tf-m: Add Attestation support for nRF54L15 #19040
Conversation
|
The following west manifest projects have changed revision in this Pull Request:
✅ All manifest checks OK Note: This message is automatically posted and updated by the Manifest GitHub Action. |
github-actions
bot
added
the
changelog-entry-required
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
from
2235121 to
716c951
Compare
CI InformationTo view the history of this post, clich the 'edited' button above Inputs:Sources:sdk-nrf: PR head: 1337531253f473f79fa1a4ce72059ab2ed635268 more detailssdk-nrf:
Github labels
List of changed files detected by CI (13)Outputs:ToolchainVersion: aedb4c0245 Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
from
716c951 to
fce97d0
Compare
|
You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds. Note: This comment is automatically posted by the Documentation Publish GitHub Action. |
| set(CONFIG_NRFX_RRAMC ON CACHE BOOL "Enable nrfx drivers for RRAMC") | ||
| add_compile_definitions(CONFIG_NRFX_RRAMC) |
There was a problem hiding this comment.
Hmm, we are already using a very minimal homemade RRAMC driver in TF-M. What are you doing this for exactly?
(Also the add_compile_definitions() line seems a bit weird, why is it needed?)
There was a problem hiding this comment.
CONFIG_NRFX_RRAMC is used in attest_hal.c, which is used in both Zephyr and TF-M. For example here.
If I remove add_compile_definitions(), I get errors such as "CONFIG_NRFX_RRAMC" not defined. I don't know if this is the correct way to add it, I just copied it from cpuarch.cmake.
Do you think I should look for alternative ways to get this config included?
There was a problem hiding this comment.
Ahem you are linking to add_compile_definitions(__NRF_TFM__) in cpuarch.cmake?
There was a problem hiding this comment.
Ah ups. Edited to change file name.
There was a problem hiding this comment.
Hmm okay, you are still linking to the example of __NRF_TFM__, I thought you'd have an example with CONFIG_NRFX_RRAMC. (After grepping I see there is none).
I am not sure, but it seems like this add_compile_definitions() could be unconditionally adding CONFIG_NRFX_RRAMC as a define? Or does it somehow get its value from the set() line above? Do you know how it works?
I'm wondering why don't we do this via Kconfig, as this is a Kconfig option.
This doesn't seem like a natural (or proper) way to do that, but I'm not sure.
What is this needed for exactly? Where do you get errors from?
There was a problem hiding this comment.
What Im trying to do:
attest_hal.c is a file that can be ran either from zephyr or from TF-M.
This file depends on the correct Kconfig options being set. (CONFIG_NRFX_RRAMC in this case)
add_compile_definitions() is the way I found to make sure that TF-M has CONFIG_NRFX_RRAMC defined.
What is the best way to do this?
There was a problem hiding this comment.
Where do you get errors from?
My errors were pretty much "CONFIG_NRFX_RRAMC not defined".
I will spend some more time looking into this.
There was a problem hiding this comment.
I talked to Tomi and added a check around the add_compile_definitions(), so it is only included for attestation.
