Add secure enclave proxy deployment
A new deployment called se-proxy is added to form the starting
point for developing a service level proxy for a remote
secure enclave running on a separate MCU. The proxy
combines service endpoints crypto, attestation and secure
storage service providers. New backends for each service
will need to replace the service backends initially
included in this deployment.
Signed-off-by: Julian Hall <julian.hall@arm.com>
Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Change-Id: I96a3f71c690f885c8df8895546040efaad7bac41
diff --git a/components/rpc/common/demux/rpc_demux.c b/components/rpc/common/demux/rpc_demux.c
index efcc162..3460396 100644
--- a/components/rpc/common/demux/rpc_demux.c
+++ b/components/rpc/common/demux/rpc_demux.c
@@ -16,7 +16,7 @@
unsigned int iface_id = call_req_get_interface_id(req);
- if ((iface_id < RPC_DEMUX_MAX_OUTPUTS) && context->outputs[iface_id]) {
+ if (iface_id < RPC_DEMUX_MAX_OUTPUTS) {
rpc_status = rpc_interface_receive(context->outputs[iface_id], req);
}
diff --git a/components/rpc/ffarpc/caller/linux/ffarpc_caller.c b/components/rpc/ffarpc/caller/linux/ffarpc_caller.c
index d5db2c9..ee879a0 100644
--- a/components/rpc/ffarpc/caller/linux/ffarpc_caller.c
+++ b/components/rpc/ffarpc/caller/linux/ffarpc_caller.c
@@ -268,7 +268,7 @@
direct_msg.dst_id = s->dest_partition_id;
direct_msg.args[FFA_CALL_ARGS_IFACE_ID_OPCODE] =
- FFA_CALL_ARGS_COMBINE_IFACE_ID_OPCODE(s->dest_partition_id, opcode);
+ FFA_CALL_ARGS_COMBINE_IFACE_ID_OPCODE(s->dest_iface_id, opcode);
direct_msg.args[FFA_CALL_ARGS_REQ_DATA_LEN] = (uint64_t)s->req_len;
direct_msg.args[FFA_CALL_ARGS_ENCODING] = s->rpc_caller.encoding;
diff --git a/components/service/locator/linux/ffa/linuxffa_location_strategy.c b/components/service/locator/linux/ffa/linuxffa_location_strategy.c
index 8fce44e..a6ec465 100644
--- a/components/service/locator/linux/ffa/linuxffa_location_strategy.c
+++ b/components/service/locator/linux/ffa/linuxffa_location_strategy.c
@@ -9,6 +9,7 @@
#include <common/uuid/uuid.h>
#include <service/locator/service_name.h>
#include <rpc/ffarpc/caller/linux/ffarpc_caller.h>
+#include <deployments/se-proxy/se_proxy_interfaces.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
@@ -109,11 +110,18 @@
}
partition_lookup[] =
{
+ /* Services in dedicated SPs */
{"crypto", "d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0", 0},
{"internal-trusted-storage", "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14", 0},
{"protected-storage", "751bf801-3dde-4768-a514-0f10aeed1790", 0},
{"test-runner", "33c75baf-ac6a-4fe4-8ac7-e9909bee2d17", 0},
{"attestation", "a1baf155-8876-4695-8f7c-54955e8db974", 0},
+
+ /* Secure Enclave proxy accessed services */
+ {"crypto", "46bb39d1-b4d9-45b5-88ff-040027dab249", SE_PROXY_INTERFACE_ID_CRYPTO},
+ {"internal-trusted-storage", "46bb39d1-b4d9-45b5-88ff-040027dab249", SE_PROXY_INTERFACE_ID_ITS},
+ {"protected-storage", "46bb39d1-b4d9-45b5-88ff-040027dab249", SE_PROXY_INTERFACE_ID_PS},
+ {"attestation", "46bb39d1-b4d9-45b5-88ff-040027dab249", SE_PROXY_INTERFACE_ID_ATTEST},
{NULL, NULL, 0}
};
diff --git a/deployments/se-proxy/opteesp/CMakeLists.txt b/deployments/se-proxy/opteesp/CMakeLists.txt
new file mode 100644
index 0000000..b071b7a
--- /dev/null
+++ b/deployments/se-proxy/opteesp/CMakeLists.txt
@@ -0,0 +1,178 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+cmake_minimum_required(VERSION 3.16)
+include(../../deployment.cmake REQUIRED)
+
+#-------------------------------------------------------------------------------
+# The CMakeLists.txt for building the se-proxy deployment for opteesp
+#
+# Builds proxy service providers that communicate with a separate secure element
+# that hosts a set of service endpoints. This deployment is for running in an
+# SEL0 secure partition hosted by OPTEE in the role of SPM.
