arm-bsp/secure-partitions: add secure storage ipc backend

Add secure storage ipc ff-m implementation which may use openamp as rpc to communicate with other processor. Change-Id: I6707f3b0654fb255cacef930d9314662b106273c Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com> Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-06-04 14:10:01 +00:00 · 2021-12-09 19:19:34 +00:00
parent 31f5df490d
commit d411433a11
2 changed files with 515 additions and 0 deletions
@@ -0,0 +1,514 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com>
+
+From ee503eec06c928344a72faaca70ad0d448ff8175 Mon Sep 17 00:00:00 2001
+From: Vishnu Banavath <vishnu.banavath@arm.com>
+Date: Fri, 3 Dec 2021 19:19:24 +0000
+Subject: [PATCH] Add secure storage ipc backend
+
+Add secure storage ipc ff-m implementation which may use
+openamp as rpc to communicate with other processor.
+
+Signed-off-by: Rui Miguel Silva <rui.silva@arm.com>
+
+diff --git a/components/service/common/psa_ipc/service_psa_ipc.c b/components/service/common/psa_ipc/service_psa_ipc.c
+index e8093c2..95a07c1 100644
+--- a/components/service/common/psa_ipc/service_psa_ipc.c
+++ b/components/service/common/psa_ipc/service_psa_ipc.c
+@@ -16,6 +16,52 @@
+ #include <psa/client.h>
+ #include "service_psa_ipc_openamp_lib.h"
+ 
+static struct psa_invec *psa_call_in_vec_param(uint8_t *req)
+{
+	return (struct psa_invec *)(req + sizeof(struct ns_openamp_msg));
+}
+
+static struct psa_outvec *psa_call_out_vec_param(uint8_t *req, size_t in_len)
+{
+	return (struct psa_outvec *)(req + sizeof(struct ns_openamp_msg) +
+				     (in_len * sizeof(struct psa_invec)));
+}
+
+static size_t psa_call_header_len(const struct psa_invec *in_vec, size_t in_len,
+				  struct psa_outvec *out_vec, size_t out_len)
+{
+	return sizeof(struct ns_openamp_msg) + (in_len * sizeof(*in_vec)) +
+		(out_len * sizeof(*out_vec));
+}
+
+static size_t psa_call_in_vec_len(const struct psa_invec *in_vec, size_t in_len)
+{
+	size_t req_len = 0;
+	int i;
+
+	if (!in_vec || !in_len)
+		return 0;
+
+	for (i = 0; i < in_len; i++)
+		req_len += in_vec[i].len;
+
+	return req_len;
+}
+
+static size_t psa_call_out_vec_len(const struct psa_outvec *out_vec, size_t out_len)
+{
+	size_t resp_len = 0;
+	int i;
+
+	if (!out_vec || !out_len)
+		return 0;
+
+	for (i = 0; i < out_len; i++)
+		resp_len += out_vec[i].len;
+
+	return resp_len;
+}
+
+ psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid,
+ 			 uint32_t version)
+ {
+@@ -31,7 +77,7 @@ psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid,
+ 	rpc_handle = rpc_caller_begin(caller, &req,
+ 				      sizeof(struct ns_openamp_msg));
+ 	if (!rpc_handle) {
+-		EMSG("psa_connect: could not get handle");
+		EMSG("psa_connect: could not get rpc handle");
+ 		return PSA_ERROR_GENERIC_ERROR;
+ 	}
+ 
+@@ -56,14 +102,100 @@ psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid,
+ 	return resp_msg ? (psa_handle_t)resp_msg->reply : PSA_NULL_HANDLE;
+ }
+ 
+-psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t handle,
+psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle,
+ 		      int32_t type, const struct psa_invec *in_vec,
+ 		      size_t in_len, struct psa_outvec *out_vec, size_t out_len)
+ {
+	psa_status_t psa_status = PSA_SUCCESS;
+	struct s_openamp_msg *resp_msg = NULL;
+	struct psa_outvec *out_vec_param;
+	struct psa_invec *in_vec_param;
+	struct ns_openamp_msg *req_msg;
+	rpc_call_handle rpc_handle;
+	size_t out_vec_len;
+	size_t in_vec_len;
+	size_t header_len;
+	uint8_t *payload;
+	size_t resp_len;
+	uint8_t *resp;
+	uint8_t *req;
+	int ret;
+	int i;
+
+	if ((psa_handle == PSA_NULL_HANDLE) || !caller)
+		return PSA_ERROR_INVALID_ARGUMENT;
+
+	header_len = psa_call_header_len(in_vec, in_len, out_vec, out_len);
+	in_vec_len = psa_call_in_vec_len(in_vec, in_len);
+	out_vec_len = psa_call_out_vec_len(out_vec, out_len);
+ 
+	rpc_handle = rpc_caller_begin(caller, &req, header_len + in_vec_len);
