feat(dice): add cert_id argument to dpe_derive_context()

This custom argument is meant to simplify to group components into certificates. Components with the same cert_id contribute to the same certificate regardless of the load order or the structure of the derivation tree. This argument aims to flatten the tree structure and make it easy to include branches or subtrees in the main derivation line. Signed-off-by: Tamas Ban <tamas.ban@arm.com> Change-Id: I83c4abc399616063a5eb04792d603899f7513627
2024-01-30 10:22:29 +01:00 · 2024-01-30 10:22:29 +01:00 · 6a415bd1e7
parent 33f29b8ae4
commit 6a415bd1e7
4 changed files with 13 additions and 0 deletions
--- a/drivers/measured_boot/rss/dice_prot_env.c
+++ b/drivers/measured_boot/rss/dice_prot_env.c
@ -110,6 +110,7 @@ int dpe_measure_and_record(struct dpe_metadata *metadata,

 	VERBOSE("Calling dpe_derive_context, image_id: %d\n", metadata->id);
 	ret = dpe_derive_context(current_context_handle,
+				 metadata->cert_id,
 				 metadata->retain_parent_context,
 				 metadata->allow_new_context_to_derive,
 				 metadata->create_certificate,
--- a/include/drivers/measured_boot/rss/dice_prot_env.h
+++ b/include/drivers/measured_boot/rss/dice_prot_env.h
@ -17,6 +17,7 @@

 struct dpe_metadata {
 	unsigned int id;
+	uint32_t cert_id;
 	uint8_t signer_id[SIGNER_ID_MAX_SIZE];
 	size_t  signer_id_size;
 	uint8_t version[VERSION_MAX_SIZE];
--- a/include/lib/psa/dice_protection_environment.h
+++ b/include/lib/psa/dice_protection_environment.h
@ -41,6 +41,8 @@ typedef int32_t dpe_error_t;
 *
 * \param[in]  context_handle              Input context handle for the DPE
 *                                         context.
+ * \param[in]  cert_id                     Logical certificate id to which derived
+ *                                         context belongs to.
 * \param[in]  retain_parent_context       Flag to indicate whether to retain the
 *                                         parent context. True only if a client
 *                                         will call further DPE commands on the
@ -77,6 +79,7 @@ typedef int32_t dpe_error_t;
 * \return Returns error code of type dpe_error_t
 */
 dpe_error_t dpe_derive_context(int      context_handle,
+			       uint32_t cert_id,
 			       bool     retain_parent_context,
 			       bool     allow_new_context_to_derive,
 			       bool     create_certificate,
--- a/lib/psa/dice_protection_environment.c
+++ b/lib/psa/dice_protection_environment.c
@ -58,6 +58,8 @@ enum dpe_derive_context_input_labels_t {
 	DPE_DERIVE_CONTEXT_RETURN_CERTIFICATE = 9,
 	DPE_DERIVE_CONTEXT_ALLOW_NEW_CONTEXT_TO_EXPORT = 10,
 	DPE_DERIVE_CONTEXT_EXPORT_CDI = 11,
+	/* enum values 256 and onwards are reserved for custom arguments */
+	DPE_DERIVE_CONTEXT_CERT_ID = 256,
 };

 enum dpe_derive_context_output_labels_t {
@ -70,6 +72,7 @@ enum dpe_derive_context_output_labels_t {

 struct derive_context_input_t {
 	int context_handle;
+	uint32_t cert_id;
 	bool retain_parent_context;
 	bool allow_new_context_to_derive;
 	bool create_certificate;
@ -154,6 +157,9 @@ static QCBORError encode_derive_context(const struct derive_context_input_t *arg
 				   DPE_DERIVE_CONTEXT_CONTEXT_HANDLE,
 				   (UsefulBufC) { &args->context_handle,
 						  sizeof(args->context_handle) });
+	QCBOREncode_AddUInt64ToMapN(&encode_ctx,
+				    DPE_DERIVE_CONTEXT_CERT_ID,
+				    args->cert_id);
 	QCBOREncode_AddBoolToMapN(&encode_ctx,
 				  DPE_DERIVE_CONTEXT_RETAIN_PARENT_CONTEXT,
 				  args->retain_parent_context);
@ -263,6 +269,7 @@ static int32_t dpe_client_call(const char *cmd_input, size_t cmd_input_size,
 }

 dpe_error_t dpe_derive_context(int context_handle,
+			       uint32_t cert_id,
 			       bool retain_parent_context,
 			       bool allow_new_context_to_derive,
 			       bool create_certificate,
@ -288,6 +295,7 @@ dpe_error_t dpe_derive_context(int context_handle,

 	const struct derive_context_input_t in_args = {
 		context_handle,
+		cert_id,
 		retain_parent_context,
 		allow_new_context_to_derive,
 		create_certificate,