authorTamas Ban <tamas.ban@arm.com>2019-10-25 22:13:53 +0100
committerDavid Vincze <david.vincze@arm.com>2019-11-29 16:35:29 +0100
commit80f282420ef3d0953b470a17c41611e5c14cce6c (patch)
treed20a8376178bdd3430b589bc22977b31eb72ce12
parentf824e742209dfaa17e0ff24373778b4efe99ac19 (diff)
Platform: Get device lifecycle from CC312 on Musca-B1
CryptoCell lifecycle includes: - CM: Chip manufacture lifecycle, belongs to IC vendor - DM: Device manufacture lifecycle, belongs to OEM - SE: Secure enable lifecycle, belongs to end user - RMA: Return to manufacture and analyze, belongs to ICV or OEM debug Mapping PSA lifecycle to CryptoCell lifecycle: - TFM_SLC_ASSEMBLY_AND_TEST – CM - TFM_SLC_PSA_ROT_PROVISIONING - DM - TFM_SLC_SECURED – SE - TFM_SLC_DECOMMISSIONED – RMA If the chip is not yet provisioned, it is CM lifecycle. Change-Id: I7d39c7f0d5b09be7a669a1970fcafc669763ebfb Signed-off-by: Xu Yong <yong.xu@arm.com> Signed-off-by: Tamas Ban <tamas.ban@arm.com>
-rw-r--r--platform/ext/common/cc312/cc312.c6
-rw-r--r--platform/ext/common/cc312/crypto_hw.h10
-rw-r--r--platform/ext/musca_b1.cmake3
-rw-r--r--platform/ext/target/musca_b1/attest_hal.c42
-rw-r--r--test/suites/attestation/attest_token_test.c3
-rw-r--r--test/suites/attestation/attest_token_test_values.h2
6 files changed, 63 insertions, 3 deletions
diff --git a/platform/ext/common/cc312/cc312.c b/platform/ext/common/cc312/cc312.c
index 7dc8556e08..a5c417dd6b 100644
--- a/platform/ext/common/cc312/cc312.c
+++ b/platform/ext/common/cc312/cc312.c
@@ -13,6 +13,7 @@
#include "mbedtls/platform.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/entropy.h"
+#include "mbedtls_cc_mng_int.h"
#include "arm_cmse.h"
CCRndContext_t* CC312_pRndCtx = NULL;
@@ -96,3 +97,8 @@ int crypto_hw_accelerator_finish(void)
return 0;
}
+
+int crypto_hw_accelerator_get_lcs(uint32_t *lcs)
+{
+ return mbedtls_mng_lcsGet(lcs);
+}
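Review bot: `crypto_hw_accelerator_get_lcs` forwards `lcs` to `mbedtls_mng_lcsGet` without checking it, and nothing visible here shows whether the library call rejects a NULL pointer. The header documents only "0 on success, non-zero otherwise", so a guard fits the existing contract: `if (lcs == NULL) { return -1; }` before the call. The wrapper also returns the library's error code unchanged, so callers should test only for non-zero, as the caller in attest_hal.c does.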
diff --git a/platform/ext/common/cc312/crypto_hw.h b/platform/ext/common/cc312/crypto_hw.h
index b5baa8b2c4..2d577cd017 100644
--- a/platform/ext/common/cc312/crypto_hw.h
+++ b/platform/ext/common/cc312/crypto_hw.h
@@ -8,6 +8,8 @@
#ifndef __CRYPTO_HW_H__
#define __CRYPTO_HW_H__
+#include <stdint.h>
+
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */
@@ -44,6 +46,14 @@ int crypto_hw_accelerator_finish(void);
*/
int crypto_hw_accelerator_otp_provisioning(void);
+/** \brief Retrieve the device lifecycle
+ *
+ * \param[out] lcs Pointer to store lifecycle state
+ *
+ * \return 0 on success, non-zero otherwise
+ */
+int crypto_hw_accelerator_get_lcs(uint32_t *lcs);
+
#ifdef __cplusplus
}
#endif /* __cplusplus */
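Review bot: The doc comment for `crypto_hw_accelerator_get_lcs` does not say which value domain `lcs` receives. The caller in attest_hal.c compares the result against `CC_MNG_LCS_*`, so it is the raw CryptoCell state and not a `tfm_security_lifecycle_t`. Suggest extending the parameter line to `\param[out] lcs  Raw CryptoCell lifecycle state (CC_MNG_LCS_*), not a TF-M lifecycle value`. It would also help to state whether `*lcs` is left unmodified when the call fails, which cannot be determined from this diff.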
diff --git a/platform/ext/musca_b1.cmake b/platform/ext/musca_b1.cmake
index 8f9633c09d..3b7e56fc16 100644
--- a/platform/ext/musca_b1.cmake
+++ b/platform/ext/musca_b1.cmake
@@ -258,4 +258,7 @@ if (CRYPTO_HW_ACCELERATOR)
embedded_include_directories(PATH "${CC312_SOURCE_DIR}/shared/hw/include/musca_b1" ABSOLUTE)
embedded_include_directories(PATH "${CMAKE_CURRENT_BINARY_DIR}/services/crypto/cryptocell/install/include" ABSOLUTE)
embedded_include_directories(PATH "${PLATFORM_DIR}/common/cc312/" ABSOLUTE)
+
+ #Compiling this file requires to disable warning: -Wunused-local-typedefs
+ set_source_files_properties("${PLATFORM_DIR}/target/musca_b1/dummy_crypto_keys.c" PROPERTIES COMPILE_FLAGS -Wno-unused-local-typedefs)
endif()
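Review bot: The comment above the new `set_source_files_properties` call says the warning has to be disabled but not why. `dummy_crypto_keys.c` is not touched by this commit and the commit message does not mention it. A reason in the comment would let a later reader tell when the suppression can be dropped, for example `# <header name> pulled in by dummy_crypto_keys.c defines typedefs unused in this file; silence -Wunused-local-typedefs for this file only` with the actual header filled in. The enclosing `if (CRYPTO_HW_ACCELERATOR)` block starts outside the hunk.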
diff --git a/platform/ext/target/musca_b1/attest_hal.c b/platform/ext/target/musca_b1/attest_hal.c
index d4d2407680..7b682a843e 100644
--- a/platform/ext/target/musca_b1/attest_hal.c
+++ b/platform/ext/target/musca_b1/attest_hal.c
@@ -8,15 +8,57 @@
#include "platform/include/tfm_attest_hal.h"
#include <stdint.h>
+#ifdef CRYPTO_HW_ACCELERATOR
+#include "crypto_hw.h"
+#include "mbedtls_cc_mng_int.h"
+#endif /* CRYPTO_HW_ACCELERATOR */
+
/* Example verification service URL for initial attestation token */
static const char verification_service_url[] = "www.trustedfirmware.org";
/* Example profile definition document for initial attestation token */
static const char attestation_profile_definition[] = "PSA_IOT_PROFILE_1";
+#ifdef CRYPTO_HW_ACCELERATOR
+static enum tfm_security_lifecycle_t
+map_cc312_to_tfm_lifecycle(uint32_t cc312_lcs)
+{
+ enum tfm_security_lifecycle_t tfm_lcs;
+
+ if (cc312_lcs == CC_MNG_LCS_CM) {
+ tfm_lcs = TFM_SLC_ASSEMBLY_AND_TEST;
+ } else if (cc312_lcs == CC_MNG_LCS_DM) {
+ tfm_lcs = TFM_SLC_PSA_ROT_PROVISIONING;
+ } else if (cc312_lcs == CC_MNG_LCS_SEC_ENABLED) {
+ tfm_lcs = TFM_SLC_SECURED;
+ } else if (cc312_lcs == CC_MNG_LCS_RMA) {
+ tfm_lcs = TFM_SLC_DECOMMISSIONED;
+ } else {
+ tfm_lcs = TFM_SLC_UNKNOWN;
+ }
+
+ return tfm_lcs;
+}
+#endif
+
enum tfm_security_lifecycle_t tfm_attest_hal_get_security_lifecycle(void)
{
+#ifdef CRYPTO_HW_ACCELERATOR
+ int rc;
+ uint32_t cc312_lcs;
+ enum tfm_security_lifecycle_t tfm_lcs;
+
+ rc = crypto_hw_accelerator_get_lcs(&cc312_lcs);
+ if (rc) {
+ return TFM_SLC_UNKNOWN;
+ }
+
+ tfm_lcs = map_cc312_to_tfm_lifecycle(cc312_lcs);
+
+ return tfm_lcs;
+#else
return TFM_SLC_SECURED;
+#endif
}
const char *
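Review bot: `map_cc312_to_tfm_lifecycle` has no comment recording the mapping or the fallback, and its result appears to become the lifecycle claim that a verifier reads from the attestation token. Suggest a header comment such as `/* Map CryptoCell LCS to PSA lifecycle: CM -> ASSEMBLY_AND_TEST, DM -> PSA_ROT_PROVISIONING, SEC_ENABLED -> SECURED, RMA -> DECOMMISSIONED; any other value is reported as TFM_SLC_UNKNOWN. */`. In `tfm_attest_hal_get_security_lifecycle`, `cc312_lcs` is read after a zero return without having been initialised; `uint32_t cc312_lcs = 0;` would be safer if zero is not a valid `CC_MNG_LCS_*` value, and otherwise a value outside that set is needed. That cannot be confirmed from this diff. The two new `#endif` lines lack the `/* CRYPTO_HW_ACCELERATOR */` trailer used on the include guard above.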
diff --git a/test/suites/attestation/attest_token_test.c b/test/suites/attestation/attest_token_test.c
index 88d6528ae2..dd0db4ba13 100644
--- a/test/suites/attestation/attest_token_test.c
+++ b/test/suites/attestation/attest_token_test.c
@@ -387,8 +387,7 @@ static int_fast16_t check_simple_claims(
}
/* -- check value of the security lifecycle claim -- */
- if(simple_claims->security_lifecycle !=
- TOKEN_TEST_VALUE_SECURITY_LIFECYCLE) {
+ if(!IS_ITEM_FLAG_SET(SECURITY_LIFECYCLE_FLAG,simple_claims->item_flags)) {
/* Claim is not present in token */
if(TOKEN_TEST_REQUIRE_SECURITY_LIFECYCLE) {
/* It should have been present */
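Review bot: The value of the lifecycle claim is no longer compared with anything in the visible lines. The new condition tests only `SECURITY_LIFECYCLE_FLAG`, and the companion hunk in attest_token_test_values.h changes `TOKEN_TEST_VALUE_SECURITY_LIFECYCLE` to `INT32_MAX /* Value not checked */`. A wrong CC312-to-PSA mapping, or a device reporting `TFM_SLC_SECURED` in a state where it should not, would therefore pass this suite. When the claim is present, consider at least rejecting values outside the defined `TFM_SLC_*` set, or letting each platform supply its expected value. The header's comment still reads "A small unsigned integer", which no longer describes `INT32_MAX`; `check_simple_claims` continues outside the hunk, so an else branch there may still inspect the value.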
diff --git a/test/suites/attestation/attest_token_test_values.h b/test/suites/attestation/attest_token_test_values.h
index 52d7a5406f..385a92b8bd 100644
--- a/test/suites/attestation/attest_token_test_values.h
+++ b/test/suites/attestation/attest_token_test_values.h
@@ -141,7 +141,7 @@
/* A small unsigned integer
* platform/ext/target/<TARGET>/attest_hal.c
*/
-#define TOKEN_TEST_VALUE_SECURITY_LIFECYCLE 0x3000u /* Hard-coded value */
+#define TOKEN_TEST_VALUE_SECURITY_LIFECYCLE INT32_MAX /* Value not checked */
#define TOKEN_TEST_REQUIRE_SECURITY_LIFECYCLE true /* Mandatory claim */
/* An integer (can be positive or negative */