1 /* SPDX-License-Identifier: BSD-2-Clause */ 2 /* 3 * Copyright (C) 2021, Huawei Technologies Co., Ltd 4 */ 5 6 /* 7 * Provide remote attestation services 8 */ 9 10 #ifndef __PTA_ATTESTATION_H 11 #define __PTA_ATTESTATION_H 12 13 #define PTA_ATTESTATION_UUID { 0x39800861, 0x182a, 0x4720, \ 14 { 0x9b, 0x67, 0x2b, 0xcd, 0x62, 0x2b, 0xc0, 0xb5 } } 15 16 /* 17 * Get the RSA public key that should be used to verify the values returned by 18 * other commands. 19 * 20 * [out] memref[0] Public key exponent in big endian order 21 * [out] memref[1] Modulus in big endian order 22 * [out] value[2] Signature algorithm used by other commands. 23 * Currently always 24 * TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256. 25 * 26 * Return codes: 27 * TEE_SUCCESS 28 * TEE_ERROR_GENERIC - Internal error 29 * TEE_ERROR_SHORT_BUFFER - One or both buffers are too small, required size 30 * is provided in memref[i].size 31 */ 32 #define PTA_ATTESTATION_GET_PUBKEY 0x0 33 34 /* 35 * Return the digest found in the header of a Trusted Application binary or a 36 * Trusted Shared library 37 * 38 * [in] memref[0] UUID of the TA or shared library 39 * [in] memref[1] Nonce (random non-NULL, non-empty buffer of any 40 * size to prevent replay attacks) 41 * [out] memref[2] Output buffer. Receives the signed digest. 42 * - The first 32 bytes are the digest itself (from 43 * the TA signed header: struct shdr::hash) 44 * - The following bytes are a signature: 45 * SIG(SHA256(Nonce | digest)) 46 * - The algorithm is 47 * TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256 with a salt 48 * length of 32. 49 * - The key pair is generated internally and stored 50 * in secure storage. The public key can be 51 * retrieved with command PTA_ATTESTATION_GET_PUBKEY 52 * (typically during device provisioning). 53 * Given that the sigature length is equal to the 54 * RSA modulus size in bytes, the output buffer size 55 * should be at least (digest size + modulus size) 56 * bytes. For example, for a 32-byte SHA256 digest and 57 * 2048 bit key (256 bytes) the minimum buffer size is 58 * 288 bytes. 59 * 60 * Return codes: 61 * TEE_SUCCESS 62 * TEE_ERROR_BAD_PARAMETERS - Incorrect input param 63 * TEE_ERROR_SHORT_BUFFER - Output buffer size less than required 64 */ 65 #define PTA_ATTESTATION_GET_TA_SHDR_DIGEST 0x1 66 67 /* 68 * Return a signed hash for a running user space TA, which must be the caller 69 * of this PTA. It is a runtime measurement of the memory pages that contain 70 * immutable data (code and read-only data). 71 * 72 * [in] memref[0] Nonce 73 * [out] memref[1] SHA256 hash of the TA memory followed by a 74 * signature. See PTA_ATTESTATION_GET_TA_HDR_DIGEST 75 * for a description of the signature. 76 * 77 * Return codes: 78 * TEE_SUCCESS 79 * TEE_ERROR_ACCESS_DENIED - Caller is not a user space TA 80 * TEE_ERROR_BAD_PARAMETERS - Incorrect input param 81 * TEE_ERROR_SHORT_BUFFER - Output buffer size less than required 82 */ 83 #define PTA_ATTESTATION_HASH_TA_MEMORY 0x2 84 85 /* 86 * Return a signed hash of the TEE OS (kernel) memory. It is a runtime 87 * measurement of the memory pages that contain immutable data (code and 88 * read-only data). 89 * 90 * [in] memref[0] Nonce 91 * [out] memref[1] SHA256 hash of the TEE memory followed by a 92 * signature. See PTA_ATTESTATION_GET_TA_HDR_DIGEST 93 * for a description of the signature. 94 * 95 * Return codes: 96 * TEE_SUCCESS 97 * TEE_ERROR_BAD_PARAMETERS - Incorrect input param 98 * TEE_ERROR_SHORT_BUFFER - Output buffer size less than required 99 */ 100 #define PTA_ATTESTATION_HASH_TEE_MEMORY 0x3 101 102 #endif /* __PTA_ATTESTATION_H */ 103