Align to PSA Attestation API tests
Fixes psa-api-test/initial_attestation deployments for linux_pc
and arm-linux. Also includes changes to enable tests to obtain
the public IAK and fetch and verify attestation token. The
attestation psa arch test currently fails because of a
hard-coded expectation that the attestation token only
contains a single sw component. On Linux platforms, there
are multiple sw components. Other verification checks on
the attestation token pass.
Signed-off-by: Julian Hall <julian.hall@arm.com>
Change-Id: I7b380b8d1478bc340b5a4b133799c231f64942ff
diff --git a/components/app/platform-inspect/attest_report_fetcher.cpp b/components/app/platform-inspect/attest_report_fetcher.cpp
index a600ca4..d2277b4 100644
--- a/components/app/platform-inspect/attest_report_fetcher.cpp
+++ b/components/app/platform-inspect/attest_report_fetcher.cpp
@@ -17,8 +17,6 @@
#include <qcbor/qcbor_spiffy_decode.h>
#include <t_cose/t_cose_sign1_verify.h>
-#define IAK_KEY_BITS (256)
-
static bool fetch_and_verify(std::vector<uint8_t> &report, std::string &error_msg);
static bool fetch_iak_public_key(psa_key_handle_t &iak_handle, std::string &error_msg);
static bool verify_token(std::vector<uint8_t> &report, const uint8_t *token, size_t token_len,
@@ -108,10 +106,7 @@
static bool fetch_iak_public_key(psa_key_handle_t &iak_handle, std::string &error_msg)
{
size_t iak_pub_key_len = 0;
- uint8_t iak_pub_key_buf[PSA_KEY_EXPORT_MAX_SIZE(
- PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(
- PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1)),
- IAK_KEY_BITS)];
+ uint8_t iak_pub_key_buf[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
int status = attest_provision_export_iak_public_key(iak_pub_key_buf,
sizeof(iak_pub_key_buf), &iak_pub_key_len);
@@ -124,8 +119,8 @@
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
- psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_CURVE_SECP256R1));
- psa_set_key_bits(&attributes, IAK_KEY_BITS);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));
+ psa_set_key_bits(&attributes, 256);
status = psa_import_key(&attributes, iak_pub_key_buf, iak_pub_key_len, &iak_handle);
diff --git a/components/service/attestation/claims/sources/implementation_id/component.cmake b/components/service/attestation/claims/sources/implementation_id/component.cmake
new file mode 100644
index 0000000..43c1903
--- /dev/null
+++ b/components/service/attestation/claims/sources/implementation_id/component.cmake
@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/implementation_id_claim_source.c"
+ )
diff --git a/components/service/attestation/claims/sources/implementation_id/implementation_id_claim_source.c b/components/service/attestation/claims/sources/implementation_id/implementation_id_claim_source.c
new file mode 100644
index 0000000..3610c07
--- /dev/null
+++ b/components/service/attestation/claims/sources/implementation_id/implementation_id_claim_source.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <string.h>
+#include <service/attestation/claims/claim.h>
+#include "implementation_id_claim_source.h"
+
+static bool get_claim(void *context, struct claim *claim);
+
+struct claim_source *implementation_id_claim_source_init(
+ struct implementation_id_claim_source *instance,
+ const char *id_string)
+{
+ instance->base.get_claim = get_claim;
+ instance->base.context = instance;
+
+ instance->id_string = id_string;
+
+ return &instance->base;
+}
+
+static bool get_claim(void *context, struct claim *claim)
+{
+ struct implementation_id_claim_source *instance = (struct implementation_id_claim_source*)context;
+
+ if (instance->id_string) {
+
+ claim->category = CLAIM_CATEGORY_DEVICE;
+ claim->subject_id = CLAIM_SUBJECT_ID_IMPLEMENTATION_ID;
+ claim->variant_id = CLAIM_VARIANT_ID_BYTE_STRING;
+ claim->raw_data = NULL;
+
+ claim->variant.byte_string.bytes = instance->id_string;
+ claim->variant.byte_string.len = strlen(instance->id_string);
+ }
+
+ return instance->id_string;
+}
diff --git a/components/service/attestation/claims/sources/implementation_id/implementation_id_claim_source.h b/components/service/attestation/claims/sources/implementation_id/implementation_id_claim_source.h
new file mode 100644
index 0000000..0b7015d
--- /dev/null
+++ b/components/service/attestation/claims/sources/implementation_id/implementation_id_claim_source.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef IMPLENTATION_ID_CLAIM_SOURCE_H
+#define IMPLENTATION_ID_CLAIM_SOURCE_H
+
+#include <service/attestation/claims/claim_source.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * A claim_source that provides an identifier for the
+ * root of trust implementation.
