Commit 04e5532e1637e5c03f9b0b381acd2b2a5d0604bc
Committed by
Ye Li
1 parent
6bdc7d05cb
Exists in
smarc_8mq_lf_v2020.04
and in
4 other branches
MA-15142 Support secure attestation provision
In host end, need encrypt the attestation keys and certs by manufacture protection public key though AES-128-ECB. Then use below 4 set of commands to provision encrypted RSA attestation and EC attestation: * $fastboot stage atte_rsa_key.bin * $fastboot oem set-rsa-atte-key-enc * $fastboot stage atte_rsa_cert.bin * $fastboot oem append-rsa-atte-cert-enc * $fastboot stage atte_ec_key.bin * $fastboot oem set-ec-atte-key-enc * $fastboot stage atte_ec_cert.bin * $fastboot oem append-ec-atte-cert-enc Change-Id: I8a7c64004a17f7dde89f28c3123a2e2b1a6d3346 Signed-off-by: Haoran.Wang <elven.wang@nxp.com> (cherry picked from commit 58965915dd69050429142d3d180c75e98ad14788)
Showing 4 changed files with 61 additions and 0 deletions Side-by-side Diff
drivers/fastboot/fb_fsl/fb_fsl_command.c
... | ... | @@ -502,6 +502,46 @@ |
502 | 502 | strcpy(response, "FAILInternal error!"); |
503 | 503 | } else |
504 | 504 | strcpy(response, "OKAY"); |
505 | + } else if (endswith(cmd, FASTBOOT_SET_RSA_ATTESTATION_KEY_ENC)) { | |
506 | + if (trusty_set_attestation_key_enc(fastboot_buf_addr, | |
507 | + fastboot_bytes_received, | |
508 | + KM_ALGORITHM_RSA)) { | |
509 | + printf("ERROR set rsa attestation key failed!\n"); | |
510 | + strcpy(response, "FAILInternal error!"); | |
511 | + } else { | |
512 | + printf("Set rsa attestation key successfully!\n"); | |
513 | + strcpy(response, "OKAY"); | |
514 | + } | |
515 | + } else if (endswith(cmd, FASTBOOT_SET_EC_ATTESTATION_KEY_ENC)) { | |
516 | + if (trusty_set_attestation_key_enc(fastboot_buf_addr, | |
517 | + fastboot_bytes_received, | |
518 | + KM_ALGORITHM_EC)) { | |
519 | + printf("ERROR set ec attestation key failed!\n"); | |
520 | + strcpy(response, "FAILInternal error!"); | |
521 | + } else { | |
522 | + printf("Set ec attestation key successfully!\n"); | |
523 | + strcpy(response, "OKAY"); | |
524 | + } | |
525 | + } else if (endswith(cmd, FASTBOOT_APPEND_RSA_ATTESTATION_CERT_ENC)) { | |
526 | + if (trusty_append_attestation_cert_chain_enc(fastboot_buf_addr, | |
527 | + fastboot_bytes_received, | |
528 | + KM_ALGORITHM_RSA)) { | |
529 | + printf("ERROR append rsa attestation cert chain failed!\n"); | |
530 | + strcpy(response, "FAILInternal error!"); | |
531 | + } else { | |
532 | + printf("Append rsa attestation key successfully!\n"); | |
533 | + strcpy(response, "OKAY"); | |
534 | + } | |
535 | + } else if (endswith(cmd, FASTBOOT_APPEND_EC_ATTESTATION_CERT_ENC)) { | |
536 | + if (trusty_append_attestation_cert_chain_enc(fastboot_buf_addr, | |
537 | + fastboot_bytes_received, | |
538 | + KM_ALGORITHM_EC)) { | |
539 | + printf("ERROR append ec attestation cert chain failed!\n"); | |
540 | + strcpy(response, "FAILInternal error!"); | |
541 | + } else { | |
542 | + printf("Append ec attestation key successfully!\n"); | |
543 | + strcpy(response, "OKAY"); | |
544 | + } | |
505 | 545 | } else if (endswith(cmd, FASTBOOT_SET_RSA_ATTESTATION_KEY)) { |
506 | 546 | if (trusty_set_attestation_key(fastboot_buf_addr, |
507 | 547 | fastboot_bytes_received, |
include/fb_fsl.h
... | ... | @@ -95,6 +95,10 @@ |
95 | 95 | #define FASTBOOT_SET_EC_ATTESTATION_KEY "set-ec-atte-key" |
96 | 96 | #define FASTBOOT_APPEND_RSA_ATTESTATION_CERT "append-rsa-atte-cert" |
97 | 97 | #define FASTBOOT_APPEND_EC_ATTESTATION_CERT "append-ec-atte-cert" |
98 | +#define FASTBOOT_SET_RSA_ATTESTATION_KEY_ENC "set-rsa-atte-key-enc" | |
99 | +#define FASTBOOT_SET_EC_ATTESTATION_KEY_ENC "set-ec-atte-key-enc" | |
100 | +#define FASTBOOT_APPEND_RSA_ATTESTATION_CERT_ENC "append-rsa-atte-cert-enc" | |
101 | +#define FASTBOOT_APPEND_EC_ATTESTATION_CERT_ENC "append-ec-atte-cert-enc" | |
98 | 102 | #define FASTBOOT_GET_MPPUBK "get-mppubk" |
99 | 103 | #endif |
100 | 104 |
include/interface/keymaster/keymaster.h
... | ... | @@ -63,6 +63,8 @@ |
63 | 63 | KM_ATAP_SET_CA_RESPONSE_FINISH = (0x7000 << KEYMASTER_REQ_SHIFT), |
64 | 64 | KM_ATAP_READ_UUID = (0x8000 << KEYMASTER_REQ_SHIFT), |
65 | 65 | KM_SET_PRODUCT_ID = (0x9000 << KEYMASTER_REQ_SHIFT), |
66 | + KM_SET_ATTESTATION_KEY_ENC = (0xa000 << KEYMASTER_REQ_SHIFT), | |
67 | + KM_APPEND_ATTESTATION_CERT_CHAIN_ENC = (0xb000 << KEYMASTER_REQ_SHIFT), | |
66 | 68 | KM_GET_MPPUBK = (0xc000 << KEYMASTER_REQ_SHIFT) |
67 | 69 | }; |
68 | 70 |
lib/trusty/ql-tipc/keymaster.c
... | ... | @@ -410,6 +410,21 @@ |
410 | 410 | cert, cert_size, algorithm); |
411 | 411 | } |
412 | 412 | |
413 | +int trusty_set_attestation_key_enc(const uint8_t *key, uint32_t key_size, | |
414 | + keymaster_algorithm_t algorithm) | |
415 | +{ | |
416 | + return trusty_send_attestation_data(KM_SET_ATTESTATION_KEY_ENC, key, key_size, | |
417 | + algorithm); | |
418 | +} | |
419 | + | |
420 | +int trusty_append_attestation_cert_chain_enc(const uint8_t *cert, | |
421 | + uint32_t cert_size, | |
422 | + keymaster_algorithm_t algorithm) | |
423 | +{ | |
424 | + return trusty_send_attestation_data(KM_APPEND_ATTESTATION_CERT_CHAIN_ENC, | |
425 | + cert, cert_size, algorithm); | |
426 | +} | |
427 | + | |
413 | 428 | int trusty_atap_get_ca_request(const uint8_t *operation_start, |
414 | 429 | uint32_t operation_start_size, |
415 | 430 | uint8_t **ca_request_p, |