Merge changes from topics "rotpk_rss_interface", "rss_interfaces" into integration
* changes:
refactor(tc): print RSS interface test PSA status
test(tc): test for AP/RSS interface for ROTPK
feat(psa): interface with RSS for retrieving ROTPK
diff --git a/include/lib/psa/psa_manifest/sid.h b/include/lib/psa/psa_manifest/sid.h
index be78bae..7183112 100644
--- a/include/lib/psa/psa_manifest/sid.h
+++ b/include/lib/psa/psa_manifest/sid.h
@@ -8,6 +8,9 @@
#ifndef PSA_MANIFEST_SID_H
#define PSA_MANIFEST_SID_H
+/******** RSS_SP_CRYPTO ********/
+#define RSS_CRYPTO_HANDLE (0x40000100U)
+
/******** RSS_SP_PLATFORM ********/
#define RSS_PLATFORM_SERVICE_HANDLE (0x40000105U)
diff --git a/include/lib/psa/rss_crypto_defs.h b/include/lib/psa/rss_crypto_defs.h
new file mode 100644
index 0000000..b8c7426
--- /dev/null
+++ b/include/lib/psa/rss_crypto_defs.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2023, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#ifndef RSS_CRYPTO_DEFS_H
+#define RSS_CRYPTO_DEFS_H
+
+/* Declares types that encode errors, algorithms, key types, policies, etc. */
+#include "psa/crypto_types.h"
+
+/*
+ * Value identifying export public key function API, used to dispatch the request
+ * to the corresponding API implementation in the Crypto service backend.
+ *
+ */
+#define RSS_CRYPTO_EXPORT_PUBLIC_KEY_SID (uint16_t)(0x701)
+
+/*
+ * The persistent key identifiers for RSS builtin keys.
+ */
+enum rss_key_id_builtin_t {
+ RSS_BUILTIN_KEY_ID_HOST_S_ROTPK = 0x7FFF816Cu,
+ RSS_BUILTIN_KEY_ID_HOST_NS_ROTPK,
+ RSS_BUILTIN_KEY_ID_HOST_CCA_ROTPK,
+};
+
+/*
+ * This type is used to overcome a limitation within RSS firmware in the number of maximum
+ * IOVECs it can use especially in psa_aead_encrypt and psa_aead_decrypt.
+ */
+#define RSS_CRYPTO_MAX_NONCE_LENGTH (16u)
+struct rss_crypto_aead_pack_input {
+ uint8_t nonce[RSS_CRYPTO_MAX_NONCE_LENGTH];
+ uint32_t nonce_length;
+};
+
+/*
+ * Structure used to pack non-pointer types in a call
+ */
+struct rss_crypto_pack_iovec {
+ psa_key_id_t key_id; /* Key id */
+ psa_algorithm_t alg; /* Algorithm */
+ uint32_t op_handle; /* Frontend context handle associated
+ to a multipart operation */
+ uint32_t capacity; /* Key derivation capacity */
+ uint32_t ad_length; /* Additional Data length for multipart AEAD */
+ uint32_t plaintext_length; /* Plaintext length for multipart AEAD */
+ struct rss_crypto_aead_pack_input aead_in; /* Packs AEAD-related inputs */
+ uint16_t function_id; /* Used to identify the function in the API dispatcher
+ to the service backend. See rss_crypto_func_sid for
+ detail */
+ uint16_t step; /* Key derivation step */
+};
+
+#endif /* RSS_CRYPTO_DEFS_H */
diff --git a/include/lib/psa/rss_platform_api.h b/include/lib/psa/rss_platform_api.h
index 1dd7d05..8f74a51 100644
--- a/include/lib/psa/rss_platform_api.h
+++ b/include/lib/psa/rss_platform_api.h
@@ -11,6 +11,7 @@
#include <stdint.h>
#include "psa/error.h"
+#include <rss_crypto_defs.h>
#define RSS_PLATFORM_API_ID_NV_READ (1010)
#define RSS_PLATFORM_API_ID_NV_INCREMENT (1011)
@@ -41,4 +42,19 @@
rss_platform_nv_counter_read(uint32_t counter_id,
uint32_t size, uint8_t *val);
+/*
+ * Reads the public key or the public part of a key pair in binary format.
+ *
+ * key Identifier of the key to export.
+ * data Buffer where the key data is to be written.
+ * data_size Size of the data buffer in bytes.
