Crypto: Remove TF-M Crypto service key handle array

TF-M Crypto service allocates a key handle array to map keys and
owners. However, this array is redundant since TF-M Crypto eventually
relies on Mbed TLS key handle management.

Remove TF-M Crypto service key handle array to simplify TF-M Crypto key
handling routine and optimize memory footprint.

Remove CRYPTO_KEY_ID_ENCODES_OWNER.
Enforce MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER to be enabled.

Update the test commit ID accordingly.

Change-Id: Ic1ecff587ec33a95fbeabcd8dd9fd6430455117b
Signed-off-by: David Hu <david.hu@arm.com>
Co-authored-by: Summer Qin <summer.qin@arm.com>
diff --git a/config/config_default.cmake b/config/config_default.cmake
index 33665fe..649c712 100644
--- a/config/config_default.cmake
+++ b/config/config_default.cmake
@@ -134,9 +134,6 @@
 set(CRYPTO_ASYM_ENCRYPT_MODULE_DISABLED FALSE       CACHE BOOL      "Disable PSA Crypto asymmetric key encryption module")
 set(CRYPTO_KEY_DERIVATION_MODULE_DISABLED FALSE     CACHE BOOL      "Disable PSA Crypto key derivation module")
 set(CRYPTO_IOVEC_BUFFER_SIZE            5120        CACHE STRING    "Default size of the internal scratch buffer used for PSA FF IOVec allocations")
-# TODO CRYPTO_KEY_ID_ENCODES_OWNER shall be aligned with underlying crypto
-# library key ID encoding configuration
-set(CRYPTO_KEY_ID_ENCODES_OWNER         ON          CACHE BOOL      "Encode client ID into Crypto PSA key ID")
 
 set(TFM_PARTITION_INITIAL_ATTESTATION   ON          CACHE BOOL      "Enable Initial Attestation partition")
 set(SYMMETRIC_INITIAL_ATTESTATION       OFF         CACHE BOOL      "Use symmetric crypto for inital attestation")
@@ -185,7 +182,7 @@
 set(TFM_MBEDCRYPTO_PLATFORM_EXTRA_CONFIG_PATH "" CACHE PATH "Config to append to standard Mbed Crypto config, used by platforms to cnfigure feature support")
 
 set(TFM_TEST_REPO_PATH                  "DOWNLOAD"  CACHE PATH      "Path to TFM-TEST repo (or DOWNLOAD to fetch automatically")
-set(TFM_TEST_REPO_VERSION               "a602746"   CACHE STRING    "The version of tf-m-tests to use")
+set(TFM_TEST_REPO_VERSION               "5d5ad03"   CACHE STRING    "The version of tf-m-tests to use")
 set(CMSIS_5_PATH                        "DOWNLOAD"  CACHE PATH      "Path to CMSIS_5 (or DOWNLOAD to fetch automatically")
 
 set(MCUBOOT_PATH                        "DOWNLOAD"        CACHE PATH      "Path to MCUboot (or DOWNLOAD to fetch automatically")
diff --git a/config/profile/profile_small.cmake b/config/profile/profile_small.cmake
index 27e576e..73ba284 100644
--- a/config/profile/profile_small.cmake
+++ b/config/profile/profile_small.cmake
@@ -27,9 +27,6 @@
 set(CRYPTO_ENGINE_BUF_SIZE              0x800       CACHE STRING    "Heap size for the crypto backend")
 set(CRYPTO_ASYM_SIGN_MODULE_DISABLED    ON          CACHE BOOL      "Disable PSA Crypto asymmetric key signature module")
 set(CRYPTO_ASYM_ENCRYPT_MODULE_DISABLED ON          CACHE BOOL      "Disable PSA Crypto asymmetric key encryption module")
-# TODO CRYPTO_KEY_ID_ENCODES_OWNER shall be aligned with underlying crypto
-# library key ID encoding configuration
-set(CRYPTO_KEY_ID_ENCODES_OWNER         OFF         CACHE BOOL      "Encode client ID into Crypto PSA key ID")
 
 set(SYMMETRIC_INITIAL_ATTESTATION       ON          CACHE BOOL      "Use symmetric crypto for inital attestation")
 
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
index 68432b7..eecf026 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
@@ -846,7 +846,7 @@
  * Note that this option is meant for internal use only and may be removed
  * without notice.
  */
-//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
 
 /**
  * \def MBEDTLS_MEMORY_DEBUG
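Review bot: Enabling `MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER` for Profile Small changes the key identifier from a bare key ID to an (owner, key ID) pair, and the commit message does not say what happens to persistent keys created by an image built with the old setting. If Mbed TLS derives a persistent key's storage identifier from the full encoded ID (it appears to, but that code is not in this diff), those keys would no longer be found after a firmware update. I would add a sentence to the commit message or release notes stating whether Profile Small persistent keys survive this change or must be re-provisioned. The option's own comment, which starts above the hunk, still describes it as "meant for internal use only", which sits oddly with an option the build now requires.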
diff --git a/secure_fw/partitions/crypto/CMakeLists.txt b/secure_fw/partitions/crypto/CMakeLists.txt
index 8332d29..6c62445 100644
--- a/secure_fw/partitions/crypto/CMakeLists.txt
+++ b/secure_fw/partitions/crypto/CMakeLists.txt
@@ -75,7 +75,6 @@
         $<$<BOOL:${CRYPTO_ENGINE_BUF_SIZE}>:TFM_CRYPTO_ENGINE_BUF_SIZE=${CRYPTO_ENGINE_BUF_SIZE}>
         $<$<BOOL:${CRYPTO_CONC_OPER_NUM}>:TFM_CRYPTO_CONC_OPER_NUM=${CRYPTO_CONC_OPER_NUM}>
         $<$<AND:$<BOOL:${TFM_PSA_API}>,$<BOOL:${CRYPTO_IOVEC_BUFFER_SIZE}>>:TFM_CRYPTO_IOVEC_BUFFER_SIZE=${CRYPTO_IOVEC_BUFFER_SIZE}>
-        $<$<BOOL:${CRYPTO_KEY_ID_ENCODES_OWNER}>:CRYPTO_KEY_ID_ENCODES_OWNER>
 )
 
 ################ Display the configuration being applied #######################
@@ -93,7 +92,6 @@
 message(STATUS "CRYPTO_ASYM_ENCRYPT_MODULE_DISABLED is set to ${CRYPTO_ASYM_ENCRYPT_MODULE_DISABLED}")
 message(STATUS "CRYPTO_ENGINE_BUF_SIZE is set to ${CRYPTO_ENGINE_BUF_SIZE}")
 message(STATUS "CRYPTO_CONC_OPER_NUM is set to ${CRYPTO_CONC_OPER_NUM}")
-message(STATUS "CRYPTO_KEY_ID_ENCODES_OWNER is set to ${CRYPTO_KEY_ID_ENCODES_OWNER}")
 if (${TFM_PSA_API})
     message(STATUS "CRYPTO_IOVEC_BUFFER_SIZE is set to ${CRYPTO_IOVEC_BUFFER_SIZE}")
 endif()
diff --git a/secure_fw/partitions/crypto/crypto_aead.c b/secure_fw/partitions/crypto/crypto_aead.c
index bb43499..012ffcf 100644
--- a/secure_fw/partitions/crypto/crypto_aead.c
+++ b/secure_fw/partitions/crypto/crypto_aead.c
@@ -53,11 +53,6 @@
     /* Initialise ciphertext_length to zero. */
     out_vec[0].len = 0;
 
-    status = tfm_crypto_check_handle_owner(key_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
     if (status != PSA_SUCCESS) {
         return status;
@@ -103,11 +98,6 @@
     /* Initialise plaintext_length to zero. */
     out_vec[0].len = 0;
 
-    status = tfm_crypto_check_handle_owner(key_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
     if (status != PSA_SUCCESS) {
         return status;
diff --git a/secure_fw/partitions/crypto/crypto_asymmetric.c b/secure_fw/partitions/crypto/crypto_asymmetric.c
index f0bda4e..6640403 100644
--- a/secure_fw/partitions/crypto/crypto_asymmetric.c
+++ b/secure_fw/partitions/crypto/crypto_asymmetric.c
@@ -42,11 +42,7 @@
     uint8_t *signature = out_vec[0].base;
     size_t signature_size = out_vec[0].len;
     mbedtls_svc_key_id_t encoded_key;
-
-    psa_status_t status = tfm_crypto_check_handle_owner(key_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
+    psa_status_t status;
 
     status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
     if (status != PSA_SUCCESS) {
@@ -81,11 +77,7 @@
     const uint8_t *signature = in_vec[2].base;
     size_t signature_length = in_vec[2].len;
     mbedtls_svc_key_id_t encoded_key;
-    psa_status_t status = tfm_crypto_check_handle_owner(key_id);
-
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
+    psa_status_t status;
 
     status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
     if (status != PSA_SUCCESS) {
@@ -119,11 +111,7 @@
     uint8_t *signature = out_vec[0].base;
     size_t signature_size = out_vec[0].len;
     mbedtls_svc_key_id_t encoded_key;
-
-    psa_status_t status = tfm_crypto_check_handle_owner(key_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
+    psa_status_t status;
 
     status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
     if (status != PSA_SUCCESS) {
@@ -158,11 +146,7 @@
     const uint8_t *signature = in_vec[2].base;
     size_t signature_length = in_vec[2].len;
     mbedtls_svc_key_id_t encoded_key;
-    psa_status_t status = tfm_crypto_check_handle_owner(key_id);
-
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
+    psa_status_t status;
 
     status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
     if (status != PSA_SUCCESS) {
@@ -204,11 +188,6 @@
     psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
     mbedtls_svc_key_id_t encoded_key;
 
-    status = tfm_crypto_check_handle_owner(key_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
     if (status != PSA_SUCCESS) {
         return status;
@@ -262,11 +241,6 @@
     psa_status_t status;
     mbedtls_svc_key_id_t encoded_key;
 
-    status = tfm_crypto_check_handle_owner(key_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
     if (status != PSA_SUCCESS) {
         return status;
diff --git a/secure_fw/partitions/crypto/crypto_cipher.c b/secure_fw/partitions/crypto/crypto_cipher.c
index 670aa48..a45d239 100644
--- a/secure_fw/partitions/crypto/crypto_cipher.c
+++ b/secure_fw/partitions/crypto/crypto_cipher.c
@@ -123,11 +123,6 @@
     psa_algorithm_t alg = iov->alg;
     mbedtls_svc_key_id_t encoded_key;
 
-    status = tfm_crypto_check_handle_owner(key_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     /* Allocate the operation context in the secure world */
     status = tfm_crypto_operation_alloc(TFM_CRYPTO_CIPHER_OPERATION,
                                         &handle,
@@ -180,11 +175,6 @@
     psa_algorithm_t alg = iov->alg;
     mbedtls_svc_key_id_t encoded_key;
 
-    status = tfm_crypto_check_handle_owner(key_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     /* Allocate the operation context in the secure world */
     status = tfm_crypto_operation_alloc(TFM_CRYPTO_CIPHER_OPERATION,
                                         &handle,
@@ -375,11 +365,6 @@
     size_t output_size = out_vec[0].len;
     mbedtls_svc_key_id_t encoded_key;
 
-    status = tfm_crypto_check_handle_owner(key_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
     if (status != PSA_SUCCESS) {
         return status;
@@ -414,11 +399,6 @@
     size_t output_size = out_vec[0].len;
     mbedtls_svc_key_id_t encoded_key;
 
-    status = tfm_crypto_check_handle_owner(key_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
     if (status != PSA_SUCCESS) {
         return status;
diff --git a/secure_fw/partitions/crypto/crypto_key.c b/secure_fw/partitions/crypto/crypto_key.c
index 0d95ac6..892ce11 100644
--- a/secure_fw/partitions/crypto/crypto_key.c
+++ b/secure_fw/partitions/crypto/crypto_key.c
@@ -14,129 +14,10 @@
 #include "tfm_crypto_defs.h"
 #include "tfm_crypto_private.h"
 
-#ifndef TFM_CRYPTO_KEY_MODULE_DISABLED
-#ifdef CRYPTO_KEY_ID_ENCODES_OWNER
-#ifndef TFM_CRYPTO_MAX_KEY_HANDLES
-#define TFM_CRYPTO_MAX_KEY_HANDLES (32)
+#ifndef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+#error "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER must be selected in Mbed TLS config file"
 #endif
 
-struct tfm_crypto_handle_owner_s {
-    int32_t owner;           /*!< Owner of the allocated handle */
-    psa_key_id_t key;        /*!< Allocated key */
-    uint8_t in_use;          /*!< Flag to indicate if this in use */
-};
-
-static struct tfm_crypto_handle_owner_s
-                                 handle_owner[TFM_CRYPTO_MAX_KEY_HANDLES] = {0};
-
-static void set_handle_owner(uint8_t idx, int32_t client_id,
-                             psa_key_id_t key_handle)
-{
-    /* Skip checking idx */
-
-    handle_owner[idx].owner = client_id;
-    handle_owner[idx].key = key_handle;
-    handle_owner[idx].in_use = TFM_CRYPTO_IN_USE;
-}
-
-static void clean_handle_owner(uint8_t idx)
-{
-    /* Skip checking idx */
-
-    handle_owner[idx].owner = TFM_INVALID_CLIENT_ID;
-    handle_owner[idx].key = (psa_key_id_t)0;
-    handle_owner[idx].in_use = TFM_CRYPTO_NOT_IN_USE;
-}
-
-static psa_status_t find_empty_handle_owner_slot(uint8_t *idx)
-{
-    uint8_t i;
-
-    for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
-        if (handle_owner[i].in_use == TFM_CRYPTO_NOT_IN_USE) {
-            *idx = i;
-            return PSA_SUCCESS;
-        }
-    }
-
-    return PSA_ERROR_INSUFFICIENT_MEMORY;
-}
-
-/*
- * Check that the requested handle belongs to the requesting partition
- *
- * Argument idx is optional. It points to the buffer to hold the internal
- * index corresponding to the input handle. Valid only on PSA_SUCCESS.
- * It is filled only if the input pointer is not NULL.
- *
- * Return values as described in \ref psa_status_t
- */
-static psa_status_t check_handle_owner(psa_key_id_t key, uint8_t *idx)
-{
-    int32_t client_id = 0;
-    uint8_t i = 0;
-    psa_status_t status;
-
-    status = tfm_crypto_get_caller_id(&client_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
-    for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
-        if (handle_owner[i].in_use && handle_owner[i].key == key) {
-            if (handle_owner[i].owner == client_id) {
-                if (idx) {
-                    *idx = i;
-                }
-                return PSA_SUCCESS;
-            } else {
-                return PSA_ERROR_NOT_PERMITTED;
-            }
-        }
-    }
-
-    return PSA_ERROR_INVALID_HANDLE;
-}
-
-static void encoded_key_id_make(psa_key_id_t key, uint8_t slot_idx,
-                                mbedtls_svc_key_id_t *encoded_key)
-{
-    /* Skip checking encoded_key */
-    *encoded_key = mbedtls_svc_key_id_make(handle_owner[slot_idx].owner, key);
-}
-#else /* CRYPTO_KEY_ID_ENCODES_OWNER */
-#define set_handle_owner(idx, client_id, key_handle)        do {} while (0)
-#define clean_handle_owner(idx)                             do {} while (0)
-
-static inline psa_status_t find_empty_handle_owner_slot(uint8_t *idx)
-{
-    *idx = 0;
-
-    return PSA_SUCCESS;
-}
-
-static inline psa_status_t check_handle_owner(psa_key_id_t key, uint8_t *idx)
-{
-    (void)key;
-
-    if (idx) {
-        *idx = 0;
-    }
-
-    return PSA_SUCCESS;
-}
-
-static inline void encoded_key_id_make(psa_key_id_t key, uint8_t slot_idx,
-                                       mbedtls_svc_key_id_t *encoded_key)
-{
-    (void)slot_idx;
-
-    /* Skip checking encoded_key */
-    *encoded_key = mbedtls_svc_key_id_make(TFM_INVALID_CLIENT_ID, key);
-}
-#endif /* CRYPTO_KEY_ID_ENCODES_OWNER */
-#endif /* !TFM_CRYPTO_KEY_MODULE_DISABLED */
-
 /*!
  * \defgroup public Public functions
  *
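Review bot: The new `#error` guard has no comment saying why the option is mandatory, although after this commit it is all that stands behind per-partition key isolation. The removed `check_handle_owner()` returned `PSA_ERROR_NOT_PERMITTED` when the caller was not the recorded owner; now a key ID belonging to another partition is rejected only because the owner is part of the `mbedtls_svc_key_id_t` handed to Mbed TLS. I would add above the guard `/* Key ownership is enforced solely by the owner field encoded in mbedtls_svc_key_id_t; the service keeps no owner table of its own. */`. The status a client sees for another partition's key is now whatever Mbed TLS reports, presumably no longer `PSA_ERROR_NOT_PERMITTED`, and that is worth stating in the commit message. The guard also assumes the Mbed TLS configuration header has been pulled in by this point, which the two includes visible in the hunk do not show.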
@@ -166,12 +47,8 @@
     core->MBEDTLS_PRIVATE(bits) = client_key_attr->bits;
 
     /* Use the client key id as the key_id and its partition id as the owner */
-#ifdef CRYPTO_KEY_ID_ENCODES_OWNER
     core->MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(key_id) = client_key_attr->id;
     core->MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(owner) = client_id;
-#else
-    core->MBEDTLS_PRIVATE(id) = client_key_attr->id;
-#endif
 
     return PSA_SUCCESS;
 }
@@ -196,24 +73,11 @@
     client_key_attr->bits = core.MBEDTLS_PRIVATE(bits);
 
     /* Return the key_id as the client key id, do not return the owner */
-#ifdef CRYPTO_KEY_ID_ENCODES_OWNER
     client_key_attr->id = core.MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(key_id);
-#else
-    client_key_attr->id = core.MBEDTLS_PRIVATE(id);
-#endif
 
     return PSA_SUCCESS;
 }
 
-psa_status_t tfm_crypto_check_handle_owner(psa_key_id_t key)
-{
-#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
-    return PSA_ERROR_NOT_SUPPORTED;
-#else
-    return check_handle_owner(key, NULL);
-#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
-}
-
 psa_status_t tfm_crypto_encode_id_and_owner(psa_key_id_t key_id,
                                             mbedtls_svc_key_id_t *enc_key_ptr)
 {
@@ -235,35 +99,6 @@
     return PSA_SUCCESS;
 }
 
-psa_status_t tfm_crypto_check_key_storage(uint32_t *index)
-{
-#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
-    return PSA_ERROR_NOT_SUPPORTED;
-#else
-    return find_empty_handle_owner_slot((uint8_t *)index);
-#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
-}
-
-psa_status_t tfm_crypto_set_key_storage(uint32_t index,
-                                        psa_key_id_t key_handle)
-{
-#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
-    return PSA_ERROR_NOT_SUPPORTED;
-#else
-    psa_status_t status;
-    int32_t partition_id;
-
-    status = tfm_crypto_get_caller_id(&partition_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
-    set_handle_owner(index, partition_id, key_handle);
-
-    return PSA_SUCCESS;
-#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
-}
-
 psa_status_t tfm_crypto_set_key_domain_parameters(psa_invec in_vec[],
                                    size_t in_len,
                                    psa_outvec out_vec[],
@@ -313,15 +148,9 @@
 
     psa_status_t status;
     psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
-    uint8_t i = 0;
     mbedtls_svc_key_id_t encoded_key;
     int32_t partition_id = 0;
 
-    status = find_empty_handle_owner_slot(&i);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     status = tfm_crypto_get_caller_id(&partition_id);
     if (status != PSA_SUCCESS) {
         return status;
@@ -335,17 +164,13 @@
     }
 
     status = psa_import_key(&key_attributes, data, data_length, &encoded_key);
-    /* Update the imported key id */
-#ifdef CRYPTO_KEY_ID_ENCODES_OWNER
-    *psa_key = encoded_key.MBEDTLS_PRIVATE(key_id);
-#else
-    *psa_key = (psa_key_id_t)encoded_key;
-#endif
-
-    if (status == PSA_SUCCESS) {
-        set_handle_owner(i, partition_id, *psa_key);
+    if (status != PSA_SUCCESS) {
+        return status;
     }
 
+    /* Update the imported key id */
+    *psa_key = encoded_key.MBEDTLS_PRIVATE(key_id);
+
     return status;
 #endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
 }
@@ -371,13 +196,7 @@
     psa_key_id_t *key = out_vec[0].base;
     psa_status_t status;
     mbedtls_svc_key_id_t encoded_key;
-    int32_t partition_id;
-    uint8_t i;
-
-    status = find_empty_handle_owner_slot(&i);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
+    int32_t partition_id = 0;
 
     status = tfm_crypto_get_caller_id(&partition_id);
     if (status != PSA_SUCCESS) {
@@ -388,16 +207,12 @@
     encoded_key = mbedtls_svc_key_id_make(partition_id, client_key_id);
 
     status = psa_open_key(encoded_key, &encoded_key);
-#ifdef CRYPTO_KEY_ID_ENCODES_OWNER
-    *key = encoded_key.MBEDTLS_PRIVATE(key_id);
-#else
-    *key = (psa_key_id_t)encoded_key;
-#endif
-
-    if (status == PSA_SUCCESS) {
-        set_handle_owner(i, partition_id, *key);
+    if (status != PSA_SUCCESS) {
+        return status;
     }
 
+    *key = encoded_key.MBEDTLS_PRIVATE(key_id);
+
     return status;
 #endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
 }
@@ -420,23 +235,18 @@
     const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
 
     psa_key_id_t key = iov->key_id;
-    uint8_t index;
     mbedtls_svc_key_id_t encoded_key;
+    int32_t partition_id = 0;
     psa_status_t status;
 
-    status = check_handle_owner(key, &index);
+    status = tfm_crypto_get_caller_id(&partition_id);
     if (status != PSA_SUCCESS) {
         return status;
     }
 
-    encoded_key_id_make(key, index, &encoded_key);
+    encoded_key = mbedtls_svc_key_id_make(partition_id, key);
 
-    status = psa_close_key(encoded_key);
-    if (status == PSA_SUCCESS) {
-        clean_handle_owner(index);
-    }
-
-    return status;
+    return psa_close_key(encoded_key);
 #endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
 }
 
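Review bot: The function ending in `return psa_close_key(encoded_key);` now builds the encoded ID by hand with `tfm_crypto_get_caller_id()` followed by `mbedtls_svc_key_id_make(partition_id, key)`. The same file defines `tfm_crypto_encode_id_and_owner()`, and crypto_aead.c, crypto_asymmetric.c, crypto_cipher.c and crypto_mac.c all go through it. Assuming that helper performs the same two steps (its body is not in the diff), calling it here, `status = tfm_crypto_encode_id_and_owner(key, &encoded_key);`, drops the local `partition_id` and keeps the caller-to-owner binding in one auditable place. The same applies to the later hunks that call `psa_destroy_key`, `psa_get_key_attributes`, `psa_export_key`, `psa_export_public_key`, `psa_purge_key` and, for the source key, `psa_copy_key`. The function body starts above the hunk.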
@@ -457,23 +267,18 @@
     }
     const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
     psa_key_id_t key = iov->key_id;
-    uint8_t index;
     mbedtls_svc_key_id_t encoded_key;
+    int32_t partition_id = 0;
     psa_status_t status;
 
-    status = check_handle_owner(key, &index);
+    status = tfm_crypto_get_caller_id(&partition_id);
     if (status != PSA_SUCCESS) {
         return status;
     }
 
-    encoded_key_id_make(key, index, &encoded_key);
+    encoded_key = mbedtls_svc_key_id_make(partition_id, key);
 
-    status = psa_destroy_key(encoded_key);
-    if (status == PSA_SUCCESS) {
-        clean_handle_owner(index);
-    }
-
-    return status;
+    return psa_destroy_key(encoded_key);
 #endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
 }
 
@@ -499,14 +304,14 @@
     psa_status_t status;
     psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
     mbedtls_svc_key_id_t encoded_key;
-    uint8_t index;
+    int32_t partition_id = 0;
 
-    status = check_handle_owner(key, &index);
+    status = tfm_crypto_get_caller_id(&partition_id);
     if (status != PSA_SUCCESS) {
         return status;
     }
 
-    encoded_key_id_make(key, index, &encoded_key);
+    encoded_key = mbedtls_svc_key_id_make(partition_id, key);
 
     status = psa_get_key_attributes(encoded_key, &key_attributes);
     if (status == PSA_SUCCESS) {
@@ -578,15 +383,15 @@
     uint8_t *data = out_vec[0].base;
     size_t data_size = out_vec[0].len;
     mbedtls_svc_key_id_t encoded_key;
+    int32_t partition_id = 0;
     psa_status_t status;
-    uint8_t index;
 
-    status = check_handle_owner(key, &index);
+    status = tfm_crypto_get_caller_id(&partition_id);
     if (status != PSA_SUCCESS) {
         return status;
     }
 
-    encoded_key_id_make(key, index, &encoded_key);
+    encoded_key = mbedtls_svc_key_id_make(partition_id, key);
 
     return psa_export_key(encoded_key, data, data_size,
                           &(out_vec[0].len));
@@ -612,15 +417,15 @@
     uint8_t *data = out_vec[0].base;
     size_t data_size = out_vec[0].len;
     mbedtls_svc_key_id_t encoded_key;
+    int32_t partition_id = 0;
     psa_status_t status;
-    uint8_t index;
 
-    status = check_handle_owner(key, &index);
+    status = tfm_crypto_get_caller_id(&partition_id);
     if (status != PSA_SUCCESS) {
         return status;
     }
 
-    encoded_key_id_make(key, index, &encoded_key);
+    encoded_key = mbedtls_svc_key_id_make(partition_id, key);
 
     return psa_export_public_key(encoded_key, data, data_size,
                                  &(out_vec[0].len));
@@ -645,22 +450,17 @@
     const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
     psa_key_id_t key = iov->key_id;
     mbedtls_svc_key_id_t encoded_key;
+    int32_t partition_id = 0;
     psa_status_t status;
-    uint8_t index;
 
-    status = check_handle_owner(key, &index);
+    status = tfm_crypto_get_caller_id(&partition_id);
     if (status != PSA_SUCCESS) {
         return status;
     }
 
-    encoded_key_id_make(key, index, &encoded_key);
+    encoded_key = mbedtls_svc_key_id_make(partition_id, key);
 
-    status = psa_purge_key(encoded_key);
-    if (status == PSA_SUCCESS) {
-        clean_handle_owner(index);
-    }
-
-    return status;
+    return psa_purge_key(encoded_key);
 #endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
 }
 
@@ -687,16 +487,10 @@
     const struct psa_client_key_attributes_s *client_key_attr = in_vec[1].base;
     psa_status_t status;
     psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
-    uint8_t source_idx = 0, target_idx = 0;
     int32_t partition_id = 0;
     mbedtls_svc_key_id_t target_key;
     mbedtls_svc_key_id_t encoded_key;
 
-    status = find_empty_handle_owner_slot(&target_idx);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     status = tfm_crypto_get_caller_id(&partition_id);
     if (status != PSA_SUCCESS) {
         return status;
@@ -709,22 +503,14 @@
         return status;
     }
 
-    status = check_handle_owner(source_key_id, &source_idx);
+    encoded_key = mbedtls_svc_key_id_make(partition_id, source_key_id);
+
+    status = psa_copy_key(encoded_key, &key_attributes, &target_key);
     if (status != PSA_SUCCESS) {
         return status;
     }
 
-    encoded_key_id_make(source_key_id, source_idx, &encoded_key);
-
-    status = psa_copy_key(encoded_key, &key_attributes, &target_key);
-#ifdef CRYPTO_KEY_ID_ENCODES_OWNER
     *target_key_id = target_key.MBEDTLS_PRIVATE(key_id);
-#else
-    *target_key_id = (psa_key_id_t)target_key;
-#endif
-    if (status == PSA_SUCCESS) {
-        set_handle_owner(target_idx, partition_id, *target_key_id);
-    }
 
     return status;
 #endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
@@ -750,15 +536,9 @@
     const struct psa_client_key_attributes_s *client_key_attr = in_vec[1].base;
     psa_status_t status;
     psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
-    uint8_t i = 0;
     int32_t partition_id = 0;
     mbedtls_svc_key_id_t encoded_key;
 
-    status = find_empty_handle_owner_slot(&i);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     status = tfm_crypto_get_caller_id(&partition_id);
     if (status != PSA_SUCCESS) {
         return status;
@@ -772,16 +552,12 @@
     }
 
     status = psa_generate_key(&key_attributes, &encoded_key);
-#ifdef CRYPTO_KEY_ID_ENCODES_OWNER
-    *key_handle = encoded_key.MBEDTLS_PRIVATE(key_id);
-#else
-    *key_handle = (psa_key_id_t)encoded_key;
-#endif
-
-    if (status == PSA_SUCCESS) {
-        set_handle_owner(i, partition_id, *key_handle);
+    if (status != PSA_SUCCESS) {
+        return status;
     }
 
+    *key_handle = encoded_key.MBEDTLS_PRIVATE(key_id);
+
     return status;
 #endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
 }
diff --git a/secure_fw/partitions/crypto/crypto_key_derivation.c b/secure_fw/partitions/crypto/crypto_key_derivation.c
index 3399683..1850b86 100644
--- a/secure_fw/partitions/crypto/crypto_key_derivation.c
+++ b/secure_fw/partitions/crypto/crypto_key_derivation.c
@@ -347,11 +347,6 @@
     psa_key_derivation_operation_t *operation = NULL;
     mbedtls_svc_key_id_t encoded_key;
 
-    status = tfm_crypto_check_handle_owner(key_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     /* Look up the corresponding operation context */
     status = tfm_crypto_operation_lookup(TFM_CRYPTO_KEY_DERIVATION_OPERATION,
                                          handle,
@@ -394,7 +389,6 @@
     psa_key_id_t *key_handle = out_vec[0].base;
     psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
     int32_t partition_id;
-    uint32_t index;
     mbedtls_svc_key_id_t encoded_key;
 
     /* Look up the corresponding operation context */
@@ -405,11 +399,6 @@
         return status;
     }
 
-    status = tfm_crypto_check_key_storage(&index);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     status = tfm_crypto_get_caller_id(&partition_id);
     if (status != PSA_SUCCESS) {
         return status;
@@ -429,15 +418,8 @@
         status = psa_key_derivation_output_key(&key_attributes, operation,
                                                &encoded_key);
     }
-#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
-    *key_handle = encoded_key.MBEDTLS_PRIVATE(key_id);
-#else
-    *key_handle = (psa_key_id_t)encoded_key;
-#endif
 
-    if (status == PSA_SUCCESS) {
-        status = tfm_crypto_set_key_storage(index, *key_handle);
-    }
+    *key_handle = encoded_key.MBEDTLS_PRIVATE(key_id);
 
     return status;
 #endif /* TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED */
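Review bot: `*key_handle = encoded_key.MBEDTLS_PRIVATE(key_id);` now runs whatever `status` holds, unlike the import, open, copy and generate paths in crypto_key.c, which this commit changes to return before touching the output on failure. `encoded_key` is declared without an initialiser in the preceding hunk, which appears to belong to the same function. If a derivation call can fail without writing it (not determinable from the hunk), secure-side stack contents would be copied into the caller's output buffer. Guarding the write, `if (status == PSA_SUCCESS) { *key_handle = encoded_key.MBEDTLS_PRIVATE(key_id); }`, makes this path match the others. The function starts above the hunk.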
@@ -521,11 +503,6 @@
     psa_key_derivation_step_t step = iov->step;
     mbedtls_svc_key_id_t encoded_key;
 
-    status = tfm_crypto_check_handle_owner(private_key);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     /* Look up the corresponding operation context */
     status = tfm_crypto_operation_lookup(TFM_CRYPTO_KEY_DERIVATION_OPERATION,
                                          handle,
@@ -568,12 +545,7 @@
     const uint8_t *peer_key = in_vec[1].base;
     size_t peer_key_length = in_vec[1].len;
     mbedtls_svc_key_id_t encoded_key;
-
-    psa_status_t status = tfm_crypto_check_handle_owner(private_key);
-
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
+    psa_status_t status;
 
     status = tfm_crypto_encode_id_and_owner(private_key, &encoded_key);
     if (status != PSA_SUCCESS) {
diff --git a/secure_fw/partitions/crypto/crypto_mac.c b/secure_fw/partitions/crypto/crypto_mac.c
index 011a3ce..4c9ba2d 100644
--- a/secure_fw/partitions/crypto/crypto_mac.c
+++ b/secure_fw/partitions/crypto/crypto_mac.c
@@ -44,11 +44,6 @@
     psa_algorithm_t alg = iov->alg;
     mbedtls_svc_key_id_t encoded_key;
 
-    status = tfm_crypto_check_handle_owner(key_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     /* Init the handle in the operation with the one passed from the iov */
     *handle_out = iov->op_handle;
 
@@ -105,11 +100,6 @@
     psa_algorithm_t alg = iov->alg;
     mbedtls_svc_key_id_t encoded_key;
 
-    status = tfm_crypto_check_handle_owner(key_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     /* Init the handle in the operation with the one passed from the iov */
     *handle_out = iov->op_handle;
 
@@ -340,11 +330,6 @@
     size_t mac_size = out_vec[0].len;
     mbedtls_svc_key_id_t encoded_key;
 
-    status = tfm_crypto_check_handle_owner(key_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
     if (status != PSA_SUCCESS) {
         return status;
@@ -379,11 +364,6 @@
     size_t mac_length = in_vec[2].len;
     mbedtls_svc_key_id_t encoded_key;
 
-    status = tfm_crypto_check_handle_owner(key_id);
-    if (status != PSA_SUCCESS) {
-        return status;
-    }
-
     status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
     if (status != PSA_SUCCESS) {
         return status;
diff --git a/secure_fw/partitions/crypto/tfm_crypto_api.h b/secure_fw/partitions/crypto/tfm_crypto_api.h
index ff1d17b..cfdf747 100644
--- a/secure_fw/partitions/crypto/tfm_crypto_api.h
+++ b/secure_fw/partitions/crypto/tfm_crypto_api.h
@@ -96,37 +96,6 @@
                         struct psa_client_key_attributes_s *client_key_attr);
 
 /**
- * \brief Checks that the requested handle belongs to the requesting
- *        partition
- *
- * \param[in]  key    key given as input
- *
- * \return Return values as described in \ref psa_status_t
- */
-psa_status_t tfm_crypto_check_handle_owner(psa_key_id_t key);
-
-/**
- * \brief Checks that there is enough local storage in RAM to keep another key,
- *        and returns the index of the storage to use.
- *
- * \param[out] index  Index of the local storage to use
- *
- * \return Return values as described in \ref psa_status_t
- */
-psa_status_t tfm_crypto_check_key_storage(uint32_t *index);
-
-/**
- * \brief Sets the index of the local storage in use with a key requested by the
- *        calling partition, and stores the corresponding key_handle.
- *
- * \param[in] index       Index of the local storage to use
- * \param[in] key_handle  Corresponding key handle to associate
- *
- * \return Return values as described in \ref psa_status_t
- */
-psa_status_t tfm_crypto_set_key_storage(uint32_t index,
-                                        psa_key_id_t key_handle);
-/**
  * \brief Allocate an operation context in the backend
  *
  * \param[in]  type   Type of the operation context to allocate