Add TS provider

Create base of Trusted Service provider - it connects to the service
and can be instantiated in the service.

Signed-off-by: Ionut Mihalcea <[email protected]>

Author: ionut-arm

Cargo.lock

@@ -45,6 +45,7 @@ users = "0.11.0"
 libc = "0.2.77"
 anyhow = "1.0.32"
 rust-cryptoauthlib = { version = "0.1.0", optional = true }
+prost = { version = "0.6.1", optional = true }
 
 [dev-dependencies]
 rand = { version = "0.8.2", features = ["small_rng"] }
@@ -64,7 +65,7 @@ mbed-crypto-provider = ["psa-crypto"]
 pkcs11-provider = ["pkcs11", "picky-asn1-der", "picky-asn1", "picky-asn1-x509", "psa-crypto", "rand"]
 tpm-provider = ["tss-esapi", "picky-asn1-der", "picky-asn1", "picky-asn1-x509", "hex"]
 cryptoauthlib-provider = ["rust-cryptoauthlib"]
-trusted-service-provider = ["psa-crypto", "bindgen", "prost-build"]
+trusted-service-provider = ["psa-crypto", "bindgen", "prost-build", "prost"]
 all-providers = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "cryptoauthlib-provider"]
 
 # Authenticators

Cargo.toml

@@ -26,6 +26,9 @@ pub mod tpm;
 #[cfg(feature = "cryptoauthlib-provider")]
 pub mod cryptoauthlib;
 
+#[cfg(feature = "trusted-service-provider")]
+pub mod trusted_service;
+
 /// Provider configuration structure
 /// For providers configs in Parsec config.toml we use a format similar
 /// to the one described in the Internally Tagged Enum representation
@@ -81,6 +84,11 @@ pub enum ProviderConfig {
         /// I2C baud rate
         baud: Option<u32>,
     },
+    /// Trusted Service provider configuration
+    TrustedService {
+        /// Name of Key Info Manager to use
+        key_info_manager: String,
+    },
 }
 
 impl ProviderConfig {
@@ -102,6 +110,10 @@ impl ProviderConfig {
             ProviderConfig::CryptoAuthLib {
                 ref key_info_manager,
                 ..
+            } =
+            ProviderConfig::TrustedService {
+                ref key_info_manager,
+                ..
             } => key_info_manager,
         }
     }
@@ -112,6 +124,7 @@ impl ProviderConfig {
             ProviderConfig::Pkcs11 { .. } => ProviderID::Pkcs11,
             ProviderConfig::Tpm { .. } => ProviderID::Tpm,
             ProviderConfig::CryptoAuthLib { .. } => ProviderID::CryptoAuthLib,
+            ProviderConfig::TrustedService { .. } => ProviderID::TrustedService,
         }
     }
 }

