Hi,

 

Looks good to me. Works as expected.

 

Thanks

 

 

Regards,

Bohdan Hunko

 

Cypress Semiconductor Ukraine

Engineer

CSUKR CSS ICW SW FW

Mobile: +38099 50 19 714
Bohdan.Hunko@infineon.com

 

 

From: Mate Toth-Pal <Mate.Toth-Pal@arm.com>
Sent: Friday, May 3, 2024 10:51
To: Hunko Bohdan (CSS ICW SW FW 3) <Bohdan.Hunko@infineon.com>; tf-m@lists.trustedfirmware.org; Tamas Ban <Tamas.Ban@arm.com>
Cc: nd <nd@arm.com>
Subject: Re: Wrong Life Cycle values in iatverifier

 


Hi Bohdan,

 

I created a patch that updates the lifecycle state values in the tool according to the IETF draft.

https://review.trustedfirmware.org/c/TF-M/tf-m-tools/+/28713

 

Could you please give it a try?

 

Thanks,

Mate


From: Tamas Ban via TF-M <tf-m@lists.trustedfirmware.org>
Sent: 30 April 2024 15:35
To: Bohdan.Hunko@infineon.com <Bohdan.Hunko@infineon.com>; tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.org>
Subject: [TF-M] Re: Wrong Life Cycle values in iatverifier

 

Hi Bohdan,

 

Thanks for reporting. It looks like the iat-verifier tool is out-of-date in this regard.

I have checked and SLC values in iat-verifier are aligned with a very early version of the spec:
https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-01

 

I will create a patch.

 

BR,

Tamas

 

From: Bohdan.Hunko--- via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Tuesday, April 30, 2024 12:02 PM
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] Wrong Life Cycle values in iatverifier

 

Hi

I am trying to use the iatverifier tool from the tf-m-tools repo to verify a token and it seems like the values for Security Lifecycle in the tool are wrong, because:

this spec https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-21.html defines them as

psa-lifecycle-unknown-type = 0x0000..0x00ff
psa-lifecycle-assembly-and-test-type = 0x1000..0x10ff
psa-lifecycle-psa-rot-provisioning-type = 0x2000..0x20ff
psa-lifecycle-secured-type = 0x3000..0x30ff
psa-lifecycle-non-psa-rot-debug-type = 0x4000..0x40ff
psa-lifecycle-recoverable-psa-rot-debug-type = 0x5000..0x50ff
psa-lifecycle-decommissioned-type = 0x6000..0x60ff

 

Which is consistent with values of tfm_security_lifecycle_t enum in TFM

enum tfm_security_lifecycle_t {
    TFM_SLC_UNKNOWN                   = 0x0000u,
    TFM_SLC_ASSEMBLY_AND_TEST         = 0x1000u,
    TFM_SLC_PSA_ROT_PROVISIONING      = 0x2000u,
    TFM_SLC_SECURED                   = 0x3000u,
    TFM_SLC_NON_PSA_ROT_DEBUG         = 0x4000u,
    TFM_SLC_RECOVERABLE_PSA_ROT_DEBUG = 0x5000u,
    TFM_SLC_DECOMMISSIONED            = 0x6000u,
    TFM_SLC_MAX_VALUE                 = UINT32_MAX,
};

 

 

But in the tf-m-tools/iat-verifier/iatverifier/psa_iot_profile1_token_claims.py these values are defined differently

    # Security Lifecycle claims
    SL_UNKNOWN = 0x1000
    SL_PSA_ROT_PROVISIONING = 0x2000
    SL_SECURED = 0x3000
    SL_NON_PSA_ROT_DEBUG = 0x4000
    SL_RECOVERABLE_PSA_ROT_DEBUG = 0x5000
    SL_PSA_LIFECYCLE_DECOMMISSIONED = 0x6000

 

 

Thus I am getting SL_UNKNOWN instead of TFM_SLC_ASSEMBLY_AND_TEST

 

Is this a known issue? Can this be fixed?

 

Regards,

Bohdan Hunko

 

Cypress Semiconductor Ukraine

Engineer

CSUKR CSS ICW SW FW

Mobile: +38099 50 19 714
Bohdan.Hunko@infineon.com
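
Added example (not part of the thread and not iat-verifier code): a range-based decoder for the security lifecycle claim, using the draft-21 ranges quoted in the report, compared against the exact-match constants quoted from psa_iot_profile1_token_claims.py. The names decode_lifecycle, audit, DRAFT21_RANGES and OLD_TABLE are hypothetical, and the sample claim values are constructed.

```python
# Added example; function and table names are hypothetical, not iat-verifier's API.

# Ranges quoted in the report from draft-tschofenig-rats-psa-token-21.
DRAFT21_RANGES = [
    (0x0000, 0x00FF, "unknown"),
    (0x1000, 0x10FF, "assembly-and-test"),
    (0x2000, 0x20FF, "psa-rot-provisioning"),
    (0x3000, 0x30FF, "secured"),
    (0x4000, 0x40FF, "non-psa-rot-debug"),
    (0x5000, 0x50FF, "recoverable-psa-rot-debug"),
    (0x6000, 0x60FF, "decommissioned"),
]

# Exact-match constants quoted in the report from
# psa_iot_profile1_token_claims.py, paired with the state each name implies.
OLD_TABLE = {
    0x1000: ("SL_UNKNOWN", "unknown"),
    0x2000: ("SL_PSA_ROT_PROVISIONING", "psa-rot-provisioning"),
    0x3000: ("SL_SECURED", "secured"),
    0x4000: ("SL_NON_PSA_ROT_DEBUG", "non-psa-rot-debug"),
    0x5000: ("SL_RECOVERABLE_PSA_ROT_DEBUG", "recoverable-psa-rot-debug"),
    0x6000: ("SL_PSA_LIFECYCLE_DECOMMISSIONED", "decommissioned"),
}


def decode_lifecycle(value):
    """Map a security lifecycle claim value to its draft-21 state name."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError("lifecycle claim must be an integer")
    for low, high, name in DRAFT21_RANGES:
        if low <= value <= high:
            return name
    raise ValueError(f"0x{value:04x} is outside every draft-21 lifecycle range")


def audit(values):
    """Return (value, draft_state, old_label) where the old table disagrees."""
    findings = []
    for value in values:
        state = decode_lifecycle(value)
        label, implied = OLD_TABLE.get(value, (None, None))
        if implied != state:
            findings.append((value, state, label))
    return findings


if __name__ == "__main__":
    # Constructed sample claim values, not taken from a real token.
    for value, state, label in audit([0x0000, 0x1000, 0x3000, 0x3001]):
        print(f"0x{value:04x}: draft-21 {state!r}, old table {label!r}")
```

An old-table label of None means the exact-match constants have no entry for that value even though it falls inside a draft-21 range.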