Hi Tamas,
I have noticed today, that the PSA test suite has done several merges to its master branch. Based the PSA test-suit readme, it has switched to newer versions of the PSA API. Should we try to update or better to wait for a right signal from the TFM team?
Thanks, Andrej
From: Tamas Ban <Tamas.Ban@arm.commailto:Tamas.Ban@arm.com> Sent: Thursday, February 6, 2020 2:09 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: Andrej Butok <andrey.butok@nxp.commailto:andrey.butok@nxp.com> Subject: RE: PSA Test Suite - Attestation test
Hi Andrej,
The v19.08_TBSA0.9 version of psa-arch test suite is aligned with current TF-M master.
I have executed the test suite and found that unfortunately the attestation test suite is currently broken:
* It was introduced by the QCBOR library update in https://review.trustedfirmware.org/c/trusted-firmware-m/+/2679/6https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.trustedfirmware.org%2Fc%2Ftrusted-firmware-m%2F%2B%2F2679%2F6&data=02%7C01%7Candrey.butok%40nxp.com%7C4674787be3d04be8d99808d7ab05bdce%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637165913474221548&sdata=w3orsjYZEEjwLS7fCjJi8ZuljXxkT5qJSnCO1a%2F0acw%3D&reserved=0 * Currently there is a misalignment between psa-arch and tf-m in terms of QCBOR version. psa-arch still relies on older version of QCBOR. * The version mismatch lead some parsing error in CBOR that is the reason why the test suite is failing. * Other issue is that v19.08_TBSA0.9 version of psa-arch mandates the key-id in unprotected COSE header, however that field is optional according to the standard. In TF-M the inclusion of key-id was bind to ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID, which was split to two compile time switch (https://review.trustedfirmware.org/c/trusted-firmware-m/+/3147https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.trustedfirmware.org%2Fc%2Ftrusted-firmware-m%2F%2B%2F3147&data=02%7C01%7Candrey.butok%40nxp.com%7C4674787be3d04be8d99808d7ab05bdce%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637165913474221548&sdata=AFW8FiAKFjext42fMiMv63%2F3xMdjmvKnVlgp4R8VeRo%3D&reserved=0) ATTEST_INCLUDE_COSE_KEY_ID and ATTEST_ INCLUDE_TEST_CODE.
Way forward:
* I let the psa-arch test team to update QCBOR. * Fix will be put on master, but currently the tip of the psa-arch master is not aligned with TF-M master. They are supports different PSA API versions. * In TF-M there is a branchhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.trustedfirmware.org%2Ftrusted-firmware-m.git%2Flog%2F%3Fh%3Dfeature-psa-dev-api-update&data=02%7C01%7Candrey.butok%40nxp.com%7C4674787be3d04be8d99808d7ab05bdce%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637165913474231540&sdata=vuk9Lw2GfzcUi4uBlfSzdGdaCVQpXh1t4yRw%2ByazmbY%3D&reserved=0 where the PSA API update is happening. This branch is intended to be merged to master in Q1.
Tamas
From: Andrej Butok <andrey.butok@nxp.commailto:andrey.butok@nxp.com> Sent: 05 February 2020 14:21 To: Tamas Ban <Tamas.Ban@arm.commailto:Tamas.Ban@arm.com> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: RE: PSA Test Suite - Attestation test
Hi Tamas
Could you tell what was the values of these compile time switches in your test?
For the previous TFM, we have used INCLUDE_TEST_CODE_AND_KEY_ID. For the current TFM it was renamed to INCLUDE_TEST_CODE. Other parameters are new, so I have tried different combinations of these parameters, but the PSA Test-Suite Attestation is still failed.
Further do you implemented the boot data sharing between bootloader and runtime firmware?
It's used the TFM template code without change from tfm\platform\ext\common\template
Do you sign SPE and NPSE images together or they are signed separately?
We do not use the secondary bootloader so far, so image is not signed.
As the Attestation Regression tests are passed. It's good to know what combination of parameters have to be used to generate the same token as it was generated by the older TFM and accepted by the PSA Test Suite (last commit on master branch). Or the PSA Test Suite is obsolete.