+#-------------------------------------------------------------------------------
+include(${TS_ROOT}/environments/opteesp/env.cmake)
+project(trusted-services LANGUAGES C ASM)
+add_executable(se-proxy)
+target_include_directories(se-proxy PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}")
+set(SP_UUID "46bb39d1-b4d9-45b5-88ff-040027dab249")
+
+#-------------------------------------------------------------------------------
+# Include SP DEV KIT interface
+#
+#-------------------------------------------------------------------------------
+set(SP_DEV_KIT_INC_DIR ${CMAKE_CURRENT_LIST_DIR})
+list(APPEND CMAKE_MODULE_PATH "${TS_ROOT}/external/Spdevkit")
+find_package(Spdevkit REQUIRED)
+sp_dev_kit_configure_linking(TARGET se-proxy DEFINES ARM64=1)
+target_link_libraries(se-proxy PRIVATE ${SP_DEV_KIT_LIBRARIES})
+
+#-------------------------------------------------------------------------------
+# Default deployment specific configuration
+#
+#-------------------------------------------------------------------------------
+set(TS_NO_FLOAT_HW ON)
+
+#-------------------------------------------------------------------------------
+# Components that are specific to deployment in the opteesp environment.
+#
+#-------------------------------------------------------------------------------
+add_components(TARGET "se-proxy"
+ BASE_DIR ${TS_ROOT}
+ COMPONENTS
+ "protocols/rpc/common/packed-c"
+ "protocols/service/secure_storage/packed-c"
+ "protocols/service/crypto/protobuf"
+ "environments/opteesp"
+ "components/common/tlv"
+ "components/config/ramstore"
+ "components/config/loader/sp"
+ "components/messaging/ffa/libsp"
+ "components/rpc/ffarpc/endpoint"
+ "components/rpc/common/interface"
+ "components/rpc/common/demux"
+ "components/service/common/include"
+ "components/service/common/serializer/protobuf"
+ "components/service/common/provider"
+ "components/service/crypto/provider/mbedcrypto"
+ "components/service/crypto/provider/serializer/protobuf"
+ "components/service/crypto/provider/serializer/packed-c"
+ "components/service/secure_storage/include"
+ "components/service/secure_storage/frontend/secure_storage_provider"
+ "components/service/attestation/include"
+ "components/service/attestation/provider"
+ "components/service/attestation/provider/serializer/packed-c"
+
+ # Components that won't be in a proxy
+ "components/common/endian"
+ "components/service/attestation/claims"
+ "components/service/attestation/claims/sources/boot_seed_generator"
+ "components/service/attestation/claims/sources/null_lifecycle"
+ "components/service/attestation/claims/sources/instance_id"
+ "components/service/attestation/claims/sources/event_log"
+ "components/service/attestation/claims/sources/event_log/mock"
+ "components/service/attestation/reporter/psa"
+ "components/service/attestation/key_mngr"
+ "components/service/secure_storage/frontend/psa/its"
+ "components/service/secure_storage/backend/secure_flash_store"
+ "components/service/secure_storage/backend/secure_flash_store/flash_fs"
+ "components/service/secure_storage/backend/secure_flash_store/flash"
+ "components/service/crypto/provider/mbedcrypto/trng_adapter/platform"
+)
+
+target_sources(se-proxy PRIVATE
+ se_proxy_sp.c
+ service_proxy_factory.c
+)
+
+#-------------------------------------------------------------------------------
+# Use the selected platform to provide drivers needed by the deployment
+#
+#-------------------------------------------------------------------------------
+# temporarily force platform - with this change, the build interface to
+# an external builder such as a Yocto recipe is unchanged. Should remove
+# once the build interface is published.
