arm-bsp/secure-partitions: corstone1000: Add psa ipc attestation to se proxy

Implement attestation client API as psa ipc and include it to se proxy deployment. Change-Id: I0a1130d2013717c6499da5bb2cd6cd11a752bcce Signed-off-by: Satish Kumar <satish.kumar01@arm.com> Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-06-04 14:10:01 +00:00 · 2021-12-14 11:07:25 +00:00
parent 70256f1e77
commit 90fd7da98b
2 changed files with 269 additions and 0 deletions
@@ -0,0 +1,268 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+
+From 20bab8442387480d77cf5d7c8271758acf9ed181 Mon Sep 17 00:00:00 2001
+From: Rui Miguel Silva <rui.silva@linaro.org>
+Date: Tue, 7 Dec 2021 11:50:00 +0000
+Subject: [PATCH 3/5] Add psa ipc attestation to se proxy
+
+Implement attestation client API as psa ipc and include it to
+se proxy deployment.
+
+Signed-off-by: Rui Miguel Silva <rui.silva@arm.com>
+Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
+---
+ .../client/psa_ipc/component.cmake            | 13 +++
+ .../client/psa_ipc/iat_ipc_client.c           | 86 +++++++++++++++++++
+ .../reporter/psa_ipc/component.cmake          | 13 +++
+ .../reporter/psa_ipc/psa_ipc_attest_report.c  | 45 ++++++++++
+ components/service/common/include/psa/sid.h   |  4 +
+ deployments/se-proxy/opteesp/CMakeLists.txt   |  3 +-
+ .../se-proxy/opteesp/service_proxy_factory.c  |  6 ++
+ 7 files changed, 169 insertions(+), 1 deletion(-)
+ create mode 100644 components/service/attestation/client/psa_ipc/component.cmake
+ create mode 100644 components/service/attestation/client/psa_ipc/iat_ipc_client.c
+ create mode 100644 components/service/attestation/reporter/psa_ipc/component.cmake
+ create mode 100644 components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
+
+diff --git a/components/service/attestation/client/psa_ipc/component.cmake b/components/service/attestation/client/psa_ipc/component.cmake
+new file mode 100644
+index 0000000..a5bc6b4
+--- /dev/null
+++ b/components/service/attestation/client/psa_ipc/component.cmake
+@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+	message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+	"${CMAKE_CURRENT_LIST_DIR}/iat_ipc_client.c"
+	)
+diff --git a/components/service/attestation/client/psa_ipc/iat_ipc_client.c b/components/service/attestation/client/psa_ipc/iat_ipc_client.c
+new file mode 100644
+index 0000000..30bd0a1
+--- /dev/null
+++ b/components/service/attestation/client/psa_ipc/iat_ipc_client.c
+@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stddef.h>
+#include <string.h>
+
+#include "../psa/iat_client.h"
+#include <protocols/rpc/common/packed-c/status.h>
+#include <psa/initial_attestation.h>
+#include <psa/client.h>
+#include <psa/sid.h>
+#include <service/common/client/service_client.h>
+
+/**
+ * @brief      The singleton psa_iat_client instance
+ *
+ * The psa attestation C API assumes a single backend service provider.
+ */
+static struct service_client instance;
+
+
+psa_status_t psa_iat_client_init(struct rpc_caller *caller)
+{
+	return service_client_init(&instance, caller);
+}
+
+void psa_iat_client_deinit(void)
+{
+	service_client_deinit(&instance);
+}
+
+int psa_iat_client_rpc_status(void)
+{
+	return instance.rpc_status;
+}
+
+psa_status_t psa_initial_attest_get_token(const uint8_t *auth_challenge,
+					  size_t challenge_size,
+					  uint8_t *token_buf,
+					  size_t token_buf_size,
+					  size_t *token_size)
+{
+	psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+	struct rpc_caller *caller = instance.caller;
+	struct psa_invec in_vec[] = {
+		{ .base = psa_ptr_const_to_u32(auth_challenge), .len = challenge_size},
+	};
+	struct psa_outvec out_vec[] = {
+		{ .base = psa_ptr_to_u32(token_buf), .len = token_buf_size},
+	};
+
+	if (!token_buf || !token_buf_size)
+		return PSA_ERROR_INVALID_ARGUMENT;
+
+	status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE,
+			  TFM_ATTEST_GET_TOKEN, in_vec, IOVEC_LEN(in_vec),
+			  out_vec, IOVEC_LEN(out_vec));
+	if (status == PSA_SUCCESS) {
+		*token_size = out_vec[0].len;
+	}
+
+	return status;
+}
+
+psa_status_t psa_initial_attest_get_token_size(size_t challenge_size,
+						size_t *token_size)
+{
+	struct rpc_caller *caller = instance.caller;
+	psa_status_t status;
+	struct psa_invec in_vec[] = {
+		{ .base = psa_ptr_to_u32(&challenge_size), .len = sizeof(uint32_t)}
+	};
+	struct psa_outvec out_vec[] = {
+		{ .base = psa_ptr_to_u32(token_size), .len = sizeof(uint32_t)}
+	};
+
+	status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE,
+			  TFM_ATTEST_GET_TOKEN_SIZE,
+			  in_vec, IOVEC_LEN(in_vec),
+			  out_vec, IOVEC_LEN(out_vec));
