Commit graph

630 Commits

Author SHA1 Message Date
Christopher Weimer 001c5da1e4 Separate the task allocation and start operations into separate calls.
This allows applications greater control over when and how FreeRTOS tasks are created and executed.  It's now possible to allocate the memory for the task without having it also start to execute.
2024-07-09 18:16:46 +00:00
Christopher Weimer b4d4a717f8 Switch to new authorized command handling and remove legacy handlers.
This is the final piece rearchitecting the authorized command handling and config reset flows.  It decouples the command handling from the types of operations that can be executed after authorization, allowing easy extension to any platform-specific workflows.  Without the direct dependency on config_reset APIs, intrusion reset is also decoupled from resetting other configuration in the system.
2024-07-08 16:33:33 +00:00
Christopher Weimer f3800a90c9 Create authorized execution contexts for existing authorized commands.
- Execution handler for all configuration reset calls.  This excludes intrusion reset, since that will ultimately be pulled out of config_reset.
- Execution handler for resetting intrusion state via the intrusion manager.
- Update config_reset to support static/const initialization.
2024-07-03 00:12:58 +00:00
Anton Rakovchuk eabca51439 Merged PR 3752: Report SPDM as supported message type for MCTP protocol
Report SPDM as supported message type for MCTP protocol
2024-06-27 19:01:34 +00:00
Anton Rakovchuk 253d548a9d Merged PR 3726: SPDM_CHALLENGE message
SPDM_CHALLENGE message
2024-06-26 21:05:21 +00:00
Christopher Weimer 7c575d5a85 Create the framework for executing arbitrary authorized commands.
Update to the background command handler to support executing arbitrary commands that have been securely authorized.  This is the first step of this refactoring to provide the hooks for this handling.  A subsequent update will provide execution contexts for the current commands and update the command processing to use these new interfaces.
2024-06-12 20:06:45 +00:00
Gandhimathi Anand d205a2c03f Merged PR 3686: New API for set device size less than 16MB without SFDP.
New API for set device size less than 16MB without SFDP.

Related work items: #4064
2024-06-06 18:25:20 +00:00
Ashvinkumar Parmar 4181f24aa4 Merged PR 3663: [Cerberus-core]: Integrate uncrustify on onefleet pipeline
Add uncrustify in onefleet pipeline

Related work items: #3970
2024-06-06 14:44:29 +00:00
Christopher Weimer 7b3fa88e2f Create a message transport for handling MCTP VDM encapsulation.
This will handle any type of vendor defined, and it may or may not be a necessary layer of the protocol stack depending on how the vendor protocol is constructed.

As part of this update, commonalities between all these intermediate layers of the protocol stack have been factored out into a new type that each of the MCTP message transports inherits.
2024-06-05 17:15:22 +00:00
Umar Farooq Kolimi 7d6b98f566 Merged PR 3648: Added mock test API and updated the little endian sign spdm 1.2 unit test.
Added the necessary test mocks and rerun the Valgrind tests with these changes, ensuring they pass successfully.

Related work items: #4033
2024-06-05 04:08:46 +00:00
Long Wei 8414366879 Merged PR 3356: Check intrusion state before resetting intrusion
- Check intrusion state before resetting intrusion
- Modify intrusion_manager_test correspondingly.

Related work items: #3906
2024-06-04 23:42:05 +00:00
Christopher Weimer 344427deb5 Updates to command authorization handling.
This is the first part of several steps to support impactless vs. impactful detection in the FW update process.

The existing command authorization handling is not easily scalable to support different numbers and types of authorization handlers.  Every new authenticated command would need an explicit API added to the interface for handling and the init call would get extended.  This would also require a more complicated integration if certain platforms had authenticated commands that didn't exist on others.  The command authorization has been updated to remove these inefficiencies by providing a single API that would work for any arbitrary command.  The supported commands and identifiers for these commands are configured per-platform at init time.  The existing APIs for specific commands have been left for now, but may be removed in the future.

In addition, the command authorization handler was updated to support static and const instances.  This change had the ripple effect of requiring updates to the authorization contexts as well.  These were equally updated to support static and const instances.

