Commit Graph

28 Commits

Author SHA1 Message Date
Gilles Peskine
88fa5c463e Minor documentation improvements
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-04 21:00:53 +01:00
Gilles Peskine
c0963010c0 Document mbedtls_psa_external_random_context_t
Note that the implementation here is just a sample, and integrators
are expected to replace it with whatever they need.

But do try to supply a definition that can be somewhat useful (give
room for pointer+size).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 17:42:54 +01:00
Gilles Peskine
b8af22858d Autonomous random driver: declare the type and function
Define a sample type mbedtls_psa_external_random_context_t in
psa/crypto_platform.h and define the prototype of
mbedtls_psa_external_get_random() in a public header.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 16:28:09 +01:00
Gilles Peskine
662deb38d6
Merge pull request #3547 from ronald-cron-arm/psa-openless
Openless PSA crypto APIs implementation
2020-11-20 18:48:33 +01:00
Ronald Cron
c4d1b514ab Define handles as key identifiers
Define psa_key_handle_t to be equal to
mbedtls_svc_key_id_t. Make the handle of a persistent
key be equal to its key identifier. For volatile keys,
make the key handle equal to the volatile key
identifier of the created volatile key.

The unit tests are modified just to make them compile
not to make them run successfully. They are fixed in
the subsequent commits.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron
47a85614ed Introduce psa_key_handle_equal inline function
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron
c26f8d467a Introduce psa_key_handle_is_null inline function
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron
91e9515424 Introduce PSA_KEY_HANDLE_INIT macro
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Gilles Peskine
bce4dc028f Include config_psa.h from psa/crypto.h
When the new PSA crypto configuration mechanism MBEDTLS_PSA_CRYPTO_CONFIG
is disabled, legacy configurations must keep working, even if they don't
include the new header file mbedtls/config_psa.h. Code that uses or
implements PSA crypto interfaces needs some of the symbols defined by the
new header file. Therefore, include the new header file via PSA crypto
headers, which are included everywhere mbedtls/config_psa.h is needed.

Include it early, in psa/crypto_platform.h, just after including
mbedtls/config.h, so that its symbols are available wherever the symbols
from mbedtls/config.h is available.

This fixes the unit tests with configs/config-psa-crypto.h: some unit
tests were failing, revealing that library features controlled with
the new symbols were no longer getting built.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-09 15:17:07 +01:00
Ronald Cron
9a2511e78f Fix key owner identifier documentation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-15 08:50:20 +02:00
Ronald Cron
ecfb237f23 Fix PSA code and unit tests
Fix PSA code and unit tests for the unit tests
to pass with key identifiers encoding owner
identifiers.

The changes in PSA code just make the enablement
of key identifiers encoding owner identifiers
platform independent. Previous to this commit,
such key identifiers were used only in the case
of PSA SPM platforms.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-02 14:27:07 +02:00
Ronald Cron
71016a9ea7 psa: Rename psa_key_file_id_t to mbedtls_svc_key_id_t
With PSA crypto v1.0.0, a volatile key identifier may
contain a owner identifier but no file is associated
to it. Thus rename the type psa_key_file_id_t to
mbedtls_svc_key_id_t to avoid a direct link with a
file when a key identifier involves an owner
identifier.

The new type name is prefixed by mbedtls to highlight
that the type is specific to Mbed TLS implementation
and not defined in the PSA Cryptography API
specification.

The svc in the type name stands for service as this
is the key identifier type from the point of view of
the service providing the Cryptography services.
The service can be completely provided by the present
library or partially in case of a multi-client service.

As a consequence rename as well:
. MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER to
  MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
. PSA_KEY_ID_INIT to MBEDTLS_SVC_KEY_ID_INIT
. PSA_KEY_FILE_GET_KEY_ID to MBEDTLS_SVC_KEY_ID_GET_KEY_ID
. psa_key_file_id_make to mbedtls_svc_key_id_make

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-02 14:27:07 +02:00
Ronald Cron
72f65fc6e9 psa: Rename pss_key_owner_id_t to mbedtls_key_owner_id_t
Rename psa_key_owner_id_t to mbedtls_key_owner_id_t to
highlight that this is a Mbed TLS specific type and not
a type defined in the PSA Cryptography API specification.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-02 14:27:07 +02:00
Ronald Cron
039a98b598 Define always psa_key_id_t as defined in PSA crypto spec
Define always psa_key_id_t as defined in the PSA
Cryptography API specification independently of
whether the MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
configuration file is set or not.

As a consequence, get rid of `psa_app_key_id_t` that is
not needed anymore.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-02 14:27:07 +02:00
Ronald Cron
80b95101a9 psa: Move psa_key_file_id_t definition to crypto_types.h
`psa_key_file_id_t` was defined in `crypto_platform.h` and
not `crypto_types.h` even if it wasn't platform dependent
because back when the PSA Crypto Specification was put
together `crypto_types.h` was meant to contain only types
that were intended to make it to the specification. There
is not such constraint anymore thus move the definition
of `psa_key_file_id_t` to crypto_types.h.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-02 14:27:07 +02:00
Bence Szépkúti
1e14827beb Update copyright notices to use Linux Foundation guidance
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.

