From c8b95343785b0bab44e88db71ff8bcae1db35299 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Thu, 18 Mar 2021 20:48:06 +0100 Subject: [PATCH] Change signature of mbedtls_psa_platform_get_builtin_key Instead of the full attributes struct, it now only takes/returns what it actually needs to. Signed-off-by: Steven Cooreman --- include/psa/crypto_extra.h | 28 ++++++------- library/psa_crypto_slot_management.c | 7 +++- tests/src/drivers/platform_builtin_keys.c | 50 ++++++++++++++--------- 3 files changed, 50 insertions(+), 35 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 34436e4d49..38d6c2029b 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -759,14 +759,13 @@ static inline int psa_key_id_is_builtin( psa_key_id_t key_id ) ( key_id <= MBEDTLS_PSA_KEY_ID_BUILTIN_MAX ) ); } -/** Platform function to obtain the data of a built-in key. +/** Platform function to obtain the location and slot of a built-in key. * * An application-specific implementation of this function must be provided if * #MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled. This would typically be provided * as part of a platform's system image. * - * Call psa_get_key_id(\p attributes) to obtain the key identifier \c key_id. - * #MBEDTLS_SVC_KEY_ID_GET_KEY_ID(\p key_id) is in the range from + * #MBEDTLS_SVC_KEY_ID_GET_KEY_ID(\p key_id) needs to be in the range from * #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN to #MBEDTLS_PSA_KEY_ID_BUILTIN_MAX. * * In a multi-application configuration 
@@ -774,16 +773,15 @@ static inline int psa_key_id_is_builtin( psa_key_id_t key_id ) * this function should check that #MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(\p key_id) * is allowed to use the given key. * - * \param[in,out] attributes On entry, this is #PSA_KEY_ATTRIBUTES_INIT or - * an equivalent value, except that the key - * identifier field is set. - * On successful return, this function must set - * the attributes of the key: lifetime, type, - * bit-size, usage policy. - * \param[out] slot_number On successful return, this function must set - * this to the slot number known to the driver for - * the lifetime location reported through - * \p attributes which corresponds to the + * \param key_id The key ID for which to retrieve the + * location and slot attributes. + * \param[out] lifetime On success, the lifetime associated with the key + * corresponding to \p key_id. Lifetime is a + * combination of which driver contains the key, + * and with what lifecycle the key can be used. + * \param[out] slot_number On success, the slot number known to the driver + * registered at the lifetime location reported + * through \p location which corresponds to the * requested built-in key. * * \retval #PSA_SUCCESS @@ -801,7 +799,9 @@ static inline int psa_key_id_is_builtin( psa_key_id_t key_id ) * is not allowed to access it. */ psa_status_t mbedtls_psa_platform_get_builtin_key( - psa_key_attributes_t *attributes, psa_drv_slot_number_t *slot_number ); + mbedtls_svc_key_id_t key_id, + psa_key_lifetime_t *lifetime, + psa_drv_slot_number_t *slot_number ); #endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ /** @} */ diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index 68943c178c..232e544012 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c 
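Review bot: The rewritten `\param[out] slot_number` paragraph in `@@ -774,16 +773,15 @@` still says "reported through \p location", but the function no longer has a parameter of that name; the out-parameter that carries the location is `lifetime`, so Doxygen will report a dangling `\p` reference. Change `through \p location which corresponds to the` to `through \p lifetime which corresponds to the`, optionally adding that the location is `PSA_KEY_LIFETIME_GET_LOCATION(*lifetime)`. It would also help implementers if the `lifetime` paragraph stated what persistence level a built-in key is expected to report; the removed implementation in tests/src/drivers/platform_builtin_keys.c hard-coded `PSA_KEY_PERSISTENCE_READ_ONLY`, whereas the core now takes whatever the platform returns. The declaration hunk `@@ -801,7 +799,9 @@` is consistent with the new parameter names, so only the prose needs the fix.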
@@ -281,6 +281,7 @@ static psa_status_t psa_load_builtin_key_into_slot( psa_key_slot_t *slot ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_lifetime_t lifetime = PSA_KEY_LIFETIME_VOLATILE; psa_drv_slot_number_t slot_number = 0; uint8_t *key_buffer = NULL; size_t key_buffer_size = 0; @@ -295,10 +296,14 @@ static psa_status_t psa_load_builtin_key_into_slot( psa_key_slot_t *slot ) /* Check the platform function to see whether this key actually exists */ psa_set_key_id( &attributes, slot->attr.id ); - status = mbedtls_psa_platform_get_builtin_key( &attributes, &slot_number ); + status = mbedtls_psa_platform_get_builtin_key( + slot->attr.id, &lifetime, &slot_number ); if( status != PSA_SUCCESS ) return( status ); + /* Set mapped lifetime on the attributes */ + psa_set_key_lifetime( &attributes, lifetime ); + /* If the key should exist according to the platform, load it through the * driver interface. */ status = psa_driver_wrapper_get_key_buffer_size( &attributes, diff --git a/tests/src/drivers/platform_builtin_keys.c b/tests/src/drivers/platform_builtin_keys.c index 131343a906..feccbfd0f6 100644 --- a/tests/src/drivers/platform_builtin_keys.c +++ b/tests/src/drivers/platform_builtin_keys.c @@ -30,7 +30,7 @@ typedef struct { psa_key_id_t builtin_key_id; - psa_key_location_t location; + psa_key_lifetime_t lifetime; psa_drv_slot_number_t slot_number; } mbedtls_psa_builtin_key_description_t; 
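Review bot: In the second hunk of this file (`@@ -295,10 +296,14 @@`) the lifetime returned by `mbedtls_psa_platform_get_builtin_key()` is copied straight into `attributes` with no validation, so the core now trusts the platform callback for both the location and the persistence level of a built-in key, where the removed callback code composed the lifetime with `PSA_KEY_PERSISTENCE_READ_ONLY` itself. A platform implementation that hands back a volatile or local-storage lifetime would make the slot look like an ordinary key to the rest of the core; I cannot see from the hunk how the later `psa_driver_wrapper_get_key_buffer_size()` path reacts to that, but if built-in keys are meant to be read-only driver keys, a defence-in-depth check before `psa_set_key_lifetime( &attributes, lifetime );` would catch it: `if( PSA_KEY_LIFETIME_GET_LOCATION( lifetime ) == PSA_KEY_LOCATION_LOCAL_STORAGE ) return( PSA_ERROR_CORRUPTION_DETECTED );`. The `PSA_KEY_LIFETIME_VOLATILE` initialiser added in `@@ -281,6 +281,7 @@` is only a placeholder, since the function returns early on any non-success status; a short comment such as `/* Overwritten by the platform function on success */` would stop a reader taking it for a meaningful default. psa_load_builtin_key_into_slot() starts and ends outside these hunks.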
@@ -38,28 +38,41 @@ static const mbedtls_psa_builtin_key_description_t builtin_keys[] = { #if defined(PSA_CRYPTO_DRIVER_TEST) /* For testing, assign the AES builtin key slot to the boundary values. * ECDSA can be exercised on key ID MBEDTLS_PSA_KEY_ID_BUILTIN_MIN + 1. */ - { MBEDTLS_PSA_KEY_ID_BUILTIN_MIN - 1, PSA_CRYPTO_TEST_DRIVER_LIFETIME, - PSA_CRYPTO_TEST_DRIVER_BUILTIN_AES_KEY_SLOT }, - { MBEDTLS_PSA_KEY_ID_BUILTIN_MIN, PSA_CRYPTO_TEST_DRIVER_LIFETIME, - PSA_CRYPTO_TEST_DRIVER_BUILTIN_AES_KEY_SLOT }, - { MBEDTLS_PSA_KEY_ID_BUILTIN_MIN + 1, PSA_CRYPTO_TEST_DRIVER_LIFETIME, - PSA_CRYPTO_TEST_DRIVER_BUILTIN_ECDSA_KEY_SLOT}, - { MBEDTLS_PSA_KEY_ID_BUILTIN_MAX - 1, PSA_CRYPTO_TEST_DRIVER_LIFETIME, - PSA_CRYPTO_TEST_DRIVER_BUILTIN_AES_KEY_SLOT}, - { MBEDTLS_PSA_KEY_ID_BUILTIN_MAX, PSA_CRYPTO_TEST_DRIVER_LIFETIME, - PSA_CRYPTO_TEST_DRIVER_BUILTIN_AES_KEY_SLOT}, - { MBEDTLS_PSA_KEY_ID_BUILTIN_MAX + 1, PSA_CRYPTO_TEST_DRIVER_LIFETIME, - PSA_CRYPTO_TEST_DRIVER_BUILTIN_AES_KEY_SLOT}, + { MBEDTLS_PSA_KEY_ID_BUILTIN_MIN - 1, + PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( + PSA_KEY_PERSISTENCE_READ_ONLY, PSA_CRYPTO_TEST_DRIVER_LIFETIME ), + PSA_CRYPTO_TEST_DRIVER_BUILTIN_AES_KEY_SLOT }, + { MBEDTLS_PSA_KEY_ID_BUILTIN_MIN, + PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( + PSA_KEY_PERSISTENCE_READ_ONLY, PSA_CRYPTO_TEST_DRIVER_LIFETIME ), + PSA_CRYPTO_TEST_DRIVER_BUILTIN_AES_KEY_SLOT }, + { MBEDTLS_PSA_KEY_ID_BUILTIN_MIN + 1, + PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( + PSA_KEY_PERSISTENCE_READ_ONLY, PSA_CRYPTO_TEST_DRIVER_LIFETIME ), + PSA_CRYPTO_TEST_DRIVER_BUILTIN_ECDSA_KEY_SLOT}, + { MBEDTLS_PSA_KEY_ID_BUILTIN_MAX - 1, + PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( + PSA_KEY_PERSISTENCE_READ_ONLY, PSA_CRYPTO_TEST_DRIVER_LIFETIME ), + PSA_CRYPTO_TEST_DRIVER_BUILTIN_AES_KEY_SLOT}, + { MBEDTLS_PSA_KEY_ID_BUILTIN_MAX, + PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( + PSA_KEY_PERSISTENCE_READ_ONLY, PSA_CRYPTO_TEST_DRIVER_LIFETIME ), + 
PSA_CRYPTO_TEST_DRIVER_BUILTIN_AES_KEY_SLOT}, + { MBEDTLS_PSA_KEY_ID_BUILTIN_MAX + 1, + PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( + PSA_KEY_PERSISTENCE_READ_ONLY, PSA_CRYPTO_TEST_DRIVER_LIFETIME ), + PSA_CRYPTO_TEST_DRIVER_BUILTIN_AES_KEY_SLOT}, #else {0, 0, 0} #endif }; psa_status_t mbedtls_psa_platform_get_builtin_key( - psa_key_attributes_t *attributes, psa_drv_slot_number_t *slot_number ) + mbedtls_svc_key_id_t key_id, + psa_key_lifetime_t *lifetime, + psa_drv_slot_number_t *slot_number ) { - mbedtls_svc_key_id_t svc_key_id = psa_get_key_id( attributes ); - psa_key_id_t app_key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( svc_key_id ); + psa_key_id_t app_key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key_id ); const mbedtls_psa_builtin_key_description_t *builtin_key; for( size_t i = 0; @@ -68,10 +81,7 @@ psa_status_t mbedtls_psa_platform_get_builtin_key( builtin_key = &builtin_keys[i]; if( builtin_key->builtin_key_id == app_key_id ) { - psa_set_key_lifetime( attributes, - PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( - PSA_KEY_PERSISTENCE_READ_ONLY, - builtin_key->location ) ); + *lifetime = builtin_key->lifetime; *slot_number = builtin_key->slot_number; return( PSA_SUCCESS ); }
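Review bot: The six `builtin_keys[]` rows in `@@ -38,28 +38,41 @@` each repeat the same three-line `PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_READ_ONLY, PSA_CRYPTO_TEST_DRIVER_LIFETIME )` expression, which makes the boundary-value table harder to scan than the old one-line rows and lets the persistence value drift between rows when one is edited. A file-local macro above the table, `#define BUILTIN_KEY_TEST_LIFETIME PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_READ_ONLY, PSA_CRYPTO_TEST_DRIVER_LIFETIME )`, would restore one row per entry. `PSA_CRYPTO_TEST_DRIVER_LIFETIME` is passed as the location argument of that macro (and previously filled the `location` field), so it presumably holds a location value rather than a lifetime; if so, a comment on the table or a rename at its definition (outside this file) would prevent the next reader mistaking it for a full lifetime. The new body of `mbedtls_psa_platform_get_builtin_key()` continues past the end of this hunk, and the lookup in `@@ -68,10 +81,7 @@` correctly writes `*lifetime` and `*slot_number` only on a match.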