Use libpsa in platform-inspect
Currently the demo applications use libts and reference the needed
extra components. Instead of the original solution libpsa is used
to hide the extra dependencies.
Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Change-Id: I29db7a600f7a8cfa22af8fd8e0bbc13ef39b45ad
diff --git a/components/app/platform-inspect/attest_report_fetcher.cpp b/components/app/platform-inspect/attest_report_fetcher.cpp
index 33977b5..b99dc07 100644
--- a/components/app/platform-inspect/attest_report_fetcher.cpp
+++ b/components/app/platform-inspect/attest_report_fetcher.cpp
@@ -1,173 +1,120 @@
/*
- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <cstring>
-#include <string>
-#include <vector>
-#include <service/attestation/client/psa/iat_client.h>
-#include <service/attestation/client/provision/attest_provision_client.h>
-#include <protocols/rpc/common/packed-c/encoding.h>
-#include <service_locator.h>
-#include <psa/crypto.h>
-#include <psa/initial_attestation.h>
#include <provision/attest_provision.h>
#include <qcbor/qcbor_spiffy_decode.h>
+#include <string>
#include <t_cose/t_cose_sign1_verify.h>
+#include <vector>
-static bool fetch_and_verify(std::vector<uint8_t> &report, std::string &error_msg);
+#include "libpsa.h"
+
static bool fetch_iak_public_key(psa_key_id_t &iak_id, std::string &error_msg);
static bool verify_token(std::vector<uint8_t> &report, const uint8_t *token, size_t token_len,
- psa_key_id_t iak_id, std::string &error_msg);
+ psa_key_id_t iak_id, std::string &error_msg);
-bool fetch_attest_report(std::vector<uint8_t> &report, std::string &error_msg)
+bool fetch_and_verify(std::vector<uint8_t> &report, std::string &error_msg)
{
- bool success = false;
- struct rpc_caller_session *rpc_session = NULL;
- struct service_context *attest_service_context = NULL;
+ bool result = true;
+ uint8_t token_buf[PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE];
+ uint8_t challenge[PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32];
+ psa_key_id_t iak_id;
+ int status;
- attest_service_context =
- service_locator_query("sn:trustedfirmware.org:attestation:0");
+ if (!fetch_iak_public_key(iak_id, error_msg)) {
+ return false;
+ }
- if (attest_service_context) {
+ status = psa_generate_random(challenge, sizeof(challenge));
- rpc_session = service_context_open(attest_service_context);
+ if (status != PSA_SUCCESS) {
+ error_msg = "Failed to generate challenge";
+ result = false;
+ }
- if (rpc_session) {
+ if (result) {
+ size_t token_size;
- psa_iat_client_init(rpc_session);
- attest_provision_client_init(rpc_session);
+ status = psa_initial_attest_get_token(challenge, sizeof(challenge), token_buf,
+ sizeof(token_buf), &token_size);
- success = fetch_and_verify(report, error_msg);
- }
- else {
+ if (status == PSA_SUCCESS) {
+ result = verify_token(report, token_buf, token_size, iak_id, error_msg);
+ } else {
+ error_msg = "Failed to fetch attestation token";
+ }
+ }
- error_msg = "Failed to open RPC session";
- }
- }
- else {
+ psa_destroy_key(iak_id);
- error_msg = "Failed to discover attestation service provider";
- }
-
- /* Clean-up context */
- psa_iat_client_deinit();
- attest_provision_client_deinit();
- service_context_close(attest_service_context, rpc_session);
- service_context_relinquish(attest_service_context);
-
- return success;
-}
-
-static bool fetch_and_verify(std::vector<uint8_t> &report, std::string &error_msg)
-{
- bool success = false;
- uint8_t token_buf[PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE];
- uint8_t challenge[PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32];
- psa_key_id_t iak_id;
- int status;
-
- if (!fetch_iak_public_key(iak_id, error_msg)) {
-
- return false;
- }
-
- status = psa_generate_random(challenge, sizeof(challenge));
-
- if (status != PSA_SUCCESS) {
-
- error_msg = "Failed to generate challenge";
- return false;
- }
-
- size_t token_size;
-
- status =
- psa_initial_attest_get_token(challenge, sizeof(challenge),
- token_buf, sizeof(token_buf), &token_size);
-
- if (status == PSA_SUCCESS) {
-
- success = verify_token(report, token_buf, token_size, iak_id, error_msg);
- }
- else {
-
- error_msg = "Failed to fetch attestation token";
- }
-
- return success;
+ return result;
}
static bool fetch_iak_public_key(psa_key_id_t &iak_id, std::string &error_msg)
{
- size_t iak_pub_key_len = 0;
- uint8_t iak_pub_key_buf[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
+ size_t iak_pub_key_len = 0;
+ uint8_t iak_pub_key_buf[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
- int status = attest_provision_export_iak_public_key(iak_pub_key_buf,
- sizeof(iak_pub_key_buf), &iak_pub_key_len);
+ int status = attest_provision_export_iak_public_key(
+ iak_pub_key_buf, sizeof(iak_pub_key_buf), &iak_pub_key_len);
- if (status == PSA_SUCCESS) {
+ if (status == PSA_SUCCESS) {
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE);
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
- psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE);
- psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));
+ psa_set_key_bits(&attributes, 256);
- psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
- psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));
- psa_set_key_bits(&attributes, 256);
+ status = psa_import_key(&attributes, iak_pub_key_buf, iak_pub_key_len, &iak_id);
- status = psa_import_key(&attributes, iak_pub_key_buf, iak_pub_key_len, &iak_id);
+ if (status != PSA_SUCCESS) {
+ printf("psa_import_key status: %d\n", status);
+ error_msg = "Failed to set-up IAK for verify";
+ }
- if (status != PSA_SUCCESS) {
+ psa_reset_key_attributes(&attributes);
+ } else {
+ error_msg = "Failed to export IAK public key";
+ }
- printf("psa_import_key status: %d\n", status);
- error_msg = "Failed to set-up IAK for verify";
- }
-
- psa_reset_key_attributes(&attributes);
- }
- else {
-
- error_msg = "Failed to export IAK public key";
- }
-
- return (status == PSA_SUCCESS);
+ return (status == PSA_SUCCESS);
}
static bool verify_token(std::vector<uint8_t> &report, const uint8_t *token, size_t token_len,
- psa_key_id_t iak_id, std::string &error_msg)
+ psa_key_id_t iak_id, std::string &error_msg)
{
- struct t_cose_sign1_verify_ctx verify_ctx;
- struct t_cose_key key_pair;
+ struct t_cose_sign1_verify_ctx verify_ctx;
+ struct t_cose_key key_pair;
- key_pair.k.key_handle = iak_id;
- key_pair.crypto_lib = T_COSE_CRYPTO_LIB_PSA;
- UsefulBufC signed_cose;
- UsefulBufC report_body;
+ key_pair.k.key_handle = iak_id;
+ key_pair.crypto_lib = T_COSE_CRYPTO_LIB_PSA;
+ UsefulBufC signed_cose;
+ UsefulBufC report_body;
- signed_cose.ptr = token;
- signed_cose.len = token_len;
+ signed_cose.ptr = token;
+ signed_cose.len = token_len;
- report_body.ptr = NULL;
- report_body.len = 0;
+ report_body.ptr = NULL;
+ report_body.len = 0;
- t_cose_sign1_verify_init(&verify_ctx, 0);
- t_cose_sign1_set_verification_key(&verify_ctx, key_pair);
+ t_cose_sign1_verify_init(&verify_ctx, 0);
+ t_cose_sign1_set_verification_key(&verify_ctx, key_pair);
- int status = t_cose_sign1_verify(&verify_ctx, signed_cose, &report_body, NULL);
+ int status = t_cose_sign1_verify(&verify_ctx, signed_cose, &report_body, NULL);
- if (status == T_COSE_SUCCESS) {
+ if (status == T_COSE_SUCCESS) {
+ report.resize(report_body.len);
+ memcpy(report.data(), report_body.ptr, report_body.len);
+ } else {
+ error_msg = "Attestation token failed to verify";
+ }
- report.resize(report_body.len);
- memcpy(report.data(), report_body.ptr, report_body.len);
- }
- else {
-
- error_msg = "Attestation token failed to verify";
- }
-
- return (status == T_COSE_SUCCESS);
+ return (status == T_COSE_SUCCESS);
}
diff --git a/components/app/platform-inspect/attest_report_fetcher.h b/components/app/platform-inspect/attest_report_fetcher.h
index 75d171b..51eaed6 100644
--- a/components/app/platform-inspect/attest_report_fetcher.h
+++ b/components/app/platform-inspect/attest_report_fetcher.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -7,9 +7,9 @@
#ifndef ATTEST_REPORT_FETCHER_H
#define ATTEST_REPORT_FETCHER_H
+#include <cstdint>
#include <string>
#include <vector>
-#include <cstdint>
/** \brief Fetch and verify an attestaton report
*
@@ -18,7 +18,6 @@
*
* \return Returns true if fetch successful
*/
-bool fetch_attest_report(std::vector<uint8_t> &report, std::string &error_msg);
-
+bool fetch_and_verify(std::vector<uint8_t> &report, std::string &error_msg);
