Hi,
We're seeing a failure in the PSA Arch attestation test, specifically: TEST: 601 | DESCRIPTION: Testing attestation initial attestation APIs | UT: psa_initial_attestation [Info] Executing tests from non-secure [Check 1] Test psa_initial_attestation_get_token with Challenge 32 [Check 2] Test psa_initial_attestation_get_token with Challenge 48 Failed at Checkpoint: 1 Actual: -138 Expected: 0
TEST RESULT: FAILED (Error Code=0x1)
The failure is seen on PSoC, but only the gcc Release build (armclang and the other three gcc builds are all fine. Haven't tested IAR), which makes it tricky to debug. PSoC uses the common attest HAL code, though, so I imagine the issue may also be present on other platforms.
Bisecting the problem leads to commit 09d71ffd40368b978d428744ad7ba0d3963f8d1d ("Platform: Use OTP as backing for attestation data").
-138 is PSA_ERROR_BUFFER_TOO_SMALL.
I'm running gcc-arm-none-eabi-7-2018-q2-update, in case that matters.
Chris Brand
Cypress Semiconductor (Canada), Inc. Sr Prin Software Engr CSCA CSS ICW SW PSW 1 Office: +1 778 234 0515 Chris.Brand@infineon.commailto:Chris.Brand@infineon.com
Hi Chris,
Thanks for reporting this issue. I will take care of it.
Best regards, Hu Ziji
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of chris.brand--- via TF-M Sent: Saturday, October 16, 2021 5:47 AM To: tf-m@lists.trustedfirmware.org Subject: [TF-M] PSA Arch attestation test failure
Hi,
We're seeing a failure in the PSA Arch attestation test, specifically: TEST: 601 | DESCRIPTION: Testing attestation initial attestation APIs | UT: psa_initial_attestation [Info] Executing tests from non-secure [Check 1] Test psa_initial_attestation_get_token with Challenge 32 [Check 2] Test psa_initial_attestation_get_token with Challenge 48 Failed at Checkpoint: 1 Actual: -138 Expected: 0
TEST RESULT: FAILED (Error Code=0x1)
The failure is seen on PSoC, but only the gcc Release build (armclang and the other three gcc builds are all fine. Haven't tested IAR), which makes it tricky to debug. PSoC uses the common attest HAL code, though, so I imagine the issue may also be present on other platforms.
Bisecting the problem leads to commit 09d71ffd40368b978d428744ad7ba0d3963f8d1d ("Platform: Use OTP as backing for attestation data").
-138 is PSA_ERROR_BUFFER_TOO_SMALL.
I'm running gcc-arm-none-eabi-7-2018-q2-update, in case that matters.
Chris Brand
Cypress Semiconductor (Canada), Inc. Sr Prin Software Engr CSCA CSS ICW SW PSW 1 Office: +1 778 234 0515 Chris.Brand@infineon.commailto:Chris.Brand@infineon.com
Hi Chris,
Sorry I tried both isolation level 1 and level 2 on PSoC64 with the latest TF-M but cannot reproduce the failure. I tried both GNUARM 7.3.1 and 8.3.1. Both passed the test.
Can you please share your build command?
The log I got:
Starting Cortex-M4 at 0x10050400 Non-secure code running on non-secure core.
Cores sync success. Non-Secure system starting...
***** PSA Architecture Test Suite - Version 1.2 *****
Running.. Attestation Suite ******************************************
TEST: 601 | DESCRIPTION: Testing attestation initial attestation APIs | UT: psa_initial_attestation [Info] Executing tests from non-secure [Check 1] Test psa_initial_attestation_get_token with Challenge 32 [Check 2] Test psa_initial_attestation_get_token with Challenge 48 [Check 3] Test psa_initial_attestation_get_token with Challenge 64 [Check 4] Test psa_initial_attestation_get_token with zero challenge size [Check 5] Test psa_initial_attestation_get_token with small challenge size [Check 6] Test psa_initial_attestation_get_token with invalid challenge size [Check 7] Test psa_initial_attestation_get_token with large challenge size [Check 8] Test psa_initial_attestation_get_token with zero as token size [Check 9] Test psa_initial_attestation_get_token with small token size [Check 10] Test psa_initial_attestation_get_token_size with Challenge 32 [Check 11] Test psa_initial_attestation_get_token_size with Challenge 48 [Check 12] Test psa_initial_attestation_get_token_size with Challenge 64 [Check 13] Test psa_initial_attestation_get_token_size with zero challenge size [Check 14] Test psa_initial_attestation_get_token_size with small challenge size [Check 15] Test psa_initial_attestation_get_token_size with invalid challenge size [Check 16] Test psa_initial_attestation_get_token_size with large challenge size
TEST RESULT: PASSED
******************************************
************ Attestation Suite Report ********** TOTAL TESTS : 1 TOTAL PASSED : 1 TOTAL SIM ERROR : 0 TOTAL FAILED : 0 TOTAL SKIPPED : 0 ******************************************
Entering standby..