Also remove the now-redundant lines declaring that the files are part of
MbedTLS.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '

# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I

# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 10:35:41 +02:00
Jaeden Amero
8096969905
Merge pull request #139 from Patater/des-faster-and-typo-fix
Make DES self-test faster, and fix a typo
2019-09-04 12:18:39 +01:00
Jaeden Amero
95d8438138 crypto_platform: Fix typo 2019-09-04 10:11:45 +01:00
Jaeden Amero
39f03fcf1a psa: Add PSA_KEY_ID_INIT
A macro useful for initializing psa_key_id_t, whether
MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is set or not. Without this
macro, it is necessary to know if
MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER as with it the key ID is
non-scalar and needs to be initialized with {0, 0}, and 0 otherwise when
key ID is scalar.
2019-08-28 17:24:27 +01:00
Jaeden Amero
d58a00d5b7 psa: Avoid use of relative include paths
Relative include paths should be avoided. The build system will
determine where to pull in includes from. Specifically, `#include
"../mbedtls/config.h"` shouldn't be used. Use `#include
"mbedtls/config.h` instead, so that the submodule-building makefiles can
change which directory to use to get mbedtls include files from.

Fixes #141
2019-06-07 11:49:59 +01:00
Gilles Peskine
572f067205 PSA crypto service: encode the key owner (ITS backend only)
When building for the PSA crypto service (defined(PSA_CRYPTO_SECURE)),
define psa_key_owner_id_t as int32_t, which is how a PSA platform
encodes partition identity. Note that this only takes effect when the
build option MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is active.

Support this configuration in the ITS backend.
2019-02-20 12:52:09 +01:00
Gilles Peskine
69d7c8b2d7 Declare a psa_key_file_id_t layout with an owner field
Declare the owner as psa_key_owner_id_t, of which an implementation
must be provided separately.

Make this a configuration option
MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER, to make the conditional
compilation flow easier to follow. Declare it in config.h to
pacify check_names.sh.

Support for a specific implementation of psa_key_owner_id_t in storage
backends will come in a subsequent commit.
2019-02-20 12:52:09 +01:00
Gilles Peskine
5b229a06f4 Support encoding an owner in key file IDs
Differentiate between _key identifiers_, which are always `uint32_t`,
and _key file identifiers_, which are platform-dependent. Normally,
the two are the same.

In `psa/crypto_platform.h`, define `psa_app_key_id_t` (which is always
32 bits, the standard key identifier type) and
`psa_key_file_id_t` (which will be different in some service builds).
A subsequent commit will introduce a platform where the two are different.

It would make sense for the function declarations in `psa/crypto.h` to
use `psa_key_file_id_t`. However this file is currently part of the
PSA Crypto API specification, so it must stick to the standard type
`psa_key_id_t`. Hence, as long as the specification and Mbed Crypto
are not separate, use the implementation-specific file
`psa/crypto_platform.h` to define `psa_key_id_t` as `psa_key_file_id_t`.

In the library, systematically use `psa_key_file_id_t`.

    perl -i -pe 's/psa_key_id_t/psa_key_file_id_t/g' library/*.[hc]
2019-02-20 12:52:07 +01:00
Gilles Peskine
f6cc435a8a Remove psa_key_slot_t from public headers
This commit marks the beginning of the removal of support for direct
access to key slots. From this commit on, programs that use
psa_key_slot_t will no longer compile.

Subsequent commits will remove the now-unused legacy support in
psa_crypto.c.
2018-12-11 16:48:13 +01:00
Gilles Peskine
f535eb2e61 Declare the new slot management functions in crypto.h
No changes to existing functions.
2018-12-11 16:06:51 +01:00
Gilles Peskine
07c91f5df3 Add notes about the purpose and usage of auxiliary header files 2018-09-12 16:41:11 +03:00
Gilles Peskine
2f9c4dc5ad Add key management functions
Define psa_key_type_t and a first stab at a few values.

New functions psa_import_key, psa_export_key, psa_destroy_key,
psa_get_key_information. Implement them for raw data and RSA.

Under the hood, create an in-memory, fixed-size keystore with room
for MBEDTLS_PSA_KEY_SLOT_COUNT - 1 keys.
2018-09-05 11:53:24 +03:00
Gilles Peskine
e59236fc17 Add PSA crypto module
New module psa_crypto.c (MBEDTLS_PSA_CRYPTO_C):
Platform Security Architecture compatibility layer on top of
libmedcrypto.

Implement psa_crypto_init function which sets up a RNG.

Add a mbedtls_psa_crypto_free function which deinitializes the
library.

Define a first batch of error codes.
2018-09-05 10:59:00 +03:00