Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[nrf noup] For Attestation, use message instead of hash #180

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

[nrf noup] For Attestation, use message instead of hash #180

wants to merge 2 commits into from

Conversation

hellesvik-nordic
Copy link

Also updated T_COSE library to support this

hellesvik-nordic
hellesvik-nordic commented Nov 18, 2024
View reviewed changes
secure_fw/partitions/initial_attestation/attest_token_encode.c Outdated
@@ -241,6 +241,9 @@ attest_token_encode_start(struct attest_token_encode_ctx *me,
me->opt_flags = opt_flags;
me->key_select = key_select;

if (opt_flags & TOKEN_OPT_SIGN_MESSAGE) {
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should I make sure this is only added for nRF54L15, or should we use sign_message for all chips?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that it makes sense to keep the default as is and not use sign_message.

But we need to have this as an option in TFM. We can sync with a call tomorrow or something and we can find a way to do that.

Vge0rge
Vge0rge reviewed Nov 18, 2024
View reviewed changes
lib/ext/t_cose/src/t_cose_sign1_sign.c Outdated Show resolved Hide resolved
lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c Outdated Show resolved Hide resolved
lib/ext/t_cose/inc/t_cose_common.h Outdated
@@ -496,6 +496,14 @@ struct t_cose_parameters {
*/
#define T_COSE_OPT_DECODE_ONLY 0x00000008

/**
* By defualt, the cose t_cose_sign1_sign will calculate the hash
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"defualt" -> "default"

And the function t_cose_sign1_sign doesnt exit now.

lib/ext/t_cose/inc/t_cose_sign1_sign.h Outdated Show resolved Hide resolved
lib/ext/t_cose/src/t_cose_crypto.h Outdated Show resolved Hide resolved
secure_fw/partitions/initial_attestation/attest_token_encode.c Outdated
@@ -241,6 +241,9 @@ attest_token_encode_start(struct attest_token_encode_ctx *me,
me->opt_flags = opt_flags;
me->key_select = key_select;

if (opt_flags & TOKEN_OPT_SIGN_MESSAGE) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that it makes sense to keep the default as is and not use sign_message.

But we need to have this as an option in TFM. We can sync with a call tomorrow or something and we can find a way to do that.

@hellesvik-nordic hellesvik-nordic force-pushed the t_cose_add_message_sign branch 13 times, most recently from c9cd993 to dc8b931 Compare November 22, 2024 12:44
@hellesvik-nordic
[nrf noup] COSE: Add sign_message option to sign1
2e12b98 
The t_cose library only had support for signing a hash/digest.
Adding support for signing message instead by using
the option T_COSE_OPT_SIGN_MESSAGE.

Signed-off-by: Sigurd Hellesvik <[email protected]>
@hellesvik-nordic
[nrf noup] attestation: Sign message instead of hash
9c1a5ad 
For attestation, sign the full token instead of the hash of the token.

Signed-off-by: Sigurd Hellesvik <[email protected]>
@NordicBuilder NordicBuilder mentioned this pull request Nov 22, 2024
Open
tomi-font
tomi-font reviewed Nov 25, 2024
View reviewed changes
lib/ext/t_cose/tfm_t_cose.cmake
Copy link
Contributor

@tomi-font tomi-font Nov 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we making changes to lib/ext/t_cose as a noup while it exists upstream?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. I will make a PR upstream instead, and then fix this PR accordingly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tomi-font tomi-font tomi-font left review comments

@Vge0rge Vge0rge Vge0rge left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hellesvik-nordic @Vge0rge @tomi-font