Macros | |
#define | PSA_INITIAL_ATTEST_API_VERSION_MAJOR (0) |
PSA INITIAL ATTESTATION API version. More... | |
#define | PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 (32u) |
The allowed size of input challenge in bytes: 32, 48, 64 Challenge can be a nonce from server or the hash of some combined data : nonce + attested data by caller. More... | |
Enumerations |
Functions | |
enum psa_attest_err_t | attest_get_boot_data (uint8_t major_type, void *ptr, uint32_t len) |
Copy the boot data (coming from boot loader) from shared memory area to service memory area. More... | |
enum psa_attest_err_t | attest_get_caller_client_id (int32_t *caller_id) |
Get the ID of the caller thread. More... | |
enum psa_attest_err_t | attest_check_memory_access (void *addr, uint32_t size, enum attest_memory_access_t access) |
Verify memory access rights. More... | |
enum psa_attest_err_t | attest_init (void) |
Initialise the initial attestation service during the TF-M boot up process. More... | |
enum psa_attest_err_t | initial_attest_get_token (const psa_invec *in_vec, uint32_t num_invec, psa_outvec *out_vec, uint32_t num_outvec) |
Get initial attestation token. More... | |
enum psa_attest_err_t | initial_attest_get_token_size (const psa_invec *in_vec, uint32_t num_invec, psa_outvec *out_vec, uint32_t num_outvec) |
Get the size of the initial attestation token. More... | |
psa_status_t | psa_attestation_inject_key (const uint8_t *key_data, size_t key_data_length, psa_key_type_t type, uint8_t *public_key_data, size_t public_key_data_size, size_t *public_key_data_length) |
Generate or import a given key pair and export the public part in a binary format. More... | |
enum psa_attest_err_t | psa_initial_attest_get_token (const uint8_t *challenge_obj, uint32_t challenge_size, uint8_t *token, uint32_t *token_size) |
The list of fixed claims in the initial attestation token is still evolving, you can expect slight changes in the future. More... | |
enum psa_attest_err_t | psa_initial_attest_get_token_size (uint32_t challenge_size, uint32_t *token_size) |
Get the exact size of initial attestation token in bytes. More... | |
#define PSA_INITIAL_ATTEST_API_VERSION_MAJOR (0) |
PSA INITIAL ATTESTATION API version.
Definition at line 33 of file psa_initial_attestation_api.h.
#define PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 (32u) |
The allowed size of input challenge in bytes: 32, 48, 64 Challenge can be a nonce from server or the hash of some combined data : nonce + attested data by caller.
Definition at line 68 of file psa_initial_attestation_api.h.
Type of memory access.
Definition at line 26 of file attestation.h.
enum psa_attest_err_t |
Initial attestation service error types.
Definition at line 42 of file psa_initial_attestation_api.h.
enum psa_attest_err_t attest_check_memory_access | ( | void * | addr, |
uint32_t | size, | ||
enum attest_memory_access_t | access | ||
) |
Verify memory access rights.
[in] | addr | Pointer to the base of the address range to check |
[in] | size | Size of the address range to check |
[in] | access | Type of memory access as specified in attest_memory_access |
enum psa_attest_err_t attest_get_boot_data | ( | uint8_t | major_type, |
void * | ptr, | ||
uint32_t | len | ||
) |
Copy the boot data (coming from boot loader) from shared memory area to service memory area.
[in] | major_type | Major type of TLV entries to copy |
[out] | ptr | Pointer to the buffer to store the boot data [in] len Size of the buffer to store the boot data |
enum psa_attest_err_t attest_get_caller_client_id | ( | int32_t * | caller_id | ) |
Get the ID of the caller thread.
[out] | caller_id | Pointer where to store caller ID |
enum psa_attest_err_t attest_init | ( | void | ) |
Initialise the initial attestation service during the TF-M boot up process.
enum psa_attest_err_t initial_attest_get_token | ( | const psa_invec * | in_vec, |
uint32_t | num_invec, | ||
psa_outvec * | out_vec, | ||
uint32_t | num_outvec | ||
) |
Get initial attestation token.
