Merge pull request #9312 from kfnta/psa_compliance

PSA compliance tests suite

Author: Cruz Monrreal

.astyleignore

@@ -24,6 +24,7 @@ components/802.15.4_RF
 components/wifi
 components/TARGET_PSA/TARGET_TFM
 tools
+components/TARGET_PSA/TESTS
 components/TARGET_PSA/services/attestation/COMPONENT_PSA_SRV_IMPL/tfm_impl
 components/TARGET_PSA/services/attestation/qcbor
-components/TARGET_PSA/services/attestation/attestation.h
+components/TARGET_PSA/services/attestation/attestation.h

components/TARGET_PSA/TESTS/compliance_attestation/psa_attestation_testlist.md

@@ -0,0 +1,22 @@
+# PSA Initial Attestation Testcase checklist
+
+| Test      | Return value                         | API                                                               | Test Algorithm                                                                                                                                                  | Test Cases                                                                                                                                                                                             |
+|-----------|--------------------------------------|-------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| test_a001 | PSA_ATTEST_ERR_SUCCESS               | psa_initial_attest_get_token()<br />psa_initial_attest_get_token_size() | 1. Provide correct inputs to API with described challenge sizes  <br />2. Expect API to return this define as return value each time  <br />3. Verify the token | 1. Challenge_size = 32 <br />2. Challenge_size = 48 <br />3. Challenge_size = 64                                                                                                         |
+|           | PSA_ATTEST_ERR_INVALID_INPUT         | psa_initial_attest_get_token()<br />psa_initial_attest_get_token_size() | 1. Provide described challenge sizes to the API along with other valid parameters <br />2. Expect API to return this define as return value each time           | 1. Challenge_size is zero <br />2. Invalid challenge size between 0 and 32 <br />3. Invalid challenge size between 32 and 64  <br />4. Challenge_size is greater than MAX_CHALLENGE_SIZE |
+|           | PSA_ATTEST_ERR_TOKEN_BUFFER_OVERFLOW | psa_initial_attest_get_token()                                    | 1. Provide described taken size to the API along with other valid parameters <br />2. Expect API to return this define as return value each time                | Pass the token_size which less than actual/required token size                                                                                                                                        |
+|           | PSA_ATTEST_ERR_INIT_FAILED           | psa_initial_attest_get_token()<br />psa_initial_attest_get_token_size() | Can't simulate. Test can't generate stimulus where attestation initialisation fails                                                                             |                                                                                                                                                                                                       |
+|           | PSA_ATTEST_ERR_CLAIM_UNAVAILABLE     | psa_initial_attest_get_token()                                    | Can't simulate. Test can't generate stimulus where claim can unavailable                                                                                        |                                                                                                                                                                                                       |
+|           | PSA_ATTEST_ERR_GENERAL               | psa_initial_attest_get_token()<br />psa_initial_attest_get_token_size() | Can't simulate. Test can't generate stimulus where unexpected error happened during API operation                                                               |                                                                                                                                                                                                       |
+
+## Note
+
+1. In verifying the token, only the data type of claims and presence of the mandatory claims are checked and the values of the claims are not checked.
+2. Checks related to token signature validation will be part of future release
+
+# License
+Arm PSA test suite is distributed under Apache v2.0 License.
+
+--------------
+
+*Copyright (c) 2019, Arm Limited and Contributors. All rights reserved.*

components/TARGET_PSA/TESTS/compliance_attestation/test_a001/main.c

@@ -0,0 +1,9 @@
+#include "val_interfaces.h"
+#include "pal_mbed_os_intf.h"
+
+void test_entry_a001(val_api_t *val_api, psa_api_t *psa_api); 
+
+int main(void)
+{
+    test_start(test_entry_a001, COMPLIANCE_TEST_ATTESTATION);
+}

