modules: tfm: Disable initial attestation service

Prevents Zephyr from enabling the initial attestation service in TF-M, due to a dependency it has on an incompatibly-licensed library (QCBOR). This update checks if either of the following config flags are enabled at build time: - `CONFIG_TFM_PARTITION_INITIAL_ATTESTATION` - `CONFIG_TFM_PSA_TEST_INITIAL_ATTESTATION` If either of these are set to true, a fatal error will be thrown at build time, indicating the reason for the failure. This change can be reverted once a longer term solution to the QCBOR license issues has been resolved. Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
2023-02-09 22:03:52 +01:00 · 2023-02-09 22:03:52 +01:00 · cd8d4ccad5
commit cd8d4ccad5
parent 4de473e4c9
3 changed files with 22 additions and 2 deletions
--- a/modules/trusted-firmware-m/CMakeLists.txt
+++ b/modules/trusted-firmware-m/CMakeLists.txt
@ -238,6 +238,26 @@ if (CONFIG_BUILD_WITH_TFM)
    message(FATAL_ERROR "Unsupported ZEPHYR_TOOLCHAIN_VARIANT: ${ZEPHYR_TOOLCHAIN_VARIANT}")
  endif()

+  if (CONFIG_TFM_PARTITION_INITIAL_ATTESTATION)
+    # TODO: Remove this when QCBOR licensing issues w/t_cose have been resolved,
+    # or only allow it when 'QCBOR_PATH' is set to a local path where QCBOR has
+    # been manually downloaded by the user before starting the build.
+    message(FATAL_ERROR "CONFIG_TFM_PARTITION_INITIAL_ATTESTATION is not available "
+      "with TF-M 1.7.0 due to licensing issues with a dependent library. This "
+      "restriction will be removed once licensing issues have been resolved."
+      )
+  endif()
+
+  if (CONFIG_TFM_PSA_TEST_INITIAL_ATTESTATION)
+    # TODO: Remove this when QCBOR licensing issues w/t_cose have been resolved,
+    # or only allow it when 'QCBOR_PATH' is set to a local path where QCBOR has
+    # been manually downloaded by the user before starting the build.
+    message(FATAL_ERROR "CONFIG_TFM_PSA_TEST_INITIAL_ATTESTATION is not available "
+      "with TF-M 1.7.0 due to licensing issues with a dependent library. This "
+      "restriction will be removed once licensing issues have been resolved."
+      )
+  endif()
+
  if(CONFIG_BOARD_LPCXPRESSO55S69_CPU0)
    # Supply path to NXP HAL sources used for TF-M build
    set(TFM_PLATFORM_NXP_HAL_FILE_PATH ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/platform/ext/target/nxp/)
--- a/modules/trusted-firmware-m/Kconfig.tfm.partitions
+++ b/modules/trusted-firmware-m/Kconfig.tfm.partitions
@ -44,7 +44,7 @@ config TFM_PARTITION_CRYPTO
 config TFM_PARTITION_INITIAL_ATTESTATION
 	bool "Secure partition 'Initial Attestation'"
 	depends on TFM_PARTITION_CRYPTO
-	default y
+	default n
 	help
 	  Setting this option will cause '-DTFM_PARTITION_INITIAL_ATTESTATION'
 	  to be passed to the TF-M build system. Look at 'config_default.cmake'
--- a/samples/tfm_integration/tfm_regression_test/prj.conf
+++ b/samples/tfm_integration/tfm_regression_test/prj.conf
@ -15,7 +15,7 @@ CONFIG_TFM_REGRESSION_NS=y
 CONFIG_TFM_PARTITION_PROTECTED_STORAGE=y
 CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE=y
 CONFIG_TFM_PARTITION_CRYPTO=y
-CONFIG_TFM_PARTITION_INITIAL_ATTESTATION=y
+CONFIG_TFM_PARTITION_INITIAL_ATTESTATION=n
 CONFIG_TFM_PARTITION_PLATFORM=y

 # Enable IPC mode and isolation level 2 by default