+ */
+struct implementation_id_claim_source
+{
+ struct claim_source base;
+ const char *id_string;
+};
+
+/**
+ * \brief Initializes a struct implementation_id_claim_source
+ *
+ * \param[in] instance The instance to initialze
+ * \param[in] id_string The id string
+ *
+ * \return The initialize base claim_source structure
+ */
+struct claim_source *implementation_id_claim_source_init(
+ struct implementation_id_claim_source *instance,
+ const char *id_string);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* IMPLENTATION_ID_CLAIM_SOURCE_H */
diff --git a/components/service/attestation/client/provision/attest_provision_client.c b/components/service/attestation/client/provision/attest_provision_client.c
index 5aca130..90fe04d 100644
--- a/components/service/attestation/client/provision/attest_provision_client.c
+++ b/components/service/attestation/client/provision/attest_provision_client.c
@@ -8,6 +8,7 @@
#include <string.h>
#include "attest_provision_client.h"
#include <common/tlv/tlv.h>
+#include <psa/initial_attestation.h>
#include <provision/attest_provision.h>
#include <protocols/service/attestation/packed-c/export_iak_public_key.h>
#include <protocols/service/attestation/packed-c/import_iak.h>
@@ -174,3 +175,20 @@
return psa_status;
}
+
+psa_status_t tfm_initial_attest_get_public_key(
+ uint8_t *public_key,
+ size_t public_key_buf_size,
+ size_t *public_key_len,
+ psa_ecc_family_t *elliptic_curve_type)
+{
+ /* Wrapper to provide compatibility with psa arch tests that assume a TF-M
+ * based device under test.
+ */
+ *elliptic_curve_type = PSA_ECC_FAMILY_SECP_R1;
+
+ psa_status_t status = attest_provision_export_iak_public_key(public_key,
+ public_key_buf_size, public_key_len);
+
+ return status;
+}
diff --git a/components/service/attestation/client/psa/iat_client.c b/components/service/attestation/client/psa/iat_client.c
index 5c88018..c2bb035 100644
--- a/components/service/attestation/client/psa/iat_client.c
+++ b/components/service/attestation/client/psa/iat_client.c
@@ -53,6 +53,8 @@
psa_status_t psa_status = PSA_ERROR_INVALID_ARGUMENT;
size_t req_len = tlv_required_space(challenge_size);
+ if (!token_buf || !token_buf_size) return PSA_ERROR_INVALID_ARGUMENT;
+
struct tlv_record challenge_record;
challenge_record.tag = TS_ATTESTATION_GET_TOKEN_IN_TAG_AUTH_CHALLENGE;
challenge_record.length = challenge_size;
diff --git a/components/service/attestation/include/psa/initial_attestation.h b/components/service/attestation/include/psa/initial_attestation.h
index 2aa93d3..7b44220 100644
--- a/components/service/attestation/include/psa/initial_attestation.h
+++ b/components/service/attestation/include/psa/initial_attestation.h
@@ -18,6 +18,7 @@
#include <limits.h>
#include <stdint.h>
#include <stddef.h>
+#include <psa/crypto.h>
#include <psa/error.h>
#ifdef __cplusplus
@@ -201,6 +202,30 @@
psa_initial_attest_get_token_size(size_t challenge_size,
size_t *token_size);
+/**
+ * \brief Get the attestation public key
+ *
+ * This function is for compatibility with the PSA Arch tests that use
+ * a TF-M specific function to retieve the IAK public key from the device
+ * under test.
+ *
+ * \param[out] public_key Pointer to the buffer where the public key
+ * will be stored.
+ * \param[in] key_buf_size Size of allocated buffer for key, in bytes.
+ * \param[out] public_key_len Size of public key in bytes.
+ * \param[out] public_key_curve Type of the elliptic curve which the key
+ * belongs to.
+ *
+ * \note Currently only the ECDSA P-256 over SHA-256 algorithm is supported.
