PTA Remote Attestation #7006
PTA Remote Attestation #7006
Conversation
|
Base64 stuff in #7007 |
|
Thank you for moving Could you please advise on the next steps? Should we update our codebase solely to reflect this relocation, or are there other changes we should consider? Thank you for your guidance. |
|
Please rebase on top of the latest to get the updated base64 code. While you do that please separate the imported code that you copied from somewhere into separate commits. For instance |
|
jenswi-linaro |
core/pta/remote_attestation/cbor.c
Outdated
| @@ -0,0 +1,190 @@ | |||
| #include "cbor.h" | |||
There was a problem hiding this comment.
Missing license and copyright header files.
Ditto for some of the other new header and C source files.
| * | ||
| * Return codes: | ||
| * TEE_SUCCESS | ||
| * TEE_ERROR_ACCESS_DENIED - Caller is not a user space TA |
There was a problem hiding this comment.
Prefer Client instead of Caller
| @@ -0,0 +1,426 @@ | |||
| /*============================================================================== | |||
There was a problem hiding this comment.
/* SPDX-License-Identifier: BSD-3-Clause */
|
We reorganized the structure of files and confirmed the binary is build correctly. |
|
We don't use merge commits in pull requests. Please cherry-pick or rebase the branch as needed to replace the merge commits. The commit messages need some work, see https://optee.readthedocs.io/en/latest/general/contribute.html#commit-messages. Since you need to rewrite the history of your branch you need to use |
|
We update the branch. |
|
This pull request adds almost 15000 lines of code. That's too much to review in one go, it must be split into smaller commits. While you have a few commits here, the first one is still almost 15000 lines of code. Sometimes we do large commits like "core: copy files from base repo https://github.com/iisec-suzaki/optee-ra", but that's when updating or importing upstream code that has already been reviewed in that project. In this case, I expect the TA to be added in steps, with different components in separate patches. We have already suggested that |
|
We separated the commit for adding the QCBOR-related libraries and the commit for adding the files necessary for PTA remote attestation. Most of this PR is copied from the QCBOR repository. |
There was a problem hiding this comment.
Hello @kunisuzaki,
Some comments on the QCBOR import.
- I'd like to minimize the differences with upstream, so that updates are easier. Please use the same directory structure as upstream, under
core/lib/qcbor/, that is:
core/lib/qcbor/src/*
core/lib/qcbor/inc/*
...and drop commit "core/lib/qcbor: adjust include paths for QCBOR library files". - Since you do not import all files, please mention in the commit description the commands used to copy from the upstream library into
core/lib/qcbor. We probably want only the src and include directory as well as the LICENSE file. Please see b60fc42a for an example. - Finally, please use subject "core: import QCBOR library" and give the URL in the description.
core/pta/remote_attestation/cbor.c
Outdated
| @@ -1,3 +1,8 @@ | |||
| // SPDX-License-Identifier: BSD-2-Clause | |||
| /* | |||
| * Copyright (C) 2024, Insitite of Information Security (IISEC) | |||
There was a problem hiding this comment.
Institute (and in other places too)
|
Hello @jforissier |
|
For "ci: build with CFG_VERAISON_ATTESTATION_PTA=y":
|
|
For "core: import QCBOR library", I've reproduced the commit with an identical result. |
core/lib/qcbor/sub.mk
Outdated
| cflags-y += -Wno-declaration-after-statement | ||
| cflags-y += -Wno-redundant-decls | ||
| cflags-y += -DQCBOR_DISABLE_FLOAT_HW_USE | ||
| cflags-remove-y += -mgeneral-regs-only |
There was a problem hiding this comment.
Why is this line needed?
There was a problem hiding this comment.
