Add vendor key support #353
Conversation
Added macro to check AES key
Made vendor support more generic
Updated code to use lifetime value for vendor instead of vendor keytype
gilles-peskine-arm
left a comment
gilles-peskine-arm
left a comment
There was a problem hiding this comment.
Thank you for your contribution! I left some individual comments about specific issues.
Testing and documentation
Please note that any new feature should have adequate documentation and test coverage. In particular, any new compile-time option should be documented in include/mbedtls/config.h and tested in tests/scripts/all.sh. Once we (you and the Mbed Crypto team) have converged a bit more on architecture, we (the Mbed Crypto team) can provide more specific guidance.
For driver support code, testing would mean at least doing a build with the driver hooks enabled, and having unit tests with a mock driver or a test driver that wraps around the software implementation. We don't necessarily need full test coverage from the beginning, but at a minimum we need smoke tests to ensure that the new code builds and doesn't do anything that tools like ASan would flag.
Architecture
In general, this is not very well aligned with our medium-term architectural goals. We distinguish between two kinds of hooks for external hardware:
- Accelerators work on plaintext keys. Mbed Crypto dispatches an operation to the accelerator driver if the driver implements that operation. Dispatch is based on a per-algorithm basis and is configured at compile time.
psa/crypto_accel_driver.hdeclares types of functions that accelerator drivers can implement, and the documentation of each type explains the function names that the driver may define. We have not yet started to add support for PSA-style accelerators in Mbed Crypto. Mbed Crypto currently supports accelerators through theMBEDTLS_xxx_ALTinterfaces. - Secure elements work on opaque keys. Mbed Crypto only stores a handle to the key, or a wrapped form of the key.
psa/crypto_se_driver.hdefines the type of structures containing function pointers that secure element drivers implement. Mbed Crypto currently contains proof-of-concept support for some secure element features (only with keys accessed through handles, not yet with keys where Mbed Crypto stores a wrapped form of the key).
We welcome contributions to improve support for cryptographic hardware in Mbed Crypto, but we strongly prefer to add features that are on the path towards our medium-term architectural goal, or at least that have a similar enough interface to facilitate later evolution.
Next steps
Since you're effectively contributing support for features that we intended to have, but earlier than we were planning to provide it, we should have some further private discussions about the architecture.
I think the plaintext-key case and the wrapped-key case should be treated separately. Even if there are many platforms where it's the same hardware under the hood, the key manipulations and the hook points in Mbed Crypto are rather different.
include/psa/crypto_values.h
Outdated
| #define PSA_KEY_TYPE_AES ((psa_key_type_t)0x40000001) | ||
|
|
||
| /** Whether a key type is AES. */ | ||
| #define PSA_KEY_TYPE_IS_AES(type) (((type)&PSA_KEY_TYPE_AES) != 0) |
There was a problem hiding this comment.
PSA_KEY_TYPE_AES is a value, not a flag. The correct expansion of this macro would be (type) == PSA_KEY_TYPE_AES. The API generally doesn't define boolean macros with such a simple expansion.
include/mbedtls/aes.h
Outdated
| <li>Simplifying key expansion in the 256-bit | ||
| case by generating an extra round key. | ||
| </li></ul> */ | ||
| void *vendor_ctx; /*!< Vendor defined context. */ |
There was a problem hiding this comment.
The official way to customize the AES context for an accelerator is to define MBEDTLS_AES_ALT and provide a custom version of the type mbedtls_aes_context as well as all the functions in aes.c (except selftests).
It's also possible to substitute the core AES mechanisms (key expansion, single-block encryption, single-block decryption) by defining MBEDTLS_AES_SETKEY_ENC_ALT, MBEDTLS_AES_SETKEY_DEC_ALT, MBEDTLS_AES_ENCRYPT_ALT and MBEDTLS_AES_DECRYPT_ALT and providing definitions for the corresponding functions (mbedtls_aes_setkey_enc, mbedtls_aes_setkey_dec, mbedtls_internal_aes_encrypt, mbedtls_internal_aes_decrypt). In this case, you have to use the default definition of mbedtls_aes_context. If you override all four functions, you can choose what you put in the rk field. So I believe that vendor_ctx is not necessary.
