From 94134689493a66d71fd4a1876d86b3ec9afd2b07 Mon Sep 17 00:00:00 2001 From: Sree Revoori Date: Fri, 17 Nov 2023 15:14:13 +0000 Subject: [PATCH] Remove tagging from DPE This will be added to caliptra-sw runtime in a separate PR. --- dpe/fuzz/src/fuzz_target_1.rs | 2 - dpe/src/commands/get_tagged_tci.rs | 41 ------ dpe/src/commands/mod.rs | 10 -- dpe/src/commands/tag_tci.rs | 197 ----------------------------- dpe/src/dpe_instance.rs | 2 - dpe/src/response.rs | 17 +-- dpe/src/support.rs | 39 ++---- simulator/src/main.rs | 7 - verification/abi.go | 86 +------------ verification/client.go | 2 - verification/errors.go | 2 - verification/negativeCases.go | 27 +--- verification/simulator.go | 16 +-- verification/tagTCI.go | 57 --------- verification/verification.go | 10 +- 15 files changed, 27 insertions(+), 488 deletions(-) delete mode 100644 dpe/src/commands/get_tagged_tci.rs delete mode 100644 dpe/src/commands/tag_tci.rs delete mode 100644 verification/tagTCI.go diff --git a/dpe/fuzz/src/fuzz_target_1.rs b/dpe/fuzz/src/fuzz_target_1.rs index 7aeb4998..36184dbe 100644 --- a/dpe/fuzz/src/fuzz_target_1.rs +++ b/dpe/fuzz/src/fuzz_target_1.rs @@ -82,8 +82,6 @@ fn harness(data: &[u8]) { Response::Sign(ref res) => res.resp_hdr.status, Response::DestroyCtx(ref resp_hdr) => resp_hdr.status, Response::ExtendTci(ref res) => res.resp_hdr.status, - Response::TagTci(ref res) => res.resp_hdr.status, - Response::GetTaggedTci(ref res) => res.resp_hdr.status, Response::GetCertificateChain(ref res) => res.resp_hdr.status, Response::Error(ref resp_hdr) => resp_hdr.status, }; diff --git a/dpe/src/commands/get_tagged_tci.rs b/dpe/src/commands/get_tagged_tci.rs deleted file mode 100644 index 989293a3..00000000 --- a/dpe/src/commands/get_tagged_tci.rs +++ /dev/null @@ -1,41 +0,0 @@ -// Licensed under the Apache-2.0 license. -use super::CommandExecution; -use crate::{ - dpe_instance::{DpeEnv, DpeInstance, DpeTypes}, - response::{DpeErrorCode, GetTaggedTciResp, Response, ResponseHdr}, -}; - -#[repr(C)] -#[derive(Debug, PartialEq, Eq, zerocopy::FromBytes)] -#[cfg_attr(test, derive(zerocopy::AsBytes))] -pub struct GetTaggedTciCmd { - tag: u32, -} - -impl CommandExecution for GetTaggedTciCmd { - fn execute( - &self, - dpe: &mut DpeInstance, - _env: &mut DpeEnv, - _: u32, - ) -> Result { - // Make sure this command is supported. - if !dpe.support.tagging() { - return Err(DpeErrorCode::InvalidCommand); - } - - // Tags are unique across all contexts, so we just need to return the first context - // we find with the requested tag. - let ctx = dpe - .contexts - .iter() - .find(|c| c.has_tag() && c.tag == self.tag) - .ok_or(DpeErrorCode::BadTag)?; - - Ok(Response::GetTaggedTci(GetTaggedTciResp { - tci_cumulative: ctx.tci.tci_cumulative, - tci_current: ctx.tci.tci_current, - resp_hdr: ResponseHdr::new(DpeErrorCode::NoError), - })) - } -} diff --git a/dpe/src/commands/mod.rs b/dpe/src/commands/mod.rs index f60cbfd7..0823185f 100644 --- a/dpe/src/commands/mod.rs +++ b/dpe/src/commands/mod.rs @@ -12,10 +12,8 @@ pub use self::initialize_context::InitCtxCmd; pub use self::certify_key::{CertifyKeyCmd, CertifyKeyFlags}; use self::extend_tci::ExtendTciCmd; -use self::get_tagged_tci::GetTaggedTciCmd; pub use self::rotate_context::{RotateCtxCmd, RotateCtxFlags}; pub use self::sign::{SignCmd, SignFlags}; -use self::tag_tci::TagTciCmd; use crate::{ dpe_instance::{DpeEnv, DpeInstance, DpeTypes}, @@ -30,11 +28,9 @@ mod derive_child; mod destroy_context; mod extend_tci; mod get_certificate_chain; -mod get_tagged_tci; mod initialize_context; mod rotate_context; mod sign; -mod tag_tci; #[derive(Debug, PartialEq, Eq)] pub enum Command { @@ -46,8 +42,6 @@ pub enum Command { RotateCtx(RotateCtxCmd), DestroyCtx(DestroyCtxCmd), ExtendTci(ExtendTciCmd), - TagTci(TagTciCmd), - GetTaggedTci(GetTaggedTciCmd), GetCertificateChain(GetCertificateChainCmd), } @@ -85,8 +79,6 @@ impl Command { Self::parse_command(Command::GetCertificateChain, bytes) } Command::EXTEND_TCI => Self::parse_command(Command::ExtendTci, bytes), - Command::TAG_TCI => Self::parse_command(Command::TagTci, bytes), - Command::GET_TAGGED_TCI => Self::parse_command(Command::GetTaggedTci, bytes), _ => Err(DpeErrorCode::InvalidCommand), } } @@ -112,8 +104,6 @@ impl From for u32 { Command::RotateCtx(_) => Command::ROTATE_CONTEXT_HANDLE, Command::DestroyCtx(_) => Command::DESTROY_CONTEXT, Command::ExtendTci(_) => Command::EXTEND_TCI, - Command::TagTci(_) => Command::TAG_TCI, - Command::GetTaggedTci(_) => Command::GET_TAGGED_TCI, Command::GetCertificateChain(_) => Command::GET_CERTIFICATE_CHAIN, } } diff --git a/dpe/src/commands/tag_tci.rs b/dpe/src/commands/tag_tci.rs deleted file mode 100644 index a2d90cd3..00000000 --- a/dpe/src/commands/tag_tci.rs +++ /dev/null @@ -1,197 +0,0 @@ -// Licensed under the Apache-2.0 license. -use super::CommandExecution; -use crate::{ - context::ContextHandle, - dpe_instance::{DpeEnv, DpeInstance, DpeTypes}, - response::{DpeErrorCode, NewHandleResp, Response, ResponseHdr}, -}; - -#[repr(C)] -#[derive(Debug, PartialEq, Eq, zerocopy::FromBytes)] -#[cfg_attr(test, derive(zerocopy::AsBytes))] -pub struct TagTciCmd { - handle: ContextHandle, - tag: u32, -} - -impl CommandExecution for TagTciCmd { - fn execute( - &self, - dpe: &mut DpeInstance, - env: &mut DpeEnv, - locality: u32, - ) -> Result { - // Make sure this command is supported. - if !dpe.support.tagging() { - return Err(DpeErrorCode::InvalidCommand); - } - // Make sure the tag isn't used by any other contexts. - if dpe - .contexts - .iter() - .any(|c| c.has_tag() && c.tag == self.tag) - { - return Err(DpeErrorCode::BadTag); - } - - let idx = dpe.get_active_context_pos(&self.handle, locality)?; - - if dpe.contexts[idx].has_tag() { - return Err(DpeErrorCode::BadTag); - } - - // Because handles are one-time use, let's rotate the handle, if it isn't the default. - dpe.roll_onetime_use_handle(env, idx)?; - let context = &mut dpe.contexts[idx]; - context.has_tag = true.into(); - context.tag = self.tag; - - Ok(Response::TagTci(NewHandleResp { - handle: context.handle, - resp_hdr: ResponseHdr::new(DpeErrorCode::NoError), - })) - } -} - -#[cfg(test)] -mod tests { - use super::*; - use crate::{ - commands::{Command, CommandHdr, InitCtxCmd}, - dpe_instance::tests::{ - TestTypes, RANDOM_HANDLE, SIMULATION_HANDLE, TEST_HANDLE, TEST_LOCALITIES, - }, - support::Support, - }; - use crypto::OpensslCrypto; - use platform::default::DefaultPlatform; - use zerocopy::AsBytes; - - const TEST_TAG_TCI_CMD: TagTciCmd = TagTciCmd { - handle: SIMULATION_HANDLE, - tag: 0x1234_5678, - }; - - #[test] - fn test_deserialize_tag_tci() { - let mut command = CommandHdr::new_for_test(Command::TAG_TCI) - .as_bytes() - .to_vec(); - command.extend(TEST_TAG_TCI_CMD.as_bytes()); - assert_eq!( - Ok(Command::TagTci(TEST_TAG_TCI_CMD)), - Command::deserialize(&command) - ); - } - - #[test] - fn test_tag_tci() { - let mut env = DpeEnv:: { - crypto: OpensslCrypto::new(), - platform: DefaultPlatform, - }; - let mut dpe = DpeInstance::new(&mut env, Support::default()).unwrap(); - // Make sure it returns an error if the command is marked unsupported. - assert_eq!( - Err(DpeErrorCode::InvalidCommand), - TagTciCmd { - handle: ContextHandle::default(), - tag: 0, - } - .execute(&mut dpe, &mut env, TEST_LOCALITIES[0]) - ); - - // Make a new instance that supports tagging. - let mut dpe = DpeInstance::new(&mut env, Support::TAGGING | Support::SIMULATION).unwrap(); - InitCtxCmd::new_use_default() - .execute(&mut dpe, &mut env, TEST_LOCALITIES[0]) - .unwrap(); - - // Wrong locality. - assert_eq!