provisioning: Prevent re-provisioning (#94)

After successful provisioning, the code writes a pattern into the ITS, which could be checked on the next boot. Signed-off-by: Dávid Házi <david.hazi@arm.com>
FreeRTOS · Oct 9, 2024 · f27b98e · f27b98e
1 parent ca1fe7b
commit f27b98e
Show file tree

Hide file tree

Showing 7 changed files with 144 additions and 56 deletions.
diff --git a/applications/freertos_iot_libraries_tests/main.c b/applications/freertos_iot_libraries_tests/main.c
@@ -160,25 +160,35 @@ int main( void )
                                mbedtls_platform_mutex_lock,
                                mbedtls_platform_mutex_unlock );
 
-    xRetVal = vDevModeKeyProvisioning();
-
-    if( xRetVal != CKR_OK )
-    {
-        LogError( ( "Device key provisioning failed [%d]\n", xRetVal ) );
-        LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) );
-        return EXIT_FAILURE;
-    }
-    else
+    if( uxIsDeviceProvisioned() == 0 )
     {
+        UBaseType_t uxReturnValue = vDevModeKeyProvisioning();
+
+        if( uxReturnValue != CKR_OK )
+        {
+            LogError( ( "Device key provisioning failed [%d]\n", uxReturnValue ) );
+            LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) );
+            return EXIT_FAILURE;
+        }
+
         LogInfo( ( "Device key provisioning succeeded \n" ) );
-        status = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 );
 
-        if( status != PSA_SUCCESS )
+        psa_status_t uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 );
+
+        if( uxStatus != PSA_SUCCESS )
         {
-            LogError( ( "OTA signing key provision failed [%d]\n", status ) );
+            LogError( ( "OTA signing key provision failed [%d]\n", uxStatus ) );
+            return EXIT_FAILURE;
+        }
+        else
+        {
+            LogInfo( ( "OTA signing key provisioning succeeded \n" ) );
         }
 
-        LogInfo( ( "OTA signing key provisioning succeeded \n" ) );
+        if( xWriteDeviceProvisioned() != PSA_SUCCESS )
+        {
+            return EXIT_FAILURE;
+        }
     }
 
     status = network_startup();

diff --git a/applications/helpers/provisioning/dev_mode_key_provisioning.c b/applications/helpers/provisioning/dev_mode_key_provisioning.c
@@ -67,6 +67,9 @@
 #include "mbedtls/entropy.h"
 #include "mbedtls/ctr_drbg.h"
 
+/* TF-M ITS include */
+#include "psa/internal_trusted_storage.h"
+
 /* Default FreeRTOS API for console logging. */
 #define DEV_MODE_KEY_PROVISIONING_PRINT( X )    printf
 
@@ -91,6 +94,9 @@ extern void vLoggingPrint( const char * pcFormat );
 
 #define DER_FORMAT_BUFFER_LENGTH    512
 
+#define FIRST_BOOT_ITS_UID          ( 1U )
+#define BOOT_PATTERN                ( 0x55 )
+
 /* Adding one to all of the lengths because ASN1 may pad a leading 0 byte
  * to numbers that could be interpreted as negative */
 typedef struct RsaParams_t
@@ -1443,4 +1449,39 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle,
     return result;
 }
 
+UBaseType_t uxIsDeviceProvisioned( void )
+{
+    psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+    const psa_storage_uid_t uid = FIRST_BOOT_ITS_UID;
+    uint8_t boot_pattern_in_its = 0;
+    size_t read_data_length = 0;
+
+    status = psa_its_get( uid, 0, 1, &boot_pattern_in_its,
+                          &read_data_length );
+
+    if( status != PSA_SUCCESS )
+    {
+        return 0;
+    }
+
+    if( boot_pattern_in_its == BOOT_PATTERN )
+    {
+        return 1;
+    }
+    else
+    {
+        return 0;
+    }
+}
+
+psa_status_t xWriteDeviceProvisioned( void )
+{
+    const psa_storage_uid_t uid = FIRST_BOOT_ITS_UID;
+    const psa_storage_create_flags_t flags = PSA_STORAGE_FLAG_WRITE_ONCE;
+    uint8_t first_boot_pattern = BOOT_PATTERN;
+
+    /* Write the pattern to ITS */
+    return psa_its_set( uid, 1, &first_boot_pattern, flags );
+}
+
 /*-----------------------------------------------------------*/
diff --git a/applications/helpers/provisioning/dev_mode_key_provisioning.h b/applications/helpers/provisioning/dev_mode_key_provisioning.h
@@ -247,4 +247,8 @@ CK_RV xDestroyProvidedObjects( CK_SESSION_HANDLE xSession,
  */
 int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle,
                                  size_t keyBits );
+
+UBaseType_t uxIsDeviceProvisioned( void );
+psa_status_t xWriteDeviceProvisioned( void );
+
 #endif /* _AWS_DEV_MODE_KEY_PROVISIONING_H_ */
diff --git a/applications/keyword_detection/main.c b/applications/keyword_detection/main.c
@@ -183,25 +183,36 @@ int main( void )
         }
     #endif
 
