Add attestation SP deployment
Adds a new deployment for running an Attestation service provider
in an SP for the opteesp environment. Attestation service level
tests have been moved to the common ts-service-test.cmake file
so tests can be run in target and native PC environments. The
Attestation SP has the following limitations:
- Mocked up event log - integration with TF-A/SPM not yet complete
- Uses mbedcrypto directly rather than teh Crypto service
Signed-off-by: Julian Hall <julian.hall@arm.com>
Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Change-Id: Ib5efffaab1b23e5c31cbf87aba7ebcf3589aeb3a
diff --git a/deployments/attestation/opteesp/CMakeLists.txt b/deployments/attestation/opteesp/CMakeLists.txt
new file mode 100644
index 0000000..6852950
--- /dev/null
+++ b/deployments/attestation/opteesp/CMakeLists.txt
@@ -0,0 +1,163 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+cmake_minimum_required(VERSION 3.16)
+include(../../deployment.cmake REQUIRED)
+
+#-------------------------------------------------------------------------------
+# The CMakeLists.txt for building the attestation deployment for opteesp
+#
+# Builds the attestation service provider for running in an SEL0 secure partition
+# hosted by OPTEE in the role of SPM.
+#-------------------------------------------------------------------------------
+include(${TS_ROOT}/environments/opteesp/env.cmake)
+project(trusted-services LANGUAGES C ASM)
+add_executable(attestation)
+target_include_directories(attestation PRIVATE "${TOP_LEVEL_INCLUDE_DIRS}")
+set(SP_UUID "a1baf155-8876-4695-8f7c-54955e8db974")
+
+
+# Include SP DEV KIT interface
+set(SP_DEV_KIT_INC_DIR ${CMAKE_CURRENT_LIST_DIR})
+list(APPEND CMAKE_MODULE_PATH "${TS_ROOT}/external/Spdevkit")
+find_package(Spdevkit REQUIRED)
+sp_dev_kit_configure_linking(TARGET attestation DEFINES ARM64=1)
+target_link_libraries(attestation PRIVATE ${SP_DEV_KIT_LIBRARIES})
+
+#-------------------------------------------------------------------------------
+# Default deployment specific configuration
+#
+#-------------------------------------------------------------------------------
+set(TS_NO_FLOAT_HW ON)
+
+#-------------------------------------------------------------------------------
+# Components that are specific to deployment in the opteesp environment.
+#
+#-------------------------------------------------------------------------------
+add_components(TARGET "attestation"
+ BASE_DIR ${TS_ROOT}
+ COMPONENTS
+ "components/common/tlv"
+ "components/common/endian"
+ "components/config/ramstore"
+ "components/config/loader/sp"
+ "components/messaging/ffa/libsp"
+ "components/rpc/ffarpc/endpoint"
+ "components/rpc/ffarpc/caller/sp"
+ "components/rpc/common/caller"
+ "components/rpc/common/interface"
+ "components/service/common/include"
+ "components/service/common/provider"
+ "components/service/attestation/include"
+ "components/service/attestation/claims"
+ "components/service/attestation/claims/sources/boot_seed_generator"
+ "components/service/attestation/claims/sources/null_lifecycle"
+ "components/service/attestation/claims/sources/instance_id"
+ "components/service/attestation/claims/sources/event_log"
+ "components/service/attestation/claims/sources/event_log/mock"
+ "components/service/attestation/reporter/psa"
+ "components/service/attestation/key_mngr"
+ "components/service/attestation/provider"
+ "components/service/attestation/provider/serializer/packed-c"
+ "protocols/rpc/common/packed-c"
+ "environments/opteesp"
+)
+
+target_sources(attestation PRIVATE
+ attestation_sp.c
+)
+