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
from
fce97d0 to
8b0040b
Compare
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
from
8b0040b to
6bedc93
Compare
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
from
6bedc93 to
4b60d5e
Compare
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
4 times, most recently
from
eff9ee2 to
44c4367
Compare
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
from
44c4367 to
54f5d6c
Compare
modules/trusted-firmware-m/tfm_boards/nrf54l15_cpuapp/config.cmake
Outdated
Show resolved
Hide resolved
modules/trusted-firmware-m/tfm_boards/nrf54l15_cpuapp/config.cmake
Outdated
Show resolved
Hide resolved
samples/tfm/tfm_psa_template/boards/nrf54l15dk_nrf54l15_cpuapp_ns.conf
Outdated
Show resolved
Hide resolved
|
Rebase |
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
2 times, most recently
from
edc363c to
5b35e9a
Compare
|
Rebase |
| @@ -13,3 +13,12 @@ include(${PLATFORM_PATH}/common/${NRF_SOC_VARIANT}/config.cmake) | |||
|
|
|||
| # Override PS_CRYPTO_KDF_ALG | |||
| set(PS_CRYPTO_KDF_ALG PSA_ALG_SP800_108_COUNTER_CMAC CACHE STRING "KDF Algorithm to use") | |||
|
|
|||
|
|
|||
| t->params.ik.privkey = privkey; | ||
| t->params.ik.signature = signature; | ||
| } | ||
|
|
| @@ -114,17 +115,12 @@ static int finish_ecdsa_ik_sign(struct sitask *t, struct siwq *wq) | |||
| return exit_ikg(t); | |||
| } | |||
|
|
|||
| static int start_ecdsa_ik_sign(struct sitask *t, struct siwq *wq) | |||
| static int start_ecdsa_ik_sign(struct sitask *t) | |||
| { | |||
| struct sx_pk_acq_req pkreq; | |||
| struct sx_pk_inops_ik_ecdsa_sign inputs; | |||
| int opsz; | |||
| size_t digestsz = sx_hash_get_digestsz(&t->u.h); | |||
There was a problem hiding this comment.
Getting digest size from this hash context won't work when calling psa_sign_hash(). This is because the hash context is never created since sx_hash_create() is not needed and therefore not called. Changing this line to:
size_t digestsz = sx_hash_get_alg_digestsz(t->params.ik.privkey->hashalg);
makes my tests pass
lib/identity_key/Kconfig
Outdated
| This option adds support for an identity key stored in the KMU to TF-M. | ||
| The key is stored in an encrypted form and is decrypted | ||
| by the identity key library. | ||
| The identity key is an ECC secp256r1 key pair. |
There was a problem hiding this comment.
column is 100 chars so more text can be on each line
| @@ -115,7 +115,7 @@ if (${TFM_PARTITION_CRYPTO}) | |||
| tfm_sprt | |||
| ) | |||
|
|
|||
| if (${TFM_PARTITION_INITIAL_ATTESTATION}) | |||
| if ((${TFM_PARTITION_INITIAL_ATTESTATION}) AND CONFIG_IDENTITY_KEY_TFM) | |||
There was a problem hiding this comment.
| if ((${TFM_PARTITION_INITIAL_ATTESTATION}) AND CONFIG_IDENTITY_KEY_TFM) | |
| if((${TFM_PARTITION_INITIAL_ATTESTATION}) AND CONFIG_IDENTITY_KEY_TFM) |
| # This is because bl_storage is a lib intended to be run from either the bootloader (Zephyr) or from TF-M. | ||
| # This is independent from the NS image's CONFIG_NRFX_RRAMC, which must be disabled, so we can not inherit | ||
| # this from app Kconfig. | ||
| if (TFM_PARTITION_INITIAL_ATTESTATION) |
There was a problem hiding this comment.
| if (TFM_PARTITION_INITIAL_ATTESTATION) | |
| if(TFM_PARTITION_INITIAL_ATTESTATION) |
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
from
5b35e9a to
4dbab51
Compare
|
Rebase |
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
2 times, most recently
from
834e149 to
56a214b
Compare
lib/identity_key/Kconfig
Outdated
| bool "Identity key support in TF-M" | ||
| depends on HAS_HW_NRF_CC3XX | ||
| depends on TRUSTED_EXECUTION_NONSECURE | ||
| default y if SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X |
There was a problem hiding this comment.
why is this defaulting to y? This will default to on when someone builds hello world
There was a problem hiding this comment.
Good point. I removed the default
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
4 times, most recently
from
83feae5 to
121be49
Compare
Add support for PSA Attestation to the nRF54L15. Ref: NCSDK-22598 Signed-off-by: Sigurd Hellesvik <sigurd.hellesvik@nordicsemi.no>
Add support for sign_digest support to silex sicrypto drivers for iksign.c, making it possible to sign_digest for the IKG. Signed-off-by: Sigurd Hellesvik <sigurd.hellesvik@nordicsemi.no>
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
from
121be49 to
1337531
Compare
|
Add support for PSA Attestation to the nRF54L15. Includes noup changes to TF-M repository.
Ref: NCSDK-22598