Hello,
I have been trying to test the initial attestation feature using the regression build for a platform that we are developing. TF-M small profile has been configured, which enables symmetric key-based attestation. On running the regression tests, the TFM_NS_ATTEST_TEST_2001 testcase fails.
On further debugging, I found that the static buffer that mbedtls uses for its allocation is not sufficient (CRYPTO_ENGINE_BUF_SIZE = 0x400 in small profile). When I increase the buffer size to 0x500, the testcase passes. Therefore, I wanted to know if this change needs to be adopted upstream or if I might be overlooking something on my end. Any leads in this regard would be helpful.
Thanks, Jayashree
Hi Jayashree,
thanks for raising this. We will need to double check internally and get back to you.
Thanks, Antonio
________________________________
From: Srinivasan, Jayashree via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Thursday, November 7, 2024 15:32
To: tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.org>
Subject: [TF-M] TF-M Small Profile with Initial Attestation - Related Query
Hi Jayashree,
I have just re-tested the profile_small on the attestation test below, and it works fine for me on AN521 (our reference, pure software based implementation which just uses Mbed TLS APIs for crypto and no hardware acceleration). It works fine both with the legacy IOT scheme and the new PSA 2.0 scheme (likely we will move the default to PSA 2.0, hence why I am testing both of them).
In any case it passes for me with the BUF_SIZE set to 0x400.
The requirement on the size of the buffer might of course be different in case a hardware accelerator is plugged into your system which might call APIs from Mbed TLS that allocate in the static heap. If that is not the case, my suggestion is:
1. Compare with the default build of AN521 (you can find instructions in the docs on how to build and run it).
2. I assume your failure is due to some of the Crypto APIs being called which are returning PSA_ERROR_INSUFFICIENT_MEMORY: in that case you should try to pinpoint which API returns that, and specifically what it is trying to do when the error occurs.
Hope this helps.
Thanks, Antonio
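The pinpointing step suggested above can be done by tagging each allocation and recording the high-water mark of the static heap. The following is an added example, not part of the thread and not TF-M or Mbed TLS code. The arena model, the 32-byte header cost, the `site_*` tags and the request sizes are all constructed assumptions; only the 0x400 and 0x500 buffer sizes come from the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE 32u   /* assumed per-block bookkeeping cost, not Mbed TLS's */
#define ALIGN8(n) (((n) + 7u) & ~(size_t)7u)

typedef struct {
    size_t size, used, peak;   /* capacity, live bytes, high-water mark */
    const char *first_fail;    /* call-site tag of first failed request */
    size_t fail_req;           /* bytes asked for by that request */
} arena_t;

static void arena_init(arena_t *a, size_t size) {
    memset(a, 0, sizeof(*a));
    a->size = size;
}

/* Accounting only: returns 0 if the request fits, -1 if it does not. */
static int arena_alloc(arena_t *a, size_t n, const char *tag) {
    size_t need = HDR_SIZE + ALIGN8(n);
    if (need > a->size - a->used) {
        if (!a->first_fail) { a->first_fail = tag; a->fail_req = n; }
        return -1;
    }
    a->used += need;
    if (a->used > a->peak) a->peak = a->used;
    return 0;
}

static void arena_free(arena_t *a, size_t n) { a->used -= HDR_SIZE + ALIGN8(n); }

/* Constructed request sizes (988 bytes in total), not measured from TF-M. */
static int run_workload(arena_t *a) {
    if (arena_alloc(a, 272, "site_a") || arena_alloc(a, 416, "site_b") ||
        arena_alloc(a, 300, "site_c"))
        return -1;             /* caller sees an out-of-memory style error */
    arena_free(a, 300); arena_free(a, 416); arena_free(a, 272);
    return 0;
}

int main(void) {
    size_t sizes[] = { 0x400, 0x500 };
    for (int i = 0; i < 2; i++) {
        arena_t a;
        arena_init(&a, sizes[i]);
        int rc = run_workload(&a);
        printf("buf=0x%zx rc=%d peak=%zu first_fail=%s (%zu bytes)\n", sizes[i],
               rc, a.peak, a.first_fail ? a.first_fail : "none", a.fail_req);
    }
    return 0;
}
```

The raw requests sum to less than 0x400, yet the third one fails there because per-block overhead and alignment count against the buffer, so the recorded peak is the figure to size against. Mbed TLS's buffer allocator reports the equivalent figure through `mbedtls_memory_buffer_alloc_max_get()` when built with `MBEDTLS_MEMORY_DEBUG`.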
________________________________
From: Antonio De Angelis via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Thursday, November 7, 2024 16:26
To: tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.org>
Cc: Srinivasan, Jayashree <Jayashree.Srinivasan@analog.com>; nd <nd@arm.com>
Subject: [TF-M] Re: TF-M Small Profile with Initial Attestation - Related Query