[in] | in_vec | Pointer to in_vec array, which contains input data to attestation service |
[in] | num_invec | Number of elements in in_vec array |
enum psa_attest_err_t initial_attest_get_token_size | ( | const psa_invec * | in_vec, |
uint32_t | num_invec, | ||
psa_outvec * | out_vec, | ||
uint32_t | num_outvec | ||
) |
Get the size of the initial attestation token.
[in] | in_vec | Pointer to in_vec array, which contains input data to attestation service |
[in] | num_invec | Number of elements in in_vec array |
[out] | out_vec | Pointer to out_vec array, which contains pointer where to store the output data |
[in] | num_outvec | Number of elements in out_vec array |
psa_status_t psa_attestation_inject_key | ( | const uint8_t * | key_data, |
size_t | key_data_length, | ||
psa_key_type_t | type, | ||
uint8_t * | public_key_data, | ||
size_t | public_key_data_size, | ||
size_t * | public_key_data_length | ||
) |
Generate or import a given key pair and export the public part in a binary format.
Initial attestation key: Private key for ECDSA-P256 to sign initial attestation token. Attestation private key is a persistent key that saved to persistent storage with persistent storage id = 17.
[in] | key_data | Buffer containing the private key data if given. It must conain the format described in the documentation of psa_export_public_key() for the chosen type. In case of generate the private key - NULL will pass. |
key_data_length | Size of the data buffer in bytes - must be 256 bits. in case key_data isn't NULL. In case of private key generation - 0 will pass. | |
type | Key type - must be a ECC key type (a PSA_KEY_TYPE_ECC_KEYPAIR(PSA_ECC_CURVE_XXX) value). | |
[out] | data | Buffer where the key data is to be written. |
data_size | Size of the data buffer in bytes - needs to be bigger then the max size of the public part. | |
[out] | data_length | On success, the number of bytes that make up the key data. |
PSA_SUCCESS | Success. |
PSA_ERROR_INVALID_HANDLE | |
#PSA_ERROR_OCCUPIED_SLOT | There is already a key in the specified slot. |
PSA_ERROR_NOT_SUPPORTED | |
PSA_ERROR_INVALID_ARGUMENT | |
PSA_ERROR_INSUFFICIENT_MEMORY | |
PSA_ERROR_INSUFFICIENT_ENTROPY | |
PSA_ERROR_COMMUNICATION_FAILURE | |
PSA_ERROR_HARDWARE_FAILURE | |
#PSA_ERROR_TAMPERING_DETECTED | |
PSA_ERROR_BAD_STATE | The library has not been previously initialized by psa_crypto_init(). It is implementation-dependent whether a failure to initialize results in this error code. |
enum psa_attest_err_t psa_initial_attest_get_token | ( | const uint8_t * | challenge_obj, |
uint32_t | challenge_size, | ||
uint8_t * | token, | ||
uint32_t * | token_size | ||
) |
The list of fixed claims in the initial attestation token is still evolving, you can expect slight changes in the future.
The initial attestation token is planned to be aligned with future version of Entity Attestation Token format: https://tools.ietf.org/html/draft-mandyam-eat-01
Current list of claims:
Unknown (0x1000u),
Client ID: The partition ID of that secure partition or non-secure thread who called the initial attestation API. Custom claim with a value encoded as a signed integer. Negative number represents non-secure caller, positive numbers represents secure callers, zero is invalid.
[in] | challenge_obj | Pointer to buffer where challenge input is stored. Nonce and / or hash of attested data. Must be always PSA_INITIAL_ATTEST_CHALLENGE_SIZE bytes long. |
[in] | challenge_size | Size of challenge object in bytes. |
[out] | token | Pointer to the buffer where attestation token must be stored. |
enum psa_attest_err_t psa_initial_attest_get_token_size | ( | uint32_t | challenge_size, |
uint32_t * | token_size | ||
) |
Get the exact size of initial attestation token in bytes.
It just returns with the size of the IAT token. It can be used if the caller dynamically allocates memory for the token buffer.
[in] | challenge_size | Size of challenge object in bytes. |
[out] | token_size | Size of the token in bytes, which is created by initial attestation service. |