Hi I am trying to use iatverifier tool from tf-m-tools repo to verify token and it seems like the values for Security Lificycle in the tool are wrong, because: this spec https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-21.html defines them as psa-lifecycle-unknown-type = 0x0000..0x00ff psa-lifecycle-assembly-and-test-type = 0x1000..0x10ff psa-lifecycle-psa-rot-provisioning-type = 0x2000..0x20ff psa-lifecycle-secured-type = 0x3000..0x30ff psa-lifecycle-non-psa-rot-debug-type = 0x4000..0x40ff psa-lifecycle-recoverable-psa-rot-debug-type = 0x5000..0x50ff psa-lifecycle-decommissioned-type = 0x6000..0x60ff
Which is consistent with values of tfm_security_lifecycle_t enum in TFM enum tfm_security_lifecycle_t { TFM_SLC_UNKNOWN = 0x0000u, TFM_SLC_ASSEMBLY_AND_TEST = 0x1000u, TFM_SLC_PSA_ROT_PROVISIONING = 0x2000u, TFM_SLC_SECURED = 0x3000u, TFM_SLC_NON_PSA_ROT_DEBUG = 0x4000u, TFM_SLC_RECOVERABLE_PSA_ROT_DEBUG = 0x5000u, TFM_SLC_DECOMMISSIONED = 0x6000u, TFM_SLC_MAX_VALUE = UINT32_MAX, };
But in the tf-m-tools/iat-verifier/iatverifier/psa_iot_profile1_token_claims.py these values are defined differently # Security Lifecycle claims SL_UNKNOWN = 0x1000 SL_PSA_ROT_PROVISIONING = 0x2000 SL_SECURED = 0x3000 SL_NON_PSA_ROT_DEBUG = 0x4000 SL_RECOVERABLE_PSA_ROT_DEBUG = 0x5000 SL_PSA_LIFECYCLE_DECOMMISSIONED = 0x6000
Thus I am getting SL_UNKNOWN instead of TFM_SLC_ASSEMBLY_AND_TEST
Is this a known issue? Can this be fixed?
Regards, Bohdan Hunko
Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko@infineon.commailto:Bohdan.Hunko@infineon.com
Hi Bohdan,
Thanks for reporting it looks like the iat-verifier tool is out-of-date in this regard.
I have checked and SLC values in iat-verifier are aligned with a very early version of the spec: https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-01
I will create a patch.
BR, Tamas
From: Bohdan.Hunko--- via TF-M tf-m@lists.trustedfirmware.org Sent: Tuesday, April 30, 2024 12:02 PM To: tf-m@lists.trustedfirmware.org Subject: [TF-M] Wrong Life Cycle values in iatverifier
Hi I am trying to use iatverifier tool from tf-m-tools repo to verify token and it seems like the values for Security Lificycle in the tool are wrong, because: this spec https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-21.html defines them as psa-lifecycle-unknown-type = 0x0000..0x00ff psa-lifecycle-assembly-and-test-type = 0x1000..0x10ff psa-lifecycle-psa-rot-provisioning-type = 0x2000..0x20ff psa-lifecycle-secured-type = 0x3000..0x30ff psa-lifecycle-non-psa-rot-debug-type = 0x4000..0x40ff psa-lifecycle-recoverable-psa-rot-debug-type = 0x5000..0x50ff psa-lifecycle-decommissioned-type = 0x6000..0x60ff
Which is consistent with values of tfm_security_lifecycle_t enum in TFM enum tfm_security_lifecycle_t { TFM_SLC_UNKNOWN = 0x0000u, TFM_SLC_ASSEMBLY_AND_TEST = 0x1000u, TFM_SLC_PSA_ROT_PROVISIONING = 0x2000u, TFM_SLC_SECURED = 0x3000u, TFM_SLC_NON_PSA_ROT_DEBUG = 0x4000u, TFM_SLC_RECOVERABLE_PSA_ROT_DEBUG = 0x5000u, TFM_SLC_DECOMMISSIONED = 0x6000u, TFM_SLC_MAX_VALUE = UINT32_MAX, };
But in the tf-m-tools/iat-verifier/iatverifier/psa_iot_profile1_token_claims.py these values are defined differently # Security Lifecycle claims SL_UNKNOWN = 0x1000 SL_PSA_ROT_PROVISIONING = 0x2000 SL_SECURED = 0x3000 SL_NON_PSA_ROT_DEBUG = 0x4000 SL_RECOVERABLE_PSA_ROT_DEBUG = 0x5000 SL_PSA_LIFECYCLE_DECOMMISSIONED = 0x6000
Thus I am getting SL_UNKNOWN instead of TFM_SLC_ASSEMBLY_AND_TEST
Is this a known issue? Can this be fixed?
Regards, Bohdan Hunko
Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko@infineon.commailto:Bohdan.Hunko@infineon.com
Hi Bohdan,
I created a patch that updates the lifecycle state values in the tool according to the IETF draft. https://review.trustedfirmware.org/c/TF-M/tf-m-tools/+/28713
Could you please give it a try?
Thanks, Mate ________________________________ From: Tamas Ban via TF-M tf-m@lists.trustedfirmware.org Sent: 30 April 2024 15:35 To: Bohdan.Hunko@infineon.com Bohdan.Hunko@infineon.com; tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Subject: [TF-M] Re: Wrong Life Cycle values in iatverifier
Hi Bohdan,
Thanks for reporting it looks like the iat-verifier tool is out-of-date in this regard.
I have checked and SLC values in iat-verifier are aligned with a very early version of the spec: https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-01
I will create a patch.
BR,
Tamas
From: Bohdan.Hunko--- via TF-M tf-m@lists.trustedfirmware.org Sent: Tuesday, April 30, 2024 12:02 PM To: tf-m@lists.trustedfirmware.org Subject: [TF-M] Wrong Life Cycle values in iatverifier
Hi
I am trying to use iatverifier tool from tf-m-tools repo to verify token and it seems like the values for Security Lificycle in the tool are wrong, because:
this spec https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-21.html defines them as
psa-lifecycle-unknown-type = 0x0000..0x00ff
psa-lifecycle-assembly-and-test-type = 0x1000..0x10ff
psa-lifecycle-psa-rot-provisioning-type = 0x2000..0x20ff
psa-lifecycle-secured-type = 0x3000..0x30ff
psa-lifecycle-non-psa-rot-debug-type = 0x4000..0x40ff
psa-lifecycle-recoverable-psa-rot-debug-type = 0x5000..0x50ff
psa-lifecycle-decommissioned-type = 0x6000..0x60ff
Which is consistent with values of tfm_security_lifecycle_t enum in TFM
enum tfm_security_lifecycle_t {
TFM_SLC_UNKNOWN = 0x0000u,
TFM_SLC_ASSEMBLY_AND_TEST = 0x1000u,
TFM_SLC_PSA_ROT_PROVISIONING = 0x2000u,
TFM_SLC_SECURED = 0x3000u,
TFM_SLC_NON_PSA_ROT_DEBUG = 0x4000u,
TFM_SLC_RECOVERABLE_PSA_ROT_DEBUG = 0x5000u,
TFM_SLC_DECOMMISSIONED = 0x6000u,
TFM_SLC_MAX_VALUE = UINT32_MAX,
};
But in the tf-m-tools/iat-verifier/iatverifier/psa_iot_profile1_token_claims.py these values are defined differently
# Security Lifecycle claims
SL_UNKNOWN = 0x1000
SL_PSA_ROT_PROVISIONING = 0x2000
SL_SECURED = 0x3000
SL_NON_PSA_ROT_DEBUG = 0x4000
SL_RECOVERABLE_PSA_ROT_DEBUG = 0x5000
SL_PSA_LIFECYCLE_DECOMMISSIONED = 0x6000
Thus I am getting SL_UNKNOWN instead of TFM_SLC_ASSEMBLY_AND_TEST
Is this a known issue? Can this be fixed?
Regards,
Bohdan Hunko
Cypress Semiconductor Ukraine
Engineer
CSUKR CSS ICW SW FW
Mobile: +38099 50 19 714 Bohdan.Hunko@infineon.commailto:Bohdan.Hunko@infineon.com
Hi,
Looks good to me. Works as expected.
Thanks
Regards, Bohdan Hunko
Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko@infineon.commailto:Bohdan.Hunko@infineon.com
From: Mate Toth-Pal Mate.Toth-Pal@arm.com Sent: Friday, May 3, 2024 10:51 To: Hunko Bohdan (CSS ICW SW FW 3) Bohdan.Hunko@infineon.com; tf-m@lists.trustedfirmware.org; Tamas Ban Tamas.Ban@arm.com Cc: nd nd@arm.com Subject: Re: Wrong Life Cycle values in iatverifier
Caution: This e-mail originated outside Infineon Technologies. Do not click on links or open attachments unless you validate it is safehttps://intranet-content.infineon.com/explore/aboutinfineon/rules/informationsecurity/ug/SocialEngineering/Pages/SocialEngineeringElements_en.aspx.
Hi Bohdan,
I created a patch that updates the lifecycle state values in the tool according to the IETF draft. https://review.trustedfirmware.org/c/TF-M/tf-m-tools/+/28713
Could you please give it a try?
Thanks, Mate ________________________________ From: Tamas Ban via TF-M <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Sent: 30 April 2024 15:35 To: Bohdan.Hunko@infineon.commailto:Bohdan.Hunko@infineon.com <Bohdan.Hunko@infineon.commailto:Bohdan.Hunko@infineon.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Subject: [TF-M] Re: Wrong Life Cycle values in iatverifier
Hi Bohdan,
Thanks for reporting it looks like the iat-verifier tool is out-of-date in this regard.
I have checked and SLC values in iat-verifier are aligned with a very early version of the spec: https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-01
I will create a patch.
BR,
Tamas
From: Bohdan.Hunko--- via TF-M <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Sent: Tuesday, April 30, 2024 12:02 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [TF-M] Wrong Life Cycle values in iatverifier
Hi
I am trying to use iatverifier tool from tf-m-tools repo to verify token and it seems like the values for Security Lificycle in the tool are wrong, because:
this spec https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-21.html defines them as
psa-lifecycle-unknown-type = 0x0000..0x00ff
psa-lifecycle-assembly-and-test-type = 0x1000..0x10ff
psa-lifecycle-psa-rot-provisioning-type = 0x2000..0x20ff
psa-lifecycle-secured-type = 0x3000..0x30ff
psa-lifecycle-non-psa-rot-debug-type = 0x4000..0x40ff
psa-lifecycle-recoverable-psa-rot-debug-type = 0x5000..0x50ff
psa-lifecycle-decommissioned-type = 0x6000..0x60ff
Which is consistent with values of tfm_security_lifecycle_t enum in TFM
enum tfm_security_lifecycle_t {
TFM_SLC_UNKNOWN = 0x0000u,
TFM_SLC_ASSEMBLY_AND_TEST = 0x1000u,
TFM_SLC_PSA_ROT_PROVISIONING = 0x2000u,
TFM_SLC_SECURED = 0x3000u,
TFM_SLC_NON_PSA_ROT_DEBUG = 0x4000u,
TFM_SLC_RECOVERABLE_PSA_ROT_DEBUG = 0x5000u,
TFM_SLC_DECOMMISSIONED = 0x6000u,
TFM_SLC_MAX_VALUE = UINT32_MAX,
};
But in the tf-m-tools/iat-verifier/iatverifier/psa_iot_profile1_token_claims.py these values are defined differently
# Security Lifecycle claims
SL_UNKNOWN = 0x1000
SL_PSA_ROT_PROVISIONING = 0x2000
SL_SECURED = 0x3000
SL_NON_PSA_ROT_DEBUG = 0x4000
SL_RECOVERABLE_PSA_ROT_DEBUG = 0x5000
SL_PSA_LIFECYCLE_DECOMMISSIONED = 0x6000
Thus I am getting SL_UNKNOWN instead of TFM_SLC_ASSEMBLY_AND_TEST
Is this a known issue? Can this be fixed?
Regards,
Bohdan Hunko
Cypress Semiconductor Ukraine
Engineer
CSUKR CSS ICW SW FW
Mobile: +38099 50 19 714 Bohdan.Hunko@infineon.commailto:Bohdan.Hunko@infineon.com
tf-m@lists.trustedfirmware.org