To ignore these error.
core/lib/qcbor/src/ieee754.c: In function 'IEEE754_HalfToDouble':
core/lib/qcbor/src/ieee754.c:212:1: error: '-mgeneral-regs-only' is incompatible with the use of floating-point types
212 | IEEE754_HalfToDouble(uint16_t uHalfPrecision)
| ^~~~~~~~~~~~~~~~~~~~
core/lib/qcbor/src/ieee754.c: In function 'IEEE754_AssembleDouble':
core/lib/qcbor/src/ieee754.c:197:1: error: '-mgeneral-regs-only' is incompatible with the use of floating-point types
197 | IEEE754_AssembleDouble(uint64_t uDoubleSign,
| ^~~~~~~~~~~~~~~~~~~~~~
There was a problem hiding this comment.
This will not work as intended since floating-point is not enabled in OP-TEE core. There are exceptions with VFP in for example https://github.com/OP-TEE/optee_os/blob/master/core/arch/arm/crypto/sha256_armv8a_ce.c, but that's only to allow assembly code use SIMD and floating-point registers. If you don't need floating-point conversion, we should disable it.
core/lib/qcbor/sub.mk
Outdated
| global-incdirs-y += inc | ||
| cflags-y += -Wno-declaration-after-statement | ||
| cflags-y += -Wno-redundant-decls | ||
| cflags-y += -DQCBOR_DISABLE_FLOAT_HW_USE |
There was a problem hiding this comment.
Please use cppflags-y instead.
|
I wonder if it wouldn't be easier to review this if the following commits were squashed into one. The diff is smaller and it's code that's supposed to work without further modifications. It's not a big deal, but the code churn may distract the review a bit. |
|
Hello @jenswi-linaro, |
There was a problem hiding this comment.
Many coding style comments and few more interesting comments.
For the remote attestation PTA, since it is specific to the Veraison scheme, I think think it should be named Veraison, as usedd in the config switch CFG_VERAISON_ATTESTATION_PTA
core/pta/veraison_attestation/
lib/libutee/include/pta_veraison_attestation.h
Coul you update scripts/checkpatch_inc.sh to exclude
CHECKPATCH_IGNORE=$(echo \
core/include/gen-asm-defines.h \
(...)
core/arch/arm/dts \
ta/pkcs11/scripts/verify-helpers.sh \
+ core/lib/qcbor \
core/arch/riscv/include/encoding.h )
core/lib/qcbor/sub.mk
Outdated
| cflags-y += -Wno-redundant-decls | ||
| cppflags-y += -DQCBOR_DISABLE_FLOAT_HW_USE | ||
| cppflags-y += -DQCBOR_DISABLE_PREFERRED_FLOAT | ||
| cppflags-y += -DUSEFULBUF_DISABLE_ALL_FLOAT |
There was a problem hiding this comment.
Could you change cflags-y to cflags-lib-y so that they apply to qcbor library only?
For the cppflags-lib-y, the directives seems needed in the header files which the PTA include so I guess they should be global.
There was a problem hiding this comment.
cflags-y only affects the current sub.mk file, while cflags-lib-y affects all the sub.mk used to build a lib.
Do we need these cppflags-y to be used outside of the qcbor library?
There was a problem hiding this comment.
cflags-y only affects the current sub.mk file, while cflags-lib-y affects all the sub.mk used to build a lib.
Thanks for the details. Indeed chaning from cflags-y to cflags-lib-y does not chagne the build. Indeed, this sub.mk is the root one for this lib (qcbor) so they are equivalent here.
Do we need these cppflags-y to be used outside of the qcbor library?
I think they do. The directives defined with-D are used in some header files (core/lib/qcbor/inc/qcbor/*.h) indirectly included from core/pta/remote_attestation/{cbor.c|remote_attestation.c}.
There was a problem hiding this comment.
It looks like -DUSEFULBUF_DISABLE_ALL_FLOAT should be enough, judging from qcbor/qcbor_private.h.
We don't have a global-cppflags-y, so either we need to implement that or set add it to cppflags$(sm) on the line after ifeq ($(CFG_QCBOR),y) in core/core.mk.
I can create a PR to add global-cppflags-y support for sub.mk files if that's what we want.
There was a problem hiding this comment.
+1 for global-cpp-flags-y
There was a problem hiding this comment.
Finally, what should we change in this PR?
core/pta/remote_attestation/cbor.h
Outdated
| */ | ||
|
|
||
| #ifndef PTA_REMOTE_ATTESTATION_TA_CBOR_H | ||
| #define PTA_REMOTE_ATTESTATION_TA_CBOR_H |
There was a problem hiding this comment.
Prefer PTA_REMOTE_ATTESTATION_CBOR_H| (wihtout TA_) to better match the header file name.
Ditto in hash.h and sign.h.
core/pta/remote_attestation/hash.h
Outdated
| #ifndef PTA_REMOTE_ATTESTATION_TA_HASH_H | ||
| #define PTA_REMOTE_ATTESTATION_TA_HASH_H | ||
|
|
||
| #include <tee_api_types.h> |
There was a problem hiding this comment.
prefer with explicit inclusion of stddef.h (for size_t) and stdint.h (for uint8_t)
| /* clang-format on */ | ||
|
|
||
| static TEE_Result cmd_get_cbor_evidence(uint32_t param_types, | ||
| TEE_Param params[TEE_NUM_PARAMS]) { |
There was a problem hiding this comment.
Brace at a new line, for coding style:
static TEE_Result cmd_get_cbor_evidence(uint32_t param_types,
TEE_Param params[TEE_NUM_PARAMS])
{This comment applies to all functions in core/pta/remote_attestation/*.c files.
| const int psa_security_lifecycle = LIFECYCLE; | ||
| const char measurement_type[] = MEASURMENT_TYPE; | ||
| const uint8_t signer_id[SIGNER_ID_LEN] = {SIGNER_ID}; | ||
| const uint8_t psa_instance_id[INSTANCE_ID_LEN] = {INSTANCE_ID}; |
There was a problem hiding this comment.
for coding style: add a space char after opening brace and before closing brace:
const uint8_t signer_id[SIGNER_ID_LEN] = { SIGNER_ID };
Also applies to lines 57, 59 and 61.
core/pta/remote_attestation/hash.c
Outdated
| return TEE_ERROR_ACCESS_DENIED; | ||
|
|
||
| /* The output buffer must be large enough to hold the hash. */ | ||
| if (out_sz < TEE_SHA256_HASH_SIZE) |
There was a problem hiding this comment.
Nitpicking: this could be removed by expecting a well sized buffer:
`TEE_Result get_hash_ta_memory(uint8_t out[TEE_SHA256_HASH_SIZE]);
| UBC.ptr = UB.ptr; | ||
| UBC.len = UB.len; | ||
|
|
||
| return UBC; |
There was a problem hiding this comment.
What is the scope of such a local variable that in defined in an inline function?
Stack allocated for UBC is released when caller function block is terminated?
There was a problem hiding this comment.
I did not write it, we will have to read the library to know the details.
| @@ -0,0 +1,2506 @@ | |||
| /* ========================================================================= | |||
There was a problem hiding this comment.
Would it be possible to add an SPDX-License-Identifier tag for each source and header files in core/lib/qcbor/ . Maybe this can be addressed in a specific commit so that commit "core: import QCBOR library" dumps the files as found in the referred source stated in the commit message, without any such local changes.
There was a problem hiding this comment.
Should I handle the addition of licence headers in a separate commit from "core: import QCBOR library"?
There was a problem hiding this comment.
Yes, preferably I think but that's not a strong opinion.
There was a problem hiding this comment.
Yes, please. It makes it easier for the library to be updated in the future.
core/pta/remote_attestation/sub.mk
Outdated
| @@ -0,0 +1,4 @@ | |||
| srcs-$(CFG_VERAISON_ATTESTATION_PTA) += remote_attestation.c | |||
There was a problem hiding this comment.
This sub.mk file needs cflags-y += -Wno-declaration-after-statement and cflags-y += -Wno-redundant-decls.
core/pta/remote_attestation/cbor.c
Outdated
| size_t signer_id_len, const uint8_t *psa_instance_id, | ||
| size_t psa_instance_id_len, const uint8_t *psa_nonce, | ||
| size_t psa_nonce_len, const uint8_t *measurement_value, | ||
| size_t mv_len, UsefulBuf cbor_evidence_buffer) { |
There was a problem hiding this comment.
