diff --git a/applications/freertos_iot_libraries_tests/main.c b/applications/freertos_iot_libraries_tests/main.c index 2e5d6d9..2afc820 100644 --- a/applications/freertos_iot_libraries_tests/main.c +++ b/applications/freertos_iot_libraries_tests/main.c @@ -160,25 +160,36 @@ int main( void ) mbedtls_platform_mutex_lock, mbedtls_platform_mutex_unlock ); - xRetVal = vDevModeKeyProvisioning(); - - if( xRetVal != CKR_OK ) - { - LogError( ( "Device key provisioning failed [%d]\n", xRetVal ) ); - LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) ); - return EXIT_FAILURE; - } - else + if( uxIsDeviceProvisioned() == false ) { + UBaseType_t uxReturnValue = vDevModeKeyProvisioning(); + + if( uxReturnValue != CKR_OK ) + { + LogError( ( "Device key provisioning failed [%d]\n", uxReturnValue ) ); + LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) ); + return EXIT_FAILURE; + } + LogInfo( ( "Device key provisioning succeeded \n" ) ); - status = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 ); - if( status != PSA_SUCCESS ) + /* FIXME: Magic value */ + psa_status_t uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 ); + + if( uxStatus != PSA_SUCCESS ) { - LogError( ( "OTA signing key provision failed [%d]\n", status ) ); + LogError( ( "OTA signing key provision failed [%d]\n", uxStatus ) ); + return EXIT_FAILURE; + } + else + { + LogInfo( ( "OTA signing key provisioning succeeded \n" ) ); } - LogInfo( ( "OTA signing key provisioning succeeded \n" ) ); + if( xWriteDeviceProvisioned() != PSA_SUCCESS ) + { + return EXIT_FAILURE; + } } status = network_startup(); diff --git a/applications/helpers/provisioning/dev_mode_key_provisioning.c b/applications/helpers/provisioning/dev_mode_key_provisioning.c index dee8f45..43d4be0 100644 --- a/applications/helpers/provisioning/dev_mode_key_provisioning.c +++ b/applications/helpers/provisioning/dev_mode_key_provisioning.c 
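Review bot: `xOTACodeVerifyKeyHandle` is now assigned only inside the `if( uxIsDeviceProvisioned() == false )` branch, so on every boot after the first the call `xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 )` is skipped and the handle keeps whatever initial value it had. If OTA signature verification reads that handle (not visible in this hunk), an already-provisioned device would verify images against an invalid key handle. The provisioned path probably needs an `else` branch that opens the stored code-signing key and fills in the handle, or the handle should become a fixed persistent key id. The same applies to the main.c hunks of keyword_detection, object_detection and speech_recognition. main() starts and continues outside the hunk.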
@@ -67,6 +67,9 @@ #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" +/* TF-M ITS include */ +#include "psa/internal_trusted_storage.h" + /* Default FreeRTOS API for console logging. */ #define DEV_MODE_KEY_PROVISIONING_PRINT( X ) printf @@ -91,6 +94,9 @@ extern void vLoggingPrint( const char * pcFormat ); #define DER_FORMAT_BUFFER_LENGTH 512 +#define FIRST_BOOT_ITS_UID ( 1U ) +#define BOOT_PATTERN ( 0x55 ) + /* Adding one to all of the lengths because ASN1 may pad a leading 0 byte * to numbers that could be interpreted as negative */ typedef struct RsaParams_t @@ -1443,4 +1449,39 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle, return result; } +UBaseType_t uxIsDeviceProvisioned( void ) +{ + psa_status_t status = PSA_ERROR_GENERIC_ERROR; + const psa_storage_uid_t uid = FIRST_BOOT_ITS_UID; + uint8_t boot_pattern_in_its = 0; + size_t read_data_length = 0; + + status = psa_its_get( uid, 0, 1, &boot_pattern_in_its, + &read_data_length ); + + if( status != PSA_SUCCESS ) + { + return 0; + } + + if( boot_pattern_in_its == BOOT_PATTERN ) + { + return 1; + } + else + { + return 0; + } +} + +psa_status_t xWriteDeviceProvisioned( void ) +{ + const psa_storage_uid_t uid = FIRST_BOOT_ITS_UID; + const psa_storage_create_flags_t flags = PSA_STORAGE_FLAG_WRITE_ONCE; + uint8_t first_boot_pattern = BOOT_PATTERN; + + /* Write the pattern to ITS */ + return psa_its_set( uid, 1, &first_boot_pattern, flags ); +} + /*-----------------------------------------------------------*/ diff --git a/applications/helpers/provisioning/dev_mode_key_provisioning.h b/applications/helpers/provisioning/dev_mode_key_provisioning.h index 5342675..ddacedd 100644 --- a/applications/helpers/provisioning/dev_mode_key_provisioning.h +++ b/applications/helpers/provisioning/dev_mode_key_provisioning.h 
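Review bot: In the last hunk, `uxIsDeviceProvisioned()` returns 0 for every `psa_its_get` failure, so a storage error is indistinguishable from a device that was never provisioned and sends the caller back into `vDevModeKeyProvisioning()`. Because the marker is written with `PSA_STORAGE_FLAG_WRITE_ONCE`, the following `xWriteDeviceProvisioned()` on such a device would presumably be rejected (`PSA_ERROR_NOT_PERMITTED`), but only after the keys have been provisioned again. I would treat only `status == PSA_ERROR_DOES_NOT_EXIST` as "not provisioned", log any other status, and reject short reads with `if( read_data_length != 1 ) { return 0; }` before comparing against `BOOT_PATTERN`. It is also worth confirming that `FIRST_BOOT_ITS_UID ( 1U )` cannot collide with another ITS user in the same partition, since nothing visible here reserves that uid.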
@@ -247,4 +247,8 @@ CK_RV xDestroyProvidedObjects( CK_SESSION_HANDLE xSession, */ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle, size_t keyBits ); + +UBaseType_t uxIsDeviceProvisioned( void ); +psa_status_t xWriteDeviceProvisioned( void ); + #endif /* _AWS_DEV_MODE_KEY_PROVISIONING_H_ */ diff --git a/applications/keyword_detection/main.c b/applications/keyword_detection/main.c index 44b4237..dc17b92 100644 --- a/applications/keyword_detection/main.c +++ b/applications/keyword_detection/main.c 
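Review bot: The two new prototypes have no documentation, while the declaration directly above them is preceded by a comment block, so the header no longer states the contract of everything it exports. I would add `/** @brief Returns non-zero when the provisioning marker is present in ITS, zero otherwise (including on read errors). */` above `uxIsDeviceProvisioned` and `/** @brief Stores the write-once provisioning marker in ITS; returns the psa_its_set() status. */` above `xWriteDeviceProvisioned`. Since callers compare the first function against `false`, a `bool` return type would state the intent more clearly than `UBaseType_t`.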
@@ -183,25 +183,37 @@ int main( void ) } #endif - UBaseType_t xRetVal = vDevModeKeyProvisioning(); - - if( xRetVal != CKR_OK ) + if( uxIsDeviceProvisioned() == false ) { - LogError( ( "Device key provisioning failed [%d]\n", xRetVal ) ); - LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) ); - return EXIT_FAILURE; - } + UBaseType_t uxReturnValue = vDevModeKeyProvisioning(); - LogInfo( ( "Device key provisioning succeeded \n" ) ); + if( uxReturnValue != CKR_OK ) + { + LogError( ( "Device key provisioning failed [%d]\n", uxReturnValue ) ); + LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) ); + return EXIT_FAILURE; + } - status = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 ); + LogInfo( ( "Device key provisioning succeeded \n" ) ); - if( status != PSA_SUCCESS ) - { - LogError( ( "OTA signing key provision failed [%d]\n", status ) ); - } + /* FIXME: Magic value */ + psa_status_t uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 ); + + if( uxStatus != PSA_SUCCESS ) + { + LogError( ( "OTA signing key provision failed [%d]\n", uxStatus ) ); + return EXIT_FAILURE; + } + else + { + LogInfo( ( "OTA signing key provisioning succeeded \n" ) ); + } - LogInfo( ( "OTA signing key provisioning succeeded \n" ) ); + if( xWriteDeviceProvisioned() != PSA_SUCCESS ) + { + return EXIT_FAILURE; + } + } /* The next initializations are done as a part of the main */ /* function as these resources are shared between tasks */ diff --git a/applications/object_detection/main.c b/applications/object_detection/main.c index 8fb5595..34c4909 100644 --- a/applications/object_detection/main.c +++ b/applications/object_detection/main.c 
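Review bot: The `xWriteDeviceProvisioned() != PSA_SUCCESS` branch returns `EXIT_FAILURE` without logging anything, unlike the two provisioning failures above it, so a device that stops here gives no indication that the marker write was the cause or which PSA status it returned. Capturing the status and logging it keeps the three failure paths consistent: `psa_status_t xMarkStatus = xWriteDeviceProvisioned();` followed by `if( xMarkStatus != PSA_SUCCESS ) { LogError( ( "Writing provisioned marker failed [%d]\n", xMarkStatus ) ); return EXIT_FAILURE; }`. The same silent return appears in the main.c hunks of freertos_iot_libraries_tests, object_detection and speech_recognition. main() starts and continues outside the hunk.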
@@ -171,26 +171,37 @@ int main( void ) } #endif - UBaseType_t xReturnValue = vDevModeKeyProvisioning(); - - if( xReturnValue != CKR_OK ) + if( uxIsDeviceProvisioned() == false ) { - LogError( ( "Device key provisioning failed [%d]\n", xReturnValue ) ); - LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) ); - return EXIT_FAILURE; - } + UBaseType_t uxReturnValue = vDevModeKeyProvisioning(); - LogInfo( ( "Device key provisioning succeeded \n" ) ); + if( uxReturnValue != CKR_OK ) + { + LogError( ( "Device key provisioning failed [%d]\n", uxReturnValue ) ); + LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) ); + return EXIT_FAILURE; + } - /* FIXME: Magic value */ - uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 ); + LogInfo( ( "Device key provisioning succeeded \n" ) ); - if( uxStatus != PSA_SUCCESS ) - { - LogError( ( "OTA signing key provision failed [%d]\n", uxStatus ) ); - } + /* FIXME: Magic value */ + uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 ); + + if( uxStatus != PSA_SUCCESS ) + { + LogError( ( "OTA signing key provision failed [%d]\n", uxStatus ) ); + return EXIT_FAILURE; + } + else + { + LogInfo( ( "OTA signing key provisioning succeeded \n" ) ); + } - LogInfo( ( "OTA signing key provisioning succeeded \n" ) ); + if( xWriteDeviceProvisioned() != PSA_SUCCESS ) + { + return EXIT_FAILURE; + } + } /* The next initializations are done as a part of the main */ /* function as these resources are shared between tasks */ diff --git a/applications/speech_recognition/main.c b/applications/speech_recognition/main.c index f3325a7..52629ab 100644 --- a/applications/speech_recognition/main.c +++ b/applications/speech_recognition/main.c 
@@ -182,25 +182,37 @@ int main( void ) } #endif - UBaseType_t xRetVal = vDevModeKeyProvisioning(); - - if( xRetVal != CKR_OK ) + if( uxIsDeviceProvisioned() == false ) { - LogError( ( "Device key provisioning failed [%d]\n", xRetVal ) ); - LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) ); - return EXIT_FAILURE; - } + UBaseType_t uxReturnValue = vDevModeKeyProvisioning(); - LogInfo( ( "Device key provisioning succeeded \n" ) ); + if( uxReturnValue != CKR_OK ) + { + LogError( ( "Device key provisioning failed [%d]\n", uxReturnValue ) ); + LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) ); + return EXIT_FAILURE; + } - status = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 ); + LogInfo( ( "Device key provisioning succeeded \n" ) ); - if( status != PSA_SUCCESS ) - { - LogError( ( "OTA signing key provision failed [%d]\n", status ) ); - } + /* FIXME: Magic value */ + psa_status_t uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 ); + + if( uxStatus != PSA_SUCCESS ) + { + LogError( ( "OTA signing key provision failed [%d]\n", uxStatus ) ); + return EXIT_FAILURE; + } + else + { + LogInfo( ( "OTA signing key provisioning succeeded \n" ) ); + } - LogInfo( ( "OTA signing key provisioning succeeded \n" ) ); + if( xWriteDeviceProvisioned() != PSA_SUCCESS ) + { + return EXIT_FAILURE; + } + } /* The next initializations are done as a part of the main */ /* function as these resources are shared between tasks */ diff --git a/release_changes/202409101951.change.md b/release_changes/202409101951.change.md new file mode 100644 index 0000000..cbf8b1c --- /dev/null +++ b/release_changes/202409101951.change.md @@ -0,0 +1 @@ +provisioning: Prevent re-provisioning