( - Err(DpeErrorCode::InvalidLocality), - TagTciCmd { - handle: ContextHandle::default(), - tag: 0, - } - .execute(&mut dpe, &mut env, TEST_LOCALITIES[1]) - ); - - let sim_local = TEST_LOCALITIES[1]; - // Make a simulation context to test against. - InitCtxCmd::new_simulation() - .execute(&mut dpe, &mut env, sim_local) - .unwrap(); - - // Invalid handle. - assert_eq!( - Err(DpeErrorCode::InvalidHandle), - TagTciCmd { - handle: TEST_HANDLE, - tag: 0, - } - .execute(&mut dpe, &mut env, TEST_LOCALITIES[0]) - ); - - // Tag default handle. - assert_eq!( - Ok(Response::TagTci(NewHandleResp { - handle: ContextHandle::default(), - resp_hdr: ResponseHdr::new(DpeErrorCode::NoError), - })), - TagTciCmd { - handle: ContextHandle::default(), - tag: 0, - } - .execute(&mut dpe, &mut env, TEST_LOCALITIES[0]) - ); - - // Try to re-tag the default context. - assert_eq!( - Err(DpeErrorCode::BadTag), - TagTciCmd { - handle: ContextHandle::default(), - tag: 1, - } - .execute(&mut dpe, &mut env, TEST_LOCALITIES[0]) - ); - - // Try same tag on simulation. - assert_eq!( - Err(DpeErrorCode::BadTag), - TagTciCmd { - handle: SIMULATION_HANDLE, - tag: 0, - } - .execute(&mut dpe, &mut env, TEST_LOCALITIES[1]) - ); - - // Give the simulation context another handle so we can prove the handle rotates when it - // gets tagged. - let simulation_ctx = &mut dpe.contexts[dpe - .get_active_context_pos(&RANDOM_HANDLE, sim_local) - .unwrap()]; - let sim_tmp_handle = ContextHandle([0xff; ContextHandle::SIZE]); - simulation_ctx.handle = sim_tmp_handle; - assert!(dpe - .get_active_context_pos(&RANDOM_HANDLE, sim_local) - .is_err()); - - // Tag simulation. - match (TagTciCmd { - handle: sim_tmp_handle, - tag: 1, - } - .execute(&mut dpe, &mut env, TEST_LOCALITIES[1])) - { - Ok(Response::TagTci(NewHandleResp { handle, .. })) => { - // Make sure it rotated back to the deterministic simulation handle. - assert!(dpe - .get_active_context_pos(&sim_tmp_handle, sim_local) - .is_err()); - assert!(dpe.get_active_context_pos(&handle, sim_local).is_ok()); - } - _ => panic!("Tag simulation failed"), - } - } -} diff --git a/dpe/src/dpe_instance.rs b/dpe/src/dpe_instance.rs index 54a9f492..8abe4b48 100644 --- a/dpe/src/dpe_instance.rs +++ b/dpe/src/dpe_instance.rs @@ -114,8 +114,6 @@ impl DpeInstance { Command::RotateCtx(cmd) => cmd.execute(self, env, locality), Command::DestroyCtx(cmd) => cmd.execute(self, env, locality), Command::ExtendTci(cmd) => cmd.execute(self, env, locality), - Command::TagTci(cmd) => cmd.execute(self, env, locality), - Command::GetTaggedTci(cmd) => cmd.execute(self, env, locality), Command::GetCertificateChain(cmd) => cmd.execute(self, env, locality), }; diff --git a/dpe/src/response.rs b/dpe/src/response.rs index b5ffda48..78859127 100644 --- a/dpe/src/response.rs +++ b/dpe/src/response.rs @@ -5,8 +5,8 @@ Abstract: DPE reponses and serialization. --*/ use crate::{ - context::ContextHandle, tci::TciMeasurement, CURRENT_PROFILE_MAJOR_VERSION, - CURRENT_PROFILE_MINOR_VERSION, DPE_PROFILE, MAX_CERT_SIZE, MAX_HANDLES, + context::ContextHandle, CURRENT_PROFILE_MAJOR_VERSION, CURRENT_PROFILE_MINOR_VERSION, + DPE_PROFILE, MAX_CERT_SIZE, MAX_HANDLES, }; use crypto::CryptoError; use platform::PlatformError; @@ -23,8 +23,6 @@ pub enum Response { Sign(SignResp), DestroyCtx(ResponseHdr), ExtendTci(NewHandleResp), - TagTci(NewHandleResp), - GetTaggedTci(GetTaggedTciResp), GetCertificateChain(GetCertificateChainResp), Error(ResponseHdr), } @@ -40,8 +38,6 @@ impl Response { Response::Sign(res) => res.as_bytes(), Response::DestroyCtx(res) => res.as_bytes(), Response::ExtendTci(res) => res.as_bytes(), - Response::TagTci(res) => res.as_bytes(), - Response::GetTaggedTci(res) => res.as_bytes(), Response::GetCertificateChain(res) => res.as_bytes(), Response::Error(res) => res.as_bytes(), } @@ -135,15 +131,6 @@ pub struct SignResp { pub sig_s: [u8; DPE_PROFILE.get_ecc_int_size()], } -#[repr(C)] -#[derive(Debug, zerocopy::AsBytes)] -#[cfg_attr(test, derive(PartialEq, Eq))] -pub struct GetTaggedTciResp { - pub resp_hdr: ResponseHdr, - pub tci_cumulative: TciMeasurement, - pub tci_current: TciMeasurement, -} - #[repr(C)] #[derive(Debug, PartialEq, Eq, zerocopy::AsBytes, zerocopy::FromBytes)] pub struct GetCertificateChainResp { diff --git a/dpe/src/support.rs b/dpe/src/support.rs index 170c142c..5f38ac85 100644 --- a/dpe/src/support.rs +++ b/dpe/src/support.rs @@ -12,14 +12,13 @@ bitflags! { const SIMULATION = 1u32 << 31; const EXTEND_TCI = 1u32 << 30; const AUTO_INIT = 1u32 << 29; - const TAGGING = 1u32 << 28; const ROTATE_CONTEXT = 1u32 << 27; const X509 = 1u32 << 26; const CSR = 1u32 << 25; const IS_SYMMETRIC = 1u32 << 24; - const INTERNAL_INFO = 1u32 << 23; - const INTERNAL_DICE = 1u32 << 22; - const IS_CA = 1u32 << 21; + const INTERNAL_INFO = 1u32 << 22; + const INTERNAL_DICE = 1u32 << 21; + const IS_CA = 1u32 << 20; } } @@ -33,9 +32,6 @@ impl Support { pub fn auto_init(&self) -> bool { self.contains(Support::AUTO_INIT) } - pub fn tagging(&self) -> bool { - self.contains(Support::TAGGING) - } pub fn rotate_context(&self) -> bool { self.contains(Support::ROTATE_CONTEXT) } @@ -67,7 +63,6 @@ pub mod test { pub const SUPPORT: Support = bitflags_join!( Support::SIMULATION, Support::AUTO_INIT, - Support::TAGGING, Support::ROTATE_CONTEXT, Support::X509 ); @@ -83,9 +78,6 @@ pub mod test { // Supports auto-init. let flags = Support::AUTO_INIT.bits(); assert_eq!(flags, 1 << 29); - // Supports tagging. - let flags = Support::TAGGING.bits(); - assert_eq!(flags, 1 << 28); // Supports rotate context. let flags = Support::ROTATE_CONTEXT.bits(); assert_eq!(flags, 1 << 27); @@ -100,13 +92,13 @@ pub mod test { assert_eq!(flags, 1 << 24); // Supports internal info. let flags = Support::INTERNAL_INFO.bits(); - assert_eq!(flags, 1 << 23); + assert_eq!(flags, 1 << 22); // Supports internal DICE. let flags = Support::INTERNAL_DICE.bits(); - assert_eq!(flags, 1 << 22); + assert_eq!(flags, 1 << 21); // Supports is ca. let flags = Support::IS_CA.bits(); - assert_eq!(flags, 1 << 21); + assert_eq!(flags, 1 << 20); // Supports a couple combos. let flags = (Support::SIMULATION | Support::AUTO_INIT @@ -116,18 +108,12 @@ pub mod test { .bits(); assert_eq!( flags, - (1 << 31) | (1 << 29) | (1 << 27) | (1 << 25) | (1 << 22) - ); - let flags = (Support::EXTEND_TCI - | Support::TAGGING - | Support::X509 - | Support::IS_SYMMETRIC - | Support::INTERNAL_INFO) - .bits(); - assert_eq!( - flags, - (1 << 30) | (1 << 28) | (1 << 26) | (1 << 24) | (1 << 23) + (1 << 31) | (1 << 29) | (1 << 27) | (1 << 25) | (1 << 21) ); + let flags = + (Support::EXTEND_TCI | Support::X509 | Support::IS_SYMMETRIC | Support::INTERNAL_INFO) + .bits(); + assert_eq!(flags, (1 << 30) | (1 << 26) | (1 << 24) | (1 << 22)); // Supports everything. let flags = Support::all().bits(); assert_eq!