feat(mec): Add MEC policy to Realm claims
The Realm token now contains the MEC policy: private or shared context.
Change-Id: Ib0fc0c9827ab052f9ceb231e934266fb71c139ef
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
diff --git a/lib/attestation/include/attestation_token.h b/lib/attestation/include/attestation_token.h
index c49946b..67f4159 100644
--- a/lib/attestation/include/attestation_token.h
+++ b/lib/attestation/include/attestation_token.h
@@ -186,6 +186,7 @@
* num_measurements - Number of measurements to add to the token.
* rpv_buf - Pointer to the Realm Personalization value
* rpv_len - Length of the Realm Personalization value
+ * private_mec - The Realm MEC policy, private or shared
* ctx - Token sign context, used for signing.
* realm_token_buf - Buffer where to assemble the attestation token.
* realm_token_buf_size - size of the buffer where to assemble the attestation
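Review bot: The new `private_mec` line in the parameter list does not say which value of the bool means which policy. Something like `private_mec - true if the Realm uses a private MEC, false if it uses the shared MEC` would remove the guess for callers. The comment block starts and ends outside this hunk.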
@@ -199,6 +200,7 @@
unsigned int num_measurements,
const void *rpv_buf,
size_t rpv_len,
+ bool private_mec,
const void *challenge_buf,
size_t challenge_len,
struct token_sign_cntxt *ctx,
diff --git a/lib/attestation/src/attestation_defs_priv.h b/lib/attestation/src/attestation_defs_priv.h
index a787844..de51e03 100644
--- a/lib/attestation/src/attestation_defs_priv.h
+++ b/lib/attestation/src/attestation_defs_priv.h
@@ -18,6 +18,8 @@
#define CCA_REALM_INITIAL_MEASUREMENT (44238)
#define CCA_REALM_EXTENSIBLE_MEASUREMENTS (44239)
#define CCA_REALM_PUB_KEY_HASH_ALGO_ID (44240)
+// FIXME: aliases CCA_REALM_DELEGATED_TOKEN. OK because different namespace?
+#define CCA_REALM_MEC_POLICY (44241)
#define CCA_REALM_PROFILE (265)
#define TAG_CCA_TOKEN (399)
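Review bot: The `FIXME` on the new `CCA_REALM_MEC_POLICY` define leaves open whether reusing label 44241 is safe, and that should be settled before the value ships, since verifiers decode attestation claims by numeric label. If the two labels only ever appear in different CBOR maps (presumably the delegated-token label belongs to the outer CCA token and this one to the Realm claims map, which is not visible in this hunk), replace the question with a statement, e.g. `/* Realm claims map label; same value as CCA_REALM_DELEGATED_TOKEN, which is used in a different map */`. If the label is not yet allocated by the token specification, mark it as provisional in the comment so relying parties do not treat it as stable.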
diff --git a/lib/attestation/src/attestation_token.c b/lib/attestation/src/attestation_token.c
index 7d22193..10a2580 100644
--- a/lib/attestation/src/attestation_token.c
+++ b/lib/attestation/src/attestation_token.c
@@ -45,6 +45,15 @@
}
}
+static void attest_get_mec_policy_text(bool private_mec,
+ struct q_useful_buf_c *policy_text)
+{
+ if (private_mec)
+ *policy_text = UsefulBuf_FromSZ("private");
+ else
+ *policy_text = UsefulBuf_FromSZ("shared");
+}
+
/*
* Outline of token creation. Much of this occurs inside
* t_cose_sign1_encode_parameters() and t_cose_sign1_encode_signature().
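Review bot: `attest_get_mec_policy_text()` hard-codes the claim values `"private"` and `"shared"` as inline literals, so nothing ties them to a definition that tests or verifier-side code can share. Named macros next to the claim label would match how the profile claim uses `CCA_REALM_PROFILE_STR`, e.g. `#define CCA_REALM_MEC_POLICY_PRIVATE_STR "private"` and a matching one for `"shared"`. The `if`/`else` is also unbraced, unlike `mecid_is_private()` added by this same commit in runtime/core/mec.c; bracing both branches would keep the two consistent. The helper has no comment; one line saying it maps the bool to the text value written into the Realm token would be enough.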
@@ -260,6 +269,7 @@
* - Realm Challenge
* - Realm Personalization Value
* - Realm Hash Algorithm Id
+ * - Realm MEC policy
* - Realm Public Key
* - Realm Public Key Hash Algorithm Id
* - Realm Initial Measurement
@@ -270,6 +280,7 @@
unsigned int num_measurements,
const void *rpv_buf,
size_t rpv_len,
+ bool private_mec,
const void *challenge_buf,
size_t challenge_len,
struct token_sign_cntxt *ctx,
@@ -337,6 +348,11 @@
CCA_REALM_PUB_KEY_HASH_ALGO_ID,
buf);
+ attest_get_mec_policy_text(private_mec, &buf);
+ QCBOREncode_AddTextToMapN(&(ctx->ctx.cbor_enc_ctx),
+ CCA_REALM_MEC_POLICY,
+ buf);
+
QCBOREncode_AddTextToMapN(&(ctx->ctx.cbor_enc_ctx),
CCA_REALM_PROFILE,
UsefulBuf_FromSZ(CCA_REALM_PROFILE_STR));
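Review bot: The MEC policy claim is encoded here after `CCA_REALM_PUB_KEY_HASH_ALGO_ID`, but the claim list in this commit's function header comment places "Realm MEC policy" between "Realm Hash Algorithm Id" and "Realm Public Key". If that list is meant to mirror the encode order, move the comment entry to follow "Realm Public Key Hash Algorithm Id", or move the call. The enclosing function starts and ends outside the hunk, so the position of the other claims is inferred from the comment hunk only.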
diff --git a/runtime/core/mec.c b/runtime/core/mec.c
index 6e5755f..67fa4f8 100644
--- a/runtime/core/mec.c
+++ b/runtime/core/mec.c
@@ -169,6 +169,14 @@
return true;
}
+bool mecid_is_private(unsigned int mecid)
+{
+ if (!is_feat_mec_present()) {
+ return false;
+ }
+ return mecid != shared_mec;
+}
+
void mec_init_mmu(void)
{
uint16_t mecid;
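Review bot: `mecid_is_private()` returns `false` when FEAT_MEC is absent, and the caller in runtime/rsi/realm_attest.c passes that straight into the token, so a Realm on a platform without MEC is attested with the policy text `"shared"`. A relying party then cannot tell "no MEC support" from "MEC present, shared MECID". If the specification intends that, say so in a comment, e.g. `/* Without FEAT_MEC there is no private MECID; report as shared */`. The function also compares an `unsigned int` argument with `shared_mec`, whose type is not visible in this hunk, and it has no header comment. `mec_init_mmu()` continues past the end of the hunk.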
diff --git a/runtime/include/mec.h b/runtime/include/mec.h
index bc25ec8..6bac8ec 100644
--- a/runtime/include/mec.h
+++ b/runtime/include/mec.h
@@ -10,5 +10,6 @@
unsigned int mecid_max(void);
bool mec_assign(unsigned int mecid);
bool mec_unassign(unsigned int mecid);
+bool mecid_is_private(unsigned int mecid);
#endif
diff --git a/runtime/rsi/realm_attest.c b/runtime/rsi/realm_attest.c
index b9543c5..1b93b8c 100644
--- a/runtime/rsi/realm_attest.c
+++ b/runtime/rsi/realm_attest.c
@@ -8,6 +8,7 @@
#include <debug.h>
#include <granule.h>
#include <measurement.h>
+#include <mec.h>
#include <realm.h>
#include <rsi-handler.h>
#include <smc-rsi.h>
@@ -181,6 +182,7 @@
MEASUREMENT_SLOT_NR,
rpv_ptr,
rpv_len,
+ mecid_is_private(rd->mecid),
(const void *)&rec->regs[1],
ATTEST_CHALLENGE_SIZE,
&attest_data->token_sign_ctx,