diff --git a/components/esp_tee/test_apps/tee_cli_app/README.md b/components/esp_tee/test_apps/tee_cli_app/README.md
index 67ae90d8f1..bc661586bd 100644
--- a/components/esp_tee/test_apps/tee_cli_app/README.md
+++ b/components/esp_tee/test_apps/tee_cli_app/README.md
@@ -137,10 +137,9 @@ help [] [-v <0|1>] ```log esp32c6> tee_att_info -I (8180) tee_attest: Attestation token - Length: 1455 +I (8180) tee_attest: Attestation token - Length: 1587 I (8180) tee_attest: Attestation token - Data: -'{"header":{"magic":"44fef7cc","encr_alg":"","sign_alg":"ecdsa_secp256r1_sha256","key_id":"tee_att_key0"},"eat":{"nonce":-1582119980,"client_id":262974944,"device_ver":0,"device_id":"cd9c173cb3675c7adfae243f0cd9841e4bce003237cb5321927a85a86cb4b32e","instance_id":"9616ef0ecf02cdc89a3749f8fc16b3103d5100bd42d9312fcd04593baa7bac64","psa_cert_ref":"0716053550477-10100","device_status":165,"sw_claims":{"tee":{"type":1,"ver":"v0.3.0","idf_ver":"v5.1.4-241-g7ff01fd46f-dirty","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"94536998e1dcb2a036477cb2feb01ed4fff67ba6208f30482346c62bca64b280","digest_validated":true,"sign_verified":true}},"app":{"type":2,"ver":"v0.1.0","idf_ver":"v5.1.4-241-g7ff01fd46f-dirty","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"3d4c038fcec76852b4d07acb9e94afaf5fca69fc2eb212a32032d09ce5b4f2b3","digest_validated":true,"sign_verified":true,"secure_padding":true}},"bootloader":{"type":0,"ver":"","idf_ver":"","secure_ver":-1,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"1bef421beb1a4642c6fcefb3e37fd4afad60cb4074e538f42605b012c482b946","digest_validated":true,"sign_verified":true}}}},"public_key":{"compressed":"02039c4bfab0762af1aff2fe5596b037f629cf839da8c4a9c0018afedfccf519a6"},"sign":{"r":"915e749f5a780bc21a2b21821cfeb54286dc742e9f12f2387e3de9b8b1a70bc9","s":"1e583236f2630b0fe8e291645ffa35d429f14035182e19868508d4dac0e1a441"}}' - 
+'{"header":{"magic":"44fef7cc","encr_alg":"","sign_alg":"ecdsa_secp256r1_sha256","key_id":"tee_att_key0"},"eat":{"auth_challenge":"dcb9b53143ad6b081dad1a05c7ebda4e314d388762215799cf24ed52e9387678","client_id":262974944,"device_ver":0,"device_id":"cd9c173cb3675c7adfae243f0cd9841e4bce003237cb5321927a85a86cb4b32e","instance_id":"9616ef0ecf02cdc89a3749f8fc16b3103d5100bd42d9312fcd04593baa7bac64","psa_cert_ref":"0716053550477-10100","device_status":165,"sw_claims":{"tee":{"type":1,"ver":"v0.3.0","idf_ver":"v5.1.4-241-g7ff01fd46f-dirty","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"94536998e1dcb2a036477cb2feb01ed4fff67ba6208f30482346c62bca64b280","digest_validated":true,"sign_verified":true}},"app":{"type":2,"ver":"v0.1.0","idf_ver":"v5.1.4-241-g7ff01fd46f-dirty","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"3d4c038fcec76852b4d07acb9e94afaf5fca69fc2eb212a32032d09ce5b4f2b3","digest_validated":true,"sign_verified":true,"secure_padding":true}},"bootloader":{"type":0,"ver":"","idf_ver":"","secure_ver":-1,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"1bef421beb1a4642c6fcefb3e37fd4afad60cb4074e538f42605b012c482b946","digest_validated":true,"sign_verified":true}}}},"public_key":{"compressed":"02039c4bfab0762af1aff2fe5596b037f629cf839da8c4a9c0018afedfccf519a6"},"sign":{"r":"915e749f5a780bc21a2b21821cfeb54286dc742e9f12f2387e3de9b8b1a70bc9","s":"1e583236f2630b0fe8e291645ffa35d429f14035182e19868508d4dac0e1a441"}}' ``` diff --git a/components/esp_tee/test_apps/tee_cli_app/main/idf_component.yml b/components/esp_tee/test_apps/tee_cli_app/main/idf_component.yml index 2aea218675..823d442fd8 100644 --- a/components/esp_tee/test_apps/tee_cli_app/main/idf_component.yml +++ b/components/esp_tee/test_apps/tee_cli_app/main/idf_component.yml 
@@ -1,6 +1,4 @@ dependencies: - tee_attestation: - path: ${IDF_PATH}/components/esp_tee/subproject/components/tee_attestation tee_ota_ops: path: ${IDF_PATH}/components/esp_tee/subproject/components/tee_ota_ops tee_sec_storage: diff --git a/components/esp_tee/test_apps/tee_cli_app/main/tee_srv_att.c b/components/esp_tee/test_apps/tee_cli_app/main/tee_srv_att.c index 985897d7e5..794bd1d33f 100644 --- a/components/esp_tee/test_apps/tee_cli_app/main/tee_srv_att.c +++ b/components/esp_tee/test_apps/tee_cli_app/main/tee_srv_att.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -7,6 +7,7 @@ #include "esp_event.h" #include "esp_log.h" +#include "esp_random.h" #include "freertos/FreeRTOS.h" #include "freertos/task.h" @@ -14,16 +15,13 @@ #include "esp_console.h" #include "argtable3/argtable3.h" -#include "esp_tee_attestation.h" #include "example_tee_srv.h" +#include "psa/crypto.h" +#include "psa/initial_attestation.h" + static const char *TAG = "tee_attest"; -#define ESP_ATT_TK_BUF_SIZE (1792) -#define ESP_ATT_TK_PSA_CERT_REF ("0716053550477-10100") - -static uint8_t token_buf[ESP_ATT_TK_BUF_SIZE] = {0}; - static int tee_dump_att_token(int argc, char **argv) { if (argc != 1) { 
@@ -31,16 +29,40 @@ static int tee_dump_att_token(int argc, char **argv) return ESP_ERR_INVALID_ARG; } - uint32_t token_len = 0; - esp_err_t err = esp_tee_att_generate_token(0xA1B2C3D4, 0x0FACADE0, (const char *)ESP_ATT_TK_PSA_CERT_REF, - token_buf, sizeof(token_buf), &token_len); - if (err != ESP_OK) { + esp_err_t err = ESP_FAIL; + + // Prepare authentication challenge + uint8_t auth_challenge[PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32]; + size_t challenge_size = sizeof(auth_challenge); + esp_fill_random(auth_challenge, challenge_size); + + // Get the required token buffer size + size_t token_buf_size = 0; + psa_status_t status = psa_initial_attest_get_token_size(challenge_size, &token_buf_size); + if (status != ESP_OK) { + ESP_LOGE(TAG, "Failed to get token size: %x (PSA status)", status); return err; } - ESP_LOGI(TAG, "Attestation token - Length: %lu", token_len); + // Allocate buffer based on the required size + uint8_t *token_buf = calloc(token_buf_size, sizeof(uint8_t)); + if (token_buf == NULL) { + return ESP_ERR_NO_MEM; + } + + // Generating the attestation token + size_t token_len = 0; + status = psa_initial_attest_get_token(auth_challenge, challenge_size, token_buf, token_buf_size, &token_len); + if (status != PSA_SUCCESS) { + ESP_LOGE(TAG, "Failed to generate token: %x (PSA status)", status); + free(token_buf); + return err; + } + + ESP_LOGI(TAG, "Attestation token - Length: %zu", token_len); ESP_LOGI(TAG, "Attestation token - Data:\n'%.*s'", (int)token_len, token_buf); + free(token_buf); return ESP_OK; } diff --git a/components/esp_tee/test_apps/tee_test_fw/main/CMakeLists.txt b/components/esp_tee/test_apps/tee_test_fw/main/CMakeLists.txt index a4410f1f9b..d26dc82faf 100644 --- a/components/esp_tee/test_apps/tee_test_fw/main/CMakeLists.txt +++ b/components/esp_tee/test_apps/tee_test_fw/main/CMakeLists.txt 
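Review bot: The first status check in `tee_dump_att_token()` compares a `psa_status_t` against an `esp_err_t` constant (`if (status != ESP_OK)`), while the check after `psa_initial_attest_get_token()` a few lines later uses `PSA_SUCCESS`. Both constants are presumably zero, so behaviour is unchanged today, but the line should read `if (status != PSA_SUCCESS) {` so the two error domains stay separate. The same mixing appears in the `@@ -527,13 +522,19 @@` hunk of test_esp_tee_sec_stg.c, where both PSA calls are wrapped in `TEST_ESP_OK(...)`; `TEST_ASSERT_EQUAL_HEX32(PSA_SUCCESS, ...)` would report the PSA status as such. The opening lines of the function are outside this hunk.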
@@ -4,7 +4,7 @@ set(priv_requires bootloader_support esp_driver_gptimer esp_tee esp_timer mbedtl # Test FW related list(APPEND priv_requires nvs_flash test_utils unity) # TEE related -list(APPEND priv_requires tee_sec_storage tee_attestation tee_ota_ops test_sec_srv) +list(APPEND priv_requires tee_sec_storage tee_ota_ops test_sec_srv) set(srcs "app_main.c") diff --git a/components/esp_tee/test_apps/tee_test_fw/main/idf_component.yml b/components/esp_tee/test_apps/tee_test_fw/main/idf_component.yml index dc6aab8ab9..cbe2278300 100644 --- a/components/esp_tee/test_apps/tee_test_fw/main/idf_component.yml +++ b/components/esp_tee/test_apps/tee_test_fw/main/idf_component.yml @@ -1,8 +1,6 @@ dependencies: ccomp_timer: "^1.0.0" espressif/cjson: "^1.7.19" - tee_attestation: - path: ${IDF_PATH}/components/esp_tee/subproject/components/tee_attestation tee_ota_ops: path: ${IDF_PATH}/components/esp_tee/subproject/components/tee_ota_ops tee_sec_storage: diff --git a/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_att.c b/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_att.c index f6008aac42..8c4ae9067f 100644 --- a/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_att.c +++ b/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_att.c @@ -1,17 +1,21 @@ /* - * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2019-2025, Arm Limited or its affiliates. All rights reserved. * * SPDX-License-Identifier: Apache-2.0 + * + * SPDX-FileContributor: 2024-2026 Espressif Systems (Shanghai) CO LTD */ #include #include "esp_log.h" #include "esp_heap_caps.h" +#include "esp_random.h" + #define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS #include "psa/crypto.h" +#include "psa/initial_attestation.h" #include "esp_tee.h" -#include "esp_tee_attestation.h" #include "secure_service_num.h" #include "esp_tee_sec_storage.h" 
@@ -19,6 +23,8 @@ #include "cJSON.h" #include "unity.h" +#include "test_esp_tee_att_data.h" + /* Note: negative value here so that assert message prints a grep-able error hex value (mbedTLS uses -N for error codes) */ #define TEST_ASSERT_MBEDTLS_OK(X) TEST_ASSERT_EQUAL_HEX32(0, -(X)) @@ -27,14 +33,9 @@ #define SHA256_DIGEST_SZ (32) #define ECDSA_SECP256R1_KEY_LEN (32) -#define ESP_ATT_TK_BUF_SIZE (1792) -#define ESP_ATT_TK_PSA_CERT_REF ("0632793520245-10010") - -#define ESP_ATT_TK_NONCE (0xABCD1234) -#define ESP_ATT_TK_CLIENT_ID (0x0FACADE0) - -static const char *TAG = "test_esp_tee_att"; +__attribute__((unused)) static const char *TAG = "test_esp_tee_att"; +/* Helper functions */ extern int verify_ecdsa_sign(const esp_tee_sec_storage_type_t key_type, const uint8_t *digest, size_t len, const esp_tee_sec_storage_ecdsa_pubkey_t *pubkey, const esp_tee_sec_storage_ecdsa_sign_t *sign); static uint8_t hexchar_to_byte(char hex) @@ -244,17 +245,8 @@ static void fetch_signature(const char *token_json, esp_tee_sec_storage_ecdsa_si cJSON_Delete(root); } -TEST_CASE("Test TEE Attestation - Generate and verify the EAT", "[attestation]") +static void verify_attestation_token(const uint8_t *token_buf, size_t token_len) { - uint8_t *token_buf = heap_caps_calloc(ESP_ATT_TK_BUF_SIZE, sizeof(uint8_t), MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL); - TEST_ASSERT_NOT_NULL(token_buf); - - // Generating the attestation token - uint32_t token_len = 0; - TEST_ESP_OK(esp_tee_att_generate_token(0xA1B2C3D4, 0x0FACADE0, (const char *)ESP_ATT_TK_PSA_CERT_REF, - token_buf, ESP_ATT_TK_BUF_SIZE, &token_len)); - ESP_LOGI(TAG, "EAT generated - length: %"PRIu32"", token_len); - // Pre-hashing the data uint8_t digest[SHA256_DIGEST_SZ] = {}; prehash_token_data((const char *)token_buf, digest, sizeof(digest)); 
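Review bot: `verify_attestation_token()` now takes `token_len`, but the visible body still passes the buffer as a C string (`prehash_token_data((const char *)token_buf, digest, sizeof(digest))`), so the length is unused in this hunk. Parsing then depends on a NUL terminator that `psa_initial_attest_get_token()` is not shown to write. The caller zero-fills a `PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE` buffer, which only helps while the token is shorter than the buffer. The rest of the body is outside this hunk; if the length is unused there too, either document the precondition with `/* token_buf must hold NUL-terminated JSON; token_len is the length reported by the PSA call */` or add `TEST_ASSERT_LESS_THAN(PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE, token_size);` before the call.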
@@ -269,24 +261,92 @@ TEST_CASE("Test TEE Attestation - Generate and verify the EAT", "[attestation]") // Verifying the generated token TEST_ASSERT_EQUAL(0, verify_ecdsa_sign(ESP_SEC_STG_KEY_ECDSA_SECP256R1, digest, sizeof(digest), &pubkey_ctx, &sign_ctx)); - free(token_buf); } -TEST_CASE("Test TEE Attestation - Invalid token buffer", "[attestation]") +/* Test-cases */ +int32_t psa_initial_attestation_get_token_test(void) { - esp_err_t err; - uint32_t token_len = 0; + int num_checks = sizeof(check1) / sizeof(check1[0]); + psa_status_t status; + size_t token_buffer_size, token_size; + uint8_t challenge[PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64 + 1]; + uint8_t token_buffer[PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE]; - uint8_t *token_buf = heap_caps_calloc(4, sizeof(uint8_t), MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL); - TEST_ASSERT_NOT_NULL(token_buf); + for (int i = 0; i < num_checks; i++) { + size_t challenge_size = check1[i].challenge_size; - err = esp_tee_att_generate_token(ESP_ATT_TK_NONCE, ESP_ATT_TK_CLIENT_ID, (const char *)ESP_ATT_TK_PSA_CERT_REF, - token_buf, 0, &token_len); - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, err); + printf("Check %d: ", i); + printf("%s", check1[i].test_desc); - err = esp_tee_att_generate_token(ESP_ATT_TK_NONCE, ESP_ATT_TK_CLIENT_ID, (const char *)ESP_ATT_TK_PSA_CERT_REF, - NULL, 0, &token_len); - TEST_ESP_ERR(ESP_ERR_INVALID_ARG, err); + memset(challenge, 0x2a, sizeof(challenge)); + memset(token_buffer, 0, sizeof(token_buffer)); - free(token_buf); + status = psa_initial_attest_get_token_size(challenge_size, &token_buffer_size); + if (status != PSA_SUCCESS) { + if (challenge_size != PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 && + challenge_size != PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48 && + challenge_size != PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64) { + token_buffer_size = check1[i].token_size; + challenge_size = check1[i].actual_challenge_size; + } else { + return status; + } + } + + if (token_buffer_size > PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE) { + printf("Insufficient 
token buffer size\n"); + return -1; + } + + status = psa_initial_attest_get_token(challenge, challenge_size, token_buffer, + token_buffer_size, &token_size); + + TEST_ASSERT_EQUAL_HEX32(check1[i].expected_status, status); + + if (check1[i].expected_status != PSA_SUCCESS) { + continue; + } + + /* Validate the token */ + verify_attestation_token(token_buffer, token_size); + } + + return 0; +} + +int32_t psa_initial_attestation_get_token_size_test(void) +{ + int num_checks = sizeof(check2) / sizeof(check2[0]); + psa_status_t status; + size_t token_size; + + for (int i = 0; i < num_checks; i++) { + printf("Check %d: ", i); + printf("%s", check2[i].test_desc); + + status = psa_initial_attest_get_token_size(check2[i].challenge_size, &token_size); + + TEST_ASSERT_EQUAL_HEX32(check2[i].expected_status, status); + + if (check2[i].expected_status != PSA_SUCCESS) { + continue; + } + + if (token_size < check2[i].challenge_size) { + printf("Token size less than challenge size\n"); + return -1; + } + } + + return 0; +} + +TEST_CASE("PSA Attestation: Test psa_initial_attestation_get_token", "[attestation]") +{ + TEST_ASSERT_PSA_OK(psa_initial_attestation_get_token_test()); +} + +TEST_CASE("PSA Attestation: Test psa_initial_attestation_get_token_size", "[attestation]") +{ + TEST_ASSERT_PSA_OK(psa_initial_attestation_get_token_size_test()); } diff --git a/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_att_data.h b/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_att_data.h new file mode 100644 index 0000000000..fd267e3655 --- /dev/null +++ b/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_att_data.h 
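Review bot: The success path of `psa_initial_attestation_get_token_test()` only calls `verify_attestation_token(token_buffer, token_size)`, which receives no challenge, so nothing checks that the token's `auth_challenge` claim carries the 0x2a-filled challenge that was passed in. A token with a valid signature but a stale or unrelated challenge would still pass, and that binding is what a verifier relies on for replay protection. A small helper that parses the claim and compares it byte for byte would close the gap. The sketch below assumes the claim is lower-case hex as in the README sample and that `hexchar_to_byte()` returns the nibble value. `verify_attestation_token()` is defined outside this hunk.

```c
/* Checks that the token's "auth_challenge" claim is the hex encoding of the challenge passed to the PSA call */
static void verify_token_challenge(const uint8_t *token_buf, size_t token_len,
                                   const uint8_t *challenge, size_t challenge_size)
{
    /* Length-bounded parse: does not rely on a NUL terminator after the token */
    cJSON *root = cJSON_ParseWithLength((const char *)token_buf, token_len);
    TEST_ASSERT_NOT_NULL(root);

    const cJSON *eat = cJSON_GetObjectItem(root, "eat");
    const cJSON *claim = cJSON_GetObjectItem(eat, "auth_challenge");
    TEST_ASSERT_TRUE(cJSON_IsString(claim));
    TEST_ASSERT_EQUAL(2 * challenge_size, strlen(claim->valuestring));

    for (size_t i = 0; i < challenge_size; i++) {
        uint8_t byte = (uint8_t)((hexchar_to_byte(claim->valuestring[2 * i]) << 4) |
                                 hexchar_to_byte(claim->valuestring[2 * i + 1]));
        TEST_ASSERT_EQUAL_HEX8(challenge[i], byte);
    }

    cJSON_Delete(root);
}

// … unchanged: check loop, psa_initial_attest_get_token_size() fallback, psa_initial_attest_get_token() call …

        /* Validate the token */
        verify_attestation_token(token_buffer, token_size);
        verify_token_challenge(token_buffer, token_size, challenge, challenge_size);
```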
@@ -0,0 +1,123 @@ +/* + * SPDX-FileCopyrightText: 2019-2023, Arm Limited or its affiliates. All rights reserved. + * + * SPDX-License-Identifier: Apache-2.0 + * + * SPDX-FileContributor: 2026 Espressif Systems (Shanghai) CO LTD + */ +#ifndef _TEST_DATA_H_ +#define _TEST_DATA_H_ + +#include "psa/crypto_values.h" +#include "psa/initial_attestation.h" + +/* Define TOKEN_SIZE and MAX_CHALLENGE_SIZE if not already defined */ +#ifndef TOKEN_SIZE +#define TOKEN_SIZE PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE +#endif + +#ifndef MAX_CHALLENGE_SIZE +#define MAX_CHALLENGE_SIZE PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64 +#endif + +typedef struct { + char test_desc[100]; + size_t challenge_size; + size_t actual_challenge_size; + size_t token_size; + psa_status_t expected_status; +} test_data; + +static const test_data check1[] = { + { + "Test psa_initial_attestation_get_token with Challenge 32\n", + PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32, TOKEN_SIZE, PSA_SUCCESS + }, + + { + "Test psa_initial_attestation_get_token with Challenge 48\n", + PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48, TOKEN_SIZE, PSA_SUCCESS + }, + + { + "Test psa_initial_attestation_get_token with Challenge 64\n", + PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64, TOKEN_SIZE, PSA_SUCCESS + }, + + { + "Test psa_initial_attestation_get_token with zero challenge size\n", + 0, 0, TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT + }, + + { + "Test psa_initial_attestation_get_token with small challenge size\n", + PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 - 1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 - 1, + TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT + }, + + { + "Test psa_initial_attestation_get_token with invalid challenge size\n", + PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 + 1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 + 1, + TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT + }, + + { + "Test psa_initial_attestation_get_token with large challenge size\n", + MAX_CHALLENGE_SIZE + 1, 
MAX_CHALLENGE_SIZE + 1, TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT + }, + + { + "Test psa_initial_attestation_get_token with zero as token size\n", + PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 - 1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32, + 0, PSA_ERROR_INVALID_ARGUMENT + }, + + { + "Test psa_initial_attestation_get_token with small token size\n", + PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 - 1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32, + PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 - 1, PSA_ERROR_BUFFER_TOO_SMALL + }, +}; + +static const test_data check2[] = { + { + "Test psa_initial_attestation_get_token_size with Challenge 32\n", + PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32, TOKEN_SIZE, PSA_SUCCESS + }, + + { + "Test psa_initial_attestation_get_token_size with Challenge 48\n", + PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48, TOKEN_SIZE, PSA_SUCCESS + }, + + { + "Test psa_initial_attestation_get_token_size with Challenge 64\n", + PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64, TOKEN_SIZE, PSA_SUCCESS + }, + + { + "Test psa_initial_attestation_get_token_size with zero challenge size\n", + 0, 0, + TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT + }, + + { + "Test psa_initial_attestation_get_token_size with small challenge size\n", + PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 - 1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 - 1, + TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT + }, + + { + "Test psa_initial_attestation_get_token_size with invalid challenge size\n", + PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 + 1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 + 1, + TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT + }, + + { + "Test psa_initial_attestation_get_token_size with large challenge size\n", + MAX_CHALLENGE_SIZE + 1, MAX_CHALLENGE_SIZE + 1, + TOKEN_SIZE, PSA_ERROR_INVALID_ARGUMENT + }, +}; + +#endif /* _TEST_DATA_H_ */ 
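Review bot: The last two `check1` entries ("zero as token size", "small token size") depend on an undocumented convention: `challenge_size` is deliberately invalid (`PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 - 1`) so that the size query fails and the test falls back to `actual_challenge_size` and `token_size`. Nothing in the `test_data` struct says so, and a later edit that "fixes" the odd challenge size would silently stop exercising the small-buffer path. A comment on the struct fields would cover it, e.g. `/* challenge_size: passed to get_token_size; actual_challenge_size and token_size: used for get_token when that size query is expected to fail */`. Separately, the guard `_TEST_DATA_H_` is a reserved identifier (leading underscore plus upper-case letter) and generic enough to collide; `#pragma once` or a file-specific name would be safer. The header also uses `size_t` without including `<stddef.h>` itself.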
diff --git a/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c b/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c index da72c34c27..dcd086c364 100644 --- a/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c +++ b/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c @@ -13,9 +13,7 @@ #include "esp_tee.h" #include "esp_tee_sec_storage.h" #include "secure_service_num.h" -#if CONFIG_SECURE_TEE_ATTESTATION -#include "esp_tee_attestation.h" -#endif +#include "psa/initial_attestation.h" #include "esp_random.h" #include "nvs.h" @@ -33,9 +31,6 @@ #define ECDSA_SECP256R1_KEY_LEN (32) #define ECDSA_SECP192R1_KEY_LEN (24) -#define ESP_ATT_TK_BUF_SIZE (1792) -#define ESP_ATT_TK_PSA_CERT_REF ("0632793520245-10010") - #define MAX_SEC_STG_ITER (16) static const char *TAG = "test_esp_tee_sec_storage"; 
@@ -527,13 +522,19 @@ TEST_CASE("Test TEE Secure Storage - Host-generated keys", "[sec_storage_host_ke #endif /* CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP384R1_SIGN */ #if CONFIG_SECURE_TEE_ATTESTATION - uint8_t *token_buf = heap_caps_calloc(ESP_ATT_TK_BUF_SIZE, sizeof(uint8_t), MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL); + // Prepare authentication challenge (just the nonce/challenge data) + uint8_t auth_challenge[PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32]; + size_t challenge_size = sizeof(auth_challenge); + esp_fill_random(auth_challenge, challenge_size); + + size_t token_buf_size = 0; + TEST_ESP_OK(psa_initial_attest_get_token_size(challenge_size, &token_buf_size)); + + uint8_t *token_buf = heap_caps_calloc(token_buf_size, sizeof(uint8_t), MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL); TEST_ASSERT_NOT_NULL(token_buf); - uint32_t token_len = 0; - TEST_ESP_OK(esp_tee_att_generate_token(0xA1B2C3D4, 0x0FACADE0, (const char *)ESP_ATT_TK_PSA_CERT_REF, - token_buf, ESP_ATT_TK_BUF_SIZE, &token_len)); - + size_t token_len = 0; + TEST_ESP_OK(psa_initial_attest_get_token(auth_challenge, challenge_size, token_buf, token_buf_size, &token_len)); free(token_buf); const char *attest_key_id = "attest_key"; diff --git a/examples/security/tee/tee_attestation/README.md b/examples/security/tee/tee_attestation/README.md index 4f8ee89a3b..72b87ce690 100644 --- a/examples/security/tee/tee_attestation/README.md +++ b/examples/security/tee/tee_attestation/README.md @@ -26,7 +26,7 @@ "key_id": "tee_att_key0", }, "eat": { - "nonce": -1582119980, + "auth_challenge": "dcb9b53143ad6b081dad1a05c7ebda4e314d388762215799cf24ed52e9387678", "client_id": 262974944, "device_ver": 1, "device_id": "e8cddb2a7f9a5a7c61735d6dda26e4bd153c6d772a9be6f26bd321dfe25e0ac8", diff --git a/examples/security/tee/tee_attestation/main/CMakeLists.txt b/examples/security/tee/tee_attestation/main/CMakeLists.txt index a129db3d96..57581f33ee 100644 --- a/examples/security/tee/tee_attestation/main/CMakeLists.txt 
+++ b/examples/security/tee/tee_attestation/main/CMakeLists.txt @@ -1,2 +1,3 @@ idf_component_register(SRCS "app_main.c" - INCLUDE_DIRS ".") + INCLUDE_DIRS "." + PRIV_REQUIRES esp_tee mbedtls) diff --git a/examples/security/tee/tee_attestation/main/app_main.c b/examples/security/tee/tee_attestation/main/app_main.c index e3b2800cf4..4e351f1cbe 100644 --- a/examples/security/tee/tee_attestation/main/app_main.c +++ b/examples/security/tee/tee_attestation/main/app_main.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Unlicense OR CC0-1.0 */ 
@@ -9,43 +9,54 @@ #include "esp_system.h" #include "esp_log.h" +#include "esp_random.h" #include "freertos/FreeRTOS.h" #include "freertos/task.h" -#include "esp_tee_attestation.h" +#include "psa/crypto.h" +#include "psa/initial_attestation.h" static const char *TAG = "example_tee_attest"; -#define ESP_ATT_TK_NONCE (0xA1B2C3D4) -#define ESP_ATT_TK_CLIENT_ID (0x0FACADE0) - -#define ESP_ATT_TK_BUF_SIZE (1792) -#define ESP_ATT_TK_PSA_CERT_REF ("0716053550477-10100") - -static uint8_t token_buf[ESP_ATT_TK_BUF_SIZE] = {0}; - void app_main(void) { ESP_LOGI(TAG, "TEE Attestation Service"); - uint32_t token_len = 0; + // Prepare authentication challenge for freshness + uint8_t auth_challenge[PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32]; + size_t challenge_size = sizeof(auth_challenge); + esp_fill_random(auth_challenge, challenge_size); - /* Generate entity attestation token using the following parameters - * and return the token length in token_len: - * - Nonce value for freshness - * - Client ID to identify requester - * - PSA certification ID reference string - * - Buffer to store the generated token + // Get the required token buffer size + size_t token_buf_size = 0; + psa_status_t status = psa_initial_attest_get_token_size(challenge_size, &token_buf_size); + if (status != PSA_SUCCESS) { + ESP_LOGE(TAG, "Failed to get token size: %x", status); + abort(); + } + + // Allocate buffer based on the required size + uint8_t *token_buf = calloc(token_buf_size, sizeof(uint8_t)); + if (token_buf == NULL) { + abort(); + } + + /* Generate entity attestation token using PSA interface + * - Authentication challenge for freshness + * - Dynamic buffer allocation based on required size */ - esp_err_t err = esp_tee_att_generate_token(ESP_ATT_TK_NONCE, ESP_ATT_TK_CLIENT_ID, (const char *)ESP_ATT_TK_PSA_CERT_REF, - token_buf, sizeof(token_buf), &token_len); - if (err != ESP_OK) { - ESP_LOGE(TAG, "Failed to generate entity attestation token!"); + size_t token_len = 0; + status = 
psa_initial_attest_get_token(auth_challenge, challenge_size, token_buf, token_buf_size, &token_len); + if (status != PSA_SUCCESS) { + ESP_LOGE(TAG, "Failed to generate entity attestation token: %x (PSA status)", status); + free(token_buf); abort(); } /* Print the generated token details - length and contents */ - ESP_LOGI(TAG, "Attestation token - Length: %lu", token_len); + ESP_LOGI(TAG, "Attestation token - Length: %zu", token_len); ESP_LOGI(TAG, "Attestation token - Data:\n'%.*s'", (int)token_len, token_buf); + + free(token_buf); } diff --git a/examples/security/tee/tee_attestation/main/idf_component.yml b/examples/security/tee/tee_attestation/main/idf_component.yml deleted file mode 100644 index ffc1a7d072..0000000000 --- a/examples/security/tee/tee_attestation/main/idf_component.yml +++ /dev/null @@ -1,3 +0,0 @@ -dependencies: - tee_attestation: - path: ${IDF_PATH}/components/esp_tee/subproject/components/tee_attestation
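Review bot: The comment `// Prepare authentication challenge for freshness` in `app_main()` overstates what the example demonstrates, because the challenge is filled by `esp_fill_random()` on the device being attested. A self-chosen challenge gives a remote verifier no way to tell a new token from a replayed one; freshness only holds when the verifier issues the challenge and later checks it against the token's `auth_challenge` claim. Since this example is what integrators copy, the comment should say so, e.g. `// Placeholder challenge: in a real deployment this value is received from the verifier, which checks it against the token's auth_challenge claim`. The same locally generated challenge appears in `tee_dump_att_token()` in tee_srv_att.c and in the `CONFIG_SECURE_TEE_ATTESTATION` block of test_esp_tee_sec_stg.c, where the same caveat would help.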