Coding style:
UsefulBufC
encode_evidence_to_cbor(const char *eat_profile, const int psa_client_id,
(...)
size_t mv_len, UsefulBuf cbor_evidence_buffer)
{and use tabulation for indentation.
core/pta/remote_attestation/hash.c
Outdated
|
|
||
| /* | ||
| * Make an array of region pointers so we can use qsort() to order it. | ||
| */ |
There was a problem hiding this comment.
We are using clang-format in this repository to format my code, but it doesn't seem to be working properly.
There was a problem hiding this comment.
OP-TEE OS is not using clang-format. Rather a Linux kernel like format. Could it be possible to adhere to that format, for OP-TEE OS specific source/header files?
Regarding libraries whose source/header files are copied into OP-TEE OS source tree (like qcbor), it's fine preserving the original library format/coding-style. Just ensure CHECKPATCH_IGNORE in scripts/checkpatch_inc.sh contains the lib base path so that checkpatch does not emit false positive reports.
core/pta/remote_attestation/hash.c
Outdated
| if (is_region_valid(r)) | ||
| nregions++; | ||
|
|
||
| regions = malloc(nregions * sizeof(*regions)); |
There was a problem hiding this comment.
prefer calloc(nregions, sizeof(*regions))
core/pta/remote_attestation/hash.c
Outdated
| /* | ||
| * Sort regions so that they are in a consistent order even when TA ASLR | ||
| * is enabled. | ||
| */ |
| #include "hash.h" | ||
| #include <base64.h> | ||
| #include <stdlib.h> | ||
| #include <string.h> |
There was a problem hiding this comment.
To following OP-TEE OS coding style:
#include <base64.h>
#include <kernel/pseudo_ta.h>
#include <pta_remote_attestation.h>
#include <stdlib.h>
#include <string.h>
#include "cbor.h"
#include "hash.h"|
|
||
| /* clang-format off */ | ||
| #define SIGNER_ID \ | ||
| 0xac, 0xbb, 0x11, 0xc7, 0xe4, 0xda, 0x21, 0x72, \ |
There was a problem hiding this comment.
could you fix indentation for lines 30 to 39?
| } | ||
|
|
||
| /* Sign the CBOR and generate a COSE evidence */ | ||
| UsefulBuf_MAKE_STACK_UB(buffer_for_cose, *output_buffer_len); |
There was a problem hiding this comment.
Please have a look ay my comment #7006 (comment).
core/pta/remote_attestation/cbor.c
Outdated
| QCBOREncode_AddBytes(&context, payload); | ||
| QCBOREncode_CloseArray(&context); | ||
|
|
||
| UsefulBufC tbs; |
There was a problem hiding this comment.
Add an initialization value for each local variable that misses one + add an empty line below the local last variable definition.
This comment applies also to other functions in this source file.
| @@ -0,0 +1,2506 @@ | |||
| /* ========================================================================= | |||
There was a problem hiding this comment.
Yes, preferably I think but that's not a strong opinion.
core/pta/remote_attestation/sign.c
Outdated
| static struct ecc_public_key *pubkey = NULL; | ||
|
|
||
| /* | ||
| FIXME: Currently, keys are directly embedded within the code. From a security |
There was a problem hiding this comment.
I think all config switches should be defined (with an explicit inline description comment) and have a default value in mk/config/mk, next to CFG_VERAISON_ATTESTATION_PTA.
core/pta/remote_attestation/cbor.c
Outdated
| /* Close top level array for COSE_Sign1 */ | ||
| QCBOREncode_CloseArray(&cose_context); | ||
|
|
||
| UsefulBufC signed_cose; |
There was a problem hiding this comment.
Could you move this definition (and those at lines 119, 120, 128, 129, 137) at instruction block entry?
|
@etienne-lms We follow your suggestions and update the branch. |
There was a problem hiding this comment.
- For commit "core: import QCBOR library":
Acked-by: Jerome Forissier <[email protected]> - For commit "core/lib/qcbor: add build configuration for QCBOR library":
Reviewed-by: Jerome Forissier <[email protected]> - For commit "core/lib/qcbor: add SPDX license identifiers to QCBOR files":
Acked-by: Jerome Forissier <[email protected]>
I would prefer you reorder this commit just after "core: import QCBOR library". - For commit "core/pta/remote_attestation: integrate PTA remote attestation":
Could you please rewrite the description to use the imperative mood? "Copy PTA... Add build configuration... Replace the custom based implementation... etc.".
Thanks!
|
@jforissier I added a |
|
@etienne-lms Thanks a lot for your review. How should I put your |
core/pta/veraison_attestation/sub.mk
Outdated
| srcs-$(CFG_VERAISON_ATTESTATION_PTA) += hash.c | ||
| srcs-$(CFG_VERAISON_ATTESTATION_PTA) += sign.c | ||
|
|
||
| cflags-y += -Wno-declaration-after-statement |
There was a problem hiding this comment.
It's a pity we need to disable these two warnings because of the QCBOR header files.
It's out of the scope of this PR to fix that, but in the longer term, we should look into how to temporarily disable warnings in a header file.
There was a problem hiding this comment.
That should be cflags-$(CFG_VERAISON_ATTESTATION_PTA) += ... and same for the next line
There was a problem hiding this comment.
For " core/pta/remote_attestation: integrate PTA remote attestation":
- "remote attestation PTA", not "PTA remote attestation".
- Please see my comments below
- With the above addressed, please add
Acked-by: Jerome Forissier <[email protected]>
core/pta/veraison_attestation/sub.mk
Outdated
| srcs-$(CFG_VERAISON_ATTESTATION_PTA) += hash.c | ||
| srcs-$(CFG_VERAISON_ATTESTATION_PTA) += sign.c | ||
|
|
||
| cflags-y += -Wno-declaration-after-statement |
There was a problem hiding this comment.
That should be cflags-$(CFG_VERAISON_ATTESTATION_PTA) += ... and same for the next line
core/pta/veraison_attestation/sub.mk
Outdated
|
|
||
| ifeq ($(CFG_VERAISON_ATTESTATION_PTA_TEST_KEY),y) | ||
| cppflags-y += -DCFG_VERAISON_ATTESTATION_PTA_TEST_KEY | ||
| endif |
There was a problem hiding this comment.
More simply written as cppflags-$(CFG_VERAISON_ATTESTATION_PTA_TEST_KEY) += -DCFG_VERAISON_ATTESTATION_PTA_TEST_KEY
|
One more thing about " core/pta/remote_attestation: integrate PTA remote attestation": the path is now incorrect. I think the subject should be "core/pta/veraison_attestation: integrate Veraison remote attestation PTA" |
There was a problem hiding this comment.
Acked-by: Etienne Carriere <[email protected]> (with minor comment addressed) for commits
- "core: import QCBOR library"
with s/Imports/Import/ in commit message - "core/lib/qcbor: add SPDX license identifiers to QCBOR files"
with s/This commit adds/Add/ in commit message,
with s/core/lib/qcbor/core: lib: qcbor:/ in header line; - "core/lib/qcbor: add build configuration for QCBOR library"
with s/This commit adds/Add/ and s/Updates/Update/ in commit message,
with s/core/lib/qcbor/core: lib: qcbor:/ in header line; - "ci: build with CFG_VERAISON_ATTESTATION_PTA=y".
Few comments for commit "core/pta/veraison_attestation: integrate Veraison remote attestation PTA".
core/pta/veraison_attestation/cbor.c
Outdated
| } | ||
|
|
||
| static void encode_protected_header_wrapper(QCBOREncodeContext *context, | ||
| void *args) |
There was a problem hiding this comment.
prefer use __unused here instead of line 135.
(and add #include <compiler.h>)
| ubc_cbor_evidence); | ||
| if (UsefulBuf_IsNULLC(tbs_payload)) { | ||
| DMSG("Failed to encode to-be-signed payload"); | ||
| mempool_free(mempool_default, (void *)protected_header.ptr); |
There was a problem hiding this comment.