+ *
+ * \return Returns error code as specified in \ref psa_status_t
+ */
+psa_status_t
+tfm_initial_attest_get_public_key(uint8_t *public_key,
+ size_t public_key_buf_size,
+ size_t *public_key_len,
+ psa_ecc_family_t *elliptic_curve_type);
+
#ifdef __cplusplus
}
#endif
diff --git a/components/service/crypto/client/psa/psa_mac.c b/components/service/crypto/client/psa/psa_mac.c
index 8228fe6..9844ec6 100644
--- a/components/service/crypto/client/psa/psa_mac.c
+++ b/components/service/crypto/client/psa/psa_mac.c
@@ -284,3 +284,14 @@
{
return PSA_ERROR_NOT_SUPPORTED;
}
+
+psa_status_t psa_mac_compute(psa_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length)
+{
+ return PSA_ERROR_NOT_SUPPORTED;
+}
diff --git a/components/service/locator/standalone/services/attestation/attestation_service_context.cpp b/components/service/locator/standalone/services/attestation/attestation_service_context.cpp
index 0090cf7..df676cd 100644
--- a/components/service/locator/standalone/services/attestation/attestation_service_context.cpp
+++ b/components/service/locator/standalone/services/attestation/attestation_service_context.cpp
@@ -21,7 +21,8 @@
m_event_log_claim_source(),
m_boot_seed_claim_source(),
m_lifecycle_claim_source(),
- m_instance_id_claim_source()
+ m_instance_id_claim_source(),
+ m_implementation_id_claim_source()
{
}
@@ -80,6 +81,11 @@
claim_source = instance_id_claim_source_init(&m_instance_id_claim_source);
claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
+ /* Implementation ID claim source */
+ claim_source = implementation_id_claim_source_init(&m_implementation_id_claim_source,
+ "trustedfirmware.org.ts.standalone");
+ claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
+
/* Initialize the attestation service provider */
local_attest_key_mngr_init(LOCAL_ATTEST_KEY_MNGR_VOLATILE_IAK);
struct rpc_interface *attest_ep = attest_provider_init(&m_attest_provider);
diff --git a/components/service/locator/standalone/services/attestation/attestation_service_context.h b/components/service/locator/standalone/services/attestation/attestation_service_context.h
index 8ccd938..cf6b5b7 100644
--- a/components/service/locator/standalone/services/attestation/attestation_service_context.h
+++ b/components/service/locator/standalone/services/attestation/attestation_service_context.h
@@ -14,6 +14,7 @@
#include <service/attestation/claims/sources/boot_seed_generator/boot_seed_generator.h>
#include <service/attestation/claims/sources/null_lifecycle/null_lifecycle_claim_source.h>
#include <service/attestation/claims/sources/instance_id/instance_id_claim_source.h>
+#include <service/attestation/claims/sources/implementation_id/implementation_id_claim_source.h>
class attestation_service_context : public standalone_service_context
{
@@ -31,6 +32,7 @@
struct boot_seed_generator m_boot_seed_claim_source;
struct null_lifecycle_claim_source m_lifecycle_claim_source;
struct instance_id_claim_source m_instance_id_claim_source;
+ struct implementation_id_claim_source m_implementation_id_claim_source;
};
#endif /* STANDALONE_ATTESTATION_SERVICE_CONTEXT_H */
diff --git a/deployments/attestation/opteesp/CMakeLists.txt b/deployments/attestation/opteesp/CMakeLists.txt
index 5cd47d7..40578e3 100644
--- a/deployments/attestation/opteesp/CMakeLists.txt
+++ b/deployments/attestation/opteesp/CMakeLists.txt
@@ -56,6 +56,7 @@
"components/service/attestation/claims/sources/boot_seed_generator"
"components/service/attestation/claims/sources/null_lifecycle"
"components/service/attestation/claims/sources/instance_id"
+ "components/service/attestation/claims/sources/implementation_id"
"components/service/attestation/claims/sources/event_log"
"components/service/attestation/claims/sources/event_log/mock"
"components/service/attestation/reporter/local"
diff --git a/deployments/component-test/component-test.cmake b/deployments/component-test/component-test.cmake
index 4973793..2cfff4c 100644
--- a/deployments/component-test/component-test.cmake
+++ b/deployments/component-test/component-test.cmake
@@ -48,6 +48,7 @@
"components/service/attestation/claims/sources/boot_seed_generator"
