feat(lib/t_cose): EL3 based crypto
Add a t_cose crypto adapter that is used by the RMM to hook crypto and
redirect it to the EL3. By default, the RMM uses the PSA crypto adapter,
but in order to support delegated attestation where the RMM does not
have access to the attestation private key, we need the ability to
redirect signing requests to the EL3 instead of PSA crypto. EL3 may then
handle the request itself or forward to an agent like HES.
During the redirect, the adapter queues attestation requests into a
global EL3 queue via registered callback during library initialization.
The main idea is to patch the psa crypto adapter in t_cose so that it
forwards the sign call(s) if ATTEST_EL3_TOKEN_SIGN is defined.
As not all the functions that use the crypto_context are redirected (and
even if they were, new functions can be added by upstream t_cose) this
patch need to make sure that casting the crypto_context to
t_cose_psa_crypto_context still works. So t_cose_rmm_el3_ctx is updated
to have t_cose_psa_crypto_context as its first member.
Change-Id: Ie9fefdfa3297e05406d7c06f82d9550c5c2d2474
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
Signed-off-by: Raghu Krishnamurthy <raghupathyk@nvidia.com>
diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst
index 42c798d..929b1f6 100644
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@@ -293,6 +293,7 @@
RMM_CCA_DA ,ON | OFF ,OFF ,"Enable Device Assignment support in RMM (experimental)"
ATTEST_PLAT_TOKEN_SIZE , ,0x1000 ,"Maximum size in bytes expected for the Attestation platform token"
PLAT_ARM_MAX_DRAM_BANKS , ,2 ,"Maximum number of DRAM banks allowed in Arm platform layer"
+ ATTEST_EL3_TOKEN_SIGN ,ON|OFF ,OFF ,"Use EL3 service to sign realm attestation token."
.. _llvm_build: