Add provisioning support to attestation service provider

Adds operations that allow the IAK to be provisioned into a device
during manufacture.  Two provisioning strategies are supported:
self-generating the IAK on first run, and importing an externally
generated IAK.  Test cases run through each provisioning flow.

Signed-off-by: Julian Hall <julian.hall@arm.com>
Change-Id: I6708b064b31ef7749d5ecac24c86af6411cdc7c2
diff --git a/protocols/service/attestation/packed-c/export_iak_public_key.h b/protocols/service/attestation/packed-c/export_iak_public_key.h
new file mode 100644
index 0000000..4ae553d
--- /dev/null
+++ b/protocols/service/attestation/packed-c/export_iak_public_key.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef TS_ATTESTATION_EXPORT_IAK_PUBLIC_KEY_H
+#define TS_ATTESTATION_EXPORT_IAK_PUBLIC_KEY_H
+
+/**
+ * Parameter definitions for the EXPORT_IAK_PUBLIC_KEY operation.
+ *
+ * Can be used during device provisioning to retrieve an
+ * imported or generated IAK public key.  The IAK public key
+ * may be used by a verifier as the identity for the device.
+ * This operation supports the provisioning flow where the
+ * IAK public key is read and stored in a central database.
+ * Note that exporting the IAK public key from a device that
+ * doesn't hold an IAK will trigger generation of a fresh
+ * IAK using the device's TRNG.
+ */
+
+/* Variable length output parameter tags */
+enum
+{
+    /* TLV tag to identify the IAK public key data parameter
+     */
+    TS_ATTESTATION_EXPORT_IAK_PUBLIC_KEY_OUT_TAG_DATA  = 1
+};
+
+#endif /* TS_ATTESTATION_EXPORT_IAK_PUBLIC_KEY_H */
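Review bot: The block comment describes the implicit key generation as a note, but it does not say that this turns a read-style operation into a state change that appears to foreclose the import flow. import_iak.h in this same commit states that an import is rejected once an IAK exists, so an export issued before IMPORT_IAK presumably commits the device to a self-generated identity. I would add a sentence such as `Calling this operation before IMPORT_IAK commits the device to a self-generated IAK; a subsequent import will be rejected.` so that provisioning tooling orders the calls deliberately. The comment on `TS_ATTESTATION_EXPORT_IAK_PUBLIC_KEY_OUT_TAG_DATA` also leaves the key encoding unstated, which a verifier storing the key in a central database needs to know.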
diff --git a/protocols/service/attestation/packed-c/get_token.h b/protocols/service/attestation/packed-c/get_token.h
index e02ed1e..bf16adc 100644
--- a/protocols/service/attestation/packed-c/get_token.h
+++ b/protocols/service/attestation/packed-c/get_token.h
@@ -6,6 +6,13 @@
 #ifndef TS_ATTESTATION_GET_TOKEN_H
 #define TS_ATTESTATION_GET_TOKEN_H
 
+/**
+ * Parameter definitions for the GET_TOKEN operation.
+ *
+ * Fetches a signed attestation token to allow device
+ * state to be remotely verified.
+ */
+
 /* Variable length input parameter tags */
 enum
 {
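Review bot: The new comment says the token lets device state be remotely verified but does not mention what makes a token fresh. The GET_TOKEN_SIZE comment added in the next file refers to a challenge, so if GET_TOKEN takes that challenge as an input (the input tag enum continues outside this hunk), the description should say so, for example `The token is bound to the caller-supplied challenge, which the verifier must check to reject replayed tokens.` Without that, a reader of this header alone cannot tell that replay protection depends on a value the client supplies.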
diff --git a/protocols/service/attestation/packed-c/get_token_size.h b/protocols/service/attestation/packed-c/get_token_size.h
index c342541..c5716da 100644
--- a/protocols/service/attestation/packed-c/get_token_size.h
+++ b/protocols/service/attestation/packed-c/get_token_size.h
@@ -8,6 +8,13 @@
 
 #include <stdint.h>
 
+/**
+ * Parameter definitions for the GET_TOKEN_SIZE operation.
+ *
+ * Returns the expected size of an attestation token when
+ * a challenge of the specified length is presented.
+ */
+
 /* Mandatory fixed sized input parameters */
 struct __attribute__ ((__packed__)) ts_attestation_get_token_size_in
 {
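Review bot: "Expected size" in the added comment is ambiguous for a caller that uses the result to size a receive buffer. The comment should state whether the returned value is the exact token length or an upper bound, for example `Returns the exact size in bytes (or: an upper bound on the size) of the token that GET_TOKEN will return for a challenge of the specified length.` It would also help to state what happens for an unsupported challenge length; the input struct that carries the length continues outside this hunk, so the valid values are not visible here.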
diff --git a/protocols/service/attestation/packed-c/import_iak.h b/protocols/service/attestation/packed-c/import_iak.h
new file mode 100644
index 0000000..0fafd66
--- /dev/null
+++ b/protocols/service/attestation/packed-c/import_iak.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef TS_ATTESTATION_IMPORT_IAK_H
+#define TS_ATTESTATION_IMPORT_IAK_H
+
+/**
+ * Parameter definitions for the IMPORT_IAK operation.
+ *
+ * Used during device provisioning to load an externally
+ * generated IAK key-pair into a device.  An attempt to
+ * import an IAK when an IAK already exists will be rejected.
+ */
+
+/* Variable length input parameter tags */
+enum
+{
+    /* TLV tag to identify the IAK key-pair data parameter
+     */
+    TS_ATTESTATION_IMPORT_IAK_IN_TAG_DATA  = 1,
+};
+
+#endif /* TS_ATTESTATION_IMPORT_IAK_H */
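Review bot: The header documents the parameter only as "IAK key-pair data", which means private key material crosses the service interface, yet the comment states neither the encoding nor any handling expectation. I would extend the block comment with the expected key format and a line such as `The data includes the private key; the caller should wipe its copy once the import has completed.` It would also be worth stating whether the operation is meant to be reachable only during manufacture, since the rejection of a second import is the only protection described here. As a minor style point, `TS_ATTESTATION_IMPORT_IAK_IN_TAG_DATA  = 1,` has a trailing comma while the matching enumerator in export_iak_public_key.h does not.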
diff --git a/protocols/service/attestation/packed-c/opcodes.h b/protocols/service/attestation/packed-c/opcodes.h
index 62a7617..3484e1b 100644
--- a/protocols/service/attestation/packed-c/opcodes.h
+++ b/protocols/service/attestation/packed-c/opcodes.h
@@ -9,8 +9,10 @@
 
 /* C/C++ definition of attestation service opcodes
  */
-#define TS_ATTESTATION_OPCODE_NOP                   (0x0000)
+
 #define TS_ATTESTATION_OPCODE_GET_TOKEN             (0x0001)
 #define TS_ATTESTATION_OPCODE_GET_TOKEN_SIZE        (0x0002)
+#define TS_ATTESTATION_OPCODE_EXPORT_IAK_PUBLIC_KEY (0x0003)
+#define TS_ATTESTATION_OPCODE_IMPORT_IAK            (0x0004)
 
 #endif /* TS_ATTESTATION_OPCODES_H */
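Review bot: The two provisioning opcodes are added to the same flat list as the runtime operations with nothing marking them as manufacture-time only. Whether the provider restricts who may call them is not visible in this diff, so a grouping comment above them, such as `/* Provisioning operations: intended for use during device manufacture */`, would make the intent explicit for anyone wiring up access control. Separately, removing `TS_ATTESTATION_OPCODE_NOP` leaves 0x0000 unassigned and a stray blank line behind; a short `/* 0x0000 is reserved */` comment would prevent the value being reused with a different meaning.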