Reassure both humans and compilers that the places where we assign an
integer to a smaller type are safe.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We were only testing the static key store (MBEDTLS_PSA_KEY_STORE_DYNAMIC
disabled) with configs/*.h. Add a component with the static key store and
everything else (including built-in keys), and a component with the static
key store and CTR_DBRG using PSA for AES (which means PSA uses a volatile
key internally).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add a practical way to fill the dynamic key store by artificially limiting
the slice length through a test hook.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, key slots are now organized in
multiple slices. The slices are allocated on demand, which allows the key
store to grow. The size of slices grows exponentially, which allows reaching
a large number of slots with a small (static) number of slices without too
much overhead.
Maintain a linked list of free slots in each slice. This way, allocating a
slot takes O(1) time unless a slice needs to be allocated.
In this commit, slices are only ever freed when deinitializing the key
store. This should be improved in the future to free empty slices.
To avoid growing the persistent key cache without control, the persistent
key cache has a fixed size (reusing MBEDTLS_PSA_KEY_SLOT_COUNT to avoid
creating yet another option).
When MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled. no semantic change and
minimal changes to the code.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Place some fields of psa_key_slot_t in a union, to prepare for a new field
in free slots that should not require extra memory.
For occupied slots, place only the registered_readers field in the union,
not other fields, to minimize textual changes. All fields could move to the
union except state (also needed in free slots) and attr (which must stay
first to reduce the code size, because it is accessed at many call sites).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
It's impractical to fill the key store when it can grow to accommodate
millions of keys.
A later commit will restore those tests in test configurations with the
dynamic key store.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add some abstractions around code that traverses the key store, in
preparation for adding support for MBEDTLS_PSA_KEY_STORE_DYNAMIC.
No intended behavior change. The generated machine code should be
almost the same with an optimizing compiler (in principle, it could be the
same with sufficient constant folding and inlining, but in practice it will
likely be a few byes larger),
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Create a new compilation option for a dynamically resized key store. The
implementation will follow in subsequent commits.
This option is off by default with custom configuration files, which is best
for typical deployments on highly constrained platforms. This option is on
by default with the provided configuration file, which is best for typical
deployments on relatively high-end platforms.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
GNU Make 3.81 is officially not supported (we require >= 3.82), but be nice
to XCode users who are stuck with 3.81.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When PSA uses CTR_DRBG for its random generator and CTR_DRBG uses PSA for
AES, as currently implemented, there is one volatile key in permanent use
for the CTR_DRBG instance. Account for that in tests that want to know
exactly how many volatile keys are in use, or how many volatile keys can be
created.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When the PSA RNG uses AES through a PSA driver, it consumes one volatile key
identifier. When MBEDTLS_PSA_KEY_SLOT_DYNAMIC is enabled, that identifier
happens to coincide with the key ID value that the test case assumes not to
exist. Use a different value that avoids this coincidence.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Split the "many transient keys" test function in two: one that expects to
successfully create many keys, and one that expects to fill the key store.
This will make things easier when we add a dynamic key store where filling
the key store is not practical unless artificially limited.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The description was misleading: setting the option doesn't “restrict” the
number of slots, that restriction exists anyway. Setting the option merely
determines the value of the limit.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
PSA_KEY_ID_VOLATILE_MIN-1 is now in the persistent key ID range, so it's no
longer an invalid key ID for registration.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix interference between PSA volatile keys and built-in keys
when MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled and
MBEDTLS_PSA_KEY_SLOT_COUNT is more than 4096. This overlap used to make it
possible that a volatile key would receive the identifier of a built-in key,
and is now caught by a static assertion.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Ensure that a key ID can't be in range for more than one of volatile keys,
persistent (i.e. user-chosen) keys or built-in keys.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Restricting the built-in key range would be an API break since applications
can hard-code a built-in key value and expect that it won't clash with
anything else. Make it harder to accidentally break the API.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mbedtls_psa_register_se_key() is not usable with volatile keys, since there
is no way to return the implementation-chosen key identifier which would be
needed to use the key. Document this limitation. Reject an attempt to create
such an unusable key. Fixes#9253.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Make it possible, but not officially supported, to switch the CTR_DRBG
module to PSA mode even if MBEDTLS_AES_C is defined. This is not really
useful in practice, but is convenient to test the PSA mode without setting
up drivers.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
At the top level, the macro would have had to be used without a following
semicolon (except with permissive compilers that accept spurious semicolons
outside of a function), which is confusing to humans and indenters. Fix
that.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Remove the experimental functions psa_generate_key_ext() and
psa_key_derivation_output_key_ext(), which require a flexible array member
and therefore break C++ code that includes Mbed TLS headers. They have been
replaced by psa_generate_key_custom() and
psa_key_derivation_output_key_custom().
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
