[nrf noup] attestation: Sign message instead of hash

For attestation, sign the full token instead of the hash of the token. Signed-off-by: Sigurd Hellesvik <[email protected]>
nrfconnect · Nov 22, 2024 · c9cd993 · c9cd993
1 parent 62b7864
commit c9cd993
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 2 deletions.
diff --git a/docs/integration_guide/services/tfm_attestation_integration_guide.rst b/docs/integration_guide/services/tfm_attestation_integration_guide.rst
@@ -412,7 +412,8 @@ device. System integrators might need to re-implement the following functions
 if they want to use initial attestation service with a different cryptographic
 library than Crypto service:
 
-- ``t_cose_crypto_pub_key_sign()``: Calculates the signature over a hash value.
+- ``t_cose_crypto_pub_key_sign_hash()``: Calculates the signature over a hash value.
+- ``t_cose_crypto_pub_key_sign_message()``: Calculates the signature over a message.
 - ``t_cose_crypto_get_ec_pub_key()``: Get the public key to create the key
   identifier.
 - ``t_cose_crypto_hash_start()``: Start a multipart hash operation.

diff --git a/secure_fw/partitions/initial_attestation/attest_core.c b/secure_fw/partitions/initial_attestation/attest_core.c
@@ -647,7 +647,7 @@ attest_create_token(struct q_useful_buf_c *challenge,
     enum attest_token_err_t token_err;
     struct attest_token_encode_ctx attest_token_ctx;
     int32_t key_select = 0;
-    uint32_t option_flags = 0;
+    uint32_t option_flags = TOKEN_OPT_SIGN_MESSAGE;
     int i;
     int32_t cose_algorithm_id;
 

diff --git a/secure_fw/partitions/initial_attestation/attest_token.h b/secure_fw/partitions/initial_attestation/attest_token.h
@@ -111,6 +111,8 @@ enum attest_token_err_t {
  * replicate it. */
 #define TOKEN_OPT_SHORT_CIRCUIT_SIGN 0x80000000
 
+#define TOKEN_OPT_SIGN_MESSAGE       0x01000000
+
 /**
  * The context for creating an attestation token.  The caller of
  * attest_token_encode must create one of these and pass it to the functions

diff --git a/secure_fw/partitions/initial_attestation/attest_token_encode.c b/secure_fw/partitions/initial_attestation/attest_token_encode.c
@@ -241,6 +241,9 @@ attest_token_encode_start(struct attest_token_encode_ctx *me,
     me->opt_flags  = opt_flags;
     me->key_select = key_select;
 
+    if (opt_flags & TOKEN_OPT_SIGN_MESSAGE) {
+       t_cose_options |= T_COSE_OPT_SIGN_MESSAGE;
+    }
 
     if (opt_flags & TOKEN_OPT_SHORT_CIRCUIT_SIGN) {
         t_cose_options |= T_COSE_OPT_SHORT_CIRCUIT_SIG;