1*7e05ec25SJerome Forissier /* SPDX-License-Identifier: BSD-2-Clause */ 2*7e05ec25SJerome Forissier /* 3*7e05ec25SJerome Forissier * Copyright (C) 2021, Huawei Technologies Co., Ltd 4*7e05ec25SJerome Forissier */ 5*7e05ec25SJerome Forissier 6*7e05ec25SJerome Forissier /* 7*7e05ec25SJerome Forissier * Provide remote attestation services 8*7e05ec25SJerome Forissier */ 9*7e05ec25SJerome Forissier 10*7e05ec25SJerome Forissier #ifndef __PTA_ATTESTATION_H 11*7e05ec25SJerome Forissier #define __PTA_ATTESTATION_H 12*7e05ec25SJerome Forissier 13*7e05ec25SJerome Forissier #define PTA_ATTESTATION_UUID { 0x39800861, 0x182a, 0x4720, \ 14*7e05ec25SJerome Forissier { 0x9b, 0x67, 0x2b, 0xcd, 0x62, 0x2b, 0xc0, 0xb5 } } 15*7e05ec25SJerome Forissier 16*7e05ec25SJerome Forissier /* 17*7e05ec25SJerome Forissier * Get the RSA public key that should be used to verify the values returned by 18*7e05ec25SJerome Forissier * other commands. 19*7e05ec25SJerome Forissier * 20*7e05ec25SJerome Forissier * [out] memref[0] Public key exponent in big endian order 21*7e05ec25SJerome Forissier * [out] memref[1] Modulus in big endian order 22*7e05ec25SJerome Forissier * [out] value[2] Signature algorithm used by other commands. 23*7e05ec25SJerome Forissier * Currently always 24*7e05ec25SJerome Forissier * TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256. 25*7e05ec25SJerome Forissier * 26*7e05ec25SJerome Forissier * Return codes: 27*7e05ec25SJerome Forissier * TEE_SUCCESS 28*7e05ec25SJerome Forissier * TEE_ERROR_GENERIC - Internal error 29*7e05ec25SJerome Forissier * TEE_ERROR_SHORT_BUFFER - One or both buffers are too small, required size 30*7e05ec25SJerome Forissier * is provided in memref[i].size 31*7e05ec25SJerome Forissier */ 32*7e05ec25SJerome Forissier #define PTA_ATTESTATION_GET_PUBKEY 0x0 33*7e05ec25SJerome Forissier 34*7e05ec25SJerome Forissier /* 35*7e05ec25SJerome Forissier * Return the digest found in the header of a Trusted Application binary or a 36*7e05ec25SJerome Forissier * Trusted Shared library 37*7e05ec25SJerome Forissier * 38*7e05ec25SJerome Forissier * [in] memref[0] UUID of the TA or shared library 39*7e05ec25SJerome Forissier * [in] memref[1] Nonce (random non-NULL, non-empty buffer of any 40*7e05ec25SJerome Forissier * size to prevent replay attacks) 41*7e05ec25SJerome Forissier * [out] memref[2] Output buffer. Receives the signed digest. 42*7e05ec25SJerome Forissier * - The first 32 bytes are the digest itself (from 43*7e05ec25SJerome Forissier * the TA signed header: struct shdr::hash) 44*7e05ec25SJerome Forissier * - The following bytes are a signature: 45*7e05ec25SJerome Forissier * SIG(SHA256(Nonce | digest)) 46*7e05ec25SJerome Forissier * - The algorithm is 47*7e05ec25SJerome Forissier * TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256 with a salt 48*7e05ec25SJerome Forissier * length of 32. 49*7e05ec25SJerome Forissier * - The key pair is generated internally and stored 50*7e05ec25SJerome Forissier * in secure storage. The public key can be 51*7e05ec25SJerome Forissier * retrieved with command PTA_ATTESTATION_GET_PUBKEY 52*7e05ec25SJerome Forissier * (typically during device provisioning). 