Crypto: Upgrade Mbed TLS to 2.25
Set the MBEDCRYPTO_VERSION to 2.25.0.
First three patches in existing v2.24 already applied in v2.25
and hence removed.
Replaced MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER with
MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER in all configuration and
source as updated in v2.25 library.
Update all headers of psa/include as per mbedtls-v2.25 excluding
changes required to hide some implementation.
Update id field in the client_key_attributes structure to
psa_key_id_t.
Update Copyright year to 2021!
Removed patch 006 as not required in MbedTLS v2.25.0.
Update references of handle to key as per MbedTLS api changes.
Increase NUM_HANDLES to 32 to accommodate crypto api tests.
Added corresponding tfm implementation of psa_purge_key().
Signed-off-by: Maulik Patel <maulik.patel@arm.com>
Change-Id: I6a532da96735cf32996250c4a8733a8654c1f44e
diff --git a/secure_fw/partitions/crypto/crypto_key.c b/secure_fw/partitions/crypto/crypto_key.c
index a2ca7d8..d07eef3 100644
--- a/secure_fw/partitions/crypto/crypto_key.c
+++ b/secure_fw/partitions/crypto/crypto_key.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -16,11 +16,11 @@
#include <stdbool.h>
#ifndef TFM_CRYPTO_MAX_KEY_HANDLES
-#define TFM_CRYPTO_MAX_KEY_HANDLES (16)
+#define TFM_CRYPTO_MAX_KEY_HANDLES (32)
#endif
struct tfm_crypto_handle_owner_s {
int32_t owner; /*!< Owner of the allocated handle */
- psa_key_handle_t handle; /*!< Allocated handle */
+ psa_key_id_t key; /*!< Allocated key */
uint8_t in_use; /*!< Flag to indicate if this in use */
};
@@ -35,9 +35,9 @@
*/
/*!@{*/
psa_status_t tfm_crypto_key_attributes_from_client(
- const struct psa_client_key_attributes_s *client_key_attr,
- int32_t client_id,
- psa_key_attributes_t *key_attributes)
+ const struct psa_client_key_attributes_s *client_key_attr,
+ int32_t client_id,
+ psa_key_attributes_t *key_attributes)
{
if (client_key_attr == NULL || key_attributes == NULL) {
return PSA_ERROR_PROGRAMMER_ERROR;
@@ -60,8 +60,8 @@
}
psa_status_t tfm_crypto_key_attributes_to_client(
- const psa_key_attributes_t *key_attributes,
- struct psa_client_key_attributes_s *client_key_attr)
+ const psa_key_attributes_t *key_attributes,
+ struct psa_client_key_attributes_s *client_key_attr)
{
if (client_key_attr == NULL || key_attributes == NULL) {
return PSA_ERROR_PROGRAMMER_ERROR;
@@ -83,7 +83,7 @@
return PSA_SUCCESS;
}
-psa_status_t tfm_crypto_check_handle_owner(psa_key_handle_t handle,
+psa_status_t tfm_crypto_check_handle_owner(psa_key_id_t key,
uint32_t *index)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
@@ -99,7 +99,7 @@
}
for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
- if (handle_owner[i].in_use && handle_owner[i].handle == handle) {
+ if (handle_owner[i].in_use && handle_owner[i].key == key) {
if (handle_owner[i].owner == partition_id) {
if (index != NULL) {
*index = i;
@@ -115,6 +115,27 @@
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
+psa_status_t tfm_crypto_encode_id_and_owner(psa_key_id_t key_id,
+ mbedtls_svc_key_id_t *enc_key_ptr)
+{
+ int32_t partition_id = 0;
+ psa_status_t status = tfm_crypto_get_caller_id(&partition_id);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* If Null Pointer, return PSA_ERROR_PROGRAMMER_ERROR */
+ if (enc_key_ptr == NULL) {
+ return PSA_ERROR_PROGRAMMER_ERROR;
+ }
+
+ /* Use the client key id as the key_id and its partition id as the owner */
+ *enc_key_ptr = mbedtls_svc_key_id_make(partition_id, key_id);
+
+ return PSA_SUCCESS;
+}
+
psa_status_t tfm_crypto_check_key_storage(uint32_t *index)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
@@ -134,7 +155,7 @@
}
psa_status_t tfm_crypto_set_key_storage(uint32_t index,
- psa_key_handle_t key_handle)
+ psa_key_id_t key_handle)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -148,7 +169,7 @@
}
handle_owner[index].owner = partition_id;
- handle_owner[index].handle = key_handle;
+ handle_owner[index].key = key_handle;
handle_owner[index].in_use = TFM_CRYPTO_IN_USE;
return PSA_SUCCESS;
@@ -194,16 +215,18 @@
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
(in_vec[1].len != sizeof(struct psa_client_key_attributes_s)) ||
- (out_vec[0].len != sizeof(psa_key_handle_t))) {
+ (out_vec[0].len != sizeof(psa_key_id_t))) {
return PSA_ERROR_PROGRAMMER_ERROR;
}
const struct psa_client_key_attributes_s *client_key_attr = in_vec[1].base;
const uint8_t *data = in_vec[2].base;