( @@ -135,14 +121,13 @@ pub mod test { (1 << 31) | (1 << 30) | (1 << 29) - | (1 << 28) | (1 << 27) | (1 << 26) | (1 << 25) | (1 << 24) - | (1 << 23) | (1 << 22) | (1 << 21) + | (1 << 20) ); } } diff --git a/simulator/src/main.rs b/simulator/src/main.rs index d788366c..76941501 100644 --- a/simulator/src/main.rs +++ b/simulator/src/main.rs @@ -49,8 +49,6 @@ fn handle_request(dpe: &mut DpeInstance, env: &mut DpeEnv, stream Response::Sign(ref res) => res.resp_hdr.status, Response::DestroyCtx(ref resp_hdr) => resp_hdr.status, Response::ExtendTci(ref res) => res.resp_hdr.status, - Response::TagTci(ref res) => res.resp_hdr.status, - Response::GetTaggedTci(ref res) => res.resp_hdr.status, Response::GetCertificateChain(ref res) => res.resp_hdr.status, Response::Error(ref resp_hdr) => resp_hdr.status, }; @@ -83,10 +81,6 @@ struct Args { #[arg(long)] supports_auto_init: bool, - /// Supports the TagTci and GetTaggedTci commands. - #[arg(long)] - supports_tagging: bool, - /// Supports the RotateContextHandle command. #[arg(long)] supports_rotate_context: bool, @@ -152,7 +146,6 @@ fn main() -> std::io::Result<()> { support.set(Support::INTERNAL_INFO, args.supports_internal_info); support.set(Support::IS_CA, args.supports_is_ca); support.set(Support::IS_SYMMETRIC, args.supports_is_symmetric); - support.set(Support::TAGGING, args.supports_tagging); let mut env = DpeEnv:: { crypto: OpensslCrypto::new(), diff --git a/verification/abi.go b/verification/abi.go index 22b23295..63f76607 100755 --- a/verification/abi.go +++ b/verification/abi.go @@ -23,7 +23,6 @@ type Support struct { Simulation bool ExtendTci bool AutoInit bool - Tagging bool RotateContext bool X509 bool Csr bool @@ -43,8 +42,6 @@ const ( CommandDestroyContext CommandCode = 0xf CommandGetCertificateChain CommandCode = 0x80 CommandExtendTCI CommandCode = 0x81 - CommandTagTCI CommandCode = 0x82 - CommandGetTaggedTCI CommandCode = 0x83 ) type CommandHdr struct { @@ -141,26 +138,6 @@ type GetCertificateChainResp struct { CertificateChain []byte } -type TCITag uint32 - -type TagTCIReq struct { - ContextHandle ContextHandle - Tag TCITag -} - -type TagTCIResp struct { - NewContextHandle ContextHandle -} - -type GetTaggedTCIReq struct { - Tag TCITag -} - -type GetTaggedTCIResp[Digest DigestAlgorithm] struct { - CumulativeTCI Digest - CurrentTCI Digest -} - type RotateContextHandleFlags uint32 const ( @@ -443,30 +420,6 @@ func (c *dpeABI[_, _]) GetCertificateChainABI() (*GetCertificateChainResp, error return &certs, nil } -// TagTCI calls the DPE TagTCI command. -func (c *dpeABI[_, _]) TagTCIABI(cmd *TagTCIReq) (*TagTCIResp, error) { - var respStruct TagTCIResp - - _, err := execCommand(c.transport, CommandTagTCI, c.Profile, cmd, &respStruct) - if err != nil { - return nil, err - } - - return &respStruct, nil -} - -// GetTaggedTCI calls the DPE GetTaggedTCI command. -func (c *dpeABI[_, Digest]) GetTaggedTCIABI(cmd *GetTaggedTCIReq) (*GetTaggedTCIResp[Digest], error) { - var respStruct GetTaggedTCIResp[Digest] - - _, err := execCommand(c.transport, CommandGetTaggedTCI, c.Profile, cmd, &respStruct) - if err != nil { - return nil, err - } - - return &respStruct, nil -} - // DeriveChild calls DPE DeriveChild command. func (c *dpeABI[_, Digest]) DeriveChildABI(cmd *DeriveChildReq[Digest]) (*DeriveChildResp, error) { var respStruct DeriveChildResp @@ -558,36 +511,6 @@ func (c *dpeABI[_, Digest]) CertifyKey(handle *ContextHandle, label []byte, form return key, nil } -func (c *dpeABI[_, _]) TagTCI(handle *ContextHandle, tag TCITag) (*ContextHandle, error) { - cmd := TagTCIReq{ - ContextHandle: *handle, - Tag: tag, - } - - resp, err := c.TagTCIABI(&cmd) - if err != nil { - return nil, err - } - - return &resp.NewContextHandle, nil -} - -func (c *dpeABI[_, _]) GetTaggedTCI(tag TCITag) (*DPETCI, error) { - cmd := GetTaggedTCIReq{ - Tag: tag, - } - - resp, err := c.GetTaggedTCIABI(&cmd) - if err != nil { - return nil, err - } - - return &DPETCI{ - CumulativeTCI: resp.CumulativeTCI.Bytes(), - CurrentTCI: resp.CurrentTCI.Bytes(), - }, nil -} - func (c *dpeABI[_, _]) DestroyContext(handle *ContextHandle, flags DestroyCtxFlags) error { cmd := DestroyCtxCmd{ handle: *handle, @@ -697,9 +620,6 @@ func (s *Support) ToFlags() uint32 { if s.AutoInit { flags |= (1 << 29) } - if s.Tagging { - flags |= (1 << 28) - } if s.RotateContext { flags |= (1 << 27) } @@ -713,13 +633,13 @@ func (s *Support) ToFlags() uint32 { flags |= (1 << 24) } if s.InternalInfo { - flags |= (1 << 23) + flags |= (1 << 22) } if s.InternalDice { - flags |= (1 << 22) + flags |= (1 << 21) } if s.IsCA { - flags |= (1 << 21) + flags |= (1 << 20) } return flags } diff --git a/verification/client.go b/verification/client.go index 23aaf42f..6f6109a1 100755 --- a/verification/client.go +++ b/verification/client.go @@ -44,8 +44,6 @@ type DPEClient interface { GetProfile() (*GetProfileResp, error) CertifyKey(handle *ContextHandle, label []byte, format CertifyKeyFormat, flags CertifyKeyFlags) (*CertifiedKey, error) GetCertificateChain() ([]byte, error) - TagTCI(handle *ContextHandle, tag TCITag) (*ContextHandle, error) - GetTaggedTCI(tag TCITag) (*DPETCI, error) DestroyContext(handle *ContextHandle, flags DestroyCtxFlags) error DeriveChild(handle *ContextHandle, inputData []byte, flags DeriveChildFlags, tciType uint32, targetLocality uint32) (*DeriveChildResp, error) RotateContextHandle(handle *ContextHandle, flags RotateContextHandleFlags) (*ContextHandle, error) diff --git a/verification/errors.go b/verification/errors.go index 4236f790..c94a138a 100644 --- a/verification/errors.go +++ b/verification/errors.go @@ -35,8 +35,6 @@ func (s Status) Error() string { return "contextHandle does not exist" case StatusInvalidLocality: return "Hardware Locality does not exist" - case StatusBadTag: - return "TCI Tag is either in use (TagTci) or not found (GetTaggedTci)" case StatusMaxTCIs: return "maximum number of TCIs have been created" case StatusPlatformError: diff --git a/verification/negativeCases.go b/verification/negativeCases.go index 9f6f9f1f..ac39092c 100644 --- a/verification/negativeCases.go +++ b/verification/negativeCases.go @@ -10,7 +10,7 @@ import ( var InvalidHandle = ContextHandle{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15} // Checks whether error is reported when non-existent handle is passed as input to DPE commands. -// Exceptions are - GetProfile, InitializeContext, GetCertificateChain, GetTaggedTCI commands +// Exceptions are - GetProfile, InitializeContext, GetCertificateChain, commands // which do not need context handle as input parameter. func TestInvalidHandle(d TestDPEInstance, c DPEClient, t *testing.T) { ctx := getInitialContextHandle(d, c, t, true) @@ -63,17 +63,10 @@ func TestInvalidHandle(d TestDPEInstance, c DPEClient, t *testing.T) { } else if !errors.Is(err, StatusInvalidHandle) { t.Errorf("[ERROR]: Incorrect error type. ExtendTCI should return %q, but returned %q", StatusInvalidHandle, err) } - - // Check TagTCI with invalid handle - if _, err := c.TagTCI(&InvalidHandle, 0); err == nil { - t.Errorf("[ERROR]: TagTCI should return %q, but returned no error", StatusInvalidHandle) - } else if !errors.Is(err, StatusInvalidHandle) { - t.Errorf("[ERROR]: Incorrect error type. TagTCI should return %q, but returned %q", StatusInvalidHandle, err) - } } // Checks whether error is reported when caller from one locality issues DPE commands in another locality. -// Exceptions are - GetProfile, InitializeContext, GetCertificateChain, GetTaggedTCI commands +// Exceptions are - GetProfile, InitializeContext, GetCertificateChain, commands // which do not need context handle as input and hence locality is irrelevant. func TestWrongLocality(d TestDPEInstance, c DPEClient, t *testing.T) { // Modify and later restore the locality of DPE instance to test @@ -132,17 +125,10 @@ func TestWrongLocality(d