+set(TS_PLATFORM "arm/fvp/fvp_base_revc-2xaemv8a" CACHE STRING "Overridden" FORCE)
+
+add_platform(TARGET "se-proxy")
+
+#-------------------------------------------------------------------------------
+# Components used from external projects
+#
+#-------------------------------------------------------------------------------
+
+# Nanopb
+list(APPEND NANOPB_EXTERNAL_INCLUDE_PATHS ${SP_DEV_KIT_INCLUDE_DIR})
+include(../../../external/nanopb/nanopb.cmake)
+target_link_libraries(se-proxy PRIVATE nanopb::protobuf-nanopb-static)
+protobuf_generate_all(TGT "se-proxy" NAMESPACE "protobuf" BASE_DIR "${TS_ROOT}/protocols")
+
+# Mbed TLS provides libmbedcrypto
+include(../../../external/MbedTLS/MbedTLS.cmake)
+target_link_libraries(se-proxy PRIVATE mbedcrypto)
+
+# Qcbor
+include(${TS_ROOT}/external/qcbor/qcbor.cmake)
+target_link_libraries(se-proxy PRIVATE qcbor)
+
+# t_cose
+include(${TS_ROOT}/external/t_cose/t_cose.cmake)
+target_link_libraries(se-proxy PRIVATE t_cose)
+
+#################################################################
+
+target_compile_definitions(se-proxy PRIVATE
+ ARM64=1
+)
+
+target_include_directories(se-proxy PRIVATE
+ ${TS_ROOT}
+ ${TS_ROOT}/components
+ ${TS_ROOT}/deployments/se-proxy/opteesp
+)
+
+if(CMAKE_C_COMPILER_ID STREQUAL "GNU")
+ target_compile_options(se-proxy PRIVATE
+ -fdiagnostics-show-option
+ -gdwarf-2
+ -mstrict-align
+ -O0
+ -std=c99
+ )
+
+ # Options for GCC that control linking
+ target_link_options(se-proxy PRIVATE
+ -zmax-page-size=4096
+ )
+ # Options directly for LD, these are not understood by GCC
+ target_link_options(se-proxy PRIVATE
+ -Wl,--as-needed
+ -Wl,--sort-section=alignment
+ # -Wl,--dynamic-list ${CMAKE_CURRENT_LIST_DIR}/dyn_list
+ )
+endif()
+
+compiler_generate_stripped_elf(TARGET se-proxy NAME "${SP_UUID}.stripped.elf" RES STRIPPED_ELF)
+
+######################################## install
+if (CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
+ set(CMAKE_INSTALL_PREFIX ${CMAKE_BINARY_DIR}/install CACHE PATH "location to install build output to." FORCE)
+endif()
+#TODO: api headers
+
+install(TARGETS se-proxy
+ PUBLIC_HEADER DESTINATION ${TS_ENV}/include
+ RUNTIME DESTINATION ${TS_ENV}/bin
+ )
+install(FILES ${STRIPPED_ELF} DESTINATION ${TS_ENV}/bin)
+
+get_property(_PROTO_FILES TARGET se-proxy PROPERTY PROTOBUF_FILES)
+install(FILES ${_PROTO_FILES} DESTINATION ${TS_ENV}/lib/protobuf)
+
+
+set(EXPORT_SP_NAME "se-proxy")
+set(EXPORT_SP_UUID ${SP_UUID})
+include(${TS_ROOT}/environments/opteesp/ExportSp.cmake)
diff --git a/deployments/se-proxy/opteesp/default_se-proxy.dts.in b/deployments/se-proxy/opteesp/default_se-proxy.dts.in
new file mode 100644
index 0000000..9f66eb1
--- /dev/null
+++ b/deployments/se-proxy/opteesp/default_se-proxy.dts.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+@DTS_TAG@
+
+@DTS_NODE@ {
+ compatible = "arm,ffa-manifest-1.0";
+ ffa-version = <0x00010000>; /* 31:16 - Major, 15:0 - Minor */
+ uuid = <@EXPORT_SP_UUID_DT@>;
+ description = "SE Proxy";
+ execution-ctx-count = <1>;
+ exception-level = <1>; /* S-EL0 */
+ execution-state = <0>; /* AArch64 */
+ xlat-granule = <0>; /* 4KiB */
+ messaging-method = <0>; /* Direct messaging only */
+
+ /* Not needed when crypto proxy is added */
+ device-regions {
+ compatible = "arm,ffa-manifest-device-regions";
+
+ trng {