+ * data_length On success, the number of bytes that make up the key data.
+ *
+ * PSA_SUCCESS if the value is read correctly. Otherwise,
+ * it returns a PSA_ERROR.
+ */
+psa_status_t
+rss_platform_key_read(enum rss_key_id_builtin_t key, uint8_t *data,
+ size_t data_size, size_t *data_length);
+
#endif /* RSS_PLATFORM_API_H */
diff --git a/lib/psa/rss_platform.c b/lib/psa/rss_platform.c
index 359f894..7d90bfc 100644
--- a/lib/psa/rss_platform.c
+++ b/lib/psa/rss_platform.c
@@ -5,10 +5,9 @@
*
*/
-#include <stdint.h>
-
#include <psa/client.h>
#include <psa_manifest/sid.h>
+#include <rss_crypto_defs.h>
#include <rss_platform_api.h>
psa_status_t
@@ -41,3 +40,30 @@
RSS_PLATFORM_API_ID_NV_READ,
in_vec, 1, out_vec, 1);
}
+
+psa_status_t
+rss_platform_key_read(enum rss_key_id_builtin_t key, uint8_t *data,
+ size_t data_size, size_t *data_length)
+{
+ psa_status_t status;
+
+ struct rss_crypto_pack_iovec iov = {
+ .function_id = RSS_CRYPTO_EXPORT_PUBLIC_KEY_SID,
+ .key_id = key,
+ };
+
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct rss_crypto_pack_iovec)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = data, .len = data_size}
+ };
+
+ status = psa_call(RSS_CRYPTO_HANDLE, PSA_IPC_CALL,
+ in_vec, IOVEC_LEN(in_vec),
+ out_vec, IOVEC_LEN(out_vec));
+
+ *data_length = out_vec[0].len;
+
+ return status;
+}
diff --git a/plat/arm/board/tc/include/tc_plat.h b/plat/arm/board/tc/include/tc_plat.h
index 117fbb4..a6b2b0d 100644
--- a/plat/arm/board/tc/include/tc_plat.h
+++ b/plat/arm/board/tc/include/tc_plat.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2021-2023, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -7,6 +7,10 @@
#ifndef TC_PLAT_H
#define TC_PLAT_H
+#ifdef PLATFORM_TEST_ROTPK
+#include <rss_crypto_defs.h>
+#endif
+
void tc_bl31_common_platform_setup(void);
#ifdef PLATFORM_TEST_TFM_TESTSUITE
@@ -17,4 +21,13 @@
int nv_counter_test(void);
#endif
+#ifdef PLATFORM_TEST_ROTPK
+struct key_id_info {
+ enum rss_key_id_builtin_t key_id;
+ const char *key_id_name;
+};
+
+int rotpk_test(void);
+#endif
+
#endif /* TC_PLAT_H */
diff --git a/plat/arm/board/tc/nv_counter_test.c b/plat/arm/board/tc/nv_counter_test.c
index f9e001e..179ec4b 100644
--- a/plat/arm/board/tc/nv_counter_test.c
+++ b/plat/arm/board/tc/nv_counter_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2023, ARM Limited. All rights reserved.
+ * Copyright (c) 2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -22,29 +22,29 @@
status = rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE, PLAT_RSS_AP_RCV_MHU_BASE);
if (status != PSA_SUCCESS) {
- printf("Failed to initialize RSS communication channel\n");
+ printf("Failed to initialize RSS communication channel - psa_status = %d\n", status);
return -1;
}
for (id = 0; id < 3; id++) {
status = rss_platform_nv_counter_read(id, sizeof(old_val), (uint8_t *)&old_val);
if (status != PSA_SUCCESS) {
- printf("Failed during first id=(%d) rss_platform_nv_counter_read\n",
- id);
+ printf("Failed during first id=(%d) rss_platform_nv_counter_read - psa_status = %d\n",
+ id, status);
return -1;
}
status = rss_platform_nv_counter_increment(id);
if (status != PSA_SUCCESS) {
- printf("Failed during id=(%d) rss_platform_nv_counter_increment\n",
- id);
+ printf("Failed during id=(%d) rss_platform_nv_counter_increment - psa_status = %d\n",
+ id, status);
return -1;
}
status = rss_platform_nv_counter_read(id, sizeof(new_val), (uint8_t *)&new_val);
if (status != PSA_SUCCESS) {
- printf("Failed during second id=(%d) rss_platform_nv_counter_read\n",
- id);
+ printf("Failed during second id=(%d) rss_platform_nv_counter_read - psa_status = %d\n",
+ id, status);
return -1;
}
diff --git a/plat/arm/board/tc/platform.mk b/plat/arm/board/tc/platform.mk
index 5a1d83a..c3a5a2f 100644
--- a/plat/arm/board/tc/platform.mk
+++ b/plat/arm/board/tc/platform.mk
@@ -205,6 +205,20 @@
PLAT_INCLUDES += -Iinclude/lib/psa
$(eval $(call add_define,PLATFORM_TEST_NV_COUNTERS))
+ else ifeq (${PLATFORM_TEST},rss-rotpk)
+ include drivers/arm/rss/rss_comms.mk
+
+ # Test code.
+ BL31_SOURCES += plat/arm/board/tc/rotpk_test.c
+
+ # Code under testing.
+ BL31_SOURCES += lib/psa/rss_platform.c \
+ drivers/arm/rss/rss_comms.c \
+ ${RSS_COMMS_SOURCES}
+
+ PLAT_INCLUDES += -Iinclude/lib/psa
+
+ $(eval $(call add_define,PLATFORM_TEST_ROTPK))
else ifeq (${PLATFORM_TEST},tfm-testsuite)
# Add this include as first, before arm_common.mk. This is necessary
# because arm_common.mk builds Mbed TLS, and platform_test.mk can
diff --git a/plat/arm/board/tc/rotpk_test.c b/plat/arm/board/tc/rotpk_test.c
new file mode 100644
index 0000000..ed56c31
--- /dev/null
+++ b/plat/arm/board/tc/rotpk_test.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2023, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdint.h>
+#include <stdio.h>
+
+#include <drivers/arm/rss_comms.h>
+#include <plat/common/platform.h>
+#include <rss_platform_api.h>
+#include <tc_plat.h>
+
+static void print_hex(const char *key_id_name, size_t key_size, const uint8_t *key_buf)
+{
+ printf("%s = ", key_id_name);
+ for (int i = 0; i < key_size; i++) {
+ printf("%02x", key_buf[i]);
+ }
+ printf("\n\n");
+}
+
+int rotpk_test(void)
+{
+ psa_status_t status;
+ uint8_t key_buf[128];
+ size_t key_size;
+
+ struct key_id_info key_ids[3] = {
+ {.key_id = RSS_BUILTIN_KEY_ID_HOST_S_ROTPK, .key_id_name = "Secure-ROTPK"},
+ {.key_id = RSS_BUILTIN_KEY_ID_HOST_NS_ROTPK, .key_id_name = "NS-ROTPK"},
+ {.key_id = RSS_BUILTIN_KEY_ID_HOST_CCA_ROTPK, .key_id_name = "CCA-ROTPK"}
+ };
+
+ status = rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE, PLAT_RSS_AP_RCV_MHU_BASE);
+ if (status != PSA_SUCCESS) {
+ printf("Failed to initialize RSS communication channel - psa_status = %d\n", status);
+ return -1;
+ }
+
+ for (int i = 0; i < ARRAY_SIZE(key_ids); i++) {
+ status = rss_platform_key_read(key_ids[i].key_id, key_buf,
+ sizeof(key_buf), &key_size);
+ if (status != PSA_SUCCESS) {
+ printf("Failed to retrieve %s - psa_status = %d\n", key_ids[i].key_id_name, status);
+ return -1;
+ }
+ print_hex(key_ids[i].key_id_name, key_size, key_buf);
+ }
+
+ printf("Passed rotpk_test\n");
+
+ return 0;
+}
diff --git a/plat/arm/board/tc/tc_bl31_setup.c b/plat/arm/board/tc/tc_bl31_setup.c
index ca3a032..9ffd5c4 100644
--- a/plat/arm/board/tc/tc_bl31_setup.c
+++ b/plat/arm/board/tc/tc_bl31_setup.c
@@ -59,6 +59,8 @@
#ifdef PLATFORM_TEST_NV_COUNTERS
tests_failed = nv_counter_test();
+#elif PLATFORM_TEST_ROTPK
+ tests_failed = rotpk_test();
#elif PLATFORM_TEST_TFM_TESTSUITE
tests_failed = run_platform_tests();
#endif