Attest: Use boot record TLV in IAT token creation

Use the build-time generated measured boot record structure, which is
already CBOR encoded, to create the SW_COMPONENTS claim, while also
keeping backward compatibility.
Set the default value of ATTEST_BOOT_INTERFACE to 'CBOR_ENCODED_CLAIMS'
so the bootloader will copy (after a successful image authentication)
the content of the boot record TLV to the shared data area instead of
the individual SW component claims.

Change-Id: I33f1a89f8b2befed914c6ea9c77b1e0f896d27d7
Signed-off-by: David Vincze <david.vincze@arm.com>
diff --git a/CommonConfig.cmake b/CommonConfig.cmake
index 3e03aec..88bf8b3 100644
--- a/CommonConfig.cmake
+++ b/CommonConfig.cmake
@@ -370,7 +370,7 @@
 	set(ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID OFF)
 endif()
 
-set(ATTEST_BOOT_INTERFACE "INDIVIDUAL_CLAIMS" CACHE STRING "Set the format in which to pass the claims to the initial-attestation service.")
+set(ATTEST_BOOT_INTERFACE "CBOR_ENCODED_CLAIMS" CACHE STRING "Set the format in which to pass the claims to the initial-attestation service.")
 set_property(CACHE ATTEST_BOOT_INTERFACE PROPERTY STRINGS "INDIVIDUAL_CLAIMS;CBOR_ENCODED_CLAIMS")
 validate_cache_value(ATTEST_BOOT_INTERFACE)
 
diff --git a/secure_fw/services/initial_attestation/CMakeLists.inc b/secure_fw/services/initial_attestation/CMakeLists.inc
index 7b9bec9..d9c8dca 100644
--- a/secure_fw/services/initial_attestation/CMakeLists.inc
+++ b/secure_fw/services/initial_attestation/CMakeLists.inc
@@ -46,10 +46,15 @@
 	set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INCLUDE_TEST_CODE_AND_KEY_ID)
 endif()
 
+if (ATTEST_BOOT_INTERFACE STREQUAL "INDIVIDUAL_CLAIMS")
+	set_property(SOURCE ${ATTEST_C_SRC} APPEND PROPERTY COMPILE_DEFINITIONS INDIVIDUAL_SW_COMPONENTS)
+endif()
+
 #Inform the user about attestation service features selected based on the cmake flags
 message("The Initial Attestation service compile configuration is as follows:")
 message("- ATTEST_INCLUDE_OPTIONAL_CLAIMS: ${ATTEST_INCLUDE_OPTIONAL_CLAIMS}")
 message("- ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID: ${ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID}")
+message("- ATTEST_BOOT_INTERFACE: ${ATTEST_BOOT_INTERFACE}")
 
 #Setting include directories
 embedded_include_directories(PATH ${TFM_ROOT_DIR} ABSOLUTE)
diff --git a/secure_fw/services/initial_attestation/attestation_core.c b/secure_fw/services/initial_attestation/attestation_core.c
index d8e8b97..4518b07 100644
--- a/secure_fw/services/initial_attestation/attestation_core.c
+++ b/secure_fw/services/initial_attestation/attestation_core.c
@@ -227,6 +227,7 @@
     return found;
 }
 
+#ifdef INDIVIDUAL_SW_COMPONENTS /* DEPRECATED */
 /*!
  * \brief Static function to add SW component related claims to attestation
  *        token in CBOR format.
@@ -238,6 +239,9 @@
  * \param[in]  claim_value  A structure which carries a pointer and size about
  *                          the data item to be added to the token
  *
+ * \deprecated This function is deprecated and will probably be removed
+ *             in the future.
+ *
  * \return Returns error code as specified in \ref psa_attest_err_t
  */
 static enum psa_attest_err_t
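Review bot: The `\deprecated` text added here, and repeated in the hunks at -288 and -357, says the function "will probably be removed" but does not name what replaces it or which build option still compiles it. A wording such as `\deprecated Only built when ATTEST_BOOT_INTERFACE is INDIVIDUAL_CLAIMS; superseded by the CBOR encoded boot record path.` would tell a maintainer which configuration keeps this code alive. In the -288 hunk the tag is also added directly after the `\param` lines without the blank ` *` line used in the other two hunks, so the three comment blocks are formatted inconsistently. The function bodies lie outside these hunks.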
@@ -288,6 +292,8 @@
  *                          which belongs to this SW component.
  * \param[in]  nested_map   Flag to indicate that how to encode the SW component
  *                          measurement data: nested map or non-nested map.
+ * \deprecated This function is deprecated and will probably be removed
+ *             in the future.
  *
  * \return Returns error code as specified in \ref psa_attest_err_t
  */
@@ -357,6 +363,9 @@
  * \param[in]  tlv_address  Address of the first TLV entry in the boot status,
  *                          which belongs to this SW component.
  *
+ * \deprecated This function is deprecated and will probably be removed
+ *             in the future.
+ *
  * \return Returns error code as specified in \ref psa_attest_err_t
  */
 static enum psa_attest_err_t
@@ -424,6 +433,7 @@
 
     return PSA_ATTEST_ERR_SUCCESS;
 }
+#endif /* INDIVIDUAL_SW_COMPONENTS */
 
 /*!
  * \brief Static function to add the claims of all SW components to the
@@ -442,8 +452,12 @@
     int32_t found;
     uint32_t cnt = 0;
     uint32_t module;
-    QCBOREncodeContext *cbor_encode_ctx;
+    QCBOREncodeContext *cbor_encode_ctx = NULL;
+#ifdef INDIVIDUAL_SW_COMPONENTS
     enum psa_attest_err_t res;
+#else
+    UsefulBufC encoded = NULLUsefulBufC;
+#endif
 
     /* Starting from module 1, because module 0 contains general claims which
      * are not related to SW module(i.e: boot_seed, etc.)
@@ -469,10 +483,17 @@
                 QCBOREncode_OpenArrayInMapN(cbor_encode_ctx,
                                             EAT_CBOR_ARM_LABEL_SW_COMPONENTS);
             }
+
+#ifdef INDIVIDUAL_SW_COMPONENTS
             res = attest_add_single_sw_component(token_ctx, module, tlv_ptr);
             if (res != PSA_ATTEST_ERR_SUCCESS) {
                 return res;
             }
+#else
+            encoded.ptr = tlv_ptr + SHARED_DATA_ENTRY_HEADER_SIZE;
+            encoded.len = tlv_len - SHARED_DATA_ENTRY_HEADER_SIZE;
+            QCBOREncode_AddEncoded(cbor_encode_ctx, encoded);
+#endif /* INDIVIDUAL_SW_COMPONENTS */
         }
     }
 
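Review bot: In the `#else` branch, `encoded.len = tlv_len - SHARED_DATA_ENTRY_HEADER_SIZE` is computed with no check that `tlv_len` is at least the header size, so a short entry would give the encoder a bogus, wrapped length. `tlv_len` is assigned outside this hunk, so the lookup helper may already guarantee this. A local guard is still cheap: `if (tlv_len < SHARED_DATA_ENTRY_HEADER_SIZE) { return PSA_ATTEST_ERR_GENERAL; }`. The record is also spliced into the token as-is, and `QCBOREncode_AddEncoded` does not check that the bytes are well-formed CBOR, so the SW_COMPONENTS array is only as sound as what the bootloader wrote to the shared data area. A comment stating that trust assumption, e.g. `/* Boot record is trusted: written by the bootloader after image authentication, not re-validated here */`, would make it explicit. Unlike the `INDIVIDUAL_SW_COMPONENTS` path, which returns `res` on failure, this path has no error return of its own, so any encoding problem surfaces only if the encoder's error state is checked later, outside this hunk.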
@@ -622,7 +643,6 @@
  *
  * \return Returns error code as specified in \ref psa_attest_err_t
  */
-
 static enum psa_attest_err_t
 attest_add_security_lifecycle_claim(struct attest_token_ctx *token_ctx)
 {