Blame - secure-debug/adac_ats_alpha1.patch - mirror/psa-arch-tests

jk-arm

6e1549d

2021-12-07 18:04:21 +0530

[diff] [blame^]

1

diff --git a/ports/demo/demo-discovery.c b/ports/demo/demo-discovery.c

2

index aab117a..a7a0f5d 100644

3

--- a/ports/demo/demo-discovery.c

4

+++ b/ports/demo/demo-discovery.c

5

@@ -88,24 +88,31 @@

6

ED25519_VAL ED448_VAL SM2SM3_VAL HMAC_VAL CMAC_VAL

7

8

uint8_t discovery_template[] = {

9

- // @+00 (6 bytes) psa_auth_version: 1.0

10

- 0x01, 0x00, 0x02, 0x00, 0x01, 0x00,

11

- // @+06 (6 bytes) vendor_id: {0x04, 0x3B} => 0x023B ("ARM Ltd.")

12

- 0x02, 0x00, 0x02, 0x00, 0x04, 0x3B,

13

- // @+12 (8 bytes) soc_class: [0x00, 0x00, 0x00, 0x00]

14

- 0x03, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,

15

- // @+20 (20 bytes) soc_id: [0x00] * 16

16

- 0x04, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00,

17

- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

18

+ // @+00 (12 bytes) psa_auth_version: 1.0

19

+ 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00,

20

+ 0x01, 0x00, 0x00, 0x00,

21

+ // @+12 (12 bytes) vendor_id: {0x04, 0x3B} => 0x023B ("ARM Ltd.")

22

+ 0x00, 0x00, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00,

23

+ 0x04, 0x3B, 0x00, 0x00,

24

+ // @+24 (12 bytes) soc_class: [0x00, 0x00, 0x00, 0x00]

25

+ 0x00, 0x00, 0x03, 0x00, 0x04, 0x00, 0x00, 0x00,

26

0x00, 0x00, 0x00, 0x00,

27

- // @+40 (6 bytes) psa_lifecycle: PSA_LIFECYCLE_SECURED

28

- 0x08, 0x00, 0x02, 0x00, 0x00, 0x30,

29

- // @+46 (6 bytes) token_formats: [{0x00, 0x02} (token_psa_debug)]

30

- 0x00, 0x01, 0x02, 0x00, 0x00, 0x02,

31

- // @+52 (6 bytes) cert_formats: [{0x01, 0x02} (cert_psa_debug)]

32

- 0x01, 0x01, 0x02, 0x00, 0x01, 0x02,

33

- // @+58 (4 + X bytes) cryptosystems: [...]

34

- 0x02, 0x01, CRYPTO_CNT, 0x00, CRYPTO_VALS

35

+ // @+36 (24 bytes) soc_id: [0x00] * 16

36

+ 0x00, 0x00, 0x04, 0x00, 0x10, 0x00, 0x00, 0x00,

37

+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

38

+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

39

+ // @+60 (12 bytes) psa_lifecycle: PSA_LIFECYCLE_SECURED

40

+ 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00,

41

+ 0x00, 0x30, 0x00, 0x00,

42

+ // @+72 (12 bytes) token_formats: [{0x00, 0x02} (token_psa_debug)]

43

+ 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00,

44

+ 0x00, 0x02, 0x00, 0x00,

45

+ // @+84 (12 bytes) cert_formats: [{0x01, 0x02} (cert_psa_debug)]

46

+ 0x00, 0x00, 0x01, 0x01, 0x02, 0x00, 0x00, 0x00,

47

+ 0x01, 0x02, 0x00, 0x00,

48

+ // @+96 (8 + X bytes) cryptosystems: [...]

49

+ 0x00, 0x00, 0x02, 0x01, CRYPTO_CNT, 0x00, 0x00, 0x00,

+ CRYPTO_VALS

};

size_t discovery_template_len = sizeof(discovery_template);

54

diff --git a/ports/platforms/transports/unix_socket.c b/ports/platforms/transports/unix_socket.c

55

index 359a8c4..7ad11ff 100644

56

--- a/ports/platforms/transports/unix_socket.c

57

+++ b/ports/platforms/transports/unix_socket.c

58

@@ -54,7 +54,7 @@ static int message_receive(int fd, uint8_t buffer[], size_t max, size_t *size) {

}

}

- PSA_ADAC_LOG_DUMP("msg", "receive", buffer, 4 + p->data_count * 4);

63

+ PSA_ADAC_LOG_DUMP("msg", "receive", buffer, sizeof(request_packet_t) + p->data_count * 4);

return 0;

}

diff --git a/ports/targets/native/autotest.c b/ports/targets/native/autotest.c

68

index 8817825..ad185d5 100644

69

--- a/ports/targets/native/autotest.c

70

+++ b/ports/targets/native/autotest.c

71

@@ -111,7 +111,7 @@ void run_test(char *chain_file, char *key_file, uint8_t type) {

72

return;

73

}

74

psa_adac_sign_token(challenge->challenge_vector, sizeof(challenge->challenge_vector),