+	if (!rpc_handle) {
+		EMSG("psa_call: could not get handle");
+		return PSA_ERROR_GENERIC_ERROR;
+	}
+
+	payload = req + header_len;
+
+	out_vec_param = psa_call_out_vec_param(req, in_len);
+	in_vec_param = psa_call_in_vec_param(req);
+
+	req_msg = (struct ns_openamp_msg *)req;
+
+	req_msg->call_type = OPENAMP_PSA_CALL;
+	req_msg->request_id = 1234;
+	req_msg->params.psa_call_params.handle = psa_handle;
+	req_msg->params.psa_call_params.type = type;
+	req_msg->params.psa_call_params.in_len = in_len;
+	req_msg->params.psa_call_params.in_vec = rpc_caller_virt_to_phys(caller, in_vec_param);
+	req_msg->params.psa_call_params.out_len = out_len;
+	req_msg->params.psa_call_params.out_vec = rpc_caller_virt_to_phys(caller, out_vec_param);
+
+	for (i = 0; i < in_len; i++) {
+		in_vec_param[i].base = rpc_caller_virt_to_phys(caller, payload);
+		in_vec_param[i].len = in_vec[i].len;
+
+		memcpy(payload, in_vec[i].base, in_vec[i].len);
+		payload += in_vec[i].len;
+	}
+
+	for (i = 0; i < out_len; i++) {
+		out_vec_param[i].base = NULL;
+		out_vec_param[i].len = out_vec[i].len;
+	}
+
+	ret = rpc_caller_invoke(caller, rpc_handle, 0, &psa_status, &resp,
+				&resp_len);
+	if (ret != TS_RPC_CALL_ACCEPTED) {
+		EMSG("psa_call: invoke failed: %d", ret);
+		return PSA_ERROR_GENERIC_ERROR;
+	}
+
+	if (psa_status != PSA_SUCCESS) {
+		EMSG("psa_call: psa_status invoke failed: %d", psa_status);
+		return PSA_ERROR_GENERIC_ERROR;
+	}
+
+	resp_msg = (struct s_openamp_msg *)resp;
+
+	if (!resp_msg || !out_len || resp_msg->reply != PSA_SUCCESS)
+		goto caller_end;
+
+	out_vec_param = (struct psa_outvec *)rpc_caller_phys_to_virt(caller,
+						     resp_msg->params.out_vec);
+
+	for (i = 0; i < resp_msg->params.out_len; i++) {
+		memcpy(out_vec[i].base, rpc_caller_phys_to_virt(caller, out_vec_param[i].base),
+		       out_vec[i].len);
+	}
+
+caller_end:
+	rpc_caller_end(caller, rpc_handle);
+
+	return resp_msg ? resp_msg->reply : PSA_ERROR_COMMUNICATION_FAILURE;
+ }
+ 
+-void psa_close(struct rpc_caller *caller, psa_handle_t handle)
+void psa_close(struct rpc_caller *caller, psa_handle_t psa_handle)
+ {
+ 	psa_status_t psa_status = PSA_SUCCESS;
+ 	struct s_openamp_msg *resp_msg = NULL;
+@@ -74,6 +206,9 @@ void psa_close(struct rpc_caller *caller, psa_handle_t handle)
+ 	uint8_t *req;
+ 	int ret;
+ 
+	if ((psa_handle == PSA_NULL_HANDLE) || !caller)
+		return;
+
+ 	rpc_handle = rpc_caller_begin(caller, &req,
+ 				      sizeof(struct ns_openamp_msg));
+ 	if (!rpc_handle) {
+@@ -84,7 +219,7 @@ void psa_close(struct rpc_caller *caller, psa_handle_t handle)
+ 	req_msg = (struct ns_openamp_msg *)req;
+ 
+ 	req_msg->call_type = OPENAMP_PSA_CLOSE;
+-	req_msg->params.psa_close_params.handle = handle;
+	req_msg->params.psa_close_params.handle = psa_handle;
+ 
+ 	ret = rpc_caller_invoke(caller, rpc_handle, 0, &psa_status, &resp,
+ 				&resp_len);
+diff --git a/components/service/secure_storage/backend/secure_storage_ipc/component.cmake b/components/service/secure_storage/backend/secure_storage_ipc/component.cmake
+new file mode 100644
+index 0000000..5d8f671
+--- /dev/null
+++ b/components/service/secure_storage/backend/secure_storage_ipc/component.cmake
+@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+	message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+	"${CMAKE_CURRENT_LIST_DIR}/secure_storage_ipc.c"
+	)
+
+diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c
+new file mode 100644
+index 0000000..9b55f77
+--- /dev/null
+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c
+@@ -0,0 +1,214 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <protocols/rpc/common/packed-c/status.h>
+#include "secure_storage_ipc.h"
+#include <psa/client.h>
+#include <psa/sid.h>
+#include <rpc_caller.h>
+#include <string.h>
+#include <trace.h>
+
+
+static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id,
