Hi,
Regarding attestation:
- CCA attestation seems more appropriate for your use case. The Crypto TS is necessary to sign the token. A secure provisioning (or derivation) of the attestation key is crucial. The
measured boot must be enabled in TF-A to collect the boot measurements.
- Another option could be the TPM attestation. It depends on the availability of a TPM chip in the end product. TF-A support is in progress. Patches on
review.
Tamas
From: Max Adam <maxadamcamb@gmail.com>
Sent: Monday, December 2, 2024 3:12 PM
To: Tamas Ban <Tamas.Ban@arm.com>
Cc: Gyorgy Szing <Gyorgy.Szing@arm.com>; tf-a@lists.trustedfirmware.org
Subject: Re: [TF-A] Interaction with TF-a from NS World
Thank you, Gyorgy and Tamas,
The environment is TI's AM644x. Yes, it is Cortex-A + Cortex M with two additional Cortex R5 cores, but TI seems using one R5 core for boot, not the CortexM core.
Our customer is asking for the "attestation token" to verify the running image (hash) likely.
PSA seems more standard, but if CCA helps, we can go for it as well.
So, what Attestation implementation shall we go for, PSA/CCA, any recommendation.
The other issue is Yocto which I am not familiar :)
I asked someone's help to include "attestation" TS using Yocto build, by following the tutorial
https://git.yoctoproject.org/meta-arm/about/documentation/trusted-services.md
> MACHINE_FEATURES:append = "arm-ffa and ts-attestation" and setting CONFIG_ARM_FFA_TRANSPORT=y
but I am getting errror like
"ERROR: Nothing PROVIDES 'ts-sp-attestation' (..../recipes-bsp/optee/optee-os_4.1.0.bb DEPENDS on or otherwise requires it) "
ts-sp-attestation was skipped
So, I am neither Linux nor yocto expert, is there any simple introdcutions for newbies?
1. How to include&build ts-attestation etc, as I am getting errors
2. How to use the drivers to interact with TSs? I searched for tstee and libts but any examples using these libraries?
Thank you in advance.
Tamas Ban <Tamas.Ban@arm.com>, 2 Ara 2024 Pzt, 13:38 tarihinde şunu yazdı:
Hi Max,
> Can we say this presentation (2022) is there and ready to use?
Yes, there are multiple measured boot and attestation schemes are implemented in TF-A and Trusted Services. What to use is depends on your use case and your system capability:
- A class core only
- A+M system where the M core is in a secure enclave
> By the way, you mentioned that attestation is not handled in TF-a (EL3), but the below EL3 handler handles it (RMM_ATTEST_GET_PLAT_TOKEN). Does it just send the request to the "Trusted Service" you were referencing?
No, they are different.
The available options/schemes:
- -If you have a single A class core and you want something similar to psa_initial_attest_get_token() then read this:
https://trusted-services.readthedocs.io/en/latest/services/attest-service-description.html
Here the token is created by a secure service running in SEL0/1. EL3 only responsible for making the world switch (S<->NS). This is callable from Linux user space, with the libs and kernel driver pointed out by George.- What you mentioned above (RMM_ATTEST_GET_PLAT_TOKEN) is basically the CCA attestation scheme, where there are two halves tokens. It is targeting the RME capable systems which otherwise have A+M cores. One half of the token is produced by the M class secure enclave(HES) the other half by the RMM running in REL2 on the A core. There is a hash link between the half tokens.
Please elaborate your use case then I can help more!
Regards,
Tamas
From: Gyorgy Szing <Gyorgy.Szing@arm.com>
Sent: Monday, December 2, 2024 11:43 AM
To: Max Adam <maxadamcamb@gmail.com>; Tamas Ban <Tamas.Ban@arm.com>
Subject: Re: [TF-A] Interaction with TF-a from NS World
Hi,
“By the way, you mentioned that attestation is not handled in TF-a (EL3),”
Sorry, my bad. Since you mentioned PSA I got the impression you are after PSA Initial Attestation, and that is out of scope for TF-A.
Tamas: Can you please respond to the RMM related attestation question?
/George