75

- key_type, NULL, 0, &token, &token_size, handle, NULL, 0);

76

+ key_type, NULL, 0, &token, &token_size, NULL, handle, NULL, 0);

77

psa_destroy_key(handle);

78

} else if ((type == CMAC_AES) || (type == HMAC_SHA256)) {

79

if (0 != load_secret_key(key_file, key_type, &key, &key_size)) {

80

@@ -119,7 +119,7 @@ void run_test(char *chain_file, char *key_file, uint8_t type) {

81

return;

82

}

83

psa_adac_sign_token(challenge->challenge_vector, sizeof(challenge->challenge_vector),

84

- key_type, NULL, 0, &token, &token_size, 0, key, key_size);

85

+ key_type, NULL, 0, &token, &token_size, NULL, 0, key, key_size);

86

}

87

response_packet_release(response);

88

89

diff --git a/ports/targets/native/client.c b/ports/targets/native/client.c

90

index 2316a87..740be99 100755

91

--- a/ports/targets/native/client.c

92

+++ b/ports/targets/native/client.c

93

@@ -135,7 +135,7 @@ int main(int argc, char *argv[]) {

94

95

96

if (PSA_SUCCESS == psa_adac_sign_token(challenge->challenge_vector, sizeof(challenge->challenge_vector),

97

- key_type, NULL, 0, &token, &token_size, handle, key, key_size)) {

98

+ key_type, NULL, 0, &token, &token_size, NULL, handle, key, key_size)) {

99

response_packet_release(response);

100

PSA_ADAC_LOG_DUMP("client", "token", token, token_size);

101

} else {

102

diff --git a/ports/targets/native/psa_sdm.c b/ports/targets/native/psa_sdm.c

103

index 2d775c1..d5e47ea 100755

104

--- a/ports/targets/native/psa_sdm.c

105

+++ b/ports/targets/native/psa_sdm.c

106

@@ -178,7 +178,7 @@ SDM_EXTERN SDMReturnCode SDM_Authenticate(SDMHandle handle, const SDMAuthenticat

107

config->callbacks->updateProgress("signing token", 40, config->refcon);

108

109

if (PSA_SUCCESS == psa_adac_sign_token(challenge->challenge_vector, sizeof(challenge->challenge_vector),

110

- key_type, NULL, 0, &token, &token_size, key_handle, NULL, 0)) {

111

+ key_type, NULL, 0, &token, &token_size, NULL, key_handle, NULL, 0)) {

112

response_packet_release(response);

113

PSA_ADAC_LOG_DUMP("client", "token", token, token_size);

114

} else {

115

diff --git a/ports/targets/native/selftest.c b/ports/targets/native/selftest.c

116

index 14d09d1..a1084e9 100755

117

--- a/ports/targets/native/selftest.c

118

+++ b/ports/targets/native/selftest.c

119

@@ -133,7 +133,7 @@ int main(int argc, char *argv[]) {

120

}

121

122

if (PSA_SUCCESS == psa_adac_sign_token(challenge.challenge_vector, sizeof(challenge.challenge_vector),

123

- key_type, NULL, 0, &token, &token_size, handle, NULL, 0)) {

124

+ key_type, NULL, 0, &token, &token_size, NULL, handle, NULL, 0)) {

125

// PSA_ADAC_LOG_DUMP("client", "token", token, token_size);

126

127

if (PSA_SUCCESS != psa_adac_verify_token_signature(token + 4, token_size - 4,

128

diff --git a/psa-adac/core/include/psa_adac.h b/psa-adac/core/include/psa_adac.h

129

index c965f76..0bf80be 100644

130

--- a/psa-adac/core/include/psa_adac.h

131

+++ b/psa-adac/core/include/psa_adac.h

132

@@ -20,6 +20,17 @@

133

134

#define ROUND_TO_WORD(x) (((size_t)x + 3) & ~0x03UL)

+/** \brief Version

+ *

+ * Current version numbers for certificate and token format.

139

+ */

140

+enum _adac_versions {

141

+ SDP_CERT_MAJOR = 1,

142

+ SDP_CERT_MINOR = 0,

143

+ SDP_TOKEN_MAJOR = 1,

144

+ SDP_TOKEN_MINOR = 0,

145

+};

146

+

147

/** \brief Key options

148

*

149

*/

150

@@ -124,7 +135,7 @@ typedef struct {

151

uint8_t usage;

152

uint16_t _reserved; //!< Must be set to zero.

