refactor(esp_tee): Update TEE attestation tests and examples to use the PSA interface

Laukik Hase
2025-12-31 12:01:09 +05:30
parent 1752290f02
commit b470f08c94
12 changed files with 300 additions and 90 deletions
@@ -137,10 +137,9 @@ help [<string>] [-v <0|1>]
```log
esp32c6> tee_att_info
I (8180) tee_attest: Attestation token - Length: 1455
I (8180) tee_attest: Attestation token - Length: 1587
I (8180) tee_attest: Attestation token - Data:
'{"header":{"magic":"44fef7cc","encr_alg":"","sign_alg":"ecdsa_secp256r1_sha256","key_id":"tee_att_key0"},"eat":{"nonce":-1582119980,"client_id":262974944,"device_ver":0,"device_id":"cd9c173cb3675c7adfae243f0cd9841e4bce003237cb5321927a85a86cb4b32e","instance_id":"9616ef0ecf02cdc89a3749f8fc16b3103d5100bd42d9312fcd04593baa7bac64","psa_cert_ref":"0716053550477-10100","device_status":165,"sw_claims":{"tee":{"type":1,"ver":"v0.3.0","idf_ver":"v5.1.4-241-g7ff01fd46f-dirty","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"94536998e1dcb2a036477cb2feb01ed4fff67ba6208f30482346c62bca64b280","digest_validated":true,"sign_verified":true}},"app":{"type":2,"ver":"v0.1.0","idf_ver":"v5.1.4-241-g7ff01fd46f-dirty","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"3d4c038fcec76852b4d07acb9e94afaf5fca69fc2eb212a32032d09ce5b4f2b3","digest_validated":true,"sign_verified":true,"secure_padding":true}},"bootloader":{"type":0,"ver":"","idf_ver":"","secure_ver":-1,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"1bef421beb1a4642c6fcefb3e37fd4afad60cb4074e538f42605b012c482b946","digest_validated":true,"sign_verified":true}}}},"public_key":{"compressed":"02039c4bfab0762af1aff2fe5596b037f629cf839da8c4a9c0018afedfccf519a6"},"sign":{"r":"915e749f5a780bc21a2b21821cfeb54286dc742e9f12f2387e3de9b8b1a70bc9","s":"1e583236f2630b0fe8e291645ffa35d429f14035182e19868508d4dac0e1a441"}}'
'{"header":{"magic":"44fef7cc","encr_alg":"","sign_alg":"ecdsa_secp256r1_sha256","key_id":"tee_att_key0"},"eat":{"auth_challenge":"dcb9b53143ad6b081dad1a05c7ebda4e314d388762215799cf24ed52e9387678","client_id":262974944,"device_ver":0,"device_id":"cd9c173cb3675c7adfae243f0cd9841e4bce003237cb5321927a85a86cb4b32e","instance_id":"9616ef0ecf02cdc89a3749f8fc16b3103d5100bd42d9312fcd04593baa7bac64","psa_cert_ref":"0716053550477-10100","device_status":165,"sw_claims":{"tee":{"type":1,"ver":"v0.3.0","idf_ver":"v5.1.4-241-g7ff01fd46f-dirty","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"94536998e1dcb2a036477cb2feb01ed4fff67ba6208f30482346c62bca64b280","digest_validated":true,"sign_verified":true}},"app":{"type":2,"ver":"v0.1.0","idf_ver":"v5.1.4-241-g7ff01fd46f-dirty","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"3d4c038fcec76852b4d07acb9e94afaf5fca69fc2eb212a32032d09ce5b4f2b3","digest_validated":true,"sign_verified":true,"secure_padding":true}},"bootloader":{"type":0,"ver":"","idf_ver":"","secure_ver":-1,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"1bef421beb1a4642c6fcefb3e37fd4afad60cb4074e538f42605b012c482b946","digest_validated":true,"sign_verified":true}}}},"public_key":{"compressed":"02039c4bfab0762af1aff2fe5596b037f629cf839da8c4a9c0018afedfccf519a6"},"sign":{"r":"915e749f5a780bc21a2b21821cfeb54286dc742e9f12f2387e3de9b8b1a70bc9","s":"1e583236f2630b0fe8e291645ffa35d429f14035182e19868508d4dac0e1a441"}}'
```
</details>
@@ -1,6 +1,4 @@
dependencies:
tee_attestation:
path: ${IDF_PATH}/components/esp_tee/subproject/components/tee_attestation
tee_ota_ops:
path: ${IDF_PATH}/components/esp_tee/subproject/components/tee_ota_ops
tee_sec_storage:
@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@@ -7,6 +7,7 @@
#include "esp_event.h"
#include "esp_log.h"
#include "esp_random.h"
#include "freertos/FreeRTOS.h"
#include "freertos/task.h"
@@ -14,16 +15,13 @@
#include "esp_console.h"
#include "argtable3/argtable3.h"
#include "esp_tee_attestation.h"
#include "example_tee_srv.h"
#include "psa/crypto.h"
#include "psa/initial_attestation.h"
static const char *TAG = "tee_attest";
#define ESP_ATT_TK_BUF_SIZE (1792)
#define ESP_ATT_TK_PSA_CERT_REF ("0716053550477-10100")
static uint8_t token_buf[ESP_ATT_TK_BUF_SIZE] = {0};
static int tee_dump_att_token(int argc, char **argv)
{
if (argc != 1) {
@@ -31,16 +29,40 @@ static int tee_dump_att_token(int argc, char **argv)
return ESP_ERR_INVALID_ARG;
}
uint32_t token_len = 0;
esp_err_t err = esp_tee_att_generate_token(0xA1B2C3D4, 0x0FACADE0, (const char *)ESP_ATT_TK_PSA_CERT_REF,
token_buf, sizeof(token_buf), &token_len);
if (err != ESP_OK) {
esp_err_t err = ESP_FAIL;
// Prepare authentication challenge
uint8_t auth_challenge[PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32];
size_t challenge_size = sizeof(auth_challenge);
esp_fill_random(auth_challenge, challenge_size);
// Get the required token buffer size
size_t token_buf_size = 0;
psa_status_t status = psa_initial_attest_get_token_size(challenge_size, &token_buf_size);
if (status != ESP_OK) {
ESP_LOGE(TAG, "Failed to get token size: %x (PSA status)", status);
return err;
}
ESP_LOGI(TAG, "Attestation token - Length: %lu", token_len);
// Allocate buffer based on the required size
uint8_t *token_buf = calloc(token_buf_size, sizeof(uint8_t));
if (token_buf == NULL) {
return ESP_ERR_NO_MEM;
}
// Generating the attestation token
size_t token_len = 0;
status = psa_initial_attest_get_token(auth_challenge, challenge_size, token_buf, token_buf_size, &token_len);
if (status != PSA_SUCCESS) {
ESP_LOGE(TAG, "Failed to generate token: %x (PSA status)", status);
free(token_buf);
return err;
}
ESP_LOGI(TAG, "Attestation token - Length: %zu", token_len);
ESP_LOGI(TAG, "Attestation token - Data:\n'%.*s'", (int)token_len, token_buf);
free(token_buf);
return ESP_OK;
}
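Review bot: The size-query check in tee_dump_att_token compares a psa_status_t against an ESP-IDF error constant, `if (status != ESP_OK)`, while the token call a few lines later uses `status != PSA_SUCCESS`; the first check should read `if (status != PSA_SUCCESS) {`. Both constants are zero, so behaviour is unchanged today, but mixing the two error domains hides which API failed and invites passing PSA codes to ESP error helpers. The secure-storage test hunk has the same mix-up where it wraps `psa_initial_attest_get_token_size()` and `psa_initial_attest_get_token()` in `TEST_ESP_OK(...)`; `TEST_ASSERT_EQUAL_HEX32(PSA_SUCCESS, ...)` would report the value as a PSA status. The function's opening lines are in the previous hunk.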
@@ -4,7 +4,7 @@ set(priv_requires bootloader_support esp_driver_gptimer esp_tee esp_timer mbedtl
# Test FW related
list(APPEND priv_requires nvs_flash test_utils unity)
# TEE related
list(APPEND priv_requires tee_sec_storage tee_attestation tee_ota_ops test_sec_srv)
list(APPEND priv_requires tee_sec_storage tee_ota_ops test_sec_srv)
set(srcs "app_main.c")
@@ -1,8 +1,6 @@
dependencies:
ccomp_timer: "^1.0.0"
espressif/cjson: "^1.7.19"
tee_attestation:
path: ${IDF_PATH}/components/esp_tee/subproject/components/tee_attestation
tee_ota_ops:
path: ${IDF_PATH}/components/esp_tee/subproject/components/tee_ota_ops
tee_sec_storage:
@@ -1,17 +1,21 @@
/*
* SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2019-2025, Arm Limited or its affiliates. All rights reserved.
*
* SPDX-License-Identifier: Apache-2.0
*
* SPDX-FileContributor: 2024-2026 Espressif Systems (Shanghai) CO LTD
*/
#include <string.h>
#include "esp_log.h"
#include "esp_heap_caps.h"
#include "esp_random.h"
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
#include "psa/crypto.h"
#include "psa/initial_attestation.h"
#include "esp_tee.h"
#include "esp_tee_attestation.h"
#include "secure_service_num.h"
#include "esp_tee_sec_storage.h"
@@ -19,6 +23,8 @@
#include "cJSON.h"
#include "unity.h"
#include "test_esp_tee_att_data.h"
/* Note: negative value here so that assert message prints a grep-able
error hex value (mbedTLS uses -N for error codes) */
#define TEST_ASSERT_MBEDTLS_OK(X) TEST_ASSERT_EQUAL_HEX32(0, -(X))
@@ -27,14 +33,9 @@
#define SHA256_DIGEST_SZ (32)
#define ECDSA_SECP256R1_KEY_LEN (32)
#define ESP_ATT_TK_BUF_SIZE (1792)
#define ESP_ATT_TK_PSA_CERT_REF ("0632793520245-10010")
#define ESP_ATT_TK_NONCE (0xABCD1234)
#define ESP_ATT_TK_CLIENT_ID (0x0FACADE0)
static const char *TAG = "test_esp_tee_att";
__attribute__((unused)) static const char *TAG = "test_esp_tee_att";
/* Helper functions */
extern int verify_ecdsa_sign(const esp_tee_sec_storage_type_t key_type, const uint8_t *digest, size_t len, const esp_tee_sec_storage_ecdsa_pubkey_t *pubkey, const esp_tee_sec_storage_ecdsa_sign_t *sign);
static uint8_t hexchar_to_byte(char hex)
@@ -244,17 +245,8 @@ static void fetch_signature(const char *token_json, esp_tee_sec_storage_ecdsa_si
cJSON_Delete(root);
}
TEST_CASE("Test TEE Attestation - Generate and verify the EAT", "[attestation]")
static void verify_attestation_token(const uint8_t *token_buf, size_t token_len)
{
uint8_t *token_buf = heap_caps_calloc(ESP_ATT_TK_BUF_SIZE, sizeof(uint8_t), MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
TEST_ASSERT_NOT_NULL(token_buf);
// Generating the attestation token
uint32_t token_len = 0;
TEST_ESP_OK(esp_tee_att_generate_token(0xA1B2C3D4, 0x0FACADE0, (const char *)ESP_ATT_TK_PSA_CERT_REF,
token_buf, ESP_ATT_TK_BUF_SIZE, &token_len));
ESP_LOGI(TAG, "EAT generated - length: %"PRIu32"", token_len);
// Pre-hashing the data
uint8_t digest[SHA256_DIGEST_SZ] = {};
prehash_token_data((const char *)token_buf, digest, sizeof(digest));
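Review bot: verify_attestation_token() accepts `token_len`, but the lines visible here pass the buffer to `prehash_token_data((const char *)token_buf, ...)` as a C string, so the length reported by the PSA call does not appear to bound the parse. The new caller supplies an array of exactly `PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE` bytes, which leaves no spare byte for a terminator if a token ever fills it. Sizing that array as `uint8_t token_buffer[PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE + 1];` keeps the string helpers in bounds. Alternatively, document the precondition on the helper with `/* token_buf must be NUL-terminated JSON; token_len is not used to bound parsing */`. Part of the function body lies between this hunk and the next, so `token_len` may be used there.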
@@ -269,24 +261,92 @@ TEST_CASE("Test TEE Attestation - Generate and verify the EAT", "[attestation]")
// Verifying the generated token
TEST_ASSERT_EQUAL(0, verify_ecdsa_sign(ESP_SEC_STG_KEY_ECDSA_SECP256R1, digest, sizeof(digest), &pubkey_ctx, &sign_ctx));
free(token_buf);
}
TEST_CASE("Test TEE Attestation - Invalid token buffer", "[attestation]")
/* Test-cases */
int32_t psa_initial_attestation_get_token_test(void)
{
esp_err_t err;
uint32_t token_len = 0;
int num_checks = sizeof(check1) / sizeof(check1[0]);
psa_status_t status;
size_t token_buffer_size, token_size;
uint8_t challenge[PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64 + 1];
uint8_t token_buffer[PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE];
uint8_t *token_buf = heap_caps_calloc(4, sizeof(uint8_t), MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
TEST_ASSERT_NOT_NULL(token_buf);
for (int i = 0; i < num_checks; i++) {
size_t challenge_size = check1[i].challenge_size;
err = esp_tee_att_generate_token(ESP_ATT_TK_NONCE, ESP_ATT_TK_CLIENT_ID, (const char *)ESP_ATT_TK_PSA_CERT_REF,
token_buf, 0, &token_len);
TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, err);
printf("Check %d: ", i);
printf("%s", check1[i].test_desc);
err = esp_tee_att_generate_token(ESP_ATT_TK_NONCE, ESP_ATT_TK_CLIENT_ID, (const char *)ESP_ATT_TK_PSA_CERT_REF,
NULL, 0, &token_len);
TEST_ESP_ERR(ESP_ERR_INVALID_ARG, err);
memset(challenge, 0x2a, sizeof(challenge));
memset(token_buffer, 0, sizeof(token_buffer));
free(token_buf);
status = psa_initial_attest_get_token_size(challenge_size, &token_buffer_size);
if (status != PSA_SUCCESS) {
if (challenge_size != PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 &&
challenge_size != PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48 &&
challenge_size != PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64) {
token_buffer_size = check1[i].token_size;
challenge_size = check1[i].actual_challenge_size;
} else {
return status;
}
}
if (token_buffer_size > PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE) {
printf("Insufficient token buffer size\n");
return -1;
}
status = psa_initial_attest_get_token(challenge, challenge_size, token_buffer,
token_buffer_size, &token_size);
TEST_ASSERT_EQUAL_HEX32(check1[i].expected_status, status);
if (check1[i].expected_status != PSA_SUCCESS) {
continue;
}
/* Validate the token */
verify_attestation_token(token_buffer, token_size);
}
return 0;
}
int32_t psa_initial_attestation_get_token_size_test(void)
{
int num_checks = sizeof(check2) / sizeof(check2[0]);
psa_status_t status;
size_t token_size;
for (int i = 0; i < num_checks; i++) {
printf("Check %d: ", i);
printf("%s", check2[i].test_desc);
status = psa_initial_attest_get_token_size(check2[i].challenge_size, &token_size);
TEST_ASSERT_EQUAL_HEX32(check2[i].expected_status, status);
if (check2[i].expected_status != PSA_SUCCESS) {
continue;
}
if (token_size < check2[i].challenge_size) {
printf("Token size less than challenge size\n");
return -1;
}
}
return 0;
}
TEST_CASE("PSA Attestation: Test psa_initial_attestation_get_token", "[attestation]")
{
TEST_ASSERT_PSA_OK(psa_initial_attestation_get_token_test());
}
TEST_CASE("PSA Attestation: Test psa_initial_attestation_get_token_size", "[attestation]")
{
TEST_ASSERT_PSA_OK(psa_initial_attestation_get_token_size_test());
}
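Review bot: The recovery branch taken when `psa_initial_attest_get_token_size()` fails needs a comment, because the data table depends on it in a non-obvious way. Rows that test a zero or undersized token buffer carry a deliberately invalid `challenge_size`, so the size query fails and the row's `token_size` and `actual_challenge_size` are substituted. A comment above the inner `if` would make this readable, e.g. `/* Size query rejected the challenge: use the row's token_size and actual_challenge_size so get_token() is exercised with those values */`. Separately, `token_buffer[PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE]` sits on the test task's stack, while the `heap_caps_calloc` lines in this file (apparently the removed ones) used the heap. If that constant is in the kilobyte range, a heap buffer is the safer choice.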
@@ -0,0 +1,123 @@
/*
* SPDX-FileCopyrightText: 2019-2023, Arm Limited or its affiliates. All rights reserved.
*
* SPDX-License-Identifier: Apache-2.0
*
* SPDX-FileContributor: 2026 Espressif Systems (Shanghai) CO LTD
*/
#ifndef _TEST_DATA_H_
#define _TEST_DATA_H_
#include "psa/crypto_values.h"
#include "psa/initial_attestation.h"
/* Define TOKEN_SIZE and MAX_CHALLENGE_SIZE if not already defined */
#ifndef TOKEN_SIZE
#define TOKEN_SIZE PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE
#endif
#ifndef MAX_CHALLENGE_SIZE
#define MAX_CHALLENGE_SIZE PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64
#endif
typedef struct {
char test_desc[100];
size_t challenge_size;
size_t actual_challenge_size;
size_t token_size;
psa_status_t expected_status;
} test_data;
static const test_data check1[] = {
{
"Test psa_initial_attestation_get_token with Challenge 32\n",
PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32, TOKEN_SIZE, PSA_SUCCESS
},
{
"Test psa_initial_attestation_get_token with Challenge 48\n",
PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48, TOKEN_SIZE, PSA_SUCCESS
},
{
"Test psa_initial_attestation_get_token with Challenge 64\n",
PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64, TOKEN_SIZE, PSA_SUCCESS
},
{
"Test psa_initial_attestation_get_token with zero challenge size\n",
0, 0, TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT
},
{
"Test psa_initial_attestation_get_token with small challenge size\n",
PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 - 1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 - 1,
TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT
},
{
"Test psa_initial_attestation_get_token with invalid challenge size\n",
PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 + 1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 + 1,
TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT
},
{
"Test psa_initial_attestation_get_token with large challenge size\n",
MAX_CHALLENGE_SIZE + 1, MAX_CHALLENGE_SIZE + 1, TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT
},
{
"Test psa_initial_attestation_get_token with zero as token size\n",
PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 - 1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32,
0, PSA_ERROR_INVALID_ARGUMENT
},
{
"Test psa_initial_attestation_get_token with small token size\n",
PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 - 1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32,
PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 - 1, PSA_ERROR_BUFFER_TOO_SMALL
},
};
static const test_data check2[] = {
{
"Test psa_initial_attestation_get_token_size with Challenge 32\n",
PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32, TOKEN_SIZE, PSA_SUCCESS
},
{
"Test psa_initial_attestation_get_token_size with Challenge 48\n",
PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48, TOKEN_SIZE, PSA_SUCCESS
},
{
"Test psa_initial_attestation_get_token_size with Challenge 64\n",
PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64, TOKEN_SIZE, PSA_SUCCESS
},
{
"Test psa_initial_attestation_get_token_size with zero challenge size\n",
0, 0,
TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT
},
{
"Test psa_initial_attestation_get_token_size with small challenge size\n",
PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 - 1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 - 1,
TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT
},
{
"Test psa_initial_attestation_get_token_size with invalid challenge size\n",
PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 + 1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 + 1,
TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT
},
{
"Test psa_initial_attestation_get_token_size with large challenge size\n",
MAX_CHALLENGE_SIZE + 1, MAX_CHALLENGE_SIZE + 1,
TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT
},
};
#endif /* _TEST_DATA_H_ */
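Review bot: The include guard `_TEST_DATA_H_` uses an identifier reserved for the implementation (leading underscore followed by an uppercase letter) and is generic enough to collide with another header's guard. A name derived from the file avoids both, e.g. `#ifndef TEST_ESP_TEE_ATT_DATA_H`, assuming this is the `test_esp_tee_att_data.h` included by the test source. The header also uses `size_t` without including `<stddef.h>`, relying on the PSA headers to provide it. The `check2` rows fill `actual_challenge_size` and `token_size`, which the size test never reads; a short comment on the struct fields saying which test consumes which field would help.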
@@ -13,9 +13,7 @@
#include "esp_tee.h"
#include "esp_tee_sec_storage.h"
#include "secure_service_num.h"
#if CONFIG_SECURE_TEE_ATTESTATION
#include "esp_tee_attestation.h"
#endif
#include "psa/initial_attestation.h"
#include "esp_random.h"
#include "nvs.h"
@@ -33,9 +31,6 @@
#define ECDSA_SECP256R1_KEY_LEN (32)
#define ECDSA_SECP192R1_KEY_LEN (24)
#define ESP_ATT_TK_BUF_SIZE (1792)
#define ESP_ATT_TK_PSA_CERT_REF ("0632793520245-10010")
#define MAX_SEC_STG_ITER (16)
static const char *TAG = "test_esp_tee_sec_storage";
@@ -527,13 +522,19 @@ TEST_CASE("Test TEE Secure Storage - Host-generated keys", "[sec_storage_host_ke
#endif /* CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP384R1_SIGN */
#if CONFIG_SECURE_TEE_ATTESTATION
uint8_t *token_buf = heap_caps_calloc(ESP_ATT_TK_BUF_SIZE, sizeof(uint8_t), MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
// Prepare authentication challenge (just the nonce/challenge data)
uint8_t auth_challenge[PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32];
size_t challenge_size = sizeof(auth_challenge);
esp_fill_random(auth_challenge, challenge_size);
size_t token_buf_size = 0;
TEST_ESP_OK(psa_initial_attest_get_token_size(challenge_size, &token_buf_size));
uint8_t *token_buf = heap_caps_calloc(token_buf_size, sizeof(uint8_t), MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
TEST_ASSERT_NOT_NULL(token_buf);
uint32_t token_len = 0;
TEST_ESP_OK(esp_tee_att_generate_token(0xA1B2C3D4, 0x0FACADE0, (const char *)ESP_ATT_TK_PSA_CERT_REF,
token_buf, ESP_ATT_TK_BUF_SIZE, &token_len));
size_t token_len = 0;
TEST_ESP_OK(psa_initial_attest_get_token(auth_challenge, challenge_size, token_buf, token_buf_size, &token_len));
free(token_buf);
const char *attest_key_id = "attest_key";
@@ -26,7 +26,7 @@
"key_id": "tee_att_key0",
},
"eat": {
"nonce": -1582119980,
"auth_challenge": "dcb9b53143ad6b081dad1a05c7ebda4e314d388762215799cf24ed52e9387678",
"client_id": 262974944,
"device_ver": 1,
"device_id": "e8cddb2a7f9a5a7c61735d6dda26e4bd153c6d772a9be6f26bd321dfe25e0ac8",
@@ -1,2 +1,3 @@
idf_component_register(SRCS "app_main.c"
INCLUDE_DIRS ".")
INCLUDE_DIRS "."
PRIV_REQUIRES esp_tee mbedtls)
@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Unlicense OR CC0-1.0
*/
@@ -9,43 +9,54 @@
#include "esp_system.h"
#include "esp_log.h"
#include "esp_random.h"
#include "freertos/FreeRTOS.h"
#include "freertos/task.h"
#include "esp_tee_attestation.h"
#include "psa/crypto.h"
#include "psa/initial_attestation.h"
static const char *TAG = "example_tee_attest";
#define ESP_ATT_TK_NONCE (0xA1B2C3D4)
#define ESP_ATT_TK_CLIENT_ID (0x0FACADE0)
#define ESP_ATT_TK_BUF_SIZE (1792)
#define ESP_ATT_TK_PSA_CERT_REF ("0716053550477-10100")
static uint8_t token_buf[ESP_ATT_TK_BUF_SIZE] = {0};
void app_main(void)
{
ESP_LOGI(TAG, "TEE Attestation Service");
uint32_t token_len = 0;
// Prepare authentication challenge for freshness
uint8_t auth_challenge[PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32];
size_t challenge_size = sizeof(auth_challenge);
esp_fill_random(auth_challenge, challenge_size);
/* Generate entity attestation token using the following parameters
* and return the token length in token_len:
* - Nonce value for freshness
* - Client ID to identify requester
* - PSA certification ID reference string
* - Buffer to store the generated token
// Get the required token buffer size
size_t token_buf_size = 0;
psa_status_t status = psa_initial_attest_get_token_size(challenge_size, &token_buf_size);
if (status != PSA_SUCCESS) {
ESP_LOGE(TAG, "Failed to get token size: %x", status);
abort();
}
// Allocate buffer based on the required size
uint8_t *token_buf = calloc(token_buf_size, sizeof(uint8_t));
if (token_buf == NULL) {
abort();
}
/* Generate entity attestation token using PSA interface
* - Authentication challenge for freshness
* - Dynamic buffer allocation based on required size
*/
esp_err_t err = esp_tee_att_generate_token(ESP_ATT_TK_NONCE, ESP_ATT_TK_CLIENT_ID, (const char *)ESP_ATT_TK_PSA_CERT_REF,
token_buf, sizeof(token_buf), &token_len);
if (err != ESP_OK) {
ESP_LOGE(TAG, "Failed to generate entity attestation token!");
size_t token_len = 0;
status = psa_initial_attest_get_token(auth_challenge, challenge_size, token_buf, token_buf_size, &token_len);
if (status != PSA_SUCCESS) {
ESP_LOGE(TAG, "Failed to generate entity attestation token: %x (PSA status)", status);
free(token_buf);
abort();
}
/* Print the generated token details - length and contents */
ESP_LOGI(TAG, "Attestation token - Length: %lu", token_len);
ESP_LOGI(TAG, "Attestation token - Length: %zu", token_len);
ESP_LOGI(TAG, "Attestation token - Data:\n'%.*s'", (int)token_len, token_buf);
free(token_buf);
}
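Review bot: The comments `Prepare authentication challenge for freshness` and `Authentication challenge for freshness` overstate what this example demonstrates, because the challenge is produced on the device with `esp_fill_random()` and no outside party can tell from it that the token is fresh. In a deployment the challenge comes from the verifier, which then checks that the `auth_challenge` claim in the returned token matches what it sent. I would reword the first comment to something like `// Example only: a real verifier supplies this challenge and checks it in the returned token`. The console command `tee_dump_att_token` fills its challenge the same way and could carry the same remark. It is also worth stating next to the call that `esp_fill_random()` output is only true-random when an entropy source (RF subsystem or bootloader random) is enabled.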
@@ -1,3 +0,0 @@
dependencies:
tee_attestation:
path: ${IDF_PATH}/components/esp_tee/subproject/components/tee_attestation