-
Notifications
You must be signed in to change notification settings - Fork 1k
/
pta_attestation.h
102 lines (94 loc) · 4.04 KB
/
pta_attestation.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
/* SPDX-License-Identifier: BSD-2-Clause */
/*
* Copyright (C) 2021, Huawei Technologies Co., Ltd
*/
/*
* Provide remote attestation services
*/
#ifndef __PTA_ATTESTATION_H
#define __PTA_ATTESTATION_H
#define PTA_ATTESTATION_UUID { 0x39800861, 0x182a, 0x4720, \
{ 0x9b, 0x67, 0x2b, 0xcd, 0x62, 0x2b, 0xc0, 0xb5 } }
/*
* Get the RSA public key that should be used to verify the values returned by
* other commands.
*
* [out] memref[0] Public key exponent in big endian order
* [out] memref[1] Modulus in big endian order
* [out] value[2] Signature algorithm used by other commands.
* Currently always
* TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256.
*
* Return codes:
* TEE_SUCCESS
* TEE_ERROR_GENERIC - Internal error
* TEE_ERROR_SHORT_BUFFER - One or both buffers are too small, required size
* is provided in memref[i].size
*/
#define PTA_ATTESTATION_GET_PUBKEY 0x0
/*
* Return the digest found in the header of a Trusted Application binary or a
* Trusted Shared library
*
* [in] memref[0] UUID of the TA or shared library
* [in] memref[1] Nonce (random non-NULL, non-empty buffer of any
* size to prevent replay attacks)
* [out] memref[2] Output buffer. Receives the signed digest.
* - The first 32 bytes are the digest itself (from
* the TA signed header: struct shdr::hash)
* - The following bytes are a signature:
* SIG(SHA256(Nonce | digest))
* - The algorithm is
* TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256 with a salt
* length of 32.
* - The key pair is generated internally and stored
* in secure storage. The public key can be
* retrieved with command PTA_ATTESTATION_GET_PUBKEY
* (typically during device provisioning).
* Given that the sigature length is equal to the
* RSA modulus size in bytes, the output buffer size
* should be at least (digest size + modulus size)
* bytes. For example, for a 32-byte SHA256 digest and
* 2048 bit key (256 bytes) the minimum buffer size is
* 288 bytes.
*
* Return codes:
* TEE_SUCCESS
* TEE_ERROR_BAD_PARAMETERS - Incorrect input param
* TEE_ERROR_SHORT_BUFFER - Output buffer size less than required
*/
#define PTA_ATTESTATION_GET_TA_SHDR_DIGEST 0x1
/*
* Return a signed hash for a running user space TA, which must be the caller
* of this PTA. It is a runtime measurement of the memory pages that contain
* immutable data (code and read-only data).
*
* [in] memref[0] Nonce
* [out] memref[1] SHA256 hash of the TA memory followed by a
* signature. See PTA_ATTESTATION_GET_TA_HDR_DIGEST
* for a description of the signature.
*
* Return codes:
* TEE_SUCCESS
* TEE_ERROR_ACCESS_DENIED - Caller is not a user space TA
* TEE_ERROR_BAD_PARAMETERS - Incorrect input param
* TEE_ERROR_SHORT_BUFFER - Output buffer size less than required
*/
#define PTA_ATTESTATION_HASH_TA_MEMORY 0x2
/*
* Return a signed hash of the TEE OS (kernel) memory. It is a runtime
* measurement of the memory pages that contain immutable data (code and
* read-only data).
*
* [in] memref[0] Nonce
* [out] memref[1] SHA256 hash of the TEE memory followed by a
* signature. See PTA_ATTESTATION_GET_TA_HDR_DIGEST
* for a description of the signature.
*
* Return codes:
* TEE_SUCCESS
* TEE_ERROR_BAD_PARAMETERS - Incorrect input param
* TEE_ERROR_SHORT_BUFFER - Output buffer size less than required
*/
#define PTA_ATTESTATION_HASH_TEE_MEMORY 0x3
#endif /* __PTA_ATTESTATION_H */