#endif /* ATTEST_REPORT_FETCHER_H */
diff --git a/components/app/platform-inspect/component.cmake b/components/app/platform-inspect/component.cmake
index 07200a9..d948657 100644
--- a/components/app/platform-inspect/component.cmake
+++ b/components/app/platform-inspect/component.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
diff --git a/components/app/platform-inspect/platform_inspect.cpp b/components/app/platform-inspect/platform_inspect.cpp
index 93c8f88..903e6a6 100644
--- a/components/app/platform-inspect/platform_inspect.cpp
+++ b/components/app/platform-inspect/platform_inspect.cpp
@@ -1,45 +1,52 @@
/*
- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <cstdint>
#include <cstdio>
+#include <service/attestation/reporter/dump/pretty/pretty_report_dump.h>
#include <string>
#include <vector>
-#include <psa/crypto.h>
-#include <service_locator.h>
-#include <service/attestation/reporter/dump/raw/raw_report_dump.h>
-#include <service/attestation/reporter/dump/pretty/pretty_report_dump.h>
+
#include "attest_report_fetcher.h"
+#include "libpsa.h"
-int main(int argc, char *argv[])
+int main(void)
{
- int rval = -1;
+ psa_status_t psa_status = PSA_ERROR_GENERIC_ERROR;
+ int rval = -1;
+ std::string error_msg;
+ std::vector<uint8_t> attest_report;
- psa_status_t psa_status = psa_crypto_init();
+ psa_status = libpsa_init_crypto_context("sn:trustedfirmware.org:crypto:0");
+ if (psa_status) {
+ printf("libpsa_init_crypto_context failed: %d\n", psa_status);
+ goto cleanup;
+ }
- if (psa_status != PSA_SUCCESS) {
+ psa_status = libpsa_init_attestation_context("sn:trustedfirmware.org:attestation:0");
+ if (psa_status) {
+ printf("libpsa_init_crypto_context failed: %d\n", psa_status);
+ goto cleanup;
+ }
- printf("psa_crypto_init failed: %d\n", psa_status);
- return rval;
- }
+ psa_status = psa_crypto_init();
+ if (psa_status) {
+ printf("psa_crypto_init failed: %d\n", psa_status);
+ goto cleanup;
+ }
- service_locator_init();
+ /* Fetch platform info */
+ if (fetch_and_verify(attest_report, error_msg))
+ rval = pretty_report_dump(attest_report.data(), attest_report.size());
+ else
+ printf("%s\n", error_msg.c_str());
- /* Fetch platform info */
- std::string error_msg;
- std::vector<uint8_t> attest_report;
+cleanup:
+ libpsa_deinit_crypto_context();
+ libpsa_deinit_attestation_context();
- if (fetch_attest_report(attest_report, error_msg)) {
-
- rval = pretty_report_dump(attest_report.data(), attest_report.size());
- }
- else {
-
- printf("%s\n", error_msg.c_str());
- }
-
- return rval;
+ return rval;
}
diff --git a/deployments/platform-inspect/platform-inspect.cmake b/deployments/platform-inspect/platform-inspect.cmake
index aa3c523..9290367 100644
--- a/deployments/platform-inspect/platform-inspect.cmake
+++ b/deployments/platform-inspect/platform-inspect.cmake
@@ -11,12 +11,11 @@
#-------------------------------------------------------------------------------
#-------------------------------------------------------------------------------
-# Use libts for locating and accessing trusted services. An appropriate version
-# of libts will be imported for the environment in which platform-inspect is
-# built.
+# Use libpsa for locating PSA services. An appropriate version of
+# libpsa will be imported for the environment.
#-------------------------------------------------------------------------------
-include(${TS_ROOT}/deployments/libts/libts-import.cmake)
-target_link_libraries(platform-inspect PRIVATE libts::ts)
+include(${TS_ROOT}/deployments/libpsa/libpsa-import.cmake)
+target_link_libraries(platform-inspect PRIVATE libpsa::psa)
#-------------------------------------------------------------------------------
# Components that are common across all deployments
@@ -29,11 +28,6 @@
"components/app/platform-inspect"
"components/common/tlv"
"components/common/cbor_dump"
- "components/service/common/client"
- "components/service/common/include"
- "components/service/attestation/include"
- "components/service/attestation/client/psa"
- "components/service/attestation/client/provision"
"components/service/attestation/reporter/dump/raw"
"components/service/attestation/reporter/dump/pretty"
)