src/providers/mod.rs

@@ -0,0 +1,100 @@
+// Copyright 2020 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+use log::info;
+use std::ffi::{c_void, CString};
+use std::io::{Error, ErrorKind};
+use std::ptr::null_mut;
+use ts_binding::*;
+
+#[allow(
+    non_snake_case,
+    non_camel_case_types,
+    non_upper_case_globals,
+    clippy::unseparated_literal_suffix,
+    // There is an issue where long double become u128 in extern blocks. Check this issue:
+    // https://github.com/rust-lang/rust-bindgen/issues/1549
+    improper_ctypes,
+    missing_debug_implementations,
+    trivial_casts,
+    clippy::all,
+    unused,
+    unused_qualifications
+)]
+pub mod ts_binding {
+    include!(concat!(env!("OUT_DIR"), "/ts_bindings.rs"));
+}
+
+#[allow(
+    non_snake_case,
+    non_camel_case_types,
+    non_upper_case_globals,
+    clippy::unseparated_literal_suffix,
+    // There is an issue where long double become u128 in extern blocks. Check this issue:
+    // https://github.com/rust-lang/rust-bindgen/issues/1549
+    improper_ctypes,
+    missing_debug_implementations,
+    trivial_casts,
+    clippy::all,
+    unused,
+    unused_qualifications
+)]
+mod ts_protobuf {
+    include!(concat!(env!("OUT_DIR"), "/ts_crypto.rs"));
+}
+
+#[derive(Debug)]
+pub struct Context {
+    rpc_caller: *mut rpc_caller,
+    service_context: *mut service_context,
+    rpc_session_handle: *mut c_void,
+}
+
+impl Context {
+    pub fn connect() -> anyhow::Result<Self> {
+        info!("Querying for crypto Trusted Services");
+        let mut status = 0;
+        let service_context = unsafe {
+            service_locator_query(
+                CString::new("sn:tf.org:crypto:0").unwrap().into_raw(),
+                &mut status,
+            )
+        };
+        if service_context == null_mut() || status != 0 {
+            return Err(Error::new(
+                ErrorKind::Other,
+                format!(
+                    "Failed to connect to Trusted Service; status code: {}",
+                    status
+                ),
+            )
+            .into());
+        }
+
+        info!("Starting crypto Trusted Service context");
+        let mut rpc_caller = null_mut();
+        let rpc_session_handle = unsafe { service_context_open(service_context, &mut rpc_caller) };
+        if rpc_caller == null_mut() || rpc_session_handle == null_mut() {
+            return Err(
+                Error::new(ErrorKind::Other, "Failed to start Trusted Service context").into(),
+            );
+        }
+        let ctx = Context {
+            rpc_caller,
+            service_context,
+            rpc_session_handle,
+        };
+
+        Ok(ctx)
+    }
+}
+
+impl Drop for Context {
+    fn drop(&mut self) {
+        unsafe { service_context_close(self.service_context, self.rpc_session_handle) };
+
+        unsafe { service_locator_relinquish(self.service_context) };
+    }
+}
+
+unsafe impl Sync for Context {}
+unsafe impl Send for Context {}

src/providers/trusted_service/context.rs

@@ -0,0 +1,107 @@
+// Copyright 2020 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+//! Trusted Service provider
+//!
+//! This provider is backed by a crypto Trusted Service deployed in TrustZone
+use crate::key_info_managers::ManageKeyInfo;
+use crate::providers::Provide;
+use context::Context;
+use derivative::Derivative;
+use parsec_interface::operations::list_providers::ProviderInfo;
+use parsec_interface::operations::psa_key_attributes::{Attributes, Id};
+use parsec_interface::requests::{Opcode, ProviderID, Result};
+use psa_crypto::types::key;
+use std::collections::HashMap;
+use std::collections::HashSet;
+use std::sync::{atomic::AtomicU32, Arc, RwLock};
+use uuid::Uuid;
+
+mod context;
+
+const SUPPORTED_OPCODES: [Opcode; 0] = [];
+
+/// Trusted Service provider structure
+///
+/// Currently the provider only supports volatile keys due to limitations in the stack
+/// underneath us. Therefore none of the key information is persisted, being kept instead
+/// in a map for fast access.
+#[derive(Derivative)]
+#[derivative(Debug)]
+pub struct Provider {
+    context: Context,
+    // When calling write on a reference of key_info_store, a type
+    // std::sync::RwLockWriteGuard<dyn ManageKeyInfo + Send + Sync> is returned. We need to use the
+    // dereference operator (*) to access the inner type dyn ManageKeyInfo + Send + Sync and then
+    // reference it to match with the method prototypes.
+    #[derivative(Debug = "ignore")]
+    key_info_store: Arc<RwLock<dyn ManageKeyInfo + Send + Sync>>,
+    key_attr_map: HashMap<String, (Id, Attributes)>,
+
+    // Holds the highest ID of all keys (including destroyed keys). New keys will receive an ID of
+    // id_counter + 1. Once id_counter reaches the highest allowed ID, no more keys can be created.
+    id_counter: AtomicU32,
+}
+
+impl Provider {
+    /// Creates and initialise a new instance of Provider.
+    fn new(
+        key_info_store: Arc<RwLock<dyn ManageKeyInfo + Send + Sync>>,
+    ) -> anyhow::Result<Provider> {
+        let ts_provider = Provider {
+            key_info_store,
+            context: Context::connect()?,
+            key_attr_map: HashMap::new(),
+            id_counter: AtomicU32::new(key::PSA_KEY_ID_USER_MIN),
+        };
+        Ok(ts_provider)
+    }
+}
+
+impl Provide for Provider {
+    fn describe(&self) -> Result<(ProviderInfo, HashSet<Opcode>)> {
+        Ok((ProviderInfo {
+            // Assigned UUID for this provider: 1c1139dc-ad7c-47dc-ad6b-db6fdb466552
+            uuid: Uuid::parse_str("1c1139dc-ad7c-47dc-ad6b-db6fdb466552")?,
+            description: String::from("Provider exposing functionality provided by the Crypto Trusted Service running in a Trusted Execution Environment"),
+            vendor: String::from("Arm"),
+            version_maj: 0,
+            version_min: 1,
+            version_rev: 0,
+            id: ProviderID::TrustedService,
+        }, SUPPORTED_OPCODES.iter().copied().collect()))
+    }
+}
+
+/// Trusted Service provider builder
+#[derive(Default, Derivative)]
+#[derivative(Debug)]
+pub struct ProviderBuilder {
+    #[derivative(Debug = "ignore")]
+    key_info_store: Option<Arc<RwLock<dyn ManageKeyInfo + Send + Sync>>>,
+}
+
+impl ProviderBuilder {
+    /// Create a new provider builder
+    pub fn new() -> ProviderBuilder {
+        ProviderBuilder {
+            key_info_store: None,
+        }
+    }
+
+    /// Add a KeyInfo manager
+    pub fn with_key_info_store(
+        mut self,
+        key_info_store: Arc<RwLock<dyn ManageKeyInfo + Send + Sync>>,
+    ) -> ProviderBuilder {
+        self.key_info_store = Some(key_info_store);
+
+        self
+    }
+
+    /// Build into a TrustedService
+    pub fn build(self) -> anyhow::Result<Provider> {
+        Provider::new(self.key_info_store.ok_or_else(|| {
+            std::io::Error::new(std::io::ErrorKind::InvalidData, "missing key info store")
+        })?)
+    }
+}

