Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add identity key support for PSA attestation #8188

Merged
merged 5 commits into from
Sep 7, 2022
Merged

Add identity key support for PSA attestation #8188

merged 5 commits into from
Sep 7, 2022

Conversation

frkv
Copy link
Contributor

@frkv frkv commented Jul 14, 2022
edited by Vge0rge
Loading

-Adds library for identity key services making use of nrf_cc3xx_platform APIs
that encrypts/decrypts an asymmetric key using MKEK.
-Adds support for key retrieval in TF-M images

ref: NCSDK-14121
ref: NCSDK-12235

Signed-off-by: Frank Audun Kvamtrø frank.kvamtro@nordicsemi.no

test-sdk-nrf: sdk-nrf-PR-8188

@frkv frkv added the DNM label Jul 14, 2022
@frkv frkv requested review from joerchan and Vge0rge July 14, 2022 17:08
@github-actions github-actions bot added changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. doc-required PR must not be merged without tech writer approval. labels Jul 14, 2022
@frkv frkv requested a review from torsteingrindvik July 14, 2022 17:08
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Jul 14, 2022
edited
Loading

Integration test specification

Test Module File based changes Manually selected West overwrite
test-fw-nrfconnect-chip X
test-fw-nrfconnect-nrf_crypto X
test-fw-nrfconnect-tfm X

Detailed information of selected test modules

Note: This message is automatically posted and updated by the CI

@Vge0rge Vge0rge force-pushed the tf-m-attestation branch from 1d0be32 to 2caaa69 Compare July 20, 2022 12:04
joerchan
joerchan reviewed Jul 21, 2022
View reviewed changes
modules/tfm/tfm/boards/common/crypto_keys.c Outdated Show resolved Hide resolved
samples/keys/identity_key_usage/src/main.c Outdated Show resolved Hide resolved
samples/keys/identity_key_usage/src/main.c Outdated Show resolved Hide resolved
samples/keys/identity_key_usage/sample.yaml Outdated Show resolved Hide resolved
samples/keys/identity_key_usage/README.rst Outdated Show resolved Hide resolved
lib/identity_key/hw_unique_key_internal.h Outdated Show resolved Hide resolved
@Vge0rge Vge0rge force-pushed the tf-m-attestation branch from 2caaa69 to 3e34de3 Compare July 21, 2022 20:38
@Vge0rge Vge0rge changed the title DNM: Add identity key support for PSA attestation Add identity key support for PSA attestation Jul 21, 2022
@Vge0rge Vge0rge force-pushed the tf-m-attestation branch 11 times, most recently from 10a3b25 to c3ba52e Compare July 28, 2022 10:41
@Vge0rge Vge0rge force-pushed the tf-m-attestation branch 3 times, most recently from 0bf379c to 77f70c9 Compare September 1, 2022 12:55
@Vge0rge Vge0rge force-pushed the tf-m-attestation branch 6 times, most recently from b5f78a1 to a305189 Compare September 1, 2022 20:59
@Vge0rge Vge0rge requested a review from mia-ko September 1, 2022 21:41
mia-ko
mia-ko requested changes Sep 2, 2022
View reviewed changes
samples/keys/identity_key_usage/prj.conf Outdated Show resolved Hide resolved
doc/nrf/libraries/others/identity_key.rst Outdated Show resolved Hide resolved
doc/nrf/libraries/others/identity_key.rst Outdated Show resolved Hide resolved
doc/nrf/libraries/others/identity_key.rst Outdated Show resolved Hide resolved
doc/nrf/libraries/others/identity_key.rst Outdated Show resolved Hide resolved
samples/keys/identity_key_generation/README.rst Outdated Show resolved Hide resolved
samples/keys/identity_key_generation/README.rst Outdated Show resolved Hide resolved
samples/keys/identity_key_usage/README.rst Outdated Show resolved Hide resolved
samples/keys/identity_key_usage/README.rst Outdated Show resolved Hide resolved
samples/keys/identity_key_usage/README.rst Outdated Show resolved Hide resolved
@Vge0rge Vge0rge force-pushed the tf-m-attestation branch 2 times, most recently from 3a0f3b6 to 0f47289 Compare September 2, 2022 09:04
frkv and others added 5 commits September 2, 2022 14:54
@frkv @Vge0rge
library: Adding identity key subsystem
aada2f5 
-Adds library for storing and retrieving an identity key
-This uses the hw_unique_key library to ensure that HUK keys
 are generated or written to the device.

ref: NCSDK-14121

Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
@frkv @Vge0rge
samples: Add identity key generation sample
cccfbcc 
-Sample showcasing writing an identity key to the reserved
 KMU slot. The key will be encrypted using the MKEK key.

ref: NCSDK-14121

Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
@frkv @Vge0rge
samples: Add identity key usage example
f3abe1d 
-This uses reads the identity key in the reserved slot in KMU,
 decrypts it and loads it into PSA Crypto key storage.
 Afterwards the key is used to sign a message.

ref: NCSDK-14121

Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
@frkv @Vge0rge
TF-M: Adding support for Attestation Key
0116468 
-Add usage of nrf_cc3xx_platform_identity_key_retrieve function to
 allow decrypting the key from its reserved KMU slot.
-This usage expects the Attestation Key to be placed in this location
 prior to usage

ref: NCSDK-12235

Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
@torsteingrindvik @Vge0rge
samples: Identity key generation specific key build config
4ed230f 
The identity key generation sample by default creates a random key.
The TFM regression tests rely on a specific key.

Add an extra sample configuration which generates this specific key,
such that it is possible to run this before the regression tests.

ref: NCSDK-14121

Signed-off-by: Torstein Grindvik <torstein.grindvik@nordicsemi.no>
Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
@greg-fer greg-fer mentioned this pull request Sep 6, 2022
Merged
14 tasks
@frkv frkv removed the DNM label Sep 7, 2022
@rlubos
Copy link
Contributor

rlubos commented Sep 7, 2022

As per offline discussion, I was told this PR was agreed to be merged post RC1.

@rlubos rlubos merged commit dfebe5c into nrfconnect:main Sep 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@torsteingrindvik torsteingrindvik torsteingrindvik left review comments

@Vge0rge Vge0rge Vge0rge approved these changes

@joerchan joerchan joerchan left review comments

@jorgenmk jorgenmk jorgenmk left review comments

@mia-ko mia-ko mia-ko approved these changes

@SebastianBoe SebastianBoe SebastianBoe approved these changes

@anangl anangl Awaiting requested review from anangl

@rlubos rlubos Awaiting requested review from rlubos

@carlescufi carlescufi Awaiting requested review from carlescufi

@tejlmand tejlmand Awaiting requested review from tejlmand

@b-gent b-gent Awaiting requested review from b-gent

Assignees
No one assigned
Labels
doc-required PR must not be merged without tech writer approval.
Projects
None yet
Milestone
2.1.0
Development

Successfully merging this pull request may close these issues.
10 participants
@frkv @NordicBuilder @umapraseeda @rlubos @jorgenmk @SebastianBoe @joerchan @Vge0rge @torsteingrindvik @mia-ko