+ /* Armv8 A Foundation Platform values */
+ base-address = <0x00000000 0x7fe60000>;
+ pages-count = <1>;
+ attributes = <0x3>; /* read-write */
+ };
+ };
+};
diff --git a/deployments/se-proxy/opteesp/optee_sp_user_defines.h b/deployments/se-proxy/opteesp/optee_sp_user_defines.h
new file mode 100644
index 0000000..feb25e8
--- /dev/null
+++ b/deployments/se-proxy/opteesp/optee_sp_user_defines.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef SP_HEADER_DEFINES_H
+#define SP_HEADER_DEFINES_H
+
+/* To get UUID definition */
+#include "se_proxy_sp.h"
+
+#define OPTEE_SP_UUID SE_PROXY_SP_UUID
+#define OPTEE_SP_FLAGS 0
+
+/* Provisioned stack size */
+#define OPTEE_SP_STACK_SIZE (64 * 1024)
+
+/* Provisioned heap size */
+#define OPTEE_SP_HEAP_SIZE (480 * 1024)
+
+#endif /* SP_HEADER_DEFINES_H */
diff --git a/deployments/se-proxy/opteesp/se_proxy_sp.c b/deployments/se-proxy/opteesp/se_proxy_sp.c
new file mode 100644
index 0000000..ef90d9e
--- /dev/null
+++ b/deployments/se-proxy/opteesp/se_proxy_sp.c
@@ -0,0 +1,94 @@
+// SPDX-License-Identifier: BSD-3-Clause
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ */
+
+#include <rpc/ffarpc/endpoint/ffarpc_call_ep.h>
+#include <rpc/common/demux/rpc_demux.h>
+#include <config/ramstore/config_ramstore.h>
+#include <config/loader/sp/sp_config_loader.h>
+#include <ffa_api.h>
+#include <sp_api.h>
+#include <sp_rxtx.h>
+#include <trace.h>
+#include "service_proxy_factory.h"
+#include "../se_proxy_interfaces.h"
+
+uint16_t own_id = 0; /* !!Needs refactoring as parameter to ffarpc_caller_init */
+
+
+static int sp_init(uint16_t *own_sp_id);
+
+void __noreturn sp_main(struct ffa_init_info *init_info)
+{
+ struct ffa_call_ep ffarpc_call_ep;
+ struct sp_msg req_msg;
+ struct rpc_demux rpc_demux;
+ struct rpc_interface *rpc_iface;
+
+ /* Boot phase */
+ if (sp_init(&own_id) != 0) goto fatal_error;
+
+ config_ramstore_init();
+ sp_config_load(init_info);
+
+ rpc_iface = rpc_demux_init(&rpc_demux);
+ ffa_call_ep_init(&ffarpc_call_ep, rpc_iface);
+
+ /* Create service proxies */
+ rpc_iface = its_proxy_create();
+ rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_ITS, rpc_iface);
+
+ rpc_iface = ps_proxy_create();
+ rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_PS, rpc_iface);
+
+ rpc_iface = crypto_proxy_create();
+ rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_CRYPTO, rpc_iface);
+
+ rpc_iface = attest_proxy_create();
+ rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_ATTEST, rpc_iface);
+
+ /* End of boot phase */
+ sp_msg_wait(&req_msg);
+
+ while (1) {
+
+ struct sp_msg resp_msg;
+
+ ffa_call_ep_receive(&ffarpc_call_ep, &req_msg, &resp_msg);
+
+ resp_msg.source_id = req_msg.destination_id;
+ resp_msg.destination_id = req_msg.source_id;
+
+ sp_msg_send_direct_resp(&resp_msg, &req_msg);
+ }
+
+fatal_error:
+ /* SP is not viable */
+ EMSG("SE proxy SP error");
+ while (1) {}
+}
+
+void sp_interrupt_handler(uint32_t interrupt_id)
+{
+ (void)interrupt_id;
+}
+
+static int sp_init(uint16_t *own_sp_id)
+{
+ int status = -1;
+ ffa_result ffa_res;
+ sp_result sp_res;
+ static uint8_t tx_buffer[4096] __aligned(4096);
+ static uint8_t rx_buffer[4096] __aligned(4096);
+
+ sp_res = sp_rxtx_buffer_map(tx_buffer, rx_buffer, sizeof(rx_buffer));
+ if (sp_res == SP_RESULT_OK) {
+ ffa_res = ffa_id_get(own_sp_id);
