Skip to content

Add support for DICE attestation + PSA attestation#668

Merged
dgarske merged 1 commit intowolfSSL:masterfrom
danielinux:dice
Feb 6, 2026
Merged

Add support for DICE attestation + PSA attestation#668
dgarske merged 1 commit intowolfSSL:masterfrom
danielinux:dice

Conversation

@danielinux
Copy link
Member

@danielinux danielinux commented Jan 14, 2026

No description provided.

@danielinux danielinux self-assigned this Jan 14, 2026
@danielinux danielinux assigned dgarske and unassigned danielinux Jan 26, 2026
@danielinux danielinux requested a review from dgarske January 26, 2026 16:51
@dgarske dgarske requested a review from Copilot January 26, 2026 22:20
Copilot AI reviewed Jan 26, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a DICE-based PSA Initial Attestation implementation (COSE_Sign1 token builder) and extends the TrustZone PSA plumbing so non-secure code can exercise PSA Crypto + Initial Attestation (plus new hash clone / cipher service IDs).

Changes:

  • Implement DICE token construction and expose it via the ARM TEE PSA attestation service path.
  • Extend the ARM TEE crypto shim with hash clone and basic cipher operations (setup/iv/update/finish/abort).
  • Update STM32H5 test app + build system/docs to enable and exercise PSA crypto + attestation from non-secure.

Reviewed changes

Copilot reviewed 24 out of 24 changed files in this pull request and generated 18 comments.

Show a summary per file
File Description
zephyr/src/arm_tee_crypto_api.c Switches operation handle storage to opaque, adds hash clone and cipher PSA wrappers.
zephyr/include/arm_tee_crypto_defs.h Adds new service IDs for hash clone and cipher operations.
tools/keytools/otp/Makefile Adds wolfSSL path/config defines and optional hash objects for OTP primer.
tools/config.mk Introduces new config toggles for attestation IAK/test.
test-app/wcs/user_settings.h Gates PKCS11 settings on WOLFBOOT_TZ_PKCS11, enables AES-CBC and key export/PKCS formats.
test-app/hal_trng_psa.c Adds PSA-backed TRNG implementation for bare-metal test app.
test-app/arm_tee_ns_interface_stub.c Adds minimal non-Zephyr dispatcher stub for bare-metal PSA calls.
test-app/app_stm32h5.c Adds PSA init, PSA random, and PSA Initial Attestation test/printing flow.
test-app/Makefile Adds PSA/TZ build wiring, local wolfSSL object directory build rule, and attestation test toggle.
test-app/ARM-stm32h5.ld Exposes end symbol for linker compatibility.
test-app/ARM-stm32h5-ns.ld Exposes end symbol for linker compatibility (non-secure).
src/dice/dice.c New DICE claim collection + CBOR/COSE_Sign1 encoding and signing implementation.
src/arm_tee_psa_ipc.c Wires DICE token service into PSA attestation calls; adds hash clone + cipher slot dispatch.
options.mk Adds WOLFBOOT_ATTESTATION_IAK build flag and extra wolfCrypt objects for PSA TZ mode.
include/wolfboot/dice.h Public header for DICE token size/token generation APIs.
include/hal.h Adds attestation-related HAL hook declarations.
hal/stm32l5.c Implements basic UDS derivation and lifecycle for STM32L5.
hal/stm32h5.c Implements basic UDS derivation and lifecycle for STM32H5.
hal/hal.c Adds weak stub implementations for new attestation HAL hooks.
docs/Targets.md Documents STM32H5 WOLFBOOT_TZ_PSA behavior and points to DICE docs.
docs/STM32-TZ.md Adds PSA Initial Attestation section referencing DICE implementation.
docs/DICE.md New documentation describing DICE attestation protocol, HAL hooks, and usage.
Makefile Adds dice object to build when PSA/TZ is enabled (via new flag).
CMakeLists.txt Adds dice source to build when PSA/TZ is enabled (via new flag).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@danielinux
Copy link
Member Author

danielinux commented Jan 27, 2026

Addressed robot reviewer comments (all valid points), rebased on latest master, re-tested.

In particular, to fix the objection on the demo using UID as UDS, I've implemented three possible UDS mechanisms:

  • Stored in OTP alongwith the keystore (default if no extra option is specified)
  • OBKey UDS / iRoT on HDPL1 area (STM32H5 only) when WOLFBOOT_UDS_OBKEYS=1 is selected
  • Test-only fallback with WOLFBOOT_UDS_UID_FALLBACK_FORTEST=1, uses UID as before in this PR (as noted in the review, should not be used for attestation in production)

@dgarske dgarske removed their assignment Jan 27, 2026
@danielinux
Copy link
Member Author

danielinux commented Jan 28, 2026

Depends on wolfPSA/#3

@danielinux danielinux assigned dgarske and unassigned danielinux and wolfSSL-Bot Jan 28, 2026
dgarske
dgarske requested changes Jan 28, 2026
View reviewed changes
Copy link
Contributor

@dgarske dgarske left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot has a few things that need fixed still too.

@dgarske dgarske assigned danielinux and unassigned dgarske Jan 28, 2026
@danielinux danielinux requested a review from dgarske February 6, 2026 06:58
@danielinux danielinux assigned dgarske and unassigned danielinux Feb 6, 2026
@dgarske dgarske merged commit 5b43fcc into wolfSSL:master Feb 6, 2026
412 of 414 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@dgarske dgarske dgarske approved these changes

Assignees

@dgarske dgarske

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@danielinux @dgarske @wolfSSL-Bot