Authorization using a challenge token was even further updated, since the current implementation is limited to using SHA-256 hashes for token signing and verifying.  To provide flexibility to support any combination of keys and hashes, the challenge handler was updated to use the auth_token type for token management.  This makes challenge authorization not much more than an adaptor between the authorization and auth_token APIs.
2024-06-04 23:08:38 +00:00
Christopher Weimer 845e1a7495 Update MCTP interface to only include Cerberus handler for response processing.
With the removal of all error handling from the MCTP layer, the Cerberus handler is only needed for the deprecated response processing, just like MCTP control and SPDM.
2024-06-04 17:33:03 +00:00
Rob Unoki 218738cab3 Merged PR 3611: Fixes and improvements for debug log tests
Fixes and improvements for debug log tests
- Properly clear debug_timestamp and debug_log on release
- Don't assert on first error encountered on release
- Rename init and release functions with standard naming convention.
2024-06-04 00:20:31 +00:00
Anton Rakovchuk 850822f791 Merged PR 3665: Few fixes for in session SPDM message handling
Logan has discovered and made some fixes for SPDM responder. This PR summarizes all of them making even more validation tests to pass.
2024-06-03 20:14:45 +00:00
Christopher Weimer e9703b7c82 Create a message transport for handling MCTP message encapsulation.
This defines an intermediate msg_transport implementation to handle the MCTP message layer of the protocol stack.  It's designed to handle MCTP messages of a single type.  If multiple different types of messages need to be handled, multiple different msg_transport instances would need to be instantiated.
2024-06-01 21:18:36 +00:00
Christopher Weimer a972c94aea Fix several issues with RSA ephemeral key generation
- Unit test suite was wrong in many ways.  Most critically, the mock was never actually getting validated.  This masked all the construction issues with the tests.
- Fixed Valgrind issues.
- Removed the compile checks on RSA private key support being enabled.  This module doesn't make sense if RSA private keys are not supported, so it would be better to have a compile-time failure.
- Fixed argument naming consistency across API, mock, and implementation definitions.
- Cleaned up a bunch of comments.
2024-06-01 20:34:57 +00:00
Krutik Amin dbd356af83 Merged PR 3271: Added ephemeral key generation
Added ephemeral key generation support

- Added ephemeral key generation support
- Added ephemeral key generation rsa support
- Added ephemeral key generation mock support

Related work items: #3929
2024-05-30 05:28:10 +00:00
Vishal Mhatre f04fc7dd70 Merged PR 3617: Consolidating error reporting
This change consolidates error encoding at a single place for each SPDM Responder processor function.

Related work items: #4037
2024-05-29 18:11:41 +00:00
Anton Rakovchuk 80d9796538 Merged PR 3595: SPDM fixes for conformance verification with SPDM device validator
SPDM fixes for conformance verification
2024-05-29 01:15:06 +00:00
Christopher Weimer e678ef72c0 Update attestation to request a single certificate at a time from a device.
Requesting the entire certificate chain and building it in dynamically allocated memory is not scalable to arbitrary certificate chain lengths.  The certificate chain processing has been updated to only get one certificate at a time from the device and authenticate it, starting from the root CA.  As each certificate is validated, the trust anchor of the chain is moved.  This ensures there are no more than two certificates in memory any given time.  It does have the side effect of no longer enforcing path length constraints on CA certificates.

This change was applied to both Cerberus and SPDM based attestation.  In addition, most situations will completely rely on the static message buffer for certificate storage, removing dynamic allocation out of the request path.  Overall, this approach may be slightly less performant, especially for SPDM, but is much more efficient in terms of memory usage.
2024-05-28 19:41:33 +00:00
Christopher Weimer bdde7dd250 Update the X.509 API to allow an intermediate CA to act as a trust anchor for a cert chain.
Additional test keys and certs have been created to support this new workflow:
- A new ECC-521 key pair
- End entity certificates that chain through an ICA to the root

The X.509 test suite was also generally updated for the authenticate tests to remove random ECC key generation in favor of using pre-determined ECC test keys.  The old tests were actually leaking the ECC engine, so changing this code also fixed that issue.
2024-05-28 18:52:49 +00:00
Rajesh Bhagat 50909097d2 Merged PR 3328: Add new attestation states for attestation requester
Add new attestation states for attestation requester

 1. DEVICE_MANAGER_ATTESTATION_INTERRUPED
 2. DEVICE_MANAGER_ATTESTATION_INVALID_VERSION
 3. DEVICE_MANAGER_ATTESTATION_INVALID_CAPS
 4. DEVICE_MANAGER_ATTESTATION_INVALID_ALGORITHM
 5. DEVICE_MANAGER_ATTESTATION_INVALID_DIGESTS
 6. DEVICE_MANAGER_ATTESTATION_INVALID_CERTS
 7. DEVICE_MANAGER_ATTESTATION_INVALID_CHALLENEGE
 8. DEVICE_MANAGER_ATTESTATION_INVALID_MEASUREMENT
 9. DEVICE_MANAGER_ATTESTATION_MEASUREMENT_MISMATCH
10. DEVICE_MANAGER_ATTESTATION_UNTRUSTED_CERTS
11. DEVICE_MANAGER_ATTESTATION_INVALID_RESPONSE
12. DEVICE_MANAGER_AUTHENTICATED_WITH_TIMEOUT

The above attestation states help to clearly identify the errors and take appropriate actions.