Best regards, Hu Ziji
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of David Hu via TF-M Sent: Monday, October 18, 2021 10:03 AM To: Chris.Brand@infineon.com Cc: nd nd@arm.com; tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] PSA Arch attestation test failure
Hi Chris,
Thanks for reporting this issue. I will take care of it.
Best regards, Hu Ziji
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of chris.brand--- via TF-M Sent: Saturday, October 16, 2021 5:47 AM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [TF-M] PSA Arch attestation test failure
Hi,
We're seeing a failure in the PSA Arch attestation test, specifically: TEST: 601 | DESCRIPTION: Testing attestation initial attestation APIs | UT: psa_initial_attestation [Info] Executing tests from non-secure [Check 1] Test psa_initial_attestation_get_token with Challenge 32 [Check 2] Test psa_initial_attestation_get_token with Challenge 48 Failed at Checkpoint: 1 Actual: -138 Expected: 0
TEST RESULT: FAILED (Error Code=0x1)
The failure is seen on PSoC, but only the gcc Release build (armclang and the other three gcc builds are all fine. Haven't tested IAR), which makes it tricky to debug. PSoC uses the common attest HAL code, though, so I imagine the issue may also be present on other platforms.
Bisecting the problem leads to commit 09d71ffd40368b978d428744ad7ba0d3963f8d1d ("Platform: Use OTP as backing for attestation data").
-138 is PSA_ERROR_BUFFER_TOO_SMALL.
I'm running gcc-arm-none-eabi-7-2018-q2-update, in case that matters.
Chris Brand
Cypress Semiconductor (Canada), Inc. Sr Prin Software Engr CSCA CSS ICW SW PSW 1 Office: +1 778 234 0515 Chris.Brand@infineon.commailto:Chris.Brand@infineon.com
Hi David,
That's weird. My build command is nothing odd: cmake -S . -B build_GNUARM_Release '-GUnix Makefiles' -DTFM_PLATFORM=cypress/psoc64 -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake -DCMAKE_BUILD_TYPE=Release -DTEST_PSA_API=INITIAL_ATTESTATION -DTFM_ISOLATION_LEVEL=2
Chris
From: David Hu David.Hu@arm.com Sent: Monday, October 18, 2021 12:03 AM To: Brand Chris (CSCA CSS ICW SW PSW 1) Chris.Brand@infineon.com; tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: RE: PSA Arch attestation test failure
Caution: This e-mail originated outside Infineon Technologies. Do not click on links or open attachments unless you validate it is safehttps://intranet-content.infineon.com/explore/aboutinfineon/rules/informationsecurity/ug/SocialEngineering/Pages/SocialEngineeringElements_en.aspx.
Hi Chris,
Sorry I tried both isolation level 1 and level 2 on PSoC64 with the latest TF-M but cannot reproduce the failure. I tried both GNUARM 7.3.1 and 8.3.1. Both passed the test.
Can you please share your build command?
The log I got:
Starting Cortex-M4 at 0x10050400 Non-secure code running on non-secure core.
Cores sync success. Non-Secure system starting...
