From cd8d4ccad55544b38637632e747a3b00a8c01016 Mon Sep 17 00:00:00 2001 From: Kevin Townsend Date: Thu, 9 Feb 2023 22:03:52 +0100 Subject: [PATCH] modules: tfm: Disable initial attestation service Prevents Zephyr from enabling the initial attestation service in TF-M, due to a dependency it has on an incompatibly-licensed library (QCBOR). This update checks if either of the following config flags are enabled at build time: - `CONFIG_TFM_PARTITION_INITIAL_ATTESTATION` - `CONFIG_TFM_PSA_TEST_INITIAL_ATTESTATION` If either of these are set to true, a fatal error will be thrown at build time, indicating the reason for the failure. This change can be reverted once a longer term solution to the QCBOR license issues has been resolved. Signed-off-by: Kevin Townsend --- modules/trusted-firmware-m/CMakeLists.txt | 20 +++++++++++++++++++ .../trusted-firmware-m/Kconfig.tfm.partitions | 2 +- .../tfm_regression_test/prj.conf | 2 +- 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/modules/trusted-firmware-m/CMakeLists.txt b/modules/trusted-firmware-m/CMakeLists.txt index 63107f56537..f2857429e2d 100644 --- a/modules/trusted-firmware-m/CMakeLists.txt +++ b/modules/trusted-firmware-m/CMakeLists.txt @@ -238,6 +238,26 @@ if (CONFIG_BUILD_WITH_TFM) message(FATAL_ERROR "Unsupported ZEPHYR_TOOLCHAIN_VARIANT: ${ZEPHYR_TOOLCHAIN_VARIANT}") endif() + if (CONFIG_TFM_PARTITION_INITIAL_ATTESTATION) + # TODO: Remove this when QCBOR licensing issues w/t_cose have been resolved, + # or only allow it when 'QCBOR_PATH' is set to a local path where QCBOR has + # been manually downloaded by the user before starting the build. + message(FATAL_ERROR "CONFIG_TFM_PARTITION_INITIAL_ATTESTATION is not available " + "with TF-M 1.7.0 due to licensing issues with a dependent library. This " + "restriction will be removed once licensing issues have been resolved." + ) + endif() + + if (CONFIG_TFM_PSA_TEST_INITIAL_ATTESTATION) + # TODO: Remove this when QCBOR licensing issues w/t_cose have been resolved, + # or only allow it when 'QCBOR_PATH' is set to a local path where QCBOR has + # been manually downloaded by the user before starting the build. + message(FATAL_ERROR "CONFIG_TFM_PSA_TEST_INITIAL_ATTESTATION is not available " + "with TF-M 1.7.0 due to licensing issues with a dependent library. This " + "restriction will be removed once licensing issues have been resolved." + ) + endif() + if(CONFIG_BOARD_LPCXPRESSO55S69_CPU0) # Supply path to NXP HAL sources used for TF-M build set(TFM_PLATFORM_NXP_HAL_FILE_PATH ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/platform/ext/target/nxp/) diff --git a/modules/trusted-firmware-m/Kconfig.tfm.partitions b/modules/trusted-firmware-m/Kconfig.tfm.partitions index f035939a1dd..cd9aaadb1ec 100644 --- a/modules/trusted-firmware-m/Kconfig.tfm.partitions +++ b/modules/trusted-firmware-m/Kconfig.tfm.partitions @@ -44,7 +44,7 @@ config TFM_PARTITION_CRYPTO config TFM_PARTITION_INITIAL_ATTESTATION bool "Secure partition 'Initial Attestation'" depends on TFM_PARTITION_CRYPTO - default y + default n help Setting this option will cause '-DTFM_PARTITION_INITIAL_ATTESTATION' to be passed to the TF-M build system. Look at 'config_default.cmake' diff --git a/samples/tfm_integration/tfm_regression_test/prj.conf b/samples/tfm_integration/tfm_regression_test/prj.conf index e6c9ec974a8..6817a7f717b 100644 --- a/samples/tfm_integration/tfm_regression_test/prj.conf +++ b/samples/tfm_integration/tfm_regression_test/prj.conf @@ -15,7 +15,7 @@ CONFIG_TFM_REGRESSION_NS=y CONFIG_TFM_PARTITION_PROTECTED_STORAGE=y CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE=y CONFIG_TFM_PARTITION_CRYPTO=y -CONFIG_TFM_PARTITION_INITIAL_ATTESTATION=y +CONFIG_TFM_PARTITION_INITIAL_ATTESTATION=n CONFIG_TFM_PARTITION_PLATFORM=y # Enable IPC mode and isolation level 2 by default