Related work items: #3895
2024-05-27 07:16:34 +00:00
Anton Rakovchuk a18a894abf Merged PR 3623: Fix unit test for valgrind issue
Unit test was not initializing stack allocated struct
2024-05-25 22:58:20 +00:00
Maheshkumar Prajapati cf669f243a Merged PR 3415: [Recovery] Created separate file init_cmd for recovery
separate command interface system for recovery

Related work items: #3947
2024-05-25 00:07:18 +00:00
Paul Rhea 112d1c822c Merged PR 3616: resolve Valgrind failure in pipeline
resolve Valgrind failure in pipeline

Related work items: #4028
2024-05-23 17:40:14 +00:00
Christopher Weimer 908f7577ac Enable FIPS-compatible ECDSA sign/verify for ECC hardware implementations.
Add general support for enabling ECDSA usage directly with ecc_hw instances in a FIPS compliant way.  Only direct interfacing with ECC HW is part of this update.  FIPS compliant usage for the ECC API will come later.

- Provide ECDSA sign functions that interact directly with an ecc_hw instance and bundle together the hash and sign operations of ECDSA.  This function takes an optional RNG instance, providing the ability to override random 'k' generation during signing.
- Provide ECDSA verify functions that interact directly with an ecc_hw instance and bundle together the hash and verify operations of ECDSA.
- Update the ecc_hw sign API to take an optional RNG to use for 'k' generation.
- Build known answer tests for ECDSA sign/verify ECC HW wrapper functions.
- Update the ECC API implementation using ecc_hw to take an RNG instance for use with signing calls.  This is meant to accommodate ECC HW implementations that don't have a default RNG to use when one isn't provided.
2024-05-23 17:33:12 +00:00
Thiyagu Selvam 3522a13dde Merged PR 3602: [feature] Updated the IDE driver interface
This change includes:
 - Add new error codes to differentiate key set go failure for rx and tx direction.
 - Update the AES key definitions with MACRO instead of hardcoded values.

Related work items: #4010
2024-05-23 16:25:08 +00:00
Christopher Weimer eec92a3052 Refactor hash self-tests to optimize execution.
It's not always necessary to test all the different ways of interfacing with the hash engine, since data management is not part of the algorithm.  For hash self-tests, separate the two different calculation mechanisms into separate self-tests so that both don't always get run for any given algorithm.  For HMAC self-tests, remove the start/update/finish set of HMAC calls, as this is redundant.
2024-05-23 01:22:23 +00:00
Ashvinkumar Parmar cf70eca74e Merged PR 3286: Run uncrustify on cerberus-core repo
Run uncrustify on cerberus-core repo

Uncrustify configuration file run from the cerberus-core root directory.
Uncrustify formatting was run on cerberus-core except for the directories below:

external\
projects\
cmake\

Related work items: #3970
2024-05-16 05:19:56 +00:00
Anton Rakovchuk f0af127d5f Merged PR 3567: Fix build break caused by SPDM changes
Fix build break caused by SPDM changes
2024-05-15 01:23:08 +00:00
Vishal Mhatre e9f7c86ce7 Merged PR 3516: [feat] SPDM FINISH + END_SESSION request processing
This change contains the implementation of the FINISH + END_SESSION request processing for the SPDM responder.

Related work items: #3414, #3415
2024-05-14 02:19:29 +00:00
Christopher Weimer 9ceec7d89f Move error and response generation out of the MCTP transport layer.
This is the final step to remove details from other protocols out of the MCTP transport handling.  Rather than generating Cerberus status responses based on errors or lack of payload, this step is handled by the Cerberus protocol handlers.

This also moves error logging for Cerberus messages out of the MCTP layer.  The error message that is logged now contains more relevant details about the failure, such as command code being executed.

