Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 7784c4292cd9e369da612736deb0691153d1b786 / . / meta-arm / meta-arm-bsp / recipes-security / trusted-services / corstone1000 / 0010-Add-psa-ipc-attestation-to-se-proxy.patch
blob: 2d0725cb241d22268e6f01bd8f5132fe681a1c18 [file] [log] [blame]
Patrick Williams7784c422022-11-17 07:29:11 -0600[diff] [blame^]1From b142f3c162fb1c28982d26b5ac2181ba79197a28 Mon Sep 17 00:00:00 2001
Patrick Williams975a06f2022-10-21 14:42:47 -0500[diff] [blame]2From: Rui Miguel Silva <rui.silva@linaro.org>
3Date: Tue, 7 Dec 2021 11:50:00 +0000
Patrick Williams7784c422022-11-17 07:29:11 -0600[diff] [blame^]4Subject: [PATCH 10/20] Add psa ipc attestation to se proxy
Patrick Williams975a06f2022-10-21 14:42:47 -0500[diff] [blame]5
6Implement attestation client API as psa ipc and include it to
7se proxy deployment.
8
9Upstream-Status: Pending
10Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
11Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
12---
13 .../client/psa_ipc/component.cmake | 13 +++
14 .../client/psa_ipc/iat_ipc_client.c | 86 +++++++++++++++++++
15 .../reporter/psa_ipc/component.cmake | 13 +++
16 .../reporter/psa_ipc/psa_ipc_attest_report.c | 45 ++++++++++
17 components/service/common/include/psa/sid.h | 4 +
18 .../se-proxy/common/service_proxy_factory.c | 6 ++
Patrick Williams7784c422022-11-17 07:29:11 -0600[diff] [blame^]19 deployments/se-proxy/se-proxy.cmake | 7 +-
20 ...ble-using-hard-coded-attestation-key.patch | 29 -------
21 external/psa_arch_tests/psa_arch_tests.cmake | 4 -
22 9 files changed, 171 insertions(+), 36 deletions(-)
Patrick Williams975a06f2022-10-21 14:42:47 -0500[diff] [blame]23 create mode 100644 components/service/attestation/client/psa_ipc/component.cmake
24 create mode 100644 components/service/attestation/client/psa_ipc/iat_ipc_client.c
25 create mode 100644 components/service/attestation/reporter/psa_ipc/component.cmake
26 create mode 100644 components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
Patrick Williams7784c422022-11-17 07:29:11 -0600[diff] [blame^]27 delete mode 100644 external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch
Patrick Williams975a06f2022-10-21 14:42:47 -0500[diff] [blame]28
29diff --git a/components/service/attestation/client/psa_ipc/component.cmake b/components/service/attestation/client/psa_ipc/component.cmake
30new file mode 100644
31index 000000000000..a5bc6b4a387e
32--- /dev/null
33+++ b/components/service/attestation/client/psa_ipc/component.cmake
34@@ -0,0 +1,13 @@
35+#-------------------------------------------------------------------------------
36+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
37+#
38+# SPDX-License-Identifier: BSD-3-Clause
39+#
40+#-------------------------------------------------------------------------------
41+if (NOT DEFINED TGT)
42+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
43+endif()
44+
45+target_sources(${TGT} PRIVATE
46+ "${CMAKE_CURRENT_LIST_DIR}/iat_ipc_client.c"
47+ )
48diff --git a/components/service/attestation/client/psa_ipc/iat_ipc_client.c b/components/service/attestation/client/psa_ipc/iat_ipc_client.c
49new file mode 100644
50index 000000000000..30bd0a13a385
51--- /dev/null
52+++ b/components/service/attestation/client/psa_ipc/iat_ipc_client.c
53@@ -0,0 +1,86 @@
54+/*
55+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
56+ *
57+ * SPDX-License-Identifier: BSD-3-Clause
58+ */
59+
60+#include <stddef.h>
61+#include <string.h>
62+
63+#include "../psa/iat_client.h"
64+#include <protocols/rpc/common/packed-c/status.h>
65+#include <psa/initial_attestation.h>
66+#include <psa/client.h>
67+#include <psa/sid.h>
68+#include <service/common/client/service_client.h>
69+
70+/**
71+ * @brief The singleton psa_iat_client instance
72+ *
73+ * The psa attestation C API assumes a single backend service provider.
