| Julian Hall | 201ce46 | 2021-04-29 11:05:34 +0100 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (c) 2018-2021, Arm Limited. All rights reserved. |
| 3 | * |
| 4 | * SPDX-License-Identifier: BSD-3-Clause |
| 5 | * |
| 6 | */ |
| 7 | |
| 8 | /***************************************************************************/ |
| 9 | /* DRAFT UNDER REVIEW */ |
| 10 | /* These APIs are still evolving and are meant as a prototype for review.*/ |
| 11 | /* The APIs will change depending on feedback and will be firmed up */ |
| 12 | /* to a stable set of APIs once all the feedback has been considered. */ |
| 13 | /***************************************************************************/ |
| 14 | |
| 15 | #ifndef __PSA_INITIAL_ATTESTATION_H__ |
| 16 | #define __PSA_INITIAL_ATTESTATION_H__ |
| 17 | |
| 18 | #include <limits.h> |
| 19 | #include <stdint.h> |
| 20 | #include <stddef.h> |
| Julian Hall | b7db580 | 2021-07-26 16:20:40 +0100 | [diff] [blame^] | 21 | #include <psa/crypto.h> |
| Julian Hall | b57aa0d | 2021-07-13 10:34:59 +0100 | [diff] [blame] | 22 | #include <psa/error.h> |
| Julian Hall | 201ce46 | 2021-04-29 11:05:34 +0100 | [diff] [blame] | 23 | |
| 24 | #ifdef __cplusplus |
| 25 | extern "C" { |
| 26 | #endif |
| 27 | |
| 28 | /** |
| 29 | * \brief PSA INITIAL ATTESTATION API version |
| 30 | * |
| 31 | * Initial attestation API version is: 1.0.0 |
| 32 | */ |
| 33 | #define PSA_INITIAL_ATTEST_API_VERSION_MAJOR (1) |
| 34 | #define PSA_INITIAL_ATTEST_API_VERSION_MINOR (0) |
| 35 | |
| 36 | /** |
| 37 | * The allowed size of input challenge in bytes: 32, 48, 64 |
| 38 | * Challenge can be a nonce from server |
| 39 | * or the hash of some combined data : nonce + attested data by caller. |
| 40 | */ |
| 41 | #define PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 (32u) |
| 42 | #define PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48 (48u) |
| 43 | #define PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64 (64u) |
| 44 | |
| 45 | /** |
| 46 | * The maximum size of an attestation token that can be generated by the |
| 47 | * attestation service. Used to configure buffers for services that verify the |
| 48 | * produced tokens. |
| 49 | */ |
| Julian Hall | 700aa36 | 2021-05-13 15:30:39 +0100 | [diff] [blame] | 50 | #define PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE (4096) |
| Julian Hall | 201ce46 | 2021-04-29 11:05:34 +0100 | [diff] [blame] | 51 | |
| 52 | /** |
| 53 | * The list of fixed claims in the initial attestation token is still evolving, |
| 54 | * you can expect slight changes in the future. |
| 55 | * |
| 56 | * The initial attestation token is planned to be aligned with future version of |
| 57 | * Entity Attestation Token format: |
| 58 | * https://tools.ietf.org/html/draft-mandyam-eat-01 |
| 59 | * |
| 60 | * Current list of claims: |
| 61 | * - Challenge: Input object from caller. Can be a single nonce from server |
| 62 | * or hash of nonce and attested data. It is intended to provide |
| 63 | * freshness to reports and the caller has responsibility to |
| 64 | * arrange this. Allowed length: 32, 48, 64 bytes. The claim is |
| 65 | * modeled to be eventually represented by the EAT standard |
| 66 | * claim nonce. Until such a time as that standard exists, |
| 67 | * the claim will be represented by a custom claim. Value |
| 68 | * is encoded as byte string. |
| 69 | * |
| 70 | * - Instance ID: It represents the unique identifier of the instance. In the |
| 71 | * PSA definition it is a hash of the public attestation key |
| 72 | * of the instance. The claim is modeled to be eventually |
| 73 | * represented by the EAT standard claim UEID of type GUID. |
| 74 | * Until such a time as that standard exists, the claim will be |
| 75 | * represented by a custom claim Value is encoded as byte |
| 76 | * string. |
| 77 | * |
| 78 | * - Verification service indicator: Optional, recommended claim. It is used by |