Currently both MSFT VDM and Cerberus handlers have this functionality, but this is likely a temporary state until the Cerberus protocol handler is better integrated with Cerberus command handling.
2024-05-13 18:40:06 +00:00
Anjali Verma 2ec360a997 Merged PR 3161: Update to make spdm script common for all components
Update to make spdm script common for all components

    - Add parameter to take the component name as input and use it for naming the output xml files
    - Add parameter to take the signed status as input

Related work items: #3292
2024-05-09 05:36:38 +00:00
Paul Rhea 58d1a086c6 Merged PR 3264: SPDM 1.0 support for review
SPDM 1.0 support for review

Related work items: #3740
2024-05-09 04:37:51 +00:00
Rajib Dutta 274dcd9ebf Merged PR 3525: [Build Fix] Fixing hash_type params to point to the right enum value.
[Build Fix] Fixing hash_type params to point to the right enum value.
2024-05-07 22:46:28 +00:00
Christopher Weimer 2198c45cbe Implement RFC6979 for deterministic ECDSA signature generation. 2024-05-06 23:36:40 +00:00
Anton Rakovchuk 489cc3d832 Merged PR 3504: Make session manager optional for SPDM responder
Make session manager optional for SPDM responder
2024-05-05 09:02:44 +00:00
Anton Rakovchuk 7d24a87bb5 Merged PR 3502: Fix some build issues
Fix some build issues
2024-05-04 02:52:16 +00:00
Vishal Mhatre 2d92ea03db Merged PR 3426: [feat] SPDM KEY_EXCHANGE request processing
This change contains the implementation of the KEY_EXCHANGE request processing for the SPDM responder.

Related work items: #3409
2024-05-03 18:56:42 +00:00
Christopher Weimer f7e93972a8 Updates for additional ECC hardware functionality.
- Add a function to check for an empty buffer.  This is useful when generating ECDSA signatures that need to check for a 0 value.
- Additional error codes for ECC hardware implementations.
2024-05-02 21:06:04 +00:00
Vishal Mhatre 5a4b46a168 Merged PR 3460: [feat] TDISP GET_DEVICE_INTERFACE_REPORT and STOP_INTERFACE request handling
This change contains processing of the GET_DEVICE_INTERFACE_REPORT and STOP_INTERFACE request.

Related work items: #3601, #3604
2024-04-27 02:43:19 +00:00
Christopher Weimer a319f31a23 Minor formatting fix to hash KAT file. 2024-04-25 23:49:54 +00:00
Vishal Mhatre 9284898e1a Merged PR 3448: [feat] TDISP START_INTERFACE request handling
This change contains processing of the START_INTERFACE request.

Related work items: #3600
2024-04-24 20:05:55 +00:00
Christopher Weimer 9504c3c151 Refactor hash and KDF self-tests for better isolation.
To isolate KAT tests and vectors from targets that don't need them, move the SHA, HMAC, and KDF self-tests to separate files from the main APIs.

This is just moving functions from one file to another.  No contents have been changed from what was there previously.
2024-04-22 22:01:43 +00:00
Vishal Mhatre cdf3d0da23 Merged PR 3316: [feat] TDISP GET_DEVICE_INTERFACE_STATE request handling
This change contains processing of the GET_DEVICE_INTERFACE_STATE request.

Related work items: #3599
2024-04-19 15:59:35 +00:00
Cristian Pop d4da2b4a9a Merged PR 3394: Build fix if FIRMWARE_UPDATE_DISABLE_SELF_RESET is defined.
Build fix if FIRMWARE_UPDATE_DISABLE_SELF_RESET is defined.
2024-04-17 19:41:00 +00:00
Sriram Prasad Sahoo 5409b95717 Merged PR 3170: Add support for infineon OSPI flash
Add support for infineon OSPI flash

Related work items: #3074
2024-04-17 16:22:24 +00:00
Christopher Weimer c86e8969b3 Create known answer tests for SHA, HMAC, and KDF.
FIPS requires known answer tests to be executed at run-time before using any crypto instantiation.  Self tests have been created for the hash API, HMAC, and KDFs that can be executed to satisfy run-time FIPS requirements.

Additionally, there have been optimizations and updates to the HMAC and KDF implementations and test suites.

Updated the 'to_array.sh' script to align with current array initializer formatting.
2024-04-16 18:29:57 +00:00
Atul Shah acc7661f0f Merged PR 3416: TODO for better error handling when attempting to load key from keystore
Added a TODO for better error handling when attempting to load key from keystore

Related work items: #3927
2024-04-16 17:18:05 +00:00