53*7e05ec25SJerome Forissier * Given that the sigature length is equal to the 54*7e05ec25SJerome Forissier * RSA modulus size in bytes, the output buffer size 55*7e05ec25SJerome Forissier * should be at least (digest size + modulus size) 56*7e05ec25SJerome Forissier * bytes. For example, for a 32-byte SHA256 digest and 57*7e05ec25SJerome Forissier * 2048 bit key (256 bytes) the minimum buffer size is 58*7e05ec25SJerome Forissier * 288 bytes. 59*7e05ec25SJerome Forissier * 60*7e05ec25SJerome Forissier * Return codes: 61*7e05ec25SJerome Forissier * TEE_SUCCESS 62*7e05ec25SJerome Forissier * TEE_ERROR_BAD_PARAMETERS - Incorrect input param 63*7e05ec25SJerome Forissier * TEE_ERROR_SHORT_BUFFER - Output buffer size less than required 64*7e05ec25SJerome Forissier */ 65*7e05ec25SJerome Forissier #define PTA_ATTESTATION_GET_TA_SHDR_DIGEST 0x1 66*7e05ec25SJerome Forissier 67*7e05ec25SJerome Forissier /* 68*7e05ec25SJerome Forissier * Return a signed hash for a running user space TA, which must be the caller 69*7e05ec25SJerome Forissier * of this PTA. It is a runtime measurement of the memory pages that contain 70*7e05ec25SJerome Forissier * immutable data (code and read-only data). 71*7e05ec25SJerome Forissier * 72*7e05ec25SJerome Forissier * [in] memref[0] Nonce 73*7e05ec25SJerome Forissier * [out] memref[1] SHA256 hash of the TA memory followed by a 74*7e05ec25SJerome Forissier * signature. See PTA_ATTESTATION_GET_TA_HDR_DIGEST 75*7e05ec25SJerome Forissier * for a description of the signature. 76*7e05ec25SJerome Forissier * 77*7e05ec25SJerome Forissier * Return codes: 78*7e05ec25SJerome Forissier * TEE_SUCCESS 79*7e05ec25SJerome Forissier * TEE_ERROR_ACCESS_DENIED - Caller is not a user space TA 80*7e05ec25SJerome Forissier * TEE_ERROR_BAD_PARAMETERS - Incorrect input param 81*7e05ec25SJerome Forissier * TEE_ERROR_SHORT_BUFFER - Output buffer size less than required 82*7e05ec25SJerome Forissier */ 83*7e05ec25SJerome Forissier #define PTA_ATTESTATION_HASH_TA_MEMORY 0x2 84*7e05ec25SJerome Forissier 85*7e05ec25SJerome Forissier /* 86*7e05ec25SJerome Forissier * Return a signed hash of the TEE OS (kernel) memory. It is a runtime 87*7e05ec25SJerome Forissier * measurement of the memory pages that contain immutable data (code and 88*7e05ec25SJerome Forissier * read-only data). 89*7e05ec25SJerome Forissier * 90*7e05ec25SJerome Forissier * [in] memref[0] Nonce 91*7e05ec25SJerome Forissier * [out] memref[1] SHA256 hash of the TEE memory followed by a 92*7e05ec25SJerome Forissier * signature. See PTA_ATTESTATION_GET_TA_HDR_DIGEST 93*7e05ec25SJerome Forissier * for a description of the signature. 94*7e05ec25SJerome Forissier * 95*7e05ec25SJerome Forissier * Return codes: 96*7e05ec25SJerome Forissier * TEE_SUCCESS 97*7e05ec25SJerome Forissier * TEE_ERROR_BAD_PARAMETERS - Incorrect input param 98*7e05ec25SJerome Forissier * TEE_ERROR_SHORT_BUFFER - Output buffer size less than required 99*7e05ec25SJerome Forissier */ 100*7e05ec25SJerome Forissier #define PTA_ATTESTATION_HASH_TEE_MEMORY 0x3 101*7e05ec25SJerome Forissier 102*7e05ec25SJerome Forissier #endif /* __PTA_ATTESTATION_H */ 103