| 79 | * a Relying Party to locate a validation service for the token. |
| 80 | * The value is a text string that can be used to locate the |
| 81 | * service or a URL specifying the address of the service. The |
| 82 | * claim is modeled to be eventually represented by the EAT |
| 83 | * standard claim origination. Until such a time as that |
| 84 | * standard exists, the claim will be represented by a custom |
| 85 | * claim. Value is encoded as text string. |
| 86 | * |
| 87 | * - Profile definition: Optional, recommended claim. It contains the name of |
| 88 | * a document that describes the 'profile' of the token, being |
| 89 | * a full description of the claims, their usage, verification |
| 90 | * and token signing. The document name may include versioning. |
| 91 | * Custom claim with a value encoded as text string. |
| 92 | * |
| 93 | * - Implementation ID: It represents the original implementation signer of the |
| 94 | * attestation key and identifies the contract between the |
| 95 | * report and verification. A verification service will use this |
| 96 | * claim to locate the details of the verification process. |
| 97 | * Custom claim with a value encoded as byte string. |
| 98 | * |
| 99 | * - Security lifecycle: It represents the current lifecycle state of the |
| 100 | * instance. Custom claim with a value encoded as integer that |
| 101 | * is divided to convey a major state and a minor state. The |
| 102 | * PSA state and implementation state are encoded as follows: |
| 103 | * - version[15:8] - PSA lifecycle state - major |
| 104 | * - version[7:0] - IMPLEMENTATION DEFINED state - minor |
| 105 | * Possible PSA lifecycle states: |
| 106 | * - Unknown (0x1000u), |
| 107 | * - PSA_RoT_Provisioning (0x2000u), |
| 108 | * - Secured (0x3000u), |
| 109 | * - Non_PSA_RoT_Debug(0x4000u), |
| 110 | * - Recoverable_PSA_RoT_Debug (0x5000u), |
| 111 | * - Decommissioned (0x6000u) |
| 112 | * |
| 113 | * - Client ID: The partition ID of that secure partition or non-secure |
| 114 | * thread who called the initial attestation API. Custom claim |
| 115 | * with a value encoded as a *signed* integer. Negative number |
| 116 | * represents non-secure caller, positive numbers represents |
| 117 | * secure callers, zero is invalid. |
| 118 | * |
| 119 | * - HW version: Optional claim. Globally unique number in EAN-13 format |
| 120 | * identifying the GDSII that went to fabrication, HW and ROM. |
| 121 | * It can be used to reference the security level of the PSA-ROT |
| 122 | * via a certification website. Custom claim with a value is |
| 123 | * encoded as text string. |
| 124 | |
| 125 | * - Boot seed: It represents a random value created at system boot time that |
| 126 | * will allow differentiation of reports from different system |
| 127 | * sessions. The size is 32 bytes. Custom claim with a value is |
| 128 | * encoded as byte string. |
| 129 | * |
| 130 | * - Software components: Recommended claim. It represents the software state |
| 131 | * of the system. The value of the claim is an array of CBOR map |
| 132 | * entries, with one entry per software component within the |
| 133 | * device. Each map contains multiple claims that describe |
| 134 | * evidence about the details of the software component. |
| 135 | * |
| 136 | * - Measurement type: Optional claim. It represents the role of the |
| 137 | * software component. Value is encoded as short(!) text |
| 138 | * string. |
| 139 | * |
| 140 | * - Measurement value: It represents a hash of the invariant software |
| 141 | * component in memory at start-up time. The value must be a |
| 142 | * cryptographic hash of 256 bits or stronger.Value is |
| 143 | * encoded as byte string. |
| 144 | * |
| 145 | * - Version: Optional claim. It represents the issued software version. |
| 146 | * Value is encoded as text string. |
| 147 | * |