Nitpicking maybe: for consistency, it would be nice to add a release_encoded_buffer() helper function (that calls mempool_free()) next to build_encoded_buffer() definition so that it is simpler to find the matching mempool_alloc()/mempool_free() calls.
| #define PTA_VERAISON_ATTESTATION_HASH_H | ||
|
|
||
| #include <stddef.h> | ||
| #include <stdint.h> |
core/pta/veraison_attestation/sign.c
Outdated
|
|
||
| static void free_keypair(void) | ||
| { | ||
| assert(key && key->d && key->x && key->y); |
There was a problem hiding this comment.
The 3 last assertion will fail when called from generate_key() error path.
Prefer something like:
- assert(key && key->d && key->x && key->y);
+ if(!key)
+ return;Ditto for free_pubkey().
core/pta/veraison_attestation/sign.c
Outdated
| /* Allocate the key pair*/ | ||
| res = generate_key(); | ||
| if (res != TEE_SUCCESS) | ||
| goto out; |
There was a problem hiding this comment.
nitpicking: return res is simpler here
core/pta/veraison_attestation/sub.mk
Outdated
| cflags-$(CFG_VERAISON_ATTESTATION_PTA) += -Wno-declaration-after-statement | ||
| cflags-$(CFG_VERAISON_ATTESTATION_PTA) += -Wno-redundant-decls | ||
|
|
||
| cppflags-$(CFG_VERAISON_ATTESTATION_PTA_TEST_KEY) += -DCFG_VERAISON_ATTESTATION_PTA_TEST_KEY |
There was a problem hiding this comment.
The above line is not needed. CFG_VERAISON_ATTESTATION_PTA_TEST_KEY macro is already defined for C sources build directive when the config switch is enabled.
There was a problem hiding this comment.
Good catch, I missed that
| /* Encode measurement_value to base64 */ | ||
| if (base64_enc(measurement_value, TEE_SHA256_HASH_SIZE, | ||
| b64_measurement_value, | ||
| &b64_measurement_value_len) != 1) { |
There was a problem hiding this comment.
base64_en() returns a bool value. Prefer test against a bool value here:
if (!base64_enc(...)) { error case ... }
| DMSG("Failed to encode measurement_value to base64"); | ||
| return TEE_ERROR_GENERIC; | ||
| } | ||
| b64_measurement_value[b64_measurement_value_len] = '\0'; |
There was a problem hiding this comment.
Terminal nul byte is already set by base64_enc().
| free_ubc_cose_evidence: | ||
| mempool_free(mempool_default, (void *)ubc_cose_evidence.ptr); | ||
| free_ubc_cbor_evidence: | ||
| mempool_free(mempool_default, (void *)ubc_cbor_evidence.ptr); |
There was a problem hiding this comment.
I think calling here some release_cose_evidence()/release_cbor_evidence() helper function (or a single release_encoded_buffer() helper function) would help mantainaince of the allocation scheme use in this PTA.
| * TEE_ERROR_ACCESS_DENIED - Caller is not a user space TA | ||
| * TEE_ERROR_BAD_PARAMETERS - Incorrect input param | ||
| * TEE_ERROR_SHORT_BUFFER - Output buffer size less than required | ||
| * TEE_ERROR_NOT_IMPLEMENTED - Command not implemented |
There was a problem hiding this comment.
There are few other return codes this PTA can report.
Maybe replace Return codes with Main return codes at line 24?
core/pta/veraison_attestation/sign.c
Outdated
|
|
||
| static void free_pubkey(void) | ||
| { | ||
| if(!key) |
core/pta/veraison_attestation/sign.c
Outdated
| key = calloc(1, sizeof(*key)); | ||
| if (!key) { | ||
| return TEE_ERROR_OUT_OF_MEMORY; | ||
| } |
There was a problem hiding this comment.
nitpicking: remove braces as per OP-TEE OS coding style
There was a problem hiding this comment.
Acked-by: Etienne Carriere <[email protected]> for commit
"core/pta/veraison_attestation: integrate Veraison remote attestation PTA"
with commit header line fixed:
pta: veraison_attestation: integrate Veraison remote attestation PTA
I think it would be worth to explicitly mention in mk/config.mk that CFG_VERAISON_ATTESTATION_PTA is an experimental feature even if it's somewhat already the case since CFG_VERAISON_ATTESTATION_PTA_TESTKEY is mandated.
mmxsrup
force-pushed
the
master
branch
2 times, most recently
from
06738f4
to
4ced682
Compare
|
I did apply some additional fixes. Is there anything else that needs to be done? |
|
@mmxsrup, it's not easy to find what you've modified in the latest version. It would have been easier for us if you had appended some fixup commits on top of the already reviewed series so we can check and ack' them. |
|
@etienne-lms Sorry, Thank you for your cooperation. |
|
@jenswi-linaro should your Ack be applied to all commits? Thanks. |
Yes, please. |
Import QCBOR v1.4.1 from https://github.com/laurencelundblade/QCBOR Commit 4487f10e1bf258434fb8a39e4f59c29e31910ad0 (tag v1.4.1) Certain files will never be needed and are thus removed (reducing number of lines to almost 60%): rm -f CMakeLists.txt Makefile SECURITY.md rm -f .gitignore rm -f cmd_line_main.c example.c example.h ub-example.c ub-example.h rm -rf QCBOR.xcodeproj doc doxygen test rm -rf .git .github Signed-off-by: Yuichi Sugiyama <[email protected]> Acked-by: Jens Wiklander <[email protected]> Acked-by: Jerome Forissier <[email protected]> Acked-by: Etienne Carriere <[email protected]>
Add SPDX license identifiers to QCBOR files as per BSD-3-Clause licensing requirements, ensuring clear license information across both header and source files. Signed-off-by: Yuichi Sugiyama <[email protected]> Acked-by: Jerome Forissier <[email protected]> Acked-by: Etienne Carriere <[email protected]> Acked-by: Jens Wiklander <[email protected]>
Add the necessary build configuration for integrating the QCBOR library. Update to core.mk ensure that the library is included when CFG_QCBOR is enabled. A sub.mk file is also added to define the source files and global include directories for QCBOR. Signed-off-by: Yuichi Sugiyama <[email protected]> Reviewed-by: Jerome Forissier <[email protected]> Acked-by: Etienne Carriere <[email protected]> Acked-by: Jens Wiklander <[email protected]>
Copy remote attestation PTA functionality from the repository: https://github.com/iisec-suzaki/optee-ra (commit: 80ca8ef), and make the following adjustments for integration: - Add build configuration for remote attestation PTA by introducing the CFG_VERAISON_ATTESTATION_PTA option to align with the new naming convention. - Replace the custom base64 implementation with the base64 library added in PR OP-TEE#7007. - Update QCBOR integration by removing custom QCBOR files and using the standard library, adjusting paths as necessary. - Apply region validation improvements introduced in PR OP-TEE#6195. - Update API calls in sign.c to align with libmbedtls changes from PR OP-TEE#6151. - Calculate the required buffer size at runtime to minimize memory allocation. - Refactor code to improve readability and maintainability. - Add SPDX license identifier (BSD-2-Clause) and copyright notice. Signed-off-by: Yuichi Sugiyama <[email protected]> Reviewed-by: Thomas Fossati <[email protected]> Acked-by: Jerome Forissier <[email protected]> Acked-by: Etienne Carriere <[email protected]> Acked-by: Jens Wiklander <[email protected]>
Add a build configuration CFG_VERAISON_ATTESTATION_PTA=y. Signed-off-by: Yuichi Sugiyama <[email protected]> Reviewed-by: Jerome Forissier <[email protected]> Acked-by: Etienne Carriere <[email protected]> Acked-by: Jens Wiklander <[email protected]>
|
@jenswi-linaro I added |
|
@mmxsrup thanks for your contribution. |
As commented at isse #6921 "OP-TEE Remote Attestation with VERAISON Verification", I create a pull request.
I hope this pull request follows the mammer.
I will add the CA and TA for this PTA Remote Attestation, I will make a pull request at
optee_examples.