+			 psa_storage_uid_t uid, size_t data_length,
+			 const void *p_data, psa_storage_create_flags_t create_flags)
+{
+	struct secure_storage_ipc *ipc = context;
+	struct rpc_caller *caller = ipc->client.caller;
+	psa_handle_t psa_handle;
+	psa_status_t psa_status;
+	struct psa_invec in_vec[] = {
+		{ .base = &uid, .len = sizeof(uid) },
+		{ .base = p_data, .len = data_length },
+		{ .base = &create_flags, .len = sizeof(create_flags) },
+	};
+
+	(void)client_id;
+
+	ipc->client.rpc_status = TS_RPC_CALL_ACCEPTED;
+
+	/* Validating input parameters */
+	if (p_data == NULL)
+		return PSA_ERROR_INVALID_ARGUMENT;
+
+	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+			      TFM_PS_SET, in_vec, IOVEC_LEN(in_vec), NULL, 0);
+	if (psa_status < 0)
+		EMSG("ipc_set: psa_call failed: %d", psa_status);
+
+	return psa_status;
+}
+
+static psa_status_t secure_storage_ipc_get(void *context,
+					   uint32_t client_id,
+					   psa_storage_uid_t uid,
+					   size_t data_offset,
+					   size_t data_size,
+					   void *p_data,
+					   size_t *p_data_length)
+{
+	struct secure_storage_ipc *ipc = context;
+	struct rpc_caller *caller = ipc->client.caller;
+	psa_handle_t psa_handle;
+	psa_status_t psa_status;
+	uint32_t offset = (uint32_t)data_offset;
+	struct psa_invec in_vec[] = {
+		{ .base = &uid, .len = sizeof(uid) },
+		{ .base = &offset, .len = sizeof(offset) },
+	};
+	struct psa_outvec out_vec[] = {
+		{ .base = p_data, .len = data_size },
+	};
+
+	if (!p_data_length) {
+		EMSG("ipc_get: p_data_length not defined");
+		return PSA_ERROR_INVALID_ARGUMENT;
+	}
+
+	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+			      TFM_PS_GET, in_vec, IOVEC_LEN(in_vec),
+			      out_vec, IOVEC_LEN(out_vec));
+	if (psa_status == PSA_SUCCESS)
+		*p_data_length = out_vec[0].len;
+
+	return psa_status;
+}
+
+static psa_status_t secure_storage_ipc_get_info(void *context,
+						uint32_t client_id,
+						psa_storage_uid_t uid,
+						struct psa_storage_info_t *p_info)
+{
+	struct secure_storage_ipc *ipc = context;
+	struct rpc_caller *caller = ipc->client.caller;
+	psa_handle_t psa_handle;
+	psa_status_t psa_status;
+	struct psa_invec in_vec[] = {
+		{ .base = &uid, .len = sizeof(uid) },
+	};
+	struct psa_outvec out_vec[] = {
+		{ .base = p_info, .len = sizeof(*p_info) },
+	};
+
+	(void)client_id;
+
+	/* Validating input parameters */
+	if (!p_info)
+		return PSA_ERROR_INVALID_ARGUMENT;
+
+	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+			      TFM_PS_GET_INFO, in_vec,
+			      IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
+	if (psa_status != PSA_SUCCESS)
+		EMSG("ipc_get_info: failed to psa_call: %d", psa_status);
+
+	return psa_status;
+}
+
+static psa_status_t secure_storage_ipc_remove(void *context,
+						uint32_t client_id,
+						psa_storage_uid_t uid)
+{
+	struct secure_storage_ipc *ipc = context;
+	struct rpc_caller *caller = ipc->client.caller;
+	psa_handle_t psa_handle;
+	psa_status_t psa_status;
+	struct psa_invec in_vec[] = {
+		{ .base = &uid, .len = sizeof(uid) },
+	};
+
+	(void)client_id;
+
+	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+			      TFM_PS_REMOVE, in_vec,
+			      IOVEC_LEN(in_vec), NULL, 0);
+	if (psa_status != PSA_SUCCESS)
+		EMSG("ipc_remove: failed to psa_call: %d", psa_status);
+
+	return psa_status;
+}
+
+static psa_status_t secure_storage_ipc_create(void *context,
+					      uint32_t client_id,
+					      uint64_t uid,
+					      size_t capacity,
+					      uint32_t create_flags)
+{
+	(void)context;
+	(void)uid;
+	(void)client_id;
+	(void)capacity;
+	(void)create_flags;
+
+	return PSA_ERROR_NOT_SUPPORTED;
+}
+
+static psa_status_t secure_storage_set_extended(void *context,
+						uint32_t client_id,
+						uint64_t uid,
+						size_t data_offset,
+						size_t data_length,
+						const void *p_data)
+{
+	(void)context;
+	(void)uid;
+	(void)client_id;
+	(void)data_offset;
+	(void)data_length;
