19 Commits

Author SHA1 Message Date
Janos Follath
502ff7bcef
Merge pull request #9639 from waleed-elmelegy-arm/add-iop-key-gen-setup
Add PSA interruptible key generation setup & abort APIs
2024-11-06 09:10:42 +00:00
Waleed Elmelegy
b16edbef72 Improve comments for interuptible key agreement APIs
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-10-31 16:41:00 +00:00
Ronald Cron
5f6e69dae5
Merge pull request #9693 from Harry-Ramsey/split-revert-error-development
Split error.h and move back error.c to mbedtls
2024-10-25 13:12:58 +00:00
Valerio Setti
7310130333 psa: zeroize static key buffer content when key slot is freed
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-10-22 17:56:36 +02:00
Valerio Setti
8321ac7bc1 psa-core: remove unnecessary element in psa_key_slot_t
Instead of checking for "in_use" to be true/false or "key.data"
to be not NULL, simply check that "key.bytes" is 0/not-0.
psa_allocate_buffer_to_slot() will update this value whenever
a new slot is allocated (for the fully static case "allocated"
actually mean "taken").

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-10-22 17:56:36 +02:00
Valerio Setti
678e0fb3e5 psa: allow to use static key buffers instead of dynamic ones
This helps reducing heap memory usage and, if heap memory is
not used anywhere else in an embedded device, it also reduces
code footprint since there is no need for heap management code
in this case.

A new build symbol is added for this purpose, named
MBEDTLS_PSA_STATIC_KEY_SLOTS. It's disabled by default so that
normal usage of Mbed TLS library is not affected.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-10-22 17:56:36 +02:00
Waleed Elmelegy
cca4dbef4c Add PSA interruptible key generation setup & abort APIs
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-10-21 13:41:59 +01:00
Harry Ramsey
a05bfeed1e Refactor tf-psa-crypto to use error_common.h instead of error.h
This commit refactors tf-psa-crypto to include error_common.h instead of
error.h as these files have been split and the relevant error codes are
now inside error_common.h.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2024-10-18 08:19:50 +01:00
Gilles Peskine
ab0af45d11
Merge pull request #9464 from gilles-peskine-arm/psa-keystore-dynamic-development
dynamically sized key store
2024-08-26 10:47:00 +00:00
Waleed Elmelegy
d1562407c3 Fix possible issues in testing and implementation of psa_key_agreement()
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-08-16 14:37:46 +01:00
Waleed Elmelegy
bdf2c98a27 Add psa_key_agreement() API
Add psa_key_agreement() API and basic testing.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-08-16 14:36:47 +01:00
Gilles Peskine
eab36d1d06 Dynamic key store: implementation
When MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, key slots are now organized in
multiple slices. The slices are allocated on demand, which allows the key
store to grow. The size of slices grows exponentially, which allows reaching
a large number of slots with a small (static) number of slices without too
much overhead.

Maintain a linked list of free slots in each slice. This way, allocating a
slot takes O(1) time unless a slice needs to be allocated.

In this commit, slices are only ever freed when deinitializing the key
store. This should be improved in the future to free empty slices.

To avoid growing the persistent key cache without control, the persistent
key cache has a fixed size (reusing MBEDTLS_PSA_KEY_SLOT_COUNT to avoid
creating yet another option).

When MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled. no semantic change and
minimal changes to the code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-09 15:41:11 +02:00
Gilles Peskine
dc41fff669 psa_key_slot_t: different fields in free vs occupied slots
Place some fields of psa_key_slot_t in a union, to prepare for a new field
in free slots that should not require extra memory.

For occupied slots, place only the registered_readers field in the union,
not other fields, to minimize textual changes. All fields could move to the
union except state (also needed in free slots) and attr (which must stay
first to reduce the code size, because it is accessed at many call sites).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-09 15:41:11 +02:00
Gilles Peskine
b0b1b32914 Prevent mbedtls_psa_register_se_key with volatile keys
mbedtls_psa_register_se_key() is not usable with volatile keys, since there
is no way to return the implementation-chosen key identifier which would be
needed to use the key. Document this limitation. Reject an attempt to create
such an unusable key. Fixes #9253.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-07 12:39:05 +02:00
Gilles Peskine
3077f2f9c6 Remove experimental, superseded function psa_generate_key_ext
Remove the experimental functions psa_generate_key_ext() and
psa_key_derivation_output_key_ext(), which require a flexible array member
and therefore break C++ code that includes Mbed TLS headers. They have been
replaced by psa_generate_key_custom() and
psa_key_derivation_output_key_custom().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-05 15:52:37 +02:00
Gilles Peskine
63d06efc38 Rename one more deprecated identifier
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-05 15:52:37 +02:00
Gilles Peskine
ae8fa71669 Rename internal function psa_key_production_parameters_are_default
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-05 15:52:37 +02:00
Gilles Peskine
f9408282e8 Implement psa_generate_key_custom
Implement `psa_generate_key_custom()` and
`psa_key_derivation_output_key_custom()`. These functions replace
`psa_generate_key_ext()` and `psa_key_derivation_output_key_ext()`.
They have the same functionality, but a slightly different interface:
the `ext` functions use a structure with a flexible array member to pass
variable-length data, while the `custom` functions use a separate parameter.

Keep the `ext` functions for backward compatibility with Mbed TLS 3.6.0.
But make them a thin wrapper around the new `custom` functions.

Duplicate the test code and data. The test cases have to be duplicated
anyway, and the test functions are individually more readable this way.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-05 15:49:22 +02:00
Ronald Cron
90ca4145cf Move crypto modules
Move all the modules that constitute
the crypto library as well as the
associated headers to tf-psa-crypto/core
for the PSA core modules and to
tf-psa-crypto/drivers/builtin/src for
the others.

The common.h file is copied instead of
being just moved as eventually they
will be different in mbedtls and
TF-PSA-Crypto. Some parts of it can be
shared though but this will be done later,
probably when adding the CMake build
system in tf-psa-crypto.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-07-10 08:07:34 +02:00