Hi all,
Please note that API tfm_initial_attest_get_public_key() has been removed from TF-M Initial Attestation service.
tfm_initial_attest_get_public_key() was defined by TF-M to retrieve Initial Attestation Key (IAK) public key in runtime.
It is not defined by PSA Attestation API spec. It was designed for test purpose only but was always enabled in Initial Attestation service.
TF-M regression tests called tfm_initial_attest_get_public_key() in runtime to retrieve IAK public key to verify the Initial Attestation Token (IAK) generated by Initial Attestation service.
However, such a test implementation doesn't fully align with common attestation protocols, in which the public key is usually distributed to the verifier when the device is deployed or registered.
This API can be misleading and it concerned developers that it may be abused in actual production.
Therefore this API is removed now. A hard-coded dummy public key file is exported instead, to provide the pre-defined public key data to TF-M regression tests.
This dummy public key is hard-coded here<https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/platform/e…>.
The removal of this API doesn't impact TF-M Initial Attestation service functionalities. TF-M Initial Attestation service still works as PSA attestation API spec requests.
The changes to TF-M regression tests are either transparent to platform port or tests.
However, there are two exceptions:
- Currently, some develop boards with OTP enabled are provisioned with random IAK pair. The public key is unknown to the attestation verifier.
Therefore a dedicated attestation test partition<https://git.trustedfirmware.org/TF-M/tf-m-tests.git/tree/test/test_services…> is added to workaround this issue. It adds back API tfm_initial_attest_get_public_key() to retrieve IAK public key in runtime.
Boards with similar limitations can select flag ATTEST_TEST_GET_PUBLIC_KEY to enable this workaround during TF-M regression tests.
This test partition is only available for TF-M regression tests. It is recommended to enable this workaround *only when it is necessary*.
- When developers integrate TF-M with 3rd party test tool, developers can pick the dummy public key file and include it into IAK verification tests as public key input.
Sorry for any inconvenience or trouble if this removal impacts your ongoing task.
Please let me know if you have further questions about the removal of API tfm_initial_attest_get_public_key().
Best regards,
Hu Ziji
Hi Chris,
The build failure is a regression caused by moving the arm platforms under arm directory. Here is the patch to fix it:
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/10333
No need to pass artifacts from SE build to SSE-200 build, and the warning about the redefinition is not nice, but that does not cause any issue.
Best regards,
Mark
________________________________
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> on behalf of Chris.Brand--- via TF-M <tf-m(a)lists.trustedfirmware.org>
Sent: Wednesday, June 16, 2021 11:34 PM
To: tf-m(a)lists.trustedfirmware.org <tf-m(a)lists.trustedfirmware.org>
Subject: [TF-M] Building for Musca B1 with proxy service
Hi,
I’m trying to build for the Musca B1 with the proxy service. I understand that I have to two separate builds, one for the secure_enclave and one for the SSE-200. The secure enclave build works fine, but I’m getting errors for the SSE-200 build and my various attempts to get around them have all failed. I’m (also) wondering if there are artifacts form the secure_enclave build that need to feed into the SSE-200 build somehow, and if so how that works.
Here's my command line and resulting errors:
cmake -S . -B build_musca_sse200_GNUARM_Relwithdebinfo '-GUnix Makefiles' -DTFM_PLATFORM=arm/musca_b1/sse_200 -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake -DCMAKE_BUILD_TYPE=Relwithdebinfo -DTFM_PSA_API=ON -DFORWARD_PROT_MSG=ON
In file included from /lhome/cbrand/work/trees_2/psoc6_atfm/trusted-firmware-m/platform/ext/target/arm/musca_b1/sse_200/bl0/bl0_main.c:17:0:
/lhome/cbrand/work/trees_2/psoc6_atfm/trusted-firmware-m/platform/ext/target/arm/musca_b1/sse_200/Device/Include/cmsis.h:63:10: fatal error: core_cm33.h: No such file or directory
#include <core_cm33.h> /*!< Arm Cortex-M33 processor and core peripherals */
^~~~~~~~~~~~~
compilation terminated.
/lhome/cbrand/work/trees_2/psoc6_atfm/trusted-firmware-m/platform/ext/target/arm/musca_b1/sse_200/Device/Source/gcc/startup_cmsdk_musca_bl2.S:20:10: fatal error: tfm_plat_config.h: No such file or directory
#include "tfm_plat_config.h"
^~~~~~~~~~~~~~~~~~~
compilation terminated.
