation/CMakeLists.inc
+++ b/test/suites/attestation/CMakeLists.inc
@@ -28,6 +28,10 @@
message(FATAL_ERROR "Incomplete build configuration: ATTEST_INCLUDE_TEST_CODE is undefined. ")
endif()
+if (NOT DEFINED ATTEST_CLAIM_VALUE_CHECK)
+ message(FATAL_ERROR "Incomplete build configuration: ATTEST_CLAIM_VALUE_CHECK is undefined. ")
+endif()
+
if (NOT DEFINED ENABLE_ATTESTATION_SERVICE_TESTS)
message(FATAL_ERROR "Incomplete build configuration: ENABLE_ATTESTATION_SERVICE_TESTS is undefined. ")
elseif(ENABLE_ATTESTATION_SERVICE_TESTS)
@@ -52,6 +56,11 @@
set_property(SOURCE ${ATTEST_TEST_SRC_NS} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE)
endif()
+ if (ATTEST_CLAIM_VALUE_CHECK)
+ set_property(SOURCE ${ATTEST_TEST_SRC_S} APPEND PROPERTY COMPILE_DEFINITIONS CLAIM_VALUE_CHECK)
+ set_property(SOURCE ${ATTEST_TEST_SRC_NS} APPEND PROPERTY COMPILE_DEFINITIONS CLAIM_VALUE_CHECK)
+ endif()
+
#Setting include directories
embedded_include_directories(PATH ${TFM_ROOT_DIR} ABSOLUTE)
embedded_include_directories(PATH ${TFM_ROOT_DIR}/interface/include ABSOLUTE)
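Review bot: `CLAIM_VALUE_CHECK` is attached only to the files in `ATTEST_TEST_SRC_S` and `ATTEST_TEST_SRC_NS`, while the header selects its branch with `#ifdef`, so any other translation unit that includes `attest_token_test_values.h` silently takes the "not checked" branch. Passing an explicit 1 or 0 in both cases, as sketched below, would let the header use `#if CLAIM_VALUE_CHECK` and reject an undefined macro with `#error`. A mis-wired build would then fail instead of passing with weaker checks. The added block sits inside the `elseif(ENABLE_ATTESTATION_SERVICE_TESTS)` branch, which starts and ends outside this hunk.

```cmake
	if (ATTEST_CLAIM_VALUE_CHECK)
		set_property(SOURCE ${ATTEST_TEST_SRC_S} APPEND PROPERTY COMPILE_DEFINITIONS CLAIM_VALUE_CHECK=1)
		set_property(SOURCE ${ATTEST_TEST_SRC_NS} APPEND PROPERTY COMPILE_DEFINITIONS CLAIM_VALUE_CHECK=1)
	else()
		set_property(SOURCE ${ATTEST_TEST_SRC_S} APPEND PROPERTY COMPILE_DEFINITIONS CLAIM_VALUE_CHECK=0)
		set_property(SOURCE ${ATTEST_TEST_SRC_NS} APPEND PROPERTY COMPILE_DEFINITIONS CLAIM_VALUE_CHECK=0)
	endif()
	# … unchanged: include directory setup …
```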
diff --git a/test/suites/attestation/attest_token_test_values.h b/test/suites/attestation/attest_token_test_values.h
index 5910524..c8ecb21 100644
--- a/test/suites/attestation/attest_token_test_values.h
+++ b/test/suites/attestation/attest_token_test_values.h
@@ -2,7 +2,7 @@
* attest_token_test_values.h
*
* Copyright (c) 2019, Laurence Lundblade.
- * Copyright (c) 2019, Arm Limited.
+ * Copyright (c) 2019-2020, Arm Limited.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -107,6 +107,11 @@
*/
#define TOKEN_TEST_REQUIRE_UEID true /* Mandatory claim */
+/* If defined, check for the constant values defined in
+ * platform/ext/common/template/attest_hal.c
+ */
+#ifdef CLAIM_VALUE_CHECK
+
/* A 32 byte mostly random value. Binary.
* platform/ext/common/template/attest_hal.c
*/
@@ -120,13 +125,11 @@
},\
32\
}
-#define TOKEN_TEST_REQUIRE_BOOT_SEED true /* Mandatory claim */
/* A text string in EAN 13 format
* platform/ext/common/template/attest_hal.c
*/
#define TOKEN_TEST_VALUE_HW_VERSION "060456527282910010" /* Hard-coded value */
-#define TOKEN_TEST_REQUIRE_HW_VERSION false /* Optional claim */
/* A 32 byte mostly random value. Binary.
* platform/ext/common/template/attest_hal.c
@@ -141,29 +144,45 @@
},\
32\
}
-#define TOKEN_TEST_REQUIRE_IMPLEMENTATION_ID true /* Mandatory claim */
-
-/* A small unsigned integer
- * platform/ext/common/template/attest_hal.c
- */
-#define TOKEN_TEST_VALUE_SECURITY_LIFECYCLE INT32_MAX /* Value not checked */
-#define TOKEN_TEST_REQUIRE_SECURITY_LIFECYCLE true /* Mandatory claim */
-
-/* An integer (can be positive or negative */
-#define TOKEN_TEST_VALUE_CLIENT_ID 0 /* Invalid value to trigger check */
-#define TOKEN_TEST_REQUIRE_CLIENT_ID true /* Mandatory claim */
/* Text string naming the profile definition:
* platform/ext/common/template/attest_hal.c
*/
#define TOKEN_TEST_VALUE_PROFILE_DEFINITION "PSA_IOT_PROFILE_1"
-#define TOKEN_TEST_REQUIRE_PROFILE_DEFINITION false /* Optional field */
/* Text string with verification URL or similar
* platform/ext/common/template/attest_hal.c
*/
#define TOKEN_TEST_VALUE_ORIGINATION "www.trustedfirmware.org"
-#define TOKEN_TEST_REQUIRE_ORIGINATION false /* Optional field */
+
+/* A small unsigned integer
+ * platform/ext/common/template/attest_hal.c
+ */
+#define TOKEN_TEST_VALUE_SECURITY_LIFECYCLE 0x3000u
+#else
+/* Do not check for the constant values defined in
+ * platform/ext/common/template/attest_hal.c
+ */
+
+#define TOKEN_TEST_VALUE_BOOT_SEED NULL_Q_USEFUL_BUF_C
+#define TOKEN_TEST_VALUE_HW_VERSION NULL
+#define TOKEN_TEST_VALUE_IMPLEMENTATION_ID NULL_Q_USEFUL_BUF_C
+#define TOKEN_TEST_VALUE_PROFILE_DEFINITION NULL
+#define TOKEN_TEST_VALUE_ORIGINATION NULL
+#define TOKEN_TEST_VALUE_SECURITY_LIFECYCLE INT32_MAX
+
+#endif /* CLAIM_VALUE_CHECK */
+
+#define TOKEN_TEST_REQUIRE_BOOT_SEED true /* Mandatory claim */
+#define TOKEN_TEST_REQUIRE_HW_VERSION false /* Optional claim */
+#define TOKEN_TEST_REQUIRE_IMPLEMENTATION_ID true /* Mandatory claim */
+#define TOKEN_TEST_REQUIRE_PROFILE_DEFINITION false /* Optional field */
+#define TOKEN_TEST_REQUIRE_ORIGINATION false /* Optional field */
+#define TOKEN_TEST_REQUIRE_SECURITY_LIFECYCLE true /* Mandatory claim */
+
+/* An integer (can be positive or negative) */
+#define TOKEN_TEST_VALUE_CLIENT_ID 0 /* Invalid value to trigger check */
+#define TOKEN_TEST_REQUIRE_CLIENT_ID true /* Mandatory claim */
/**
* \c TOKEN_TEST_REQUIRED_NUM_SWC can be either 0, 1, 2 or \c
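Review bot: In the `#else` branch the `NULL`, `NULL_Q_USEFUL_BUF_C` and `INT32_MAX` values appear to act as "do not compare" sentinels, but the `/* Value not checked */` comment that used to sit on the `INT32_MAX` line was dropped, so a reader has to infer this from the token decoder. Adding `/* Value not checked */` to each of the six `#else` defines, and `/* Hard-coded value */` to `#define TOKEN_TEST_VALUE_SECURITY_LIFECYCLE 0x3000u` as on the `HW_VERSION` line, would restore that. With the check on, the lifecycle claim is now compared against `0x3000u` where it was previously not checked at all, which is worth stating in the commit message. The `#ifdef` that this `#else` belongs to opens in an earlier hunk.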
@@ -260,7 +279,6 @@
*/
#define TOKEN_TEST_REQUIRE_SWC2_MEASUREMENT_VAL true /* Mandatory field */
-
/* Text string */
#define TOKEN_TEST_VALUE_SWC2_VERSION NULL /* Value not checked */
/* This field must be mandatory to ensure PSA compliance -