| 148 | * - Signer ID: It represents the hash of a signing authority public key. |
| 149 | * Value is encoded as byte string. |
| 150 | * |
| 151 | * - Measurement description: Optional claim. It represents the way in which |
| 152 | * the measurement value of the software component is |
| 153 | * computed. Value is encoded as text string containing an |
| 154 | * abbreviated description (name) of the measurement method. |
| 155 | * |
| 156 | * - No software measurements: In the event that the implementation does not |
| 157 | * contain any software measurements then the software |
| 158 | * components claim above can be omitted but instead |
| 159 | * it is mandatory to include this claim to indicate this is a |
| 160 | * deliberate state. Custom claim a value is encoded as unsigned |
| 161 | * integer set to 1. |
| 162 | */ |
| 163 | |
| 164 | /** |
| 165 | * \brief Get initial attestation token |
| 166 | * |
| 167 | * \param[in] auth_challenge Pointer to buffer where challenge input is |
| 168 | * stored. Nonce and / or hash of attested data. |
| 169 | * Must be always |
| 170 | * \ref PSA_INITIAL_ATTEST_TOKEN_SIZE bytes |
| 171 | * long. |
| 172 | * \param[in] challenge_size Size of challenge object in bytes. |
| 173 | * \param[out] token_buf Pointer to the buffer where attestation token |
| 174 | * will be stored. |
| 175 | * \param[in] token_buf_size Size of allocated buffer for token, in bytes. |
| 176 | * \param[out] token_size Size of the token that has been returned, in |
| 177 | * bytes. |
| 178 | * |
| 179 | * \return Returns error code as specified in \ref psa_status_t |
| 180 | */ |
| 181 | psa_status_t |
| 182 | psa_initial_attest_get_token(const uint8_t *auth_challenge, |
| 183 | size_t challenge_size, |
| 184 | uint8_t *token_buf, |
| 185 | size_t token_buf_size, |
| 186 | size_t *token_size); |
| 187 | |
| 188 | /** |
| 189 | * \brief Get the exact size of initial attestation token in bytes. |
| 190 | * |
| 191 | * It just returns with the size of the IAT token. It can be used if the caller |
| 192 | * dynamically allocates memory for the token buffer. |
| 193 | * |
| 194 | * \param[in] challenge_size Size of challenge object in bytes. This must be |
| 195 | * a supported challenge size (as above). |
| 196 | * \param[out] token_size Size of the token in bytes, which is created by |
| 197 | * initial attestation service. |
| 198 | * |
| 199 | * \return Returns error code as specified in \ref psa_status_t |
| 200 | */ |
| 201 | psa_status_t |
| 202 | psa_initial_attest_get_token_size(size_t challenge_size, |
| 203 | size_t *token_size); |
| 204 | |
| Julian Hall | b7db580 | 2021-07-26 16:20:40 +0100 | [diff] [blame^] | 205 | /** |
| 206 | * \brief Get the attestation public key |
| 207 | * |
| 208 | * This function is for compatibility with the PSA Arch tests that use |
| 209 | * a TF-M specific function to retieve the IAK public key from the device |
| 210 | * under test. |
| 211 | * |
| 212 | * \param[out] public_key Pointer to the buffer where the public key |
| 213 | * will be stored. |
| 214 | * \param[in] key_buf_size Size of allocated buffer for key, in bytes. |
| 215 | * \param[out] public_key_len Size of public key in bytes. |
| 216 | * \param[out] public_key_curve Type of the elliptic curve which the key |
| 217 | * belongs to. |
| 218 | * |
| 219 | * \note Currently only the ECDSA P-256 over SHA-256 algorithm is supported. |
| 220 | * |
| 221 | * \return Returns error code as specified in \ref psa_status_t |
| 222 | */ |
| 223 | psa_status_t |
| 224 | tfm_initial_attest_get_public_key(uint8_t *public_key, |
| 225 | size_t public_key_buf_size, |
| 226 | size_t *public_key_len, |
| 227 | psa_ecc_family_t *elliptic_curve_type); |
| 228 | |
| Julian Hall | 201ce46 | 2021-04-29 11:05:34 +0100 | [diff] [blame] | 229 | #ifdef __cplusplus |
| 230 | } |
| 231 | #endif |
| 232 | |
| 233 | #endif /* __PSA_INITIAL_ATTESTATION_H__ */ |