Mbed OS Reference

Files

file  psa_initial_attestation_api.h
 The list of fixed claims in the initial attestation token is still evolving; expect slight changes in the future.
 

Macros

#define PSA_INITIAL_ATTEST_API_VERSION_MAJOR   (0)
 PSA INITIAL ATTESTATION API version.

#define PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32   (32u)
 32 byte challenge

#define PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48   (48u)
 48 byte challenge

#define PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64   (64u)
 64 byte challenge
 

Enumerations

enum attest_memory_access_t
 Type of memory access.

enum psa_attest_err_t {
  PSA_ATTEST_ERR_SUCCESS = 0, PSA_ATTEST_ERR_INIT_FAILED, PSA_ATTEST_ERR_TOKEN_BUFFER_OVERFLOW, PSA_ATTEST_ERR_CLAIM_UNAVAILABLE,
  PSA_ATTEST_ERR_INVALID_INPUT, PSA_ATTEST_ERR_GENERAL, PSA_ATTEST_ERR_FORCE_INT_SIZE = INT_MAX
}
 Initial attestation service error types.
 

Functions

enum psa_attest_err_t attest_get_boot_data (uint8_t major_type, void *ptr, uint32_t len)
 Copy the boot data (coming from boot loader) from shared memory area to service memory area.

enum psa_attest_err_t attest_get_caller_client_id (int32_t *caller_id)
 Get the ID of the caller thread.

enum psa_attest_err_t attest_check_memory_access (void *addr, uint32_t size, enum attest_memory_access_t access)
 Verify memory access rights.

enum psa_attest_err_t attest_init (void)
 Initialise the initial attestation service during the TF-M boot up process.

enum psa_attest_err_t initial_attest_get_token (const psa_invec *in_vec, uint32_t num_invec, psa_outvec *out_vec, uint32_t num_outvec)
 Get initial attestation token.

enum psa_attest_err_t initial_attest_get_token_size (const psa_invec *in_vec, uint32_t num_invec, psa_outvec *out_vec, uint32_t num_outvec)
 Get the size of the initial attestation token.

psa_status_t psa_attestation_inject_key (const uint8_t *key_data, size_t key_data_length, psa_key_type_t type, uint8_t *public_key_data, size_t public_key_data_size, size_t *public_key_data_length)
 Generate or import a given key pair and export the public part in a binary format.

enum psa_attest_err_t psa_initial_attest_get_token (const uint8_t *challenge_obj, uint32_t challenge_size, uint8_t *token, uint32_t *token_size)
 Get initial attestation token.

enum psa_attest_err_t psa_initial_attest_get_token_size (uint32_t challenge_size, uint32_t *token_size)
 Get the exact size of initial attestation token in bytes.
 

Detailed Description

Macro Definition Documentation

◆ PSA_INITIAL_ATTEST_API_VERSION_MAJOR

#define PSA_INITIAL_ATTEST_API_VERSION_MAJOR   (0)

PSA INITIAL ATTESTATION API version.

Definition at line 153 of file psa_initial_attestation_api.h.

◆ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32

#define PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32   (32u)

32 byte challenge

Definition at line 188 of file psa_initial_attestation_api.h.

◆ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48

#define PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48   (48u)

48 byte challenge

Definition at line 189 of file psa_initial_attestation_api.h.

◆ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64

#define PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64   (64u)

64 byte challenge

Definition at line 190 of file psa_initial_attestation_api.h.

Enumeration Type Documentation

◆ attest_memory_access_t

Type of memory access.

Definition at line 26 of file attestation.h.

◆ psa_attest_err_t

Initial attestation service error types.

Enumerator
PSA_ATTEST_ERR_SUCCESS 

Action was performed successfully.

PSA_ATTEST_ERR_INIT_FAILED 

Boot status data is unavailable or malformed.

PSA_ATTEST_ERR_TOKEN_BUFFER_OVERFLOW 

Token buffer is too small to store the created token there.

PSA_ATTEST_ERR_CLAIM_UNAVAILABLE 

Some of the mandatory claims are unavailable.

PSA_ATTEST_ERR_INVALID_INPUT 

Some parameter or combination of parameters is recognised as invalid:

  • challenge size is not allowed
  • challenge object is unavailable
  • token buffer is unavailable

PSA_ATTEST_ERR_GENERAL

Unexpected error happened during operation.

PSA_ATTEST_ERR_FORCE_INT_SIZE 

This entry exists only to ensure that the error code has integer size.

Definition at line 162 of file psa_initial_attestation_api.h.

Function Documentation

◆ attest_get_boot_data()

enum psa_attest_err_t attest_get_boot_data (uint8_t major_type, void *ptr, uint32_t len)

Copy the boot data (coming from boot loader) from shared memory area to service memory area.

Parameters
[in] major_type: Major type of TLV entries to copy
[out] ptr: Pointer to the buffer to store the boot data
[in] len: Size of the buffer to store the boot data
Returns
Returns error code as specified in psa_attest_err_t

◆ attest_get_caller_client_id()

enum psa_attest_err_t attest_get_caller_client_id (int32_t *caller_id)

Get the ID of the caller thread.

Parameters
[out] caller_id: Pointer where to store caller ID
Returns
Returns error code as specified in psa_attest_err_t

◆ attest_check_memory_access()

enum psa_attest_err_t attest_check_memory_access (void *addr, uint32_t size, enum attest_memory_access_t access)

Verify memory access rights.

Parameters
[in] addr: Pointer to the base of the address range to check
[in] size: Size of the address range to check
[in] access: Type of memory access as specified in attest_memory_access_t
Returns
Returns error code as specified in psa_attest_err_t

◆ attest_init()

enum psa_attest_err_t attest_init (void)

Initialise the initial attestation service during the TF-M boot up process.

Returns
Returns PSA_ATTEST_ERR_SUCCESS if init has been completed, otherwise error as specified in psa_attest_err_t

◆ initial_attest_get_token()

enum psa_attest_err_t initial_attest_get_token (const psa_invec *in_vec, uint32_t num_invec, psa_outvec *out_vec, uint32_t num_outvec)

Get initial attestation token.

Parameters
[in] in_vec: Pointer to in_vec array, which contains input data to attestation service
[in] num_invec: Number of elements in in_vec array
[in,out] out_vec: Pointer to out_vec array, which contains output data to attestation service
[in] num_outvec: Number of elements in out_vec array
Returns
Returns error code as specified in psa_attest_err_t

◆ initial_attest_get_token_size()

enum psa_attest_err_t initial_attest_get_token_size (const psa_invec *in_vec, uint32_t num_invec, psa_outvec *out_vec, uint32_t num_outvec)

Get the size of the initial attestation token.

Parameters
[in] in_vec: Pointer to in_vec array, which contains input data to attestation service
[in] num_invec: Number of elements in in_vec array
[out] out_vec: Pointer to out_vec array, which contains pointer where to store the output data
[in] num_outvec: Number of elements in out_vec array
Returns
Returns error code as specified in psa_attest_err_t

◆ psa_attestation_inject_key()

psa_status_t psa_attestation_inject_key (const uint8_t *key_data, size_t key_data_length, psa_key_type_t type, uint8_t *public_key_data, size_t public_key_data_size, size_t *public_key_data_length)

Generate or import a given key pair and export the public part in a binary format.

Initial attestation key: Private key for ECDSA-P256 to sign initial attestation token. The attestation private key is a persistent key that is saved to persistent storage with persistent storage id = 17.

Parameters
[in] key_data: Buffer containing the private key data, if given. It must be in the format described in the documentation of psa_export_public_key() for the chosen type. When the private key is to be generated, NULL is passed.
key_data_length: Size of the data buffer in bytes; must be 256 bits if key_data isn't NULL. When the private key is to be generated, 0 is passed.
type: Key type; must be an ECC key type (a PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_XXX) value).
[out] public_key_data: Buffer where the key data is to be written.
public_key_data_size: Size of the public_key_data buffer in bytes; needs to be bigger than the max size of the public part.
[out] public_key_data_length: On success, the number of bytes that make up the key data.
Return values
PSA_SUCCESS: Success.
PSA_ERROR_INVALID_HANDLE
PSA_ERROR_OCCUPIED_SLOT: There is already a key in the specified slot.
PSA_ERROR_NOT_SUPPORTED
PSA_ERROR_INVALID_ARGUMENT
PSA_ERROR_INSUFFICIENT_MEMORY
PSA_ERROR_INSUFFICIENT_ENTROPY
PSA_ERROR_COMMUNICATION_FAILURE
PSA_ERROR_HARDWARE_FAILURE
PSA_ERROR_TAMPERING_DETECTED
PSA_ERROR_BAD_STATE: The library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code.

◆ psa_initial_attest_get_token()

enum psa_attest_err_t psa_initial_attest_get_token (const uint8_t *challenge_obj, uint32_t challenge_size, uint8_t *token, uint32_t *token_size)

Get initial attestation token.

Parameters
[in] challenge_obj: Pointer to buffer where challenge input is stored. Nonce and / or hash of attested data. Must have a length equal to one of the PSA_INITIAL_ATTEST_CHALLENGE_SIZE_xxx constants.
[in] challenge_size: Size of challenge object in bytes.
[out] token: Pointer to the buffer where attestation token must be stored.
[in,out] token_size: Size of allocated buffer for token, which is updated by initial attestation service with final token size.
Returns
Returns error code as specified in psa_attest_err_t

◆ psa_initial_attest_get_token_size()

enum psa_attest_err_t psa_initial_attest_get_token_size (uint32_t challenge_size, uint32_t *token_size)

Get the exact size of initial attestation token in bytes.

It only returns the size of the IAT token. It can be used if the caller dynamically allocates memory for the token buffer.

Parameters
[in] challenge_size: Size of challenge object in bytes.
[out] token_size: Size of the token in bytes, which is created by initial attestation service.
Returns
Returns error code as specified in psa_attest_err_t
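
The size-query-then-fetch sequence described for psa_initial_attest_get_token_size() and psa_initial_attest_get_token(), as an added example that is not part of the Mbed OS sources. Assumptions: fetch_token and size_ok are hypothetical names, and the two API functions are replaced by constructed host-side stand-ins that return a fake, unsigned token so the caller logic can run off-target.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Declarations as listed on this page; on a target include psa_initial_attestation_api.h instead. */
#define PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 (32u)
#define PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48 (48u)
#define PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64 (64u)
enum psa_attest_err_t {
    PSA_ATTEST_ERR_SUCCESS = 0, PSA_ATTEST_ERR_INIT_FAILED, PSA_ATTEST_ERR_TOKEN_BUFFER_OVERFLOW,
    PSA_ATTEST_ERR_CLAIM_UNAVAILABLE, PSA_ATTEST_ERR_INVALID_INPUT, PSA_ATTEST_ERR_GENERAL,
    PSA_ATTEST_ERR_FORCE_INT_SIZE = INT_MAX
};
/* Constructed host-side stand-ins (assumption): the "token" is 16 filler bytes followed by the
 * challenge, not a real signed IAT. They only mimic the error behaviour documented above. */
static int size_ok(uint32_t n) {
    return n == PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 || n == PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48 ||
           n == PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64;
}
enum psa_attest_err_t psa_initial_attest_get_token_size(uint32_t challenge_size, uint32_t *token_size) {
    if (!size_ok(challenge_size) || token_size == NULL) return PSA_ATTEST_ERR_INVALID_INPUT;
    *token_size = 16u + challenge_size;
    return PSA_ATTEST_ERR_SUCCESS;
}
enum psa_attest_err_t psa_initial_attest_get_token(const uint8_t *challenge_obj, uint32_t challenge_size,
                                                   uint8_t *token, uint32_t *token_size) {
    if (!size_ok(challenge_size) || !challenge_obj || !token || !token_size) return PSA_ATTEST_ERR_INVALID_INPUT;
    if (*token_size < 16u + challenge_size) return PSA_ATTEST_ERR_TOKEN_BUFFER_OVERFLOW;
    memset(token, 0xA5, 16u);
    memcpy(token + 16u, challenge_obj, challenge_size);
    *token_size = 16u + challenge_size;
    return PSA_ATTEST_ERR_SUCCESS;
}
/* Hypothetical caller helper: size query, allocation, fetch; the buffer is handed over only on success. */
enum psa_attest_err_t fetch_token(const uint8_t *nonce, uint32_t nonce_len, uint8_t **out, uint32_t *out_len) {
    uint32_t need = 0, len;
    uint8_t *buf;
    enum psa_attest_err_t rc;
    if (out == NULL || out_len == NULL) return PSA_ATTEST_ERR_INVALID_INPUT;
    *out = NULL; *out_len = 0;
    rc = psa_initial_attest_get_token_size(nonce_len, &need);  /* rejects disallowed challenge sizes */
    if (rc != PSA_ATTEST_ERR_SUCCESS) return rc;
    if ((buf = malloc(need)) == NULL) return PSA_ATTEST_ERR_GENERAL;
    len = need;  /* in: buffer capacity; out: final token size */
    rc = psa_initial_attest_get_token(nonce, nonce_len, buf, &len);
    if (rc == PSA_ATTEST_ERR_SUCCESS && len > need) rc = PSA_ATTEST_ERR_GENERAL;  /* reported size exceeds capacity */
    if (rc != PSA_ATTEST_ERR_SUCCESS) { free(buf); return rc; }
    *out = buf; *out_len = len;
    return PSA_ATTEST_ERR_SUCCESS;
}
```

On a real device the challenge should be a fresh verifier-supplied nonce (or a hash of the attested data, as the challenge_obj parameter states), and the caller frees the returned buffer.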