74+ */
75+static struct service_client instance;
76+
77+
78+psa_status_t psa_iat_client_init(struct rpc_caller *caller)
79+{
80+ return service_client_init(&instance, caller);
81+}
82+
83+void psa_iat_client_deinit(void)
84+{
85+ service_client_deinit(&instance);
86+}
87+
88+int psa_iat_client_rpc_status(void)
89+{
90+ return instance.rpc_status;
91+}
92+
93+psa_status_t psa_initial_attest_get_token(const uint8_t *auth_challenge,
94+ size_t challenge_size,
95+ uint8_t *token_buf,
96+ size_t token_buf_size,
97+ size_t *token_size)
98+{
99+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
100+ struct rpc_caller *caller = instance.caller;
101+ struct psa_invec in_vec[] = {
102+ { .base = psa_ptr_const_to_u32(auth_challenge), .len = challenge_size},
103+ };
104+ struct psa_outvec out_vec[] = {
105+ { .base = psa_ptr_to_u32(token_buf), .len = token_buf_size},
106+ };
107+
108+ if (!token_buf || !token_buf_size)
109+ return PSA_ERROR_INVALID_ARGUMENT;
110+
111+ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE,
112+ TFM_ATTEST_GET_TOKEN, in_vec, IOVEC_LEN(in_vec),
113+ out_vec, IOVEC_LEN(out_vec));
114+ if (status == PSA_SUCCESS) {
115+ *token_size = out_vec[0].len;
116+ }
117+
118+ return status;
119+}
120+
121+psa_status_t psa_initial_attest_get_token_size(size_t challenge_size,
122+ size_t *token_size)
123+{
124+ struct rpc_caller *caller = instance.caller;
125+ psa_status_t status;
126+ struct psa_invec in_vec[] = {
127+ { .base = psa_ptr_to_u32(&challenge_size), .len = sizeof(uint32_t)}
128+ };
129+ struct psa_outvec out_vec[] = {
130+ { .base = psa_ptr_to_u32(token_size), .len = sizeof(uint32_t)}
131+ };
132+
133+ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE,
134+ TFM_ATTEST_GET_TOKEN_SIZE,
135+ in_vec, IOVEC_LEN(in_vec),
136+ out_vec, IOVEC_LEN(out_vec));
137+
138+ return status;
139+}
140diff --git a/components/service/attestation/reporter/psa_ipc/component.cmake b/components/service/attestation/reporter/psa_ipc/component.cmake
141new file mode 100644
142index 000000000000..b37830c618fe
143--- /dev/null
144+++ b/components/service/attestation/reporter/psa_ipc/component.cmake
145@@ -0,0 +1,13 @@
146+#-------------------------------------------------------------------------------
147+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
148+#
149+# SPDX-License-Identifier: BSD-3-Clause
150+#
151+#-------------------------------------------------------------------------------
152+if (NOT DEFINED TGT)
153+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
154+endif()
155+
156+target_sources(${TGT} PRIVATE
157+ "${CMAKE_CURRENT_LIST_DIR}/psa_ipc_attest_report.c"
158+ )
159diff --git a/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
160new file mode 100644
161index 000000000000..15805e8ed4b1
162--- /dev/null
163+++ b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
164@@ -0,0 +1,45 @@
165+/*
166+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
167+ *
168+ * SPDX-License-Identifier: BSD-3-Clause
169+ */
170+
171+/**
172+ * A attestation reporter for psa ipc
173+ */
174+
175+#include <stddef.h>
176+#include <psa/error.h>
177+#include <service/attestation/reporter/attest_report.h>
178+#include <psa/initial_attestation.h>
179+
180+#define TOKEN_BUF_SIZE 1024
181+
182+static uint8_t token_buf[TOKEN_BUF_SIZE];
183+
184+int attest_report_create(int32_t client_id, const uint8_t *auth_challenge_data,
185+ size_t auth_challenge_len, const uint8_t **report,
186+ size_t *report_len)
187+{
188+ *report = token_buf;
189+ psa_status_t ret;
190+ size_t token_size = 0;
191+
192+ ret = psa_initial_attest_get_token(auth_challenge_data,
193+ auth_challenge_len, token_buf,
194+ TOKEN_BUF_SIZE, &token_size);
195+ if (ret != PSA_SUCCESS) {
196+ *report = NULL;
197+ *report_len = 0;
198+ return ret;
199+ }
200+
201+ *report_len = token_size;
202+
203+ return PSA_SUCCESS;
204+}
205+
206+void attest_report_destroy(const uint8_t *report)
207+{
208+ (void)report;
209+}
210diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h
211index aaa973c6e987..833f5039425f 100644
212--- a/components/service/common/include/psa/sid.h
213+++ b/components/service/common/include/psa/sid.h
214@@ -50,6 +50,10 @@ extern "C" {
215 #define TFM_ATTESTATION_SERVICE_VERSION (1U)
216 #define TFM_ATTESTATION_SERVICE_HANDLE (0x40000103U)
217
218+/* Initial Attestation message types that distinguish Attest services. */
219+#define TFM_ATTEST_GET_TOKEN 1001
220+#define TFM_ATTEST_GET_TOKEN_SIZE 1002
221+
222 /******** TFM_SP_FWU ********/
223 #define TFM_FWU_WRITE_SID (0x000000A0U)
224 #define TFM_FWU_WRITE_VERSION (1U)
225diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c
226index 57290056d614..4b8cceccbe4d 100644
227--- a/deployments/se-proxy/common/service_proxy_factory.c
228+++ b/deployments/se-proxy/common/service_proxy_factory.c
229@@ -23,12 +23,18 @@ struct openamp_caller openamp;
230 struct rpc_interface *attest_proxy_create(void)
231 {
232 struct rpc_interface *attest_iface;
233+ struct rpc_caller *attest_caller;
234
235 /* Static objects for proxy instance */
236 static struct attest_provider attest_provider;
237
238+ attest_caller = openamp_caller_init(&openamp);
239+ if (!attest_caller)
240+ return NULL;
241+
242 /* Initialize the service provider */
243 attest_iface = attest_provider_init(&attest_provider);
244+ psa_iat_client_init(&openamp.rpc_caller);
245
246 attest_provider_register_serializer(&attest_provider,
247 TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance());
248diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake
Patrick Williams7784c422022-11-17 07:29:11 -0600[diff] [blame^]249index cd51460406ca..3dbbc36c968d 100644
Patrick Williams975a06f2022-10-21 14:42:47 -0500[diff] [blame]250--- a/deployments/se-proxy/se-proxy.cmake
251+++ b/deployments/se-proxy/se-proxy.cmake
Patrick Williams7784c422022-11-17 07:29:11 -0600[diff] [blame^]252@@ -49,14 +49,15 @@ add_components(TARGET "se-proxy"
Patrick Williams975a06f2022-10-21 14:42:47 -0500[diff] [blame]253 "components/service/attestation/include"
254 "components/service/attestation/provider"
255 "components/service/attestation/provider/serializer/packed-c"
256+ "components/service/attestation/reporter/psa_ipc"
257+ "components/service/attestation/client/psa_ipc"
258 "components/rpc/openamp/caller/sp"
259
260 # Stub service provider backends
261 "components/rpc/dummy"
262 "components/rpc/common/caller"
263- "components/service/attestation/reporter/stub"
Patrick Williams7784c422022-11-17 07:29:11 -0600[diff] [blame^]264- "components/service/attestation/key_mngr/stub"
265- "components/service/crypto/backend/stub"
266+ "components/service/attestation/key_mngr/local"
267+ "components/service/crypto/backend/psa_ipc"
Patrick Williams975a06f2022-10-21 14:42:47 -0500[diff] [blame]268 "components/service/crypto/client/psa"
Patrick Williams7784c422022-11-17 07:29:11 -0600[diff] [blame^]269 "components/service/secure_storage/backend/mock_store"
270 )
271diff --git a/external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch b/external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch
272deleted file mode 100644
273index 6664961ab662..000000000000
274--- a/external/psa_arch_tests/0001-Disable-using-hard-coded-attestation-key.patch
275+++ /dev/null
276@@ -1,29 +0,0 @@
277-From dbd25f94eb62a9855bf342dd97503a49ea50f83e Mon Sep 17 00:00:00 2001
278-From: Gyorgy Szing <Gyorgy.Szing@arm.com>
279-Date: Tue, 8 Feb 2022 17:06:37 +0000
280-Subject: [PATCH 1/1] Disable using hard-coded attestation key
281-
282-Modify platform config to disable using a hard-coded attestation
283-key.
284-
285-Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>
286----
287- api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h | 2 +-
288- 1 file changed, 1 insertion(+), 1 deletion(-)
289-
290-diff --git a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h
291-index 6112ba7..1cdf581 100755
292---- a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h
293-+++ b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_config.h
294-@@ -60,7 +60,7 @@ typedef uint32_t cfg_id_t;
295- #define CRYPTO_VERSION_BETA3
296-
297- /* Use hardcoded public key */
298--#define PLATFORM_OVERRIDE_ATTEST_PK
299-+//#define PLATFORM_OVERRIDE_ATTEST_PK
300-
301- /*
302- * Include of PSA defined Header files
303---
304-2.17.1
305-
306diff --git a/external/psa_arch_tests/psa_arch_tests.cmake b/external/psa_arch_tests/psa_arch_tests.cmake
307index a8b77a1fc05e..1995df3e0b49 100644
308--- a/external/psa_arch_tests/psa_arch_tests.cmake
309+++ b/external/psa_arch_tests/psa_arch_tests.cmake
310@@ -15,10 +15,6 @@ set(GIT_OPTIONS
311 GIT_REPOSITORY ${PSA_ARCH_TESTS_URL}
312 GIT_TAG ${PSA_ARCH_TESTS_REFSPEC}
313 GIT_SHALLOW FALSE
314- PATCH_COMMAND git stash
315- COMMAND git tag -f ts-before-am
316- COMMAND git am ${CMAKE_CURRENT_LIST_DIR}/0001-Disable-using-hard-coded-attestation-key.patch
317- COMMAND git reset ts-before-am
318 )
319
320 # Ensure list of defines is separated correctly
Patrick Williams975a06f2022-10-21 14:42:47 -0500[diff] [blame]321--
Patrick Williams7784c422022-11-17 07:29:11 -0600[diff] [blame^]3222.38.1
Patrick Williams975a06f2022-10-21 14:42:47 -0500[diff] [blame]323