+#-------------------------------------------------------------------------------
+# Use the selected platform to provide drivers needed by the deployment
+#
+#-------------------------------------------------------------------------------
+add_platform(TARGET "attestation")
+
+#-------------------------------------------------------------------------------
+# Components used from external projects
+#
+#-------------------------------------------------------------------------------
+
+# Temporary dependency on mbedcrypto
+set(MBEDTLS_USER_CONFIG_FILE
+ "${TS_ROOT}/components/service/crypto/client/cpp/config_mbedtls_user.h"
+ CACHE STRING "Configuration file for mbedcrypto")
+
+# Mbed TLS provides libmbedcrypto
+include(../../../external/MbedTLS/MbedTLS.cmake)
+target_link_libraries(attestation PRIVATE mbedcrypto)
+
+# Qcbor
+include(${TS_ROOT}/external/qcbor/qcbor.cmake)
+target_link_libraries(attestation PRIVATE qcbor)
+
+# t_cose
+include(${TS_ROOT}/external/t_cose/t_cose.cmake)
+target_link_libraries(attestation PRIVATE t_cose)
+
+if(CMAKE_CROSSCOMPILING)
+ target_link_libraries(attestation PRIVATE stdc++ gcc m)
+endif()
+
+#################################################################
+
+target_compile_definitions(attestation PRIVATE
+ ARM64=1
+)
+
+target_include_directories(attestation PRIVATE
+ ${TS_ROOT}
+ ${TS_ROOT}/components
+ ${TS_ROOT}/deployments/attestation/opteesp
+)
+
+if(CMAKE_C_COMPILER_ID STREQUAL "GNU")
+ target_compile_options(attestation PRIVATE
+ -fdiagnostics-show-option
+ -fpic
+ -gdwarf-2
+ -mstrict-align
+ -O0
+ -std=gnu99
+ )
+
+ # Options for GCC that control linking
+ target_link_options(attestation PRIVATE
+ -e __sp_entry
+ -fno-lto
+ -nostdlib
+ -pie
+ -zmax-page-size=4096
+ )
+ # Options directly for LD, these are not understood by GCC
+ target_link_options(attestation PRIVATE
+ -Wl,--as-needed
+ -Wl,--sort-section=alignment
+ # -Wl,--dynamic-list ${CMAKE_CURRENT_LIST_DIR}/dyn_list
+ )
+endif()
+
+compiler_generate_stripped_elf(TARGET attestation NAME "${SP_UUID}.stripped.elf" RES STRIPPED_ELF)
+
+######################################## install
+if (CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
+ set(CMAKE_INSTALL_PREFIX ${CMAKE_BINARY_DIR}/install CACHE PATH "location to install build output to." FORCE)
+endif()
+#TODO: api headers
+
+install(TARGETS attestation
+ PUBLIC_HEADER DESTINATION ${TS_ENV}/include
+ RUNTIME DESTINATION ${TS_ENV}/bin
+ )
+install(FILES ${STRIPPED_ELF} DESTINATION ${TS_ENV}/bin)
+
+get_property(_PROTO_FILES TARGET attestation PROPERTY PROTOBUF_FILES)
+install(FILES ${_PROTO_FILES} DESTINATION ${TS_ENV}/lib/protobuf)
+
+
+set(EXPORT_SP_NAME "attestation")
+set(EXPORT_SP_UUID ${SP_UUID})
+include(${TS_ROOT}/environments/opteesp/ExportSp.cmake)
diff --git a/deployments/attestation/opteesp/attestation_sp.c b/deployments/attestation/opteesp/attestation_sp.c
new file mode 100644
index 0000000..ce45516
--- /dev/null
+++ b/deployments/attestation/opteesp/attestation_sp.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <rpc/ffarpc/caller/sp/ffarpc_caller.h>
+#include <rpc/ffarpc/endpoint/ffarpc_call_ep.h>
+#include <protocols/rpc/common/packed-c/status.h>
+#include <config/ramstore/config_ramstore.h>
+#include <config/loader/sp/sp_config_loader.h>
+#include <service/attestation/provider/attest_provider.h>
+#include <service/attestation/provider/serializer/packed-c/packedc_attest_provider_serializer.h>
+#include <service/attestation/claims/claims_register.h>
+#include <service/attestation/claims/sources/event_log/event_log_claim_source.h>