"components/service/attestation/claims/sources/null_lifecycle"
"components/service/attestation/claims/sources/instance_id"
+ "components/service/attestation/claims/sources/implementation_id"
"components/service/attestation/claims/sources/event_log"
"components/service/attestation/claims/sources/event_log/mock"
"components/service/attestation/claims/sources/event_log/test"
diff --git a/deployments/libts/linux-pc/CMakeLists.txt b/deployments/libts/linux-pc/CMakeLists.txt
index e2e1077..4b97a1a 100644
--- a/deployments/libts/linux-pc/CMakeLists.txt
+++ b/deployments/libts/linux-pc/CMakeLists.txt
@@ -47,6 +47,7 @@
"components/service/attestation/claims/sources/boot_seed_generator"
"components/service/attestation/claims/sources/null_lifecycle"
"components/service/attestation/claims/sources/instance_id"
+ "components/service/attestation/claims/sources/implementation_id"
"components/service/attestation/claims/sources/event_log"
"components/service/attestation/claims/sources/event_log/mock"
"components/service/attestation/reporter/local"
diff --git a/deployments/psa-api-test/initial_attestation/arm-linux/CMakeLists.txt b/deployments/psa-api-test/initial_attestation/arm-linux/CMakeLists.txt
new file mode 100644
index 0000000..183f121
--- /dev/null
+++ b/deployments/psa-api-test/initial_attestation/arm-linux/CMakeLists.txt
@@ -0,0 +1,33 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+cmake_minimum_required(VERSION 3.16)
+include(../../../deployment.cmake REQUIRED)
+include(../../psa-api-test-config.cmake REQUIRED)
+
+#-------------------------------------------------------------------------------
+# The CMakeLists.txt for building the psa-api-test deployment for arm-linux
+#
+# Used for building and running psa arch tests on an Arm based Linux device
+#-------------------------------------------------------------------------------
+include(${TS_ROOT}/environments/arm-linux/env.cmake)
+project(trusted-services LANGUAGES CXX C)
+add_executable(psa-api-test)
+target_include_directories(psa-api-test PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}")
+
+#-------------------------------------------------------------------------------
+# Extend with components that are common across all deployments of
+# psa-api-test/initial_attestation
+#-------------------------------------------------------------------------------
+include(../iat-api-test.cmake REQUIRED)
+
+#-------------------------------------------------------------------------------
+# Linker option to enable repeated searches for undefined references.
+# Required to resolve dependencies between arch-test and mbedcrypto libraries.
+#-------------------------------------------------------------------------------
+target_link_options(psa-api-test PRIVATE
+ -Wl,--start-group
+ )
diff --git a/deployments/psa-api-test/initial_attestation/iat-api-test.cmake b/deployments/psa-api-test/initial_attestation/iat-api-test.cmake
index 79655ff..55ecd4a 100644
--- a/deployments/psa-api-test/initial_attestation/iat-api-test.cmake
+++ b/deployments/psa-api-test/initial_attestation/iat-api-test.cmake
@@ -12,6 +12,20 @@
set(TS_ARCH_TEST_SUITE INITIAL_ATTESTATION CACHE STRING "Arch test suite")
#-------------------------------------------------------------------------------
+# Set additional defines needed for build.
+#-------------------------------------------------------------------------------
+set(TS_ARCH_TEST_EXTERNAL_DEFS
+ -DPSA_ALG_MD4=0x02000002
+ CACHE STRING "Arch test external defines")
+
+#-------------------------------------------------------------------------------
+# The arch test build system puts its build output under a test suite specific
+# subdirectory. The subdirectory name is different from the test suite name
+# so an additional define is needed to obtain the built library.
+#-------------------------------------------------------------------------------
+set(TS_ARCH_TEST_BUILD_SUBDIR initial_attestation CACHE STRING "Arch test build subdirectory")
+
+#-------------------------------------------------------------------------------