+
+	return status;
+}
+diff --git a/components/service/attestation/reporter/psa_ipc/component.cmake b/components/service/attestation/reporter/psa_ipc/component.cmake
+new file mode 100644
+index 0000000..b37830c
+--- /dev/null
+++ b/components/service/attestation/reporter/psa_ipc/component.cmake
+@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+	message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+	"${CMAKE_CURRENT_LIST_DIR}/psa_ipc_attest_report.c"
+	)
+diff --git a/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
+new file mode 100644
+index 0000000..15805e8
+--- /dev/null
+++ b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
+@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+/**
+ * A attestation reporter for psa ipc
+ */
+
+#include <stddef.h>
+#include <psa/error.h>
+#include <service/attestation/reporter/attest_report.h>
+#include <psa/initial_attestation.h>
+
+#define TOKEN_BUF_SIZE	1024
+
+static uint8_t token_buf[TOKEN_BUF_SIZE];
+
+int attest_report_create(int32_t client_id, const uint8_t *auth_challenge_data,
+			 size_t auth_challenge_len, const uint8_t **report,
+			 size_t *report_len)
+{
+	*report = token_buf;
+	psa_status_t ret;
+	size_t token_size = 0;
+
+	ret = psa_initial_attest_get_token(auth_challenge_data,
+					   auth_challenge_len, token_buf,
+					   TOKEN_BUF_SIZE, &token_size);
+	if (ret != PSA_SUCCESS) {
+		*report = NULL;
+		*report_len = 0;
+		return ret;
+	}
+
+	*report_len = token_size;
+
+	return PSA_SUCCESS;
+}
+
+void attest_report_destroy(const uint8_t *report)
+{
+	(void)report;
+}
+diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h
+index aaa973c..833f503 100644
+--- a/components/service/common/include/psa/sid.h
+++ b/components/service/common/include/psa/sid.h
+@@ -50,6 +50,10 @@ extern "C" {
+ #define TFM_ATTESTATION_SERVICE_VERSION                            (1U)
+ #define TFM_ATTESTATION_SERVICE_HANDLE                             (0x40000103U)
+ 
+/* Initial Attestation message types that distinguish Attest services. */
+#define TFM_ATTEST_GET_TOKEN       1001
+#define TFM_ATTEST_GET_TOKEN_SIZE  1002
+
+ /******** TFM_SP_FWU ********/
+ #define TFM_FWU_WRITE_SID                                          (0x000000A0U)
+ #define TFM_FWU_WRITE_VERSION                                      (1U)
+diff --git a/deployments/se-proxy/opteesp/CMakeLists.txt b/deployments/se-proxy/opteesp/CMakeLists.txt
+index 663177b..af2225e 100644
+--- a/deployments/se-proxy/opteesp/CMakeLists.txt
+++ b/deployments/se-proxy/opteesp/CMakeLists.txt
+@@ -77,12 +77,13 @@ add_components(TARGET "se-proxy"
+ 		"components/service/attestation/include"
+ 		"components/service/attestation/provider"
+ 		"components/service/attestation/provider/serializer/packed-c"
+		"components/service/attestation/reporter/psa_ipc"
+		"components/service/attestation/client/psa_ipc"
+ 		"components/rpc/openamp/caller/sp"
+ 
+ 		# Stub service provider backends
+ 		"components/rpc/dummy"
+ 		"components/rpc/common/caller"
+-		"components/service/attestation/reporter/stub"
+ 		"components/service/attestation/key_mngr/stub"
+ 		"components/service/crypto/backend/stub"
+ 		"components/service/crypto/client/psa"
+diff --git a/deployments/se-proxy/opteesp/service_proxy_factory.c b/deployments/se-proxy/opteesp/service_proxy_factory.c
+index 5729005..4b8ccec 100644
+--- a/deployments/se-proxy/opteesp/service_proxy_factory.c
+++ b/deployments/se-proxy/opteesp/service_proxy_factory.c
+@@ -23,12 +23,18 @@ struct openamp_caller openamp;
+ struct rpc_interface *attest_proxy_create(void)
+ {
+ 	struct rpc_interface *attest_iface;
+	struct rpc_caller *attest_caller;
+ 
+ 	/* Static objects for proxy instance */
+ 	static struct attest_provider attest_provider;
+ 
+	attest_caller = openamp_caller_init(&openamp);
+	if (!attest_caller)
+		return NULL;
+
+ 	/* Initialize the service provider */
+ 	attest_iface = attest_provider_init(&attest_provider);
+	psa_iat_client_init(&openamp.rpc_caller);
+ 
+ 	attest_provider_register_serializer(&attest_provider,
+ 		TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance());
+-- 
+2.17.1
+
@@ -31,6 +31,7 @@ SRC_URI:append = " \
                  file://0018-Support-FFARPC-call-requests-with-no-shared-buffer.patch \
                  file://0019-Run-psa-arch-test.patch \
                  file://0020-Use-address-instead-of-pointers.patch \
+                  file://0021-Add-psa-ipc-attestation-to-se-proxy.patch \
                  "

 SRC_URI_MBED = "git://github.com/ARMmbed/mbed-crypto.git;protocol=https;branch=development;name=mbed;destsuffix=git/mbedcrypto"