TestDPEInstance, c DPEClient, t *testing.T) { } else if !errors.Is(err, StatusInvalidLocality) { t.Errorf("[ERROR]: Incorrect error type. ExtendTCI should return %q, but returned %q", StatusInvalidLocality, err) } - - // Check TagTCI from wrong locality - if _, err := c.TagTCI(handle, 0); err == nil { - t.Errorf("[ERROR]: TagTCI should return %q, but returned no error", StatusInvalidLocality) - } else if !errors.Is(err, StatusInvalidLocality) { - t.Errorf("[ERROR]: Incorrect error type. TagTCI should return %q, but returned %q", StatusInvalidLocality, err) - } } // Checks whether error is reported while using commands that are turned off in DPE. -// DPE commands - TagTCI, RotateContextHandle, ExtendTCI, require support to be enabled in DPE profile +// DPE commands - RotateContextHandle, ExtendTCI, require support to be enabled in DPE profile // before being called. func TestUnsupportedCommand(d TestDPEInstance, c DPEClient, t *testing.T) { ctx := &DefaultContextHandle @@ -166,13 +152,6 @@ func TestUnsupportedCommand(d TestDPEInstance, c DPEClient, t *testing.T) { } else if !errors.Is(err, StatusInvalidCommand) { t.Errorf("[ERROR]: Incorrect error type. ExtendTCI is not supported by DPE, should return %q, but returned %q", StatusInvalidCommand, err) } - - // Check whether TagTCI is unsupported by DPE profile - if _, err := c.TagTCI(ctx, 0); err == nil { - t.Errorf("[ERROR]: TagTCI is not supported by DPE, should return %q, but returned no error", StatusInvalidCommand) - } else if !errors.Is(err, StatusInvalidCommand) { - t.Errorf("[ERROR]: Incorrect error type. TagTCI is not supported by DPE, should return %q, but returned %q", StatusInvalidCommand, err) - } } // Checks whether error is reported while enabling command flags that are turned off in DPE. diff --git a/verification/simulator.go b/verification/simulator.go index e0b3e8ad..dd7b4adf 100644 --- a/verification/simulator.go +++ b/verification/simulator.go @@ -55,9 +55,6 @@ func (s *DpeSimulator) PowerOn() error { if s.supports.AutoInit { args = append(args, "--supports-auto-init") } - if s.supports.Tagging { - args = append(args, "--supports-tagging") - } if s.supports.RotateContext { args = append(args, "--supports-rotate-context") } @@ -230,7 +227,7 @@ func GetSimulatorTargets() []TestTarget { }, { "DefaultSupport", - getTestTarget([]string{"AutoInit", "Simulation", "X509", "IsCA", "Tagging", "RotateContext", "ExtendTci"}), + getTestTarget([]string{"AutoInit", "Simulation", "X509", "IsCA", "RotateContext", "ExtendTci"}), AllTestCases, }, { @@ -248,11 +245,6 @@ func GetSimulatorTargets() []TestTarget { getTestTarget([]string{"AutoInit"}), []TestCase{GetProfileTestCase}, }, - { - "GetProfile_Tagging", - getTestTarget([]string{"Tagging"}), - []TestCase{GetProfileTestCase}, - }, { "GetProfile_RotateContext", getTestTarget([]string{"RotateContext"}), @@ -295,12 +287,12 @@ func GetSimulatorTargets() []TestTarget { }, { "GetProfile_Combo02", - getTestTarget([]string{"ExtendTci", "Tagging", "X509", "InternalInfo"}), + getTestTarget([]string{"ExtendTci", "X509", "InternalInfo"}), []TestCase{GetProfileTestCase}, }, { "GetProfile_All", - getTestTarget([]string{"Simulation", "ExtendTci", "AutoInit", "Tagging", "RotateContext", "X509", "Csr", "IsSymmetric", "InternalInfo", "InternalDice", "IsCA"}), + getTestTarget([]string{"Simulation", "ExtendTci", "AutoInit", "RotateContext", "X509", "Csr", "IsSymmetric", "InternalInfo", "InternalDice", "IsCA"}), []TestCase{GetProfileTestCase}, }, { @@ -310,7 +302,7 @@ func GetSimulatorTargets() []TestTarget { }, { "NegativeCase_UnsupportedFeatureByDPE", - getTestTarget([]string{"AutoInit", "RotateContext", "ExtendTci", "Tagging"}), + getTestTarget([]string{"AutoInit", "RotateContext", "ExtendTci"}), []TestCase{UnsupportedCommandFlag}, }, } diff --git a/verification/tagTCI.go b/verification/tagTCI.go deleted file mode 100644 index b02a1c3a..00000000 --- a/verification/tagTCI.go +++ /dev/null @@ -1,57 +0,0 @@ -// Licensed under the Apache-2.0 license - -package verification - -import ( - "errors" - //"reflect" - "testing" -) - -func TestTagTCI(d TestDPEInstance, client DPEClient, t *testing.T) { - useSimulation := false - ctx := getInitialContextHandle(d, client, t, useSimulation) - - tag := TCITag(12345) - // Check to see our tag is not yet found. - if _, err := client.GetTaggedTCI(tag); !errors.Is(err, StatusBadTag) { - t.Fatalf("GetTaggedTCI returned %v, want %v", err, StatusBadTag) - } - - // Tag the default context - handle, err := client.TagTCI(ctx, tag) - if err != nil { - t.Fatalf("Could not tag TCI: %v", err) - } - - if *handle != *ctx { - t.Errorf("New context handle from TagTCI was %x, expected %x", handle, ctx) - } - - _, err = client.GetTaggedTCI(tag) - if err != nil { - t.Fatalf("Could not get tagged TCI: %v", err) - } - - // TODO: For profiles which use auto-initialization, we don't know the expected - // TCIs. Uncomment this once the DeriveChild API is implemented so the test - // can control the TCI inputs. - /* - wantCumulativeTCI := make([]byte, profile.GetDigestSize()) - if !reflect.DeepEqual(taggedTCI.CumulativeTCI, wantCumulativeTCI) { - t.Errorf("GetTaggedTCI returned cumulative TCI %x, expected %x", taggedTCI.CumulativeTCI, wantCumulativeTCI) - } - - wantCurrentTCI := make([]byte, profile.GetDigestSize()) - if !reflect.DeepEqual(taggedTCI.CurrentTCI, wantCurrentTCI) { - t.Errorf("GetTaggedTCI returned current TCI %x, expected %x", taggedTCI.CurrentTCI, wantCurrentTCI) - } - */ - - // Make sure some other tag is still not found. - if _, err := client.GetTaggedTCI(TCITag(98765)); !errors.Is(err, StatusBadTag) { - t.Fatalf("GetTaggedTCI returned %v, want %v", err, StatusBadTag) - } - - // TODO: When DeriveChild is implemented, call it here to add more TCIs and call TagTCI again. -} diff --git a/verification/verification.go b/verification/verification.go index 2da85fc9..b1325970 100644 --- a/verification/verification.go +++ b/verification/verification.go @@ -35,30 +35,26 @@ var CertifyKeySimulationTestCase = TestCase{ var GetCertificateChainTestCase = TestCase{ "GetCertificateChain", TestGetCertificateChain, []string{"AutoInit", "X509"}, } -var TagTCITestCase = TestCase{ - "TagTCI", TestTagTCI, []string{"AutoInit", "Tagging"}, -} var GetProfileTestCase = TestCase{ "GetProfile", TestGetProfile, []string{}, } var InvalidHandleTestCase = TestCase{ - "CheckInvalidHandle", TestInvalidHandle, []string{"Simulation", "RotateContext", "ExtendTci", "Tagging"}, + "CheckInvalidHandle", TestInvalidHandle, []string{"Simulation", "RotateContext", "ExtendTci"}, } var WrongLocalityTestCase = TestCase{ - "CheckWrongLocality", TestWrongLocality, []string{"AutoInit", "RotateContext", "ExtendTci", "Tagging"}, + "CheckWrongLocality", TestWrongLocality, []string{"AutoInit", "RotateContext", "ExtendTci"}, } var UnsupportedCommand = TestCase{ "CheckSupportForCommand", TestUnsupportedCommand, []string{"AutoInit"}, } var UnsupportedCommandFlag = TestCase{ - "CheckSupportForCommmandFlag", TestUnsupportedCommandFlag, []string{"AutoInit", "RotateContext", "ExtendTci", "Tagging"}, + "CheckSupportForCommmandFlag", TestUnsupportedCommandFlag, []string{"AutoInit", "RotateContext", "ExtendTci"}, } var AllTestCases = []TestCase{ CertifyKeyTestCase, CertifyKeySimulationTestCase, GetCertificateChainTestCase, - TagTCITestCase, GetProfileTestCase, InitializeContextTestCase, InitializeContextSimulationTestCase,