In file included from /lhome/cbrand/work/trees_2/psoc6_atfm/trusted-firmware-m/platform/ext/target/arm/musca_b1/sse_200/Device/Include/platform_description.h:23:0,
from /lhome/cbrand/work/trees_2/psoc6_atfm/trusted-firmware-m/platform/ext/target/arm/musca_b1/sse_200/Device/Source/system_core_init.c:23:
/lhome/cbrand/work/trees_2/psoc6_atfm/trusted-firmware-m/platform/ext/target/arm/musca_b1/sse_200/Device/Include/cmsis.h:63:10: fatal error: core_cm33.h: No such file or directory
#include <core_cm33.h> /*!< Arm Cortex-M33 processor and core peripherals */
^~~~~~~~~~~~~
compilation terminated.
/lhome/cbrand/work/trees_2/psoc6_atfm/trusted-firmware-m/platform/ext/target/arm/musca_b1/sse_200/Device/Source/device_definition.c:29:10: fatal error: tfm_plat_defs.h: No such file or directory
#include "tfm_plat_defs.h"
^~~~~~~~~~~~~~~~~
compilation terminated.
[…]
<command-line>:0:0: warning: "FORWARD_PROT_MSG" redefined
<command-line>:0:0: note: this is the location of the previous definition
<command-line>:0:0: warning: "FORWARD_PROT_MSG" redefined
<command-line>:0:0: note: this is the location of the previous definition
<command-line>:0:0: warning: "FORWARD_PROT_MSG" redefined
<command-line>:0:0: note: this is the location of the previous definition
<command-line>:0:0: warning: "FORWARD_PROT_MSG" redefined
<command-line>:0:0: note: this is the location of the previous definition
<command-line>:0:0: warning: "FORWARD_PROT_MSG" redefined
<command-line>:0:0: note: this is the location of the previous definition
<command-line>:0:0: warning: "FORWARD_PROT_MSG" redefined
<command-line>:0:0: note: this is the location of the previous definition
[…]
platform/target/bl0/CMakeFiles/bl0.dir/build.make:86: recipe for target 'platform/target/bl0/CMakeFiles/bl0.dir/bl0_main.o' failed
gmake[2]: *** [platform/target/bl0/CMakeFiles/bl0.dir/bl0_main.o] Error 1
gmake[2]: *** Waiting for unfinished jobs....
platform/target/bl0/CMakeFiles/bl0.dir/build.make:138: recipe for target 'platform/target/bl0/CMakeFiles/bl0.dir/__/Device/Source/system_core_init.o' failed
gmake[2]: *** [platform/target/bl0/CMakeFiles/bl0.dir/__/Device/Source/system_core_init.o] Error 1
platform/target/bl0/CMakeFiles/bl0.dir/build.make:125: recipe for target 'platform/target/bl0/CMakeFiles/bl0.dir/__/Device/Source/device_definition.o' failed
gmake[2]: *** [platform/target/bl0/CMakeFiles/bl0.dir/__/Device/Source/device_definition.o] Error 1
platform/target/bl0/CMakeFiles/bl0.dir/build.make:81: recipe for target 'platform/target/bl0/CMakeFiles/bl0.dir/__/Device/Source/gcc/startup_cmsdk_musca_bl2.o' failed
gmake[2]: *** [platform/target/bl0/CMakeFiles/bl0.dir/__/Device/Source/gcc/startup_cmsdk_musca_bl2.o] Error 1
CMakeFiles/Makefile2:2539: recipe for target 'platform/target/bl0/CMakeFiles/bl0.dir/all' failed
gmake[1]: *** [platform/target/bl0/CMakeFiles/bl0.dir/all] Error 2
gmake[1]: *** Waiting for unfinished jobs....
This is from a clean checkout of 54d47fbd5269 (current HEAD).
I see that my tree does contain platform/ext/cmsis/core_cm33.h, platform/include/tfm_plat_config.h and platform/include/tfm_plat_defs.h so I guess it’s the include paths that are messed up somehow…?
Thanks,
Chris Brand
Cypress Semiconductor (Canada), Inc.
Sr Prin Software Engr
CSCA CSS ICW SW PSW 1
Office: +1 778 234 0515
Chris.Brand(a)infineon.com<mailto:Chris.Brand@infineon.com>
Hi,
You might noticed that recently documentation became available under the static links (no randomized part in URL anymore). Now it possible to bookmark or share the TF-M docs using a human friendly short URLs like: https://tf-m-user-guide.trustedfirmware.org/docs/introduction/readme.html
Please try and enjoy,
Anton
Hi,
I'm trying to build for the Musca B1 with the proxy service. I understand that I have to two separate builds, one for the secure_enclave and one for the SSE-200. The secure enclave build works fine, but I'm getting errors for the SSE-200 build and my various attempts to get around them have all failed. I'm (also) wondering if there are artifacts form the secure_enclave build that need to feed into the SSE-200 build somehow, and if so how that works.
Here's my command line and resulting errors:
cmake -S . -B build_musca_sse200_GNUARM_Relwithdebinfo '-GUnix Makefiles' -DTFM_PLATFORM=arm/musca_b1/sse_200 -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake -DCMAKE_BUILD_TYPE=Relwithdebinfo -DTFM_PSA_API=ON -DFORWARD_PROT_MSG=ON
In file included from /lhome/cbrand/work/trees_2/psoc6_atfm/trusted-firmware-m/platform/ext/target/arm/musca_b1/sse_200/bl0/bl0_main.c:17:0:
/lhome/cbrand/work/trees_2/psoc6_atfm/trusted-firmware-m/platform/ext/target/arm/musca_b1/sse_200/Device/Include/cmsis.h:63:10: fatal error: core_cm33.h: No such file or directory
#include <core_cm33.h> /*!< Arm Cortex-M33 processor and core peripherals */
^~~~~~~~~~~~~
compilation terminated.
/lhome/cbrand/work/trees_2/psoc6_atfm/trusted-firmware-m/platform/ext/target/arm/musca_b1/sse_200/Device/Source/gcc/startup_cmsdk_musca_bl2.S:20:10: fatal error: tfm_plat_config.h: No such file or directory
#include "tfm_plat_config.h"
^~~~~~~~~~~~~~~~~~~
compilation terminated.
In file included from /lhome/cbrand/work/trees_2/psoc6_atfm/trusted-firmware-m/platform/ext/target/arm/musca_b1/sse_200/Device/Include/platform_description.h:23:0,
from /lhome/cbrand/work/trees_2/psoc6_atfm/trusted-firmware-m/platform/ext/target/arm/musca_b1/sse_200/Device/Source/system_core_init.c:23:
/lhome/cbrand/work/trees_2/psoc6_atfm/trusted-firmware-m/platform/ext/target/arm/musca_b1/sse_200/Device/Include/cmsis.h:63:10: fatal error: core_cm33.h: No such file or directory
#include <core_cm33.h> /*!< Arm Cortex-M33 processor and core peripherals */
^~~~~~~~~~~~~
compilation terminated.
/lhome/cbrand/work/trees_2/psoc6_atfm/trusted-firmware-m/platform/ext/target/arm/musca_b1/sse_200/Device/Source/device_definition.c:29:10: fatal error: tfm_plat_defs.h: No such file or directory
#include "tfm_plat_defs.h"
^~~~~~~~~~~~~~~~~
compilation terminated.
[...]
<command-line>:0:0: warning: "FORWARD_PROT_MSG" redefined
<command-line>:0:0: note: this is the location of the previous definition
<command-line>:0:0: warning: "FORWARD_PROT_MSG" redefined
<command-line>:0:0: note: this is the location of the previous definition
<command-line>:0:0: warning: "FORWARD_PROT_MSG" redefined
<command-line>:0:0: note: this is the location of the previous definition
<command-line>:0:0: warning: "FORWARD_PROT_MSG" redefined
<command-line>:0:0: note: this is the location of the previous definition
<command-line>:0:0: warning: "FORWARD_PROT_MSG" redefined
<command-line>:0:0: note: this is the location of the previous definition
<command-line>:0:0: warning: "FORWARD_PROT_MSG" redefined
<command-line>:0:0: note: this is the location of the previous definition
[...]
platform/target/bl0/CMakeFiles/bl0.dir/build.make:86: recipe for target 'platform/target/bl0/CMakeFiles/bl0.dir/bl0_main.o' failed
gmake[2]: *** [platform/target/bl0/CMakeFiles/bl0.dir/bl0_main.o] Error 1
gmake[2]: *** Waiting for unfinished jobs....
platform/target/bl0/CMakeFiles/bl0.dir/build.make:138: recipe for target 'platform/target/bl0/CMakeFiles/bl0.dir/__/Device/Source/system_core_init.o' failed
gmake[2]: *** [platform/target/bl0/CMakeFiles/bl0.dir/__/Device/Source/system_core_init.o] Error 1
platform/target/bl0/CMakeFiles/bl0.dir/build.make:125: recipe for target 'platform/target/bl0/CMakeFiles/bl0.dir/__/Device/Source/device_definition.o' failed
gmake[2]: *** [platform/target/bl0/CMakeFiles/bl0.dir/__/Device/Source/device_definition.o] Error 1
platform/target/bl0/CMakeFiles/bl0.dir/build.make:81: recipe for target 'platform/target/bl0/CMakeFiles/bl0.dir/__/Device/Source/gcc/startup_cmsdk_musca_bl2.o' failed
gmake[2]: *** [platform/target/bl0/CMakeFiles/bl0.dir/__/Device/Source/gcc/startup_cmsdk_musca_bl2.o] Error 1
CMakeFiles/Makefile2:2539: recipe for target 'platform/target/bl0/CMakeFiles/bl0.dir/all' failed
gmake[1]: *** [platform/target/bl0/CMakeFiles/bl0.dir/all] Error 2
gmake[1]: *** Waiting for unfinished jobs....
This is from a clean checkout of 54d47fbd5269 (current HEAD).
I see that my tree does contain platform/ext/cmsis/core_cm33.h, platform/include/tfm_plat_config.h and platform/include/tfm_plat_defs.h so I guess it's the include paths that are messed up somehow...?
Thanks,
Chris Brand
Cypress Semiconductor (Canada), Inc.
Sr Prin Software Engr
CSCA CSS ICW SW PSW 1
Office: +1 778 234 0515
Chris.Brand(a)infineon.com<mailto:Chris.Brand@infineon.com>
Hi,
The next Technical Forum is planned on Thursday, June 24 7:00-8:00 UTC (Asia time zone).
Please reply on this email with your proposals for agenda topics.
Recording and slides of previous meetings are here:
https://www.trustedfirmware.org/meetings/tf-m-technical-forum/
Best regards,
Anton
Hi Ken
> Or any doubts about depreciating it?
It is not used because its implementation is not finished, the current
implementation is only for PSA L1 and not supported by IPC. This is not
enough for certification.
The Log service is optimally required by the PSA Certification.
If you going to deprecate it, first delete the requirement from the PSA
L2&L3 Certification profiles.
Thanks,
Andrej
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Ken Liu via
TF-M
Sent: Wednesday, June 16, 2021 10:46 AM
To: tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: [TF-M] Deprecate 'partitions/audit_logging' and its related tests
Hi,
The component name under this folder is 'Audit logging', and:
* There is no explicit specification or requirements for it, and its
functionality is as a simple log collector (and looks no one is using it).
* It supported under the library model only. And it is meaningless to
move to IPC because of this.
* It costs extra maintenance effort in test cases and partition code.
So a plan is to deprecate this folder and its related test cases; will
create a new one when the specification or requirements are explicitly
defined.
Question here is:
Anyone is using this service? Or any doubts about depreciating it?
Will collect the response and broadcast it at 25th Jun.
Thanks.
/Ken
Hi,
The component name under this folder is 'Audit logging', and:
* There is no explicit specification or requirements for it, and its functionality is as a simple log collector (and looks no one is using it).
* It supported under the library model only. And it is meaningless to move to IPC because of this.
* It costs extra maintenance effort in test cases and partition code.
So a plan is to deprecate this folder and its related test cases; will create a new one when the specification or requirements are explicitly defined.
Question here is:
Anyone is using this service? Or any doubts about depreciating it?
Will collect the response and broadcast it at 25th Jun.
Thanks.
/Ken
This event has been changed with this note:
"Extending end date"
Title: TF-M Tech forum
About TF-M Tech forum:This is an open forum for anyone to participate and
it is not restricted to Trusted Firmware project members. It will operate
under the guidance of the TF TSC.Feel free to forward it to
colleagues.Details of previous meetings are
here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/==…Topic:
TF-M Tech forum - Asia Time Zone FriendlyTime: Nov 12, 2020 07:00 AM
Greenwich Mean Time Every 4 weeks on Thu, until
Mar 4, 2021, 5 occurrence(s) Nov 12, 2020 07:00
AM Dec 10, 2020 07:00 AM
Jan 7, 2021 07:00 AM Feb 4, 2021 07:00
AM Mar 4, 2021 07:00 AMPlease download and
import the following iCalendar (.ics) files to your calendar system.Weekly:
https://linaro-org.zoom.us/meeting/tJYodOyvpz8jGNEc_1ykVap8Zg6oTLqZZSeJ/ics…
Zoom
Meetinghttps://linaro-org.zoom.us/j/92535794925?pwd=TTl0cmo4R2hTNm8wcHo1M3ZKdjlnUT09Meeting
ID: 925 3579 4925Passcode: 414410One tap mobile+12532158782,,92535794925#
US (Tacoma)+13462487799,,92535794925# US (Houston)Dial by your
location +1 253 215 8782 US (Tacoma)
+1 346 248 7799 US (Houston)
+1 669 900 9128 US (San Jose) +1 301 715
8592 US (Germantown) +1 312 626 6799 US
(Chicago) +1 646 558 8656 US (New York)
888 788 0099 US Toll-free
877 853 5247 US Toll-freeMeeting ID: 925 3579 4925Find your local number:
https://linaro-org.zoom.us/u/aesS64I7GW
When: Every 4 weeks from 12am to 1am on Thursday Mountain Standard Time -
Phoenix (changed)
Where:
https://linaro-org.zoom.us/j/92535794925?pwd=TTl0cmo4R2hTNm8wcHo1M3ZKdjlnUT…
Calendar: tf-m(a)lists.trustedfirmware.org
Who:
* Don Harbin - creator
* tf-m(a)lists.trustedfirmware.org
* anton.komlev(a)arm.com
* leonardo.sandoval(a)linaro.org
* abdelmalek.omar1(a)gmail.com
Event details:
https://calendar.google.com/calendar/event?action=VIEW&eid=aDM1OHZtbG0wa2di…
Invitation from Google Calendar: https://calendar.google.com/calendar/
You are receiving this courtesy email at the account
tf-m(a)lists.trustedfirmware.org because you are an attendee of this event.
To stop receiving future updates for this event, decline this event.
Alternatively you can sign up for a Google account at
https://calendar.google.com/calendar/ and control your notification
settings for your entire calendar.
Forwarding this invitation could allow any recipient to send a response to
the organizer and be added to the guest list, or invite others regardless
of their own invitation status, or to modify your RSVP. Learn more at
https://support.google.com/calendar/answer/37135#forwarding
Hi Anton,
If it's open agenda, I would like to take this opportunity to get some inputs about the use scenarios and solutions for sharing flash controller (or even other HW resources) between S and NS. For example, the security/concurrency concerns/issues etc.
Thanks.
Regards,
David Wang
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Anton Komlev via TF-M
Sent: Wednesday, June 9, 2021 11:03 PM
To: tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: Re: [TF-M] Technical Forum call - June 10
Hi,
We have an open agenda for the forum tomorrow.
Let's use that time to review any ongoing items and discuss open questions.
To start:
1. What kind of project measurements would be interesting for collection and ways for benchmarking.
* Booting time
* PSA service access time
* ... anything else ?
Regards and please bring your topic,
Anton
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Anton Komlev via TF-M
Sent: Wednesday, June 2, 2021 11:26 AM
To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: [TF-M] Technical Forum call - June 10
Hi,
The next Technical Forum is planned on Thursday, June 10, 15:00-16:00 UTC (US time zone).
Please reply on this email with your proposals for agenda topics.
Recording and slides of previous meetings are here:
https://www.trustedfirmware.org/meetings/tf-m-technical-forum/
Best regards,
Anton
Hi,
We have an open agenda for the forum tomorrow.
Let's use that time to review any ongoing items and discuss open questions.
To start:
1. What kind of project measurements would be interesting for collection and ways for benchmarking.
* Booting time
* PSA service access time
* ... anything else ?
Regards and please bring your topic,
Anton
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Anton Komlev via TF-M
Sent: Wednesday, June 2, 2021 11:26 AM
To: tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: [TF-M] Technical Forum call - June 10
Hi,
The next Technical Forum is planned on Thursday, June 10, 15:00-16:00 UTC (US time zone).
Please reply on this email with your proposals for agenda topics.
Recording and slides of previous meetings are here:
https://www.trustedfirmware.org/meetings/tf-m-technical-forum/
Best regards,
Anton