# Add attestation specific components.
#
#-------------------------------------------------------------------------------
@@ -21,6 +35,11 @@
COMPONENTS
"components/service/attestation/include"
"components/service/attestation/client/psa"
+ "components/service/attestation/client/provision"
+)
+
+target_sources(psa-api-test PRIVATE
+ ${TS_ROOT}/deployments/psa-api-test/initial_attestation/iat_locator.c
)
#-------------------------------------------------------------------------------
diff --git a/deployments/psa-api-test/initial_attestation/iat_locator.c b/deployments/psa-api-test/initial_attestation/iat_locator.c
new file mode 100644
index 0000000..3865cd7
--- /dev/null
+++ b/deployments/psa-api-test/initial_attestation/iat_locator.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stddef.h>
+#include <service_locator.h>
+#include <service/attestation/client/psa/iat_client.h>
+#include <service/attestation/client/provision/attest_provision_client.h>
+#include <protocols/rpc/common/packed-c/encoding.h>
+#include "../service_under_test.h"
+
+/* RPC context */
+static rpc_session_handle session_handle = NULL;
+static struct service_context *crypto_service_context = NULL;
+
+int locate_service_under_test(struct logging_caller *call_logger)
+{
+ int status = -1;
+
+ if (!session_handle && !crypto_service_context) {
+
+ struct rpc_caller *caller;
+
+ crypto_service_context =
+ service_locator_query("sn:trustedfirmware.org:attestation:0", &status);
+
+ if (crypto_service_context) {
+
+ session_handle =
+ service_context_open(crypto_service_context, TS_RPC_ENCODING_PACKED_C, &caller);
+
+ if (session_handle) {
+
+ if (call_logger) {
+
+ struct rpc_caller *stacked_caller = logging_caller_attach(call_logger, caller);
+
+ psa_iat_client_init(stacked_caller);
+ attest_provision_client_init(stacked_caller);
+ }
+ else {
+
+ psa_iat_client_init(caller);
+ attest_provision_client_init(caller);
+ }
+
+ status = 0;
+ }
+ else {
+
+ status = -1;
+ relinquish_service_under_test();
+ }
+ }
+ }
+
+ return status;
+}
+
+void relinquish_service_under_test(void)
+{
+ psa_iat_client_deinit();
+ attest_provision_client_deinit();
+
+ if (crypto_service_context && session_handle) {
+
+ service_context_close(crypto_service_context, session_handle);
+ session_handle = NULL;
+ }
+
+ if (crypto_service_context) {
+
+ service_context_relinquish(crypto_service_context);
+ crypto_service_context = NULL;
+ }
+}
diff --git a/deployments/se-proxy/opteesp/CMakeLists.txt b/deployments/se-proxy/opteesp/CMakeLists.txt
index 2b87cba..cb34e26 100644
--- a/deployments/se-proxy/opteesp/CMakeLists.txt
+++ b/deployments/se-proxy/opteesp/CMakeLists.txt
@@ -81,6 +81,7 @@
"components/service/attestation/claims/sources/boot_seed_generator"
"components/service/attestation/claims/sources/null_lifecycle"
"components/service/attestation/claims/sources/instance_id"
+ "components/service/attestation/claims/sources/implementation_id"
"components/service/attestation/claims/sources/event_log"
"components/service/attestation/claims/sources/event_log/mock"
"components/service/attestation/reporter/local"
diff --git a/external/psa_arch_tests/modify_attest_config.patch b/external/psa_arch_tests/modify_attest_config.patch
new file mode 100644
index 0000000..ebe8c44
--- /dev/null
+++ b/external/psa_arch_tests/modify_attest_config.patch
@@ -0,0 +1,13 @@
+diff --git a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h
+index 6112ba7..1cdf581 100755
+--- a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h
++++ b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h
+@@ -60,7 +60,7 @@ typedef uint32_t cfg_id_t;
+ #define CRYPTO_VERSION_BETA3
+
+ /* Use hardcoded public key */
+-#define PLATFORM_OVERRIDE_ATTEST_PK
++//#define PLATFORM_OVERRIDE_ATTEST_PK
+
+ /*
+ * Include of PSA defined Header files
diff --git a/external/psa_arch_tests/psa_arch_tests.cmake b/external/psa_arch_tests/psa_arch_tests.cmake
index e87d2da..0bfaba4 100644
--- a/external/psa_arch_tests/psa_arch_tests.cmake
+++ b/external/psa_arch_tests/psa_arch_tests.cmake
@@ -32,6 +32,8 @@
GIT_REPOSITORY ${PSA_ARCH_TESTS_URL}
GIT_TAG ${PSA_ARCH_TESTS_REFSPEC}
GIT_SHALLOW TRUE
+ PATCH_COMMAND git stash
+ COMMAND git apply ${CMAKE_CURRENT_LIST_DIR}/modify_attest_config.patch
)
# FetchContent_GetProperties exports psa-arch-tests_SOURCE_DIR and psa-arch-tests_BINARY_DIR variables
diff --git a/tools/b-test/test_data.yaml b/tools/b-test/test_data.yaml
index e496741..4222885 100644
--- a/tools/b-test/test_data.yaml
+++ b/tools/b-test/test_data.yaml
@@ -52,6 +52,11 @@
os_id : "GNU/Linux"
params:
- "-GUnix Makefiles"
+ - name: "psa-api-test-initial_attestation-arm-linux"
+ src: "$TS_ROOT/deployments/psa-api-test/initial_attestation/arm-linux"
+ os_id : "GNU/Linux"
+ params:
+ - "-GUnix Makefiles"
- name: "psa-api-test-protected_storage-pc-linux"
src: "$TS_ROOT/deployments/psa-api-test/protected_storage/linux-pc"
os_id : "GNU/Linux"