authorDavid Hu <david.hu@arm.com>2021-05-19 16:43:19 +0800
committerDavid Hu <david.hu@arm.com>2021-06-24 12:16:06 +0200
commit105b4872fc9d1b3171a87a473727bdda153c255e (patch)
tree79ef708a8fd5b4a2a64c17344b4394e1264c4c07 /secure_fw/partitions
parentd0f6ceb0559af6ef08f4624eeac079cc07a1f077 (diff)
downloadtrusted-firmware-m-105b4872fc9d1b3171a87a473727bdda153c255e.tar.gz
Crypto: Support key ID without encoding key owner ID
Enable dealing with Mbed TLS key ID without encoding key owner ID when MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER is deselected. Deselect MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER in TF-M Profile Small. Isolating clients on the non-secure or secure side is usually not enforced in very simple usage scenarios on platforms with ultra-constrained resources. Also disable handle_owner[] if MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER is deselected. Modify the crypto_key.c implementation accordingly. Change-Id: Ie890473126be62d9f07c618b757d3818dfc4f8dd Signed-off-by: David Hu <david.hu@arm.com>
Diffstat (limited to 'secure_fw/partitions')
-rw-r--r--secure_fw/partitions/crypto/crypto_aead.c4
-rw-r--r--secure_fw/partitions/crypto/crypto_asymmetric.c8
-rw-r--r--secure_fw/partitions/crypto/crypto_cipher.c4
-rw-r--r--secure_fw/partitions/crypto/crypto_key.c322
-rw-r--r--secure_fw/partitions/crypto/crypto_key_derivation.c10
-rw-r--r--secure_fw/partitions/crypto/crypto_mac.c4
-rw-r--r--secure_fw/partitions/crypto/tfm_crypto_api.h7
7 files changed, 207 insertions, 152 deletions
diff --git a/secure_fw/partitions/crypto/crypto_aead.c b/secure_fw/partitions/crypto/crypto_aead.c
index d4aee11e44..bb43499618 100644
--- a/secure_fw/partitions/crypto/crypto_aead.c
+++ b/secure_fw/partitions/crypto/crypto_aead.c
@@ -53,7 +53,7 @@ psa_status_t tfm_crypto_aead_encrypt(psa_invec in_vec[],
/* Initialise ciphertext_length to zero. */
out_vec[0].len = 0;
- status = tfm_crypto_check_handle_owner(key_id, NULL);
+ status = tfm_crypto_check_handle_owner(key_id);
if (status != PSA_SUCCESS) {
return status;
}
@@ -103,7 +103,7 @@ psa_status_t tfm_crypto_aead_decrypt(psa_invec in_vec[],
/* Initialise plaintext_length to zero. */
out_vec[0].len = 0;
- status = tfm_crypto_check_handle_owner(key_id, NULL);
+ status = tfm_crypto_check_handle_owner(key_id);
if (status != PSA_SUCCESS) {
return status;
}
diff --git a/secure_fw/partitions/crypto/crypto_asymmetric.c b/secure_fw/partitions/crypto/crypto_asymmetric.c
index 8bf922d144..1291562fe1 100644
--- a/secure_fw/partitions/crypto/crypto_asymmetric.c
+++ b/secure_fw/partitions/crypto/crypto_asymmetric.c
@@ -43,7 +43,7 @@ psa_status_t tfm_crypto_sign_hash(psa_invec in_vec[],
size_t signature_size = out_vec[0].len;
mbedtls_svc_key_id_t encoded_key;
- psa_status_t status = tfm_crypto_check_handle_owner(key_id, NULL);
+ psa_status_t status = tfm_crypto_check_handle_owner(key_id);
if (status != PSA_SUCCESS) {
return status;
}
@@ -81,7 +81,7 @@ psa_status_t tfm_crypto_verify_hash(psa_invec in_vec[],
const uint8_t *signature = in_vec[2].base;
size_t signature_length = in_vec[2].len;
mbedtls_svc_key_id_t encoded_key;
- psa_status_t status = tfm_crypto_check_handle_owner(key_id, NULL);
+ psa_status_t status = tfm_crypto_check_handle_owner(key_id);
if (status != PSA_SUCCESS) {
return status;
@@ -127,7 +127,7 @@ psa_status_t tfm_crypto_asymmetric_encrypt(psa_invec in_vec[],
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
mbedtls_svc_key_id_t encoded_key;
- status = tfm_crypto_check_handle_owner(key_id, NULL);
+ status = tfm_crypto_check_handle_owner(key_id);
if (status != PSA_SUCCESS) {
return status;
}
@@ -185,7 +185,7 @@ psa_status_t tfm_crypto_asymmetric_decrypt(psa_invec in_vec[],
psa_status_t status;
mbedtls_svc_key_id_t encoded_key;
- status = tfm_crypto_check_handle_owner(key_id, NULL);
+ status = tfm_crypto_check_handle_owner(key_id);
if (status != PSA_SUCCESS) {
return status;
}
diff --git a/secure_fw/partitions/crypto/crypto_cipher.c b/secure_fw/partitions/crypto/crypto_cipher.c
index 5a318efd83..6318d0f808 100644
--- a/secure_fw/partitions/crypto/crypto_cipher.c
+++ b/secure_fw/partitions/crypto/crypto_cipher.c
@@ -123,7 +123,7 @@ psa_status_t tfm_crypto_cipher_encrypt_setup(psa_invec in_vec[],
psa_algorithm_t alg = iov->alg;
mbedtls_svc_key_id_t encoded_key;
- status = tfm_crypto_check_handle_owner(key_id, NULL);
+ status = tfm_crypto_check_handle_owner(key_id);
if (status != PSA_SUCCESS) {
return status;
}
@@ -180,7 +180,7 @@ psa_status_t tfm_crypto_cipher_decrypt_setup(psa_invec in_vec[],
psa_algorithm_t alg = iov->alg;
mbedtls_svc_key_id_t encoded_key;
- status = tfm_crypto_check_handle_owner(key_id, NULL);
+ status = tfm_crypto_check_handle_owner(key_id);
if (status != PSA_SUCCESS) {
return status;
}
diff --git a/secure_fw/partitions/crypto/crypto_key.c b/secure_fw/partitions/crypto/crypto_key.c
index d07eef3c1d..e1db197cfe 100644
--- a/secure_fw/partitions/crypto/crypto_key.c
+++ b/secure_fw/partitions/crypto/crypto_key.c
@@ -13,21 +13,129 @@
#include "tfm_crypto_api.h"
#include "tfm_crypto_defs.h"
#include "tfm_crypto_private.h"
-#include <stdbool.h>
+#ifndef TFM_CRYPTO_KEY_MODULE_DISABLED
+#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
#ifndef TFM_CRYPTO_MAX_KEY_HANDLES
#define TFM_CRYPTO_MAX_KEY_HANDLES (32)
#endif
+
struct tfm_crypto_handle_owner_s {
int32_t owner; /*!< Owner of the allocated handle */
psa_key_id_t key; /*!< Allocated key */
uint8_t in_use; /*!< Flag to indicate if this in use */
};
-#ifndef TFM_CRYPTO_KEY_MODULE_DISABLED
static struct tfm_crypto_handle_owner_s
handle_owner[TFM_CRYPTO_MAX_KEY_HANDLES] = {0};
-#endif
+
+static void set_handle_owner(uint8_t idx, int32_t client_id,
+ psa_key_id_t key_handle)
+{
+ /* Skip checking idx */
+
+ handle_owner[idx].owner = client_id;
+ handle_owner[idx].key = key_handle;
+ handle_owner[idx].in_use = TFM_CRYPTO_IN_USE;
+}
+
+static void clean_handle_owner(uint8_t idx)
+{
+ /* Skip checking idx */
+
+ handle_owner[idx].owner = TFM_INVALID_CLIENT_ID;
+ handle_owner[idx].key = NULL;
+ handle_owner[idx].in_use = TFM_CRYPTO_NOT_IN_USE;
+}
+
+static psa_status_t find_empty_handle_owner_slot(uint8_t *idx)
+{
+ uint8_t i;
+
+ for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
+ if (handle_owner[i].in_use == TFM_CRYPTO_NOT_IN_USE) {
+ *idx = i;
+ return PSA_SUCCESS;
+ }
+ }
+
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+}
+
+/*
+ * Check that the requested handle belongs to the requesting partition
+ *
+ * Argument idx is optional. It points to the buffer to hold the internal
+ * index corresponding to the input handle. Valid only on PSA_SUCCESS.
+ * It is filled only if the input pointer is not NULL.
+ *
+ * Return values as described in \ref psa_status_t
+ */
+static psa_status_t check_handle_owner(psa_key_id_t key, uint8_t *idx)
+{
+ int32_t client_id = 0;
+ uint8_t i = 0;
+ psa_status_t status;
+
+ status = tfm_crypto_get_caller_id(&client_id);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
+ if (handle_owner[i].in_use && handle_owner[i].key == key) {
+ if (handle_owner[i].owner == client_id) {
+ if (idx) {
+ *idx = i;
+ }
+ return PSA_SUCCESS;
+ } else {
+ return PSA_ERROR_NOT_PERMITTED;
+ }
+ }
+ }
+
+ return PSA_ERROR_INVALID_HANDLE;
+}
+
+static void encoded_key_id_make(psa_key_id_t key, uint8_t slot_idx,
+ mbedtls_svc_key_id_t *encoded_key)
+{
+ /* Skip checking encoded_key */
+ *encoded_key = mbedtls_svc_key_id_make(handle_owner[slot_idx].owner, key);
+}
+#else /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
+#define set_handle_owner(idx, client_id, key_handle) do {} while (0)
+#define clean_handle_owner(idx) do {} while (0)
+
+static inline psa_status_t find_empty_handle_owner_slot(uint8_t *idx)
+{
+ *idx = 0;
+
+ return PSA_SUCCESS;
+}
+
+static inline psa_status_t check_handle_owner(psa_key_id_t key, uint8_t *idx)
+{
+ (void)key;
+
+ if (idx) {
+ *idx = 0;
+ }
+
+ return PSA_SUCCESS;
+}
+
+static inline void encoded_key_id_make(psa_key_id_t key, uint8_t slot_idx,
+ mbedtls_svc_key_id_t *encoded_key)
+{
+ (void)slot_idx;
+
+ /* Skip checking encoded_key */
+ *encoded_key = mbedtls_svc_key_id_make(TFM_INVALID_CLIENT_ID, key);
+}
+#endif /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
+#endif /* !TFM_CRYPTO_KEY_MODULE_DISABLED */
/*!
* \defgroup public Public functions
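Review bot: `handle_owner[idx].key = NULL;` in clean_handle_owner stores a null pointer constant into `psa_key_id_t`, an integer field (the writes it replaces later in this file use `handle_owner[index].key = 0`), so it should read `handle_owner[idx].key = 0;` to compile cleanly where NULL expands to `((void *)0)`. The slot index is also narrowed to `uint8_t` in set_handle_owner, find_empty_handle_owner_slot and check_handle_owner while TFM_CRYPTO_MAX_KEY_HANDLES stays an overridable build setting; with a value above 255 the `uint8_t i` loops never terminate, so guard the default with `#if TFM_CRYPTO_MAX_KEY_HANDLES > UINT8_MAX` / `#error "TFM_CRYPTO_MAX_KEY_HANDLES must fit in uint8_t"`. The `#else` stubs deserve a short comment stating that without MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER check_handle_owner accepts every key id and neither per-client ownership nor the slot-count limit is enforced, since that is the isolation trade-off a reader of this file needs to see.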
@@ -53,8 +161,12 @@ psa_status_t tfm_crypto_key_attributes_from_client(
key_attributes->core.bits = client_key_attr->bits;
/* Use the client key id as the key_id and its partition id as the owner */
+#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
key_attributes->core.id.key_id = client_key_attr->id;
key_attributes->core.id.owner = client_id;
+#else
+ key_attributes->core.id = client_key_attr->id;
+#endif
return PSA_SUCCESS;
}
@@ -78,40 +190,21 @@ psa_status_t tfm_crypto_key_attributes_to_client(
client_key_attr->bits = key_attributes->core.bits;
/* Return the key_id as the client key id, do not return the owner */
+#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
client_key_attr->id = key_attributes->core.id.key_id;
+#else
+ client_key_attr->id = key_attributes->core.id;
+#endif
return PSA_SUCCESS;
}
-psa_status_t tfm_crypto_check_handle_owner(psa_key_id_t key,
- uint32_t *index)
+psa_status_t tfm_crypto_check_handle_owner(psa_key_id_t key)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
#else
- int32_t partition_id = 0;
- uint32_t i = 0;
- psa_status_t status;
-
- status = tfm_crypto_get_caller_id(&partition_id);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
- if (handle_owner[i].in_use && handle_owner[i].key == key) {
- if (handle_owner[i].owner == partition_id) {
- if (index != NULL) {
- *index = i;
- }
- return PSA_SUCCESS;
- } else {
- return PSA_ERROR_NOT_PERMITTED;
- }
- }
- }
-
- return PSA_ERROR_INVALID_HANDLE;
+ return check_handle_owner(key, NULL);
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
@@ -141,16 +234,7 @@ psa_status_t tfm_crypto_check_key_storage(uint32_t *index)
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
#else
- uint32_t i;
-
- for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
- if (handle_owner[i].in_use == TFM_CRYPTO_NOT_IN_USE) {
- *index = i;
- return PSA_SUCCESS;
- }
- }
-
- return PSA_ERROR_INSUFFICIENT_MEMORY;
+ return find_empty_handle_owner_slot((uint8_t *)index);
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
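Review bot: `find_empty_handle_owner_slot((uint8_t *)index)` writes a single byte through a pointer to the caller's `uint32_t`, leaving its other three bytes whatever they were; a caller that declares `uint32_t index;` uninitialised (tfm_crypto_key_derivation_output_key passes `index` on to tfm_crypto_set_key_storage in the crypto_key_derivation.c hunk) then forwards a partly-indeterminate value, and it only appears to work because set_handle_owner truncates it back to `uint8_t` on a little-endian target. Use a local `uint8_t` and widen it on success instead of punning the pointer. tfm_crypto_check_key_storage's signature is outside this hunk.
```c
    uint8_t slot = 0;
    psa_status_t status = find_empty_handle_owner_slot(&slot);
    if (status == PSA_SUCCESS) {
        *index = slot;
    }
    return status;
```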
@@ -168,9 +252,7 @@ psa_status_t tfm_crypto_set_key_storage(uint32_t index,
return status;
}
- handle_owner[index].owner = partition_id;
- handle_owner[index].key = key_handle;
- handle_owner[index].in_use = TFM_CRYPTO_IN_USE;
+ set_handle_owner(index, partition_id, key_handle);
return PSA_SUCCESS;
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
@@ -225,20 +307,13 @@ psa_status_t tfm_crypto_import_key(psa_invec in_vec[],
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
- uint32_t i = 0;
+ uint8_t i = 0;
mbedtls_svc_key_id_t encoded_key;
int32_t partition_id = 0;
- bool empty_found = false;
-
- for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
- if (handle_owner[i].in_use == TFM_CRYPTO_NOT_IN_USE) {
- empty_found = true;
- break;
- }
- }
- if (!empty_found) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
+ status = find_empty_handle_owner_slot(&i);
+ if (status != PSA_SUCCESS) {
+ return status;
}
status = tfm_crypto_get_caller_id(&partition_id);
@@ -255,12 +330,14 @@ psa_status_t tfm_crypto_import_key(psa_invec in_vec[],
status = psa_import_key(&key_attributes, data, data_length, &encoded_key);
/* Update the imported key id */
+#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
*psa_key = encoded_key.key_id;
+#else
+ *psa_key = (psa_key_id_t)encoded_key;
+#endif
if (status == PSA_SUCCESS) {
- handle_owner[i].owner = partition_id;
- handle_owner[i].key = *psa_key;
- handle_owner[i].in_use = TFM_CRYPTO_IN_USE;
+ set_handle_owner(i, partition_id, *psa_key);
}
return status;
@@ -289,16 +366,11 @@ psa_status_t tfm_crypto_open_key(psa_invec in_vec[],
psa_status_t status;
mbedtls_svc_key_id_t encoded_key;
int32_t partition_id;
- uint32_t i;
+ uint8_t i;
- for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
- if (handle_owner[i].in_use == TFM_CRYPTO_NOT_IN_USE) {
- break;
- }
- }
-
- if (i == TFM_CRYPTO_MAX_KEY_HANDLES) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
+ status = find_empty_handle_owner_slot(&i);
+ if (status != PSA_SUCCESS) {
+ return status;
}
status = tfm_crypto_get_caller_id(&partition_id);
@@ -310,12 +382,14 @@ psa_status_t tfm_crypto_open_key(psa_invec in_vec[],
encoded_key = mbedtls_svc_key_id_make(partition_id, client_key_id);
status = psa_open_key(encoded_key, &encoded_key);
+#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
*key = encoded_key.key_id;
+#else
+ *key = (psa_key_id_t)encoded_key;
+#endif
if (status == PSA_SUCCESS) {
- handle_owner[i].owner = partition_id;
- handle_owner[i].key = *key;
- handle_owner[i].in_use = TFM_CRYPTO_IN_USE;
+ set_handle_owner(i, partition_id, *key);
}
return status;
@@ -340,21 +414,20 @@ psa_status_t tfm_crypto_close_key(psa_invec in_vec[],
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
psa_key_id_t key = iov->key_id;
- uint32_t index;
+ uint8_t index;
mbedtls_svc_key_id_t encoded_key;
+ psa_status_t status;
- psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
+ status = check_handle_owner(key, &index);
if (status != PSA_SUCCESS) {
return status;
}
- encoded_key = mbedtls_svc_key_id_make(handle_owner[index].owner, key);
- status = psa_close_key(encoded_key);
+ encoded_key_id_make(key, index, &encoded_key);
+ status = psa_close_key(encoded_key);
if (status == PSA_SUCCESS) {
- handle_owner[index].owner = 0;
- handle_owner[index].key = 0;
- handle_owner[index].in_use = TFM_CRYPTO_NOT_IN_USE;
+ clean_handle_owner(index);
}
return status;
@@ -378,21 +451,20 @@ psa_status_t tfm_crypto_destroy_key(psa_invec in_vec[],
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
psa_key_id_t key = iov->key_id;
- uint32_t index;
+ uint8_t index;
mbedtls_svc_key_id_t encoded_key;
+ psa_status_t status;
- psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
+ status = check_handle_owner(key, &index);
if (status != PSA_SUCCESS) {
return status;
}
- encoded_key = mbedtls_svc_key_id_make(handle_owner[index].owner, key);
+ encoded_key_id_make(key, index, &encoded_key);
status = psa_destroy_key(encoded_key);
if (status == PSA_SUCCESS) {
- handle_owner[index].owner = 0;
- handle_owner[index].key = 0;
- handle_owner[index].in_use = TFM_CRYPTO_NOT_IN_USE;
+ clean_handle_owner(index);
}
return status;
@@ -421,16 +493,14 @@ psa_status_t tfm_crypto_get_key_attributes(psa_invec in_vec[],
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
mbedtls_svc_key_id_t encoded_key;
+ uint8_t index;
- status = tfm_crypto_check_handle_owner(key, NULL);
+ status = check_handle_owner(key, &index);
if (status != PSA_SUCCESS) {
return status;
}
- status = tfm_crypto_encode_id_and_owner(key, &encoded_key);
- if (status != PSA_SUCCESS) {
- return status;
- }
+ encoded_key_id_make(key, index, &encoded_key);
status = psa_get_key_attributes(encoded_key, &key_attributes);
if (status == PSA_SUCCESS) {
@@ -502,15 +572,16 @@ psa_status_t tfm_crypto_export_key(psa_invec in_vec[],
uint8_t *data = out_vec[0].base;
size_t data_size = out_vec[0].len;
mbedtls_svc_key_id_t encoded_key;
- uint32_t index;
-
- psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
+ psa_status_t status;
+ uint8_t index;
+ status = check_handle_owner(key, &index);
if (status != PSA_SUCCESS) {
return status;
}
- encoded_key = mbedtls_svc_key_id_make(handle_owner[index].owner, key);
+ encoded_key_id_make(key, index, &encoded_key);
+
return psa_export_key(encoded_key, data, data_size,
&(out_vec[0].len));
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
@@ -535,15 +606,15 @@ psa_status_t tfm_crypto_export_public_key(psa_invec in_vec[],
uint8_t *data = out_vec[0].base;
size_t data_size = out_vec[0].len;
mbedtls_svc_key_id_t encoded_key;
- uint32_t index;
-
- psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
+ psa_status_t status;
+ uint8_t index;
+ status = check_handle_owner(key, &index);
if (status != PSA_SUCCESS) {
return status;
}
- encoded_key = mbedtls_svc_key_id_make(handle_owner[index].owner, key);
+ encoded_key_id_make(key, index, &encoded_key);
return psa_export_public_key(encoded_key, data, data_size,
&(out_vec[0].len));
@@ -567,22 +638,20 @@ psa_status_t tfm_crypto_purge_key(psa_invec in_vec[],
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
psa_key_id_t key = iov->key_id;
- uint32_t index;
mbedtls_svc_key_id_t encoded_key;
+ psa_status_t status;
+ uint8_t index;
- psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
-
+ status = check_handle_owner(key, &index);
if (status != PSA_SUCCESS) {
return status;
}
- encoded_key = mbedtls_svc_key_id_make(handle_owner[index].owner, key);
+ encoded_key_id_make(key, index, &encoded_key);
status = psa_purge_key(encoded_key);
if (status == PSA_SUCCESS) {
- handle_owner[index].owner = 0;
- handle_owner[index].key = 0;
- handle_owner[index].in_use = TFM_CRYPTO_NOT_IN_USE;
+ clean_handle_owner(index);
}
return status;
@@ -612,21 +681,14 @@ psa_status_t tfm_crypto_copy_key(psa_invec in_vec[],
const struct psa_client_key_attributes_s *client_key_attr = in_vec[1].base;
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
- uint32_t i = 0;
+ uint8_t i = 0;
int32_t partition_id = 0;
- bool empty_found = false;
mbedtls_svc_key_id_t target_key;
mbedtls_svc_key_id_t encoded_key;
- for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
- if (handle_owner[i].in_use == TFM_CRYPTO_NOT_IN_USE) {
- empty_found = true;
- break;
- }
- }
-
- if (!empty_found) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
+ status = find_empty_handle_owner_slot(&i);
+ if (status != PSA_SUCCESS) {
+ return status;
}
status = tfm_crypto_get_caller_id(&partition_id);
@@ -641,22 +703,21 @@ psa_status_t tfm_crypto_copy_key(psa_invec in_vec[],
return status;
}
- status = tfm_crypto_check_handle_owner(source_key_id, NULL);
+ status = check_handle_owner(source_key_id, NULL);
if (status != PSA_SUCCESS) {
return status;
}
- status = tfm_crypto_encode_id_and_owner(source_key_id, &encoded_key);
- if (status != PSA_SUCCESS) {
- return status;
- }
+ encoded_key_id_make(source_key_id, i, &encoded_key);
status = psa_copy_key(encoded_key, &key_attributes, &target_key);
+#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
*target_key_id = target_key.key_id;
+#else
+ *target_key_id = (psa_key_id_t)target_key;
+#endif
if (status == PSA_SUCCESS) {
- handle_owner[i].owner = partition_id;
- handle_owner[i].key = *target_key_id;
- handle_owner[i].in_use = TFM_CRYPTO_IN_USE;
+ set_handle_owner(i, partition_id, *target_key_id);
}
return status;
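Review bot: `encoded_key_id_make(source_key_id, i, &encoded_key);` passes `i`, the empty slot that find_empty_handle_owner_slot returned earlier in this function, but with MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined encoded_key_id_make reads `handle_owner[slot_idx].owner`, so the source key is encoded with the owner field of an unused slot rather than with the caller that check_handle_owner just validated. The psa_copy_key lookup is then made under the wrong owner and, as far as the visible code shows, cannot find the key the caller actually owns. Take the index from the ownership check: `status = check_handle_owner(source_key_id, &src_idx);` and `encoded_key_id_make(source_key_id, src_idx, &encoded_key);`, with `uint8_t src_idx;` declared alongside `i` at the top of tfm_crypto_copy_key in the previous hunk.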
@@ -683,20 +744,13 @@ psa_status_t tfm_crypto_generate_key(psa_invec in_vec[],
const struct psa_client_key_attributes_s *client_key_attr = in_vec[1].base;
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
- uint32_t i = 0;
+ uint8_t i = 0;
int32_t partition_id = 0;
- bool empty_found = false;
mbedtls_svc_key_id_t encoded_key;
- for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
- if (handle_owner[i].in_use == TFM_CRYPTO_NOT_IN_USE) {
- empty_found = true;
- break;
- }
- }
-
- if (!empty_found) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
+ status = find_empty_handle_owner_slot(&i);
+ if (status != PSA_SUCCESS) {
+ return status;
}
status = tfm_crypto_get_caller_id(&partition_id);
@@ -712,12 +766,14 @@ psa_status_t tfm_crypto_generate_key(psa_invec in_vec[],
}
status = psa_generate_key(&key_attributes, &encoded_key);
+#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
*key_handle = encoded_key.key_id;
+#else
+ *key_handle = (psa_key_id_t)encoded_key;
+#endif
if (status == PSA_SUCCESS) {
- handle_owner[i].owner = partition_id;
- handle_owner[i].key = *key_handle;
- handle_owner[i].in_use = TFM_CRYPTO_IN_USE;
+ set_handle_owner(i, partition_id, *key_handle);
}
return status;
diff --git a/secure_fw/partitions/crypto/crypto_key_derivation.c b/secure_fw/partitions/crypto/crypto_key_derivation.c
index 2e1d7f8196..38fda1b19c 100644
--- a/secure_fw/partitions/crypto/crypto_key_derivation.c
+++ b/secure_fw/partitions/crypto/crypto_key_derivation.c
@@ -339,7 +339,7 @@ psa_status_t tfm_crypto_key_derivation_input_key(psa_invec in_vec[],
psa_key_derivation_operation_t *operation = NULL;
mbedtls_svc_key_id_t encoded_key;
- status = tfm_crypto_check_handle_owner(key_id, NULL);
+ status = tfm_crypto_check_handle_owner(key_id);
if (status != PSA_SUCCESS) {
return status;
}
@@ -421,7 +421,11 @@ psa_status_t tfm_crypto_key_derivation_output_key(psa_invec in_vec[],
status = psa_key_derivation_output_key(&key_attributes, operation,
&encoded_key);
}
+#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
*key_handle = encoded_key.key_id;
+#else
+ *key_handle = (psa_key_id_t)encoded_key;
+#endif
if (status == PSA_SUCCESS) {
status = tfm_crypto_set_key_storage(index, *key_handle);
@@ -509,7 +513,7 @@ psa_status_t tfm_crypto_key_derivation_key_agreement(psa_invec in_vec[],
psa_key_derivation_step_t step = iov->step;
mbedtls_svc_key_id_t encoded_key;
- status = tfm_crypto_check_handle_owner(private_key, NULL);
+ status = tfm_crypto_check_handle_owner(private_key);
if (status != PSA_SUCCESS) {
return status;
}
@@ -557,7 +561,7 @@ psa_status_t tfm_crypto_raw_key_agreement(psa_invec in_vec[],
size_t peer_key_length = in_vec[1].len;
mbedtls_svc_key_id_t encoded_key;
- psa_status_t status = tfm_crypto_check_handle_owner(private_key, NULL);
+ psa_status_t status = tfm_crypto_check_handle_owner(private_key);
if (status != PSA_SUCCESS) {
return status;
diff --git a/secure_fw/partitions/crypto/crypto_mac.c b/secure_fw/partitions/crypto/crypto_mac.c
index e0f3a6f02e..1c4beae782 100644
--- a/secure_fw/partitions/crypto/crypto_mac.c
+++ b/secure_fw/partitions/crypto/crypto_mac.c
@@ -44,7 +44,7 @@ psa_status_t tfm_crypto_mac_sign_setup(psa_invec in_vec[],
psa_algorithm_t alg = iov->alg;
mbedtls_svc_key_id_t encoded_key;
- status = tfm_crypto_check_handle_owner(key_id, NULL);
+ status = tfm_crypto_check_handle_owner(key_id);
if (status != PSA_SUCCESS) {
return status;
}
@@ -105,7 +105,7 @@ psa_status_t tfm_crypto_mac_verify_setup(psa_invec in_vec[],
psa_algorithm_t alg = iov->alg;
mbedtls_svc_key_id_t encoded_key;
- status = tfm_crypto_check_handle_owner(key_id, NULL);
+ status = tfm_crypto_check_handle_owner(key_id);
if (status != PSA_SUCCESS) {
return status;
}
diff --git a/secure_fw/partitions/crypto/tfm_crypto_api.h b/secure_fw/partitions/crypto/tfm_crypto_api.h
index 3f3d9bf097..7e85b22e99 100644
--- a/secure_fw/partitions/crypto/tfm_crypto_api.h
+++ b/secure_fw/partitions/crypto/tfm_crypto_api.h
@@ -100,15 +100,10 @@ psa_status_t tfm_crypto_key_attributes_to_client(
* partition
*
* \param[in] key key given as input
- * \param[out] index Optionally, pointer to hold the internal index
- * corresponding to the input handle. Valid only
- * on PSA_SUCCESS, it's returned only if the input
- * parameter is not NULL.
*
* \return Return values as described in \ref psa_status_t
*/
-psa_status_t tfm_crypto_check_handle_owner(psa_key_id_t key,
- uint32_t *index);
+psa_status_t tfm_crypto_check_handle_owner(psa_key_id_t key);
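Review bot: The brief for tfm_crypto_check_handle_owner still promises that the handle belongs to the requesting partition, yet with MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER deselected the crypto_key.c implementation forwards to a stub that returns PSA_SUCCESS for any key id. Add a line such as `* \note Ownership is only verified when MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER is defined; otherwise the call always succeeds.` so callers in the other partition files do not read a success status as proof of ownership.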
/**
* \brief Checks that there is enough local storage in RAM to keep another key,