From: "Sami Mujawar"
Subject: [edk2-devel] [PATCH v2 06/45] ArmVirtPkg: ArmCcaRsiLib: Add an interface to get an attestation token
Date: Fri, 12 Apr 2024 15:32:43 +0100
Message-ID: <20240412143322.5244-7-sami.mujawar@arm.com>
In-Reply-To: <20240412143322.5244-1-sami.mujawar@arm.com>
References: <20240412143322.5244-1-sami.mujawar@arm.com>

A CCA attestation token is a collection of claims about the state of a
Realm and of the CCA platform on which the Realm is running.

A CCA attestation token consists of two parts:
  * Realm token - Contains attributes of the Realm, including:
     # Realm Initial Measurement
     # Realm Extensible Measurements
  * CCA platform token - Contains attributes of the CCA platform
    on which the Realm is running, including:
     # CCA platform identity
     # CCA platform life cycle state
     # CCA platform software component measurements

The CCA attestation token is used by a verification service to validate
these claims.

The Realm Service Interface defines the following interfaces to
retrieve an attestation token from the Realm Management Monitor (RMM).
  - RSI_ATTESTATION_TOKEN_INIT
  - RSI_ATTESTATION_TOKEN_CONTINUE

Therefore, update the ArmCcaRsiLib to add an interface to get an
attestation token from the RMM.

Cc: Ard Biesheuvel
Cc: Leif Lindholm
Cc: Gerd Hoffmann
Signed-off-by: Sami Mujawar
--- ArmVirtPkg/Include/Library/ArmCcaRsiLib.h | 44 ++++- ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsi.h | 10 +- ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsiLib.c | 195 +++++++++++++++++++- 3 files changed, 243 insertions(+), 6 deletions(-) diff --git a/ArmVirtPkg/Include/Library/ArmCcaRsiLib.h b/ArmVirtPkg/Include/Library/ArmCcaRsiLib.h index 0c7f1afc78252b286a20dd8a7a81d538cf76ea8f..f88b07ee9806a51dd10add3a82bf5ce1115c0656 100644 --- a/ArmVirtPkg/Include/Library/ArmCcaRsiLib.h +++ b/ArmVirtPkg/Include/Library/ArmCcaRsiLib.h 
@@ -31,6 +31,19 @@ */ #define RIPAS_TYPE_MASK 0xFF +/* Maximum attestation token size + RBXKKY The size of an attestation token is no larger than 4KB. +*/ +#define MAX_ATTESTATION_TOKEN_SIZE SIZE_4KB + +/* Maximum challenge data size in bits. +*/ +#define MAX_CHALLENGE_DATA_SIZE_BITS 512 + +/* Minimum recommended challenge data size in bits. +*/ +#define MIN_CHALLENGE_DATA_SIZE_BITS 256 + /** An enum describing the RSI RIPAS. See Section A5.2.2 Realm IPA state, RMM Specification, version A-bet0 */ @@ -51,6 +64,35 @@ typedef struct RealmConfig { UINT8 Reserved[SIZE_4KB - sizeof (UINT64)]; } REALM_CONFIG; +/** + Retrieve an attestation token from the RMM. + + @param [in] ChallengeData Pointer to the challenge data to be + included in the attestation token. + @param [in] ChallengeDataSizeBits Size of the challenge data in bits. + @param [out] TokenBuffer Pointer to a buffer to store the + retrieved attestation token. + @param [in, out] TokenBufferSize Size of the token buffer on input and + number of bytes stored in token buffer + on return. + + @retval RETURN_SUCCESS Success. + @retval RETURN_INVALID_PARAMETER A parameter is invalid. + @retval RETURN_ABORTED The operation was aborted as the state + of the Realm or REC does not match the + state expected by the command. + @retval RETURN_NOT_READY The operation requested by the command + is not complete. +**/ +RETURN_STATUS +EFIAPI +RsiGetAttestationToken ( + IN CONST UINT8 *CONST ChallengeData, + IN UINT64 ChallengeDataSizeBits, + OUT UINT8 *CONST TokenBuffer, + IN OUT UINT64 *CONST TokenBufferSize + ); + /** Returns the IPA state for the page pointed by the address. @@ -111,7 +153,7 @@ RsiGetRealmConfig ( @retval RETURN_SUCCESS Success. @retval RETURN_INVALID_PARAMETER A parameter is invalid. - */ +**/ RETURN_STATUS EFIAPI RsiGetVersion ( 
diff --git a/ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsi.h b/ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsi.h index 9cc12bc5a70b457367077d0b26011c3b91fa63c9..325234d06695befc840dcf37e951130dfe0550c3 100644 --- a/ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsi.h +++ b/ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsi.h @@ -18,10 +18,12 @@ #define ARM_CCA_RSI_H_ // FIDs for Realm Service Interface calls. -#define FID_RSI_IPA_STATE_GET 0xC4000198 -#define FID_RSI_IPA_STATE_SET 0xC4000197 -#define FID_RSI_REALM_CONFIG 0xC4000196 -#define FID_RSI_VERSION 0xC4000190 +#define FID_RSI_ATTESTATION_TOKEN_CONTINUE 0xC4000195 +#define FID_RSI_ATTESTATION_TOKEN_INIT 0xC4000194 +#define FID_RSI_IPA_STATE_GET 0xC4000198 +#define FID_RSI_IPA_STATE_SET 0xC4000197 +#define FID_RSI_REALM_CONFIG 0xC4000196 +#define FID_RSI_VERSION 0xC4000190 /** RSI Command Return codes See Section B4.4.1, RMM Specification, version A-bet0. diff --git a/ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsiLib.c b/ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsiLib.c index 546df9a94cb86533b37fef7e42fdaf7b8563052d..3cc6be299e0a7bd12e5a91d17eb0b9393f57a907 100644 --- a/ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsiLib.c +++ b/ArmVirtPkg/Library/ArmCcaRsiLib/ArmCcaRsiLib.c 
@@ -82,6 +82,199 @@ AddrIsGranuleAligned ( return TRUE; } +/** + Continue the operation to retrieve an attestation token. + + @param [out] TokenBuffer Pointer to a buffer to store the + retrieved attestation token. + @param [in,out] TokenSize On input size of the token buffer, + and on output size of the token + returned if operation is successful, + otherwise 0. + + @retval RETURN_SUCCESS Success. + @retval RETURN_INVALID_PARAMETER A parameter is invalid. + @retval RETURN_ABORTED The operation was aborted as the state + of the Realm or REC does not match the + state expected by the command. + @retval RETURN_NOT_READY The operation requested by the command + is not complete. + **/ +STATIC +RETURN_STATUS +EFIAPI +RsiAttestationTokenContinue ( + OUT UINT8 *CONST TokenBuffer, + IN OUT UINT64 *CONST TokenSize + ) +{ + RETURN_STATUS Status; + ARM_SMC_ARGS SmcCmd; + + ZeroMem (&SmcCmd, sizeof (SmcCmd)); + SmcCmd.Arg0 = FID_RSI_ATTESTATION_TOKEN_CONTINUE; + // Set the IPA of the Granule to which the token will be written. + SmcCmd.Arg1 = (UINTN)TokenBuffer; + + ArmCallSmc (&SmcCmd); + Status = RsiCmdStatusToEfiStatus (SmcCmd.Arg0); + if (!RETURN_ERROR (Status)) { + // Update the token size + *TokenSize = SmcCmd.Arg1; + } else { + // Clear the TokenBuffer on error. + ZeroMem (TokenBuffer, *TokenSize); + *TokenSize = 0; + } + + return Status; +} + +/** + Initialize the operation to retrieve an attestation token. + + @param [in] ChallengeData Pointer to the challenge data to be + included in the attestation token. + @param [in] ChallengeDataSizeBits Size of the challenge data in bits. + @param [in] TokenBuffer Pointer to a buffer to store the + retrieved attestation token. + + @retval RETURN_SUCCESS Success. + @retval RETURN_INVALID_PARAMETER A parameter is invalid. 
+ **/ +STATIC +RETURN_STATUS +EFIAPI +RsiAttestationTokenInit ( + IN CONST UINT8 *CONST ChallengeData, + IN UINT64 ChallengeDataSizeBits, + IN UINT8 *CONST TokenBuffer + ) +{ + ARM_SMC_ARGS SmcCmd; + UINT8 *Buffer8; + CONST UINT8 *Data8; + UINT64 Count; + UINT8 TailBits; + + /* See A7.2.2 Attestation token generation, RMM Specification, version A-bet0 + IWTKDD - If the size of the challenge provided by the relying party is less + than 64 bytes, it should be zero-padded prior to calling + RSI_ATTESTATION_TOKEN_INIT. + + Therefore, zero out the SmcCmd memory before coping the ChallengeData + bits. + */ + ZeroMem (&SmcCmd, sizeof (SmcCmd)); + SmcCmd.Arg0 = FID_RSI_ATTESTATION_TOKEN_INIT; + // Set the IPA of the Granule to which the token will be written. + SmcCmd.Arg1 = (UINTN)TokenBuffer; + + // Copy challenge data. + Buffer8 = (UINT8 *)&SmcCmd.Arg2; + Data8 = ChallengeData; + + // First copy whole bytes + Count = ChallengeDataSizeBits >> 3; + CopyMem (Buffer8, Data8, Count); + + // Now copy any remaining tail bits. + TailBits = ChallengeDataSizeBits & (8 - 1); + if (TailBits > 0) { + // Advance buffer pointers. + Buffer8 += Count; + Data8 += Count; + + // Copy tail byte. + *Buffer8 = *Data8; + + // Clear unused tail bits. + *Buffer8 &= ~(0xFF << TailBits); + } + + ArmCallSmc (&SmcCmd); + return RsiCmdStatusToEfiStatus (SmcCmd.Arg0); +} + +/** + Retrieve an attestation token from the RMM. + + @param [in] ChallengeData Pointer to the challenge data to be + included in the attestation token. + @param [in] ChallengeDataSizeBits Size of the challenge data in bits. + @param [out] TokenBuffer Pointer to a buffer to store the + retrieved attestation token. + @param [in, out] TokenBufferSize Size of the token buffer on input and + number of bytes stored in token buffer + on return. + + @retval RETURN_SUCCESS Success. + @retval RETURN_INVALID_PARAMETER A parameter is invalid. 
+ @retval RETURN_ABORTED The operation was aborted as the state + of the Realm or REC does not match the + state expected by the command. + @retval RETURN_NOT_READY The operation requested by the command + is not complete. +**/ +RETURN_STATUS +EFIAPI +RsiGetAttestationToken ( + IN CONST UINT8 *CONST ChallengeData, + IN UINT64 ChallengeDataSizeBits, + OUT UINT8 *CONST TokenBuffer, + IN OUT UINT64 *CONST TokenBufferSize + ) +{ + RETURN_STATUS Status; + + if ((TokenBuffer == NULL) || + (TokenBufferSize == NULL) || + (ChallengeData == NULL)) + { + return RETURN_INVALID_PARAMETER; + } + + if (*TokenBufferSize < MAX_ATTESTATION_TOKEN_SIZE) { + *TokenBufferSize = MAX_ATTESTATION_TOKEN_SIZE; + return RETURN_BAD_BUFFER_SIZE; + } + + if (!AddrIsGranuleAligned ((UINT64 *)TokenBuffer)) { + DEBUG ((DEBUG_ERROR, "ERROR : Token buffer not granule aligned\n")); + return RETURN_INVALID_PARAMETER; + } + + if (ChallengeDataSizeBits > MAX_CHALLENGE_DATA_SIZE_BITS) { + return RETURN_INVALID_PARAMETER; + } + + /* See A7.2.2 Attestation token generation, RMM Specification, version A-bet0 + IWTKDD - Arm recommends that the challenge should contain at least 32 bytes + of unique data. + */ + if (ChallengeDataSizeBits < MIN_CHALLENGE_DATA_SIZE_BITS) { + DEBUG ((DEBUG_WARN, "Minimum Challenge data size should be 32 bytes\n")); + } + + Status = RsiAttestationTokenInit ( + ChallengeData, + ChallengeDataSizeBits, + TokenBuffer + ); + if (RETURN_ERROR (Status)) { + ASSERT (0); + return Status; + } + + /* Loop until the token is ready or there is an error. + */ + do { + Status = RsiAttestationTokenContinue (TokenBuffer, TokenBufferSize); + } while (Status == RETURN_NOT_READY); + + return Status; +} + /** Returns the IPA state for the page pointed by the address. 
@@ -213,7 +406,7 @@ RsiGetRealmConfig ( @retval RETURN_SUCCESS Success. @retval RETURN_INVALID_PARAMETER A parameter is invalid. - */ +**/ RETURN_STATUS EFIAPI RsiGetVersion ( -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
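
Review bot: The `RsiGetAttestationToken` header comment added in ArmVirtPkg/Include/Library/ArmCcaRsiLib.h (hunk at -51,6 +64,35) omits `RETURN_BAD_BUFFER_SIZE`, which the implementation returns, after writing `MAX_ATTESTATION_TOKEN_SIZE` back to `*TokenBufferSize`, when the caller's buffer is smaller than 4KB. Please add an `@retval RETURN_BAD_BUFFER_SIZE` line and say in the `TokenBuffer` description that the buffer must be granule aligned and at least `MAX_ATTESTATION_TOKEN_SIZE` bytes, since ArmCcaRsiLib.c rejects anything else. The identical comment above the definition in ArmCcaRsiLib.c needs the same update so the two copies do not drift.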
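
Review bot: In `RsiAttestationTokenContinue` (ArmCcaRsiLib.c, hunk at -82,6 +82,199) the `else` branch also runs for `RETURN_NOT_READY`, because that status is an error-class code and `RETURN_ERROR (Status)` is true for it, so the first incomplete pass of the `do { ... } while (Status == RETURN_NOT_READY)` loop zeroes the buffer and sets `*TokenSize = 0`. From then on the caller's buffer size is lost: a later genuine failure calls `ZeroMem (TokenBuffer, *TokenSize)` with a length of 0, and the caller's `*TokenBufferSize` has been overwritten regardless of outcome. I would handle `RETURN_NOT_READY` before the error branch and leave the buffer and size untouched, keep the original size in a local in `RsiGetAttestationToken` for the clear-on-error path, and on success check that `SmcCmd.Arg1` does not exceed that size before storing it. In `RsiAttestationTokenInit`, the `CopyMem (Buffer8, Data8, Count)` into `&SmcCmd.Arg2` is bounded only by the caller's check against `MAX_CHALLENGE_DATA_SIZE_BITS`, and the layout of `ARM_SMC_ARGS` is not visible in this patch; a `STATIC_ASSERT` that the structure holds at least 64 bytes from `Arg2` onwards would make that dependency explicit. Minor: "coping" in the comment above `ZeroMem (&SmcCmd, sizeof (SmcCmd))` should read "copying".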