Forbid volatile key identifiers for non volatile keys

Volatile key identifiers in the vendor range are reserved to volatile keys thus don't allow them for persistent keys when creating a key. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-11-22 17:55:40 +01:00 · 2020-10-15 19:24:49 +02:00 · 2020-10-15 19:24:49 +02:00 · fc9c556127
commit fc9c556127
parent f67aefed3f
5 changed files with 30 additions and 10 deletions
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@ -1792,7 +1792,7 @@ static psa_status_t psa_validate_key_attributes(
    {
        status = psa_validate_key_id(
            psa_get_key_id( attributes ),
-            psa_key_lifetime_is_external( lifetime ) );
+            psa_key_lifetime_is_external( lifetime ), 0 );

        if( status != PSA_SUCCESS )
            return( status );
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@ -51,7 +51,8 @@ typedef struct

 static psa_global_data_t global_data;

-psa_status_t psa_validate_key_id( mbedtls_svc_key_id_t key, int vendor_ok )
+psa_status_t psa_validate_key_id(
+    mbedtls_svc_key_id_t key, int vendor_ok, int volatile_ok )
 {
    psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key );

@ -61,7 +62,12 @@ psa_status_t psa_validate_key_id( mbedtls_svc_key_id_t key, int vendor_ok )

    if( vendor_ok &&
        ( PSA_KEY_ID_VENDOR_MIN <= key_id ) &&
-        ( key_id <= PSA_KEY_ID_VENDOR_MAX ) )
+        ( key_id < PSA_KEY_ID_VOLATILE_MIN ) )
+        return( PSA_SUCCESS );
+
+    if( volatile_ok &&
+        ( PSA_KEY_ID_VOLATILE_MIN <= key_id ) &&
+        ( key_id <= PSA_KEY_ID_VOLATILE_MAX ) )
        return( PSA_SUCCESS );

    return( PSA_ERROR_INVALID_HANDLE );
@ -191,7 +197,7 @@ psa_status_t psa_get_key_slot( mbedtls_svc_key_id_t key,
    if( ! global_data.key_slots_initialized )
        return( PSA_ERROR_BAD_STATE );

-    status = psa_validate_key_id( key, 1 );
+    status = psa_validate_key_id( key, 1, 1 );
    if( status != PSA_SUCCESS )
        return( status );

--- a/library/psa_crypto_slot_management.h
+++ b/library/psa_crypto_slot_management.h
@ -155,13 +155,17 @@ psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime );

 /** Validate a key identifier.
 *
- * \param[in] key        The key identifier.
- * \param[in] vendor_ok  Non-zero to indicate that key identifiers in the
- *                       vendor range are allowed, \c 0 otherwise.
+ * \param[in] key           The key identifier.
+ * \param[in] vendor_ok     Non-zero to indicate that key identifiers in the
+ *                          vendor range are allowed, volatile key identifiers
+ *                          excepted \c 0 otherwise.
+ * \param[in] volatile_ok   Non-zero to indicate that volatile key identifiers
+ *                          are allowed \c 0 otherwise.
 *
 * \retval #PSA_SUCCESS The identifier is valid.
 * \retval #PSA_ERROR_INVALID_ARGUMENT The key identifier is not valid.
 */
-psa_status_t psa_validate_key_id( mbedtls_svc_key_id_t key, int vendor_ok );
+psa_status_t psa_validate_key_id(
+    mbedtls_svc_key_id_t key, int vendor_ok, int volatile_ok );

 #endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal.data
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.data
@ -150,8 +150,17 @@ register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:1:-1:PSA_ERROR_NOT_SUPPORT
 Key registration: key id out of range
 register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VENDOR_MAX+1:-1:PSA_ERROR_INVALID_HANDLE

-Key registration: key id in vendor range
-register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VENDOR_MAX:1:PSA_SUCCESS
+Key registration: key id min vendor
+register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VENDOR_MIN:1:PSA_SUCCESS
+
+Key registration: key id max vendor except volatile
+register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VOLATILE_MIN-1:1:PSA_SUCCESS
+
+Key registration: key id min volatile
+register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VOLATILE_MIN:1:PSA_ERROR_INVALID_HANDLE
+
+Key registration: key id max volatile
+register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VOLATILE_MAX:1:PSA_ERROR_INVALID_HANDLE

 Import-sign-verify: sign in driver, ECDSA
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function
@ -3,6 +3,7 @@
 #include "psa/crypto_se_driver.h"

 #include "psa_crypto_se.h"
+#include "psa_crypto_slot_management.h"
 #include "psa_crypto_storage.h"

 /* Invasive peeking: check the persistent data */