components/TARGET_PSA/TESTS/compliance_attestation/test_a001/test_a001.c

@@ -0,0 +1,105 @@
+/** @file
+ * Copyright (c) 2019, Arm Limited or its affiliates. All rights reserved.
+ * SPDX-License-Identifier : Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+**/
+
+#include "val_interfaces.h"
+#include "val_target.h"
+#include "test_a001.h"
+#include "test_data.h"
+
+client_test_t test_a001_attestation_list[] = {
+    NULL,
+    psa_initial_attestation_get_token_test,
+    psa_initial_attestation_get_token_size_test,
+    NULL,
+};
+
+static int         g_test_count = 1;
+
+int32_t psa_initial_attestation_get_token_test(security_t caller)
+{
+    int         num_checks = sizeof(check1)/sizeof(check1[0]);
+    uint32_t    i, status, token_size;
+    uint8_t     challenge[PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64+1];
+    uint8_t     token_buffer[TOKEN_SIZE];
+
+    for (i = 0; i < num_checks; i++)
+    {
+        val->print(PRINT_TEST, "[Check %d] ", g_test_count++);
+        val->print(PRINT_TEST, check1[i].test_desc, 0);
+
+        memset(challenge, 0x2a, sizeof(challenge));
+        memset(token_buffer, 0, sizeof(token_buffer));
+
+        status = val->attestation_function(VAL_INITIAL_ATTEST_GET_TOKEN_SIZE,
+                     check1[i].challenge_size, &token_size);
+        if (status != PSA_SUCCESS)
+        {
+            if (check1[i].challenge_size != PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32 ||
+                check1[i].challenge_size != PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48 ||
+                check1[i].challenge_size != PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64)
+            {
+                token_size = check1[i].token_size;
+                check1[i].challenge_size = check1[i].actual_challenge_size;
+            }
+            else
+                return status;
+        }
+
+        status = val->attestation_function(VAL_INITIAL_ATTEST_GET_TOKEN, challenge,
+                     check1[i].challenge_size, token_buffer, &token_size);
+        TEST_ASSERT_EQUAL(status, check1[i].expected_status, TEST_CHECKPOINT_NUM(1));
+
+        if (check1[i].expected_status != PSA_SUCCESS)
+            continue;
+
+        /* Validate the token */
+        status = val->attestation_function(VAL_INITIAL_ATTEST_VERIFY_TOKEN, challenge,
+                    check1[i].challenge_size, token_buffer, token_size);
+        TEST_ASSERT_EQUAL(status, PSA_SUCCESS, TEST_CHECKPOINT_NUM(2));
+    }
+
+    return VAL_STATUS_SUCCESS;
+}
+
+int32_t psa_initial_attestation_get_token_size_test(security_t caller)
+{
+    int         num_checks = sizeof(check2)/sizeof(check2[0]);
+    uint32_t    i, status, token_size;
+
+    for (i = 0; i < num_checks; i++)
+    {
+        val->print(PRINT_TEST, "[Check %d] ", g_test_count++);
+        val->print(PRINT_TEST, check2[i].test_desc, 0);
+
+        status = val->attestation_function(VAL_INITIAL_ATTEST_GET_TOKEN_SIZE,
+                     check2[i].challenge_size, &token_size);
+
+        TEST_ASSERT_EQUAL(status, check2[i].expected_status, TEST_CHECKPOINT_NUM(1));
+
+        if (check2[i].expected_status != PSA_SUCCESS)
+            continue;
+
+        if (token_size < check2[i].challenge_size)
+        {
+            val->print(PRINT_ERROR, "Token size less than challenge size\n", 0);
+            return VAL_STATUS_INSUFFICIENT_SIZE;
+        }
+    }
+
+    return VAL_STATUS_SUCCESS;
+}
+

components/TARGET_PSA/TESTS/compliance_attestation/test_a001/test_a001.h

@@ -0,0 +1,33 @@
+/** @file
+ * Copyright (c) 2019, Arm Limited or its affiliates. All rights reserved.
+ * SPDX-License-Identifier : Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+**/
+#ifndef _TEST_A001_CLIENT_TESTS_H_
+#define _TEST_A001_CLIENT_TESTS_H_
+
+#include "val_attestation.h"
+#define test_entry CONCAT(test_entry_, a001)
+#define val CONCAT(val,test_entry)
+#define psa CONCAT(psa,test_entry)
+
+#define TOKEN_SIZE          512
+
+extern val_api_t *val;
+extern psa_api_t *psa;
+extern client_test_t test_a001_attestation_list[];
+
+int32_t psa_initial_attestation_get_token_test(security_t caller);
+int32_t psa_initial_attestation_get_token_size_test(security_t caller);
+#endif /* _TEST_A001_CLIENT_TESTS_H_ */