***** PSA Architecture Test Suite - Version 1.2 *****
Running.. Attestation Suite ******************************************
TEST: 601 | DESCRIPTION: Testing attestation initial attestation APIs | UT: psa_initial_attestation [Info] Executing tests from non-secure [Check 1] Test psa_initial_attestation_get_token with Challenge 32 [Check 2] Test psa_initial_attestation_get_token with Challenge 48 [Check 3] Test psa_initial_attestation_get_token with Challenge 64 [Check 4] Test psa_initial_attestation_get_token with zero challenge size [Check 5] Test psa_initial_attestation_get_token with small challenge size [Check 6] Test psa_initial_attestation_get_token with invalid challenge size [Check 7] Test psa_initial_attestation_get_token with large challenge size [Check 8] Test psa_initial_attestation_get_token with zero as token size [Check 9] Test psa_initial_attestation_get_token with small token size [Check 10] Test psa_initial_attestation_get_token_size with Challenge 32 [Check 11] Test psa_initial_attestation_get_token_size with Challenge 48 [Check 12] Test psa_initial_attestation_get_token_size with Challenge 64 [Check 13] Test psa_initial_attestation_get_token_size with zero challenge size [Check 14] Test psa_initial_attestation_get_token_size with small challenge size [Check 15] Test psa_initial_attestation_get_token_size with invalid challenge size [Check 16] Test psa_initial_attestation_get_token_size with large challenge size
TEST RESULT: PASSED
******************************************
************ Attestation Suite Report ********** TOTAL TESTS : 1 TOTAL PASSED : 1 TOTAL SIM ERROR : 0 TOTAL FAILED : 0 TOTAL SKIPPED : 0 ******************************************
Entering standby..
Best regards, Hu Ziji
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of David Hu via TF-M Sent: Monday, October 18, 2021 10:03 AM To: Chris.Brand@infineon.commailto:Chris.Brand@infineon.com Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] PSA Arch attestation test failure
Hi Chris,
Thanks for reporting this issue. I will take care of it.
Best regards, Hu Ziji
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of chris.brand--- via TF-M Sent: Saturday, October 16, 2021 5:47 AM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [TF-M] PSA Arch attestation test failure
Hi,
We're seeing a failure in the PSA Arch attestation test, specifically: TEST: 601 | DESCRIPTION: Testing attestation initial attestation APIs | UT: psa_initial_attestation [Info] Executing tests from non-secure [Check 1] Test psa_initial_attestation_get_token with Challenge 32 [Check 2] Test psa_initial_attestation_get_token with Challenge 48 Failed at Checkpoint: 1 Actual: -138 Expected: 0
TEST RESULT: FAILED (Error Code=0x1)
The failure is seen on PSoC, but only the gcc Release build (armclang and the other three gcc builds are all fine. Haven't tested IAR), which makes it tricky to debug. PSoC uses the common attest HAL code, though, so I imagine the issue may also be present on other platforms.
Bisecting the problem leads to commit 09d71ffd40368b978d428744ad7ba0d3963f8d1d ("Platform: Use OTP as backing for attestation data").
-138 is PSA_ERROR_BUFFER_TOO_SMALL.
I'm running gcc-arm-none-eabi-7-2018-q2-update, in case that matters.
Chris Brand
Cypress Semiconductor (Canada), Inc. Sr Prin Software Engr CSCA CSS ICW SW PSW 1 Office: +1 778 234 0515 Chris.Brand@infineon.commailto:Chris.Brand@infineon.com
Hi Chris,
It does be a bit weird. I also tried on AN521 but didn't reproduce the issue either. But anyway I will merge Raef's fix soon so you can proceed your job.
Best regards, Hu Ziji
From: Chris.Brand@infineon.com Chris.Brand@infineon.com Sent: Monday, October 18, 2021 11:31 PM To: David Hu David.Hu@arm.com; tf-m@lists.trustedfirmware.org Subject: RE: PSA Arch attestation test failure
Hi David,
That's weird. My build command is nothing odd: cmake -S . -B build_GNUARM_Release '-GUnix Makefiles' -DTFM_PLATFORM=cypress/psoc64 -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake -DCMAKE_BUILD_TYPE=Release -DTEST_PSA_API=INITIAL_ATTESTATION -DTFM_ISOLATION_LEVEL=2
Chris
From: David Hu <David.Hu@arm.commailto:David.Hu@arm.com> Sent: Monday, October 18, 2021 12:03 AM To: Brand Chris (CSCA CSS ICW SW PSW 1) <Chris.Brand@infineon.commailto:Chris.Brand@infineon.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: PSA Arch attestation test failure
Caution: This e-mail originated outside Infineon Technologies. Do not click on links or open attachments unless you validate it is safehttps://intranet-content.infineon.com/explore/aboutinfineon/rules/informationsecurity/ug/SocialEngineering/Pages/SocialEngineeringElements_en.aspx.
