diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 00000000..ec640303 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,7 @@ + +[submodule "secure-debug/psa-adac"] + path = secure-debug/psa-adac + url = https://git.trustedfirmware.org/shared/psa-adac.git +[submodule "secure-debug/external/mbedtls"] + path = secure-debug/external/mbedtls + url = https://github.com/Mbed-TLS/mbedtls.git diff --git a/README.md b/README.md index 8af8eff3..db45d688 100755 --- a/README.md +++ b/README.md @@ -13,12 +13,12 @@ For more information, visit the [PSA webpage](https://developer.arm.com/products API specifications are placed in [PSA API github site](https://github.com/ARM-software/psa-api/). ### PSA Certified API Compliance -The [PSA Certified API tests](api-tests/dev_apis) are the basis for validating compliance with PSA Certified APIs. For more information on the certification program, see [psacertified.org](https://www.psacertified.org/functional-api-certification/) +The [PSA Certified API tests](api-tests/dev_apis) are the basis for validating compliance with PSA Certified APIs. For more information on the certification program, see [psacertified.org](https://www.psacertified.org/functional-api-certification/) ## GitHub branch - For API certification, use the release branch and pick the appropriate release tag. - To get the latest version of the code with bug fixes and new features, use the master branch. - + ## Architecture test suite The current implementation of the Architecture test suite contains tests for following PSA Certified specifications. Arm licensees may contact their partner manager to obtain a copy of this specification.
@@ -46,7 +46,7 @@ Arm PSA test suite is distributed under Apache v2.0 License. - For feedback, use the GitHub Issue Tracker that is associated with this repository. - For support, send an email to support-psa-arch-tests@arm.com with details. - Arm licensees can contact Arm directly through their partner managers. - - Arm welcomes code contributions through GitHub pull requests. + - Arm welcomes code contributions through GitHub pull requests. -------------- diff --git a/api-tests/dev_apis/crypto/common/test_crypto_common.c b/api-tests/dev_apis/crypto/common/test_crypto_common.c index ed6fc9d9..3a0cfe0a 100644 --- a/api-tests/dev_apis/crypto/common/test_crypto_common.c +++ b/api-tests/dev_apis/crypto/common/test_crypto_common.c @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2020-2022, Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2020-2023, Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/api-tests/docs/Arm_PSA-M_Functional_API_Test_Suite_Validation_Methodology.pdf b/api-tests/docs/Arm_PSA-M_Functional_API_Test_Suite_Validation_Methodology.pdf index 6b45bfa5..987a6282 100644 Binary files a/api-tests/docs/Arm_PSA-M_Functional_API_Test_Suite_Validation_Methodology.pdf and b/api-tests/docs/Arm_PSA-M_Functional_API_Test_Suite_Validation_Methodology.pdf differ diff --git a/secure-debug/CMakeLists.txt b/secure-debug/CMakeLists.txt index d8e3c5cb..70635af7 100644 --- a/secure-debug/CMakeLists.txt +++ b/secure-debug/CMakeLists.txt 
@@ -1,18 +1,19 @@ -#/** @file -# * Copyright (c) 2021-2022, Arm Limited or its affiliates. All rights reserved. -# * SPDX-License-Identifier : Apache-2.0 -# * -# * Licensed under the Apache License, Version 2.0 (the "License"); -# * you may not use this file except in compliance with the License. -# * You may obtain a copy of the License at -# * -# * http://www.apache.org/licenses/LICENSE-2.0 -# * -# * Unless required by applicable law or agreed to in writing, software -# * distributed under the License is distributed on an "AS IS" BASIS, -# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# * See the License for the specific language governing permissions and -# * limitations under the License. +# @file +# Copyright (c) 2021-2023, Arm Limited or its affiliates. All rights reserved. +# SPDX-License-Identifier : Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# # Set the minimum required version of CMake for the project cmake_minimum_required(VERSION 3.10) @@ -39,6 +40,11 @@ if (NOT EXISTS ${DEPENDS_INC_PATH}) Message(FATAL_ERROR "Link layer ${LINK_LAYER_COMM} not supported for target ${TARGET}.") endif() +set(PSA_ADAC_MBEDTLS_INCLUDE ${PSA_ROOT_DIR}/external/mbedtls/include) +if (NOT EXISTS ${PSA_ADAC_MBEDTLS_INCLUDE}) + Message(FATAL_ERROR "Does not exist: ${PSA_ADAC_MBEDTLS_INCLUDE}") +endif() + if(NOT DEFINED PSA_ADAC_ROOT) get_filename_component(PSA_ADAC_ROOT ${CMAKE_SOURCE_DIR}/psa-adac ABSOLUTE) endif() 
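Review bot: The new mbedtls include check in the second hunk expands its path unquoted and builds it from `${PSA_ROOT_DIR}`, which is not set anywhere in the visible lines, while the `PSA_ADAC_ROOT` default just below it uses `${CMAKE_SOURCE_DIR}`. If `PSA_ROOT_DIR` is empty, the test probes `/external/mbedtls/include` instead of the submodule. Quote the expansion, `if (NOT EXISTS "${PSA_ADAC_MBEDTLS_INCLUDE}")`, and confirm that `PSA_ROOT_DIR` is defined before this point (the rest of the file is outside the hunk). The most likely cause of a failure is an uninitialised submodule, so the message could say so: `"mbedtls headers not found at ${PSA_ADAC_MBEDTLS_INCLUDE}; run git submodule update --init"`.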
@@ -49,10 +55,10 @@ include_directories ( ${DEPENDS_INC_PATH} ${CMAKE_BINARY_DIR} ${PSA_ADAC_ROOT}/psa-adac/core/include - ${PSA_ADAC_ROOT}/ports/include + ${PSA_ADAC_MBEDTLS_INCLUDE} ) -set(MBEDTLS_CONFIG_FILE "${PSA_ADAC_ROOT}/ports/crypto/manager-crypto-config.h") +set(MBEDTLS_CONFIG_FILE "${CMAKE_SOURCE_DIR}/crypto/manager-crypto-config.h") add_compile_options(-DMBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}") if (UNIX) add_compile_options(-fPIC -fpic) @@ -64,7 +70,7 @@ endif () # Generate ADAC LIB add_subdirectory(${PSA_ADAC_ROOT}/psa-adac/core adac_core) add_subdirectory(${PSA_ADAC_ROOT}/psa-adac/sdm adac_sdm) -add_subdirectory(${PSA_ADAC_ROOT}/ports/crypto/psa-crypto psa_adac_psa_crypto) +add_subdirectory(${CMAKE_SOURCE_DIR}/crypto/psa-crypto psa_adac_psa_crypto) set(ADAC_LIBS psa_adac_sdm psa_adac_core psa_adac_psa_crypto mbedcrypto) diff --git a/secure-debug/README.md b/secure-debug/README.md index 2cbc8bb1..980fdb69 100644 --- a/secure-debug/README.md +++ b/secure-debug/README.md @@ -5,7 +5,7 @@ ### ADAC Specification -The [ADAC specification](https://developer.arm.com/documentation/den0101/0001) defines the protocol that allows a target to securely authenticate a debug host. The specification targets software-only layers that are above the physical debug link. +The [ADAC specification](https://developer.arm.com/documentation/den0101/1) defines the protocol that allows a target to securely authenticate a debug host. The specification targets software-only layers that are above the physical debug link. ### ADAC test suite @@ -17,10 +17,10 @@ The ADAC test suite checks if a device-side implementation conforms to the behav - And the corresponding abstraction layers are available with an Apache v2.0 license allowing for external contribution. ## Release details - - Release Version - 0.8 - - Code Quality: Beta
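Review bot: Both paths introduced here, `${CMAKE_SOURCE_DIR}/crypto/manager-crypto-config.h` and `${CMAKE_SOURCE_DIR}/crypto/psa-crypto` in the following hunk, resolve against the top of the whole build, so they break when secure-debug is configured from a parent project; `${CMAKE_CURRENT_SOURCE_DIR}` is the stable spelling in this file. The config header decides which mbedtls algorithms are compiled in, so a missing file should fail at configure time rather than at the first compile. An `if (NOT EXISTS "${MBEDTLS_CONFIG_FILE}")` guard with a `FATAL_ERROR`, like the one added for the include directory, would do that.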
+ - Release Version - 1.0 + - Code Quality: EAC
- - The ADAC tests are written for version beta of the ADAC specification. + - The ADAC tests are written for EAC version of the ADAC specification. - This test suite is not a substitute for design verification. ## Layers @@ -34,7 +34,7 @@ These tests are written on top of VAL and PAL. The abstraction layers provide platform information and runtime environment to enable execution of the tests. -In this release, PAL implementation for the 'emulation' target uses Unix sockets as the link layer to send commands and receive responses. Arm also provides support for executing the test suite on the 'Musca-b1' hardware board by adding a 'musca_b1' target which uses memory window protocol as the link layer. +In this release, Arm provides support for executing the test suite on the 'Musca-b1' hardware board by adding a 'musca_b1' target which uses memory window protocol as the link layer. You can also write your own abstraction layer implementations to allow ADAC tests to run on other host platforms and support the debug link layer. @@ -46,7 +46,7 @@ The mapping of the rules to the test cases and the steps followed in the tests a Follow the instructions in the subsequent sections to get a copy of the source code on your local machine and build the tests.
-See [Arm Authenticated Debug Access Control Test Suite User guide](docs/Arm_Authenticated_Debug_Access_Control_Test_Suite_User_Guide.pdf) to get details on the steps involved in porting the test suite to your platform. +See [Arm Authenticated Debug Access Control Test Suite User guide](docs/Arm_Authenticated_Debug_Access_Control_Test_Suite_User_Guide.pdf) to get details on the steps involved in running the test suite on your platform. This test suite is provided as a separate directory within the psa-arch-tests repository. ### Prerequisites @@ -60,18 +60,11 @@ Before starting the test suite build, ensure that the following requirements are ## Download source +This repository uses git submodules. Either add the --recurse-submodules argument when running git clone, or run git submodule update --init after cloning. To download the main branch of the repository, type the following command: git clone https://github.com/ARM-software/psa-arch-tests.git -To download the main branch of the psa-adac repository, navigate to the secure debug directory and type the following command: - - git clone git@github.com:ARMmbed/psa-adac.git - -Note: - To receive access to the psa-adac repository and some of its dependent submodules, Arm licensees may contact Arm through their partner managers. - - ## Porting steps See the [Porting Guide](docs/porting_guide_adac_host.md) for porting steps for your host platform. @@ -82,10 +75,9 @@ See the [User Guide](docs/Arm_Authenticated_Debug_Access_Control_Test_Suite_User To build ADAC test suite for a given host platform, execute the following commands:
~~~ cd psa-arch-tests/secure-debug - git clone git@github.com:ARMmbed/psa-adac.git --recurse-submodules - cp psa_adac_ats.patch psa-adac/. + cp psa_adac_acs_host.patch psa-adac/. cd psa-adac/ - git apply psa_adac_ats.patch + git apply psa_adac_acs_host.patch cd .. mkdir cd @@ -95,7 +87,7 @@ To build ADAC test suite for a given host platform, execute the following comman "MinGW Makefiles" - to generate Makefiles for cmd.exe on Windows - target to build, as created in the platform/hosts directory - ADAC - specify the ADAC suite - - link layer for the host platform, optional for emulation target + - "memw_pyocd" - link layer protocol used by host, more options can be specified if supported by host platform To build project cmake --build . @@ -113,12 +105,9 @@ The following ADAC test suite build outputs are available under host build direc - psa_adac_test executable - val and platform layer libraries -For running the test suite on the emulation platform, see the [Readme](platform/hosts/emulation/unix_socket/README.md).
For running the test suite on the Musca-b1 hardware platform, see the [Readme](platform/hosts/musca_b1/memw_pyocd/README.md).
Note: - - See the psa-adac directory for information on other target platforms. - - The keys and the certificate credentials for a supported cryptosystem can be generated using the tools provided in the psa-adac repository. - The test suite is designed to run once per supported cryptosystem. Ensure that the device must be provisioned with the correct certificates installed in the device's RoT. ## Security implication @@ -129,6 +118,7 @@ ADAC test suite may run at higher privilege level. An attacker can utilize these Arm ADAC Architecture test suite is distributed under Apache v2.0 license. The psa-adac code repository is distributed under BSD-3-Clause license. +The mbedtls code repository is distributed under Apache v2.0 license. ## Feedback, contributions, and support @@ -139,4 +129,4 @@ The psa-adac code repository is distributed under BSD-3-Clause license. -------------- -*Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.* +*Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved.* diff --git a/secure-debug/crypto/manager-crypto-config.h b/secure-debug/crypto/manager-crypto-config.h new file mode 100644 index 00000000..cbd65369 --- /dev/null +++ b/secure-debug/crypto/manager-crypto-config.h 
@@ -0,0 +1,96 @@ +/** @file + * Copyright (c) 2023, Arm Limited or its affiliates. All rights reserved. + * SPDX-License-Identifier : Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. +**/ + +#ifndef MANAGER_CRYPTO_CONFIG_H +#define MANAGER_CRYPTO_CONFIG_H + +#include + +#define MBEDTLS_PSA_CRYPTO_C + +/* System support */ +#define MBEDTLS_PLATFORM_C +#define MBEDTLS_PLATFORM_MEMORY +#define MBEDTLS_MEMORY_BUFFER_ALLOC_C + +#if defined(PSA_ADAC_RSA3072) || defined(PSA_ADAC_RSA4096) +#define MBEDTLS_RSA_C +#define MBEDTLS_PKCS1_V21 +#define MBEDTLS_OID_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_GENPRIME + +/* Support RSA key sizes up to 4096 bit */ +#define MBEDTLS_MPI_MAX_SIZE 512 +#endif + +/* PSA ADAC */ +#if defined(PSA_ADAC_EC_P256) || defined(PSA_ADAC_EC_P521) +#define MBEDTLS_ECDSA_C +#define MBEDTLS_ECDSA_DETERMINISTIC +#define MBEDTLS_ECP_C +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C +#define MBEDTLS_HMAC_DRBG_C +#if defined(PSA_ADAC_EC_P256) +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +#endif +#if defined(PSA_ADAC_EC_P521) +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED +#endif +#endif + +#ifdef PSA_ADAC_CMAC +#define MBEDTLS_CMAC_C +#endif + +#ifdef PSA_ADAC_HMAC +#define MBEDTLS_HKDF_C +#endif + +/* Needed by PSA Crypto API Implementation */ +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_ENTROPY_C +#define MBEDTLS_AES_C + +#define MBEDTLS_MD_C +#define MBEDTLS_SHA256_C +#define MBEDTLS_SHA512_C + +/* Add CCM on Windows */ +#if 
defined(_MSC_VER) +#define MBEDTLS_CCM_C +#endif + +/* Needed by manager */ +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C +#define MBEDTLS_PK_WRITE_C +#define MBEDTLS_PK_PARSE_C +#define MBEDTLS_PK_C +#define MBEDTLS_PEM_PARSE_C +#define MBEDTLS_BASE64_C +#define MBEDTLS_CIPHER_C +#define MBEDTLS_FS_IO + +/* Optimizations */ +#define MBEDTLS_AESNI_C +#define MBEDTLS_HAVE_ASM + +#include "mbedtls/check_config.h" + +#endif /* MBEDTLS_CONFIG_BOOT_H */ diff --git a/secure-debug/crypto/mbedcrypto.cmake b/secure-debug/crypto/mbedcrypto.cmake new file mode 100644 index 00000000..014d0c8b --- /dev/null +++ b/secure-debug/crypto/mbedcrypto.cmake @@ -0,0 +1,31 @@ +#/** @file +# * Copyright (c) 2023, Arm Limited or its affiliates. All rights reserved. +# * SPDX-License-Identifier : Apache-2.0 +# * +# * Licensed under the Apache License, Version 2.0 (the "License"); +# * you may not use this file except in compliance with the License. +# * You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, +# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# * See the License for the specific language governing permissions and +# * limitations under the License. +#**/ + +if(NOT DEFINED SECURE_DEBUG_ROOT) + get_filename_component(SECURE_DEBUG_ROOT ${CMAKE_CURRENT_SOURCE_DIR}/.. ABSOLUTE) +endif() + +include_directories(${SECURE_DEBUG_ROOT}/external/mbedtls/include) + +set(MBEDTLS_FATAL_WARNINGS OFF CACHE BOOL "Disable fatal warnings" FORCE) +set(ENABLE_PROGRAMS OFF CACHE BOOL "Disable PROGRAMS" FORCE) +set(ENABLE_TESTING OFF CACHE BOOL "Disable TESTING" FORCE) +add_subdirectory(${SECURE_DEBUG_ROOT}/external/mbedtls mbedcrypto) + +set_target_properties(mbedtls mbedx509 PROPERTIES + EXCLUDE_FROM_ALL 1 + EXCLUDE_FROM_DEFAULT_BUILD 1) 
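Review bot: The closing `#endif /* MBEDTLS_CONFIG_BOOT_H */` names a different guard from the `MANAGER_CRYPTO_CONFIG_H` opened at the top of the file; it should read `#endif /* MANAGER_CRYPTO_CONFIG_H */`. `MBEDTLS_ASN1_PARSE_C` and `MBEDTLS_ASN1_WRITE_C` are defined once in the EC block and again under "Needed by manager", so the EC copies are redundant. The `_MSC_VER`-only `MBEDTLS_CCM_C` and the unconditional `MBEDTLS_AESNI_C` would each benefit from a one-line comment saying why they are enabled, since this header fixes the crypto feature set of the host build.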
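Review bot: The three `set(... CACHE BOOL ... FORCE)` lines in mbedcrypto.cmake overwrite whatever the user passed on the command line on every configure, and `ENABLE_PROGRAMS` and `ENABLE_TESTING` are unprefixed names in the global cache. Dropping `FORCE` still seeds the defaults before `add_subdirectory` runs, e.g. `set(ENABLE_TESTING OFF CACHE BOOL "Disable TESTING")`, and leaves an explicit `-D` override intact. `include_directories(...)` here is directory-scoped and repeats the include path the parent CMakeLists.txt already adds; a `target_include_directories` on the consuming target would keep it from leaking into the mbedtls subdirectory.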
diff --git a/secure-debug/crypto/psa-crypto/CMakeLists.txt b/secure-debug/crypto/psa-crypto/CMakeLists.txt
new file mode 100644
index 00000000..e48899a1
--- /dev/null
+++ b/secure-debug/crypto/psa-crypto/CMakeLists.txt
@@ -0,0 +1,37 @@
+# @file
+# Copyright (c) 2021-2023, Arm Limited or its affiliates. All rights reserved.
+# SPDX-License-Identifier : Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+if(NOT DEFINED SECURE_DEBUG_ROOT)
+ get_filename_component(SECURE_DEBUG_ROOT ${CMAKE_CURRENT_SOURCE_DIR}/../.. ABSOLUTE)
+endif()
+
+if(NOT DEFINED PSA_ADAC_ROOT)
+ get_filename_component(PSA_ADAC_ROOT ${SECURE_DEBUG_ROOT}/psa-adac ABSOLUTE)
+endif()
+
+include_directories(${PSA_ADAC_ROOT}/psa-adac/core/include)
+include(${SECURE_DEBUG_ROOT}/crypto/mbedcrypto.cmake)
+
+add_library(psa_adac_psa_crypto STATIC)
+
+set(PSA_CRYPTO_SRC
+ ${SECURE_DEBUG_ROOT}/crypto/psa-crypto/adac_crypto_psa.c
+ ${SECURE_DEBUG_ROOT}/crypto/psa-crypto/adac_crypto_psa_hash.c
+ ${SECURE_DEBUG_ROOT}/crypto/psa-crypto/adac_crypto_psa_mac.c
+ ${SECURE_DEBUG_ROOT}/crypto/psa-crypto/adac_crypto_psa_pk.c)
+
+target_sources(psa_adac_psa_crypto PUBLIC ${PSA_CRYPTO_SRC})
diff --git a/secure-debug/crypto/psa-crypto/adac_crypto_psa.c b/secure-debug/crypto/psa-crypto/adac_crypto_psa.c
new file mode 100644
index 00000000..15aecbbd
--- /dev/null
+++ b/secure-debug/crypto/psa-crypto/adac_crypto_psa.c
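Review bot: `add_library(psa_adac_psa_crypto STATIC)` with no source files is only accepted from CMake 3.11, but the parent secure-debug/CMakeLists.txt in this same diff still declares `cmake_minimum_required(VERSION 3.10)`. Either raise the minimum or pass the sources directly, `add_library(psa_adac_psa_crypto STATIC ${PSA_CRYPTO_SRC})` after the `set`. `target_sources(... PUBLIC ...)` also adds the four .c files to every target that links this library, so they are compiled again in each consumer; `PRIVATE` is what a static library wants here.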
@@ -0,0 +1,64 @@ +/** @file + * Copyright (c) 2023, Arm Limited or its affiliates. All rights reserved. + * SPDX-License-Identifier : Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. +**/ + +#include "adac_crypto_psa.h" +#include + +psa_status_t psa_adac_crypto_init(void) +{ + psa_status_t r = psa_crypto_init(); + if (r == PSA_SUCCESS) + PSA_ADAC_LOG_INFO("psa-crypto", "PSA Crypto API Initialized\n"); + else + PSA_ADAC_LOG_ERR("psa-crypto", "PSA Crypto API Initialization failure => %d\n", r); + + return r; +} + +psa_status_t psa_adac_generate_challenge(uint8_t *output, size_t output_size) +{ + return psa_generate_random(output, output_size); +} + +psa_status_t psa_adac_verify_vendor(uint8_t key_type, uint8_t *key, size_t key_size, + psa_algorithm_t hash_algo, const uint8_t *inputs[], + size_t input_sizes[], size_t input_count, + psa_algorithm_t sig_algo, uint8_t *sig, size_t sig_size) +{ + psa_status_t ret = PSA_ERROR_NOT_SUPPORTED; +#if (defined(PSA_ADAC_CMAC) || defined(PSA_ADAC_HMAC)) + if ((key_type == CMAC_AES) || (key_type == HMAC_SHA256)) { + ret = PSA_SUCCESS; +#if defined(PSA_ADAC_HMAC) + if ((key_type == HMAC_SHA256) && ((sig_algo != HMAC_SIGN_ALGORITHM) || + (hash_algo != HMAC_HASH_ALGORITHM))) + ret = PSA_ERROR_INVALID_ARGUMENT; +#endif +#if defined(PSA_ADAC_CMAC) + if ((key_type == CMAC_AES) && ((sig_algo != CMAC_SIGN_ALGORITHM) || + (hash_algo != CMAC_HASH_ALGORITHM))) + ret = PSA_ERROR_INVALID_ARGUMENT; +#endif + if (PSA_SUCCESS == 
ret) + ret = psa_adac_verify_mac(key_type, key, key_size, + inputs, input_sizes, input_count, sig_algo, sig, sig_size); + } +#endif + + // TODO: Add support for extra algorithms + return ret; +} diff --git a/secure-debug/crypto/psa-crypto/adac_crypto_psa.h b/secure-debug/crypto/psa-crypto/adac_crypto_psa.h new file mode 100644 index 00000000..fba68f66 --- /dev/null +++ b/secure-debug/crypto/psa-crypto/adac_crypto_psa.h @@ -0,0 +1,36 @@ +/** @file + * Copyright (c) 2023, Arm Limited or its affiliates. All rights reserved. + * SPDX-License-Identifier : Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. +**/ + +#ifndef ADAC_CRYPTO_PSA_H +#define ADAC_CRYPTO_PSA_H + +#include +#include +#include +#include +#include + +psa_status_t psa_adac_verify_vendor(uint8_t key_type, uint8_t *key, size_t key_size, + psa_algorithm_t hash_algo, const uint8_t *inputs[], + size_t input_sizes[], size_t input_count, + psa_algorithm_t sig_algo, uint8_t *sig, size_t sig_size); + +psa_status_t psa_adac_verify_mac(uint8_t key_type, uint8_t *key, size_t key_size, + const uint8_t *inputs[], size_t input_sizes[], size_t input_count, + psa_algorithm_t mac_algo, uint8_t *mac, size_t mac_size); + +#endif //ADAC_CRYPTO_PSA_H diff --git a/secure-debug/crypto/psa-crypto/adac_crypto_psa_hash.c b/secure-debug/crypto/psa-crypto/adac_crypto_psa_hash.c new file mode 100644 index 00000000..cd46226f --- /dev/null +++ b/secure-debug/crypto/psa-crypto/adac_crypto_psa_hash.c 
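Review bot: `psa_adac_verify_vendor` sets `ret = PSA_SUCCESS` as soon as `key_type` is one of the two MAC types and relies on the later checks to turn it back into an error. When only one of `PSA_ADAC_CMAC` and `PSA_ADAC_HMAC` is compiled in, the other key type skips every algorithm check and is rejected only because `psa_adac_verify_mac` happens to start from `PSA_ERROR_NOT_SUPPORTED`. A verification routine is safer when it starts from failure and sets success only in the branch that checked both `sig_algo` and `hash_algo`, as in the sketch below, which gives the same results for every input. The call stays inside the existing `#if` because `psa_adac_verify_mac` is defined only under that condition.

```c
    psa_status_t ret = PSA_ERROR_NOT_SUPPORTED;
#if defined(PSA_ADAC_HMAC)
    if (key_type == HMAC_SHA256) {
        ret = ((sig_algo == HMAC_SIGN_ALGORITHM) && (hash_algo == HMAC_HASH_ALGORITHM)) ?
              PSA_SUCCESS : PSA_ERROR_INVALID_ARGUMENT;
    }
#endif
#if defined(PSA_ADAC_CMAC)
    if (key_type == CMAC_AES) {
        ret = ((sig_algo == CMAC_SIGN_ALGORITHM) && (hash_algo == CMAC_HASH_ALGORITHM)) ?
              PSA_SUCCESS : PSA_ERROR_INVALID_ARGUMENT;
    }
#endif
#if (defined(PSA_ADAC_CMAC) || defined(PSA_ADAC_HMAC))
    if (PSA_SUCCESS == ret) {
        ret = psa_adac_verify_mac(key_type, key, key_size,
                                  inputs, input_sizes, input_count, sig_algo, sig, sig_size);
    }
#endif
    /* … unchanged: TODO comment and return ret … */
```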
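Review bot: The two prototypes in adac_crypto_psa.h carry no contract comment, and `psa_adac_verify_mac` is declared unconditionally although adac_crypto_psa_mac.c in this diff defines it only under `#if (defined(PSA_ADAC_CMAC) || defined(PSA_ADAC_HMAC))`. A short comment above each should state that `PSA_SUCCESS` is returned only when the MAC over the concatenated `inputs` verifies. It should also note that `PSA_ERROR_NOT_SUPPORTED` is returned for a key type that is not compiled in, and that the function exists only when one of the two macros is defined. The `key`, `sig` and `mac` buffers appear to be read-only in the implementations shown, so `const uint8_t *` would document that, provided the signatures are not fixed by the psa-adac headers.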
@@ -0,0 +1,119 @@ +/** @file + * Copyright (c) 2023, Arm Limited or its affiliates. All rights reserved. + * SPDX-License-Identifier : Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. +**/ + +#include +#include + +psa_status_t psa_adac_hash(psa_algorithm_t alg, const uint8_t *input, size_t input_size, + uint8_t *hash, size_t hash_size, size_t *hash_length) +{ + return psa_adac_hash_multiple(alg, &input, &input_size, 1, hash, hash_size, hash_length); +} + +psa_status_t psa_adac_hash_multiple(psa_algorithm_t alg, const uint8_t *inputs[], + size_t input_sizes[], size_t input_count, + uint8_t hash[], size_t hash_size, size_t *hash_length) +{ + psa_status_t status; + + if (PSA_ALG_IS_VENDOR_DEFINED(alg) != 0) { + // TODO: Add support for extra algorithms + status = PSA_ERROR_NOT_SUPPORTED; + } else { + psa_hash_operation_t hashOperation = PSA_HASH_OPERATION_INIT; + + status = psa_hash_setup(&hashOperation, alg); + for (size_t i = 0; (i < input_count) && (PSA_SUCCESS == status); i++) + status = psa_hash_update(&hashOperation, inputs[i], input_sizes[i]); + + if (PSA_SUCCESS == status) + status = psa_hash_finish(&hashOperation, hash, hash_size, hash_length); + } + + return status; +} + +psa_status_t psa_adac_hash_verify(psa_algorithm_t alg, const uint8_t input[], size_t input_size, + uint8_t hash[], size_t hash_size) +{ + psa_status_t status; + if (PSA_ALG_IS_VENDOR_DEFINED(alg) != 0) { + // TODO: Add support for extra algorithms + status = 
PSA_ERROR_NOT_SUPPORTED; + } else { + psa_hash_operation_t hashOperation = PSA_HASH_OPERATION_INIT; + + status = psa_hash_setup(&hashOperation, alg); + if (PSA_SUCCESS == status) + status = psa_hash_update(&hashOperation, input, input_size); + + if (PSA_SUCCESS == status) + status = psa_hash_verify(&hashOperation, hash, hash_size); + } + + return status; +} + +static psa_status_t hash_check(const uint8_t *a, size_t la, const uint8_t *b, size_t lb) +{ + uint8_t chk = 1; + + if (la == lb) { + chk = 0; + for (size_t i = 0; i < la; i++) { + chk |= (uint8_t) (a[i] ^ b[i]); + } + } + + return (chk == 0U) ? PSA_SUCCESS : PSA_ERROR_INVALID_SIGNATURE; +} + +psa_status_t psa_adac_hash_verify_multiple(psa_algorithm_t alg, + const uint8_t input[], size_t input_length, + uint8_t *hash[], size_t hash_size[], size_t hash_count) +{ + psa_status_t status; + + if (PSA_ALG_IS_VENDOR_DEFINED(alg) != 0) { + // TODO: Add support for extra algorithms + status = PSA_ERROR_NOT_SUPPORTED; + } else { + psa_hash_operation_t hashOperation = PSA_HASH_OPERATION_INIT; + // cppcheck-suppress misra-c2012-18.8 + uint8_t tmp[PSA_HASH_MAX_SIZE]; + size_t tmp_len; + + status = psa_hash_setup(&hashOperation, alg); + if (PSA_SUCCESS == status) + status = psa_hash_update(&hashOperation, input, input_length); + + if (PSA_SUCCESS == status) + status = psa_hash_finish(&hashOperation, tmp, sizeof(tmp), &tmp_len); + + if (PSA_SUCCESS == status) { + // PSA_ADAC_LOG_TDUMP("crypto", "target", tmp, tmp_len); + for (size_t i = 0; i < hash_count; i++) { + // PSA_ADAC_LOG_TDUMP("crypto", "candidate", hash[i], hash_size[i]); + status = hash_check(hash[i], hash_size[i], tmp, tmp_len); + if (status == PSA_SUCCESS) + break; + } + } + } + + return status; +} diff --git a/secure-debug/crypto/psa-crypto/adac_crypto_psa_mac.c b/secure-debug/crypto/psa-crypto/adac_crypto_psa_mac.c new file mode 100644 index 00000000..32d45bf0 --- /dev/null +++ b/secure-debug/crypto/psa-crypto/adac_crypto_psa_mac.c 
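Review bot: `psa_adac_hash_verify_multiple` returns `PSA_SUCCESS` when `hash_count` is 0, because `status` still holds the success from `psa_hash_finish` and the candidate loop never runs, so an empty candidate list verifies any input. Set the failure value before the loop, `status = PSA_ERROR_INVALID_SIGNATURE;` just ahead of the `for`, or reject `hash_count == 0` with `PSA_ERROR_INVALID_ARGUMENT` at the top. Separately, none of the three functions that set up a `psa_hash_operation_t` calls `psa_hash_abort(&hashOperation)` when `psa_hash_update`, `psa_hash_finish` or `psa_hash_verify` fails. The PSA Crypto API expects an abort after any error following setup, so add it on the error path of `psa_adac_hash_multiple`, `psa_adac_hash_verify` and `psa_adac_hash_verify_multiple`.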
@@ -0,0 +1,264 @@ +/** @file + * Copyright (c) 2023, Arm Limited or its affiliates. All rights reserved. + * SPDX-License-Identifier : Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. +**/ + +#include "adac_crypto_psa.h" +#include + +#if (defined(PSA_ADAC_CMAC) || defined(PSA_ADAC_HMAC)) + +psa_status_t psa_adac_mac_verify(psa_algorithm_t alg, const uint8_t *inputs[], size_t input_sizes[], + size_t input_count, const uint8_t key[], size_t key_size, + uint8_t mac[], size_t mac_size) +{ + psa_status_t ret = PSA_ERROR_NOT_SUPPORTED; + psa_algorithm_t algo; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_handle_t handle; + size_t bits; + + if (alg == PSA_ALG_CMAC) { + if (key_size != 16U) { + ret = PSA_ERROR_INVALID_ARGUMENT; + } else{ + ret = PSA_SUCCESS; + algo = PSA_ALG_CMAC; + bits = 128; + } + } + + if (PSA_SUCCESS == ret) { + psa_set_key_usage_flags(&attributes, 0); + psa_set_key_algorithm(&attributes, algo); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); + psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE); + psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); + psa_set_key_bits(&attributes, bits); + + ret = psa_import_key(&attributes, key, key_size, &handle); + if (PSA_SUCCESS == ret) { + psa_mac_operation_t operation = psa_mac_operation_init(); + + ret = psa_mac_verify_setup(&operation, handle, algo); + for (size_t i = 0; (PSA_SUCCESS == ret) && (i < input_count); i++) + ret = 
psa_mac_update(&operation, inputs[i], input_sizes[i]); + + if (PSA_SUCCESS == ret) + ret = psa_mac_verify_finish(&operation, mac, mac_size); + + psa_destroy_key(handle); + psa_mac_abort(&operation); + } + } + + return ret; +} + +psa_status_t psa_adac_derive_hmac(uint8_t *key, uint8_t *info, size_t size, uint8_t *output) +{ + psa_algorithm_t algo = PSA_ALG_HKDF(PSA_ALG_SHA_256); + psa_key_handle_t handle; + + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_set_key_usage_flags(&attributes, 0); + psa_set_key_algorithm(&attributes, algo); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); + psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE); + psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE); + psa_set_key_bits(&attributes, 256); + + psa_status_t ret = psa_import_key(&attributes, key, 32, &handle); + if (PSA_SUCCESS == ret) { + psa_key_derivation_operation_t operation = psa_key_derivation_operation_init(); + + ret = psa_key_derivation_setup(&operation, algo); + if (PSA_SUCCESS == ret) { + ret = psa_key_derivation_input_key(&operation, PSA_KEY_DERIVATION_INPUT_SECRET, handle); + } + if (PSA_SUCCESS == ret) { + ret = psa_key_derivation_input_bytes(&operation, PSA_KEY_DERIVATION_INPUT_INFO, + info, size); + } + if (PSA_SUCCESS == ret) { + ret = psa_key_derivation_output_bytes(&operation, output, 32); + } + psa_destroy_key(handle); + psa_key_derivation_abort(&operation); + } + return ret; +} + +/* A key-derivation function can iterates n times until l bits of keying material are generated. + For each of the iterations of the PRF, i=1 to n, do: + result(0) = 0; + K(i) = PRF (Ki, [i] || Label || 0x00 || Context || length); + results(i) = result(i-1) || K(i); + + concisely, result(i) = K(i) || k(i-1) || .... 
|| k(0)*/ + +// NIST SP800-108 + Inspiration from SCP03 +// Label || 0x00 || [L]_2 || [i]_2 || Context + +psa_status_t psa_adac_derive_cmac(uint8_t *key, uint8_t *context, size_t context_size, + uint8_t *output) +{ + psa_algorithm_t algo = PSA_ALG_CMAC; + psa_key_handle_t handle; + size_t l = 0; + uint8_t info[16] = { + // Label = 'PSA ADAC 1.0' + 0x50, 0x53, 0x41, 0x20, 0x41, 0x44, 0x41, 0x43, 0x20, 0x31, 0x2E, 0x30, + // Separator (0x00) + 0x00, + // [L]_2 = 128 (encoded in 16 bit) + 0x00, 0x80, + // [i]_2 = 8-bit counter + 0x01 + // Context = input + }; + + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + + psa_set_key_usage_flags(&attributes, 0); + psa_set_key_algorithm(&attributes, algo); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); + psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); + psa_set_key_bits(&attributes, 128); + + psa_status_t ret = psa_import_key(&attributes, key, 16, &handle); + + if (PSA_SUCCESS == ret) { + psa_mac_operation_t operation = psa_mac_operation_init(); + + ret = psa_mac_sign_setup(&operation, handle, algo); + if (PSA_SUCCESS == ret) { + ret = psa_mac_update(&operation, info, sizeof(info)); + } + if (PSA_SUCCESS == ret) { + ret = psa_mac_update(&operation, context, context_size); + } + if (PSA_SUCCESS == ret) { + ret = psa_mac_sign_finish(&operation, output, 16, &l); + if ((PSA_SUCCESS == ret) && (l != 16U)) + ret = PSA_ERROR_GENERIC_ERROR; + } + psa_destroy_key(handle); + psa_mac_abort(&operation); + } + + return ret; +} + +psa_status_t psa_adac_derive_key(uint8_t *crt, size_t crt_size, + uint8_t key_type, uint8_t *key, size_t key_size) +{ + psa_status_t ret; + + if (key_type == CMAC_AES) { +#ifdef PSA_ADAC_CMAC + if ((key_size == 16U) && (crt_size >= sizeof(certificate_cmac_cmac_t))) { + ret = psa_adac_derive_cmac(key, crt, offsetof(certificate_cmac_cmac_t, signature), key); + PSA_ADAC_LOG_DUMP("psa_adac_derive_key", "cmac", key, 16); + } else { + ret = PSA_ERROR_INVALID_ARGUMENT; + } +#else + ret = 
PSA_ERROR_NOT_SUPPORTED; +#endif + } else if (key_type == HMAC_SHA256) { +#ifdef PSA_ADAC_HMAC + if ((key_size == 32U) && (crt_size >= sizeof(certificate_hmac_hmac_t))) { + ret = psa_adac_derive_hmac(key, crt, offsetof(certificate_hmac_hmac_t, signature), key); + PSA_ADAC_LOG_DUMP("psa_adac_derive_key", "hmac", key, 32); + } else { + ret = PSA_ERROR_INVALID_ARGUMENT; + } +#else + ret = PSA_ERROR_NOT_SUPPORTED; +#endif + } else { + ret = PSA_ERROR_NOT_SUPPORTED; + } + + return ret; +} + +psa_status_t psa_adac_verify_mac(uint8_t key_type, uint8_t *key, size_t key_size, + const uint8_t *inputs[], size_t input_sizes[], size_t input_count, + psa_algorithm_t mac_algo, uint8_t *mac, size_t mac_size) +{ + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_handle_t handle = -1; + psa_status_t ret = PSA_ERROR_NOT_SUPPORTED; + psa_key_type_t type = 0; + size_t bits = 0; + +#ifdef PSA_ADAC_CMAC + if ((key_type == CMAC_AES) && (mac_algo == CMAC_SIGN_ALGORITHM)) { + if (key_size != 16U) { + ret = PSA_ERROR_INVALID_ARGUMENT; + } else { + ret = PSA_SUCCESS; + type = PSA_KEY_TYPE_AES; + bits = 128; + } + } +#endif + +#ifdef PSA_ADAC_HMAC + if ((key_type == HMAC_SHA256) && (mac_algo == HMAC_SIGN_ALGORITHM)) { + if (key_size != 32U) { + ret = PSA_ERROR_INVALID_ARGUMENT; + } else { + ret = PSA_SUCCESS; + type = PSA_KEY_TYPE_HMAC; + bits = 256; + } + } +#endif + + if (ret == PSA_SUCCESS) { + psa_set_key_usage_flags(&attributes, 0); + psa_set_key_algorithm(&attributes, mac_algo); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); + psa_set_key_type(&attributes, type); + psa_set_key_bits(&attributes, bits); + ret = psa_import_key(&attributes, key, key_size, &handle); + + if (PSA_SUCCESS != ret) { + PSA_ADAC_LOG_ERR("self", "Error importing key (%d)\n", ret); + } else { + psa_mac_operation_t operation = psa_mac_operation_init(); + + ret = psa_mac_verify_setup(&operation, handle, mac_algo); + for (size_t i = 0; (PSA_SUCCESS == ret) && (i < input_count); 
i++) { + ret = psa_mac_update(&operation, inputs[i], input_sizes[i]); + } + if (PSA_SUCCESS == ret) { + ret = psa_mac_verify_finish(&operation, mac, mac_size); + } + if (PSA_SUCCESS != ret) { + PSA_ADAC_LOG_ERR("self", "Error during MAC verification (%d)\n", ret); + } + psa_destroy_key(handle); + psa_mac_abort(&operation); + } + } + + return ret; +} + +#endif diff --git a/secure-debug/crypto/psa-crypto/adac_crypto_psa_pk.c b/secure-debug/crypto/psa-crypto/adac_crypto_psa_pk.c new file mode 100644 index 00000000..c2610f3a --- /dev/null +++ b/secure-debug/crypto/psa-crypto/adac_crypto_psa_pk.c 
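Review bot: `psa_adac_derive_key` writes the freshly derived symmetric key to the log in both branches, `PSA_ADAC_LOG_DUMP("psa_adac_derive_key", "cmac", key, 16);` and the `"hmac"` equivalent with 32 bytes, and does so without checking `ret`. Whether `PSA_ADAC_LOG_DUMP` is compiled out in release builds is not visible in this diff. Key material should not reach a log sink by default, so remove both dumps or confine them to an explicit debug-only build option and log only on `ret == PSA_SUCCESS`. In `psa_adac_verify_mac`, `psa_key_handle_t handle = -1;` assigns a negative literal to a key identifier type and should use the type's initialiser instead. The repeated `psa_set_key_usage_flags(&attributes, 0);` before each real usage flag is dead code in all four functions that set attributes.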
@@ -0,0 +1,243 @@
+/** @file
+ * Copyright (c) 2023, Arm Limited or its affiliates. All rights reserved.
+ * SPDX-License-Identifier : Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+**/
+
+#include "adac_crypto_psa.h"
+#include
+#include
+
+#include
+
+#if defined(PSA_ADAC_RSA3072) || defined(PSA_ADAC_RSA4096)
+static const uint8_t f4[] = {0x02, 0x03, 0x01, 0x00, 0x01};
+#endif
+
+#ifdef PSA_ADAC_RSA3072
+static const uint8_t rsa3072_header[] = {0x30, 0x82, 0x01, 0x89, 0x02, 0x82, 0x01, 0x80, 0x00};
+
+psa_status_t load_rsa_3072_public_key(uint8_t *key, size_t key_size, psa_key_handle_t *handle)
+{
+ psa_status_t ret;
+
+ if (key_size == RSA_3072_PUBLIC_KEY_SIZE) {
+ uint8_t pub_key[398];
+ size_t offset = 8UL;
+ size_t pub_size = sizeof(pub_key) - 1UL;
+
+ (void) memcpy(pub_key, rsa3072_header, sizeof(rsa3072_header));
+
+ // If MSB is set, modulus need to be prefixed by 0 value
+ if ((key[0] & (uint8_t) 0x80U) != 0x00U) {
+ pub_key[3] = 0x8aU;
+ pub_key[7] = 0x81U;
+ offset = 9UL;
+ pub_size += 1UL;
+ }
+
+ (void) memcpy(&(pub_key[offset]), key, RSA_3072_PUBLIC_KEY_SIZE);
+ offset += RSA_3072_PUBLIC_KEY_SIZE;
+ (void) memcpy(&(pub_key[offset]), f4, sizeof(f4));
+
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
+ psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH));
+ psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE);
+ psa_set_key_bits(&attributes, 3072);
+
+ ret = psa_import_key(&attributes, pub_key, pub_size, handle);
+ } else {
+ ret = PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return ret;
+}
+
+#endif
+
+#ifdef PSA_ADAC_RSA4096
+static const uint8_t rsa4096_header[] = {0x30, 0x82, 0x02, 0x09, 0x02, 0x82, 0x02, 0x00, 0x00};
+
+psa_status_t load_rsa_4096_public_key(uint8_t *key, size_t key_size, psa_key_handle_t *handle)
+{
+ psa_status_t ret;
+
+ if (RSA_4096_PUBLIC_KEY_SIZE == key_size) {
+ uint8_t pub_key[526];
+ size_t offset = 8UL;
+ size_t pub_size = sizeof(pub_key) - 1UL;
+
+ (void) memcpy(pub_key, rsa4096_header, sizeof(rsa4096_header));
+
+ // If MSB is set, modulus need to be prefixed by 0 value
+ if ((key[0] & (uint8_t) 0x80) != 0x00U) {
+ pub_key[3] = 0x0a;
+ pub_key[7] = 0x01;
+ offset = 9UL;
+ pub_size += 1UL;
+ }
+
+ (void) memcpy(&(pub_key[offset]), key, RSA_4096_PUBLIC_KEY_SIZE);
+ offset += RSA_4096_PUBLIC_KEY_SIZE;
+ (void) memcpy(&(pub_key[offset]), f4, sizeof(f4));
+
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
+ psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH));
+ psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE);
+ psa_set_key_bits(&attributes, 4096);
+
+ ret = psa_import_key(&attributes, pub_key, pub_size, handle);
+ } else {
+ ret = PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return ret;
+}
+
+#endif
+
+#ifdef PSA_ADAC_EC_P256
+
+psa_status_t load_ecdsa_p256_public_key(uint8_t *key, size_t key_size, psa_key_handle_t *handle)
+{
+ psa_status_t ret;
+
+ if (ECDSA_P256_PUBLIC_KEY_SIZE == key_size) {
+ // cppcheck-suppress misra-c2012-18.8
+ uint8_t pub_key[ECDSA_P256_PUBLIC_KEY_SIZE + 1] = {0x04};
+
+ (void) memcpy(&(pub_key[1]), key, ECDSA_P256_PUBLIC_KEY_SIZE);
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));
+ psa_set_key_algorithm(&attributes, PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256));
+ psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE);
+ psa_set_key_bits(&attributes, 256);
+
+ ret = psa_import_key(&attributes, pub_key, sizeof(pub_key), handle);
+ } else {
+
+ ret = PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return ret;
+}
+
+#endif
+
+#ifdef PSA_ADAC_EC_P521
+
+psa_status_t load_ecdsa_p521_public_key(uint8_t *key, size_t key_size, psa_key_handle_t *handle)
+{
+ psa_status_t ret;
+
+ if (ECDSA_P521_PUBLIC_KEY_SIZE == key_size) {
+ // cppcheck-suppress misra-c2012-18.8
+ uint8_t pub_key[ECDSA_P521_PUBLIC_KEY_SIZE + 1] = {0x04};
+
+ (void) memcpy(&(pub_key[1]), key, ECDSA_P521_PUBLIC_KEY_SIZE);
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));
+ psa_set_key_algorithm(&attributes, PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_512));
+ psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE);
+ psa_set_key_bits(&attributes, 521);
+
+ ret = psa_import_key(&attributes, pub_key, sizeof(pub_key), handle);
+ } else {
+ ret = PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return ret;
+}
+
+#endif
+
+psa_status_t psa_adac_load_public_key(uint8_t key_type, uint8_t *key, size_t key_size,
+ psa_key_handle_t *handle)
+{
+ psa_status_t ret = PSA_ERROR_NOT_SUPPORTED;
+
+ if (key_type == ECDSA_P256_SHA256) {
+#ifdef PSA_ADAC_EC_P256
+ PSA_ADAC_LOG_TRACE("psa-crypto", "Load EcdsaP256 Public-key\n");
+ ret = load_ecdsa_p256_public_key(key, key_size, handle);
+#endif
+ } else if (key_type == ECDSA_P521_SHA512) {
+#ifdef PSA_ADAC_EC_P521
+ PSA_ADAC_LOG_TRACE("psa-crypto", "Load EcdsaP521 Public-key\n");
+ ret = load_ecdsa_p521_public_key(key, key_size, handle);
+#endif
+ } else if (key_type == RSA_3072_SHA256) {
+#ifdef PSA_ADAC_RSA3072
+ PSA_ADAC_LOG_TRACE("psa-crypto", "Load Rsa3072 Public-key\n");
+ ret = load_rsa_3072_public_key(key, key_size, handle);
+#endif
+ } else if (key_type == RSA_4096_SHA256) {
+#ifdef PSA_ADAC_RSA4096
+ PSA_ADAC_LOG_TRACE("psa-crypto", "Load Rsa4096 Public-key\n");
+ ret = load_rsa_4096_public_key(key, key_size, handle);
+#endif
+ } else {
+ ret = PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return ret;
+}
+
+psa_status_t psa_adac_verify_signature(uint8_t key_type, uint8_t *key, size_t key_size,
+ psa_algorithm_t hash_algo, const uint8_t *inputs[],
+ size_t input_sizes[], size_t input_count,
+ psa_algorithm_t sig_algo, uint8_t *sig, size_t sig_size)
+{
+ // cppcheck-suppress misra-c2012-18.8
+ uint8_t hash[PSA_HASH_MAX_SIZE];
+ size_t hash_size;
+ psa_key_handle_t handle;
+ psa_status_t ret;
+
+ if ((PSA_ALG_IS_VENDOR_DEFINED(sig_algo) != 0) ||
+ (sig_algo == PSA_ALG_HMAC(PSA_ALG_SHA_256)) || (sig_algo == PSA_ALG_CMAC)) {
+ ret = psa_adac_verify_vendor(key_type, key, key_size, hash_algo,
+ inputs, input_sizes, input_count,
+ sig_algo, sig, sig_size);
+ } else {
+ ret = psa_adac_load_public_key(key_type, key, key_size, &handle);
+ if (PSA_SUCCESS != ret) {
+ PSA_ADAC_LOG_ERR("psa-crypto", "Error loading public key (%d)\n", ret);
+ } else {
+ ret = psa_adac_hash_multiple(hash_algo, inputs, input_sizes, input_count,
+ hash, sizeof(hash), &hash_size);
+ if (PSA_SUCCESS != ret) {
+ PSA_ADAC_LOG_ERR("psa-crypto", "Error hashing content (%d)\n", ret);
+ } else {
+ PSA_ADAC_LOG_TRACE("psa-crypto", "Verify signature\n");
+ ret = psa_verify_hash(handle, sig_algo, hash, hash_size, sig, sig_size);
+ PSA_ADAC_LOG_DEBUG("psa-crypto", "Signature verification %s\n",
+ (ret == PSA_SUCCESS) ? "successful" : "failed");
+ }
+
+ psa_destroy_key(handle);
+ }
+ }
+
+ return ret;
+}
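Review bot: Both RSA loaders set the key policy to `PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH)`, whereas the two EC loaders pin SHA-256 and SHA-512, so for RSA keys the policy accepts whatever hash the caller names. `psa_adac_verify_signature` forwards `sig_algo` and `hash_algo` to `psa_verify_hash` without comparing them against `key_type`, which leaves the key policy as the only gate visible in this file; whether callers validate the pair earlier cannot be seen from this hunk. Since the key types are `RSA_3072_SHA256` and `RSA_4096_SHA256`, I would pin the policy in `load_rsa_3072_public_key` and `load_rsa_4096_public_key` with `psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PSS(PSA_ALG_SHA_256));`. A short comment above `rsa3072_header` and `rsa4096_header` saying that they are the DER prefix of the RSA public key SEQUENCE, and that bytes 3 and 7 are patched when a leading zero is inserted before the modulus, would also make the `pub_key[398]` and `pub_key[526]` sizing checkable by a reader.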
diff --git a/secure-debug/docs/Arm_Authenticated_Debug_Access_Control_Test_Suite_User_Guide.pdf b/secure-debug/docs/Arm_Authenticated_Debug_Access_Control_Test_Suite_User_Guide.pdf index 178d5885..021c222e 100644 Binary files a/secure-debug/docs/Arm_Authenticated_Debug_Access_Control_Test_Suite_User_Guide.pdf and b/secure-debug/docs/Arm_Authenticated_Debug_Access_Control_Test_Suite_User_Guide.pdf differ diff --git a/secure-debug/docs/porting_guide_adac_host.md b/secure-debug/docs/porting_guide_adac_host.md index ebd205b0..c33ca5bf 100644 --- a/secure-debug/docs/porting_guide_adac_host.md +++ b/secure-debug/docs/porting_guide_adac_host.md 
@@ -14,8 +14,8 @@ This document provides the porting steps and the list of PAL APIs. 1. Create a new directory in **platform/hosts/**. For reference, see the existing platform **musca_b1** directory. 2. Execute `cp -rf platform/hosts/musca_b1/ platform/hosts//`. 3. Create the link layer directory for each link layer you want to support for your platform. - 4. Update **platform//CMakeLists.txt** appropriately to select the correct instances of PAL files for compilation. - 5. Port the list of PAL APIs referenced in the **List of PAL APIs** section for your target platform. These API definitions are available in **val/include/pal_interfaces.h** and are written for the hardware target **musca_b1**. You can reuse the code if it works for your platform. Otherwise, you must port them for your platform-specific peripherals. + 4. Update **platform///CMakeLists.txt** appropriately to select the correct instances of PAL files for compilation. + 5. Port the list of PAL APIs referenced in the **List of PAL APIs** section for your target platform. These API definitions are available in **platform/common/include/pal_interfaces.h** and are written for the hardware target **musca_b1**. You can reuse the code if it works for your platform. Otherwise, you must port them for your platform-specific peripherals. 6. Provide the path to the key and certificate chain that points to the host credentials in main.c as command-line arguments. You can provide debug link layer-specific parameters as additional command-line arguments. ## List of PAL APIs @@ -35,4 +35,4 @@ Arm PSA test suite is distributed under Apache v2.0 license. -------------- -*Copyright (c) 2021-2022 Arm Limited and Contributors. All rights reserved.* +*Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved.* diff --git a/secure-debug/docs/psa_adac_scenarios.md b/secure-debug/docs/psa_adac_scenarios.md index bc9748b0..ab1694c4 100644 --- a/secure-debug/docs/psa_adac_scenarios.md 
+++ b/secure-debug/docs/psa_adac_scenarios.md @@ -2,22 +2,24 @@ | Scenario ID | Section | Description | Test Cases | |-------------|------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------| -| S_ADAC_001 | Commands | Verify that the following commands are recognized by the target and do not return SDP_INVALID_COMMAND status.
1. Discovery
2. Authentication Start
3. Authentication Response
4. Close Session
5. Lock Debug
| test_a002
| +| S_ADAC_001 | Commands | Verify that the following commands are recognized by the target and do not return ADAC_INVALID_COMMAND status.
1. Discovery
2. Authentication Start
3. Authentication Response
4. Close Session
5. Lock Debug
| test_a002
| | S_ADAC_002 | Commands | Send two authentication-start commands back-to-back and verify that the challenge vector obtained in the response is different. | test_a001
| | S_ADAC_003 | Commands | Use discovery command to query the target for supported response fragment formats. Check the following constraints for the response:
1. token_formats (Type ID 0x0100) TLV enlists token_adac (Type ID 0x200)
2. cert_formats (Type ID 0x0101) TLV enlists cert_adac (Type ID 0x201)
3. psa_lifecyle TLV indicates only one state.
| test_a003
| -| S_ADAC_004 | Commands | Send discovery command with list of specified TLV entries, both in increasing and decreasing order. Verify that the target responds with SDP_SUCCESS status. | test_a004
| -| S_ADAC_005 | Commands | Send invalid response fragment as part of Authentication response command sequence and check that the target responds with SDP_FAILURE status.| test_a005
| -| S_ADAC_006 | Commands | Request two challenge sequences back-to-back. Send the ADAC token signed with the older challenge and verify that the target rejects the token by responding with SDP_FAILURE. Send the ADAC token with the latest issued challenge and check that the target rejects the updated token as well by responding with SDP_FAILURE status. | test_a005
| -| S_ADAC_007 | Commands | Send an authentication response command with a NULL payload and verify that the target responds with SDP_FAILURE status. | test_a006
| -| S_ADAC_008 | Commands | Verify that the target responds to an unrecognized ADAC command with SDP_INVALID_COMMAND status. | test_a007
| -| S_ADAC_009 | Commands | Verify that for a multiple fragment Authentication response request, the device responds with a SDP_MORE_DATA_NEEDED status code after each response fragment. | test_a001, test_a005
| -| S_ADAC_010 | Commands | Check that the Close Session command always returns an SDP_SUCCESS status. | test_a001
| +| S_ADAC_004 | Commands | Send discovery command with list of specified TLV entries, both in increasing and decreasing order. Verify that the target responds with ADAC_SUCCESS status. | test_a004
| +| S_ADAC_005 | Commands | Send invalid response fragment as part of Authentication response command sequence and check that the target responds with ADAC_FAILURE status.| test_a005
| +| S_ADAC_006 | Commands | Request two challenge sequences back-to-back. Send the ADAC token signed with the older challenge and verify that the target rejects the token by responding with ADAC_FAILURE. Send the ADAC token with the latest issued challenge and check that the target rejects the updated token as well by responding with ADAC_FAILURE status. | test_a005
| +| S_ADAC_007 | Commands | Send an authentication response command with a NULL payload and verify that the target responds with ADAC_FAILURE status. | test_a006
| +| S_ADAC_008 | Commands | Verify that the target responds to an unrecognized ADAC command with ADAC_INVALID_COMMAND status. | test_a007
| +| S_ADAC_009 | Commands | Verify that for a multiple fragment Authentication response request, the device responds with a ADAC_MORE_DATA_NEEDED status code after each response fragment. | test_a001, test_a005
| +| S_ADAC_010 | Commands | Check that the Close Session command always returns an ADAC_SUCCESS status. | test_a001
| | S_ADAC_011 | Constraints| In a certificate chain, provide a leaf certificate before a root certificate and verify that the target responds with an error. | test_a008
| | S_ADAC_012 | Constraints| Check that a certificate is rejected due to each of the following scope-limiting feature:
1. Role
2. Lifecycle
| test_a008
| | S_ADAC_013 | Constraints| Check that if two or more distinct non-neutral values are present in the certificate chain, a failure response is obtained.| test_a009
| | S_ADAC_014 | Constraints| Request a permission value (perm_req) via authentication token which is denied due to a restrictive perm_mask field. Check that the authentication response is successful.| test_a002
| | S_ADAC_015 | Constraints| Request access to software partition with no software partition ID listed in the certificate chain. Check that success status is reported.| test_a010
| | S_ADAC_016 | Constraints| Verify that the reserved fields of TLV sequences read as 0 for ADAC version 1.0 implementation.| test_a011
| +| S_ADAC_017 | Constraints| Verify that when the host sends ADAC_LCS_CHANGE command, the target does not respond with ADAC_INVALID_COMMAND status.| test_a012
| +| S_ADAC_018 | Constraints| Verify that when the host sends ADAC_LCS_CHANGE command without a TLV sequence containing lifecycle state, the target responds with ADAC_INVALID_PARAMETERS status.| test_a012
| ## Note @@ -29,4 +31,4 @@ Arm PSA test suite is distributed under Apache v2.0 License. -------------- -*Copyright (c) 2021 Arm Limited and Contributors. All rights reserved.* +*Copyright (c) 2021-2023 Arm Limited and Contributors. All rights reserved.* diff --git a/secure-debug/docs/test_failure_analysis.md b/secure-debug/docs/test_failure_analysis.md index 180de1d9..f57791d0 100644 --- a/secure-debug/docs/test_failure_analysis.md +++ b/secure-debug/docs/test_failure_analysis.md @@ -2,16 +2,18 @@ # Test failure analysis document ----------------------------------------------------- -This file contains list of failures identified when testing the release of Beta quality ADAC Test suite. -PSA-ADAC repository commit Hash - e91ebc4c06351e860b5c50dbdc2901a8260979a1 -along with the patch file psa_adac_ats.patch +This file contains list of failures identified when testing the release of EAC quality ADAC Test suite. +MBEDTLS repository commit Hash - 8d42cfddd65f5d379c21e910e546cf9d7d1b212f +PSA-ADAC repository commit Hash - 4c35930fb6df95400ea4fe5722acaaa594ac3b8b +TF-M repository commit Tag - TF-Mv1.8.0 + The reason for each failing test is listed here in this file. ## Known Failures -| Test | Fail description | Github issue | -|------|---------------------------------------------------------------------------------| ------------ | -|test_a010 | Token extension hash signing check failed | https://github.com/ARM-software/psa-adac/issues/5 | +| Test | Fail description | +|------|---------------------------------------------------------------------------------| +|test_a010 | Token extension hash signing check failed | ## License @@ -19,4 +21,4 @@ Arm PSA test suite is distributed under Apache v2.0 License. -------------- -*Copyright (c) 2022 Arm Limited and Contributors. All rights reserved.* +*Copyright (c) 2022-2023 Arm Limited and Contributors. All rights reserved.* 
diff --git a/secure-debug/external/mbedtls b/secure-debug/external/mbedtls new file mode 160000 index 00000000..265ce7c1 --- /dev/null +++ b/secure-debug/external/mbedtls @@ -0,0 +1 @@ +Subproject commit 265ce7c1da775e2e57ce93984fba3d86c4c6a1ea diff --git a/secure-debug/platform/common/include/adac_util.h b/secure-debug/platform/common/include/adac_util.h index 14af7ac1..d0d0f9a7 100644 --- a/secure-debug/platform/common/include/adac_util.h +++ b/secure-debug/platform/common/include/adac_util.h @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2021-2023, Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -29,27 +29,6 @@ typedef struct { size_t size; } adac_command_frame_t; -typedef enum { - NULL_TYPE = 0x0000, - ADAC_AUTH_VERSION = 0x0001, - VENDOR_ID = 0x0002, - SOC_CLASS = 0x0003, - SOC_ID = 0x0004, - TARGET_IDENTITY = 0x0005, - HW_PERMISSIONS_FIXED = 0x0006, - HW_PERMISSIONS_MASK = 0x0007, - PSA_LIFECYCLE = 0x0008, - SW_PARTITION_ID = 0x0009, - SDA_ID = 0x000a, - TOKEN_FORMATS = 0x0100, - CERT_FORMATS = 0x0101, - CRYPTOSYSTEMS = 0x0102, - TOKEN_ADAC = 0x0200, - CERT_ADAC = 0x0201, - ROT_META = 0x0202, - VENDOR_TYPE_ID0 = 0x8000 -} adac_type_id_t; - typedef enum { UNKNOWN = 0x0000, ASSEMBLY_AND_TEST = 0x1000, diff --git a/secure-debug/platform/common/src/adac_command_util.c b/secure-debug/platform/common/src/adac_command_util.c index 2439102b..b246abe0 100644 --- a/secure-debug/platform/common/src/adac_command_util.c +++ b/secure-debug/platform/common/src/adac_command_util.c @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2021 Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2021-2023, Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -76,7 +76,7 @@ uint8_t detect_cryptosystem(psa_tlv_t *extns_list[], size_t extn_count) for (i = 0; i < extn_count; i++) { current_extn = extns_list[i]; - if ((current_extn)->type_id == CERT_ADAC) + if ((current_extn)->type_id == PSA_BINARY_CRT) key_type = ((certificate_header_t *) current_extn->value)->key_type; } PSA_ADAC_LOG_INFO("host", "Cryptosystem detected: %d\n", key_type); @@ -91,7 +91,7 @@ uint8_t get_certificate_role(psa_tlv_t *extns_list[], size_t extn_count) for (i = 0; i < extn_count; i++) { current_extn = extns_list[i]; - if ((current_extn)->type_id == CERT_ADAC) + if ((current_extn)->type_id == PSA_BINARY_CRT) role_type = ((certificate_header_t *) current_extn->value)->role; } PSA_ADAC_LOG_INFO("host", "Certificate role: %d\n", role_type); @@ -162,21 +162,24 @@ psa_status_t psa_adac_issue_command(uint32_t command, request_packet_t *packet, } switch (command) { - case SDP_DISCOVERY_CMD: + case ADAC_DISCOVERY_CMD: PSA_ADAC_LOG_INFO("host", "Sending discovery request\n"); break; - case SDP_AUTH_START_CMD: + case ADAC_AUTH_START_CMD: PSA_ADAC_LOG_INFO("host", "Sending challenge request\n"); break; - case SDP_AUTH_RESPONSE_CMD: + case ADAC_AUTH_RESPONSE_CMD: PSA_ADAC_LOG_INFO("host", "Sending authentication response\n"); break; - case SDP_RESUME_BOOT_CMD: + case ADAC_RESUME_BOOT_CMD: PSA_ADAC_LOG_INFO("host", "Sending close session command\n"); break; - case SDP_LOCK_DEBUG_CMD: + case ADAC_LOCK_DEBUG_CMD: PSA_ADAC_LOG_INFO("host", "Sending lock debug request\n"); break; + case ADAC_LCS_CHANGE_CMD: + PSA_ADAC_LOG_INFO("host", "Sending LCS change command\n"); + break; default: if (command & 0x8000u) PSA_ADAC_LOG_INFO("host", "Vendor specific command provided. ID=(0x%x)\n", command); 
@@ -216,7 +219,7 @@ psa_status_t psa_adac_parse_response(uint32_t command, response_packet_t *packet } switch (command) { - case SDP_DISCOVERY_CMD: + case ADAC_DISCOVERY_CMD: PSA_ADAC_LOG_INFO("host", "Receiving discovery response...\n"); for (i = 0; (i + 4) < (packet->data_count * 4);) { tlv = (psa_tlv_t *) (((uint8_t *)packet->data) + i); @@ -225,7 +228,7 @@ psa_status_t psa_adac_parse_response(uint32_t command, response_packet_t *packet i += sizeof(psa_tlv_t) + ROUND_TO_WORD(tlv->length_in_bytes); } break; - case SDP_AUTH_START_CMD: + case ADAC_AUTH_START_CMD: PSA_ADAC_LOG_INFO("host", "Receiving challenge..\n"); if (packet->data_count * 4 != sizeof(psa_auth_challenge_t)) { r = PSA_ERROR_GENERIC_ERROR; @@ -233,9 +236,10 @@ psa_status_t psa_adac_parse_response(uint32_t command, response_packet_t *packet } challenge = (psa_auth_challenge_t *) packet->data; break; - case SDP_AUTH_RESPONSE_CMD: - case SDP_RESUME_BOOT_CMD: - case SDP_LOCK_DEBUG_CMD: + case ADAC_AUTH_RESPONSE_CMD: + case ADAC_RESUME_BOOT_CMD: + case ADAC_LOCK_DEBUG_CMD: + case ADAC_LCS_CHANGE_CMD: break; default: r = PSA_ERROR_NOT_SUPPORTED; 
@@ -260,20 +264,20 @@ psa_status_t psa_adac_send_certificate(psa_tlv_t **extns_list, size_t extns_coun payload_size = current_extn->length_in_bytes + sizeof(psa_tlv_t); PSA_ADAC_LOG_INFO("host", "Sending Certificate..\n"); - r = psa_adac_issue_command(SDP_AUTH_RESPONSE_CMD, request, payload, payload_size); + r = psa_adac_issue_command(ADAC_AUTH_RESPONSE_CMD, request, payload, payload_size); if (r != PSA_SUCCESS) return r; response = psa_adac_await_response(); - r = psa_adac_parse_response(SDP_AUTH_RESPONSE_CMD, response); + r = psa_adac_parse_response(ADAC_AUTH_RESPONSE_CMD, response); if (r != PSA_SUCCESS) return r; - if (response->status == SDP_NEED_MORE_DATA) + if (response->status == ADAC_NEED_MORE_DATA) response_packet_release(response); } } - if (response->status != SDP_NEED_MORE_DATA) { + if (response->status != ADAC_NEED_MORE_DATA) { PSA_ADAC_LOG_ERR("host", "Unexpected response status %x\n", response->status); r = PSA_ERROR_GENERIC_ERROR; return r; diff --git a/secure-debug/platform/hosts/emulation/unix_socket/README.md b/secure-debug/platform/hosts/emulation/unix_socket/README.md deleted file mode 100644 index 67e1463e..00000000 --- a/secure-debug/platform/hosts/emulation/unix_socket/README.md +++ /dev/null @@ -1,38 +0,0 @@ - -# Verifying test suite on emulation platform - -## Build steps for target image - -To generate the target image for the virtual target, follow these steps: -~~~ - cd psa-arch-tests/secure-debug/psa-adac - make native -~~~ - -## Build steps for host image - -To build ADAC test suite, execute the following commands:
-~~~ - cd psa-arch-tests/secure-debug - mkdir - cd - cmake ../ -G"Unix Makefiles" -DTARGET=emulation -DSUITE=ADAC - cmake --build . -~~~ - -## Test Suite Execution - -The current release provides a reference implementation of ADAC target which communicates with the host platform using Unix sockets. -To launch the target to run as a server instance, run the target executable in another terminal as shown: -~~~ - cd psa-arch-tests/secure-debug/psa-adac - ./build/native/Debug/psa_adac_server coms.socket tools/test/resources/chains/chain.EcdsaP256-3 -~~~ - -To run the test suite, execute the following command from your host build directory : -~~~ - ./psa_adac_test ../psa-adac/tools/test/resources/keys/EcdsaP256Key-3.pem \../psa-adac/tools/test/resources/chains/chain.EcdsaP256-3 ../psa-adac/coms.socket -~~~ --------------- - -*Copyright (c) 2022, Arm Limited and Contributors. All rights reserved.* diff --git a/secure-debug/platform/hosts/emulation/unix_socket/include/platform.h b/secure-debug/platform/hosts/emulation/unix_socket/include/platform.h deleted file mode 100644 index d7f789bf..00000000 --- a/secure-debug/platform/hosts/emulation/unix_socket/include/platform.h +++ /dev/null 
@@ -1,37 +0,0 @@
-/** @file
- * Copyright (c) 2022 Arm Limited or its affiliates. All rights reserved.
- * SPDX-License-Identifier : Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
-**/
-
-#ifndef PSA_ADAC_PLATFORM_H
-#define PSA_ADAC_PLATFORM_H
-
-#include
-#include
-
-#ifdef PSA_ADAC_PLATFORM_CONFIG_FILE
-#include PSA_ADAC_PLATFORM_CONFIG_FILE
-#else
-#include
-#endif
-
-#ifndef PSA_ADAC_PLATFORM_BANNER
-#define PSA_ADAC_PLATFORM_BANNER "PSA ADAC "
-#endif
-
-void platform_init(void);
-void psa_adac_platform_init(void);
-
-#endif //PSA_ADAC_PLATFORM_H
diff --git a/secure-debug/platform/hosts/emulation/unix_socket/include/unix_msg.h b/secure-debug/platform/hosts/emulation/unix_socket/include/unix_msg.h
deleted file mode 100644
index 5b1eff74..00000000
--- a/secure-debug/platform/hosts/emulation/unix_socket/include/unix_msg.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/** @file
- * Copyright (c) 2022 Arm Limited or its affiliates. All rights reserved.
- * SPDX-License-Identifier : Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
-**/
-
-#ifndef PSA_ADAC_UNIX_MSG_H
-#define PSA_ADAC_UNIX_MSG_H
-
-#include
-#include
-
-#if !defined(_MSC_VER)
-#include
-#else // !defined(_MSC_VER)
-#include
-typedef SSIZE_T ssize_t;
-#endif // !defined(_MSC_VER)
-
-bool unix_socket_init(void);
-
-int unix_socket_server(const char *path);
-int unix_socket_client(const char *path);
-
-void unix_socket_close(int fd);
-
-ssize_t nwrite(int fd, const uint8_t *buf, size_t count);
-ssize_t nread(int fd, uint8_t *buf, size_t count);
-
-#endif //PSA_ADAC_UNIX_MSG_H
diff --git a/secure-debug/platform/hosts/emulation/unix_socket/src/main.c b/secure-debug/platform/hosts/emulation/unix_socket/src/main.c
deleted file mode 100644
index 6fdc3dd8..00000000
--- a/secure-debug/platform/hosts/emulation/unix_socket/src/main.c
+++ /dev/null
@@ -1,57 +0,0 @@ -/** @file - * Copyright (c) 2022 Arm Limited or its affiliates. All rights reserved. - * SPDX-License-Identifier : Apache-2.0 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. -**/ - -#include -#include -#include "pal_interfaces.h" -#include "unix_msg.h" - -int32_t val_entry(void); - -/** - @brief - PSA C main function, used for generating host-side test binaries. - @param - argc : the number of command line arguments. - argv : array containing command line arguments. - @return - error status -**/ -extern uint8_t buffer[4096]; -uint8_t buffer[4096]; -char *key_file, *chain_file; - -int main(int argc, char *argv[]) -{ - if (argc < 4) { - printf("Usage:\n\tpsa_adac_test \n\n"); - exit(-1); - } - - key_file = argv[1]; - chain_file = argv[2]; - char *socket_path = argv[3]; - int fd; - - fd = unix_socket_client(socket_path); - if (-1 == fd) - exit(-1); - - msg_interface_init((void *) &fd, buffer, sizeof(buffer)); - - return val_entry(); - - msg_interface_free(NULL); - return 0; -} diff --git a/secure-debug/platform/hosts/emulation/unix_socket/src/pal_interfaces.c b/secure-debug/platform/hosts/emulation/unix_socket/src/pal_interfaces.c deleted file mode 100644 index 892c76f1..00000000 --- a/secure-debug/platform/hosts/emulation/unix_socket/src/pal_interfaces.c +++ /dev/null 
@@ -1,89 +0,0 @@ -/** @file - * Copyright (c) 2022 Arm Limited or its affiliates. All rights reserved. - * SPDX-License-Identifier : Apache-2.0 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. -**/ - -#include "unix_msg.h" -#include - -#include -#include -#include - -#if !defined(_MSC_VER) - #include -#else // !defined(_MSC_VER) - #include - - // Disable warning about POSIX function names. - #pragma warning(disable : 4996) -#endif // !defined(_MSC_VER) - -#define PAL_STATUS_UNSUPPORTED_FUNC 0xFF - -typedef enum { - PAL_STATUS_SUCCESS = 0x0, - PAL_STATUS_ERROR = 0x80 -} pal_status_t; - -static int _fd; - -int pal_print(const char *str, int32_t data) -{ - if (printf(str, data) < 0) - { - return PAL_STATUS_ERROR; - } - return PAL_STATUS_SUCCESS; -} - -void pal_terminate_simulation(void) -{ - ; -} - -int pal_system_reset(void) -{ - return PAL_STATUS_UNSUPPORTED_FUNC; -} - -int pal_msg_interface_init(void *ctx) -{ - unix_socket_init(); - - if (ctx == NULL) - return -1; - - _fd = *((int *) ctx); - return 0; -} - -int pal_msg_interface_free(void *ctx) -{ - unix_socket_close(_fd); - _fd = -1; - return 0; -} - -int pal_message_send(uint8_t buffer[], size_t size) -{ - return (nwrite(_fd, (uint8_t *) buffer, size) == size ? 0 : -1); -} - -int pal_message_receive(uint8_t buffer[], size_t size) -{ - return nread(_fd, buffer, size); -} - 
diff --git a/secure-debug/platform/hosts/emulation/unix_socket/src/unix_msg.c b/secure-debug/platform/hosts/emulation/unix_socket/src/unix_msg.c
deleted file mode 100644
index 3a1d3de8..00000000
--- a/secure-debug/platform/hosts/emulation/unix_socket/src/unix_msg.c
+++ /dev/null
@@ -1,156 +0,0 @@ -/** @file - * Copyright (c) 2022 Arm Limited or its affiliates. All rights reserved. - * SPDX-License-Identifier : Apache-2.0 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. -**/ - -#include "unix_msg.h" - -#include -#include -#include -#include - -#if !defined(_MSC_VER) - #include - #include - #include -#else // !defined(_MSC_VER) - #include - #include - #include - - // Disable warning about POSIX function names. - #pragma warning(disable : 4996) -#endif // !defined(_MSC_VER) - -void unix_socket_close(int fd) -{ - if (fd != -1) { -#if defined(_MSC_VER) - closesocket(fd); -#else - close(fd); -#endif - } -} - -bool unix_socket_init(void) -{ -#if defined(_MSC_VER) - static bool did_init_winsock; - - did_init_winsock = false; - if (!did_init_winsock) { - WSADATA wsa_data = { 0 }; - - int result = WSAStartup(MAKEWORD(2, 2), &wsa_data); - - if (result != 0) { - printf("WSAStartup failed with error: %d\n", result); - return false; - } - } -#endif - return true; -} - -int unix_socket_server(const char *path) -{ - struct sockaddr_un addr; - int fd; - - fd = socket(AF_UNIX, SOCK_STREAM, 0); - if (fd == -1) { - perror("Error while calling socket()"); - goto error; - } - - memset(&addr, 0, sizeof(addr)); - addr.sun_family = AF_UNIX; - strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1); - - if (bind(fd, (struct sockaddr *) &addr, sizeof(addr)) != 0) { - perror("Error while calling bind()"); - goto error; - } - - if (listen(fd, 1) == -1) { - 
perror("Error while calling listen()"); - goto error; - } - return fd; - -error: - unix_socket_close(fd); - return -1; -} - -int unix_socket_client(const char *path) -{ - struct sockaddr_un addr; - int fd; - - fd = socket(AF_UNIX, SOCK_STREAM, 0); - if (fd == -1) { - perror("Error while calling socket()"); - goto error; - } - - memset(&addr, 0, sizeof(addr)); - addr.sun_family = AF_UNIX; - strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1); - - if (connect(fd, (struct sockaddr *) &addr, sizeof(addr)) == -1) { - perror("Error while calling connect()"); - goto error; - } - return fd; - -error: - unix_socket_close(fd); - return -1; -} - -ssize_t nwrite(int fd, const uint8_t *buf, size_t count) -{ - const char *ptr = (const char *) buf; - ssize_t t; - size_t left = count; - - while (left) { - t = send(fd, ptr, left, 0); - if (t < 0) - return -1; - left -= t; - ptr += t; - } - return count; -} - -ssize_t nread(int fd, uint8_t *buf, size_t count) -{ - char *ptr = (char *) buf; /* Removes warning on pointer operation */ - ssize_t t = 0; - size_t left = count; - - while (left) { - t = recv(fd, ptr, left, 0); - if (t < 0) - return -1; - left -= t; - ptr += t; - } - return count; -} diff --git a/secure-debug/platform/hosts/musca_b1/memw_pyocd/README.md b/secure-debug/platform/hosts/musca_b1/memw_pyocd/README.md index 7e4b0e60..8b0ad6b3 100644 --- a/secure-debug/platform/hosts/musca_b1/memw_pyocd/README.md +++ b/secure-debug/platform/hosts/musca_b1/memw_pyocd/README.md 
@@ -11,7 +11,8 @@ Before executing the test suite on host, ensure that the following requirements ## Build steps for target image -The steps to build and flash the image for the musca-b1 hardware target are described in the psa-adac repository in ports/targets/musca-b1/README.md. +Refer to the trusted-firmware-M documentation for the steps to build and flash the image for the musca-b1 hardware target. +Copy psa_adac_acs_tgt.patch to the psa-adac repository and apply it before building the target image. ## Build steps for host image @@ -29,19 +30,19 @@ To build ADAC test suite, execute the following commands:
Arm uses UDP sockets to transmit and receive test information from the host to pyOCD. pyOCD is used for communication with the target board. The pyOCD script communicates with the board using a memory window-based debug mailbox. To launch the pyOCD script, run the following in another terminal as shown: ~~~ - cd platform/hosts/musca_b1/mem_pyocd - python host_connect.py - where: + cd platform/hosts/musca_b1/mem_pyocd + python host_connect.py + where: - - The port number for communicating between host and pyOCD. Default is 7777 ~~~ To run the test suite, execute the following command from your host build directory : ~~~ - ./psa_adac_test ../psa-adac/tools/test/resources/keys/EcdsaP256Key-3.pem \../psa-adac/tools/test/resources/chains/chain.EcdsaP256-3 - where: - - - The IP address of the network connection running the server instance + ./psa_adac_test + where: + - - The IP address of the network connection running the server instance - - The port number for communicating between host and pyOCD. Default is 7777 ~~~ -------------- -*Copyright (c) 2022, Arm Limited and Contributors. All rights reserved.* +*Copyright (c) 2022-2023, Arm Limited and Contributors. All rights reserved.* diff --git a/secure-debug/platform/hosts/musca_b1/memw_pyocd/host_connect.py b/secure-debug/platform/hosts/musca_b1/memw_pyocd/host_connect.py old mode 100644 new mode 100755 diff --git a/secure-debug/psa-adac b/secure-debug/psa-adac new file mode 160000 index 00000000..4c35930f --- /dev/null +++ b/secure-debug/psa-adac @@ -0,0 +1 @@ +Subproject commit 4c35930fb6df95400ea4fe5722acaaa594ac3b8b diff --git a/secure-debug/psa_adac_acs_host.patch b/secure-debug/psa_adac_acs_host.patch new file mode 100644 index 00000000..602570c9 --- /dev/null +++ b/secure-debug/psa_adac_acs_host.patch 
@@ -0,0 +1,13 @@ +diff --git a/psa-adac/sdm/src/psa_adac_sdm.c b/psa-adac/sdm/src/psa_adac_sdm.c +index c993ee5..c1e0002 100644 +--- a/psa-adac/sdm/src/psa_adac_sdm.c ++++ b/psa-adac/sdm/src/psa_adac_sdm.c +@@ -148,7 +148,7 @@ int import_private_key(const char *key_file, uint8_t *type, psa_key_handle_t *ha + + mbedtls_pk_init(&pk); + +- rc = mbedtls_pk_parse_keyfile(&pk, key_file, NULL); ++ rc = mbedtls_pk_parse_keyfile(&pk, key_file, NULL, NULL, NULL); + if (rc < 0) { + PSA_ADAC_LOG_ERR("sdm", "Error loading key file '%s'\n", key_file); + return rc; diff --git a/secure-debug/psa_adac_acs_tgt.patch b/secure-debug/psa_adac_acs_tgt.patch new file mode 100644 index 00000000..dd468aca --- /dev/null +++ b/secure-debug/psa_adac_acs_tgt.patch @@ -0,0 +1,22 @@ +diff --git a/psa-adac/sda/src/psa_adac_sda.c b/psa-adac/sda/src/psa_adac_sda.c +index d7786cc..0c5a0c1 100644 +--- a/psa-adac/sda/src/psa_adac_sda.c ++++ b/psa-adac/sda/src/psa_adac_sda.c +@@ -395,7 +395,7 @@ int authentication_handle(authentication_context_t *auth_ctx) { + (void) authenticator_request_packet_release(auth_ctx, request); + response = authenticator_response_packet_build(auth_ctx, ADAC_SUCCESS, NULL, 0); + ret = authenticator_send_response(auth_ctx, response); +- done = 1; ++ //done = 1; + break; + + case ADAC_LCS_CHANGE_CMD: +@@ -417,7 +417,7 @@ int authentication_handle(authentication_context_t *auth_ctx) { + } + + if ((auth_ctx->state == AUTH_SUCCESS) || (auth_ctx->state == AUTH_FAILURE)) { +- done = 1; ++ //done = 1; + } + } + diff --git a/secure-debug/psa_adac_ats.patch b/secure-debug/psa_adac_ats.patch deleted file mode 100644 index 17a17f3e..00000000 --- a/secure-debug/psa_adac_ats.patch +++ /dev/null 
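Review bot: In psa_adac_acs_host.patch, the new call `mbedtls_pk_parse_keyfile(&pk, key_file, NULL, NULL, NULL)` in import_private_key passes NULL for both the RNG callback and its context. The five-argument form is the Mbed TLS 3.x signature, and that API documents `f_rng` as required because it is used for blinding when parsing has to perform a private-key operation. A key file without the public part may therefore fail to load, and no blinding is applied. If PSA crypto is already initialised at this point (not visible here, since import_private_key starts and ends outside the hunk), the call could be `rc = mbedtls_pk_parse_keyfile(&pk, key_file, NULL, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE);`.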
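Review bot: In psa_adac_acs_tgt.patch, commenting out both `done = 1;` assignments leaves authentication_handle with no visible way to finish once the session reaches AUTH_SUCCESS or AUTH_FAILURE, and the second site becomes an `if` with an empty body. The psa_adac_ats.patch deleted in this same commit also reset `auth_ctx->state = AUTH_INIT` at that point. This patch does not, so unless code outside the hunks clears the state, a target built with it appears to keep its authenticated state while still accepting commands. The README change in this commit tells users to apply the patch before building the target image, so the behaviour should be gated by a test-only build macro rather than edited out, e.g. `#ifndef ACS_TEST_BUILD /* placeholder macro name */`, `done = 1;`, `#endif`. The state reset should be restored in the test branch, with a comment that such an image is for compliance testing only. The function body starts and ends outside both inner hunks.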
@@ -1,241 +0,0 @@ -diff --git a/ports/demo/demo-discovery.c b/ports/demo/demo-discovery.c -index aab117a..a7a0f5d 100644 ---- a/ports/demo/demo-discovery.c -+++ b/ports/demo/demo-discovery.c -@@ -88,24 +88,31 @@ - ED25519_VAL ED448_VAL SM2SM3_VAL HMAC_VAL CMAC_VAL - - uint8_t discovery_template[] = { -- // @+00 (6 bytes) psa_auth_version: 1.0 -- 0x01, 0x00, 0x02, 0x00, 0x01, 0x00, -- // @+06 (6 bytes) vendor_id: {0x04, 0x3B} => 0x023B ("ARM Ltd.") -- 0x02, 0x00, 0x02, 0x00, 0x04, 0x3B, -- // @+12 (8 bytes) soc_class: [0x00, 0x00, 0x00, 0x00] -- 0x03, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, -- // @+20 (20 bytes) soc_id: [0x00] * 16 -- 0x04, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ // @+00 (12 bytes) psa_auth_version: 1.0 -+ 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, -+ 0x01, 0x00, 0x00, 0x00, -+ // @+12 (12 bytes) vendor_id: {0x04, 0x3B} => 0x023B ("ARM Ltd.") -+ 0x00, 0x00, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, -+ 0x04, 0x3B, 0x00, 0x00, -+ // @+24 (12 bytes) soc_class: [0x00, 0x00, 0x00, 0x00] -+ 0x00, 0x00, 0x03, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, -- // @+40 (6 bytes) psa_lifecycle: PSA_LIFECYCLE_SECURED -- 0x08, 0x00, 0x02, 0x00, 0x00, 0x30, -- // @+46 (6 bytes) token_formats: [{0x00, 0x02} (token_psa_debug)] -- 0x00, 0x01, 0x02, 0x00, 0x00, 0x02, -- // @+52 (6 bytes) cert_formats: [{0x01, 0x02} (cert_psa_debug)] -- 0x01, 0x01, 0x02, 0x00, 0x01, 0x02, -- // @+58 (4 + X bytes) cryptosystems: [...] 
-- 0x02, 0x01, CRYPTO_CNT, 0x00, CRYPTO_VALS -+ // @+36 (24 bytes) soc_id: [0x00] * 16 -+ 0x00, 0x00, 0x04, 0x00, 0x10, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ // @+60 (12 bytes) psa_lifecycle: PSA_LIFECYCLE_SECURED -+ 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, -+ 0x00, 0x30, 0x00, 0x00, -+ // @+72 (12 bytes) token_formats: [{0x00, 0x02} (token_psa_debug)] -+ 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, -+ 0x00, 0x02, 0x00, 0x00, -+ // @+84 (12 bytes) cert_formats: [{0x01, 0x02} (cert_psa_debug)] -+ 0x00, 0x00, 0x01, 0x01, 0x02, 0x00, 0x00, 0x00, -+ 0x01, 0x02, 0x00, 0x00, -+ // @+96 (8 + X bytes) cryptosystems: [...] -+ 0x00, 0x00, 0x02, 0x01, CRYPTO_CNT, 0x00, 0x00, 0x00, -+ CRYPTO_VALS - }; - - size_t discovery_template_len = sizeof(discovery_template); -diff --git a/ports/platforms/transports/unix_socket.c b/ports/platforms/transports/unix_socket.c -index 359a8c4..7ad11ff 100644 ---- a/ports/platforms/transports/unix_socket.c -+++ b/ports/platforms/transports/unix_socket.c -@@ -54,7 +54,7 @@ static int message_receive(int fd, uint8_t buffer[], size_t max, size_t *size) { - } - } - -- PSA_ADAC_LOG_DUMP("msg", "receive", buffer, 4 + p->data_count * 4); -+ PSA_ADAC_LOG_DUMP("msg", "receive", buffer, sizeof(request_packet_t) + p->data_count * 4); - - return 0; - } -diff --git a/ports/targets/native/autotest.c b/ports/targets/native/autotest.c -index 8817825..ad185d5 100644 ---- a/ports/targets/native/autotest.c -+++ b/ports/targets/native/autotest.c -@@ -111,7 +111,7 @@ void run_test(char *chain_file, char *key_file, uint8_t type) { - return; - } - psa_adac_sign_token(challenge->challenge_vector, sizeof(challenge->challenge_vector), -- key_type, NULL, 0, &token, &token_size, handle, NULL, 0); -+ key_type, NULL, 0, &token, &token_size, NULL, handle, NULL, 0); - psa_destroy_key(handle); - } else if ((type == CMAC_AES) || (type == HMAC_SHA256)) { - if (0 != 
load_secret_key(key_file, key_type, &key, &key_size)) { -@@ -119,7 +119,7 @@ void run_test(char *chain_file, char *key_file, uint8_t type) { - return; - } - psa_adac_sign_token(challenge->challenge_vector, sizeof(challenge->challenge_vector), -- key_type, NULL, 0, &token, &token_size, 0, key, key_size); -+ key_type, NULL, 0, &token, &token_size, NULL, 0, key, key_size); - } - response_packet_release(response); - -diff --git a/ports/targets/native/client.c b/ports/targets/native/client.c -index 2316a87..740be99 100755 ---- a/ports/targets/native/client.c -+++ b/ports/targets/native/client.c -@@ -135,7 +135,7 @@ int main(int argc, char *argv[]) { - - - if (PSA_SUCCESS == psa_adac_sign_token(challenge->challenge_vector, sizeof(challenge->challenge_vector), -- key_type, NULL, 0, &token, &token_size, handle, key, key_size)) { -+ key_type, NULL, 0, &token, &token_size, NULL, handle, key, key_size)) { - response_packet_release(response); - PSA_ADAC_LOG_DUMP("client", "token", token, token_size); - } else { -diff --git a/ports/targets/native/psa_sdm.c b/ports/targets/native/psa_sdm.c -index 2d775c1..d5e47ea 100755 ---- a/ports/targets/native/psa_sdm.c -+++ b/ports/targets/native/psa_sdm.c -@@ -178,7 +178,7 @@ SDM_EXTERN SDMReturnCode SDM_Authenticate(SDMHandle handle, const SDMAuthenticat - config->callbacks->updateProgress("signing token", 40, config->refcon); - - if (PSA_SUCCESS == psa_adac_sign_token(challenge->challenge_vector, sizeof(challenge->challenge_vector), -- key_type, NULL, 0, &token, &token_size, key_handle, NULL, 0)) { -+ key_type, NULL, 0, &token, &token_size, NULL, key_handle, NULL, 0)) { - response_packet_release(response); - PSA_ADAC_LOG_DUMP("client", "token", token, token_size); - } else { -diff --git a/ports/targets/native/selftest.c b/ports/targets/native/selftest.c -index 14d09d1..a1084e9 100755 ---- a/ports/targets/native/selftest.c -+++ b/ports/targets/native/selftest.c -@@ -133,7 +133,7 @@ int main(int argc, char *argv[]) { - } - - if 
(PSA_SUCCESS == psa_adac_sign_token(challenge.challenge_vector, sizeof(challenge.challenge_vector), -- key_type, NULL, 0, &token, &token_size, handle, NULL, 0)) { -+ key_type, NULL, 0, &token, &token_size, NULL, handle, NULL, 0)) { - // PSA_ADAC_LOG_DUMP("client", "token", token, token_size); - - if (PSA_SUCCESS != psa_adac_verify_token_signature(token + 4, token_size - 4, -diff --git a/psa-adac/core/include/psa_adac.h b/psa-adac/core/include/psa_adac.h -index c965f76..0bf80be 100644 ---- a/psa-adac/core/include/psa_adac.h -+++ b/psa-adac/core/include/psa_adac.h -@@ -20,6 +20,17 @@ - - #define ROUND_TO_WORD(x) (((size_t)x + 3) & ~0x03UL) - -+/** \brief Version -+ * -+ * Current version numbers for certificate and token format. -+ */ -+enum _adac_versions { -+ SDP_CERT_MAJOR = 1, -+ SDP_CERT_MINOR = 0, -+ SDP_TOKEN_MAJOR = 1, -+ SDP_TOKEN_MINOR = 0, -+}; -+ - /** \brief Key options - * - */ -@@ -124,7 +135,7 @@ typedef struct { - uint8_t usage; - uint16_t _reserved; //!< Must be set to zero. 
- uint16_t lifecycle; -- uint16_t custom_constraint; -+ uint16_t oem_constraint; - uint32_t extensions_bytes; - uint32_t soc_class; - uint8_t soc_id[16]; -@@ -144,6 +155,7 @@ typedef struct { - - #define CHALLENGE_SIZE 32 - #define MAX_EXTENSIONS 16 -+#define PERMISSION_BITS 128 - - /** \brief Authentication challenge - * -diff --git a/psa-adac/sda/src/psa_adac_sda.c b/psa-adac/sda/src/psa_adac_sda.c -index f57f65c..d5e030c 100644 ---- a/psa-adac/sda/src/psa_adac_sda.c -+++ b/psa-adac/sda/src/psa_adac_sda.c -@@ -365,7 +365,6 @@ int authentication_handle(authentication_context_t *auth_ctx) { - (void) authenticator_request_packet_release(auth_ctx, request); - response = authenticator_response_packet_build(auth_ctx, SDP_SUCCESS, NULL, 0); - ret = authenticator_send_response(auth_ctx, response); -- done = 1; - break; - - default: -@@ -380,8 +379,12 @@ int authentication_handle(authentication_context_t *auth_ctx) { - PSA_ADAC_LOG_ERR("auth", "Error sending response: %04x\n", ret); - } - -- if ((auth_ctx->state == AUTH_SUCCESS) || (auth_ctx->state == AUTH_FAILURE)) { -- done = 1; -+ if ((auth_ctx->state == AUTH_SUCCESS)) { -+ PSA_ADAC_LOG_INFO("auth", "Authentication is a success\n"); -+ auth_ctx->state = AUTH_INIT; -+ } else if (auth_ctx->state == AUTH_FAILURE) { -+ PSA_ADAC_LOG_INFO("auth", "Authentication is a failure\n"); -+ auth_ctx->state = AUTH_INIT; - } - } - -diff --git a/psa-adac/sdm/include/psa_adac_sdm.h b/psa-adac/sdm/include/psa_adac_sdm.h -index b15c630..616ef62 100644 ---- a/psa-adac/sdm/include/psa_adac_sdm.h -+++ b/psa-adac/sdm/include/psa_adac_sdm.h -@@ -31,9 +31,9 @@ int load_trust_chain(const char *chain_file, uint8_t **chain, size_t *chain_size - int load_trust_rotpk(const char *chain_file, psa_algorithm_t alg, uint8_t *rotpk, - size_t buffer_size, size_t *rotpk_size, uint8_t *rotpk_type); - --psa_status_t psa_adac_sign_token(uint8_t challenge[], size_t challenge_size, uint8_t signature_type, uint8_t exts[], -- size_t exts_size, uint8_t *fragment[], 
size_t *fragment_size, psa_key_handle_t handle, -- uint8_t *key, size_t key_size); -+psa_status_t psa_adac_sign_token(uint8_t challenge[], size_t challenge_size, uint8_t signature_type, -+ uint8_t exts[], size_t exts_size, uint8_t *fragment[], size_t *fragment_size, -+ uint8_t *req_perms, psa_key_handle_t handle, uint8_t *key, size_t key_size); - - /**@}*/ - -diff --git a/psa-adac/sdm/src/sdm_token.c b/psa-adac/sdm/src/sdm_token.c -index 7d048d7..01df4f4 100644 ---- a/psa-adac/sdm/src/sdm_token.c -+++ b/psa-adac/sdm/src/sdm_token.c -@@ -82,9 +82,9 @@ psa_status_t psa_adac_mac_sign(psa_algorithm_t algo, const uint8_t *inputs[], si - return r; - } - --psa_status_t psa_adac_sign_token(uint8_t challenge[], size_t challenge_size, uint8_t signature_type, uint8_t exts[], -- size_t exts_size, uint8_t *fragment[], size_t *fragment_size, psa_key_handle_t handle, -- uint8_t *key, size_t key_size) { -+psa_status_t psa_adac_sign_token(uint8_t challenge[], size_t challenge_size, uint8_t signature_type, -+ uint8_t exts[], size_t exts_size, uint8_t *fragment[], size_t *fragment_size, -+ uint8_t *req_perms, psa_key_handle_t handle, uint8_t *key, size_t key_size) { - uint8_t hash[PSA_HASH_MAX_SIZE], *sig, *ext_hash, *_fragment; - size_t token_size, hash_size, sig_size, body_size, tbs_size, ext_hash_size; - psa_algorithm_t hash_algo, sig_algo; -@@ -243,8 +243,13 @@ psa_status_t psa_adac_sign_token(uint8_t challenge[], size_t challenge_size, uin - - token_header_t *token = (token_header_t *) (_fragment + sizeof(psa_tlv_t)); - // memset(token, 0, token_size); -+ token->format_version.minor = SDP_TOKEN_MINOR; -+ token->format_version.major = SDP_TOKEN_MAJOR; - token->signature_type = signature_type; - token->extensions_bytes = exts_size; -+ if(req_perms != NULL) -+ memcpy((void*)(token->requested_permissions), req_perms, PERMISSION_BITS/8); -+ - if (exts_size > 0) { - // FIXME: Support PSA_ALG_CMAC - psa_adac_hash(hash_algo, exts, exts_size, ext_hash, ext_hash_size, &hash_size); 
diff --git a/secure-debug/tests/adac/test_a001/test_a001.c b/secure-debug/tests/adac/test_a001/test_a001.c index d6ce71fa..9ad831c3 100644 --- a/secure-debug/tests/adac/test_a001/test_a001.c +++ b/secure-debug/tests/adac/test_a001/test_a001.c @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2021-2022 Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -44,14 +44,14 @@ void test_entry(val_api_t *val_api) request_packet_t *request; response_packet_t *response; - ret = psa_adac_issue_command(SDP_AUTH_START_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_AUTH_START_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(1), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_AUTH_START_CMD, response); + ret = psa_adac_parse_response(ADAC_AUTH_START_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(2), VAL_STATUS_READ_FAILED); goto test_end; @@ -64,14 +64,14 @@ void test_entry(val_api_t *val_api) for (i = 0; i < CHALLENGE_SIZE; i++) challenge1[i] = *(vect+i); - ret = psa_adac_issue_command(SDP_AUTH_START_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_AUTH_START_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(3), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_AUTH_START_CMD, response); + ret = psa_adac_parse_response(ADAC_AUTH_START_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(4), VAL_STATUS_READ_FAILED); goto test_end; diff --git a/secure-debug/tests/adac/test_a002/test_a002.c b/secure-debug/tests/adac/test_a002/test_a002.c index 9aeec89a..6880cbfc 100644 
--- a/secure-debug/tests/adac/test_a002/test_a002.c +++ b/secure-debug/tests/adac/test_a002/test_a002.c @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2021-2022 Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -45,20 +45,20 @@ void test_entry(val_api_t *val_api) response_packet_t *response; // Ensure device is locked before starting unlock sequence. - ret = psa_adac_issue_command(SDP_LOCK_DEBUG_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_LOCK_DEBUG_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(1), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_LOCK_DEBUG_CMD, response); + ret = psa_adac_parse_response(ADAC_LOCK_DEBUG_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(2), VAL_STATUS_READ_FAILED); goto test_end; } - if ((response->status != SDP_SUCCESS) && (response->status != SDP_UNSUPPORTED)) { + if ((response->status != ADAC_SUCCESS) && (response->status != ADAC_UNSUPPORTED)) { val->err_check_set(TEST_CHECKPOINT_NUM(3), VAL_STATUS_INVALID); goto test_end; } @@ -82,14 +82,14 @@ void test_entry(val_api_t *val_api) } key_type = detect_cryptosystem(exts, exts_count); - ret = psa_adac_issue_command(SDP_DISCOVERY_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_DISCOVERY_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(6), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_DISCOVERY_CMD, response); + ret = psa_adac_parse_response(ADAC_DISCOVERY_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(7), VAL_STATUS_READ_FAILED); goto test_end; 
@@ -113,14 +113,14 @@ void test_entry(val_api_t *val_api) goto test_end; } - ret = psa_adac_issue_command(SDP_AUTH_START_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_AUTH_START_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(9), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_AUTH_START_CMD, response); + ret = psa_adac_parse_response(ADAC_AUTH_START_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(10), VAL_STATUS_READ_FAILED); goto test_end; @@ -152,7 +152,7 @@ void test_entry(val_api_t *val_api) } val->print(PRINT_INFO, "Sending token\n", 0); - ret = psa_adac_issue_command(SDP_AUTH_RESPONSE_CMD, request, (uint8_t *)token, token_size); + ret = psa_adac_issue_command(ADAC_AUTH_RESPONSE_CMD, request, (uint8_t *)token, token_size); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(13), VAL_STATUS_WRITE_FAILED); goto test_end; @@ -160,13 +160,13 @@ void test_entry(val_api_t *val_api) val->print(PRINT_INFO, "Receiving token_authentication response\n", 0); response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_AUTH_RESPONSE_CMD, response); + ret = psa_adac_parse_response(ADAC_AUTH_RESPONSE_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(14), VAL_STATUS_READ_FAILED); goto test_end; } - if (response->status == SDP_SUCCESS) + if (response->status == ADAC_SUCCESS) val->print(PRINT_INFO, "Target unlocked successfully\n", 0); else val->err_check_set(TEST_CHECKPOINT_NUM(15), VAL_STATUS_ERROR); 
@@ -174,42 +174,42 @@ void test_entry(val_api_t *val_api) response_packet_release(response); val->print(PRINT_INFO, "Closing debug session\n", 0); - ret = psa_adac_issue_command(SDP_RESUME_BOOT_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_RESUME_BOOT_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(16), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_RESUME_BOOT_CMD, response); + ret = psa_adac_parse_response(ADAC_RESUME_BOOT_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(17), VAL_STATUS_READ_FAILED); goto test_end; } - if (response->status != SDP_SUCCESS) { + if (response->status != ADAC_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(18), VAL_STATUS_INVALID); goto test_end; } response_packet_release(response); // Set device in locked state. - ret = psa_adac_issue_command(SDP_LOCK_DEBUG_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_LOCK_DEBUG_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(19), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_LOCK_DEBUG_CMD, response); + ret = psa_adac_parse_response(ADAC_LOCK_DEBUG_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(20), VAL_STATUS_READ_FAILED); goto test_end; } - if (response->status == SDP_SUCCESS) + if (response->status == ADAC_SUCCESS) val->print(PRINT_INFO, "Debug access is locked\n", 0); - else if (response->status == SDP_UNSUPPORTED) + else if (response->status == ADAC_UNSUPPORTED) val->print(PRINT_INFO, "Debug access cannot be locked\n", 0); else { val->print(PRINT_ERROR, "Invalid response\n", 0); diff --git a/secure-debug/tests/adac/test_a003/test_a003.c b/secure-debug/tests/adac/test_a003/test_a003.c index 865db6f6..388cbbab 100644 --- a/secure-debug/tests/adac/test_a003/test_a003.c 
+++ b/secure-debug/tests/adac/test_a003/test_a003.c @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2021-2023, Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -48,7 +48,7 @@ void test_entry(val_api_t *val_api) size_t type_id_size, i, j; // Send discovery packet with no requested type ID. - request = request_packet_build(SDP_DISCOVERY_CMD, NULL, 0); + request = request_packet_build(ADAC_DISCOVERY_CMD, NULL, 0); if (request == NULL) { val->err_check_set(TEST_CHECKPOINT_NUM(1), VAL_STATUS_CONNECTION_FAILED); goto test_end; @@ -152,7 +152,7 @@ static val_status_t check_adac_token_support(uint8_t *value, size_t size) for (i = 0; i < payload_bytes; i += 2) { payload = (*(uint16_t *)(value + i)); - if (payload == TOKEN_ADAC) + if (payload == PSA_BINARY_TOKEN) return VAL_STATUS_SUCCESS; } @@ -168,7 +168,7 @@ static val_status_t check_adac_cert_support(uint8_t *value, size_t size) for (i = 0; i < payload_bytes; i += 2) { payload = (*(uint16_t *)(value + i)); - if (payload == CERT_ADAC) + if (payload == PSA_BINARY_CRT) return VAL_STATUS_SUCCESS; } diff --git a/secure-debug/tests/adac/test_a004/test_a004.c b/secure-debug/tests/adac/test_a004/test_a004.c index 4b8be6ab..7e310a7f 100644 --- a/secure-debug/tests/adac/test_a004/test_a004.c +++ b/secure-debug/tests/adac/test_a004/test_a004.c @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2021-2022 Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -50,7 +50,7 @@ void test_entry(val_api_t *val_api) // Send discovery packet with no requested type ID. type_id_ptr = NULL; type_id_size = 0; - ret = psa_adac_issue_command(SDP_DISCOVERY_CMD, request, type_id_ptr, type_id_size); + ret = psa_adac_issue_command(ADAC_DISCOVERY_CMD, request, type_id_ptr, type_id_size); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(1), VAL_STATUS_WRITE_FAILED); goto test_end; @@ -89,7 +89,7 @@ void test_entry(val_api_t *val_api) // Send discovery request packet with a subset of requested type ID. type_id_ptr = (uint8_t *)type_id_list; type_id_size = (tlv_entries/2) * sizeof(uint16_t); - ret = psa_adac_issue_command(SDP_DISCOVERY_CMD, request, type_id_ptr, type_id_size); + ret = psa_adac_issue_command(ADAC_DISCOVERY_CMD, request, type_id_ptr, type_id_size); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(4), VAL_STATUS_WRITE_FAILED); goto test_end; @@ -101,7 +101,7 @@ void test_entry(val_api_t *val_api) goto test_end; } - if (response->status == SDP_SUCCESS) { + if (response->status == ADAC_SUCCESS) { for (i = 0, j = 0; (i + 4) < (response->data_count * 4); j++) { tlv = (psa_tlv_t *) (((uint8_t *)response->data) + i); i += sizeof(psa_tlv_t) + ROUND_TO_WORD(tlv->length_in_bytes); @@ -121,7 +121,7 @@ void test_entry(val_api_t *val_api) // Send discovery packet with a reverse order of requested type ID. type_id_ptr = (uint8_t *)type_id_list_rev; type_id_size = tlv_entries * sizeof(uint16_t); - ret = psa_adac_issue_command(SDP_DISCOVERY_CMD, request, type_id_ptr, type_id_size); + ret = psa_adac_issue_command(ADAC_DISCOVERY_CMD, request, type_id_ptr, type_id_size); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(8), VAL_STATUS_WRITE_FAILED); goto test_end; 
@@ -133,7 +133,7 @@ void test_entry(val_api_t *val_api) goto test_end; } - if (response->status != SDP_SUCCESS) + if (response->status != ADAC_SUCCESS) val->err_check_set(TEST_CHECKPOINT_NUM(10), VAL_STATUS_ERROR); response_packet_release(response); diff --git a/secure-debug/tests/adac/test_a005/test_a005.c b/secure-debug/tests/adac/test_a005/test_a005.c index 612a8825..ce974738 100644 --- a/secure-debug/tests/adac/test_a005/test_a005.c +++ b/secure-debug/tests/adac/test_a005/test_a005.c @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2021-2022 Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -43,20 +43,20 @@ void test_entry(val_api_t *val_api) request_packet_t *request; response_packet_t *response; - ret = psa_adac_issue_command(SDP_LOCK_DEBUG_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_LOCK_DEBUG_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(1), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_LOCK_DEBUG_CMD, response); + ret = psa_adac_parse_response(ADAC_LOCK_DEBUG_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(2), VAL_STATUS_READ_FAILED); goto test_end; } - if (response->status == SDP_SUCCESS) + if (response->status == ADAC_SUCCESS) val->print(PRINT_INFO, "Target is locked\n", 0); else val->err_check_set(TEST_CHECKPOINT_NUM(3), VAL_STATUS_ERROR); 
@@ -80,14 +80,14 @@ void test_entry(val_api_t *val_api) } key_type = detect_cryptosystem(exts, exts_count); - ret = psa_adac_issue_command(SDP_DISCOVERY_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_DISCOVERY_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(6), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_DISCOVERY_CMD, response); + ret = psa_adac_parse_response(ADAC_DISCOVERY_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(7), VAL_STATUS_READ_FAILED); goto test_end; @@ -111,14 +111,14 @@ void test_entry(val_api_t *val_api) goto test_end; } - ret = psa_adac_issue_command(SDP_AUTH_START_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_AUTH_START_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(9), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_AUTH_START_CMD, response); + ret = psa_adac_parse_response(ADAC_AUTH_START_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(10), VAL_STATUS_READ_FAILED); goto test_end; @@ -138,14 +138,14 @@ void test_entry(val_api_t *val_api) } response_packet_release(response); - ret = psa_adac_issue_command(SDP_AUTH_START_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_AUTH_START_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(13), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_AUTH_START_CMD, response); + ret = psa_adac_parse_response(ADAC_AUTH_START_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(14), VAL_STATUS_READ_FAILED); goto test_end; 
@@ -172,7 +172,7 @@ void test_entry(val_api_t *val_api) } val->print(PRINT_INFO, "Sending older token\n", 0); - ret = psa_adac_issue_command(SDP_AUTH_RESPONSE_CMD, request, (uint8_t *)token1, token1_size); + ret = psa_adac_issue_command(ADAC_AUTH_RESPONSE_CMD, request, (uint8_t *)token1, token1_size); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(17), VAL_STATUS_WRITE_FAILED); goto test_end; @@ -180,13 +180,13 @@ void test_entry(val_api_t *val_api) val->print(PRINT_INFO, "Receiving token_authentication response\n", 0); response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_AUTH_RESPONSE_CMD, response); + ret = psa_adac_parse_response(ADAC_AUTH_RESPONSE_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(18), VAL_STATUS_READ_FAILED); goto test_end; } - if (response->status != SDP_FAILURE) { + if (response->status != ADAC_FAILURE) { val->err_check_set(TEST_CHECKPOINT_NUM(19), VAL_STATUS_ERROR); goto test_end; } @@ -194,7 +194,7 @@ void test_entry(val_api_t *val_api) response_packet_release(response); val->print(PRINT_INFO, "Sending new token\n", 0); - ret = psa_adac_issue_command(SDP_AUTH_RESPONSE_CMD, request, (uint8_t *)token2, token2_size); + ret = psa_adac_issue_command(ADAC_AUTH_RESPONSE_CMD, request, (uint8_t *)token2, token2_size); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(20), VAL_STATUS_WRITE_FAILED); goto test_end; 
@@ -202,13 +202,13 @@ void test_entry(val_api_t *val_api) val->print(PRINT_INFO, "Receiving token_authentication response\n", 0); response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_AUTH_RESPONSE_CMD, response); + ret = psa_adac_parse_response(ADAC_AUTH_RESPONSE_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(21), VAL_STATUS_READ_FAILED); goto test_end; } - if (response->status != SDP_FAILURE) + if (response->status != ADAC_FAILURE) val->err_check_set(TEST_CHECKPOINT_NUM(22), VAL_STATUS_INVALID); response_packet_release(response); diff --git a/secure-debug/tests/adac/test_a006/test_a006.c b/secure-debug/tests/adac/test_a006/test_a006.c index bb63679e..a19a6035 100644 --- a/secure-debug/tests/adac/test_a006/test_a006.c +++ b/secure-debug/tests/adac/test_a006/test_a006.c @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2021-2022 Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -42,20 +42,20 @@ void test_entry(val_api_t *val_api) response_packet_t *response; // Send authentication response command with no payload. - ret = psa_adac_issue_command(SDP_AUTH_RESPONSE_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_AUTH_RESPONSE_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(1), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_AUTH_RESPONSE_CMD, response); + ret = psa_adac_parse_response(ADAC_AUTH_RESPONSE_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(2), VAL_STATUS_READ_FAILED); goto test_end; } - if (response->status != SDP_FAILURE) + if (response->status != ADAC_FAILURE) val->err_check_set(TEST_CHECKPOINT_NUM(3), VAL_STATUS_ERROR); response_packet_release(response); 
diff --git a/secure-debug/tests/adac/test_a007/test_a007.c b/secure-debug/tests/adac/test_a007/test_a007.c index a9ee1259..fe4d0b29 100644 --- a/secure-debug/tests/adac/test_a007/test_a007.c +++ b/secure-debug/tests/adac/test_a007/test_a007.c @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2021-2022 Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -57,7 +57,7 @@ void test_entry(val_api_t *val_api) } response = response_packet_receive(); - if (response->status != SDP_INVALID_COMMAND) + if (response->status != ADAC_INVALID_COMMAND) val->err_check_set(TEST_CHECKPOINT_NUM((2*i)), VAL_STATUS_ERROR); response_packet_release(response); diff --git a/secure-debug/tests/adac/test_a008/test_a008.c b/secure-debug/tests/adac/test_a008/test_a008.c index 7b362e67..2f27a5a6 100644 --- a/secure-debug/tests/adac/test_a008/test_a008.c +++ b/secure-debug/tests/adac/test_a008/test_a008.c @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2021-2023, Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -61,14 +61,14 @@ void test_entry(val_api_t *val_api) key_type = detect_cryptosystem(exts, exts_count); - ret = psa_adac_issue_command(SDP_DISCOVERY_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_DISCOVERY_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(3), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_DISCOVERY_CMD, response); + ret = psa_adac_parse_response(ADAC_DISCOVERY_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(4), VAL_STATUS_READ_FAILED); goto test_end; 
@@ -82,14 +82,14 @@ void test_entry(val_api_t *val_api) response_packet_release(response); - ret = psa_adac_issue_command(SDP_AUTH_START_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_AUTH_START_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(5), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_AUTH_START_CMD, response); + ret = psa_adac_parse_response(ADAC_AUTH_START_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(6), VAL_STATUS_READ_FAILED); goto test_end; @@ -103,13 +103,13 @@ void test_entry(val_api_t *val_api) for (i = 0; i < exts_count; i++) { current_extn = exts[i]; - if (current_extn->type_id == CERT_ADAC) { + if (current_extn->type_id == PSA_BINARY_CRT) { payload = (uint8_t *)current_extn; payload_size = current_extn->length_in_bytes + sizeof(psa_tlv_t); certificate_header_t *header = (certificate_header_t *) (current_extn->value); - if (header->role == SDP_CRT_ROLE_LEAF) { + if (header->role == ADAC_CRT_ROLE_LEAF) { leaf_cert = current_extn->value; leaf_cert_size = current_extn->length_in_bytes; break; 
@@ -128,20 +128,20 @@ void test_entry(val_api_t *val_api) goto test_end; } - ret = psa_adac_issue_command(SDP_AUTH_RESPONSE_CMD, request, payload, payload_size); + ret = psa_adac_issue_command(ADAC_AUTH_RESPONSE_CMD, request, payload, payload_size); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(9), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_AUTH_RESPONSE_CMD, response); + ret = psa_adac_parse_response(ADAC_AUTH_RESPONSE_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(10), VAL_STATUS_READ_FAILED); goto test_end; } - if (response->status != SDP_FAILURE) + if (response->status != ADAC_FAILURE) val->err_check_set(TEST_CHECKPOINT_NUM(11), VAL_STATUS_ERROR); response_packet_release(response); diff --git a/secure-debug/tests/adac/test_a009/test_a009.c b/secure-debug/tests/adac/test_a009/test_a009.c index e117e5fe..47521078 100644 --- a/secure-debug/tests/adac/test_a009/test_a009.c +++ b/secure-debug/tests/adac/test_a009/test_a009.c @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2021-2023, Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -61,14 +61,14 @@ void test_entry(val_api_t *val_api) key_type = detect_cryptosystem(exts, exts_count); - ret = psa_adac_issue_command(SDP_DISCOVERY_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_DISCOVERY_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(3), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_DISCOVERY_CMD, response); + ret = psa_adac_parse_response(ADAC_DISCOVERY_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(4), VAL_STATUS_READ_FAILED); goto test_end; 
@@ -82,14 +82,14 @@ void test_entry(val_api_t *val_api) response_packet_release(response); - ret = psa_adac_issue_command(SDP_AUTH_START_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_AUTH_START_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(5), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_AUTH_START_CMD, response); + ret = psa_adac_parse_response(ADAC_AUTH_START_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(6), VAL_STATUS_READ_FAILED); goto test_end; 
@@ -106,36 +106,36 @@ void test_entry(val_api_t *val_api) // Modify scope limit constraints at host-side for soc_class for (i = 0; i < exts_count; i++) { current_extn = exts[i]; - if (current_extn->type_id == CERT_ADAC) { + if (current_extn->type_id == PSA_BINARY_CRT) { payload = (uint8_t *)current_extn; payload_size = current_extn->length_in_bytes + sizeof(psa_tlv_t); header = (certificate_header_t *) (current_extn->value); - if (header->role != SDP_CRT_ROLE_ROOT) { + if (header->role != ADAC_CRT_ROLE_ROOT) { leaf_cert = current_extn->value; modify_soc_class_neutral(header, i); } - ret = psa_adac_issue_command(SDP_AUTH_RESPONSE_CMD, request, payload, payload_size); + ret = psa_adac_issue_command(ADAC_AUTH_RESPONSE_CMD, request, payload, payload_size); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(7), VAL_STATUS_WRITE_FAILED); goto test_end; } // Restore the tampered certificate value - if (header->role == SDP_CRT_ROLE_ROOT) + if (header->role == ADAC_CRT_ROLE_ROOT) modify_soc_class_neutral(header, i); response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_AUTH_RESPONSE_CMD, response); + ret = psa_adac_parse_response(ADAC_AUTH_RESPONSE_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(8), VAL_STATUS_READ_FAILED); goto test_end; } - if (response->status == SDP_NEED_MORE_DATA) { + if (response->status == ADAC_NEED_MORE_DATA) { response_packet_release(response); - } else if (response->status == SDP_FAILURE) { + } else if (response->status == ADAC_FAILURE) { val->print(PRINT_INFO, "Inconsistent certificate chain rejected by target\n", 0); break; } else { @@ -151,7 +151,7 @@ void test_entry(val_api_t *val_api) goto test_end; } - if (response->status != SDP_FAILURE) + if (response->status != ADAC_FAILURE) val->err_check_set(TEST_CHECKPOINT_NUM(11), VAL_STATUS_ERROR); response_packet_release(response); 
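Review bot: The restore step after the send in the `@@ -106,36 +106,36 @@` hunk is guarded by `header->role == ADAC_CRT_ROLE_ROOT`, the opposite of the `header->role != ADAC_CRT_ROLE_ROOT` guard under which `modify_soc_class_neutral(header, i)` was applied before the send. If the helper toggles the field (its body is not shown here), every non-root certificate stays tampered in the host's copy and the root certificate is altered after it was sent, which contradicts the comment "Restore the tampered certificate value" and could affect later tests that reuse the chain. The commit only renames the constant on that line, so the condition predates it, but the guard should probably read `if (header->role != ADAC_CRT_ROLE_ROOT)`. `test_entry` starts and ends outside this hunk, so the surrounding setup should be confirmed first.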
diff --git a/secure-debug/tests/adac/test_a010/test_a010.c b/secure-debug/tests/adac/test_a010/test_a010.c index 45b71581..8fabca7e 100644 --- a/secure-debug/tests/adac/test_a010/test_a010.c +++ b/secure-debug/tests/adac/test_a010/test_a010.c @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2021-2022 Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -60,14 +60,14 @@ void test_entry(val_api_t *val_api) } key_type = detect_cryptosystem(exts, exts_count); - ret = psa_adac_issue_command(SDP_DISCOVERY_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_DISCOVERY_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(3), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_DISCOVERY_CMD, response); + ret = psa_adac_parse_response(ADAC_DISCOVERY_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(4), VAL_STATUS_READ_FAILED); goto test_end; @@ -91,14 +91,14 @@ void test_entry(val_api_t *val_api) goto test_end; } - ret = psa_adac_issue_command(SDP_AUTH_START_CMD, request, NULL, 0); + ret = psa_adac_issue_command(ADAC_AUTH_START_CMD, request, NULL, 0); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(6), VAL_STATUS_WRITE_FAILED); goto test_end; } response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_AUTH_START_CMD, response); + ret = psa_adac_parse_response(ADAC_AUTH_START_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(7), VAL_STATUS_READ_FAILED); goto test_end; 
@@ -127,7 +127,7 @@ void test_entry(val_api_t *val_api) } val->print(PRINT_INFO, "Sending token\n", 0); - ret = psa_adac_issue_command(SDP_AUTH_RESPONSE_CMD, request, (uint8_t *)token, token_size); + ret = psa_adac_issue_command(ADAC_AUTH_RESPONSE_CMD, request, (uint8_t *)token, token_size); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(10), VAL_STATUS_WRITE_FAILED); goto test_end; @@ -135,13 +135,13 @@ void test_entry(val_api_t *val_api) val->print(PRINT_INFO, "Receiving token_authentication response\n", 0); response = psa_adac_await_response(); - ret = psa_adac_parse_response(SDP_AUTH_RESPONSE_CMD, response); + ret = psa_adac_parse_response(ADAC_AUTH_RESPONSE_CMD, response); if (ret != PSA_SUCCESS) { val->err_check_set(TEST_CHECKPOINT_NUM(11), VAL_STATUS_READ_FAILED); goto test_end; } - if (response->status == SDP_SUCCESS) + if (response->status == ADAC_SUCCESS) val->print(PRINT_INFO, "Target unlocked successfully\n", 0); else val->err_check_set(TEST_CHECKPOINT_NUM(12), VAL_STATUS_ERROR); diff --git a/secure-debug/tests/adac/test_a011/test_a011.c b/secure-debug/tests/adac/test_a011/test_a011.c index 09d33baa..2793ef7d 100644 --- a/secure-debug/tests/adac/test_a011/test_a011.c +++ b/secure-debug/tests/adac/test_a011/test_a011.c @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2021-2022 Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -45,7 +45,7 @@ void test_entry(val_api_t *val_api) size_t chain_size = 0, exts_count = 0, i, err_count; // Send discovery packet with no requested type ID. - request = request_packet_build(SDP_DISCOVERY_CMD, NULL, 0); + request = request_packet_build(ADAC_DISCOVERY_CMD, NULL, 0); if (request == NULL) { val->err_check_set(TEST_CHECKPOINT_NUM(1), VAL_STATUS_CONNECTION_FAILED); goto test_end; 
diff --git a/secure-debug/platform/hosts/emulation/unix_socket/CMakeLists.txt b/secure-debug/tests/adac/test_a012/test.cmake similarity index 52% rename from secure-debug/platform/hosts/emulation/unix_socket/CMakeLists.txt rename to secure-debug/tests/adac/test_a012/test.cmake index b89d54a3..2b96da62 100644 --- a/secure-debug/platform/hosts/emulation/unix_socket/CMakeLists.txt +++ b/secure-debug/tests/adac/test_a012/test.cmake @@ -1,5 +1,5 @@ #/** @file -# * Copyright (c) 2022 Arm Limited or its affiliates. All rights reserved. +# * Copyright (c) 2023, Arm Limited or its affiliates. All rights reserved. # * SPDX-License-Identifier : Apache-2.0 # * # * Licensed under the Apache License, Version 2.0 (the "License"); @@ -13,21 +13,9 @@ # * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # * See the License for the specific language governing permissions and # * limitations under the License. +#**/ -# Set the minimum required version of CMake for the project -cmake_minimum_required(VERSION 3.10) -PROJECT (platform_host) - -include_directories( - ${CMAKE_SOURCE_DIR}/platform/common/include - ${CMAKE_CURRENT_SOURCE_DIR}/include - ) - -add_library(platform_host STATIC) -target_sources(platform_host PUBLIC - ${CMAKE_CURRENT_SOURCE_DIR}/src/pal_interfaces.c - ${CMAKE_CURRENT_SOURCE_DIR}/src/unix_msg.c - ${CMAKE_CURRENT_SOURCE_DIR}/src/main.c - ) - -target_link_libraries(platform_host) +list(APPEND CC_SOURCE + test_a012.c +) +list(APPEND CC_OPTIONS ) diff --git a/secure-debug/tests/adac/test_a012/test_a012.c b/secure-debug/tests/adac/test_a012/test_a012.c new file mode 100644 index 00000000..2fa180e4 --- /dev/null +++ b/secure-debug/tests/adac/test_a012/test_a012.c 
@@ -0,0 +1,134 @@ +/** @file + * Copyright (c) 2023 Arm Limited or its affiliates. All rights reserved. + * SPDX-License-Identifier : Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. +**/ + +#include +#include +#include "val_interfaces.h" + +#include "test_a012.h" + +#define TEST_NUM VAL_CREATE_TEST_ID(VAL_SECURE_DEBUG_BASE, 12) +#define TEST_DESC "Testing ADAC Protocol Host API| UT: psa_lcs_change_command\n" +TEST_PUBLISH(TEST_NUM, test_entry); + +void test_entry(val_api_t *val_api) +{ + psa_status_t ret; + val_api_t *val = val_api; + + /* test init */ + val->test_init(TEST_NUM, TEST_DESC); + if (!IS_TEST_START(val->get_status())) + { + goto test_end; + } + psa_adac_host_init(); + + request_packet_t *request; + response_packet_t *response; + + psa_tlv_t *tlv = NULL, *lifecycle_tlv = NULL, **tlv_seq = NULL; + uint8_t *tlv_ptr; + size_t i, j, tlv_size; + + // Send discovery packet with no requested type ID. + ret = psa_adac_issue_command(ADAC_DISCOVERY_CMD, request, NULL, 0); + if (ret != PSA_SUCCESS) { + val->err_check_set(TEST_CHECKPOINT_NUM(1), VAL_STATUS_WRITE_FAILED); + goto test_end; + } + + response = psa_adac_await_response(); + if (response == NULL) { + val->err_check_set(TEST_CHECKPOINT_NUM(2), VAL_STATUS_CONNECTION_FAILED); + goto test_end; + } + + // Variable to collect the reference to each TLV in the response sequence. 
+ tlv_seq = (psa_tlv_t **)malloc((response->data_count) * sizeof(psa_tlv_t *)); + if (tlv_seq == NULL) { + val->err_check_set(TEST_CHECKPOINT_NUM(3), VAL_STATUS_INSUFFICIENT_SIZE); + goto test_end; + } + + // Parse the TLV sequence and obtain tlv with type_id as psa_lifecycle. + for (i = 0, j = 0; (i + 4) < (response->data_count * 4); j++) { + tlv = (psa_tlv_t *) (((uint8_t *)response->data) + i); + + if (tlv->type_id == PSA_LIFECYCLE) { + tlv_seq[j] = tlv; + tlv_ptr = (uint8_t *)(tlv); + tlv_size = sizeof(psa_tlv_t) + ROUND_TO_WORD(tlv->length_in_bytes); + } + i += sizeof(psa_tlv_t) + ROUND_TO_WORD(tlv->length_in_bytes); + } + + response_packet_release(response); + + // Send ADAC LCS command with empty TLV list + ret = psa_adac_issue_command(ADAC_LCS_CHANGE_CMD, request, NULL, 0); + if (ret != PSA_SUCCESS) { + val->err_check_set(TEST_CHECKPOINT_NUM(4), VAL_STATUS_WRITE_FAILED); + goto test_end; + } + + response = psa_adac_await_response(); + ret = psa_adac_parse_response(ADAC_LCS_CHANGE_CMD, response); + if (ret != PSA_SUCCESS) { + val->err_check_set(TEST_CHECKPOINT_NUM(2), VAL_STATUS_READ_FAILED); + goto test_end; + } + + // Target must recognize LCS command + if (response->status == ADAC_INVALID_COMMAND) { + val->err_check_set(TEST_CHECKPOINT_NUM(3), VAL_STATUS_INVALID); + goto test_end; + } + + if ((response->status != ADAC_UNSUPPORTED) && (response->status != ADAC_INVALID_PARAMETERS)) { + val->err_check_set(TEST_CHECKPOINT_NUM(3), VAL_STATUS_INVALID); + goto test_end; + } + response_packet_release(response); + + // Send ADAC LCS command with TLV sequence + ret = psa_adac_issue_command(ADAC_LCS_CHANGE_CMD, request, tlv_ptr, tlv_size); + if (ret != PSA_SUCCESS) { + val->err_check_set(TEST_CHECKPOINT_NUM(4), VAL_STATUS_WRITE_FAILED); + goto test_end; + } + + response = psa_adac_await_response(); + ret = psa_adac_parse_response(ADAC_LCS_CHANGE_CMD, response); + if (ret != PSA_SUCCESS) { + val->err_check_set(TEST_CHECKPOINT_NUM(2), VAL_STATUS_READ_FAILED); + goto 
test_end; + } + + // Target must recognize LCS command + if (response->status == ADAC_INVALID_COMMAND) { + val->err_check_set(TEST_CHECKPOINT_NUM(3), VAL_STATUS_INVALID); + goto test_end; + } + response_packet_release(response); + +test_end: + if (tlv_seq != NULL) + free(tlv_seq); + + val->test_exit(); +} diff --git a/secure-debug/platform/hosts/emulation/unix_socket/include/psa_adac_platform.h b/secure-debug/tests/adac/test_a012/test_a012.h similarity index 70% rename from secure-debug/platform/hosts/emulation/unix_socket/include/psa_adac_platform.h rename to secure-debug/tests/adac/test_a012/test_a012.h index aaad6731..42cf8912 100644 --- a/secure-debug/platform/hosts/emulation/unix_socket/include/psa_adac_platform.h +++ b/secure-debug/tests/adac/test_a012/test_a012.h @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2022 Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2023, Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -15,9 +15,11 @@ * limitations under the License. **/ -#ifndef PSA_ADAC_NATIVE_PSA_ADAC_PLATFORM_H -#define PSA_ADAC_NATIVE_PSA_ADAC_PLATFORM_H +#ifndef _TEST_A012_TESTS_H_ +#define _TEST_A012_TESTS_H_ -#define PSA_ADAC_MANAGER_IMPLICIT_TRANSPORT +#define test_entry CONCAT(test_entry_, a012) -#endif //PSA_ADAC_NATIVE_PSA_ADAC_PLATFORM_H +extern val_api_t *val; + +#endif /* _TEST_A012_TESTS_H_ */ diff --git a/secure-debug/tests/adac/testsuite.db b/secure-debug/tests/adac/testsuite.db index ce2e642d..15dead73 100644 --- a/secure-debug/tests/adac/testsuite.db +++ b/secure-debug/tests/adac/testsuite.db @@ -1,5 +1,5 @@ #/** @file -# * Copyright (c) 2021 Arm Limited or its affiliates. All rights reserved. +# * Copyright (c) 2021-2023 Arm Limited or its affiliates. All rights reserved. # * SPDX-License-Identifier : Apache-2.0 # * # * Licensed under the Apache License, Version 2.0 (the "License"); 
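Review bot: `tlv_ptr` and `tlv_size` are passed to the second `ADAC_LCS_CHANGE_CMD` call after `response_packet_release(response)`, yet `tlv_ptr` points into `response->data`, so the payload is read from a packet that has presumably been freed by then (the release helper is not shown here). Both variables are also left uninitialised when the discovery response carries no `PSA_LIFECYCLE` entry, and `tlv->length_in_bytes` comes from the target without being checked against the remaining `response->data_count * 4` bytes. Copying the lifecycle TLV into a buffer the test owns before the release, with the length bounded first, addresses all three; the copy needs `<string.h>` for `memcpy`, and an absent lifecycle TLV then sends an empty payload. Separately, checkpoint numbers 2, 3 and 4 are reused for different checks, so a reported failure cannot be traced to one step.

```c
    uint8_t *tlv_ptr = NULL, *lcs_payload = NULL;
    size_t i, j, tlv_size = 0;

    // … unchanged: discovery command, response wait, tlv_seq allocation …

        if (tlv->type_id == PSA_LIFECYCLE) {
            // Reject a TLV whose declared length runs past the received data.
            // Checkpoint numbers 5 and 6 below are new, previously unused values.
            if ((sizeof(psa_tlv_t) + ROUND_TO_WORD(tlv->length_in_bytes)) >
                ((response->data_count * 4) - i)) {
                response_packet_release(response);
                val->err_check_set(TEST_CHECKPOINT_NUM(5), VAL_STATUS_INVALID);
                goto test_end;
            }
            // … unchanged: tlv_seq[j], tlv_ptr and tlv_size assignments …
        }

    // … unchanged: offset advance, end of parse loop …

    // Copy the lifecycle TLV while the discovery response is still held.
    if (tlv_ptr != NULL) {
        lcs_payload = (uint8_t *)malloc(tlv_size);
        if (lcs_payload == NULL) {
            response_packet_release(response);
            val->err_check_set(TEST_CHECKPOINT_NUM(6), VAL_STATUS_INSUFFICIENT_SIZE);
            goto test_end;
        }
        memcpy(lcs_payload, tlv_ptr, tlv_size);
    }
    response_packet_release(response);

    // … unchanged: LCS command with empty TLV list and its checks …

    ret = psa_adac_issue_command(ADAC_LCS_CHANGE_CMD, request, lcs_payload, tlv_size);

    // … unchanged: response checks up to test_end and the tlv_seq cleanup …

    free(lcs_payload);
```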
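Review bot: The new include guard `_TEST_A012_TESTS_H_` begins with an underscore followed by an uppercase letter, a form C reserves for the implementation; a name such as `TEST_A012_H` avoids that, unless the suite's other test headers deliberately share this pattern. The header also declares `extern val_api_t *val;` while `test_entry` in test_a012.c defines a local `val` of the same name, so the global is shadowed there. The header additionally depends on the including file having declared `val_api_t` first, which test_a012.c does by including `val_interfaces.h` before it.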
@@ -31,5 +31,6 @@ test_a008 test_a009 test_a010 test_a011 +test_a012 (END) diff --git a/secure-debug/val/include/val_entry.h b/secure-debug/val/include/val_entry.h index 44035991..ecbda96b 100644 --- a/secure-debug/val/include/val_entry.h +++ b/secure-debug/val/include/val_entry.h @@ -1,5 +1,5 @@ /** @file - * Copyright (c) 2022 Arm Limited or its affiliates. All rights reserved. + * Copyright (c) 2022-2023 Arm Limited or its affiliates. All rights reserved. * SPDX-License-Identifier : Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -20,8 +20,8 @@ #include "val.h" -#define PSA_ACS_MAJOR_VER 0 -#define PSA_ACS_MINOR_VER 8 +#define PSA_ACS_MAJOR_VER 1 +#define PSA_ACS_MINOR_VER 0 /** @brief - PSA Test Suite C main function, does VAL init and calls test dispatcher