Thank you, Andrej
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Tamas Ban via TF-M Sent: Wednesday, February 5, 2020 1:13 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] PSA Test Suite - Attestation test
Hi Andrej,
Could you tell what was the values of these compile time switches in your test? I assume you did the test on NXP board. Further do you implemented the boot data sharing between bootloader and runtime firmware? Do you sign SPE and NPSE images together or they are signed separately?
Tamas
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Andrej Butok via TF-M Sent: 04 February 2020 17:33 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [TF-M] PSA Test Suite - Attestation test
Hello,
After upgrade to the latest version of TFM, the Attestation test from the PSA Test Suite is failed (but the TFM Attestation regression tests are passed).
What combination of configuration parameters must be used (INCLUDE_OPTIONAL_CLAIMS, INCLUDE_TEST_CODE, INCLUDE_COSE_KEY_ID, BOOT_DATA_AVAILABLE) to follow PSA Test Suite expectations? What commit of the PSA Test-suite must be used for the latest TFM? We are still on the 2019-07-25 (c80681ed7c7f3e2cbf02ded1ef2464ba2ca7ccd5) commit, which was OK with 2-month old TFM. Is the PSA Test Suite Attestation test valid for the latest TFM?
Thank you, Andrej Butok
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi Andrej,
The QCBOR update in psa-arch-test repo is still ongoing, the issue has not resolved yet. You can track the status here: https://github.com/ARM-software/psa-arch-tests/issues/143
Tamas
From: Andrej Butok andrey.butok@nxp.com Sent: 10 February 2020 10:04 To: Tamas Ban Tamas.Ban@arm.com Cc: tf-m@lists.trustedfirmware.org Subject: RE: PSA Test Suite - Attestation test
Hi Tamas,
I have noticed today, that the PSA test suite has done several merges to its master branch. Based the PSA test-suit readme, it has switched to newer versions of the PSA API. Should we try to update or better to wait for a right signal from the TFM team?
Thanks, Andrej
From: Tamas Ban <Tamas.Ban@arm.commailto:Tamas.Ban@arm.com> Sent: Thursday, February 6, 2020 2:09 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: Andrej Butok <andrey.butok@nxp.commailto:andrey.butok@nxp.com> Subject: RE: PSA Test Suite - Attestation test
Hi Andrej,
The v19.08_TBSA0.9 version of psa-arch test suite is aligned with current TF-M master.
I have executed the test suite and found that unfortunately the attestation test suite is currently broken:
* It was introduced by the QCBOR library update in https://review.trustedfirmware.org/c/trusted-firmware-m/+/2679/6https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.trustedfirmware.org%2Fc%2Ftrusted-firmware-m%2F%2B%2F2679%2F6&data=02%7C01%7Candrey.butok%40nxp.com%7C4674787be3d04be8d99808d7ab05bdce%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637165913474221548&sdata=w3orsjYZEEjwLS7fCjJi8ZuljXxkT5qJSnCO1a%2F0acw%3D&reserved=0 * Currently there is a misalignment between psa-arch and tf-m in terms of QCBOR version. psa-arch still relies on older version of QCBOR. * The version mismatch lead some parsing error in CBOR that is the reason why the test suite is failing. * Other issue is that v19.08_TBSA0.9 version of psa-arch mandates the key-id in unprotected COSE header, however that field is optional according to the standard. In TF-M the inclusion of key-id was bind to ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID, which was split to two compile time switch (https://review.trustedfirmware.org/c/trusted-firmware-m/+/3147https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.trustedfirmware.org%2Fc%2Ftrusted-firmware-m%2F%2B%2F3147&data=02%7C01%7Candrey.butok%40nxp.com%7C4674787be3d04be8d99808d7ab05bdce%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637165913474221548&sdata=AFW8FiAKFjext42fMiMv63%2F3xMdjmvKnVlgp4R8VeRo%3D&reserved=0) ATTEST_INCLUDE_COSE_KEY_ID and ATTEST_ INCLUDE_TEST_CODE.