size_t data_length = in_vec[2].len;
- psa_key_handle_t *key_handle = out_vec[0].base;
+ psa_key_id_t *psa_key = out_vec[0].base;
+
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
uint32_t i = 0;
+ mbedtls_svc_key_id_t encoded_key;
int32_t partition_id = 0;
bool empty_found = false;
@@ -230,11 +253,13 @@
return status;
}
- status = psa_import_key(&key_attributes, data, data_length, key_handle);
+ status = psa_import_key(&key_attributes, data, data_length, &encoded_key);
+ /* Update the imported key id */
+ *psa_key = encoded_key.key_id;
if (status == PSA_SUCCESS) {
handle_owner[i].owner = partition_id;
- handle_owner[i].handle = *key_handle;
+ handle_owner[i].key = *psa_key;
handle_owner[i].in_use = TFM_CRYPTO_IN_USE;
}
@@ -254,15 +279,15 @@
CRYPTO_IN_OUT_LEN_VALIDATE(in_len, 2, 2, out_len, 1, 1);
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (in_vec[1].len != sizeof(psa_app_key_id_t)) ||
- (out_vec[0].len != sizeof(psa_key_handle_t))) {
+ (in_vec[1].len != sizeof(psa_key_id_t)) ||
+ (out_vec[0].len != sizeof(psa_key_id_t))) {
return PSA_ERROR_PROGRAMMER_ERROR;
}
- psa_app_key_id_t client_key_id = *((psa_app_key_id_t *)in_vec[1].base);
- psa_key_handle_t *key_handle = out_vec[0].base;
+ psa_key_id_t client_key_id = *((psa_key_id_t *)in_vec[1].base);
+ psa_key_id_t *key = out_vec[0].base;
psa_status_t status;
- psa_key_id_t id;
+ mbedtls_svc_key_id_t encoded_key;
int32_t partition_id;
uint32_t i;
@@ -282,13 +307,14 @@
}
/* Use the client key id as the key_id and its partition id as the owner */
- id = (psa_key_id_t){ .key_id = client_key_id, .owner = partition_id };
+ encoded_key = mbedtls_svc_key_id_make(partition_id, client_key_id);
- status = psa_open_key(id, key_handle);
+ status = psa_open_key(encoded_key, &encoded_key);
+ *key = encoded_key.key_id;
if (status == PSA_SUCCESS) {
handle_owner[i].owner = partition_id;
- handle_owner[i].handle = *key_handle;
+ handle_owner[i].key = *key;
handle_owner[i].in_use = TFM_CRYPTO_IN_USE;
}
@@ -313,19 +339,21 @@
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_handle_t key = iov->key_handle;
+ psa_key_id_t key = iov->key_id;
uint32_t index;
- psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
+ mbedtls_svc_key_id_t encoded_key;
+ psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
if (status != PSA_SUCCESS) {
return status;
}
- status = psa_close_key(key);
+ encoded_key = mbedtls_svc_key_id_make(handle_owner[index].owner, key);
+ status = psa_close_key(encoded_key);
if (status == PSA_SUCCESS) {
handle_owner[index].owner = 0;
- handle_owner[index].handle = 0;
+ handle_owner[index].key = 0;
handle_owner[index].in_use = TFM_CRYPTO_NOT_IN_USE;
}
@@ -349,20 +377,21 @@
return PSA_ERROR_PROGRAMMER_ERROR;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
-
- psa_key_handle_t key = iov->key_handle;
+ psa_key_id_t key = iov->key_id;
uint32_t index;
- psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
+ mbedtls_svc_key_id_t encoded_key;
+ psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
if (status != PSA_SUCCESS) {
return status;
}
- status = psa_destroy_key(key);
+ encoded_key = mbedtls_svc_key_id_make(handle_owner[index].owner, key);
+ status = psa_destroy_key(encoded_key);
if (status == PSA_SUCCESS) {
handle_owner[index].owner = 0;
- handle_owner[index].handle = 0;
+ handle_owner[index].key = 0;
handle_owner[index].in_use = TFM_CRYPTO_NOT_IN_USE;
}
@@ -387,18 +416,23 @@
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_handle_t key = iov->key_handle;
+ psa_key_id_t key = iov->key_id;
struct psa_client_key_attributes_s *client_key_attr = out_vec[0].base;
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t encoded_key;
status = tfm_crypto_check_handle_owner(key, NULL);
if (status != PSA_SUCCESS) {
return status;
}
- status = psa_get_key_attributes(key, &key_attributes);
+ status = tfm_crypto_encode_id_and_owner(key, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ status = psa_get_key_attributes(encoded_key, &key_attributes);
if (status == PSA_SUCCESS) {
status = tfm_crypto_key_attributes_to_client(&key_attributes,
client_key_attr);
@@ -464,11 +498,21 @@
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_handle_t key = iov->key_handle;
+ psa_key_id_t key = iov->key_id;
uint8_t *data = out_vec[0].base;
size_t data_size = out_vec[0].len;
+ mbedtls_svc_key_id_t encoded_key;
+ uint32_t index;
- return psa_export_key(key, data, data_size, &(out_vec[0].len));
+ psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ encoded_key = mbedtls_svc_key_id_make(handle_owner[index].owner, key);
+ return psa_export_key(encoded_key, data, data_size,
+ &(out_vec[0].len));
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
@@ -487,12 +531,61 @@
return PSA_ERROR_PROGRAMMER_ERROR;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
-
- psa_key_handle_t key = iov->key_handle;
+ psa_key_id_t key = iov->key_id;
uint8_t *data = out_vec[0].base;
size_t data_size = out_vec[0].len;
+ mbedtls_svc_key_id_t encoded_key;
+ uint32_t index;
- return psa_export_public_key(key, data, data_size, &(out_vec[0].len));
+ psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ encoded_key = mbedtls_svc_key_id_make(handle_owner[index].owner, key);
+
+ return psa_export_public_key(encoded_key, data, data_size,
+ &(out_vec[0].len));
+#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
+}
+
+psa_status_t tfm_crypto_purge_key(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ (void)out_vec;
+
+ CRYPTO_IN_OUT_LEN_VALIDATE(in_len, 1, 1, out_len, 0, 0);
+
+ if (in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) {
+ return PSA_ERROR_PROGRAMMER_ERROR;
+ }
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+ psa_key_id_t key = iov->key_id;
+ uint32_t index;
+ mbedtls_svc_key_id_t encoded_key;
+
+ psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ encoded_key = mbedtls_svc_key_id_make(handle_owner[index].owner, key);
+
+ status = psa_purge_key(encoded_key);
+ if (status == PSA_SUCCESS) {
+ handle_owner[index].owner = 0;
+ handle_owner[index].key = 0;
+ handle_owner[index].in_use = TFM_CRYPTO_NOT_IN_USE;
+ }
+
+ return status;
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
@@ -508,20 +601,22 @@
CRYPTO_IN_OUT_LEN_VALIDATE(in_len, 2, 2, out_len, 1, 1);
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (out_vec[0].len != sizeof(psa_key_handle_t)) ||
+ (out_vec[0].len != sizeof(psa_key_id_t)) ||
(in_vec[1].len != sizeof(struct psa_client_key_attributes_s))) {
return PSA_ERROR_PROGRAMMER_ERROR;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_handle_t source_handle = iov->key_handle;
- psa_key_handle_t *target_handle = out_vec[0].base;
+ psa_key_id_t source_key_id = iov->key_id;
+ psa_key_id_t *target_key_id = out_vec[0].base;
const struct psa_client_key_attributes_s *client_key_attr = in_vec[1].base;
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
uint32_t i = 0;
int32_t partition_id = 0;
bool empty_found = false;
+ mbedtls_svc_key_id_t target_key;
+ mbedtls_svc_key_id_t encoded_key;
for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
if (handle_owner[i].in_use == TFM_CRYPTO_NOT_IN_USE) {
@@ -546,11 +641,21 @@
return status;
}
- status = psa_copy_key(source_handle, &key_attributes, target_handle);
+ status = tfm_crypto_check_handle_owner(source_key_id, NULL);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ status = tfm_crypto_encode_id_and_owner(source_key_id, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_copy_key(encoded_key, &key_attributes, &target_key);
+ *target_key_id = target_key.key_id;
if (status == PSA_SUCCESS) {
handle_owner[i].owner = partition_id;
- handle_owner[i].handle = *target_handle;
+ handle_owner[i].key = *target_key_id;
handle_owner[i].in_use = TFM_CRYPTO_IN_USE;
}
@@ -571,16 +676,17 @@
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
(in_vec[1].len != sizeof(struct psa_client_key_attributes_s)) ||
- (out_vec[0].len != sizeof(psa_key_handle_t))) {
+ (out_vec[0].len != sizeof(psa_key_id_t))) {
return PSA_ERROR_PROGRAMMER_ERROR;
}
- psa_key_handle_t *key_handle = out_vec[0].base;
+ psa_key_id_t *key_handle = out_vec[0].base;
const struct psa_client_key_attributes_s *client_key_attr = in_vec[1].base;
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
uint32_t i = 0;
int32_t partition_id = 0;
bool empty_found = false;
+ mbedtls_svc_key_id_t encoded_key;
for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
if (handle_owner[i].in_use == TFM_CRYPTO_NOT_IN_USE) {
@@ -605,11 +711,12 @@
return status;
}
- status = psa_generate_key(&key_attributes, key_handle);
+ status = psa_generate_key(&key_attributes, &encoded_key);
+ *key_handle = encoded_key.key_id;
if (status == PSA_SUCCESS) {
handle_owner[i].owner = partition_id;
- handle_owner[i].handle = *key_handle;
+ handle_owner[i].key = *key_handle;
handle_owner[i].in_use = TFM_CRYPTO_IN_USE;
}