Hi Chris,
Sorry I tried both isolation level 1 and level 2 on PSoC64 with the latest TF-M but cannot reproduce the failure. I tried both GNUARM 7.3.1 and 8.3.1. Both passed the test.
Can you please share your build command?
The log I got:
Starting Cortex-M4 at 0x10050400 Non-secure code running on non-secure core.
Cores sync success. Non-Secure system starting...
***** PSA Architecture Test Suite - Version 1.2 *****
Running.. Attestation Suite ******************************************
TEST: 601 | DESCRIPTION: Testing attestation initial attestation APIs | UT: psa_initial_attestation [Info] Executing tests from non-secure [Check 1] Test psa_initial_attestation_get_token with Challenge 32 [Check 2] Test psa_initial_attestation_get_token with Challenge 48 [Check 3] Test psa_initial_attestation_get_token with Challenge 64 [Check 4] Test psa_initial_attestation_get_token with zero challenge size [Check 5] Test psa_initial_attestation_get_token with small challenge size [Check 6] Test psa_initial_attestation_get_token with invalid challenge size [Check 7] Test psa_initial_attestation_get_token with large challenge size [Check 8] Test psa_initial_attestation_get_token with zero as token size [Check 9] Test psa_initial_attestation_get_token with small token size [Check 10] Test psa_initial_attestation_get_token_size with Challenge 32 [Check 11] Test psa_initial_attestation_get_token_size with Challenge 48 [Check 12] Test psa_initial_attestation_get_token_size with Challenge 64 [Check 13] Test psa_initial_attestation_get_token_size with zero challenge size [Check 14] Test psa_initial_attestation_get_token_size with small challenge size [Check 15] Test psa_initial_attestation_get_token_size with invalid challenge size [Check 16] Test psa_initial_attestation_get_token_size with large challenge size
TEST RESULT: PASSED
******************************************
************ Attestation Suite Report ********** TOTAL TESTS : 1 TOTAL PASSED : 1 TOTAL SIM ERROR : 0 TOTAL FAILED : 0 TOTAL SKIPPED : 0 ******************************************
Entering standby..
Best regards, Hu Ziji
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of David Hu via TF-M Sent: Monday, October 18, 2021 10:03 AM To: Chris.Brand@infineon.commailto:Chris.Brand@infineon.com Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] PSA Arch attestation test failure
Hi Chris,
Thanks for reporting this issue. I will take care of it.
Best regards, Hu Ziji
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of chris.brand--- via TF-M Sent: Saturday, October 16, 2021 5:47 AM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [TF-M] PSA Arch attestation test failure
Hi,
We're seeing a failure in the PSA Arch attestation test, specifically: TEST: 601 | DESCRIPTION: Testing attestation initial attestation APIs | UT: psa_initial_attestation [Info] Executing tests from non-secure [Check 1] Test psa_initial_attestation_get_token with Challenge 32 [Check 2] Test psa_initial_attestation_get_token with Challenge 48 Failed at Checkpoint: 1 Actual: -138 Expected: 0
TEST RESULT: FAILED (Error Code=0x1)
The failure is seen on PSoC, but only the gcc Release build (armclang and the other three gcc builds are all fine. Haven't tested IAR), which makes it tricky to debug. PSoC uses the common attest HAL code, though, so I imagine the issue may also be present on other platforms.
Bisecting the problem leads to commit 09d71ffd40368b978d428744ad7ba0d3963f8d1d ("Platform: Use OTP as backing for attestation data").
-138 is PSA_ERROR_BUFFER_TOO_SMALL.
I'm running gcc-arm-none-eabi-7-2018-q2-update, in case that matters.