Way forward:
* I let the psa-arch test team to update QCBOR. * Fix will be put on master, but currently the tip of the psa-arch master is not aligned with TF-M master. They are supports different PSA API versions. * In TF-M there is a branchhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.trustedfirmware.org%2Ftrusted-firmware-m.git%2Flog%2F%3Fh%3Dfeature-psa-dev-api-update&data=02%7C01%7Candrey.butok%40nxp.com%7C4674787be3d04be8d99808d7ab05bdce%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637165913474231540&sdata=vuk9Lw2GfzcUi4uBlfSzdGdaCVQpXh1t4yRw%2ByazmbY%3D&reserved=0 where the PSA API update is happening. This branch is intended to be merged to master in Q1.
Tamas
From: Andrej Butok <andrey.butok@nxp.commailto:andrey.butok@nxp.com> Sent: 05 February 2020 14:21 To: Tamas Ban <Tamas.Ban@arm.commailto:Tamas.Ban@arm.com> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: RE: PSA Test Suite - Attestation test
Hi Tamas
Could you tell what was the values of these compile time switches in your test?
For the previous TFM, we have used INCLUDE_TEST_CODE_AND_KEY_ID. For the current TFM it was renamed to INCLUDE_TEST_CODE. Other parameters are new, so I have tried different combinations of these parameters, but the PSA Test-Suite Attestation is still failed.
Further do you implemented the boot data sharing between bootloader and runtime firmware?
It's used the TFM template code without change from tfm\platform\ext\common\template
Do you sign SPE and NPSE images together or they are signed separately?
We do not use the secondary bootloader so far, so image is not signed.
As the Attestation Regression tests are passed. It's good to know what combination of parameters have to be used to generate the same token as it was generated by the older TFM and accepted by the PSA Test Suite (last commit on master branch). Or the PSA Test Suite is obsolete.
Thank you, Andrej
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Tamas Ban via TF-M Sent: Wednesday, February 5, 2020 1:13 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] PSA Test Suite - Attestation test
Hi Andrej,
Could you tell what was the values of these compile time switches in your test? I assume you did the test on NXP board. Further do you implemented the boot data sharing between bootloader and runtime firmware? Do you sign SPE and NPSE images together or they are signed separately?
Tamas
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Andrej Butok via TF-M Sent: 04 February 2020 17:33 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [TF-M] PSA Test Suite - Attestation test
Hello,
After upgrade to the latest version of TFM, the Attestation test from the PSA Test Suite is failed (but the TFM Attestation regression tests are passed).
What combination of configuration parameters must be used (INCLUDE_OPTIONAL_CLAIMS, INCLUDE_TEST_CODE, INCLUDE_COSE_KEY_ID, BOOT_DATA_AVAILABLE) to follow PSA Test Suite expectations? What commit of the PSA Test-suite must be used for the latest TFM? We are still on the 2019-07-25 (c80681ed7c7f3e2cbf02ded1ef2464ba2ca7ccd5) commit, which was OK with 2-month old TFM. Is the PSA Test Suite Attestation test valid for the latest TFM?
Thank you, Andrej Butok
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi Andrej,
Attestation alignment issues between psa-arch-test(tag: v20.03_API1.0) and tf-m(tip of master) are resolved.
Tamas
From: Tamas Ban Sent: 10 February 2020 15:07 To: tf-m@lists.trustedfirmware.org Cc: Andrej Butok andrey.butok@nxp.com; Gowtham Siddarth Gowtham.Siddarth@arm.com Subject: RE: PSA Test Suite - Attestation test
Hi Andrej,
The QCBOR update in psa-arch-test repo is still ongoing, the issue has not resolved yet. You can track the status here: https://github.com/ARM-software/psa-arch-tests/issues/143
Tamas
From: Andrej Butok <andrey.butok@nxp.commailto:andrey.butok@nxp.com> Sent: 10 February 2020 10:04 To: Tamas Ban <Tamas.Ban@arm.commailto:Tamas.Ban@arm.com> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: RE: PSA Test Suite - Attestation test
Hi Tamas,
I have noticed today, that the PSA test suite has done several merges to its master branch. Based the PSA test-suit readme, it has switched to newer versions of the PSA API. Should we try to update or better to wait for a right signal from the TFM team?
