Allow alternative backends for attestation provider
Refactors attestation service components to allow alternative
reporting and key management backends to be added. This enables
alternative deployments to be supported that realize the
reporting function differently, e.g. delegated to a separate
secure enclave.
Signed-off-by: Julian Hall <julian.hall@arm.com>
Change-Id: I55f8886dd05071b33d8d2deddf0a4a1d5c7c77ae
diff --git a/components/service/attestation/key_mngr/attest_key_mngr.h b/components/service/attestation/key_mngr/attest_key_mngr.h
index 341a298..b27d92b 100644
--- a/components/service/attestation/key_mngr/attest_key_mngr.h
+++ b/components/service/attestation/key_mngr/attest_key_mngr.h
@@ -11,41 +11,21 @@
#include <stddef.h>
#include <psa/crypto.h>
-/* Key ID for a volatile IAK (for test) */
-#define ATTEST_KEY_MNGR_VOLATILE_IAK (0)
-
#ifdef __cplusplus
extern "C" {
#endif
/**
- * The attestation key manager manages creation and access
- * to the IAK. In real device deployments, the IAK will
- * either be provisioned during manufacture or generated
- * on first run. To accommodate both sceanrios and to support
- * testing without a persistent key store, the IAK is
- * genarated automatically if the corresponding persistent
- * key doesn't exist.
+ * The attestation key manager presents an interface for
+ * managing creation and access to the IAK. In production
+ * deployments, the IAK will either be provisioned during
+ * manufacture or generated on first run. To accommodate
+ * both scenarios and to support testing without a persistent
+ * key store, the IAK is genarated automatically if the
+ * corresponding persistent key doesn't exist.
*/
/**
- * \brief Initialize the attest_key_mngr
- *
- * Initializes the attest_key_mngr. The provided key id should
- * be used as the identifier for the IAK. If a key ID of zero
- * is passed, a volatile IAK will be generated. This is useful
- * for test purposes.
- *
- * \param[in] iak_id The key id for the IAK
- */
-void attest_key_mngr_init(psa_key_id_t iak_id);
-
-/**
- * \brief De-initialize the attest_key_mngr
- */
-void attest_key_mngr_deinit(void);
-
-/**
* \brief Get the IAK key handle
*
* If an IAK doesn't exist, one will be generated. This supports the
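Review bot: The block comment on the now backend-neutral interface (the new lines starting "The attestation key manager presents an interface") still promises that the IAK is generated automatically when the persistent key is missing, without saying whether this binds every backend or only the local one. Generating a fresh IAK gives the device a new attestation identity, so the comment should state the scope explicitly, for example `Backends that hold the key locally generate the IAK automatically if the corresponding persistent key doesn't exist.` The new text also carries the typo `genarated`. The `\brief Get the IAK key handle` comment continues outside the hunk.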
diff --git a/components/service/attestation/key_mngr/component.cmake b/components/service/attestation/key_mngr/local/component.cmake
similarity index 88%
copy from components/service/attestation/key_mngr/component.cmake
copy to components/service/attestation/key_mngr/local/component.cmake
index 722d4f5..59c5841 100644
--- a/components/service/attestation/key_mngr/component.cmake
+++ b/components/service/attestation/key_mngr/local/component.cmake
@@ -9,5 +9,5 @@
endif()
target_sources(${TGT} PRIVATE
- "${CMAKE_CURRENT_LIST_DIR}/attest_key_mngr.c"
+ "${CMAKE_CURRENT_LIST_DIR}/local_attest_key_mngr.c"
)
diff --git a/components/service/attestation/key_mngr/attest_key_mngr.c b/components/service/attestation/key_mngr/local/local_attest_key_mngr.c
similarity index 94%
rename from components/service/attestation/key_mngr/attest_key_mngr.c
rename to components/service/attestation/key_mngr/local/local_attest_key_mngr.c
index 3814710..d77bf4c 100644
--- a/components/service/attestation/key_mngr/attest_key_mngr.c
+++ b/components/service/attestation/key_mngr/local/local_attest_key_mngr.c
@@ -6,12 +6,13 @@
#include <stdbool.h>
#include <psa/crypto.h>
-#include "attest_key_mngr.h"
+#include <service/attestation/key_mngr/attest_key_mngr.h>
+#include "local_attest_key_mngr.h"
/**
- * The singleton attest_key_mngr instance.
+ * The singleton local_attest_key_mngr instance.
*/
-static struct attest_key_mngr
+static struct local_attest_key_mngr
{
bool is_iak_open;
psa_key_id_t iak_id;
@@ -65,14 +66,14 @@
return status;
}
-void attest_key_mngr_init(psa_key_id_t iak_id)
+void local_attest_key_mngr_init(psa_key_id_t iak_id)
{
instance.is_iak_open = false;
instance.iak_id = iak_id;
instance.iak_handle = -1;
}
-void attest_key_mngr_deinit(void)
+void local_attest_key_mngr_deinit(void)
{
if (instance.is_iak_open && !instance.iak_id) {
diff --git a/components/service/attestation/key_mngr/local/local_attest_key_mngr.h b/components/service/attestation/key_mngr/local/local_attest_key_mngr.h
new file mode 100644
index 0000000..e327422
--- /dev/null
+++ b/components/service/attestation/key_mngr/local/local_attest_key_mngr.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef LOCAL_ATTEST_KEY_MNGR_H
+#define LOCAL_ATTEST_KEY_MNGR_H
+
+#include <psa/crypto.h>
+
+/* Key ID for a volatile IAK (for test) */
+#define LOCAL_ATTEST_KEY_MNGR_VOLATILE_IAK (0)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * A local attestation key manager that manages the IAK on
+ * behalf of a local reporter. Used to support local signing
+ * of reports. The local_attest_key_mngr provides a
+ * realization of the public interface defined in
+ * attest_key_mngr.h.
+ */
+
+/**
+ * \brief Initialize the local_attest_key_mngr
+ *
+ * Initializes the local_attest_key_mngr. The provided key id should
+ * be used as the identifier for the IAK. If a key ID of zero
+ * is passed, a volatile IAK will be generated. This is useful
+ * for test purposes.
+ *
+ * \param[in] iak_id The key id for the IAK
+ */
+void local_attest_key_mngr_init(psa_key_id_t iak_id);
+
+/**
+ * \brief De-initialize the attest_key_mngr
+ */
+void local_attest_key_mngr_deinit(void);
+
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* LOCAL_ATTEST_KEY_MNGR_H */
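Review bot: The `\brief` on `local_attest_key_mngr_deinit()` still names the old component and should read `\brief De-initialize the local_attest_key_mngr`. The comment also says nothing about what deinit does to the key. The condition `instance.is_iak_open && !instance.iak_id` in local_attest_key_mngr.c suggests cleanup specific to the volatile IAK, though that body is outside the visible hunks. One sentence stating whether a volatile IAK is destroyed and a persistent one is left in the key store would make the lifetime clear to deployment code that now calls this directly.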
diff --git a/components/service/attestation/provider/attest_provider.c b/components/service/attestation/provider/attest_provider.c
index 7ebf833..990b875 100644
--- a/components/service/attestation/provider/attest_provider.c
+++ b/components/service/attestation/provider/attest_provider.c
@@ -28,7 +28,7 @@
{TS_ATTESTATION_OPCODE_IAK_EXISTS, iak_exists_handler}
};
-struct rpc_interface *attest_provider_init(struct attest_provider *context, psa_key_id_t iak_id)
+struct rpc_interface *attest_provider_init(struct attest_provider *context)
{
struct rpc_interface *rpc_interface = NULL;
@@ -40,8 +40,6 @@
service_provider_init(&context->base_provider, context,
handler_table, sizeof(handler_table)/sizeof(struct service_handler));
- attest_key_mngr_init(iak_id);
-
rpc_interface = service_provider_get_rpc_interface(&context->base_provider);
}
@@ -51,7 +49,6 @@
void attest_provider_deinit(struct attest_provider *context)
{
(void)context;
- attest_key_mngr_deinit();
}
void attest_provider_register_serializer(struct attest_provider *context,
@@ -88,28 +85,20 @@
if (rpc_status == TS_RPC_CALL_ACCEPTED) {
- psa_key_handle_t iak_handle;
- int opstatus = attest_key_mngr_get_iak_handle(&iak_handle);
+ const uint8_t *token = NULL;
+ size_t token_size = 0;
+
+ int opstatus = attest_report_create((int32_t)call_req_get_caller_id(req),
+ challenge, challenge_len,
+ &token, &token_size);
if (opstatus == PSA_SUCCESS) {
- const uint8_t *token = NULL;
- size_t token_size = 0;
-
- opstatus = attest_report_create(iak_handle,
- (int32_t)call_req_get_caller_id(req),
- challenge, challenge_len,
- &token, &token_size);
-
- if (opstatus == PSA_SUCCESS) {
-
- struct call_param_buf *resp_buf = call_req_get_resp_buf(req);
- rpc_status = serializer->serialize_get_token_resp(resp_buf, token, token_size);
- }
-
- attest_report_destroy(token);
+ struct call_param_buf *resp_buf = call_req_get_resp_buf(req);
+ rpc_status = serializer->serialize_get_token_resp(resp_buf, token, token_size);
}
+ attest_report_destroy(token);
call_req_set_opstatus(req, opstatus);
}
@@ -134,28 +123,20 @@
if (rpc_status == TS_RPC_CALL_ACCEPTED) {
- psa_key_handle_t iak_handle;
- int opstatus = attest_key_mngr_get_iak_handle(&iak_handle);
+ const uint8_t *token = NULL;
+ size_t token_size = 0;
+
+ int opstatus = attest_report_create((int32_t)call_req_get_caller_id(req),
+ challenge, challenge_len,
+ &token, &token_size);
if (opstatus == PSA_SUCCESS) {
- const uint8_t *token = NULL;
- size_t token_size = 0;
-
- opstatus = attest_report_create(iak_handle,
- (int32_t)call_req_get_caller_id(req),
- challenge, challenge_len,
- &token, &token_size);
-
- if (opstatus == PSA_SUCCESS) {
-
- struct call_param_buf *resp_buf = call_req_get_resp_buf(req);
- rpc_status = serializer->serialize_get_token_size_resp(resp_buf, token_size);
- }
-
- attest_report_destroy(token);
+ struct call_param_buf *resp_buf = call_req_get_resp_buf(req);
+ rpc_status = serializer->serialize_get_token_size_resp(resp_buf, token_size);
}
+ attest_report_destroy(token);
call_req_set_opstatus(req, opstatus);
}
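Review bot: The token-size handler in this hunk still has `attest_report_create()` build and sign a complete token, serializes only `token_size`, and then discards the token. With the reporter now a pluggable backend, each size query costs a full IAK signing operation, and for a delegated backend presumably a round trip to the signer as well. If that is intentional, a short comment such as `/* Size is obtained by creating a full report; no cheaper backend query exists */` would record it; otherwise a size-only backend call is worth considering. This hunk and the get-token hunk above are line-for-line identical apart from the serializer call, so a shared helper would keep the two paths from diverging.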
diff --git a/components/service/attestation/provider/attest_provider.h b/components/service/attestation/provider/attest_provider.h
index ed3b59a..26f21b5 100644
--- a/components/service/attestation/provider/attest_provider.h
+++ b/components/service/attestation/provider/attest_provider.h
@@ -35,12 +35,10 @@
* that should be associated with a suitable rpc endpoint.
*
* \param[in] context The instance to initialize
- * \param[in] iak_id The key ID for the IAK
*
* \return An rpc_interface or NULL on failure
*/
-struct rpc_interface *attest_provider_init(struct attest_provider *context,
- psa_key_id_t iak_id);
+struct rpc_interface *attest_provider_init(struct attest_provider *context);
/**
* \brief Cleans up when the instance is no longer needed
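Review bot: The doc comment for `attest_provider_init()` drops the `iak_id` parameter but does not record the precondition that replaces it. The provider no longer initializes a key manager, so the deployment must have initialized the chosen key manager and reporter backend before the returned rpc_interface handles a request. Suggest adding a line such as `* The attestation key manager backend used by the deployment must be initialized before requests are served.` Without it, a deployment that omits the backend init call gets no hint from the API, and the resulting behaviour depends on the backend's uninitialized state.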
diff --git a/components/service/attestation/reporter/attest_report.h b/components/service/attestation/reporter/attest_report.h
index f5c6fb0..ff7425b 100644
--- a/components/service/attestation/reporter/attest_report.h
+++ b/components/service/attestation/reporter/attest_report.h
@@ -10,7 +10,6 @@
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
-#include <psa/crypto.h>
#ifdef __cplusplus
extern "C" {
@@ -19,12 +18,9 @@
/**
* \brief Creates an attestation report
*
- * Using the view of the security state of the device provided by
- * the claims_register, a signed attestation report is created. On
- * success, a buffer is allocated for the signed report. The buffer
- * must be freed by calling attest_report_destroy().
+ * Common interface for creating an attestation report using the
+ * backend reporter incuded in a deployment.
*
- * \param[in] key_handle Signing key handle
* \param[in] client_id The requesting client id
* \param[in] auth_challenge_data The auth challenge from the requester
* \param[in] auth_challenge_len The auth challenge from the requester
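Review bot: The rewritten description removes the buffer-ownership contract: the old text said a buffer is allocated on success and must be freed with `attest_report_destroy()`, and the new two lines say nothing about it. This header is now the contract every backend reporter implements, and the handlers in attest_provider.c call `attest_report_destroy(token)` unconditionally, including after a failed create. The comment should therefore keep the ownership sentence and add that `*report` is NULL on failure and that destroy accepts NULL. The new text also has the typo `incuded`. The comment block continues outside the hunk.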
@@ -33,7 +29,7 @@
*
* \return Operation status
*/
-int attest_report_create(psa_key_handle_t key_handle, int32_t client_id,
+int attest_report_create(int32_t client_id,
const uint8_t *auth_challenge_data, size_t auth_challenge_len,
const uint8_t **report, size_t *report_len);
diff --git a/components/service/attestation/reporter/psa/component.cmake b/components/service/attestation/reporter/eat/component.cmake
similarity index 90%
rename from components/service/attestation/reporter/psa/component.cmake
rename to components/service/attestation/reporter/eat/component.cmake
index 084c00f..f32ba89 100644
--- a/components/service/attestation/reporter/psa/component.cmake
+++ b/components/service/attestation/reporter/eat/component.cmake
@@ -9,7 +9,6 @@
endif()
target_sources(${TGT} PRIVATE
- "${CMAKE_CURRENT_LIST_DIR}/psa_attest_report.c"
"${CMAKE_CURRENT_LIST_DIR}/eat_serializer.c"
"${CMAKE_CURRENT_LIST_DIR}/eat_signer.c"
)
diff --git a/components/service/attestation/reporter/psa/eat_serializer.c b/components/service/attestation/reporter/eat/eat_serializer.c
similarity index 100%
rename from components/service/attestation/reporter/psa/eat_serializer.c
rename to components/service/attestation/reporter/eat/eat_serializer.c
diff --git a/components/service/attestation/reporter/psa/eat_serializer.h b/components/service/attestation/reporter/eat/eat_serializer.h
similarity index 100%
rename from components/service/attestation/reporter/psa/eat_serializer.h
rename to components/service/attestation/reporter/eat/eat_serializer.h
diff --git a/components/service/attestation/reporter/psa/eat_signer.c b/components/service/attestation/reporter/eat/eat_signer.c
similarity index 100%
rename from components/service/attestation/reporter/psa/eat_signer.c
rename to components/service/attestation/reporter/eat/eat_signer.c
diff --git a/components/service/attestation/reporter/psa/eat_signer.h b/components/service/attestation/reporter/eat/eat_signer.h
similarity index 100%
rename from components/service/attestation/reporter/psa/eat_signer.h
rename to components/service/attestation/reporter/eat/eat_signer.h
diff --git a/components/service/attestation/key_mngr/component.cmake b/components/service/attestation/reporter/local/component.cmake
similarity index 88%
rename from components/service/attestation/key_mngr/component.cmake
rename to components/service/attestation/reporter/local/component.cmake
index 722d4f5..6bcd261 100644
--- a/components/service/attestation/key_mngr/component.cmake
+++ b/components/service/attestation/reporter/local/component.cmake
@@ -9,5 +9,5 @@
endif()
target_sources(${TGT} PRIVATE
- "${CMAKE_CURRENT_LIST_DIR}/attest_key_mngr.c"
+ "${CMAKE_CURRENT_LIST_DIR}/local_attest_report.c"
)
diff --git a/components/service/attestation/reporter/psa/psa_attest_report.c b/components/service/attestation/reporter/local/local_attest_report.c
similarity index 86%
rename from components/service/attestation/reporter/psa/psa_attest_report.c
rename to components/service/attestation/reporter/local/local_attest_report.c
index 1f4ed0e..8da9d51 100644
--- a/components/service/attestation/reporter/psa/psa_attest_report.c
+++ b/components/service/attestation/reporter/local/local_attest_report.c
@@ -5,10 +5,10 @@
*/
/**
- * An attestation reporter that creates PSA compliant attestation
- * reports. The report content is specified by the PSA Attestation
- * specification. Reports are serialized using CBOR and signed using
- * COSE.
+ * An attestation reporter that creates attestation reports using claims
+ * collected from claim sources registered with the local claims regsiter.
+ * Reports are serialized using CBOR and signed using COSE in-line with
+ * EAT conventions.
*/
#include <stdlib.h>
@@ -17,8 +17,9 @@
#include <psa/initial_attestation.h>
#include <service/attestation/reporter/attest_report.h>
#include <service/attestation/claims/claims_register.h>
-#include "eat_serializer.h"
-#include "eat_signer.h"
+#include <service/attestation/reporter/eat/eat_serializer.h>
+#include <service/attestation/reporter/eat/eat_signer.h>
+#include <service/attestation/key_mngr/attest_key_mngr.h>
/* Local defines */
#define MAX_DEVICE_CLAIMS (50)
@@ -30,19 +31,23 @@
static void add_no_sw_claim(struct claim_vector *v);
-int attest_report_create(psa_key_handle_t key_handle, int32_t client_id,
+int attest_report_create(int32_t client_id,
const uint8_t *auth_challenge_data, size_t auth_challenge_len,
const uint8_t **report, size_t *report_len)
{
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
struct claim_vector device_claims;
struct claim_vector sw_claims;
+ psa_key_handle_t key_handle;
*report = NULL;
*report_len = 0;
if (!validate_challenge(auth_challenge_len)) return PSA_ERROR_INVALID_ARGUMENT;
+ status = attest_key_mngr_get_iak_handle(&key_handle);
+ if (status != PSA_SUCCESS) return status;
+
claim_vector_init(&device_claims, MAX_DEVICE_CLAIMS);
claim_vector_init(&sw_claims, MAX_SW_CLAIMS);
diff --git a/components/service/attestation/test/component/attestation_reporter_tests.cpp b/components/service/attestation/test/component/attestation_reporter_tests.cpp
index d0d0948..0ef31c2 100644
--- a/components/service/attestation/test/component/attestation_reporter_tests.cpp
+++ b/components/service/attestation/test/component/attestation_reporter_tests.cpp
@@ -18,6 +18,7 @@
#include <service/attestation/reporter/attest_report.h>
#include <service/attestation/reporter/dump/raw/raw_report_dump.h>
#include <service/attestation/key_mngr/attest_key_mngr.h>
+#include <service/attestation/key_mngr/local/local_attest_key_mngr.h>
#include <protocols/service/attestation/packed-c/eat.h>
#include <CppUTest/TestHarness.h>
@@ -32,7 +33,7 @@
report_len;
psa_crypto_init();
- attest_key_mngr_init(ATTEST_KEY_MNGR_VOLATILE_IAK);
+ local_attest_key_mngr_init(LOCAL_ATTEST_KEY_MNGR_VOLATILE_IAK);
/* The set of registered claim_sources determines the content
* of a generated attestation source. The set and type of
@@ -62,7 +63,7 @@
{
attest_report_destroy(report);
claims_register_deinit();
- attest_key_mngr_deinit();
+ local_attest_key_mngr_deinit();
}
struct event_log_claim_source event_log_claim_source;
@@ -90,7 +91,7 @@
LONGS_EQUAL(PSA_SUCCESS, status);
/* Create a report */
- status = attest_report_create(iak_handle, client_id,
+ status = attest_report_create(client_id,
auth_challenge, sizeof(auth_challenge),
&report, &report_len);
diff --git a/components/service/locator/standalone/services/attestation/attestation_service_context.cpp b/components/service/locator/standalone/services/attestation/attestation_service_context.cpp
index a00295c..0090cf7 100644
--- a/components/service/locator/standalone/services/attestation/attestation_service_context.cpp
+++ b/components/service/locator/standalone/services/attestation/attestation_service_context.cpp
@@ -9,6 +9,7 @@
#include <service/attestation/claims/claims_register.h>
#include <service/attestation/claims/sources/event_log/event_log_claim_source.h>
#include <service/attestation/claims/sources/event_log/mock/mock_event_log.h>
+#include <service/attestation/key_mngr/local/local_attest_key_mngr.h>
#include <config/ramstore/config_ramstore.h>
#include <config/interface/config_store.h>
#include <config/interface/config_blob.h>
@@ -80,8 +81,8 @@
claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
/* Initialize the attestation service provider */
- struct rpc_interface *attest_ep =
- attest_provider_init(&m_attest_provider, ATTEST_KEY_MNGR_VOLATILE_IAK);
+ local_attest_key_mngr_init(LOCAL_ATTEST_KEY_MNGR_VOLATILE_IAK);
+ struct rpc_interface *attest_ep = attest_provider_init(&m_attest_provider);
attest_provider_register_serializer(&m_attest_provider,
TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance());
@@ -94,4 +95,5 @@
attest_provider_deinit(&m_attest_provider);
claims_register_deinit();
config_ramstore_deinit();
+ local_attest_key_mngr_deinit();
}
diff --git a/deployments/attestation/opteesp/CMakeLists.txt b/deployments/attestation/opteesp/CMakeLists.txt
index cd54450..5cd47d7 100644
--- a/deployments/attestation/opteesp/CMakeLists.txt
+++ b/deployments/attestation/opteesp/CMakeLists.txt
@@ -58,8 +58,9 @@
"components/service/attestation/claims/sources/instance_id"
"components/service/attestation/claims/sources/event_log"
"components/service/attestation/claims/sources/event_log/mock"
- "components/service/attestation/reporter/psa"
- "components/service/attestation/key_mngr"
+ "components/service/attestation/reporter/local"
+ "components/service/attestation/reporter/eat"
+ "components/service/attestation/key_mngr/local"
"components/service/attestation/provider"
"components/service/attestation/provider/serializer/packed-c"
"protocols/rpc/common/packed-c"
diff --git a/deployments/attestation/opteesp/attestation_sp.c b/deployments/attestation/opteesp/attestation_sp.c
index c891f4d..0bb5fa2 100644
--- a/deployments/attestation/opteesp/attestation_sp.c
+++ b/deployments/attestation/opteesp/attestation_sp.c
@@ -16,6 +16,7 @@
#include <service/attestation/claims/sources/boot_seed_generator/boot_seed_generator.h>
#include <service/attestation/claims/sources/null_lifecycle/null_lifecycle_claim_source.h>
#include <service/attestation/claims/sources/instance_id/instance_id_claim_source.h>
+#include <service/attestation/key_mngr/local/local_attest_key_mngr.h>
#include <ffa_api.h>
#include <sp_api.h>
#include <sp_rxtx.h>
@@ -80,7 +81,8 @@
*/
psa_crypto_init(); /* temporary */
- attest_iface = attest_provider_init(&attest_provider, ATTEST_KEY_MNGR_VOLATILE_IAK);
+ local_attest_key_mngr_init(LOCAL_ATTEST_KEY_MNGR_VOLATILE_IAK);
+ attest_iface = attest_provider_init(&attest_provider);
attest_provider_register_serializer(&attest_provider,
TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance());
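Review bot: The secure partition now explicitly selects `LOCAL_ATTEST_KEY_MNGR_VOLATILE_IAK`, which local_attest_key_mngr.h documents as "for test". With a volatile IAK the signing key does not persist, so tokens from this deployment cannot be tied to a provisioned device identity. Now that the choice is made in deployment code rather than passed through the provider, it deserves a marker like the one already on `psa_crypto_init(); /* temporary */`, for example `/* temporary: volatile IAK until a persistent key ID is provisioned */`. The same applies to the identical call added in deployments/se-proxy/opteesp/service_proxy_factory.c. The enclosing function starts and ends outside the hunk.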
diff --git a/deployments/component-test/component-test.cmake b/deployments/component-test/component-test.cmake
index 9b6dcf8..7c82cb7 100644
--- a/deployments/component-test/component-test.cmake
+++ b/deployments/component-test/component-test.cmake
@@ -51,9 +51,10 @@
"components/service/attestation/claims/sources/event_log"
"components/service/attestation/claims/sources/event_log/mock"
"components/service/attestation/claims/sources/event_log/test"
- "components/service/attestation/reporter/psa"
+ "components/service/attestation/reporter/local"
+ "components/service/attestation/reporter/eat"
"components/service/attestation/reporter/dump/raw"
- "components/service/attestation/key_mngr"
+ "components/service/attestation/key_mngr/local"
"components/service/attestation/provider"
"components/service/attestation/provider/serializer/packed-c"
"components/service/attestation/client/psa"
diff --git a/deployments/libts/linux-pc/CMakeLists.txt b/deployments/libts/linux-pc/CMakeLists.txt
index 3f0bbcf..f8ab349 100644
--- a/deployments/libts/linux-pc/CMakeLists.txt
+++ b/deployments/libts/linux-pc/CMakeLists.txt
@@ -49,8 +49,9 @@
"components/service/attestation/claims/sources/instance_id"
"components/service/attestation/claims/sources/event_log"
"components/service/attestation/claims/sources/event_log/mock"
- "components/service/attestation/reporter/psa"
- "components/service/attestation/key_mngr"
+ "components/service/attestation/reporter/local"
+ "components/service/attestation/reporter/eat"
+ "components/service/attestation/key_mngr/local"
"components/service/attestation/provider"
"components/service/attestation/provider/serializer/packed-c"
"components/service/crypto/provider"
diff --git a/deployments/se-proxy/opteesp/CMakeLists.txt b/deployments/se-proxy/opteesp/CMakeLists.txt
index 4ab8906..29d2edc 100644
--- a/deployments/se-proxy/opteesp/CMakeLists.txt
+++ b/deployments/se-proxy/opteesp/CMakeLists.txt
@@ -74,8 +74,9 @@
"components/service/attestation/claims/sources/instance_id"
"components/service/attestation/claims/sources/event_log"
"components/service/attestation/claims/sources/event_log/mock"
- "components/service/attestation/reporter/psa"
- "components/service/attestation/key_mngr"
+ "components/service/attestation/reporter/local"
+ "components/service/attestation/reporter/eat"
+ "components/service/attestation/key_mngr/local"
"components/service/secure_storage/frontend/psa/its"
"components/service/secure_storage/backend/secure_flash_store"
"components/service/secure_storage/backend/secure_flash_store/flash_fs"
diff --git a/deployments/se-proxy/opteesp/service_proxy_factory.c b/deployments/se-proxy/opteesp/service_proxy_factory.c
index 303ff0f..6bbee65 100644
--- a/deployments/se-proxy/opteesp/service_proxy_factory.c
+++ b/deployments/se-proxy/opteesp/service_proxy_factory.c
@@ -21,6 +21,7 @@
#include <service/attestation/claims/sources/instance_id/instance_id_claim_source.h>
#include <service/secure_storage/backend/secure_flash_store/secure_flash_store.h>
#include <service/crypto/backend/mbedcrypto/mbedcrypto_backend.h>
+#include <service/attestation/key_mngr/local/local_attest_key_mngr.h>
/* A shared storage backend - should be removed when proxy backends are added */
@@ -61,7 +62,8 @@
claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
/* Initialize the service provider */
- attest_iface = attest_provider_init(&attest_provider, ATTEST_KEY_MNGR_VOLATILE_IAK);
+ local_attest_key_mngr_init(LOCAL_ATTEST_KEY_MNGR_VOLATILE_IAK);
+ attest_iface = attest_provider_init(&attest_provider);
attest_provider_register_serializer(&attest_provider,
TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance());