author | Tamas Ban <tamas.ban@arm.com> | 2019-01-29 22:03:43 +0000 |
---|---|---|
committer | Tamas Ban <tamas.ban@arm.com> | 2019-02-14 15:50:12 +0100 |
commit | ca682b2885f5d396b94d7099d1418833f1b345f8 (patch) | |
tree | 91028f04f3d31ed3a150807f8a55afb80e43eb47 | |
parent | c90adc38f4b86bcb8ab3185a0bb3d9ed603297d4 (diff) | |
download | trusted-firmware-m-ca682b2885f5d396b94d7099d1418833f1b345f8.tar.gz |
Attest: Handle no SW component case
The bootloader might not be capable of providing
the measurements of SW components. In this
case a special claim must be included in the IAT,
whose aim is to indicate that the lack of measurement
claims is intentional.
Change-Id: I183a58cecc8593fa809f6f18d09b6b8b4eea37c1
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
-rw-r--r-- | secure_fw/services/initial_attestation/attestation_core.c | 33 | ||||
-rw-r--r-- | secure_fw/services/initial_attestation/tfm_attestation.c | 15 |
2 files changed, 39 insertions, 9 deletions
diff --git a/secure_fw/services/initial_attestation/attestation_core.c b/secure_fw/services/initial_attestation/attestation_core.c
index 8afdbe1271..b2cd01c92e 100644
--- a/secure_fw/services/initial_attestation/attestation_core.c
+++ b/secure_fw/services/initial_attestation/attestation_core.c
@@ -25,6 +25,11 @@
 #define EAT_SW_COMPONENT_NESTED 1 /* Nested map */
 #define EAT_SW_COMPONENT_NOT_NESTED 0 /* Flat structure */
+/* Indicates that the boot status does not contain any SW components'
+ * measurement
+ */
+#define NO_SW_COMPONENT_FIXED_VALUE 1
+
 /*!
 * \var boot_status
 *
@@ -414,16 +419,12 @@ attest_add_all_sw_components(struct attest_token_ctx *token_ctx)
 uint8_t *tlv_ptr;
 uint8_t tlv_id;
 int32_t found;
+ uint32_t cnt = 0;
 uint32_t module;
 QCBOREncodeContext *cbor_encode_ctx;
- /* Open array which stores SW components claims */
- cbor_encode_ctx = attest_token_borrow_cbor_cntxt(token_ctx);
- QCBOREncode_OpenArrayInMapN(cbor_encode_ctx,
- EAT_CBOR_ARM_LABEL_SW_COMPONENTS);
-
 /* Starting from module 1, because module 0 contains general claims which
- * are not related to SW module(i.e: boot_seed)
+ * are not related to SW module(i.e: boot_seed, etc.)
 */
 for (module = 1; module < SW_MAX; ++module) {
 /* Indicates to restart the look up from the beginning of the shared
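Review bot: `QCBOREncodeContext *cbor_encode_ctx;` is still declared without an initializer, yet this hunk removes its only unconditional assignment; after the change it is set only inside the `cnt == 1` branch added in the following hunk. The close path there is guarded by `cnt != 0`, so the current logic reads the pointer only after it has been assigned, but that invariant is implicit and some compilers will report a maybe-uninitialized use. Declaring it as `QCBOREncodeContext *cbor_encode_ctx = NULL;` makes a future slip fail deterministically instead of handing an indeterminate pointer to the encoder. The function body starts before and ends after this hunk.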
@@ -439,12 +440,28 @@ attest_add_all_sw_components(struct attest_token_ctx *token_ctx)
 }
 if (found == 1) {
+ cnt++;
+ if (cnt == 1) {
+ /* Open array which stores SW components claims */
+ cbor_encode_ctx = attest_token_borrow_cbor_cntxt(token_ctx);
+ QCBOREncode_OpenArrayInMapN(cbor_encode_ctx,
+ EAT_CBOR_ARM_LABEL_SW_COMPONENTS);
+ }
 attest_add_single_sw_component(token_ctx, module, tlv_ptr);
 }
 }
- /* Close array which stores SW components claims*/
- QCBOREncode_CloseArray(cbor_encode_ctx);
+ if (cnt != 0) {
+ /* Close array which stores SW components claims*/
+ QCBOREncode_CloseArray(cbor_encode_ctx);
+ } else {
+ /* If there is not any SW components' measurement in the boot status
+ * then include this claim to indicate that this state is intentional
+ */
+ attest_token_add_integer(token_ctx,
+ EAT_CBOR_ARM_LABEL_NO_SW_COMPONENTS,
+ (int64_t)NO_SW_COMPONENT_FIXED_VALUE);
+ }
 return PSA_ATTEST_ERR_SUCCESS;
 }
diff --git a/secure_fw/services/initial_attestation/tfm_attestation.c b/secure_fw/services/initial_attestation/tfm_attestation.c
index f2dbf922a3..186a58c742 100644
--- a/secure_fw/services/initial_attestation/tfm_attestation.c
+++ b/secure_fw/services/initial_attestation/tfm_attestation.c
@@ -44,13 +44,26 @@ attest_get_caller_client_id(int32_t *caller_id)
 enum psa_attest_err_t
 attest_get_boot_data(uint8_t major_type, void *ptr, uint32_t len)
 {
- enum tfm_status_e tfm_res;
 enum psa_attest_err_t attest_res = PSA_ATTEST_ERR_SUCCESS;
+#ifndef BL2
+ struct shared_data_tlv_header *tlv_header;
+
+ /* Avoid compiler warning due to unused argument */
+ (void)len;
+ (void)major_type;
+
+ tlv_header = (struct shared_data_tlv_header *)ptr;
+ tlv_header->tlv_magic = SHARED_DATA_TLV_INFO_MAGIC;
+ tlv_header->tlv_tot_len = SHARED_DATA_HEADER_SIZE;
+#else
+ enum tfm_status_e tfm_res;
+
 tfm_res = tfm_core_get_boot_data(major_type, ptr, len);
 if (tfm_res != TFM_SUCCESS) {
 attest_res = PSA_ATTEST_ERR_INIT_FAILED;
 }
+#endif /* BL2 */
 return attest_res;
 }
|
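Review bot: The `else` branch emits `EAT_CBOR_ARM_LABEL_NO_SW_COMPONENTS` whenever the loop found nothing, so the token asserts that the absence of measurements is intentional even when it is not, for example if a measuring bootloader left the shared data area empty or truncated. A verifier cannot tell the two cases apart, which weakens what the claim attests. If builds with `BL2` defined are expected always to supply measurements, consider emitting the claim only under `#ifndef BL2` and returning an error from the `cnt == 0` path otherwise; failing that, a comment on the branch should state that the claim reflects runtime absence rather than configuration. The start of the function and the loop body above `if (found == 1)` are outside this hunk.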
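Review bot: In the `#ifndef BL2` branch of `attest_get_boot_data`, `len` is discarded with `(void)len;` and the header fields are then written through `ptr` with no check that the buffer exists or can hold a `struct shared_data_tlv_header`. Callers appear to be internal, but the check is cheap and keeps a short buffer from becoming an out-of-bounds write inside the secure partition: `if (ptr == NULL || len < sizeof(struct shared_data_tlv_header)) { return PSA_ATTEST_ERR_INIT_FAILED; }`, with the `(void)len;` line dropped. The cast from `void *` also assumes `ptr` is suitably aligned for the struct, which is worth stating in a comment on the function.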