Platform: AN552: Create unique provisioning bundle
If TFM_DUMMY_PROVISIONING is OFF, calculate the hash of the public key
belonging to each new private signing key and use that hash for
provisioning.
The other keys can also be generated if needed or can be
set in the config files.
The provisioning bundle build is supported by armclang, gcc
and iar as well.
Change-Id: I32af4a34720cfa0aeda1220499aa9404a0056cad
Signed-off-by: Dávid Házi <david.hazi@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
diff --git a/docs/platform/arm/mps3/an552/README.rst b/docs/platform/arm/mps3/an552/README.rst
index d455fc7..ac5c313 100644
--- a/docs/platform/arm/mps3/an552/README.rst
+++ b/docs/platform/arm/mps3/an552/README.rst
@@ -26,6 +26,27 @@
provisioning code and provisioning values. The provisioning bundle has to be placed
on the ``0x10022000`` address.
+.. note::
+
+ If ``-DPLATFORM_DEFAULT_PROVISIONING=OFF`` and ``-DTFM_DUMMY_PROVISIONING=OFF`` are set
+ then unique values can be used for provisioning. The ${MCUBOOT_KEY_S} and ${MCUBOOT_KEY_NS}
+ will be used for signing and provisioning so any unique private signing key can be used.
+ If ``-DMCUBOOT_GENERATE_SIGNING_KEYPAIR=ON`` is set then a new mcuboot signing public and private
+ keypair is going to be generated and it's going to be used to sign the S and NS binaries.
+
+ The hash of the public key is going to be written into the ``provisioning_data.c`` automatically.
+ The other keys and seeds can be changed by passing the new values to the build command,
+ otherwise the default values going to be used:
+ ``tf-m/platform/ext/target/arm/mps3/an552/provisioning/provisioning_config.cmake``
+ Optionally it's possible to pass a new config file with the ``-DPROVISIONING_KEYS_CONFIG``
+ flag.
+
+ The new generated keypair can be found in the ``<build dir>/bin`` folder or in the
+ ``<install directory>/image_signing/keys`` after installation.
+ The generated provisioning_data.c file can be found at
+ ``<build directory>/platform/target/provisioning/provisioning_data.c``
+
+
To run the example code on AN552
--------------------------------
FPGA image is available to download `here <https://developer.arm.com/tools-and-software/development-boards/fpga-prototyping-boards/download-fpga-images>`__
diff --git a/platform/ext/target/arm/mps3/an552/config.cmake b/platform/ext/target/arm/mps3/an552/config.cmake
index e69c0e6..7848398 100644
--- a/platform/ext/target/arm/mps3/an552/config.cmake
+++ b/platform/ext/target/arm/mps3/an552/config.cmake
@@ -10,6 +10,7 @@
# Make FLIH IRQ test as the default IRQ test on Corstone-310
set(TEST_NS_SLIH_IRQ OFF CACHE BOOL "Whether to build NS regression Second-Level Interrupt Handling tests")
set(PSA_API_TEST_TARGET "cs3x0" CACHE STRING "PSA_API_TARGET name")
+set(PROVISIONING_KEYS_CONFIG "${CMAKE_SOURCE_DIR}/platform/ext/target/arm/mps3/an552/provisioning/provisioning_config.cmake" CACHE FILEPATH "The config file which has the keys and seeds for provisioning")
if(BL2)
set(BL2_TRAILER_SIZE 0x800 CACHE STRING "Trailer size")
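Review bot: The new `PROVISIONING_KEYS_CONFIG` cache entry defaults to the checked-in `provisioning_config.cmake`, whose contents are example values that anyone with the source tree knows, and nothing in the description tells a user that the default is not suitable for real provisioning. I would say so in the docstring: `CACHE FILEPATH "Config file with the keys and seeds for provisioning; the default holds well-known example values and must be overridden for real devices"`. The path is also built from `CMAKE_SOURCE_DIR`, which presumably matches how the rest of the platform tree is referenced, but `${CMAKE_CURRENT_LIST_DIR}/provisioning/provisioning_config.cmake` would not depend on TF-M being the top-level project.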
diff --git a/platform/ext/target/arm/mps3/an552/provisioning/CMakeLists.txt b/platform/ext/target/arm/mps3/an552/provisioning/CMakeLists.txt
index fe20e69..4d02723 100644
--- a/platform/ext/target/arm/mps3/an552/provisioning/CMakeLists.txt
+++ b/platform/ext/target/arm/mps3/an552/provisioning/CMakeLists.txt
@@ -10,14 +10,24 @@
add_executable(provisioning_bundle)
+# The armclang toolchain file does not set the CMAKE_OBJCOPY
+# but it's used for the armclang build as well.
+unset(CMAKE_OBJCOPY CACHE)
+find_program(CMAKE_OBJCOPY NAMES "arm-none-eabi-objcopy")
+if(NOT CMAKE_OBJCOPY)
+ message(FATAL_ERROR "GNU ARM objcopy not found!")
+endif()
+
set_target_properties(provisioning_bundle
PROPERTIES
SUFFIX ".axf"
+ RUNTIME_OUTPUT_DIRECTORY "${CMAKE_BINARY_DIR}/bin"
)
target_add_scatter_file(provisioning_bundle
$<$<C_COMPILER_ID:ARMClang>:${CMAKE_CURRENT_SOURCE_DIR}/provisioning_bundle.sct>
$<$<C_COMPILER_ID:GNU>:${CMAKE_CURRENT_SOURCE_DIR}/provisioning_bundle.ld>
+ $<$<C_COMPILER_ID:IAR>:${CMAKE_CURRENT_SOURCE_DIR}/provisioning_bundle.icf>
)
target_link_options(provisioning_bundle
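Review bot: `unset(CMAKE_OBJCOPY CACHE)` followed by an unconditional `find_program` throws away any objcopy the toolchain file or the user already configured, and it does so for every toolchain even though the comment only motivates it for armclang; a GNU build that pointed `CMAKE_OBJCOPY` at a specific binary silently gets whatever `arm-none-eabi-objcopy` is first on PATH. It also makes an IAR or armclang build hard-fail on a missing GNU tool, which the `FATAL_ERROR` text does not explain. I would only look it up when nothing is set: `if(NOT CMAKE_OBJCOPY)` / `find_program(CMAKE_OBJCOPY NAMES "arm-none-eabi-objcopy")` / `endif()`, and extend the error to say the GNU objcopy is needed to produce the provisioning bundle binary for all three toolchains.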
@@ -35,7 +45,7 @@
target_sources(provisioning_bundle
PRIVATE
./provisioning_code.c
- $<$<BOOL:${TFM_DUMMY_PROVISIONING}>:./dummy_provisioning_data.c>
+ $<IF:$<BOOL:${TFM_DUMMY_PROVISIONING}>,dummy_provisioning_data.c,${CMAKE_CURRENT_BINARY_DIR}/provisioning_data.c>
)
target_include_directories(provisioning_bundle
@@ -101,3 +111,38 @@
INTERFACE
.
)
+
+if(NOT TFM_DUMMY_PROVISIONING)
+ include(${PROVISIONING_KEYS_CONFIG})
+ add_custom_target(provisioning_data
+ SOURCES
+ provisioning_data.c
+ )
+
+ add_custom_command(OUTPUT provisioning_data.c
+ # FIXME: combining the two generator prepends the current path, so two is used
+ DEPENDS $<IF:$<BOOL:${MCUBOOT_GENERATE_SIGNING_KEYPAIR}>,generated_private_key,>
+ $<IF:$<BOOL:${MCUBOOT_GENERATE_SIGNING_KEYPAIR}>,$<TARGET_FILE_DIR:bl2>/generated_private_key_s.pem,${MCUBOOT_KEY_S}>
+ # FIXME: combining the two generator prepends the current path, so two is used
+ DEPENDS $<IF:$<BOOL:${MCUBOOT_GENERATE_SIGNING_KEYPAIR}>,generated_private_key,>
+ $<IF:$<BOOL:${MCUBOOT_GENERATE_SIGNING_KEYPAIR}>,$<TARGET_FILE_DIR:bl2>/generated_private_key_ns.pem,${MCUBOOT_KEY_NS}>
+ DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/provisioning_data_template.jinja2
+ DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/create_provisioning_data.py
+ WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts
+ COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/create_provisioning_data.py
+ ${CMAKE_CURRENT_BINARY_DIR}/provisioning_data.c
+ --bl2_rot_priv_key_0 ${MCUBOOT_KEY_S}
+ --bl2_rot_priv_key_1 ${MCUBOOT_KEY_NS}
+ --template_path ${CMAKE_CURRENT_SOURCE_DIR}
+ --secure_debug_pk ${SECURE_DEBUG_PK}
+ --huk ${HUK}
+ --iak ${IAK}
+ --boot_seed ${BOOT_SEED}
+ --implementation_id ${IMPLEMENTATION_ID}
+ --certification_reference ${CERTIFICATION_REFERENCE}
+ --verification_service_url ${VERIFICATION_SERVICE_URL}
+ --entropy_seed ${ENTROPY_SEED}
+
+ )
+
+endif()
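Review bot: The `COMMAND` passes the HUK, IAK, boot seed and entropy seed as plain command-line arguments, so in a non-dummy build this key material ends up in the generated Makefile/Ninja rules, in verbose build logs and in `ps` output while the script runs; since the script already receives `--template_path`, it could instead read the values from `${PROVISIONING_KEYS_CONFIG}` (or a generated file with restricted permissions) rather than from argv. Independently of that, the command lacks `VERBATIM`, so how the space-containing `"0x.., 0x.., ..."` values are quoted is generator-dependent. The `DEPENDS` lines reference `$<TARGET_FILE_DIR:bl2>/generated_private_key_s.pem` when `MCUBOOT_GENERATE_SIGNING_KEYPAIR` is on, but the command still hashes `${MCUBOOT_KEY_S}`/`${MCUBOOT_KEY_NS}`; if those variables are not redirected to the generated keys elsewhere in the build, the provisioned ROTPK hashes would not match the keys used for signing, so a comment stating where that redirection happens would help the next reader. Minor: `IAK_LEN` from the included config is never passed to the script.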
diff --git a/platform/ext/target/arm/mps3/an552/provisioning/bl2_provisioning.c b/platform/ext/target/arm/mps3/an552/provisioning/bl2_provisioning.c
index d1bf141..bd954db 100644
--- a/platform/ext/target/arm/mps3/an552/provisioning/bl2_provisioning.c
+++ b/platform/ext/target/arm/mps3/an552/provisioning/bl2_provisioning.c
@@ -70,7 +70,7 @@
if (lcs == PLAT_OTP_LCS_ASSEMBLY_AND_TEST) {
- BOOT_LOG_INF("[INF] Waiting for CM provisioning bundle\r\n");
+ BOOT_LOG_INF("[INF] Waiting for provisioning bundle\r\n");
while (encrypted_bundle->magic != BUNDLE_MAGIC ||
encrypted_bundle->magic2 != BUNDLE_MAGIC) {
}
diff --git a/platform/ext/target/arm/mps3/an552/provisioning/create_provisioning_data.py b/platform/ext/target/arm/mps3/an552/provisioning/create_provisioning_data.py
new file mode 100644
index 0000000..4a8a7b5
--- /dev/null
+++ b/platform/ext/target/arm/mps3/an552/provisioning/create_provisioning_data.py
@@ -0,0 +1,140 @@
+#! /usr/bin/env python3
+#
+# -----------------------------------------------------------------------------
+# Copyright (c) 2020-2022, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+# -----------------------------------------------------------------------------
+
+import re
+import os
+import sys
+import click
+from jinja2 import Environment, FileSystemLoader
+from cryptography.hazmat.primitives.hashes import Hash, SHA256
+
+# Add the cwd to the path so that if there is a version of imgtool in there then
+# it gets used over the system imgtool. Used so that imgtool from upstream
+# mcuboot is preferred over system imgtool
+cwd = os.getcwd()
+sys.path = [cwd] + sys.path
+import imgtool
+import imgtool.main
+
+parser_path = os.path.abspath(os.path.join(os.path.dirname(__file__), '../'))
+sys.path.append(parser_path)
+
+
+sign_bin_size_re = re.compile(r"^\s*RE_SIGN_BIN_SIZE\s*=\s*(.*)")
+load_addr_re = re.compile(r"^\s*RE_IMAGE_LOAD_ADDRESS\s*=\s*(.*)")
+rom_fixed_re = re.compile(r"^\s*RE_IMAGE_ROM_FIXED\s*=\s*(.*)")
+
+#This works around Python 2 and Python 3 handling character encodings
+#differently. More information about this issue at
+#https://click.palletsprojects.com/en/5.x/python3
+os.environ['LC_ALL'] = 'C.UTF-8'
+os.environ['LANG'] = 'C.UTF-8'
+
+
+def get_key_hash_c_array(key_file):
+ key = imgtool.main.load_key(key_file)
+ digest = Hash(SHA256())
+ digest.update(key.get_public_bytes())
+ return hex_to_c_array(digest.finalize())
+
+
+@click.argument('outfile')
+@click.option('--bl2_rot_priv_key_0', metavar='filename', required=True)
+@click.option('--bl2_rot_priv_key_1', metavar='filename', required=False)
+@click.option('--bl2_rot_priv_key_2', metavar='filename', required=False)
+@click.option('--bl2_rot_priv_key_3', metavar='filename', required=False)
+@click.option('--template_path', metavar='filename', required=True)
+@click.option('--secure_debug_pk', metavar='key', required=False)
+@click.option('--huk', metavar='key', required=False)
+@click.option('--iak', metavar='key', required=False)
+@click.option('--boot_seed', metavar='seed', required=False)
+@click.option('--implementation_id', metavar='id', required=False)
+@click.option('--certification_reference', metavar='reference', required=True)
+@click.option('--verification_service_url', metavar='url', required=True)
+@click.option('--entropy_seed', metavar='seed', required=False)
+@click.command(help='''Create a signed or unsigned image\n
+ INFILE and OUTFILE are parsed as Intel HEX if the params have
+ .hex extension, otherwise binary format is used''')
+def generate_provisioning_data_c(outfile, bl2_rot_priv_key_0,
+ bl2_rot_priv_key_1,
+ template_path, bl2_rot_priv_key_2,
+ bl2_rot_priv_key_3,
+ secure_debug_pk, huk, iak, boot_seed,
+ implementation_id,
+ certification_reference,
+ verification_service_url,
+ entropy_seed):
+
+ environment = Environment(loader=FileSystemLoader(template_path))
+ template = environment.get_template("provisioning_data_template.jinja2")
+
+ # getpubhash cannot be called directly because of its click decorators
+ bl2_rot_pub_key_0_hash = ""
+ if bool(bl2_rot_priv_key_0) is True:
+ bl2_rot_pub_key_0_hash = get_key_hash_c_array(bl2_rot_priv_key_0)
+
+ bl2_rot_pub_key_1_hash = ""
+ if bool(bl2_rot_priv_key_1) is True:
+ bl2_rot_pub_key_1_hash = get_key_hash_c_array(bl2_rot_priv_key_1)
+
+ bl2_rot_pub_key_2_hash = ""
+ if bool(bl2_rot_priv_key_2) is True:
+ bl2_rot_pub_key_2_hash = get_key_hash_c_array(bl2_rot_priv_key_2)
+
+ bl2_rot_pub_key_3_hash = ""
+ if bool(bl2_rot_priv_key_3) is True:
+ bl2_rot_pub_key_3_hash = get_key_hash_c_array(bl2_rot_priv_key_3)
+
+ if bool(huk) is False:
+ huk = hex_to_c_array(os.urandom(32))
+
+ if bool(iak) is False:
+ iak = hex_to_c_array(os.urandom(32))
+
+ if bool(boot_seed) is False:
+ boot_seed = hex_to_c_array(os.urandom(32))
+
+ if bool(implementation_id) is False:
+ implementation_id = hex_to_c_array(os.urandom(32))
+
+ if bool(entropy_seed) is False:
+ entropy_seed = hex_to_c_array(os.urandom(64))
+
+ key_arrays = {
+ "bl2_rotpk_0": bl2_rot_pub_key_0_hash,
+ "bl2_rotpk_1": bl2_rot_pub_key_1_hash,
+ "bl2_rotpk_2": bl2_rot_pub_key_2_hash,
+ "bl2_rotpk_3": bl2_rot_pub_key_3_hash,
+ "secure_debug_pk": secure_debug_pk,
+ "huk": huk,
+ "iak": iak,
+ "iak_len": "32",
+ "boot_seed": boot_seed,
+ "implementation_id": implementation_id,
+ "certification_reference": certification_reference,
+ "verification_service_url": verification_service_url,
+ "entropy_seed": entropy_seed
+ }
+
+ with open(outfile, "w") as F:
+ F.write(template.render(key_arrays))
+
+
+def hex_to_c_array(hex_val):
+ c_array = ""
+ for count, b in enumerate(hex_val):
+ if count % 8 == 0 and count != 0:
+ c_array = c_array + '\n'
+ c_array = c_array + "0x{:02x}, ".format(b)
+
+ return c_array
+
+
+if __name__ == '__main__':
+ generate_provisioning_data_c()
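Review bot: `with open(outfile, "w") as F:` writes the HUK, IAK and entropy seed in plaintext with whatever the process umask grants, typically world-readable; create the file restricted instead: `fd = os.open(outfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and `with os.fdopen(fd, "w") as F:`. When `--secure_debug_pk` is omitted its value is Python's `None`, which is handed to the template and either fails inside the `indent` filter or renders the literal token `None` in the initializer, so optional key options should default to `""` or be checked like the rotpk ones. The click help text (`Create a signed or unsigned image ... parsed as Intel HEX`), the `sign_bin_size_re`/`load_addr_re`/`rom_fixed_re` regexes and `parser_path` look carried over from the imgtool wrapper and do not apply here; I would use `help='Generate provisioning_data.c from the signing keys and provisioning values'` and drop the unused names. Prepending `os.getcwd()` to `sys.path` executes whatever `imgtool` package sits in the invoking directory, which is intended for `${MCUBOOT_PATH}/scripts` but deserves a comment warning not to run the script from an untrusted directory. Note also that the `os.urandom` fallbacks yield a different HUK/IAK/seed each time the custom command reruns, so a rebuild produces a different bundle unless the values are pinned.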
diff --git a/platform/ext/target/arm/mps3/an552/provisioning/provisioning_bundle.icf b/platform/ext/target/arm/mps3/an552/provisioning/provisioning_bundle.icf
new file mode 100644
index 0000000..66d78a9
--- /dev/null
+++ b/platform/ext/target/arm/mps3/an552/provisioning/provisioning_bundle.icf
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2023 Arm Limited. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "region_defs.h"
+
+do not initialize { section .noinit };
+do not initialize { readwrite };
+
+define block VALUES with fixed order, maximum size = PROVISIONING_BUNDLE_VALUES_SIZE {
+ ro object *provisioning_data.o
+};
+"VALUES": place at address PROVISIONING_BUNDLE_VALUES_START { block VALUES };
+
+define ram region DATA = [from PROVISIONING_BUNDLE_DATA_START size PROVISIONING_BUNDLE_DATA_SIZE];
+
+define block RW_DATA {
+ rw data
+};
+"RW_DATA": place at start of DATA { block RW_DATA };
+
+define block RO_DATA {
+ ro data
+} except {
+ ro object *provisioning_data.o
+};
+"RO_DATA": place in DATA { block RO_DATA };
+
+define block BSS_DATA {
+ zi section .bss
+};
+"BSS_DATA": place in DATA { block BSS_DATA };
+
+define block CODE with fixed order, alignment = 4, maximum size = PROVISIONING_BUNDLE_CODE_SIZE {
+ ro section DO_PROVISION,
+ ro code,
+};
+"CODE": place at address PROVISIONING_BUNDLE_CODE_START { block CODE };
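Review bot: This new file carries an Apache-2.0 header while the other new files in the commit (`create_provisioning_data.py`, `provisioning_config.cmake`, the Jinja template) use `SPDX-License-Identifier: BSD-3-Clause`; unless it was deliberately derived from an Apache-licensed source, the header should be brought in line, e.g. ` * SPDX-License-Identifier: BSD-3-Clause`. A one-line comment above `define block VALUES` saying that `*provisioning_data.o` is placed at `PROVISIONING_BUNDLE_VALUES_START` because the bundle loader expects the provisioning values at that fixed offset would also help, since the GNU and armclang scatter files are the only other place that convention is visible.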
diff --git a/platform/ext/target/arm/mps3/an552/provisioning/provisioning_bundle.ld b/platform/ext/target/arm/mps3/an552/provisioning/provisioning_bundle.ld
index 0400f51..a6fdb44 100644
--- a/platform/ext/target/arm/mps3/an552/provisioning/provisioning_bundle.ld
+++ b/platform/ext/target/arm/mps3/an552/provisioning/provisioning_bundle.ld
@@ -59,7 +59,7 @@
VALUES :
{
- *_provisioning_data.o(.rodata.data)
+ *provisioning_data.o(.rodata.data)
} > VALUES
}
diff --git a/platform/ext/target/arm/mps3/an552/provisioning/provisioning_config.cmake b/platform/ext/target/arm/mps3/an552/provisioning/provisioning_config.cmake
new file mode 100644
index 0000000..26d76d2
--- /dev/null
+++ b/platform/ext/target/arm/mps3/an552/provisioning/provisioning_config.cmake
@@ -0,0 +1,48 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2023, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+
+set(SECURE_DEBUG_PK "0xf4, 0x0c, 0x8f, 0xbf, 0x12, 0xdb, 0x78, 0x2a, \
+0xfd, 0xf4, 0x75, 0x96, 0x6a, 0x06, 0x82, 0x36, \
+0xe0, 0x32, 0xab, 0x80, 0xd1, 0xb7, 0xf1, 0xbc, \
+0x9f, 0xe7, 0xd8, 0x7a, 0x88, 0xcb, 0x26, 0xd0," CACHE STRING "")
+
+set(HUK "0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, \
+0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, \
+0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, \
+0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f" CACHE STRING "Hardware unique key")
+
+set(IAK "0xA9, 0xB4, 0x54, 0xB2, 0x6D, 0x6F, 0x90, 0xA4, \
+0xEA, 0x31, 0x19, 0x35, 0x64, 0xCB, 0xA9, 0x1F, \
+0xEC, 0x6F, 0x9A, 0x00, 0x2A, 0x7D, 0xC0, 0x50, \
+0x4B, 0x92, 0xA1, 0x93, 0x71, 0x34, 0x58, 0x5F" CACHE STRING "Initial attestaion key")
+
+set(IAK_LEN "32" CACHE STRING "Initial attestaion key len")
+
+set(BOOT_SEED "0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, \
+0xA8, 0xA9, 0xAA, 0xAB, 0xAC, 0xAD, 0xAE, 0xAF, \
+0xB0, 0xB1, 0xB2, 0xB3, 0xB4, 0xB5, 0xB6, 0xB7, \
+0xB8, 0xB9, 0xBA, 0xBB, 0xBC, 0xBD, 0xBE, 0xBF," CACHE STRING "")
+
+set(IMPLEMENTATION_ID "0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, \
+0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, \
+0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, \
+0xDD, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD," CACHE STRING "")
+
+set(CERTIFICATION_REFERENCE "0604565272829-10010" CACHE STRING "")
+
+set(VERIFICATION_SERVICE_URL "www.trustedfirmware.org" CACHE STRING "")
+
+set(ENTROPY_SEED "0x12, 0x13, 0x23, 0x34, 0x0a, 0x05, 0x89, 0x78, \
+0xa3, 0x66, 0x8c, 0x0d, 0x97, 0x55, 0x53, 0xca, \
+0xb5, 0x76, 0x18, 0x62, 0x29, 0xc6, 0xb6, 0x79, \
+0x75, 0xc8, 0x5a, 0x8d, 0x9e, 0x11, 0x8f, 0x85, \
+0xde, 0xc4, 0x5f, 0x66, 0x21, 0x52, 0xf9, 0x39, \
+0xd9, 0x77, 0x93, 0x28, 0xb0, 0x5e, 0x02, 0xfa, \
+0x58, 0xb4, 0x16, 0xc8, 0x0f, 0x38, 0x91, 0xbb, \
+0x28, 0x17, 0xcd, 0x8a, 0xc9, 0x53, 0x72, 0x66" CACHE STRING "")
+
+
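Review bot: The defaults here — a HUK of `0x00..0x0f` repeated, a fixed IAK, BOOT_SEED, IMPLEMENTATION_ID and ENTROPY_SEED — are publicly known values, and because the provisioning CMake always forwards them to `create_provisioning_data.py`, the script's `os.urandom` fallback for HUK/IAK/BOOT_SEED/ENTROPY_SEED is never reached in a default `TFM_DUMMY_PROVISIONING=OFF` build; the "unique" bundle therefore still provisions a shared hardware unique key and attestation key. I would leave those entries empty by default so the random path is taken, e.g. `set(HUK "" CACHE STRING "Hardware unique key; empty = generated at build time")`, or at minimum `message(WARNING ...)` when they are unchanged from this file. Minor: `IAK_LEN` is defined but the script hard-codes `"32"`, and both key descriptions spell `attestation` as `attestaion`.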
diff --git a/platform/ext/target/arm/mps3/an552/provisioning/provisioning_data_template.jinja2 b/platform/ext/target/arm/mps3/an552/provisioning/provisioning_data_template.jinja2
new file mode 100644
index 0000000..c0269fa
--- /dev/null
+++ b/platform/ext/target/arm/mps3/an552/provisioning/provisioning_data_template.jinja2
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2023, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#include "provisioning_bundle.h"
+#include "psa/crypto.h"
+#include "config_tfm.h"
+
+/* This file is generated by the create_provisioning_data.py */
+
+const struct provisioning_data_t data = {
+ .bl2_assembly_and_test_prov_data = {
+ /* bl2 rotpk 0 */
+ {
+ {{bl2_rotpk_0 | indent(12)}}
+ },
+ /* bl2 rotpk 1 */
+ {
+ {{bl2_rotpk_1 | indent(12)}}
+ },
+#if (MCUBOOT_IMAGE_NUMBER > 2)
+ /* bl2 rotpk 2 */
+ {
+ {{bl2_rotpk_2 | indent(12)}}
+ },
+#endif /* MCUBOOT_IMAGE_NUMBER > 2 */
+#if (MCUBOOT_IMAGE_NUMBER > 3)
+ /* bl2 rotpk 3 */
+ {
+ {{bl2_rotpk_3 | indent(12)}}
+ },
+#endif /* MCUBOOT_IMAGE_NUMBER > 3 */
+ },
+#ifdef PLATFORM_PSA_ADAC_SECURE_DEBUG
+ {
+ {{secure_debug_pk | indent(12)}}
+ },
+#endif /* PLATFORM_PSA_ADAC_SECURE_DEBUG */
+ .assembly_and_test_prov_data = {
+ /* HUK */
+ {
+ {{huk | indent(12)}}
+ },
+ },
+ .psa_rot_prov_data = {
+ /* IAK */
+ {
+ {{iak | indent(12)}}
+ },
+ /* IAK len */
+ {{iak_len | indent(8)}},
+#ifdef SYMMETRIC_INITIAL_ATTESTATION
+ /* IAK type */
+ PSA_ALG_HMAC(PSA_ALG_SHA_256),
+#else
+ /* IAK type */
+ PSA_ECC_FAMILY_SECP_R1,
+#endif /* SYMMETRIC_INITIAL_ATTESTATION */
+#if ATTEST_INCLUDE_COSE_KEY_ID
+ /* IAK id */
+ "kid@trustedfirmware.example",
+#endif /* ATTEST_INCLUDE_COSE_KEY_ID */
+ /* boot seed */
+ {
+ {{boot_seed | indent(12)}}
+ },
+ /* implementation id */
+ {
+ {{implementation_id | indent(12)}}
+ },
+ /* certification reference */
+ "{{certification_reference | indent(12)}}",
+ /* verification_service_url */
+ "{{verification_service_url | indent(12)}}",
+ /* attestation_profile_definition */
+ #if ATTEST_TOKEN_PROFILE_PSA_IOT_1
+ "PSA_IOT_PROFILE_1",
+#elif ATTEST_TOKEN_PROFILE_PSA_2_0_0
+ "http://arm.com/psa/2.0.0",
+#elif ATTEST_TOKEN_PROFILE_ARM_CCA
+ "http://arm.com/CCA-SSD/1.0.0",
+#else
+#ifdef TFM_PARTITION_INITIAL_ATTESTATION
+#error "Attestation token profile is incorrect"
+#else
+ "UNDEFINED",
+#endif /* TFM_PARTITION_INITIAL_ATTESTATION */
+#endif
+ /* Entropy seed */
+ {
+ {{entropy_seed | indent(12)}}
+ },
+ }
+};
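Review bot: `{{bl2_rotpk_2 | indent(12)}}` and `{{bl2_rotpk_3 | indent(12)}}` render an empty initializer `{ }` when the matching `--bl2_rot_priv_key_N` option is not passed, so a build with `MCUBOOT_IMAGE_NUMBER > 2` gets an all-zero ROTPK hash for that image slot (or a compile error on a strict C toolchain) instead of a failure at generation time. A guard inside the `#if (MCUBOOT_IMAGE_NUMBER > 2)` block such as `{% if not bl2_rotpk_2 %}#error "bl2_rotpk_2 was not provided"{% endif %}` turns that into a hard build error; the same applies to `secure_debug_pk` under `PLATFORM_PSA_ADAC_SECURE_DEBUG`. `certification_reference` and `verification_service_url` are inserted verbatim into C string literals by an `Environment` with no escaping, so a `"` or `\` in those values breaks the generated file; a comment noting they must be plain ASCII without quotes would help. Cosmetic: ` #if ATTEST_TOKEN_PROFILE_PSA_IOT_1` is indented unlike the neighbouring directives.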
diff --git a/toolchain_IARARM.cmake b/toolchain_IARARM.cmake
index 75ce694..46e8556 100644
--- a/toolchain_IARARM.cmake
+++ b/toolchain_IARARM.cmake
@@ -58,6 +58,7 @@
--silent
--semihosting
--redirect __write=__write_buffered
+ --diag_suppress=lp005
"SHELL:--fpu none"
)
endmacro()
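Review bot: `--diag_suppress=lp005` is added to the IAR link options for every target without saying which diagnostic Lp005 is or why it is safe to hide, presumably because the new `provisioning_bundle.icf` triggers it; a comment such as `# Lp005: <diagnostic text>; raised by provisioning_bundle.icf, harmless because <reason>` should accompany the flag. If only the bundle triggers it, `target_link_options(provisioning_bundle PRIVATE --diag_suppress=lp005)` in the provisioning CMakeLists would leave the rest of the build's diagnostics intact. The enclosing macro starts outside this hunk.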