Thanks, Andrej
From: Tamas Ban <Tamas.Ban@arm.commailto:Tamas.Ban@arm.com> Sent: Thursday, February 6, 2020 2:09 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: Andrej Butok <andrey.butok@nxp.commailto:andrey.butok@nxp.com> Subject: RE: PSA Test Suite - Attestation test
Hi Andrej,
The v19.08_TBSA0.9 version of psa-arch test suite is aligned with current TF-M master.
I have executed the test suite and found that unfortunately the attestation test suite is currently broken:
* It was introduced by the QCBOR library update in https://review.trustedfirmware.org/c/trusted-firmware-m/+/2679/6https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.trustedfirmware.org%2Fc%2Ftrusted-firmware-m%2F%2B%2F2679%2F6&data=02%7C01%7Candrey.butok%40nxp.com%7C4674787be3d04be8d99808d7ab05bdce%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637165913474221548&sdata=w3orsjYZEEjwLS7fCjJi8ZuljXxkT5qJSnCO1a%2F0acw%3D&reserved=0 * Currently there is a misalignment between psa-arch and tf-m in terms of QCBOR version. psa-arch still relies on older version of QCBOR. * The version mismatch lead some parsing error in CBOR that is the reason why the test suite is failing. * Other issue is that v19.08_TBSA0.9 version of psa-arch mandates the key-id in unprotected COSE header, however that field is optional according to the standard. In TF-M the inclusion of key-id was bind to ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID, which was split to two compile time switch (https://review.trustedfirmware.org/c/trusted-firmware-m/+/3147https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.trustedfirmware.org%2Fc%2Ftrusted-firmware-m%2F%2B%2F3147&data=02%7C01%7Candrey.butok%40nxp.com%7C4674787be3d04be8d99808d7ab05bdce%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637165913474221548&sdata=AFW8FiAKFjext42fMiMv63%2F3xMdjmvKnVlgp4R8VeRo%3D&reserved=0) ATTEST_INCLUDE_COSE_KEY_ID and ATTEST_ INCLUDE_TEST_CODE.
Way forward:
* I let the psa-arch test team to update QCBOR. * Fix will be put on master, but currently the tip of the psa-arch master is not aligned with TF-M master. They are supports different PSA API versions. * In TF-M there is a branchhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.trustedfirmware.org%2Ftrusted-firmware-m.git%2Flog%2F%3Fh%3Dfeature-psa-dev-api-update&data=02%7C01%7Candrey.butok%40nxp.com%7C4674787be3d04be8d99808d7ab05bdce%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637165913474231540&sdata=vuk9Lw2GfzcUi4uBlfSzdGdaCVQpXh1t4yRw%2ByazmbY%3D&reserved=0 where the PSA API update is happening. This branch is intended to be merged to master in Q1.
Tamas
From: Andrej Butok <andrey.butok@nxp.commailto:andrey.butok@nxp.com> Sent: 05 February 2020 14:21 To: Tamas Ban <Tamas.Ban@arm.commailto:Tamas.Ban@arm.com> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: RE: PSA Test Suite - Attestation test
Hi Tamas
Could you tell what was the values of these compile time switches in your test?
For the previous TFM, we have used INCLUDE_TEST_CODE_AND_KEY_ID. For the current TFM it was renamed to INCLUDE_TEST_CODE. Other parameters are new, so I have tried different combinations of these parameters, but the PSA Test-Suite Attestation is still failed.
Further do you implemented the boot data sharing between bootloader and runtime firmware?
It's used the TFM template code without change from tfm\platform\ext\common\template
Do you sign SPE and NPSE images together or they are signed separately?
We do not use the secondary bootloader so far, so image is not signed.
As the Attestation Regression tests are passed. It's good to know what combination of parameters have to be used to generate the same token as it was generated by the older TFM and accepted by the PSA Test Suite (last commit on master branch). Or the PSA Test Suite is obsolete.
Thank you, Andrej
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Tamas Ban via TF-M Sent: Wednesday, February 5, 2020 1:13 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] PSA Test Suite - Attestation test
Hi Andrej,
Could you tell what was the values of these compile time switches in your test? I assume you did the test on NXP board. Further do you implemented the boot data sharing between bootloader and runtime firmware? Do you sign SPE and NPSE images together or they are signed separately?
