feat(dice): add cert_id argument to dpe_derive_context()
This custom argument is meant to simplify to group
components into certificates. Components with
the same cert_id contribute to the same certificate
regardless of the load order or the structure of the
derivation tree. This argument aims to flatten the tree
structure and make it easy to include branches or
subtrees in the main derivation line.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I83c4abc399616063a5eb04792d603899f7513627
diff --git a/drivers/measured_boot/rss/dice_prot_env.c b/drivers/measured_boot/rss/dice_prot_env.c
index 3d55ace..81a21d1 100644
--- a/drivers/measured_boot/rss/dice_prot_env.c
+++ b/drivers/measured_boot/rss/dice_prot_env.c
@@ -110,6 +110,7 @@
VERBOSE("Calling dpe_derive_context, image_id: %d\n", metadata->id);
ret = dpe_derive_context(current_context_handle,
+ metadata->cert_id,
metadata->retain_parent_context,
metadata->allow_new_context_to_derive,
metadata->create_certificate,
diff --git a/include/drivers/measured_boot/rss/dice_prot_env.h b/include/drivers/measured_boot/rss/dice_prot_env.h
index b7fcf36..6f754f5 100644
--- a/include/drivers/measured_boot/rss/dice_prot_env.h
+++ b/include/drivers/measured_boot/rss/dice_prot_env.h
@@ -17,6 +17,7 @@
struct dpe_metadata {
unsigned int id;
+ uint32_t cert_id;
uint8_t signer_id[SIGNER_ID_MAX_SIZE];
size_t signer_id_size;
uint8_t version[VERSION_MAX_SIZE];
diff --git a/include/lib/psa/dice_protection_environment.h b/include/lib/psa/dice_protection_environment.h
index ddf9aa7..61b6482 100644
--- a/include/lib/psa/dice_protection_environment.h
+++ b/include/lib/psa/dice_protection_environment.h
@@ -41,6 +41,8 @@
*
* \param[in] context_handle Input context handle for the DPE
* context.
+ * \param[in] cert_id Logical certificate id to which derived
+ * context belongs to.
* \param[in] retain_parent_context Flag to indicate whether to retain the
* parent context. True only if a client
* will call further DPE commands on the
@@ -77,6 +79,7 @@
* \return Returns error code of type dpe_error_t
*/
dpe_error_t dpe_derive_context(int context_handle,
+ uint32_t cert_id,
bool retain_parent_context,
bool allow_new_context_to_derive,
bool create_certificate,
diff --git a/lib/psa/dice_protection_environment.c b/lib/psa/dice_protection_environment.c
index b33ae7a..44a5848 100644
--- a/lib/psa/dice_protection_environment.c
+++ b/lib/psa/dice_protection_environment.c
@@ -58,6 +58,8 @@
DPE_DERIVE_CONTEXT_RETURN_CERTIFICATE = 9,
DPE_DERIVE_CONTEXT_ALLOW_NEW_CONTEXT_TO_EXPORT = 10,
DPE_DERIVE_CONTEXT_EXPORT_CDI = 11,
+ /* enum values 256 and onwards are reserved for custom arguments */
+ DPE_DERIVE_CONTEXT_CERT_ID = 256,
};
enum dpe_derive_context_output_labels_t {
@@ -70,6 +72,7 @@
struct derive_context_input_t {
int context_handle;
+ uint32_t cert_id;
bool retain_parent_context;
bool allow_new_context_to_derive;
bool create_certificate;
@@ -154,6 +157,9 @@
DPE_DERIVE_CONTEXT_CONTEXT_HANDLE,
(UsefulBufC) { &args->context_handle,
sizeof(args->context_handle) });
+ QCBOREncode_AddUInt64ToMapN(&encode_ctx,
+ DPE_DERIVE_CONTEXT_CERT_ID,
+ args->cert_id);
QCBOREncode_AddBoolToMapN(&encode_ctx,
DPE_DERIVE_CONTEXT_RETAIN_PARENT_CONTEXT,
args->retain_parent_context);
@@ -263,6 +269,7 @@
}
dpe_error_t dpe_derive_context(int context_handle,
+ uint32_t cert_id,
bool retain_parent_context,
bool allow_new_context_to_derive,
bool create_certificate,
@@ -288,6 +295,7 @@
const struct derive_context_input_t in_args = {
context_handle,
+ cert_id,
retain_parent_context,
allow_new_context_to_derive,
create_certificate,