author | Tamas Ban <tamas.ban@arm.com> | 2019-10-25 22:13:53 +0100 |
---|---|---|
committer | David Vincze <david.vincze@arm.com> | 2019-11-29 16:35:29 +0100 |
commit | 80f282420ef3d0953b470a17c41611e5c14cce6c (patch) | |
tree | d20a8376178bdd3430b589bc22977b31eb72ce12 | |
parent | f824e742209dfaa17e0ff24373778b4efe99ac19 (diff) | |
Platform: Get device lifecycle from CC312 on Musca-B1
CryptoCell lifecycle includes:
- CM: Chip manufacture lifecycle, belongs to IC vendor
- DM: Device manufacture lifecycle, belongs to OEM
- SE: Secure enable lifecycle, belongs to end user
- RMA: Return to manufacture and analyze, belongs to ICV or OEM debug
Mapping PSA lifecycle to CryptoCell lifecycle:
- TFM_SLC_ASSEMBLY_AND_TEST – CM
- TFM_SLC_PSA_ROT_PROVISIONING - DM
- TFM_SLC_SECURED – SE
- TFM_SLC_DECOMMISSIONED – RMA
If the chip is not yet provisioned, it is CM lifecycle.
Change-Id: I7d39c7f0d5b09be7a669a1970fcafc669763ebfb
Signed-off-by: Xu Yong <yong.xu@arm.com>
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
-rw-r--r-- | platform/ext/common/cc312/cc312.c | 6 | ||||
-rw-r--r-- | platform/ext/common/cc312/crypto_hw.h | 10 | ||||
-rw-r--r-- | platform/ext/musca_b1.cmake | 3 | ||||
-rw-r--r-- | platform/ext/target/musca_b1/attest_hal.c | 42 | ||||
-rw-r--r-- | test/suites/attestation/attest_token_test.c | 3 | ||||
-rw-r--r-- | test/suites/attestation/attest_token_test_values.h | 2 |
6 files changed, 63 insertions, 3 deletions
diff --git a/platform/ext/common/cc312/cc312.c b/platform/ext/common/cc312/cc312.c
index 7dc8556e08..a5c417dd6b 100644
--- a/platform/ext/common/cc312/cc312.c
+++ b/platform/ext/common/cc312/cc312.c
@@ -13,6 +13,7 @@
 #include "mbedtls/platform.h"
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/entropy.h"
+#include "mbedtls_cc_mng_int.h"
 #include "arm_cmse.h"
 CCRndContext_t* CC312_pRndCtx = NULL;
@@ -96,3 +97,8 @@ int crypto_hw_accelerator_finish(void)
 return 0;
 }
+
+int crypto_hw_accelerator_get_lcs(uint32_t *lcs)
+{
+ return mbedtls_mng_lcsGet(lcs);
+}
diff --git a/platform/ext/common/cc312/crypto_hw.h b/platform/ext/common/cc312/crypto_hw.h
index b5baa8b2c4..2d577cd017 100644
--- a/platform/ext/common/cc312/crypto_hw.h
+++ b/platform/ext/common/cc312/crypto_hw.h
@@ -8,6 +8,8 @@
 #ifndef __CRYPTO_HW_H__
 #define __CRYPTO_HW_H__
+#include <stdint.h>
+
 #ifdef __cplusplus
 extern "C" {
 #endif /* __cplusplus */
@@ -44,6 +46,14 @@ int crypto_hw_accelerator_finish(void);
 */
 int crypto_hw_accelerator_otp_provisioning(void);
+/** \brief Retrieve the device lifecycle
+ *
+ * \param[out] lcs Pointer to store lifecycle state
+ *
+ * \return 0 on success, non-zero otherwise
+ */
+int crypto_hw_accelerator_get_lcs(uint32_t *lcs);
+
 #ifdef __cplusplus
 }
 #endif /* __cplusplus */
diff --git a/platform/ext/musca_b1.cmake b/platform/ext/musca_b1.cmake
index 8f9633c09d..3b7e56fc16 100644
--- a/platform/ext/musca_b1.cmake
+++ b/platform/ext/musca_b1.cmake
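Review bot: The doc comment added for `crypto_hw_accelerator_get_lcs()` in crypto_hw.h does not say which encoding is written to `*lcs`. The implementation in cc312.c forwards the pointer straight to `mbedtls_mng_lcsGet()`, so the caller receives the CryptoCell's own lifecycle value and has to compare it with the `CC_MNG_LCS_*` constants, which is what attest_hal.c does later in this commit. I would state that in the header, for example `\param[out] lcs CC312 lifecycle state (one of the CC_MNG_LCS_* values), valid only when 0 is returned`, so that the raw value is not mistaken for a `tfm_security_lifecycle_t`.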
@@ -258,4 +258,7 @@ if (CRYPTO_HW_ACCELERATOR)
 embedded_include_directories(PATH "${CC312_SOURCE_DIR}/shared/hw/include/musca_b1" ABSOLUTE)
 embedded_include_directories(PATH "${CMAKE_CURRENT_BINARY_DIR}/services/crypto/cryptocell/install/include" ABSOLUTE)
 embedded_include_directories(PATH "${PLATFORM_DIR}/common/cc312/" ABSOLUTE)
+
+ #Compiling this file requires to disable warning: -Wunused-local-typedefs
+ set_source_files_properties("${PLATFORM_DIR}/target/musca_b1/dummy_crypto_keys.c" PROPERTIES COMPILE_FLAGS -Wno-unused-local-typedefs)
 endif()
diff --git a/platform/ext/target/musca_b1/attest_hal.c b/platform/ext/target/musca_b1/attest_hal.c
index d4d2407680..7b682a843e 100644
--- a/platform/ext/target/musca_b1/attest_hal.c
+++ b/platform/ext/target/musca_b1/attest_hal.c
@@ -8,15 +8,57 @@
 #include "platform/include/tfm_attest_hal.h"
 #include <stdint.h>
+#ifdef CRYPTO_HW_ACCELERATOR
+#include "crypto_hw.h"
+#include "mbedtls_cc_mng_int.h"
+#endif /* CRYPTO_HW_ACCELERATOR */
+
 /* Example verification service URL for initial attestation token */
 static const char verification_service_url[] = "www.trustedfirmware.org";
 /* Example profile definition document for initial attestation token */
 static const char attestation_profile_definition[] = "PSA_IOT_PROFILE_1";
+#ifdef CRYPTO_HW_ACCELERATOR
+static enum tfm_security_lifecycle_t
+map_cc312_to_tfm_lifecycle(uint32_t cc312_lcs)
+{
+ enum tfm_security_lifecycle_t tfm_lcs;
+
+ if (cc312_lcs == CC_MNG_LCS_CM) {
+ tfm_lcs = TFM_SLC_ASSEMBLY_AND_TEST;
+ } else if (cc312_lcs == CC_MNG_LCS_DM) {
+ tfm_lcs = TFM_SLC_PSA_ROT_PROVISIONING;
+ } else if (cc312_lcs == CC_MNG_LCS_SEC_ENABLED) {
+ tfm_lcs = TFM_SLC_SECURED;
+ } else if (cc312_lcs == CC_MNG_LCS_RMA) {
+ tfm_lcs = TFM_SLC_DECOMMISSIONED;
+ } else {
+ tfm_lcs = TFM_SLC_UNKNOWN;
+ }
+
+ return tfm_lcs;
+}
+#endif
+
 enum tfm_security_lifecycle_t tfm_attest_hal_get_security_lifecycle(void)
 {
+#ifdef CRYPTO_HW_ACCELERATOR
+ int rc;
+ uint32_t cc312_lcs;
+ enum tfm_security_lifecycle_t tfm_lcs;
+
+ rc = crypto_hw_accelerator_get_lcs(&cc312_lcs);
+ if (rc) {
+ return TFM_SLC_UNKNOWN;
+ }
+
+ tfm_lcs = map_cc312_to_tfm_lifecycle(cc312_lcs);
+
+ return tfm_lcs;
+#else
 return TFM_SLC_SECURED;
+#endif
 }
 const char *
diff --git a/test/suites/attestation/attest_token_test.c b/test/suites/attestation/attest_token_test.c
index 88d6528ae2..dd0db4ba13 100644
--- a/test/suites/attestation/attest_token_test.c
+++ b/test/suites/attestation/attest_token_test.c
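Review bot: `map_cc312_to_tfm_lifecycle()` in attest_hal.c has no comment, and the mapping it implements is written down only in the commit message. Because the result is what `tfm_attest_hal_get_security_lifecycle()` reports (presumably into the token's security lifecycle claim), I would add a short block comment above the helper listing the four pairs (CM to ASSEMBLY_AND_TEST, DM to PSA_ROT_PROVISIONING, SEC_ENABLED to SECURED, RMA to DECOMMISSIONED) and stating that any other value, like a failed read, is reported as `TFM_SLC_UNKNOWN`. The `#else` branch still returns the fixed `TFM_SLC_SECURED`, so a build without `CRYPTO_HW_ACCELERATOR` reports a state that is not read from the device; a comment such as `/* No CC312: lifecycle is hard-coded, not read from hardware */` would make that visible. Minor: the second and third `#endif` lack the `/* CRYPTO_HW_ACCELERATOR */` tag used on the first one.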
@@ -387,8 +387,7 @@ static int_fast16_t check_simple_claims(
 }
 /* -- check value of the security lifecycle claim -- */
- if(simple_claims->security_lifecycle !=
- TOKEN_TEST_VALUE_SECURITY_LIFECYCLE) {
+ if(!IS_ITEM_FLAG_SET(SECURITY_LIFECYCLE_FLAG,simple_claims->item_flags)) {
 /* Claim is not present in token */
 if(TOKEN_TEST_REQUIRE_SECURITY_LIFECYCLE) {
 /* It should have been present */
diff --git a/test/suites/attestation/attest_token_test_values.h b/test/suites/attestation/attest_token_test_values.h
index 52d7a5406f..385a92b8bd 100644
--- a/test/suites/attestation/attest_token_test_values.h
+++ b/test/suites/attestation/attest_token_test_values.h
@@ -141,7 +141,7 @@
 /* A small unsigned integer
 * platform/ext/target/<TARGET>/attest_hal.c
 */
-#define TOKEN_TEST_VALUE_SECURITY_LIFECYCLE 0x3000u /* Hard-coded value */
+#define TOKEN_TEST_VALUE_SECURITY_LIFECYCLE INT32_MAX /* Value not checked */
 #define TOKEN_TEST_REQUIRE_SECURITY_LIFECYCLE true /* Mandatory claim */
 /* An integer (can be positive or negative */ |
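Review bot: Setting `TOKEN_TEST_VALUE_SECURITY_LIFECYCLE` to `INT32_MAX /* Value not checked */` in attest_token_test_values.h appears to switch off the value comparison for every target that builds with this header, not only Musca-B1 with the CC312. Together with the presence-only condition now used in `check_simple_claims()` (whose body continues outside the hunk), a token carrying `TFM_SLC_UNKNOWN` after a failed lifecycle read would presumably still pass the test. If the expected value has to be platform dependent, I would keep the old expectation for targets that hard-code the state, for example by wrapping the new define in `#ifdef CRYPTO_HW_ACCELERATOR` with `0x3000u` in the `#else` (provided that macro is visible to the test build), or add a check that rejects the unknown state when the claim is mandatory.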