Chris Brand
Cypress Semiconductor (Canada), Inc. Sr Prin Software Engr CSCA CSS ICW SW PSW 1 Office: +1 778 234 0515 Chris.Brand@infineon.commailto:Chris.Brand@infineon.com
Hey Chris
Can you try out this patch as a fix?
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/11953
On my end it seems to prevent any failures in the attestation tests
Raef
________________________________________ From: Chris.Brand@infineon.com Chris.Brand@infineon.com Sent: 15 October 2021 22:47 To: tf-m@lists.trustedfirmware.org Cc: Raef Coles Subject: PSA Arch attestation test failure
Hi,
We’re seeing a failure in the PSA Arch attestation test, specifically: TEST: 601 | DESCRIPTION: Testing attestation initial attestation APIs | UT: psa_initial_attestation [Info] Executing tests from non-secure [Check 1] Test psa_initial_attestation_get_token with Challenge 32 [Check 2] Test psa_initial_attestation_get_token with Challenge 48 Failed at Checkpoint: 1 Actual: -138 Expected: 0
TEST RESULT: FAILED (Error Code=0x1)
The failure is seen on PSoC, but only the gcc Release build (armclang and the other three gcc builds are all fine. Haven’t tested IAR), which makes it tricky to debug. PSoC uses the common attest HAL code, though, so I imagine the issue may also be present on other platforms.
Bisecting the problem leads to commit 09d71ffd40368b978d428744ad7ba0d3963f8d1d (“Platform: Use OTP as backing for attestation data”).
-138 is PSA_ERROR_BUFFER_TOO_SMALL.
I’m running gcc-arm-none-eabi-7-2018-q2-update, in case that matters.
Chris Brand
Cypress Semiconductor (Canada), Inc. Sr Prin Software Engr CSCA CSS ICW SW PSW 1 Office: +1 778 234 0515 Chris.Brand@infineon.commailto:Chris.Brand@infineon.com
Hi Raef,
That patch does seem to fix the issue.
Thanks!
Chris
-----Original Message----- From: Raef Coles Raef.Coles@arm.com Sent: Monday, October 18, 2021 2:33 AM To: Brand Chris (CSCA CSS ICW SW PSW 1) Chris.Brand@infineon.com; tf-m@lists.trustedfirmware.org Subject: Re: PSA Arch attestation test failure
Caution: This e-mail originated outside Infineon Technologies. Do not click on links or open attachments unless you validate it is safehttps://intranet-content.infineon.com/explore/aboutinfineon/rules/informationsecurity/ug/SocialEngineering/Pages/SocialEngineeringElements_en.aspx.
Hey Chris
Can you try out this patch as a fix?
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/11953
On my end it seems to prevent any failures in the attestation tests
Raef
________________________________________ From: Chris.Brand@infineon.com Chris.Brand@infineon.com Sent: 15 October 2021 22:47 To: tf-m@lists.trustedfirmware.org Cc: Raef Coles Subject: PSA Arch attestation test failure
Hi,
We're seeing a failure in the PSA Arch attestation test, specifically: TEST: 601 | DESCRIPTION: Testing attestation initial attestation APIs | UT: psa_initial_attestation [Info] Executing tests from non-secure [Check 1] Test psa_initial_attestation_get_token with Challenge 32 [Check 2] Test psa_initial_attestation_get_token with Challenge 48 Failed at Checkpoint: 1 Actual: -138 Expected: 0
TEST RESULT: FAILED (Error Code=0x1)
The failure is seen on PSoC, but only the gcc Release build (armclang and the other three gcc builds are all fine. Haven't tested IAR), which makes it tricky to debug. PSoC uses the common attest HAL code, though, so I imagine the issue may also be present on other platforms.
Bisecting the problem leads to commit 09d71ffd40368b978d428744ad7ba0d3963f8d1d ("Platform: Use OTP as backing for attestation data").
-138 is PSA_ERROR_BUFFER_TOO_SMALL.
I'm running gcc-arm-none-eabi-7-2018-q2-update, in case that matters.
Chris Brand
Cypress Semiconductor (Canada), Inc. Sr Prin Software Engr CSCA CSS ICW SW PSW 1 Office: +1 778 234 0515 Chris.Brand@infineon.commailto:Chris.Brand@infineon.com
tf-m@lists.trustedfirmware.org