From c0037da514c02a8e6ba4add1b68a9acddaab38ec Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 24 Jun 2024 18:31:37 +0200 Subject: [PATCH] psa_open_key does not lock the key in memory Signed-off-by: Gilles Peskine --- docs/architecture/psa-keystore-design.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/docs/architecture/psa-keystore-design.md b/docs/architecture/psa-keystore-design.md index 61b57cbd10..4ddd9950fc 100644 --- a/docs/architecture/psa-keystore-design.md +++ b/docs/architecture/psa-keystore-design.md @@ -184,13 +184,6 @@ The persistent key cache is a fixed-size array of `MBEDTLS_PSA_KEY_SLOT_COUNT` s `psa_get_and_lock_key_slot()` automatically loads persistent and built-in keys if the specified key identifier is in the corresponding range. To that effect, it traverses the key cache to see if a key with the given identifier is already loaded. If not, it loads the key. This cache walk takes time that is proportional to the cache size. -#### Slot readers - -At any given time, a slot can have registered readers. The `registered_readers` fields contains the number of readers. The following are readers: - -* A thread that is currently reading metadata or data from the slot (see [“Concurrency”](#concurrency)). -* A persistent key that has been opened with `psa_open_key()`, until the corresponding handle is closed with `psa_close_key()`. - #### Cache eviction A key slot must be allocated in the cache slice: @@ -199,6 +192,6 @@ A key slot must be allocated in the cache slice: * to create a persistent key; * to load a persistent or built-in key. -If the cache slice is full, the code will try to evict an entry. Only slots that do not have readers can be evicted (see [“Slot readers”](#slot-readers)). In the static key store, slots containing volatile keys cannot be evicted. +If the cache slice is full, the code will try to evict an entry. Only slots that do not have readers can be evicted (see [“Concurrency”](#concurrency)). In the static key store, slots containing volatile keys cannot be evicted. As of Mbed TLS 3.6.1, there is no tracking of a key's usage frequency or age. The slot eviction code picks the first evictable slot it finds in its traversal order. We have not reasoned about or experimented with different strategies.