Hi all,
Please note that API tfm_initial_attest_get_public_key() has been removed from TF-M Initial Attestation service.
tfm_initial_attest_get_public_key() was defined by TF-M to retrieve Initial Attestation Key (IAK) public key in runtime. It is not defined by PSA Attestation API spec. It was designed for test purpose only but was always enabled in Initial Attestation service.
TF-M regression tests called tfm_initial_attest_get_public_key() in runtime to retrieve IAK public key to verify the Initial Attestation Token (IAK) generated by Initial Attestation service. However, such a test implementation doesn't fully align with common attestation protocols, in which the public key is usually distributed to the verifier when the device is deployed or registered. This API can be misleading and it concerned developers that it may be abused in actual production.
Therefore this API is removed now. A hard-coded dummy public key file is exported instead, to provide the pre-defined public key data to TF-M regression tests. This dummy public key is hard-coded herehttps://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/platform/ext/common/template/tfm_initial_attest_pub_key.c.
The removal of this API doesn't impact TF-M Initial Attestation service functionalities. TF-M Initial Attestation service still works as PSA attestation API spec requests. The changes to TF-M regression tests are either transparent to platform port or tests. However, there are two exceptions:
- Currently, some develop boards with OTP enabled are provisioned with random IAK pair. The public key is unknown to the attestation verifier.
Therefore a dedicated attestation test partitionhttps://git.trustedfirmware.org/TF-M/tf-m-tests.git/tree/test/test_services/tfm_attest_test_service is added to workaround this issue. It adds back API tfm_initial_attest_get_public_key() to retrieve IAK public key in runtime.
Boards with similar limitations can select flag ATTEST_TEST_GET_PUBLIC_KEY to enable this workaround during TF-M regression tests.
This test partition is only available for TF-M regression tests. It is recommended to enable this workaround *only when it is necessary*.
- When developers integrate TF-M with 3rd party test tool, developers can pick the dummy public key file and include it into IAK verification tests as public key input.
Sorry for any inconvenience or trouble if this removal impacts your ongoing task. Please let me know if you have further questions about the removal of API tfm_initial_attest_get_public_key().
Best regards, Hu Ziji