+#include <service/attestation/claims/sources/boot_seed_generator/boot_seed_generator.h>
+#include <service/attestation/claims/sources/null_lifecycle/null_lifecycle_claim_source.h>
+#include <service/attestation/claims/sources/instance_id/instance_id_claim_source.h>
+#include <ffa_api.h>
+#include <sp_api.h>
+#include <sp_rxtx.h>
+#include <trace.h>
+
+
+/* Temporary dependencies */
+#include <service/attestation/claims/sources/event_log/mock/mock_event_log.h>
+#include <psa/crypto.h>
+
+
+uint16_t own_id = 0; /* !!Needs refactoring as parameter to ffarpc_caller_init */
+
+
+static int sp_init(uint16_t *own_sp_id);
+
+void __noreturn sp_main(struct ffa_init_info *init_info)
+{
+ /* Service provider objects */
+ struct attest_provider attest_provider;
+ struct rpc_interface *attest_iface;
+ struct ffa_call_ep ffarpc_call_ep;
+ struct ffa_direct_msg req_msg;
+
+ /* Claim source objects */
+ struct claim_source *claim_source;
+ struct event_log_claim_source event_log_claim_source;
+ struct boot_seed_generator boot_seed_claim_source;
+ struct null_lifecycle_claim_source lifecycle_claim_source;
+ struct instance_id_claim_source instance_id_claim_source;
+
+ /*********************************************************
+ * Boot phase
+ *********************************************************/
+ if (sp_init(&own_id) != 0) goto fatal_error;
+
+ config_ramstore_init();
+ sp_config_load(init_info);
+
+ /**
+ * Register claim sources for deployment
+ */
+ claims_register_init();
+
+ /* Boot measurement claim source - uses mock event log */
+ claim_source = event_log_claim_source_init(&event_log_claim_source,
+ mock_event_log_start(), mock_event_log_size());
+ claims_register_add_claim_source(CLAIM_CATEGORY_BOOT_MEASUREMENT, claim_source);
+
+ /* Boot seed claim source */
+ claim_source = boot_seed_generator_init(&boot_seed_claim_source);
+ claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
+
+ /* Lifecycle state claim source */
+ claim_source = null_lifecycle_claim_source_init(&lifecycle_claim_source);
+ claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
+
+ /* Instance ID claim source */
+ claim_source = instance_id_claim_source_init(&instance_id_claim_source);
+ claims_register_add_claim_source(CLAIM_CATEGORY_DEVICE, claim_source);
+
+ /**
+ * Initialize the service provider
+ */
+ psa_crypto_init(); /* temporary */
+
+ attest_iface = attest_provider_init(&attest_provider, ATTEST_KEY_MNGR_VOLATILE_IAK);
+
+ attest_provider_register_serializer(&attest_provider,
+ TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance());
+
+ ffa_call_ep_init(&ffarpc_call_ep, attest_iface);
+
+ /*********************************************************
+ * End of boot phase
+ *********************************************************/
+ ffa_msg_wait(&req_msg);
+
+ while (1) {
+ if (req_msg.function_id == FFA_MSG_SEND_DIRECT_REQ_32) {
+
+ struct ffa_direct_msg resp_msg;
+
+ ffa_call_ep_receive(&ffarpc_call_ep, &req_msg, &resp_msg);
+
+ ffa_msg_send_direct_resp(req_msg.destination_id,
+ req_msg.source_id, resp_msg.args[0], resp_msg.args[1],
+ resp_msg.args[2], resp_msg.args[3], resp_msg.args[4],
+ &req_msg);
+ }
+ }
+
+fatal_error:
+ /* SP is not viable */
+ EMSG("Attestation SP error");
+ while (1) {}
+}
+
+void sp_interrupt_handler(uint32_t interrupt_id)
+{
+ (void)interrupt_id;
+}
+
+static int sp_init(uint16_t *own_sp_id)
+{
+ int status = -1;
+ ffa_result ffa_res;
+ sp_result sp_res;
+ static uint8_t tx_buffer[4096] __aligned(4096);
+ static uint8_t rx_buffer[4096] __aligned(4096);
+
+ sp_res = sp_rxtx_buffer_map(tx_buffer, rx_buffer, sizeof(rx_buffer));
