psa_asymmetric_encrypt() doesn't work with opaque driver #8461

Closed
michael2012z opened this issue Nov 2, 2023 · 2 comments · Fixed by #8700
Labels
bug component-psa PSA keystore/dispatch layer (storage, drivers, …) size-s Estimated task size: small (~2d)

Comments

@michael2012z

Summary

I am creating an opaque driver which talks to a secure element (in our case it's TF-M). The driver supports entries asymmetric_encrypt and asymmetric_decrypt.

In the application, we first generated a key successfully with the driver, then we tried to call psa_asymmetric_encrypt() with the key. But the check failed here https://github.com/Mbed-TLS/mbedtls/blob/91aaba0172dfa1c740bc67a12bc201bad4cd509c/library/psa_crypto.c#L1146C4-L1146C4 in psa_get_and_lock_transparent_key_slot_with_policy().

Seemingly, psa_asymmetric_encrypt() assumes that the key must be a transparent one and cannot be external. The limitation doesn't work with an opaque driver.

System information

Mbed TLS version: v3.4.0
Operating system and version: Linux Ubuntu 22.04
Configuration (if not default, please attach mbedtls_config.h):
Compiler and options (if you used a pre-built binary, please indicate how you obtained it):
Additional environment information:

Expected behavior

In psa_asymmetric_encrypt(), the checks before invoking psa_driver_wrapper_asymmetric_encrypt() should pass.

Additional information

The same problem is also seen in psa_asymmetric_decrypt().
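
The failure mode reported above, as a self-contained C model (an added example, not Mbed TLS source and not code from this thread): a gate that only admits local-storage keys rejects a secure-element key before the driver dispatch step is reached. All names (`gate_*`, `model_encrypt`, `LOC_SE`) are hypothetical, and the rejection value is an assumption, since the issue only says the check failed.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not Mbed TLS source. Encoding follows the PSA Crypto API:
 * lifetime = (location << 8) | persistence, and location 0 is local storage. */
typedef uint32_t lifetime_t;
typedef int32_t status_t;
#define ST_SUCCESS        ((status_t) 0)
#define ST_NOT_SUPPORTED  ((status_t) -134) /* PSA_ERROR_NOT_SUPPORTED value (assumed code) */
#define LOC_LOCAL         0x000000u
#define LOC_SE            0x800001u         /* constructed vendor-defined location */
#define MAKE_LIFETIME(persist, loc) ((lifetime_t) (((loc) << 8) | (persist)))
#define GET_LOCATION(lifetime) ((lifetime) >> 8)

typedef struct { lifetime_t lifetime; } key_slot_t;  /* hypothetical key slot */
static int se_driver_calls;  /* counts dispatches to the modelled opaque driver */

/* Gate described in the issue: any key outside local storage is rejected. */
static status_t gate_transparent_only(const key_slot_t *slot) {
    return GET_LOCATION(slot->lifetime) != LOC_LOCAL ? ST_NOT_SUPPORTED : ST_SUCCESS;
}

/* Gate that leaves the location decision to the dispatch step. */
static status_t gate_any_location(const key_slot_t *slot) {
    (void) slot;
    return ST_SUCCESS;
}

/* Dispatch by key location, as a driver wrapper would. */
static status_t dispatch_encrypt(const key_slot_t *slot) {
    switch (GET_LOCATION(slot->lifetime)) {
        case LOC_LOCAL: return ST_SUCCESS;                    /* built-in code */
        case LOC_SE:    se_driver_calls++; return ST_SUCCESS; /* opaque driver */
        default:        return ST_NOT_SUPPORTED;       /* no driver registered */
    }
}

/* Run the chosen gate first; only a key that passes reaches dispatch. */
static status_t model_encrypt(const key_slot_t *slot,
                              status_t (*gate)(const key_slot_t *)) {
    status_t status = gate(slot);
    return status != ST_SUCCESS ? status : dispatch_encrypt(slot);
}

int main(void) {
    key_slot_t se_key = { MAKE_LIFETIME(0x00u, LOC_SE) };  /* volatile, in the SE */
    printf("transparent-only gate: %d\n", (int) model_encrypt(&se_key, gate_transparent_only));
    printf("any-location gate:     %d\n", (int) model_encrypt(&se_key, gate_any_location));
    return 0;
}
```

A regression test for this class of bug asserts both the status and that the driver entry point was reached, for a key in a non-local location.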

@gilles-peskine-arm gilles-peskine-arm added bug component-psa PSA keystore/dispatch layer (storage, drivers, …) labels Nov 2, 2023
@gilles-peskine-arm
Contributor

We intended for this to work, but evidently missed a part of the implementation and aren't testing this adequately.

@gilles-peskine-arm gilles-peskine-arm added the size-s Estimated task size: small (~2d) label Nov 2, 2023
@gilles-peskine-arm gilles-peskine-arm added this to Mbed TLS 3.6 release in EPICs for Mbed TLS Nov 2, 2023
@adeaarm
Contributor

adeaarm commented Jan 11, 2024

@david-hazi-arm FYI

Projects
Status: Done
Status: Mbed TLS 3.6 release