+	(void)p_data;
+
+	return PSA_ERROR_NOT_SUPPORTED;
+}
+
+static uint32_t secure_storage_get_support(void *context, uint32_t client_id)
+{
+	struct secure_storage_ipc *ipc = context;
+	struct rpc_caller *caller = ipc->client.caller;
+	psa_handle_t psa_handle;
+	psa_status_t psa_status;
+	uint32_t support_flags;
+	struct psa_outvec out_vec[] = {
+		{ .base = &support_flags, .len =  sizeof(support_flags) },
+	};
+
+	(void)client_id;
+
+	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+			      TFM_PS_GET_SUPPORT, NULL, 0,
+			      out_vec, IOVEC_LEN(out_vec));
+	if (psa_status != PSA_SUCCESS)
+		EMSG("ipc_get_support: failed to psa_call: %d", psa_status);
+
+	return psa_status;
+}
+
+struct storage_backend *secure_storage_ipc_init(struct secure_storage_ipc *context,
+						struct rpc_caller *caller)
+{
+	service_client_init(&context->client, caller);
+
+	static const struct storage_backend_interface interface =
+	{
+		.set = secure_storage_ipc_set,
+		.get = secure_storage_ipc_get,
+		.get_info = secure_storage_ipc_get_info,
+		.remove = secure_storage_ipc_remove,
+		.create = secure_storage_ipc_create,
+		.set_extended = secure_storage_set_extended,
+		.get_support = secure_storage_get_support,
+	};
+
+	context->backend.context = context;
+	context->backend.interface = &interface;
+
+	return &context->backend;
+}
+
+void secure_storage_ipc_deinit(struct secure_storage_ipc *context)
+{
+	service_client_deinit(&context->client);
+}
+diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h
+new file mode 100644
+index 0000000..e8c1e8f
+--- /dev/null
+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h
+@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef SECURE_STORAGE_IPC_H
+#define SECURE_STORAGE_IPC_H
+
+#include <service/secure_storage/backend/storage_backend.h>
+#include <service/common/client/service_client.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * @brief      Secure storage ipc instance
+ */
+struct secure_storage_ipc
+{
+    struct storage_backend backend;
+    struct service_client client;
+};
+
+/**
+ * @brief      Initialize a secure storage ipc client
+ *
+ * A secure storage client is a storage backend that makes RPC calls
+ * to a remote secure storage provider.
+ *
+ * @param[in]  context    Instance data
+ * @param[in]  rpc_caller RPC caller instance
+ *
+ *
+ * @return     Pointer to inialized storage backend or NULL on failure
+ */
+struct storage_backend *secure_storage_ipc_init(struct secure_storage_ipc *context,
+						struct rpc_caller *caller);
+
+/**
+ * @brief      Deinitialize a secure storage ipc client
+ *
+ * @param[in]  context   Instance data
+ */
+void secure_storage_ipc_deinit(struct secure_storage_ipc *context);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECURE_STORAGE_IPC_H */
+diff --git a/deployments/se-proxy/opteesp/CMakeLists.txt b/deployments/se-proxy/opteesp/CMakeLists.txt
+index 3b5dd1d..87fdd58 100644
+--- a/deployments/se-proxy/opteesp/CMakeLists.txt
+++ b/deployments/se-proxy/opteesp/CMakeLists.txt
+@@ -70,6 +70,7 @@ add_components(TARGET "se-proxy"
+ 		"components/service/crypto/factory/full"
+ 		"components/service/secure_storage/include"
+ 		"components/service/secure_storage/frontend/secure_storage_provider"
+		"components/service/secure_storage/backend/secure_storage_ipc"
+ 		"components/service/attestation/include"
+ 		"components/service/attestation/provider"
+ 		"components/service/attestation/provider/serializer/packed-c"
+-- 
+2.17.1
+
@@ -22,6 +22,7 @@ SRC_URI:append = " \
                  file://0009-Add-openamp-rpc-caller.patch \
                  file://0010-add-psa-client-definitions-for-ff-m.patch \
                  file://0011-Add-common-service-component-to-ipc-support.patch \
+                  file://0012-Add-secure-storage-ipc-backend.patch \
                  "

 SRCREV_ts = "882a2db4f9181fc6ddb505b82262f82e5a0c2fd5"