+ if (sp_res == SP_RESULT_OK) {
+ ffa_res = ffa_id_get(own_sp_id);
+ if (ffa_res == FFA_OK) {
+ status = 0;
+ }
+ }
+
+ return status;
+}
diff --git a/deployments/attestation/opteesp/attestation_sp.h b/deployments/attestation/opteesp/attestation_sp.h
new file mode 100644
index 0000000..7c4af58
--- /dev/null
+++ b/deployments/attestation/opteesp/attestation_sp.h
@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef ATTESTATION_SP_H
+#define ATTESTATION_SP_H
+
+#define ATTESTATION_SP_UUID \
+ {0xa1baf155, 0x8876, 0x4695, \
+ {0x8f, 0x7c, 0x54, 0x95, 0x5e, 0x8d, 0xb9, 0x74}}
+
+#define ATTESTATION_SP_UUID_BYTES \
+ {0xa1, 0xba, 0xf1, 0x55, 0x88, 0x76, 0x46, 0x95, \
+ 0x8f, 0x7c, 0x54, 0x95, 0x5e, 0x8d, 0xb9, 0x74}
+
+#endif /* ATTESTATION_SP_H */
diff --git a/deployments/attestation/opteesp/default_attestation.dts.in b/deployments/attestation/opteesp/default_attestation.dts.in
new file mode 100644
index 0000000..a184164
--- /dev/null
+++ b/deployments/attestation/opteesp/default_attestation.dts.in
@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+@DTS_TAG@
+
+@DTS_NODE@ {
+ compatible = "arm,ffa-manifest-1.0";
+ ffa-version = <0x00010000>; /* 31:16 - Major, 15:0 - Minor */
+ uuid = <@EXPORT_SP_UUID_DT@>;
+ description = "Attestation";
+ execution-ctx-count = <1>;
+ exception-level = <1>; /* S-EL0 */
+ execution-state = <0>; /* AArch64 */
+ xlat-granule = <0>; /* 4KiB */
+ messaging-method = <0>; /* Direct messaging only */
+};
diff --git a/deployments/attestation/opteesp/optee_sp_user_defines.h b/deployments/attestation/opteesp/optee_sp_user_defines.h
new file mode 100644
index 0000000..23c67b6
--- /dev/null
+++ b/deployments/attestation/opteesp/optee_sp_user_defines.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef SP_HEADER_DEFINES_H
+#define SP_HEADER_DEFINES_H
+
+/* To get UUID definition */
+#include "attestation_sp.h"
+
+#define OPTEE_SP_UUID ATTESTATION_SP_UUID
+#define OPTEE_SP_FLAGS 0
+
+/* Provisioned stack size */
+#define OPTEE_SP_STACK_SIZE (64 * 1024)
+
+/* Provisioned heap size */
+#define OPTEE_SP_HEAP_SIZE (32 * 1024)
+
+#endif /* SP_HEADER_DEFINES_H */
diff --git a/deployments/ts-service-test/linux-pc/CMakeLists.txt b/deployments/ts-service-test/linux-pc/CMakeLists.txt
index 798b8cb..c165fac 100644
--- a/deployments/ts-service-test/linux-pc/CMakeLists.txt
+++ b/deployments/ts-service-test/linux-pc/CMakeLists.txt
@@ -78,12 +78,8 @@
TARGET "ts-service-test"
BASE_DIR ${TS_ROOT}
COMPONENTS
- "components/service/test_runner/client/cpp"
+ "components/service/test_runner/client/cpp"
"components/service/test_runner/test/service"
- "components/service/attestation/include"
- "components/service/attestation/client/psa"
- "components/service/attestation/client/provision"
- "components/service/attestation/test/service"
)
#-------------------------------------------------------------------------------
diff --git a/deployments/ts-service-test/ts-service-test.cmake b/deployments/ts-service-test/ts-service-test.cmake
index 28ff49d..f56ac01 100644
--- a/deployments/ts-service-test/ts-service-test.cmake
+++ b/deployments/ts-service-test/ts-service-test.cmake
@@ -39,6 +39,10 @@
"components/service/crypto/client/cpp/protobuf"
"components/service/crypto/client/cpp/packed-c"
"components/service/common/serializer/protobuf"
+ "components/service/attestation/include"
+ "components/service/attestation/client/psa"
+ "components/service/attestation/client/provision"
+ "components/service/attestation/test/service"
"protocols/service/crypto/protobuf"
"protocols/service/crypto/packed-c"
"components/service/secure_storage/include"