michaelh/zephyr
1
0
Fork 0
Code Releases Activity

modules: tfm: Disable initial attestation service

Browse source 
Prevents Zephyr from enabling the initial attestation service in TF-M,
due to a dependency it has on an incompatibly-licensed library (QCBOR).

This update checks if either of the following config flags are
enabled at build time:

- `CONFIG_TFM_PARTITION_INITIAL_ATTESTATION`
- `CONFIG_TFM_PSA_TEST_INITIAL_ATTESTATION`

If either of these are set to true, a fatal error will be thrown at
build time, indicating the reason for the failure.

This change can be reverted once a longer term solution to the QCBOR
license issues has been resolved.

Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
This commit is contained in:
Kevin Townsend 2023-02-09 22:03:52 +01:00 committed by Stephanos Ioannidis
commit cd8d4ccad5
3 changed files with 22 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

20
modules/trusted-firmware-m/CMakeLists.txt
View file

@ -238,6 +238,26 @@ if (CONFIG_BUILD_WITH_TFM)
message(FATAL_ERROR "Unsupported ZEPHYR_TOOLCHAIN_VARIANT: ${ZEPHYR_TOOLCHAIN_VARIANT}") message(FATAL_ERROR "Unsupported ZEPHYR_TOOLCHAIN_VARIANT: ${ZEPHYR_TOOLCHAIN_VARIANT}")
endif() endif()
if (CONFIG_TFM_PARTITION_INITIAL_ATTESTATION)
# TODO: Remove this when QCBOR licensing issues w/t_cose have been resolved,
# or only allow it when 'QCBOR_PATH' is set to a local path where QCBOR has
# been manually downloaded by the user before starting the build.
message(FATAL_ERROR "CONFIG_TFM_PARTITION_INITIAL_ATTESTATION is not available "
"with TF-M 1.7.0 due to licensing issues with a dependent library. This "
"restriction will be removed once licensing issues have been resolved."
)
endif()
if (CONFIG_TFM_PSA_TEST_INITIAL_ATTESTATION)
# TODO: Remove this when QCBOR licensing issues w/t_cose have been resolved,
# or only allow it when 'QCBOR_PATH' is set to a local path where QCBOR has
# been manually downloaded by the user before starting the build.
message(FATAL_ERROR "CONFIG_TFM_PSA_TEST_INITIAL_ATTESTATION is not available "
"with TF-M 1.7.0 due to licensing issues with a dependent library. This "
"restriction will be removed once licensing issues have been resolved."
)
endif()
if(CONFIG_BOARD_LPCXPRESSO55S69_CPU0) if(CONFIG_BOARD_LPCXPRESSO55S69_CPU0)
# Supply path to NXP HAL sources used for TF-M build # Supply path to NXP HAL sources used for TF-M build
set(TFM_PLATFORM_NXP_HAL_FILE_PATH ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/platform/ext/target/nxp/) set(TFM_PLATFORM_NXP_HAL_FILE_PATH ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/platform/ext/target/nxp/)

2
modules/trusted-firmware-m/Kconfig.tfm.partitions
View file

@ -44,7 +44,7 @@ config TFM_PARTITION_CRYPTO
config TFM_PARTITION_INITIAL_ATTESTATION config TFM_PARTITION_INITIAL_ATTESTATION
bool "Secure partition 'Initial Attestation'" bool "Secure partition 'Initial Attestation'"
depends on TFM_PARTITION_CRYPTO depends on TFM_PARTITION_CRYPTO
default y default n
help help
Setting this option will cause '-DTFM_PARTITION_INITIAL_ATTESTATION' Setting this option will cause '-DTFM_PARTITION_INITIAL_ATTESTATION'
to be passed to the TF-M build system. Look at 'config_default.cmake' to be passed to the TF-M build system. Look at 'config_default.cmake'

2
samples/tfm_integration/tfm_regression_test/prj.conf
View file

@ -15,7 +15,7 @@ CONFIG_TFM_REGRESSION_NS=y
CONFIG_TFM_PARTITION_PROTECTED_STORAGE=y CONFIG_TFM_PARTITION_PROTECTED_STORAGE=y
CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE=y CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE=y
CONFIG_TFM_PARTITION_CRYPTO=y CONFIG_TFM_PARTITION_CRYPTO=y
CONFIG_TFM_PARTITION_INITIAL_ATTESTATION=y CONFIG_TFM_PARTITION_INITIAL_ATTESTATION=n
CONFIG_TFM_PARTITION_PLATFORM=y CONFIG_TFM_PARTITION_PLATFORM=y
# Enable IPC mode and isolation level 2 by default # Enable IPC mode and isolation level 2 by default