src/providers/trusted_service/mod.rs

@@ -47,12 +47,15 @@ use crate::providers::mbed_crypto::ProviderBuilder as MbedCryptoProviderBuilder;
 use crate::providers::pkcs11::ProviderBuilder as Pkcs11ProviderBuilder;
 #[cfg(feature = "tpm-provider")]
 use crate::providers::tpm::ProviderBuilder as TpmProviderBuilder;
+#[cfg(feature = "trusted-service-provider")]
+use crate::providers::trusted_service::ProviderBuilder as TrustedServiceProviderBuilder;
 
 #[cfg(any(
     feature = "mbed-crypto-provider",
     feature = "pkcs11-provider",
     feature = "tpm-provider",
-    feature = "cryptoauthlib-provider"
+    feature = "cryptoauthlib-provider",
+    feature = "trusted-service-provider"
 ))]
 use log::info;
 
@@ -284,7 +287,8 @@ fn build_providers(
         feature = "mbed-crypto-provider",
         feature = "pkcs11-provider",
         feature = "tpm-provider",
-        feature = "cryptoauthlib-provider"
+        feature = "cryptoauthlib-provider",
+        feature = "trusted-service-provider"
     )),
     allow(unused_variables),
     allow(clippy::match_single_binding)
@@ -362,11 +366,21 @@ unsafe fn get_provider(
                     .build()?,
             ))
         }
+        #[cfg(feature = "trusted-service-provider")]
+        ProviderConfig::TrustedService { .. } => {
+            info!("Creating a TPM Provider.");
+            Ok(Arc::new(
+                TrustedServiceProviderBuilder::new()
+                    .with_key_info_store(key_info_manager)
+                    .build()?,
+            ))
+        }
         #[cfg(not(all(
             feature = "mbed-crypto-provider",
             feature = "pkcs11-provider",
             feature = "tpm-provider",
-            feature = "cryptoauthlib-provider"
+            feature = "cryptoauthlib-provider",
+            feature = "trusted-service-provider"
         )))]
         _ => {
             error!(