+ if (ffa_res == FFA_OK) {
+ status = 0;
+ }
+ }
+
+ return status;
+}
diff --git a/deployments/se-proxy/opteesp/se_proxy_sp.h b/deployments/se-proxy/opteesp/se_proxy_sp.h
new file mode 100644
index 0000000..74bbde4
--- /dev/null
+++ b/deployments/se-proxy/opteesp/se_proxy_sp.h
@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef SE_PROXY_SP_H
+#define SE_PROXY_SP_H
+
+#define SE_PROXY_SP_UUID \
+ {0x46bb39d1, 0xb4d9, 0x45b5, \
+ {0x88, 0xff, 0x04, 0x00, 0x27, 0xda, 0xb2, 0x49}}
+
+#define SE_PROXY_SP_UUID_BYTES \
+ {0x46, 0xbb, 0x39, 0xd1, 0xb4, 0xd9, 0x45, 0xb5, \
+ 0x88, 0xff, 0x04, 0x00, 0x27, 0xda, 0xb2, 0x49}
+
+#endif /* SE_PROXY_SP_H */
diff --git a/deployments/se-proxy/opteesp/service_proxy_factory.c b/deployments/se-proxy/opteesp/service_proxy_factory.c
new file mode 100644
index 0000000..4af5a48
--- /dev/null
+++ b/deployments/se-proxy/opteesp/service_proxy_factory.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stddef.h>
+#include <rpc/common/endpoint/rpc_interface.h>
+#include <service/attestation/provider/attest_provider.h>
+#include <service/attestation/provider/serializer/packed-c/packedc_attest_provider_serializer.h>
+#include <service/crypto/provider/mbedcrypto/crypto_provider.h>
+#include <service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.h>
+#include <service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.h>
+#include <components/service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+
+/* Not needed once proxy backends added */
+#include <service/attestation/claims/claims_register.h>
+#include <service/attestation/claims/sources/event_log/event_log_claim_source.h>
+#include <service/attestation/claims/sources/boot_seed_generator/boot_seed_generator.h>
+#include <service/attestation/claims/sources/null_lifecycle/null_lifecycle_claim_source.h>
+#include <service/attestation/claims/sources/instance_id/instance_id_claim_source.h>
+#include <service/secure_storage/backend/secure_flash_store/secure_flash_store.h>
+
+
+/* A shared storage backend - should be removed when proxy backends are added */
+static struct storage_backend *shared_storage_backend = NULL;
+
+
+struct rpc_interface *attest_proxy_create(void)
+{
+ struct rpc_interface *attest_iface;
+ struct claim_source *claim_source;
+
+ /* Static objects for proxy instance */
+ static struct attest_provider attest_provider;
+
+ /* Claim sources for deployment */
+ static struct event_log_claim_source event_log_claim_source;
+ static struct boot_seed_generator boot_seed_claim_source;
+ static struct null_lifecycle_claim_source lifecycle_claim_source;
+ static struct instance_id_claim_source instance_id_claim_source;
+
+ /* Register claim sources for deployment */
+ claims_register_init();
+
+ /* Boot measurement claim source */
+ claim_source = event_log_claim_source_init_from_config(&event_log_claim_source);
+ claims_register_add_claim_source(CLAIM_CATEGORY_BOOT_MEASUREMENT, claim_source);
+
+ /* Boot seed claim source */
+ claim_source = boot_seed_generator_init(&boot_seed_claim_source);
+ claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
+
+ /* Lifecycle state claim source */
+ claim_source = null_lifecycle_claim_source_init(&lifecycle_claim_source);
+ claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
+
+ /* Instance ID claim source */
