From 25dd2172ae564c74b7e8b42aa96d5ee9a865ec75 Mon Sep 17 00:00:00 2001 From: Mate Toth-Pal Date: Fri, 21 Oct 2022 14:24:49 +0200 Subject: [PATCH] feat(tc): add delegated attest and measurement tests This patch adds Delegated Attestation and Measured Boot tests to the plat/arm/board/tc platform. The test suite can be activated by adding the build time option `PLATFORM_TEST=1` to the make command. In this case the boot sequence is not finished, plat_error_handler is called after the tests are run (regardless of the test result.) The actual test code is coming from the Trusted-Firmware-M project. Some of the files of the tf-m-tests and tf-m-extras repo are linked to the BL31 image. Versions used for testing: https://git.trustedfirmware.org/TF-M/tf-m-tests 614e8c358377e4146e8ee13d1246e59d01b4bf1b https://git.trustedfirmware.org/TF-M/tf-m-extras 3be9fdd557e6df449de93c2101973fb011699b3d Change-Id: I98f0f5f760a39d2d7e0dd11d33663ddb75f0b6fc Signed-off-by: Mate Toth-Pal --- plat/arm/board/tc/include/platform_def.h | 6 +- plat/arm/board/tc/include/tc_plat.h | 4 + plat/arm/board/tc/plat_tc_mbedtls_config.h | 33 ++++++ plat/arm/board/tc/platform.mk | 5 + plat/arm/board/tc/platform_test.mk | 80 ++++++++++++++ plat/arm/board/tc/region_defs.h | 12 ++ plat/arm/board/tc/rss_ap_test_stubs.c | 121 +++++++++++++++++++++ plat/arm/board/tc/rss_ap_tests.c | 82 ++++++++++++++ plat/arm/board/tc/rss_ap_testsuites.c | 25 +++++ plat/arm/board/tc/rss_ap_testsuites.h | 16 +++ plat/arm/board/tc/tc_bl31_setup.c | 8 +- 11 files changed, 388 insertions(+), 4 deletions(-) create mode 100644 plat/arm/board/tc/plat_tc_mbedtls_config.h create mode 100644 plat/arm/board/tc/platform_test.mk create mode 100644 plat/arm/board/tc/region_defs.h create mode 100644 plat/arm/board/tc/rss_ap_test_stubs.c create mode 100644 plat/arm/board/tc/rss_ap_tests.c create mode 100644 plat/arm/board/tc/rss_ap_testsuites.c create mode 100644 plat/arm/board/tc/rss_ap_testsuites.h 
diff --git a/plat/arm/board/tc/include/platform_def.h b/plat/arm/board/tc/include/platform_def.h index bc4f25449..0fe4a0a77 100644 --- a/plat/arm/board/tc/include/platform_def.h +++ b/plat/arm/board/tc/include/platform_def.h @@ -101,7 +101,7 @@ * PLAT_ARM_MAX_BL1_RW_SIZE is calculated using the current BL1 RW debug size * plus a little space for growth. */ -#define PLAT_ARM_MAX_BL1_RW_SIZE 0xD000 +#define PLAT_ARM_MAX_BL1_RW_SIZE 0x12000 /* * PLAT_ARM_MAX_ROMLIB_RW_SIZE is define to use a full page @@ -129,7 +129,7 @@ * BL2 and BL1-RW. Current size is considering that TRUSTED_BOARD_BOOT and * MEASURED_BOOT is enabled. */ -#define PLAT_ARM_MAX_BL31_SIZE 0x47000 +#define PLAT_ARM_MAX_BL31_SIZE 0x60000 /* * Size of cacheable stacks @@ -152,7 +152,7 @@ # if SPM_MM # define PLATFORM_STACK_SIZE 0x500 # else -# define PLATFORM_STACK_SIZE 0x400 +# define PLATFORM_STACK_SIZE 0xa00 # endif #elif defined(IMAGE_BL32) # define PLATFORM_STACK_SIZE 0x440 diff --git a/plat/arm/board/tc/include/tc_plat.h b/plat/arm/board/tc/include/tc_plat.h index 28c0308e6..f7ce2fe1d 100644 --- a/plat/arm/board/tc/include/tc_plat.h +++ b/plat/arm/board/tc/include/tc_plat.h @@ -9,4 +9,8 @@ void tc_bl31_common_platform_setup(void); +#ifdef PLATFORM_TEST +void run_platform_tests(void); +#endif + #endif /* TC_PLAT_H */ diff --git a/plat/arm/board/tc/plat_tc_mbedtls_config.h b/plat/arm/board/tc/plat_tc_mbedtls_config.h new file mode 100644 index 000000000..d776b638a --- /dev/null +++ b/plat/arm/board/tc/plat_tc_mbedtls_config.h 
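Review bot: The three size increases in platform_def.h (`PLAT_ARM_MAX_BL1_RW_SIZE` to 0x12000, `PLAT_ARM_MAX_BL31_SIZE` to 0x60000 and the non-SPM_MM `PLATFORM_STACK_SIZE` to 0xa00) are unconditional, so they change the memory budget of every TC build and not only builds made with `PLATFORM_TEST=1`. If the extra room is needed only for the linked-in test code, each new value should sit under `#ifdef PLATFORM_TEST` with the previous value kept in the `#else` branch, so that a regular image that outgrows the old limits still fails to link. The comments above the BL1-RW and BL31 sizes still describe the old sizing basis and should mention the test build; the same applies to the second and third hunks of this file.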
@@ -0,0 +1,33 @@ +/* + * Copyright (c) 2022, Arm Ltd. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef PLAT_TC_MBEDTLS_CONFIG_H +#define PLAT_TC_MBEDTLS_CONFIG_H + +#include +#include + +#ifndef TF_MBEDTLS_HEAP_SIZE +#error TF_MBEDTLS_HEAP_SIZE is not defined +#else +#define PLATFORM_TEST_MIN_MBEDTLS_HEAP_SIZE (8 * 1024) +/* Only change heap size if it is less then the minimum required. */ +#if TF_MBEDTLS_HEAP_SIZE < PLATFORM_TEST_MIN_MBEDTLS_HEAP_SIZE +#undef TF_MBEDTLS_HEAP_SIZE +#define TF_MBEDTLS_HEAP_SIZE PLATFORM_TEST_MIN_MBEDTLS_HEAP_SIZE +#endif +#endif + +#define MBEDTLS_PSA_CRYPTO_C +#define MBEDTLS_HMAC_DRBG_C +#define MBEDTLS_ENTROPY_C +#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES +#define MBEDTLS_NO_PLATFORM_ENTROPY +#define MBEDTLS_TEST_NULL_ENTROPY +#define MBEDTLS_ECP_C +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED + +#endif /* PLAT_TC_MBEDTLS_CONFIG_H */ diff --git a/plat/arm/board/tc/platform.mk b/plat/arm/board/tc/platform.mk index 37ba2295c..74c0f1715 100644 --- a/plat/arm/board/tc/platform.mk +++ b/plat/arm/board/tc/platform.mk @@ -193,6 +193,11 @@ PLAT_INCLUDES += -Iinclude/lib/psa endif +# Add this include as first, before arm_common.mk. This is necessary because +# arm_common.mk builds Mbed TLS, and platform_test.mk can change the list of +# Mbed TLS files that are to be compiled (LIBMBEDTLS_SRCS). +include plat/arm/board/tc/platform_test.mk + include plat/arm/common/arm_common.mk include plat/arm/css/common/css_common.mk include plat/arm/soc/common/soc_css.mk diff --git a/plat/arm/board/tc/platform_test.mk b/plat/arm/board/tc/platform_test.mk new file mode 100644 index 000000000..c2ee69ef5 --- /dev/null +++ b/plat/arm/board/tc/platform_test.mk 
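Review bot: `MBEDTLS_TEST_NULL_ENTROPY` combined with `MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES` and `MBEDTLS_NO_PLATFORM_ENTROPY` leaves the DRBG without any real entropy source, so random values produced through the PSA crypto layer in this image are predictable. That is only acceptable in a test image, and nothing in the header enforces it: a guard near the top such as `#ifndef PLATFORM_TEST` / `#error "plat_tc_mbedtls_config.h is for PLATFORM_TEST builds only"` / `#endif` would stop the file being picked up by a normal build. A one-line comment above the entropy defines stating that the configuration is insecure by design would also help the next reader.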
@@ -0,0 +1,80 @@
+# Copyright (c) 2022, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+ifeq (${PLATFORM_TEST},1)
+
+ # The variables need to be set to compile the platform test:
+ ifeq (${TF_M_TESTS_PATH},)
+ # Example: ../rss/tf-m-tests
+ $(error Error: TF_M_TESTS_PATH not set)
+ endif
+ ifeq (${TF_M_EXTRAS_PATH},)
+ # Example: ../rss/tf-m-extras
+ $(error Error: TF_M_EXTRAS_PATH not set)
+ endif
+ ifeq (${MEASUREMENT_VALUE_SIZE},)
+ MEASUREMENT_VALUE_SIZE := 32
+ endif
+ ifeq (${MEASURED_BOOT_HASH_ALG},)
+ MEASURED_BOOT_HASH_ALG := "PSA_ALG_SHA_256"
+ endif
+
+ DELEGATED_ATTEST_TESTS_PATH = $(TF_M_EXTRAS_PATH)/partitions/delegated_attestation/test
+ MEASURED_BOOT_TESTS_PATH = $(TF_M_EXTRAS_PATH)/partitions/measured_boot/test
+
+ MBEDTLS_CONFIG_FILE = ""
+
+ LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \
+ entropy.c \
+ entropy_poll.c \
+ hmac_drbg.c \
+ psa_crypto.c \
+ psa_crypto_client.c \
+ psa_crypto_driver_wrappers.c \
+ psa_crypto_hash.c \
+ psa_crypto_rsa.c \
+ psa_crypto_ecp.c \
+ psa_crypto_slot_management.c \
+ )
+
+ BL31_SOURCES += ${RSS_COMMS_SOURCES} \
+ plat/arm/common/arm_dyn_cfg.c \
+ ${TC_BASE}/rss_ap_tests.c \
+ ${TC_BASE}/rss_ap_testsuites.c \
+ ${TC_BASE}/rss_ap_test_stubs.c \
+ $(TF_M_TESTS_PATH)/test/framework/test_framework.c \
+ $(MEASURED_BOOT_TESTS_PATH)/measured_boot_common.c \
+ $(MEASURED_BOOT_TESTS_PATH)/measured_boot_tests_common.c \
+ $(DELEGATED_ATTEST_TESTS_PATH)/delegated_attest_test.c \
+ drivers/auth/mbedtls/mbedtls_common.c \
+ lib/psa/measured_boot.c \
+ lib/psa/delegated_attestation.c
+
+ PLAT_INCLUDES += -I$(TF_M_EXTRAS_PATH)/partitions/measured_boot/interface/include \
+ -I$(TF_M_EXTRAS_PATH)/partitions/delegated_attestation/interface/include \
+ -I$(TF_M_TESTS_PATH)/test/framework \
+ -I$(TF_M_TESTS_PATH)/log \
+ -I$(TF_M_TESTS_PATH)/test/secure_fw/suites/extra \
+ -I$(MEASURED_BOOT_TESTS_PATH)/non_secure \
+ -I$(DELEGATED_ATTEST_TESTS_PATH) \
+ -I$(DELEGATED_ATTEST_TESTS_PATH)/non_secure \
+ -Iplat/arm/board/tc \
+ -Iinclude/drivers/auth/mbedtls \
+ -Iinclude/drivers/arm
+
+ # Some of the PSA functions are declared in multiple header files, that
+ # triggers this warning.
+ TF_CFLAGS += -Wno-error=redundant-decls
+
+ # TODO: Created patch for warning in tf-m-tests
+ TF_CFLAGS += -Wno-error=return-type
+
+ # Define macros that are used by the code coming from the tf-m-extras repo.
+ $(eval $(call add_define,MEASUREMENT_VALUE_SIZE))
+ $(eval $(call add_define,MEASURED_BOOT_HASH_ALG))
+ $(eval $(call add_define,DELEG_ATTEST_DUMP_TOKEN_AND_KEY))
+
+ $(eval $(call add_define,PLATFORM_TEST))
+endif
diff --git a/plat/arm/board/tc/region_defs.h b/plat/arm/board/tc/region_defs.h
new file mode 100644
index 000000000..d3dfd1396
--- /dev/null
+++ b/plat/arm/board/tc/region_defs.h
@@ -0,0 +1,12 @@
+/*
+ * Copyright (c) 2022, Arm Ltd. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef REGION_DEFS_H
+#define REGION_DEFS_H
+
+#define PSA_INITIAL_ATTEST_TOKEN_MAX_SIZE 0x800
+
+#endif /* REGION_DEFS_H */
diff --git a/plat/arm/board/tc/rss_ap_test_stubs.c b/plat/arm/board/tc/rss_ap_test_stubs.c
new file mode 100644
index 000000000..aa97476f3
--- /dev/null
+++ b/plat/arm/board/tc/rss_ap_test_stubs.c
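Review bot: `DELEG_ATTEST_DUMP_TOKEN_AND_KEY` is handed to `add_define` without being given a value or a default anywhere in platform_test.mk, unlike `MEASUREMENT_VALUE_SIZE` and `MEASURED_BOOT_HASH_ALG`. Judging by its name it makes the tf-m-extras test print the attestation token and the delegated key on the console, and depending on how `add_define` expands an unset variable it may end up defined in every test build; it should be an explicit opt-in, e.g. wrap the call in `ifeq (${DELEG_ATTEST_DUMP_TOKEN_AND_KEY},1)` ... `endif` with a comment that the console log then contains key material. Separately, `TF_CFLAGS += -Wno-error=return-type` applies to all of the firmware sources rather than only the tf-m-tests files, so a missing return in TF-A code no longer fails a test build; the TODO should at least reference the pending tf-m-tests fix so the flag can be removed.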
@@ -0,0 +1,121 @@
+/*
+ * Copyright (c) 2022, Arm Ltd. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include
+#include
+#include
+
+#include
+#include
+#include
+
+
+psa_status_t
+tfm_measured_boot_extend_measurement(uint8_t index,
+ const uint8_t *signer_id,
+ size_t signer_id_size,
+ const uint8_t *version,
+ size_t version_size,
+ uint32_t measurement_algo,
+ const uint8_t *sw_type,
+ size_t sw_type_size,
+ const uint8_t *measurement_value,
+ size_t measurement_value_size,
+ bool lock_measurement)
+{
+ return rss_measured_boot_extend_measurement(index,
+ signer_id,
+ signer_id_size,
+ version,
+ version_size,
+ measurement_algo,
+ sw_type,
+ sw_type_size,
+ measurement_value,
+ measurement_value_size,
+ lock_measurement);
+}
+
+psa_status_t
+tfm_measured_boot_read_measurement(uint8_t index,
+ uint8_t *signer_id,
+ size_t signer_id_size,
+ size_t *signer_id_len,
+ uint8_t *version,
+ size_t version_size,
+ size_t *version_len,
+ uint32_t *measurement_algo,
+ uint8_t *sw_type,
+ size_t sw_type_size,
+ size_t *sw_type_len,
+ uint8_t *measurement_value,
+ size_t measurement_value_size,
+ size_t *measurement_value_len,
+ bool *is_locked)
+{
+ return rss_measured_boot_read_measurement(index,
+ signer_id,
+ signer_id_size,
+ signer_id_len,
+ version,
+ version_size,
+ version_len,
+ measurement_algo,
+ sw_type,
+ sw_type_size,
+ sw_type_len,
+ measurement_value,
+ measurement_value_size,
+ measurement_value_len,
+ is_locked);
+}
+
+psa_status_t
+tfm_delegated_attest_get_token(const uint8_t *dak_pub_hash,
+ size_t dak_pub_hash_size,
+ uint8_t *token_buf,
+ size_t token_buf_size,
+ size_t *token_size)
+{
+ return rss_delegated_attest_get_token(dak_pub_hash,
+ dak_pub_hash_size,
+ token_buf,
+ token_buf_size,
+ token_size);
+}
+
+psa_status_t
+tfm_delegated_attest_get_delegated_key(uint8_t ecc_curve,
+ uint32_t key_bits,
+ uint8_t *key_buf,
+ size_t key_buf_size,
+ size_t *key_size,
+ uint32_t hash_algo)
+{
+ return rss_delegated_attest_get_delegated_key(ecc_curve,
+ key_bits,
+ key_buf,
+ key_buf_size,
+ key_size,
+ hash_algo);
+}
+
+int tfm_log_printf(const char *fmt, ...)
+{
+ int count;
+ va_list ap;
+
+ va_start(ap, fmt);
+ count = vprintf(fmt, ap);
+ va_end(ap);
+
+ return count;
+}
+
+void printf_set_color(int color_id)
+{
+ (void)color_id;
+}
diff --git a/plat/arm/board/tc/rss_ap_tests.c b/plat/arm/board/tc/rss_ap_tests.c
new file mode 100644
index 000000000..b62043ece
--- /dev/null
+++ b/plat/arm/board/tc/rss_ap_tests.c
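Review bot: rss_ap_test_stubs.c has no comment saying what the stubs are for, although each `tfm_*` function only forwards its arguments unchanged to the `rss_*` function of the same name and `printf_set_color` deliberately discards `color_id`. A short file-level comment would make the intent clear, for example `/* Adapters that map the TF-M test-suite API names onto the TF-A RSS client API; arguments are passed through without checks. */`. Inside `printf_set_color` a line such as `/* Colour selection is ignored in this build. */` would explain the `(void)` cast.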
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 2022, Arm Ltd. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include
+#include
+
+#include
+#include
+#include
+#include
+
+#include "rss_ap_testsuites.h"
+
+static struct test_suite_t test_suites[] = {
+ {.freg = register_testsuite_delegated_attest},
+ {.freg = register_testsuite_measured_boot},
+};
+
+static void run_tests(void)
+{
+ enum test_suite_err_t ret;
+ psa_status_t status;
+ size_t i;
+
+ rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE, PLAT_RSS_AP_RCV_MHU_BASE);
+ mbedtls_init();
+ status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ printf("\n\npsa_crypto_init failed (status = %d)\n", status);
+ assert(false);
+ plat_error_handler(-1);
+ }
+
+ for (i = 0; i < ARRAY_SIZE(test_suites); ++i) {
+ struct test_suite_t *suite = &(test_suites[i]);
+
+ suite->freg(suite);
+ ret = run_testsuite(suite);
+ if (ret != TEST_SUITE_ERR_NO_ERROR) {
+ printf("\n\nError during executing testsuite '%s'.\n", suite->name);
+ assert(false);
+ plat_error_handler(-1);
+ }
+ }
+ printf("\nAll tests are run.\n");
+}
+
+void run_platform_tests(void)
+{
+ size_t i;
+
+ run_tests();
+
+ printf("\n\n");
+
+ /* Print a summary of all the tests that had been run. */
+ printf("SUMMARY:\n");
+ for (i = 0; i < ARRAY_SIZE(test_suites); ++i) {
+
+ struct test_suite_t *suite = &(test_suites[i]);
+
+ switch (suite->val) {
+ case TEST_PASSED:
+ printf(" %s PASSED.\n", suite->name);
+ break;
+ case TEST_FAILED:
+ printf(" %s FAILED.\n", suite->name);
+ break;
+ case TEST_SKIPPED:
+ printf(" %s SKIPPED.\n", suite->name);
+ break;
+ default:
+ assert(false);
+ break;
+ }
+ }
+
+ printf("\n\n");
+}
diff --git a/plat/arm/board/tc/rss_ap_testsuites.c b/plat/arm/board/tc/rss_ap_testsuites.c
new file mode 100644
index 000000000..aa47d4c22
--- /dev/null
+++ b/plat/arm/board/tc/rss_ap_testsuites.c
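Review bot: In `run_tests` the result of `rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE, PLAT_RSS_AP_RCV_MHU_BASE)` is discarded, while the `psa_crypto_init()` call two lines later is checked. If `rss_comms_init` reports failure through its return value (its prototype is not visible in this patch), a failed MHU setup would show up only as misleading attestation or measurement test failures; it should be handled like the crypto init, e.g. `if (rss_comms_init(PLAT_RSS_AP_SND_MHU_BASE, PLAT_RSS_AP_RCV_MHU_BASE) != 0) { printf("rss_comms_init failed\n"); plat_error_handler(-1); }`. In `run_platform_tests`, the `default:` branch relies on `assert(false)` alone, so in a build where assertions are disabled a suite with an unexpected `val` is silently missing from the summary; printing the suite name and raw value there would keep the report complete.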
@@ -0,0 +1,25 @@ +/* + * Copyright (c) 2022, Arm Ltd. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +/* + * `delegated_attest_ns_interface_testsuite.c` and + * `measured_boot_ns_interface_testsuite.c` are not added to the build directly. + * but are included in this file, and this file is added to the build. This is + * necessary because both files define the function `extra_tests_init`, so a + * linker error occurs when both are linked to BL31. This file defines a macro + * that renames the colliding function names to something unique. + * `plat/arm/board/tc/rss_ap_tests.c` can call the test init functions with + * their new name. + */ + +#define register_testsuite_extra_ns_interface \ + register_testsuite_delegated_attest +#include + +#undef register_testsuite_extra_ns_interface +#define register_testsuite_extra_ns_interface \ + register_testsuite_measured_boot +#include \ No newline at end of file diff --git a/plat/arm/board/tc/rss_ap_testsuites.h b/plat/arm/board/tc/rss_ap_testsuites.h new file mode 100644 index 000000000..58502ab66 --- /dev/null +++ b/plat/arm/board/tc/rss_ap_testsuites.h @@ -0,0 +1,16 @@ + +/* + * Copyright (c) 2022, Arm Ltd. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef RSS_AP_TESTSUITES_H +#define RSS_AP_TESTSUITES_H + +#include + +void register_testsuite_measured_boot(struct test_suite_t *p_test_suite); +void register_testsuite_delegated_attest(struct test_suite_t *p_test_suite); + +#endif /* RSS_AP_TESTSUITES_H */ diff --git a/plat/arm/board/tc/tc_bl31_setup.c b/plat/arm/board/tc/tc_bl31_setup.c index 0523ef8f2..674bdedd5 100644 --- a/plat/arm/board/tc/tc_bl31_setup.c +++ b/plat/arm/board/tc/tc_bl31_setup.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2020-2021, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2020-2022, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ 
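Review bot: The explanatory comment in rss_ap_testsuites.c says both included files define `extra_tests_init`, but the macro below it renames `register_testsuite_extra_ns_interface`; the comment should name the symbol that actually collides so the workaround can be checked against the tf-m-extras sources. The macro also stays defined as `register_testsuite_measured_boot` after the second include, and a trailing `#undef register_testsuite_extra_ns_interface` would keep the rename from leaking into anything added later. The file is also missing its final newline.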
@@ -52,6 +52,12 @@ void bl31_early_platform_setup2(u_register_t arg0, u_register_t arg1, void tc_bl31_common_platform_setup(void) { arm_bl31_platform_setup(); +#ifdef PLATFORM_TEST + run_platform_tests(); + + /* Suspend booting */ + plat_error_handler(-1); +#endif } const plat_psci_ops_t *plat_arm_psci_override_pm_ops(plat_psci_ops_t *ops) -- 2.39.5
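Review bot: `run_platform_tests()` returns `void` and is followed unconditionally by `plat_error_handler(-1)`, so a run in which every suite passed ends on the same path as a genuine platform error and only the console summary tells the two apart. The comment `/* Suspend booting */` should say so explicitly, for example `/* Test image: never continue booting; the test result is only reported in the console summary. */`. If automated runs need a machine-readable outcome, `run_platform_tests` could return a status that is passed to `plat_error_handler` instead of the fixed `-1`.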