Commit 04e5532e1637e5c03f9b0b381acd2b2a5d0604bc

Authored by Haoran.Wang
Committed by Ye Li
1 parent 6bdc7d05cb

MA-15142 Support secure attestation provision

On the host side, the attestation keys and certs need to be encrypted
with the manufacture protection public key through AES-128-ECB.
Then use the 4 sets of commands below to provision the encrypted
RSA attestation and EC attestation:
  * $fastboot stage atte_rsa_key.bin
  * $fastboot oem set-rsa-atte-key-enc
  * $fastboot stage atte_rsa_cert.bin
  * $fastboot oem append-rsa-atte-cert-enc
  * $fastboot stage atte_ec_key.bin
  * $fastboot oem set-ec-atte-key-enc
  * $fastboot stage atte_ec_cert.bin
  * $fastboot oem append-ec-atte-cert-enc

Change-Id: I8a7c64004a17f7dde89f28c3123a2e2b1a6d3346
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
(cherry picked from commit 58965915dd69050429142d3d180c75e98ad14788)

Showing 4 changed files with 61 additions and 0 deletions Side-by-side Diff

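--- a/drivers/fastboot/fb_fsl/fb_fsl_command.c
+++ b/drivers/fastboot/fb_fsl/fb_fsl_command.c
@@ -502,6 +502,46 @@
 strcpy(response, "FAILInternal error!");
 } else
 strcpy(response, "OKAY");
+ } else if (endswith(cmd, FASTBOOT_SET_RSA_ATTESTATION_KEY_ENC)) {
+ if (trusty_set_attestation_key_enc(fastboot_buf_addr,
+ fastboot_bytes_received,
+ KM_ALGORITHM_RSA)) {
+ printf("ERROR set rsa attestation key failed!\n");
+ strcpy(response, "FAILInternal error!");
+ } else {
+ printf("Set rsa attestation key successfully!\n");
+ strcpy(response, "OKAY");
+ }
+ } else if (endswith(cmd, FASTBOOT_SET_EC_ATTESTATION_KEY_ENC)) {
+ if (trusty_set_attestation_key_enc(fastboot_buf_addr,
+ fastboot_bytes_received,
+ KM_ALGORITHM_EC)) {
+ printf("ERROR set ec attestation key failed!\n");
+ strcpy(response, "FAILInternal error!");
+ } else {
+ printf("Set ec attestation key successfully!\n");
+ strcpy(response, "OKAY");
+ }
+ } else if (endswith(cmd, FASTBOOT_APPEND_RSA_ATTESTATION_CERT_ENC)) {
+ if (trusty_append_attestation_cert_chain_enc(fastboot_buf_addr,
+ fastboot_bytes_received,
+ KM_ALGORITHM_RSA)) {
+ printf("ERROR append rsa attestation cert chain failed!\n");
+ strcpy(response, "FAILInternal error!");
+ } else {
+ printf("Append rsa attestation key successfully!\n");
+ strcpy(response, "OKAY");
+ }
+ } else if (endswith(cmd, FASTBOOT_APPEND_EC_ATTESTATION_CERT_ENC)) {
+ if (trusty_append_attestation_cert_chain_enc(fastboot_buf_addr,
+ fastboot_bytes_received,
+ KM_ALGORITHM_EC)) {
+ printf("ERROR append ec attestation cert chain failed!\n");
+ strcpy(response, "FAILInternal error!");
+ } else {
+ printf("Append ec attestation key successfully!\n");
+ strcpy(response, "OKAY");
+ }
 } else if (endswith(cmd, FASTBOOT_SET_RSA_ATTESTATION_KEY)) {
 if (trusty_set_attestation_key(fastboot_buf_addr,
 fastboot_bytes_received,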
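Review bot: All four new `-enc` branches (new lines 505-544) forward `fastboot_buf_addr` and `fastboot_bytes_received` to Trusty without checking that a blob was staged for this command, so an empty or left-over download buffer is submitted as an encrypted key or certificate; whether the secure side rejects that is not visible here. A guard ahead of each call, e.g. `if (fastboot_bytes_received == 0) { strcpy(response, "FAILNo staged data!"); }` (response text constructed for illustration), would fail early on the bootloader side. The commit message describes the blobs as AES-128-ECB encrypted, a mode with no integrity protection, so it is worth a comment here saying that authenticity of the decrypted key and chain has to be enforced inside Trusty. The success messages of the two cert-chain branches (new lines 532 and 542) say "attestation key" and should read `"Append rsa attestation cert chain successfully!\n"` and the EC equivalent. The enclosing if/else chain starts and ends outside the hunk.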
... ... @@ -95,6 +95,10 @@
95 95 #define FASTBOOT_SET_EC_ATTESTATION_KEY "set-ec-atte-key"
96 96 #define FASTBOOT_APPEND_RSA_ATTESTATION_CERT "append-rsa-atte-cert"
97 97 #define FASTBOOT_APPEND_EC_ATTESTATION_CERT "append-ec-atte-cert"
  98 +#define FASTBOOT_SET_RSA_ATTESTATION_KEY_ENC "set-rsa-atte-key-enc"
  99 +#define FASTBOOT_SET_EC_ATTESTATION_KEY_ENC "set-ec-atte-key-enc"
  100 +#define FASTBOOT_APPEND_RSA_ATTESTATION_CERT_ENC "append-rsa-atte-cert-enc"
  101 +#define FASTBOOT_APPEND_EC_ATTESTATION_CERT_ENC "append-ec-atte-cert-enc"
98 102 #define FASTBOOT_GET_MPPUBK "get-mppubk"
99 103 #endif
100 104  
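--- a/include/interface/keymaster/keymaster.h
+++ b/include/interface/keymaster/keymaster.h
@@ -63,6 +63,8 @@
 KM_ATAP_SET_CA_RESPONSE_FINISH = (0x7000 << KEYMASTER_REQ_SHIFT),
 KM_ATAP_READ_UUID = (0x8000 << KEYMASTER_REQ_SHIFT),
 KM_SET_PRODUCT_ID = (0x9000 << KEYMASTER_REQ_SHIFT),
+ KM_SET_ATTESTATION_KEY_ENC = (0xa000 << KEYMASTER_REQ_SHIFT),
+ KM_APPEND_ATTESTATION_CERT_CHAIN_ENC = (0xb000 << KEYMASTER_REQ_SHIFT),
 KM_GET_MPPUBK = (0xc000 << KEYMASTER_REQ_SHIFT)
 };
 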
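--- a/lib/trusty/ql-tipc/keymaster.c
+++ b/lib/trusty/ql-tipc/keymaster.c
@@ -410,6 +410,21 @@
 cert, cert_size, algorithm);
 }
 
+int trusty_set_attestation_key_enc(const uint8_t *key, uint32_t key_size,
+ keymaster_algorithm_t algorithm)
+{
+ return trusty_send_attestation_data(KM_SET_ATTESTATION_KEY_ENC, key, key_size,
+ algorithm);
+}
+
+int trusty_append_attestation_cert_chain_enc(const uint8_t *cert,
+ uint32_t cert_size,
+ keymaster_algorithm_t algorithm)
+{
+ return trusty_send_attestation_data(KM_APPEND_ATTESTATION_CERT_CHAIN_ENC,
+ cert, cert_size, algorithm);
+}
+
 int trusty_atap_get_ca_request(const uint8_t *operation_start,
 uint32_t operation_start_size,
 uint8_t **ca_request_p,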
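Review bot: Neither `trusty_set_attestation_key_enc` nor `trusty_append_attestation_cert_chain_enc` gets a prototype in this commit: the 61 added lines are all accounted for by the four hunks shown, so unless an earlier change already declared them, the calls in fb_fsl_command.c rely on an implicit declaration. Add `int trusty_set_attestation_key_enc(const uint8_t *key, uint32_t key_size, keymaster_algorithm_t algorithm);` and the matching cert-chain prototype next to the existing `trusty_set_attestation_key` declaration. Both new wrappers also lack a comment; each should state that the buffer is the host-encrypted blob, that it is passed on unchanged under the `_ENC` command id, and what the return value means (the callers treat non-zero as failure). Whether `trusty_send_attestation_data` rejects a NULL pointer or zero size cannot be seen from this hunk, so the comment should say which side is expected to validate the length.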