153

uint16_t lifecycle;

154

- uint16_t custom_constraint;

155

+ uint16_t oem_constraint;

156

uint32_t extensions_bytes;

157

uint32_t soc_class;

158

uint8_t soc_id[16];

159

@@ -144,6 +155,7 @@ typedef struct {

160

161

#define CHALLENGE_SIZE 32

162

#define MAX_EXTENSIONS 16

163

+#define PERMISSION_BITS 128

164

165

/** \brief Authentication challenge

166

*

167

diff --git a/psa-adac/sda/src/psa_adac_sda.c b/psa-adac/sda/src/psa_adac_sda.c

168

index f57f65c..d5e030c 100644

169

--- a/psa-adac/sda/src/psa_adac_sda.c

170

+++ b/psa-adac/sda/src/psa_adac_sda.c

171

@@ -365,7 +365,6 @@ int authentication_handle(authentication_context_t *auth_ctx) {

172

(void) authenticator_request_packet_release(auth_ctx, request);

173

response = authenticator_response_packet_build(auth_ctx, SDP_SUCCESS, NULL, 0);

174

ret = authenticator_send_response(auth_ctx, response);

- done = 1;

break;

default:

@@ -380,8 +379,12 @@ int authentication_handle(authentication_context_t *auth_ctx) {

180

PSA_ADAC_LOG_ERR("auth", "Error sending response: %04x\n", ret);

181

}

182

183

- if ((auth_ctx->state == AUTH_SUCCESS) || (auth_ctx->state == AUTH_FAILURE)) {

184

- done = 1;

185

+ if ((auth_ctx->state == AUTH_SUCCESS)) {

186

+ PSA_ADAC_LOG_INFO("auth", "Authentication is a success\n");

187

+ auth_ctx->state = AUTH_INIT;

188

+ } else if (auth_ctx->state == AUTH_FAILURE) {

189

+ PSA_ADAC_LOG_INFO("auth", "Authentication is a failure\n");

190

+ auth_ctx->state = AUTH_INIT;

}

}

diff --git a/psa-adac/sdm/include/psa_adac_sdm.h b/psa-adac/sdm/include/psa_adac_sdm.h

195

index b15c630..616ef62 100644

196

--- a/psa-adac/sdm/include/psa_adac_sdm.h

197

+++ b/psa-adac/sdm/include/psa_adac_sdm.h

198

@@ -31,9 +31,9 @@ int load_trust_chain(const char *chain_file, uint8_t **chain, size_t *chain_size

199

int load_trust_rotpk(const char *chain_file, psa_algorithm_t alg, uint8_t *rotpk,

200

size_t buffer_size, size_t *rotpk_size, uint8_t *rotpk_type);

201

202

-psa_status_t psa_adac_sign_token(uint8_t challenge[], size_t challenge_size, uint8_t signature_type, uint8_t exts[],

203

- size_t exts_size, uint8_t *fragment[], size_t *fragment_size, psa_key_handle_t handle,

204

- uint8_t *key, size_t key_size);

205

+psa_status_t psa_adac_sign_token(uint8_t challenge[], size_t challenge_size, uint8_t signature_type,

206

+ uint8_t exts[], size_t exts_size, uint8_t *fragment[], size_t *fragment_size,

207

+ uint8_t *req_perms, psa_key_handle_t handle, uint8_t *key, size_t key_size);

/**@}*/

diff --git a/psa-adac/sdm/src/sdm_token.c b/psa-adac/sdm/src/sdm_token.c

212

index 7d048d7..01df4f4 100644

213

--- a/psa-adac/sdm/src/sdm_token.c

214

+++ b/psa-adac/sdm/src/sdm_token.c

215

@@ -82,9 +82,9 @@ psa_status_t psa_adac_mac_sign(psa_algorithm_t algo, const uint8_t *inputs[], si

return r;

}

-psa_status_t psa_adac_sign_token(uint8_t challenge[], size_t challenge_size, uint8_t signature_type, uint8_t exts[],

220

- size_t exts_size, uint8_t *fragment[], size_t *fragment_size, psa_key_handle_t handle,

221

- uint8_t *key, size_t key_size) {

222

+psa_status_t psa_adac_sign_token(uint8_t challenge[], size_t challenge_size, uint8_t signature_type,

223

+ uint8_t exts[], size_t exts_size, uint8_t *fragment[], size_t *fragment_size,

224

+ uint8_t *req_perms, psa_key_handle_t handle, uint8_t *key, size_t key_size) {

225

uint8_t hash[PSA_HASH_MAX_SIZE], *sig, *ext_hash, *_fragment;

226

size_t token_size, hash_size, sig_size, body_size, tbs_size, ext_hash_size;

227

psa_algorithm_t hash_algo, sig_algo;

228

@@ -243,8 +243,13 @@ psa_status_t psa_adac_sign_token(uint8_t challenge[], size_t challenge_size, uin

229

230

token_header_t *token = (token_header_t *) (_fragment + sizeof(psa_tlv_t));

231

// memset(token, 0, token_size);

232

+ token->format_version.minor = SDP_TOKEN_MINOR;

233

+ token->format_version.major = SDP_TOKEN_MAJOR;

234

token->signature_type = signature_type;

235

token->extensions_bytes = exts_size;

236

+ if(req_perms != NULL)

237

+ memcpy((void*)(token->requested_permissions), req_perms, PERMISSION_BITS/8);

238

+

239

if (exts_size > 0) {

240

// FIXME: Support PSA_ALG_CMAC

241

psa_adac_hash(hash_algo, exts, exts_size, ext_hash, ext_hash_size, &hash_size);