1From 259300dc81b95ff65cd2e95e0fecd140d76e4b5e Mon Sep 17 00:00:00 2001
2From: Rui Miguel Silva <rui.silva@linaro.org>
3Date: Tue, 7 Dec 2021 11:50:00 +0000
4Subject: [PATCH] Add psa ipc attestation to se proxy
5
6Implement attestation client API as psa ipc and include it to
7se proxy deployment.
8
9Signed-off-by: Rui Miguel Silva <rui.silva@arm.com>
10Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
11
12Upstream-Status: Pending [Not submitted to upstream yet]
13Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
14
15
16---
17 .../client/psa_ipc/component.cmake | 13 +++
18 .../client/psa_ipc/iat_ipc_client.c | 86 +++++++++++++++++++
19 .../reporter/psa_ipc/component.cmake | 13 +++
20 .../reporter/psa_ipc/psa_ipc_attest_report.c | 45 ++++++++++
21 components/service/common/include/psa/sid.h | 4 +
22 deployments/se-proxy/opteesp/CMakeLists.txt | 3 +-
23 .../se-proxy/opteesp/service_proxy_factory.c | 6 ++
24 7 files changed, 169 insertions(+), 1 deletion(-)
25 create mode 100644 components/service/attestation/client/psa_ipc/component.cmake
26 create mode 100644 components/service/attestation/client/psa_ipc/iat_ipc_client.c
27 create mode 100644 components/service/attestation/reporter/psa_ipc/component.cmake
28 create mode 100644 components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
29
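--- /dev/null
+++ b/components/service/attestation/client/psa_ipc/component.cmake
@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/iat_ipc_client.c"
+ )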
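--- /dev/null
+++ b/components/service/attestation/client/psa_ipc/iat_ipc_client.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stddef.h>
+#include <string.h>
+
+#include "../psa/iat_client.h"
+#include <protocols/rpc/common/packed-c/status.h>
+#include <psa/initial_attestation.h>
+#include <psa/client.h>
+#include <psa/sid.h>
+#include <service/common/client/service_client.h>
+
+/**
+ * @brief The singleton psa_iat_client instance
+ *
+ * The psa attestation C API assumes a single backend service provider.
+ */
+static struct service_client instance;
+
+
+psa_status_t psa_iat_client_init(struct rpc_caller *caller)
+{
+ return service_client_init(&instance, caller);
+}
+
+void psa_iat_client_deinit(void)
+{
+ service_client_deinit(&instance);
+}
+
+int psa_iat_client_rpc_status(void)
+{
+ return instance.rpc_status;
+}
+
+psa_status_t psa_initial_attest_get_token(const uint8_t *auth_challenge,
+ size_t challenge_size,
+ uint8_t *token_buf,
+ size_t token_buf_size,
+ size_t *token_size)
+{
+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+ struct rpc_caller *caller = instance.caller;
+ struct psa_invec in_vec[] = {
+ { .base = psa_ptr_const_to_u32(auth_challenge), .len = challenge_size},
+ };
+ struct psa_outvec out_vec[] = {
+ { .base = psa_ptr_to_u32(token_buf), .len = token_buf_size},
+ };
+
+ if (!token_buf || !token_buf_size)
+ return PSA_ERROR_INVALID_ARGUMENT;
+
+ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE,
+ TFM_ATTEST_GET_TOKEN, in_vec, IOVEC_LEN(in_vec),
+ out_vec, IOVEC_LEN(out_vec));
+ if (status == PSA_SUCCESS) {
+ *token_size = out_vec[0].len;
+ }
+
+ return status;
+}
+
+psa_status_t psa_initial_attest_get_token_size(size_t challenge_size,
+ size_t *token_size)
+{
+ struct rpc_caller *caller = instance.caller;
+ psa_status_t status;
+ struct psa_invec in_vec[] = {
+ { .base = psa_ptr_to_u32(&challenge_size), .len = sizeof(uint32_t)}
+ };
+ struct psa_outvec out_vec[] = {
+ { .base = psa_ptr_to_u32(token_size), .len = sizeof(uint32_t)}
+ };
+
+ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE,
+ TFM_ATTEST_GET_TOKEN_SIZE,
+ in_vec, IOVEC_LEN(in_vec),
+ out_vec, IOVEC_LEN(out_vec));
+
+ return status;
+}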
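Review bot: In `psa_initial_attest_get_token_size` both iovecs point at `size_t` objects but declare `.len = sizeof(uint32_t)`, so where `size_t` is 64 bits the service fills only four bytes of `*token_size` and the rest keeps whatever the caller had there, which can hand a wrong length to a caller that sizes a buffer from it. Marshal through `uint32_t` locals, reject a NULL `token_size` and a `challenge_size` above `UINT32_MAX`, and copy the result out only on `PSA_SUCCESS`, as sketched below; this assumes the 32-bit wire width that the `.len` values imply. Separately, `psa_initial_attest_get_token` checks `token_buf` but writes `*token_size` without a NULL check, and adding `|| !token_size` to its existing guard would cover that.

```c
psa_status_t psa_initial_attest_get_token_size(size_t challenge_size,
                                               size_t *token_size)
{
    struct rpc_caller *caller = instance.caller;
    psa_status_t status;
    uint32_t challenge_size_u32;
    uint32_t token_size_u32 = 0;

    if (!token_size || challenge_size > UINT32_MAX)
        return PSA_ERROR_INVALID_ARGUMENT;

    challenge_size_u32 = (uint32_t)challenge_size;

    struct psa_invec in_vec[] = {
        { .base = psa_ptr_to_u32(&challenge_size_u32), .len = sizeof(challenge_size_u32)}
    };
    struct psa_outvec out_vec[] = {
        { .base = psa_ptr_to_u32(&token_size_u32), .len = sizeof(token_size_u32)}
    };

    /* … unchanged: psa_call(caller, ..., TFM_ATTEST_GET_TOKEN_SIZE, ...) … */

    if (status == PSA_SUCCESS)
        *token_size = token_size_u32;

    return status;
}
```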
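--- /dev/null
+++ b/components/service/attestation/reporter/psa_ipc/component.cmake
@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/psa_ipc_attest_report.c"
+ )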
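--- /dev/null
+++ b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+/**
+ * A attestation reporter for psa ipc
+ */
+
+#include <stddef.h>
+#include <psa/error.h>
+#include <service/attestation/reporter/attest_report.h>
+#include <psa/initial_attestation.h>
+
+#define TOKEN_BUF_SIZE 1024
+
+static uint8_t token_buf[TOKEN_BUF_SIZE];
+
+int attest_report_create(int32_t client_id, const uint8_t *auth_challenge_data,
+ size_t auth_challenge_len, const uint8_t **report,
+ size_t *report_len)
+{
+ *report = token_buf;
+ psa_status_t ret;
+ size_t token_size = 0;
+
+ ret = psa_initial_attest_get_token(auth_challenge_data,
+ auth_challenge_len, token_buf,
+ TOKEN_BUF_SIZE, &token_size);
+ if (ret != PSA_SUCCESS) {
+ *report = NULL;
+ *report_len = 0;
+ return ret;
+ }
+
+ *report_len = token_size;
+
+ return PSA_SUCCESS;
+}
+
+void attest_report_destroy(const uint8_t *report)
+{
+ (void)report;
+}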
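Review bot: `attest_report_create` publishes `token_size` as `*report_len` without comparing it with `TOKEN_BUF_SIZE`, so the length handed to the caller is whatever the remote service reported; if the `psa_call` layer does not clamp it (not visible here), a later copy of the report could read past the 1024-byte static buffer. A guard after the success check closes that: `if (token_size > TOKEN_BUF_SIZE) { *report = NULL; *report_len = 0; return PSA_ERROR_GENERIC_ERROR; }`. The single file-scope `token_buf` combined with the no-op `attest_report_destroy` also means a second call overwrites a report that an earlier caller may still hold, so a comment stating that only one report can be live at a time would make that contract explicit. `client_id` is accepted but never used.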
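--- a/components/service/common/include/psa/sid.h
+++ b/components/service/common/include/psa/sid.h
@@ -50,6 +50,10 @@ extern "C" {
 #define TFM_ATTESTATION_SERVICE_VERSION (1U)
 #define TFM_ATTESTATION_SERVICE_HANDLE (0x40000103U)
 
+/* Initial Attestation message types that distinguish Attest services. */
+#define TFM_ATTEST_GET_TOKEN 1001
+#define TFM_ATTEST_GET_TOKEN_SIZE 1002
+
 /******** TFM_SP_FWU ********/
 #define TFM_FWU_WRITE_SID (0x000000A0U)
 #define TFM_FWU_WRITE_VERSION (1U)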
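--- a/deployments/se-proxy/opteesp/CMakeLists.txt
+++ b/deployments/se-proxy/opteesp/CMakeLists.txt
@@ -77,12 +77,13 @@ add_components(TARGET "se-proxy"
 "components/service/attestation/include"
 "components/service/attestation/provider"
 "components/service/attestation/provider/serializer/packed-c"
+ "components/service/attestation/reporter/psa_ipc"
+ "components/service/attestation/client/psa_ipc"
 "components/rpc/openamp/caller/sp"
 
 # Stub service provider backends
 "components/rpc/dummy"
 "components/rpc/common/caller"
- "components/service/attestation/reporter/stub"
 "components/service/attestation/key_mngr/stub"
 "components/service/crypto/backend/stub"
 "components/service/crypto/client/psa"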
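--- a/deployments/se-proxy/opteesp/service_proxy_factory.c
+++ b/deployments/se-proxy/opteesp/service_proxy_factory.c
@@ -23,12 +23,18 @@ struct openamp_caller openamp;
 struct rpc_interface *attest_proxy_create(void)
 {
 struct rpc_interface *attest_iface;
+ struct rpc_caller *attest_caller;
 
 /* Static objects for proxy instance */
 static struct attest_provider attest_provider;
 
+ attest_caller = openamp_caller_init(&openamp);
+ if (!attest_caller)
+ return NULL;
+
 /* Initialize the service provider */
 attest_iface = attest_provider_init(&attest_provider);
+ psa_iat_client_init(&openamp.rpc_caller);
 
 attest_provider_register_serializer(&attest_provider,
 TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance());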
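Review bot: The result of `psa_iat_client_init(&openamp.rpc_caller)` is discarded, so if client initialisation fails `attest_proxy_create` still returns an interface whose token requests would go out through a client that was never set up. Check the status and fail creation, e.g. `if (psa_iat_client_init(attest_caller) != PSA_SUCCESS) return NULL;`, which also puts to use the `attest_caller` pointer that is otherwise only NULL-checked (this assumes it refers to the same object as `&openamp.rpc_caller`). Whether `openamp_caller_init(&openamp)` is safe to call again from the other proxy constructors in this file is not visible in the hunk and is worth confirming. The function body continues past the end of the hunk.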