Tamas
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Andrej Butok via TF-M Sent: 04 February 2020 17:33 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [TF-M] PSA Test Suite - Attestation test
Hello,
After upgrade to the latest version of TFM, the Attestation test from the PSA Test Suite is failed (but the TFM Attestation regression tests are passed).
What combination of configuration parameters must be used (INCLUDE_OPTIONAL_CLAIMS, INCLUDE_TEST_CODE, INCLUDE_COSE_KEY_ID, BOOT_DATA_AVAILABLE) to follow PSA Test Suite expectations? What commit of the PSA Test-suite must be used for the latest TFM? We are still on the 2019-07-25 (c80681ed7c7f3e2cbf02ded1ef2464ba2ca7ccd5) commit, which was OK with 2-month old TFM. Is the PSA Test Suite Attestation test valid for the latest TFM?
Thank you, Andrej Butok
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi Tamas,
Yes it's solved. So, the TFM weakest place now is the failed PSA crypto tests .
Thank you, Andrej
From: Tamas Ban Tamas.Ban@arm.com Sent: Thursday, March 12, 2020 11:07 AM To: tf-m@lists.trustedfirmware.org Cc: Andrej Butok andrey.butok@nxp.com Subject: RE: PSA Test Suite - Attestation test
Hi Andrej,
Attestation alignment issues between psa-arch-test(tag: v20.03_API1.0) and tf-m(tip of master) are resolved.
Tamas
From: Tamas Ban Sent: 10 February 2020 15:07 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: Andrej Butok <andrey.butok@nxp.commailto:andrey.butok@nxp.com>; Gowtham Siddarth <Gowtham.Siddarth@arm.commailto:Gowtham.Siddarth@arm.com> Subject: RE: PSA Test Suite - Attestation test
Hi Andrej,
The QCBOR update in psa-arch-test repo is still ongoing, the issue has not resolved yet. You can track the status here: https://github.com/ARM-software/psa-arch-tests/issues/143https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FARM-software%2Fpsa-arch-tests%2Fissues%2F143&data=02%7C01%7Candrey.butok%40nxp.com%7C55682eacd24445b7cb3e08d7c66d19d4%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637196044200762305&sdata=M5a5S9g5ZFvIWvtGEK%2FEFf7457Y70VJ60CLGLb7mNhI%3D&reserved=0
Tamas
From: Andrej Butok <andrey.butok@nxp.commailto:andrey.butok@nxp.com> Sent: 10 February 2020 10:04 To: Tamas Ban <Tamas.Ban@arm.commailto:Tamas.Ban@arm.com> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: RE: PSA Test Suite - Attestation test
Hi Tamas,
I have noticed today, that the PSA test suite has done several merges to its master branch. Based the PSA test-suit readme, it has switched to newer versions of the PSA API. Should we try to update or better to wait for a right signal from the TFM team?
Thanks, Andrej
From: Tamas Ban <Tamas.Ban@arm.commailto:Tamas.Ban@arm.com> Sent: Thursday, February 6, 2020 2:09 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: Andrej Butok <andrey.butok@nxp.commailto:andrey.butok@nxp.com> Subject: RE: PSA Test Suite - Attestation test
Hi Andrej,
The v19.08_TBSA0.9 version of psa-arch test suite is aligned with current TF-M master.
I have executed the test suite and found that unfortunately the attestation test suite is currently broken:
* It was introduced by the QCBOR library update in https://review.trustedfirmware.org/c/trusted-firmware-m/+/2679/6https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.trustedfirmware.org%2Fc%2Ftrusted-firmware-m%2F%2B%2F2679%2F6&data=02%7C01%7Candrey.butok%40nxp.com%7C55682eacd24445b7cb3e08d7c66d19d4%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637196044200762305&sdata=%2FIJ6DfZCm%2FCRt4xmpZP%2FEI1xYEHY0jZjbFdO0UMr6e4%3D&reserved=0 * Currently there is a misalignment between psa-arch and tf-m in terms of QCBOR version. psa-arch still relies on older version of QCBOR. * The version mismatch lead some parsing error in CBOR that is the reason why the test suite is failing. * Other issue is that v19.08_TBSA0.9 version of psa-arch mandates the key-id in unprotected COSE header, however that field is optional according to the standard. In TF-M the inclusion of key-id was bind to ATTEST_INCLUDE_TEST_CODE_AND_KEY_ID, which was split to two compile time switch (https://review.trustedfirmware.org/c/trusted-firmware-m/+/3147https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.trustedfirmware.org%2Fc%2Ftrusted-firmware-m%2F%2B%2F3147&data=02%7C01%7Candrey.butok%40nxp.com%7C55682eacd24445b7cb3e08d7c66d19d4%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637196044200772296&sdata=rkGL1YUChARi008Za1n2PgITfukzg2fJhiSVviiAtig%3D&reserved=0) ATTEST_INCLUDE_COSE_KEY_ID and ATTEST_ INCLUDE_TEST_CODE.
Way forward:
* I let the psa-arch test team to update QCBOR. * Fix will be put on master, but currently the tip of the psa-arch master is not aligned with TF-M master. They are supports different PSA API versions. * In TF-M there is a branchhttps://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.trustedfirmware.org%2Ftrusted-firmware-m.git%2Flog%2F%3Fh%3Dfeature-psa-dev-api-update&data=02%7C01%7Candrey.butok%40nxp.com%7C55682eacd24445b7cb3e08d7c66d19d4%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637196044200772296&sdata=3XQAJ3h1BIx%2FCiV5o%2BTsyu8Q%2F9yyNd1Q8HaNlgCPTZM%3D&reserved=0 where the PSA API update is happening. This branch is intended to be merged to master in Q1.
Tamas
From: Andrej Butok <andrey.butok@nxp.commailto:andrey.butok@nxp.com> Sent: 05 February 2020 14:21 To: Tamas Ban <Tamas.Ban@arm.commailto:Tamas.Ban@arm.com> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: RE: PSA Test Suite - Attestation test
Hi Tamas
Could you tell what was the values of these compile time switches in your test?
For the previous TFM, we have used INCLUDE_TEST_CODE_AND_KEY_ID. For the current TFM it was renamed to INCLUDE_TEST_CODE. Other parameters are new, so I have tried different combinations of these parameters, but the PSA Test-Suite Attestation is still failed.
Further do you implemented the boot data sharing between bootloader and runtime firmware?
It's used the TFM template code without change from tfm\platform\ext\common\template
Do you sign SPE and NPSE images together or they are signed separately?
We do not use the secondary bootloader so far, so image is not signed.
As the Attestation Regression tests are passed. It's good to know what combination of parameters have to be used to generate the same token as it was generated by the older TFM and accepted by the PSA Test Suite (last commit on master branch). Or the PSA Test Suite is obsolete.
Thank you, Andrej
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Tamas Ban via TF-M Sent: Wednesday, February 5, 2020 1:13 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] PSA Test Suite - Attestation test
Hi Andrej,
Could you tell what was the values of these compile time switches in your test? I assume you did the test on NXP board. Further do you implemented the boot data sharing between bootloader and runtime firmware? Do you sign SPE and NPSE images together or they are signed separately?
Tamas
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Andrej Butok via TF-M Sent: 04 February 2020 17:33 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [TF-M] PSA Test Suite - Attestation test
Hello,
After upgrade to the latest version of TFM, the Attestation test from the PSA Test Suite is failed (but the TFM Attestation regression tests are passed).
What combination of configuration parameters must be used (INCLUDE_OPTIONAL_CLAIMS, INCLUDE_TEST_CODE, INCLUDE_COSE_KEY_ID, BOOT_DATA_AVAILABLE) to follow PSA Test Suite expectations? What commit of the PSA Test-suite must be used for the latest TFM? We are still on the 2019-07-25 (c80681ed7c7f3e2cbf02ded1ef2464ba2ca7ccd5) commit, which was OK with 2-month old TFM. Is the PSA Test Suite Attestation test valid for the latest TFM?
Thank you, Andrej Butok
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
tf-m@lists.trustedfirmware.org