-    UBaseType_t xRetVal = vDevModeKeyProvisioning();
-
-    if( xRetVal != CKR_OK )
+    if( uxIsDeviceProvisioned() == 0 )
     {
-        LogError( ( "Device key provisioning failed [%d]\n", xRetVal ) );
-        LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) );
-        return EXIT_FAILURE;
-    }
+        UBaseType_t uxReturnValue = vDevModeKeyProvisioning();
 
-    LogInfo( ( "Device key provisioning succeeded \n" ) );
+        if( uxReturnValue != CKR_OK )
+        {
+            LogError( ( "Device key provisioning failed [%d]\n", uxReturnValue ) );
+            LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) );
+            return EXIT_FAILURE;
+        }
 
-    status = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 );
+        LogInfo( ( "Device key provisioning succeeded \n" ) );
 
-    if( status != PSA_SUCCESS )
-    {
-        LogError( ( "OTA signing key provision failed [%d]\n", status ) );
-    }
+        psa_status_t uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 );
+
+        if( uxStatus != PSA_SUCCESS )
+        {
+            LogError( ( "OTA signing key provision failed [%d]\n", uxStatus ) );
+            return EXIT_FAILURE;
+        }
+        else
+        {
+            LogInfo( ( "OTA signing key provisioning succeeded \n" ) );
+        }
 
-    LogInfo( ( "OTA signing key provisioning succeeded \n" ) );
+        if( xWriteDeviceProvisioned() != PSA_SUCCESS )
+        {
+            return EXIT_FAILURE;
+        }
+    }
 
     /* The next initializations are done as a part of the main */
     /* function as these resources are shared between tasks */

diff --git a/applications/object_detection/main.c b/applications/object_detection/main.c
@@ -171,26 +171,36 @@ int main( void )
         }
     #endif
 
-    UBaseType_t xReturnValue = vDevModeKeyProvisioning();
-
-    if( xReturnValue != CKR_OK )
+    if( uxIsDeviceProvisioned() == 0 )
     {
-        LogError( ( "Device key provisioning failed [%d]\n", xReturnValue ) );
-        LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) );
-        return EXIT_FAILURE;
-    }
+        UBaseType_t uxReturnValue = vDevModeKeyProvisioning();
 
-    LogInfo( ( "Device key provisioning succeeded \n" ) );
+        if( uxReturnValue != CKR_OK )
+        {
+            LogError( ( "Device key provisioning failed [%d]\n", uxReturnValue ) );
+            LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) );
+            return EXIT_FAILURE;
+        }
 
-    /* FIXME: Magic value */
-    uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 );
+        LogInfo( ( "Device key provisioning succeeded \n" ) );
 
-    if( uxStatus != PSA_SUCCESS )
-    {
-        LogError( ( "OTA signing key provision failed [%d]\n", uxStatus ) );
-    }
+        uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 );
+
+        if( uxStatus != PSA_SUCCESS )
+        {
+            LogError( ( "OTA signing key provision failed [%d]\n", uxStatus ) );
+            return EXIT_FAILURE;
+        }
+        else
+        {
+            LogInfo( ( "OTA signing key provisioning succeeded \n" ) );
+        }
 
-    LogInfo( ( "OTA signing key provisioning succeeded \n" ) );
+        if( xWriteDeviceProvisioned() != PSA_SUCCESS )
+        {
+            return EXIT_FAILURE;
+        }
+    }
 
     /* The next initializations are done as a part of the main */
     /* function as these resources are shared between tasks */

diff --git a/applications/speech_recognition/main.c b/applications/speech_recognition/main.c
@@ -182,25 +182,36 @@ int main( void )
         }
     #endif
 
-    UBaseType_t xRetVal = vDevModeKeyProvisioning();
-
-    if( xRetVal != CKR_OK )
+    if( uxIsDeviceProvisioned() == 0 )
     {
-        LogError( ( "Device key provisioning failed [%d]\n", xRetVal ) );
-        LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) );
-        return EXIT_FAILURE;
-    }
+        UBaseType_t uxReturnValue = vDevModeKeyProvisioning();
 
-    LogInfo( ( "Device key provisioning succeeded \n" ) );
+        if( uxReturnValue != CKR_OK )
+        {
+            LogError( ( "Device key provisioning failed [%d]\n", uxReturnValue ) );
+            LogError( ( "Device cannot connect to IoT Core. Exiting...\n" ) );
+            return EXIT_FAILURE;
+        }
 
-    status = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 );
+        LogInfo( ( "Device key provisioning succeeded \n" ) );
 
-    if( status != PSA_SUCCESS )
-    {
-        LogError( ( "OTA signing key provision failed [%d]\n", status ) );
-    }
+        psa_status_t uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 );
+
+        if( uxStatus != PSA_SUCCESS )
+        {
+            LogError( ( "OTA signing key provision failed [%d]\n", uxStatus ) );
+            return EXIT_FAILURE;
+        }
+        else
+        {
+            LogInfo( ( "OTA signing key provisioning succeeded \n" ) );
+        }
 
-    LogInfo( ( "OTA signing key provisioning succeeded \n" ) );
+        if( xWriteDeviceProvisioned() != PSA_SUCCESS )
+        {
+            return EXIT_FAILURE;
+        }
+    }
 
     /* The next initializations are done as a part of the main */
     /* function as these resources are shared between tasks */

diff --git a/release_changes/202409101951.change.md b/release_changes/202409101951.change.md
@@ -0,0 +1 @@
+provisioning: Prevent re-provisioning