We would prefer not to change the layout of mbedtls_aes_context at this point.
include/psa/crypto_extra.h
Outdated
| * \note This function has to be defined by the vendor if MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C | ||
| * is defined. | ||
| * A weakly linked version is provided by default and returns | ||
| * PSA_ERROR_NOT_SUPPORTED. Do not use this function directly; |
There was a problem hiding this comment.
Since this function is not meant to be called by applications, it should not be declared in crypto_extra.h. The correct location would be crypto_accel_driver.h. That file is still in an early draft stage and not ready for production yet. I propose that we work together on getting at least part of it production-ready.
This applies to the other functions added here.
include/psa/crypto_struct.h
Outdated
| { | ||
| attributes->core.lifetime = lifetime; | ||
| if( lifetime == PSA_KEY_LIFETIME_VOLATILE ) | ||
| if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) |
There was a problem hiding this comment.
For Mbed Crypto specific files (as opposed to standard PSA headers), please use the Mbed TLS coding style, with its unusual whitespace placement: spaces inside parentheses, not outside.
if( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) )
include/psa/crypto_values.h
Outdated
| #define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t)0x00000001) | ||
|
|
||
| #define PSA_KEY_LIFETIME_IS_VOLATILE(lifetime) \ | ||
| (((lifetime)&PSA_KEY_LIFETIME_VOLATILE) != 0) |
There was a problem hiding this comment.
PSA_KEY_LIFETIME_VOLATILE is a value, not a flag. There are currently two defined lifetime values: VOLATILE = 0 and PERSISTENT = 1. We can make 0x00000001 a PSA_KEY_LIFETIME_PERSISTENT_FLAG and thus
#define PSA_KEY_LIFETIME_PERSISTENT_FLAG ((psa_key_lifetime_t)0x00000001)
#define PSA_KEY_LIFETIME_IS_VOLATILE(lifetime) (((lifetime) & PSA_KEY_LIFETIME_PERSISTENT_FLAG) == 0)
include/psa/crypto_values.h
Outdated
| #define PSA_KEY_LIFETIME_VOLATILE_VENDOR (PSA_KEY_LIFETIME_VENDOR_FLAG | PSA_KEY_LIFETIME_VOLATILE) | ||
|
|
||
| #define PSA_KEY_LIFETIME_IS_VENDOR_DEFINED(lifetime) \ | ||
| (((lifetime)&PSA_KEY_LIFETIME_VENDOR_FLAG) != 0) |
There was a problem hiding this comment.
Style: please put whitespace around binary operators including & ((t)&x would be the address of x cast to the type t).
There was a problem hiding this comment.
This one will also change to match your proposal.
library/psa_crypto.c
Outdated
| else | ||
| #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ | ||
| #if defined (MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C) | ||
| if (PSA_KEY_LIFETIME_IS_VENDOR_DEFINED(slot->attr.lifetime)) |
There was a problem hiding this comment.
If an accelerated implementation is available, it should be called for any transparent key regardless of its lifetime. Custom lifetimes may indicate keys in vendor-specific storage, or (to be clarified) keys with vendor-specific wrapping.
include/psa/crypto_values.h
Outdated
| */ | ||
| #define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t)0x00000001) | ||
|
|
||
| #define PSA_KEY_LIFETIME_IS_VOLATILE(lifetime) \ |
There was a problem hiding this comment.
Please refer to the definition of PSA_KEY_LIFETIME_IS_VOLATILE and to the new structure for lifetime values in #358, which is slated to be included in the next release of Mbed Crypto and in an upcoming version of the PSA Cryptography specification.
There was a problem hiding this comment.
I am fine with that new definition. Im not quite sure how to get it in here though.
moved accel definitions from other header files to accel header file
This reverts commit a9ba5bb.
3 participants
No description provided.