+ claim_source = instance_id_claim_source_init(&instance_id_claim_source);
+ claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
+
+ /* Initialize the service provider */
+ attest_iface = attest_provider_init(&attest_provider, ATTEST_KEY_MNGR_VOLATILE_IAK);
+
+ attest_provider_register_serializer(&attest_provider,
+ TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance());
+
+ return attest_iface;
+}
+
+struct rpc_interface *crypto_proxy_create(void)
+{
+ struct rpc_interface *crypto_iface;
+
+ /* Static objects for proxy instance */
+ static struct mbed_crypto_provider crypto_provider;
+
+ crypto_iface = mbed_crypto_provider_init(&crypto_provider, shared_storage_backend, 0);
+
+ mbed_crypto_provider_register_serializer(&crypto_provider,
+ TS_RPC_ENCODING_PROTOBUF, pb_crypto_provider_serializer_instance());
+
+ mbed_crypto_provider_register_serializer(&crypto_provider,
+ TS_RPC_ENCODING_PACKED_C, packedc_crypto_provider_serializer_instance());
+
+ return crypto_iface;
+}
+
+struct rpc_interface *ps_proxy_create(void)
+{
+ if (!shared_storage_backend) shared_storage_backend = sfs_init();
+
+ static struct secure_storage_provider ps_provider;
+
+ return secure_storage_provider_init(&ps_provider, shared_storage_backend);
+}
+
+struct rpc_interface *its_proxy_create(void)
+{
+ if (!shared_storage_backend) shared_storage_backend = sfs_init();
+
+ static struct secure_storage_provider its_provider;
+
+ return secure_storage_provider_init(&its_provider, shared_storage_backend);
+}
diff --git a/deployments/se-proxy/opteesp/service_proxy_factory.h b/deployments/se-proxy/opteesp/service_proxy_factory.h
new file mode 100644
index 0000000..298d407
--- /dev/null
+++ b/deployments/se-proxy/opteesp/service_proxy_factory.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef SERVICE_PROXY_FACTORY_H
+#define SERVICE_PROXY_FACTORY_H
+
+#include <rpc/common/endpoint/rpc_interface.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct rpc_interface *attest_proxy_create(void);
+struct rpc_interface *crypto_proxy_create(void);
+struct rpc_interface *ps_proxy_create(void);
+struct rpc_interface *its_proxy_create(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SERVICE_PROXY_FACTORY_H */
diff --git a/deployments/se-proxy/se_proxy_interfaces.h b/deployments/se-proxy/se_proxy_interfaces.h
new file mode 100644
index 0000000..48908f8
--- /dev/null
+++ b/deployments/se-proxy/se_proxy_interfaces.h
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef SE_PROXY_INTERFACES_H
+#define SE_PROXY_INTERFACES_H
+
+/* Interface IDs from service endpoints available from an se-proxy deployment */
+#define SE_PROXY_INTERFACE_ID_ITS (0)
+#define SE_PROXY_INTERFACE_ID_PS (1)
+#define SE_PROXY_INTERFACE_ID_CRYPTO (2)
+#define SE_PROXY_INTERFACE_ID_ATTEST (3)
+
+#endif /* SE_PROXY_INTERFACES_H */
diff --git a/tools/b-test/test_data.yaml b/tools/b-test/test_data.yaml
index 6a1201e..5c86866 100644
--- a/tools/b-test/test_data.yaml
+++ b/tools/b-test/test_data.yaml
@@ -37,6 +37,11 @@
- "-GUnix Makefiles"
- "-DSP_DEV_KIT_DIR=$SP_DEV_KIT_DIR"
- "-DCMAKE_VERBOSE_MAKEFILE=y"
+ - name: "se-proxy-optee-arm"
+ src: "$TS_ROOT/deployments/se-proxy/opteesp"
+ params:
+ - "-GUnix Makefiles"
+ - "-DSP_DEV_KIT_DIR=$SP_DEV_KIT_DIR"
- name: "sfs-demo-optee-arm"
src: "$TS_ROOT/deployments/sfs-demo/opteesp"
params: