From: abdellatif.elkhlifi@arm.com
To: meta-arm@lists.yoctoproject.org, Ross.Burton@arm.com
Cc: nd@arm.com, Satish Kumar <satish.kumar01@arm.com>
Subject: [PATCH 3/9] arm-bsp/secure-partitions: corstone1000: Add psa ipc attestation to se proxy
Date: Tue, 14 Dec 2021 11:07:25 +0000 [thread overview]
Message-ID: <20211214110731.9081-4-abdellatif.elkhlifi@arm.com> (raw)
In-Reply-To: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com>
From: Satish Kumar <satish.kumar01@arm.com>
Implement attestation client API as psa ipc and include it to
se proxy deployment.
Change-Id: I0a1130d2013717c6499da5bb2cd6cd11a752bcce
Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
---
...-Add-psa-ipc-attestation-to-se-proxy.patch | 268 ++++++++++++++++++
.../trusted-services/ts-corstone1000.inc | 1 +
2 files changed, 269 insertions(+)
create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0021-Add-psa-ipc-attestation-to-se-proxy.patch
diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0021-Add-psa-ipc-attestation-to-se-proxy.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0021-Add-psa-ipc-attestation-to-se-proxy.patch
new file mode 100644
index 0000000..23b38da
--- /dev/null
+++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0021-Add-psa-ipc-attestation-to-se-proxy.patch
@@ -0,0 +1,268 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+
+From 20bab8442387480d77cf5d7c8271758acf9ed181 Mon Sep 17 00:00:00 2001
+From: Rui Miguel Silva <rui.silva@linaro.org>
+Date: Tue, 7 Dec 2021 11:50:00 +0000
+Subject: [PATCH 3/5] Add psa ipc attestation to se proxy
+
+Implement attestation client API as psa ipc and include it to
+se proxy deployment.
+
+Signed-off-by: Rui Miguel Silva <rui.silva@arm.com>
+Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
+---
+ .../client/psa_ipc/component.cmake | 13 +++
+ .../client/psa_ipc/iat_ipc_client.c | 86 +++++++++++++++++++
+ .../reporter/psa_ipc/component.cmake | 13 +++
+ .../reporter/psa_ipc/psa_ipc_attest_report.c | 45 ++++++++++
+ components/service/common/include/psa/sid.h | 4 +
+ deployments/se-proxy/opteesp/CMakeLists.txt | 3 +-
+ .../se-proxy/opteesp/service_proxy_factory.c | 6 ++
+ 7 files changed, 169 insertions(+), 1 deletion(-)
+ create mode 100644 components/service/attestation/client/psa_ipc/component.cmake
+ create mode 100644 components/service/attestation/client/psa_ipc/iat_ipc_client.c
+ create mode 100644 components/service/attestation/reporter/psa_ipc/component.cmake
+ create mode 100644 components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
+
+diff --git a/components/service/attestation/client/psa_ipc/component.cmake b/components/service/attestation/client/psa_ipc/component.cmake
+new file mode 100644
+index 0000000..a5bc6b4
+--- /dev/null
++++ b/components/service/attestation/client/psa_ipc/component.cmake
+@@ -0,0 +1,13 @@
++#-------------------------------------------------------------------------------
++# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++#
++# SPDX-License-Identifier: BSD-3-Clause
++#
++#-------------------------------------------------------------------------------
++if (NOT DEFINED TGT)
++ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
++endif()
++
++target_sources(${TGT} PRIVATE
++ "${CMAKE_CURRENT_LIST_DIR}/iat_ipc_client.c"
++ )
+diff --git a/components/service/attestation/client/psa_ipc/iat_ipc_client.c b/components/service/attestation/client/psa_ipc/iat_ipc_client.c
+new file mode 100644
+index 0000000..30bd0a1
+--- /dev/null
++++ b/components/service/attestation/client/psa_ipc/iat_ipc_client.c
+@@ -0,0 +1,86 @@
++/*
++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ */
++
++#include <stddef.h>
++#include <string.h>
++
++#include "../psa/iat_client.h"
++#include <protocols/rpc/common/packed-c/status.h>
++#include <psa/initial_attestation.h>
++#include <psa/client.h>
++#include <psa/sid.h>
++#include <service/common/client/service_client.h>
++
++/**
++ * @brief The singleton psa_iat_client instance
++ *
++ * The psa attestation C API assumes a single backend service provider.
++ */
++static struct service_client instance;
++
++
++psa_status_t psa_iat_client_init(struct rpc_caller *caller)
++{
++ return service_client_init(&instance, caller);
++}
++
++void psa_iat_client_deinit(void)
++{
++ service_client_deinit(&instance);
++}
++
++int psa_iat_client_rpc_status(void)
++{
++ return instance.rpc_status;
++}
++
++psa_status_t psa_initial_attest_get_token(const uint8_t *auth_challenge,
++ size_t challenge_size,
++ uint8_t *token_buf,
++ size_t token_buf_size,
++ size_t *token_size)
++{
++ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
++ struct rpc_caller *caller = instance.caller;
++ struct psa_invec in_vec[] = {
++ { .base = psa_ptr_const_to_u32(auth_challenge), .len = challenge_size},
++ };
++ struct psa_outvec out_vec[] = {
++ { .base = psa_ptr_to_u32(token_buf), .len = token_buf_size},
++ };
++
++ if (!token_buf || !token_buf_size)
++ return PSA_ERROR_INVALID_ARGUMENT;
++
++ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE,
++ TFM_ATTEST_GET_TOKEN, in_vec, IOVEC_LEN(in_vec),
++ out_vec, IOVEC_LEN(out_vec));
++ if (status == PSA_SUCCESS) {
++ *token_size = out_vec[0].len;
++ }
++
++ return status;
++}
++
++psa_status_t psa_initial_attest_get_token_size(size_t challenge_size,
++ size_t *token_size)
++{
++ struct rpc_caller *caller = instance.caller;
++ psa_status_t status;
++ struct psa_invec in_vec[] = {
++ { .base = psa_ptr_to_u32(&challenge_size), .len = sizeof(uint32_t)}
++ };
++ struct psa_outvec out_vec[] = {
++ { .base = psa_ptr_to_u32(token_size), .len = sizeof(uint32_t)}
++ };
++
++ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE,
++ TFM_ATTEST_GET_TOKEN_SIZE,
++ in_vec, IOVEC_LEN(in_vec),
++ out_vec, IOVEC_LEN(out_vec));
++
++ return status;
++}
+diff --git a/components/service/attestation/reporter/psa_ipc/component.cmake b/components/service/attestation/reporter/psa_ipc/component.cmake
+new file mode 100644
+index 0000000..b37830c
+--- /dev/null
++++ b/components/service/attestation/reporter/psa_ipc/component.cmake
+@@ -0,0 +1,13 @@
++#-------------------------------------------------------------------------------
++# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++#
++# SPDX-License-Identifier: BSD-3-Clause
++#
++#-------------------------------------------------------------------------------
++if (NOT DEFINED TGT)
++ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
++endif()
++
++target_sources(${TGT} PRIVATE
++ "${CMAKE_CURRENT_LIST_DIR}/psa_ipc_attest_report.c"
++ )
+diff --git a/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
+new file mode 100644
+index 0000000..15805e8
+--- /dev/null
++++ b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
+@@ -0,0 +1,45 @@
++/*
++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ */
++
++/**
++ * A attestation reporter for psa ipc
++ */
++
++#include <stddef.h>
++#include <psa/error.h>
++#include <service/attestation/reporter/attest_report.h>
++#include <psa/initial_attestation.h>
++
++#define TOKEN_BUF_SIZE 1024
++
++static uint8_t token_buf[TOKEN_BUF_SIZE];
++
++int attest_report_create(int32_t client_id, const uint8_t *auth_challenge_data,
++ size_t auth_challenge_len, const uint8_t **report,
++ size_t *report_len)
++{
++ *report = token_buf;
++ psa_status_t ret;
++ size_t token_size = 0;
++
++ ret = psa_initial_attest_get_token(auth_challenge_data,
++ auth_challenge_len, token_buf,
++ TOKEN_BUF_SIZE, &token_size);
++ if (ret != PSA_SUCCESS) {
++ *report = NULL;
++ *report_len = 0;
++ return ret;
++ }
++
++ *report_len = token_size;
++
++ return PSA_SUCCESS;
++}
++
++void attest_report_destroy(const uint8_t *report)
++{
++ (void)report;
++}
+diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h
+index aaa973c..833f503 100644
+--- a/components/service/common/include/psa/sid.h
++++ b/components/service/common/include/psa/sid.h
+@@ -50,6 +50,10 @@ extern "C" {
+ #define TFM_ATTESTATION_SERVICE_VERSION (1U)
+ #define TFM_ATTESTATION_SERVICE_HANDLE (0x40000103U)
+
++/* Initial Attestation message types that distinguish Attest services. */
++#define TFM_ATTEST_GET_TOKEN 1001
++#define TFM_ATTEST_GET_TOKEN_SIZE 1002
++
+ /******** TFM_SP_FWU ********/
