feat(rss): set the signer-ID in the RSS metadata
Calculate a hash of the public key and put that into the signer-ID
field of the relevant RSS metadata. The signer-ID metadata is mandatory
in the Arm CCA attestation scheme.
Change-Id: Ic846d8bf882cfea8581d3523a3461c919462df30
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
diff --git a/drivers/measured_boot/rss/rss_measured_boot.c b/drivers/measured_boot/rss/rss_measured_boot.c
index 1b2f177..258aa8d 100644
--- a/drivers/measured_boot/rss/rss_measured_boot.c
+++ b/drivers/measured_boot/rss/rss_measured_boot.c
@@ -32,6 +32,19 @@
# error Invalid Measured Boot algorithm.
#endif /* MBOOT_ALG_ID */
+#if ENABLE_ASSERTIONS
+static bool null_arr(const uint8_t *signer_id, size_t signer_id_size)
+{
+ for (size_t i = 0U; i < signer_id_size; i++) {
+ if (signer_id[i] != 0U) {
+ return false;
+ }
+ }
+
+ return true;
+}
+#endif /* ENABLE_ASSERTIONS */
+
/* Functions' declarations */
void rss_measured_boot_init(struct rss_mboot_metadata *metadata_ptr)
{
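Review bot: The new helper `null_arr` has no comment, and its generic name does not match its signer-specific parameter names (`signer_id`, `signer_id_size`). A one-line header would settle what it is for, for example `/* Return true if all signer_id_size bytes at signer_id are zero; used only inside assert(). */`. That comment also explains why the definition sits under `#if ENABLE_ASSERTIONS`. Renaming the parameters to `buf` and `len`, or the function to something like `signer_id_is_unset`, would make the name and the signature agree.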
@@ -39,6 +52,7 @@
/* Init the non-const members of the metadata structure */
while (metadata_ptr->id != RSS_MBOOT_INVALID_ID) {
+ assert(null_arr(metadata_ptr->signer_id, MBOOT_DIGEST_SIZE));
metadata_ptr->sw_type_size =
strlen((const char *)&metadata_ptr->sw_type) + 1;
metadata_ptr++;
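Review bot: The all-zero requirement on `signer_id` is enforced only by the added `assert`, and the helper it calls is compiled only under `ENABLE_ASSERTIONS`, so a build without assertions presumably accepts whatever the platform table contains. Because `rss_mboot_set_signer_id` returns 0 when no entry matches, a stale non-zero initialiser would then be indistinguishable from a computed key hash in the measurement metadata. At minimum the requirement should be stated where platforms will see it, e.g. `/* signer_id must be zero-initialised by the platform; it is filled in later by rss_mboot_set_signer_id(). */` above the loop. If the init order allows it, clearing the field and `signer_id_size` here would make the invariant hold in every build. The body of rss_measured_boot_init starts and ends outside this hunk.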
@@ -93,36 +107,53 @@
}
int rss_mboot_set_signer_id(struct rss_mboot_metadata *metadata_ptr,
- unsigned int img_id,
+ const void *pk_oid,
const void *pk_ptr,
size_t pk_len)
{
unsigned char hash_data[CRYPTO_MD_MAX_SIZE];
int rc;
+ bool hash_calc_done = false;
assert(metadata_ptr != NULL);
- /* Get the metadata associated with this image. */
- while ((metadata_ptr->id != RSS_MBOOT_INVALID_ID) &&
- (metadata_ptr->id != img_id)) {
- metadata_ptr++;
- }
+ /*
+ * Do an exhaustive search over the platform metadata to find
+ * all images whose key OID matches the one passed in argument.
+ *
+ * Note that it is not an error if do not get any matches.
+ * The platform may decide not to measure all of the images
+ * in the system.
+ */
+ while (metadata_ptr->id != RSS_MBOOT_INVALID_ID) {
+ /* Get the metadata associated with this key-oid */
+ if (metadata_ptr->pk_oid == pk_oid) {
+ if (!hash_calc_done) {
+ /* Calculate public key hash */
+ rc = crypto_mod_calc_hash(CRYPTO_MD_ID,
+ (void *)pk_ptr,
+ pk_len, hash_data);
+ if (rc != 0) {
+ return rc;
+ }
- /* If image is not present in metadata array then skip */
- if (metadata_ptr->id == RSS_MBOOT_INVALID_ID) {
- return 0;
- }
+ hash_calc_done = true;
+ }
- /* Calculate public key hash */
- rc = crypto_mod_calc_hash(CRYPTO_MD_ID, (void *)pk_ptr,
- pk_len, hash_data);
- if (rc != 0) {
- return rc;
- }
+ /*
+ * Fill the signer-ID field with the newly/already
+ * computed hash of the public key and update its
+ * signer ID size field with compile-time decided
+ * digest size.
+ */
+ (void)memcpy(metadata_ptr->signer_id,
+ hash_data,
+ MBOOT_DIGEST_SIZE);
+ metadata_ptr->signer_id_size = MBOOT_DIGEST_SIZE;
+ }
- /* Update metadata struct with the received signer_id */
- (void)memcpy(metadata_ptr->signer_id, hash_data, MBOOT_DIGEST_SIZE);
- metadata_ptr->signer_id_size = MBOOT_DIGEST_SIZE;
+ metadata_ptr++;
+ }
return 0;
}
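Review bot: The match `metadata_ptr->pk_oid == pk_oid` compares addresses rather than OID contents, so a caller passing an equal OID held in a different buffer matches nothing; the function still returns 0 and the signer-ID stays all-zero in the metadata used for attestation. If the OIDs are NUL-terminated strings (their type is not visible in this hunk), compare by value and skip entries without a key: `if ((metadata_ptr->pk_oid != NULL) && (strcmp(metadata_ptr->pk_oid, pk_oid) == 0)) {`, with `assert(pk_oid != NULL);` next to the existing assert. Otherwise the function comment should state that callers must pass the very pointer stored in the platform table. Separately, `memcpy` copies `MBOOT_DIGEST_SIZE` bytes from `hash_data`, which is uninitialised and filled according to `CRYPTO_MD_ID`. Nothing visible here ties those two sizes together, so a compile-time check that `MBOOT_DIGEST_SIZE` does not exceed the produced digest length would keep stray stack bytes out of the signer-ID.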