components/TARGET_PSA/TESTS/compliance_attestation/test_a001/test_data.h

@@ -0,0 +1,103 @@
+/** @file
+ * Copyright (c) 2019, Arm Limited or its affiliates. All rights reserved.
+ * SPDX-License-Identifier : Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+**/
+
+#include "val_attestation.h"
+
+typedef struct {
+    char                    test_desc[100];
+    uint32_t                challenge_size;
+    uint32_t                actual_challenge_size;
+    uint32_t                token_size;
+    psa_status_t            expected_status;
+} test_data;
+
+
+static test_data check1[] = {
+{"Test psa_initial_attestation_get_token with Challenge 32\n",
+ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32, TOKEN_SIZE, PSA_SUCCESS
+},
+
+{"Test psa_initial_attestation_get_token with Challenge 48\n",
+ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48, TOKEN_SIZE, PSA_SUCCESS
+},
+
+{"Test psa_initial_attestation_get_token with Challenge 64\n",
+ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64, TOKEN_SIZE, PSA_SUCCESS
+},
+
+{"Test psa_initial_attestation_get_token with zero challenge size\n",
+ 0, 0, TOKEN_SIZE, PSA_ATTEST_ERR_INVALID_INPUT
+},
+
+{"Test psa_initial_attestation_get_token with small challenge size\n",
+ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32-1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32-1,
+ TOKEN_SIZE, PSA_ATTEST_ERR_INVALID_INPUT
+},
+
+{"Test psa_initial_attestation_get_token with invalid challenge size\n",
+ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32+1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32+1,
+ TOKEN_SIZE, PSA_ATTEST_ERR_INVALID_INPUT
+},
+
+{"Test psa_initial_attestation_get_token with large challenge size\n",
+ MAX_CHALLENGE_SIZE+1,  MAX_CHALLENGE_SIZE+1, TOKEN_SIZE, PSA_ATTEST_ERR_INVALID_INPUT
+},
+
+{"Test psa_initial_attestation_get_token with zero as token size\n",
+ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32-1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32,
+ 0, PSA_ATTEST_ERR_INVALID_INPUT
+},
+
+{"Test psa_initial_attestation_get_token with small token size\n",
+ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32-1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32,
+ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32-1, PSA_ATTEST_ERR_TOKEN_BUFFER_OVERFLOW
+},
+};
+
+static test_data check2[] = {
+{"Test psa_initial_attestation_get_token_size with Challenge 32\n",
+ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32, TOKEN_SIZE, PSA_SUCCESS
+},
+
+{"Test psa_initial_attestation_get_token_size with Challenge 48\n",
+ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_48, TOKEN_SIZE, PSA_SUCCESS
+},
+
+{"Test psa_initial_attestation_get_token_size with Challenge 64\n",
+ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_64, TOKEN_SIZE, PSA_SUCCESS
+},
+
+{"Test psa_initial_attestation_get_token_size with zero challenge size\n",
+ 0, 0,
+ TOKEN_SIZE, PSA_ATTEST_ERR_INVALID_INPUT
+},
+
+{"Test psa_initial_attestation_get_token_size with small challenge size\n",
+ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32-1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32-1,
+ TOKEN_SIZE, PSA_ATTEST_ERR_INVALID_INPUT
+},
+
+{"Test psa_initial_attestation_get_token_size with invalid challenge size\n",
+ PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32+1, PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32+1,
+ TOKEN_SIZE, PSA_ATTEST_ERR_INVALID_INPUT
+},
+
+{"Test psa_initial_attestation_get_token_size with large challenge size\n",
+ MAX_CHALLENGE_SIZE+1,  MAX_CHALLENGE_SIZE+1,
+ TOKEN_SIZE, PSA_ATTEST_ERR_INVALID_INPUT
+},
+};

components/TARGET_PSA/TESTS/compliance_attestation/test_a001/test_entry.c

@@ -0,0 +1,52 @@
+/** @file
+ * Copyright (c) 2019, Arm Limited or its affiliates. All rights reserved.
+ * SPDX-License-Identifier : Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+**/
+
+#include "val_interfaces.h"
+#include "val_target.h"
+#include "test_a001.h"
+
+#define TEST_NUM  VAL_CREATE_TEST_ID(VAL_INITIAL_ATTESTATION_BASE, 1)
+#define TEST_DESC "Testing initial attestation APIs\n"
+TEST_PUBLISH(TEST_NUM, test_entry);
+val_api_t *val = NULL;
+psa_api_t *psa = NULL;
+
+void test_entry(val_api_t *val_api, psa_api_t *psa_api)
+{
+    int32_t   status = VAL_STATUS_SUCCESS;
+
+    val = val_api;
+    psa = psa_api;
+
+    /* test init */
+    val->test_init(TEST_NUM, TEST_DESC, TEST_FIELD(TEST_ISOLATION_L1, WD_HIGH_TIMEOUT));
+    if (!IS_TEST_START(val->get_status()))
+    {
+        goto test_exit;
+    }
+
+    /* Execute list of tests available in test[num]_attestation_list from Non-secure side*/
+    status = val->execute_non_secure_tests(TEST_NUM, test_a001_attestation_list, FALSE);
+
+    if (VAL_ERROR(status))
+    {
+        goto test_exit;
+    }
+
+test_exit:
+    val->test_exit();
+}