+ #define TFM_FWU_WRITE_SID (0x000000A0U)
+ #define TFM_FWU_WRITE_VERSION (1U)
+diff --git a/deployments/se-proxy/opteesp/CMakeLists.txt b/deployments/se-proxy/opteesp/CMakeLists.txt
+index 663177b..af2225e 100644
+--- a/deployments/se-proxy/opteesp/CMakeLists.txt
++++ b/deployments/se-proxy/opteesp/CMakeLists.txt
+@@ -77,12 +77,13 @@ add_components(TARGET "se-proxy"
+ "components/service/attestation/include"
+ "components/service/attestation/provider"
+ "components/service/attestation/provider/serializer/packed-c"
++ "components/service/attestation/reporter/psa_ipc"
++ "components/service/attestation/client/psa_ipc"
+ "components/rpc/openamp/caller/sp"
+
+ # Stub service provider backends
+ "components/rpc/dummy"
+ "components/rpc/common/caller"
+- "components/service/attestation/reporter/stub"
+ "components/service/attestation/key_mngr/stub"
+ "components/service/crypto/backend/stub"
+ "components/service/crypto/client/psa"
+diff --git a/deployments/se-proxy/opteesp/service_proxy_factory.c b/deployments/se-proxy/opteesp/service_proxy_factory.c
+index 5729005..4b8ccec 100644
+--- a/deployments/se-proxy/opteesp/service_proxy_factory.c
++++ b/deployments/se-proxy/opteesp/service_proxy_factory.c
+@@ -23,12 +23,18 @@ struct openamp_caller openamp;
+ struct rpc_interface *attest_proxy_create(void)
+ {
+ struct rpc_interface *attest_iface;
++ struct rpc_caller *attest_caller;
+
+ /* Static objects for proxy instance */
+ static struct attest_provider attest_provider;
+
++ attest_caller = openamp_caller_init(&openamp);
++ if (!attest_caller)
++ return NULL;
++
+ /* Initialize the service provider */
+ attest_iface = attest_provider_init(&attest_provider);
++ psa_iat_client_init(&openamp.rpc_caller);
+
+ attest_provider_register_serializer(&attest_provider,
+ TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance());
+--
+2.17.1
+
diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc
index 6858986..4bfb6b7 100644
--- a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc
+++ b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc
@@ -31,6 +31,7 @@ SRC_URI:append = " \
file://0018-Support-FFARPC-call-requests-with-no-shared-buffer.patch \
file://0019-Run-psa-arch-test.patch \
file://0020-Use-address-instead-of-pointers.patch \
+ file://0021-Add-psa-ipc-attestation-to-se-proxy.patch \
"
SRC_URI_MBED = "git://github.com/ARMmbed/mbed-crypto.git;protocol=https;branch=development;name=mbed;destsuffix=git/mbedcrypto"
--
2.17.1
next prev parent reply other threads:[~2021-12-14 11:07 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-14 11:07 [PATCH 0/9] corstone1000: out of tree patches for secure partitions and psa-arch-tests abdellatif.elkhlifi
2021-12-14 11:07 ` [PATCH 1/9] arm-bsp/secure-partitions: fixes required to run psa-arch-test abdellatif.elkhlifi
2021-12-14 11:07 ` [PATCH 2/9] arm-bsp/secure-partitions: corstone1000: Use address instead of pointers abdellatif.elkhlifi
2021-12-14 11:07 ` abdellatif.elkhlifi [this message]
2021-12-14 11:07 ` [PATCH 4/9] arm-bsp/secure-partitions: corstone1000: Setup its backend abdellatif.elkhlifi
2021-12-14 11:07 ` [PATCH 5/9] arm-bsp/secure-partitions: corstone1000: add psa ipc crypto backend abdellatif.elkhlifi
2021-12-14 11:07 ` [PATCH 6/9] arm-bsp/trusted-firmware-m: corstone1000: Aligning with TF-M master abdellatif.elkhlifi
2021-12-14 11:07 ` [PATCH 7/9] arm-bsp/psa-arch-tests: corstone1000: configuring crypto and attestation test abdellatif.elkhlifi
2021-12-14 11:07 ` [PATCH 8/9] arm-bsp/secure-partitions: corstone1000: Increase SMM Gateway variable handling capacity abdellatif.elkhlifi
2021-12-14 11:07 ` [PATCH 9/9] arm-bsp/secure-partitions: add capsule update interface to SE proxy SP abdellatif.elkhlifi
2021-12-14 18:58 ` [PATCH 0/9] corstone1000: out of tree patches for secure partitions and psa-arch-tests Jon Mason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211214110731.9081-4-abdellatif.elkhlifi@arm.com \
--to=abdellatif.elkhlifi@arm.com \
--cc=Ross.Burton@arm.com \
--cc=meta-arm@lists.yoctoproject.org \
--cc=nd@arm.com \
--cc=satish.kumar01@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.