crypto: decouple the PSA Crypto interface from TF-M flags
This patch cleans up the PSA Crypto interface header files and
decouples them from TF-M build flag dependencies. The
`psa_key_attributes_t` struct definition previously depended
on various config options. The struct now only has fields
which can be set and read by the client. Hence the client
view of the structure is now defined separately in the
crypto_client_struct.h header.
The platform-dependent definitions of the PSA Crypto types
are fixed and hence the crypto_platform.h header is removed
and the contents are moved to other PSA crypto headers.
The previous intermediate solution for hiding the type
differences between crypto server and client view via
`psa_client_core_key_attributes_t` is now removed.
Change-Id: I2644b5a2da3babe561c569ebf5690b3daa576a12
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
diff --git a/secure_fw/CMakeLists.txt b/secure_fw/CMakeLists.txt
index bf9b545..8bd5d18 100644
--- a/secure_fw/CMakeLists.txt
+++ b/secure_fw/CMakeLists.txt
@@ -429,7 +429,7 @@
install(FILES ${INTERFACE_INC_DIR}/psa/crypto_extra.h
${INTERFACE_INC_DIR}/psa/crypto_compat.h
${INTERFACE_INC_DIR}/psa/crypto.h
- ${INTERFACE_INC_DIR}/psa/crypto_platform.h
+ ${INTERFACE_INC_DIR}/psa/crypto_client_struct.h
${INTERFACE_INC_DIR}/psa/crypto_sizes.h
${INTERFACE_INC_DIR}/psa/crypto_struct.h
${INTERFACE_INC_DIR}/psa/crypto_types.h
diff --git a/secure_fw/partitions/crypto/crypto_key.c b/secure_fw/partitions/crypto/crypto_key.c
index ef3b309..ff062ac 100644
--- a/secure_fw/partitions/crypto/crypto_key.c
+++ b/secure_fw/partitions/crypto/crypto_key.c
@@ -37,10 +37,9 @@
* \defgroup public Public functions
*
*/
-
/*!@{*/
psa_status_t tfm_crypto_key_attributes_from_client(
- const psa_client_key_attributes_t *client_key_attr,
+ const struct psa_client_key_attributes_s *client_key_attr,
int32_t client_id,
psa_key_attributes_t *key_attributes)
{
@@ -48,19 +47,17 @@
return PSA_ERROR_PROGRAMMER_ERROR;
}
- /* Domain parameters are not supported, ignore any passed by the client */
- key_attributes->domain_parameters = NULL;
- key_attributes->domain_parameters_size = 0;
+ *key_attributes = psa_key_attributes_init();
/* Copy core key attributes from the client core key attributes */
- key_attributes->core.type = client_key_attr->core.type;
- key_attributes->core.lifetime = client_key_attr->core.lifetime;
- key_attributes->core.policy = client_key_attr->core.policy;
- key_attributes->core.bits = client_key_attr->core.bits;
- key_attributes->core.flags = client_key_attr->core.flags;
+ key_attributes->core.type = client_key_attr->type;
+ key_attributes->core.lifetime = client_key_attr->lifetime;
+ key_attributes->core.policy.usage = client_key_attr->usage;
+ key_attributes->core.policy.alg = client_key_attr->alg;
+ key_attributes->core.bits = client_key_attr->bits;
/* Use the client key id as the key_id and its partition id as the owner */
- key_attributes->core.id.key_id = client_key_attr->core.id;
+ key_attributes->core.id.key_id = client_key_attr->id;
key_attributes->core.id.owner = client_id;
return PSA_SUCCESS;
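Review bot: The new field-by-field copy writes client-controlled values straight into `key_attributes->core`, and `key_attributes->core.bits = client_key_attr->bits;` is the assignment most worth a second look. The definition of `struct psa_client_key_attributes_s` is not in this diff; if its `bits` (or `type`) member is wider than the server-side `psa_key_bits_t`/`psa_key_type_t`, an oversized value from the client would be truncated silently here instead of being rejected. Going through the attribute setter, e.g. `psa_set_key_bits(key_attributes, client_key_attr->bits);`, or adding an explicit range check before the assignment, would keep that handling in one place. A short comment stating that `flags` is deliberately no longer taken from the client would also help. The function's signature and NULL check start outside this hunk.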
@@ -68,25 +65,24 @@
psa_status_t tfm_crypto_key_attributes_to_client(
const psa_key_attributes_t *key_attributes,
- psa_client_key_attributes_t *client_key_attr)
+ struct psa_client_key_attributes_s *client_key_attr)
{
if (client_key_attr == NULL || key_attributes == NULL) {
return PSA_ERROR_PROGRAMMER_ERROR;
}
- /* Domain parameters are not supported, avoid passing any to the client */
- client_key_attr->domain_parameters = NULL;
- client_key_attr->domain_parameters_size = 0;
+ struct psa_client_key_attributes_s v = PSA_CLIENT_KEY_ATTRIBUTES_INIT;
+ *client_key_attr = v;
- /* Copy core key attributes to the client core key attributes */
- client_key_attr->core.type = key_attributes->core.type;
- client_key_attr->core.lifetime = key_attributes->core.lifetime;
- client_key_attr->core.policy = key_attributes->core.policy;
- client_key_attr->core.bits = key_attributes->core.bits;
- client_key_attr->core.flags = key_attributes->core.flags;
+ /* Copy core key attributes from the client core key attributes */
+ client_key_attr->type = key_attributes->core.type;
+ client_key_attr->lifetime = key_attributes->core.lifetime;
+ client_key_attr->usage = key_attributes->core.policy.usage;
+ client_key_attr->alg = key_attributes->core.policy.alg;
+ client_key_attr->bits = key_attributes->core.bits;
/* Return the key_id as the client key id, do not return the owner */
- client_key_attr->core.id = key_attributes->core.id.key_id;
+ client_key_attr->id = key_attributes->core.id.key_id;
return PSA_SUCCESS;
}
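Review bot: The added comment in `tfm_crypto_key_attributes_to_client()` was copied from the `from_client` direction and now describes the opposite of what the code does; it should read `/* Copy core key attributes to the client key attributes */`. Separately, `*client_key_attr = v;` initialises a buffer that is handed back across the partition boundary by struct assignment. If `struct psa_client_key_attributes_s` contains any padding (its layout is not visible in this diff), the padding bytes of the stack temporary are not guaranteed to be zero and could be copied out to the caller. `memset(client_key_attr, 0, sizeof(*client_key_attr));` before filling in the fields would avoid relying on that.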
@@ -203,11 +199,11 @@
}
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (in_vec[1].len != sizeof(psa_client_key_attributes_t)) ||
+ (in_vec[1].len != sizeof(struct psa_client_key_attributes_s)) ||
(out_vec[0].len != sizeof(psa_key_handle_t))) {
return PSA_ERROR_CONNECTION_REFUSED;
}
- const psa_client_key_attributes_t *client_key_attr = in_vec[1].base;
+ const struct psa_client_key_attributes_s *client_key_attr = in_vec[1].base;
const uint8_t *data = in_vec[2].base;
size_t data_length = in_vec[2].len;
psa_key_handle_t *key_handle = out_vec[0].base;
@@ -398,13 +394,13 @@
}
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (out_vec[0].len != sizeof(psa_client_key_attributes_t))) {
+ (out_vec[0].len != sizeof(struct psa_client_key_attributes_s))) {
return PSA_ERROR_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
psa_key_handle_t key = iov->key_handle;
- psa_client_key_attributes_t *client_key_attr = out_vec[0].base;
+ struct psa_client_key_attributes_s *client_key_attr = out_vec[0].base;
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
@@ -437,11 +433,11 @@
}
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (out_vec[0].len != sizeof(psa_client_key_attributes_t))) {
+ (out_vec[0].len != sizeof(struct psa_client_key_attributes_s))) {
return PSA_ERROR_CONNECTION_REFUSED;
}
- psa_client_key_attributes_t *client_key_attr = out_vec[0].base;
+ struct psa_client_key_attributes_s *client_key_attr = out_vec[0].base;
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
int32_t partition_id;
@@ -530,14 +526,14 @@
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
(out_vec[0].len != sizeof(psa_key_handle_t)) ||
- (in_vec[1].len != sizeof(psa_client_key_attributes_t))) {
+ (in_vec[1].len != sizeof(struct psa_client_key_attributes_s))) {
return PSA_ERROR_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
psa_key_handle_t source_handle = iov->key_handle;
psa_key_handle_t *target_handle = out_vec[0].base;
- const psa_client_key_attributes_t *client_key_attr = in_vec[1].base;
+ const struct psa_client_key_attributes_s *client_key_attr = in_vec[1].base;
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
uint32_t i = 0;
@@ -592,12 +588,12 @@
}
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (in_vec[1].len != sizeof(psa_client_key_attributes_t)) ||
+ (in_vec[1].len != sizeof(struct psa_client_key_attributes_s)) ||
(out_vec[0].len != sizeof(psa_key_handle_t))) {
return PSA_ERROR_CONNECTION_REFUSED;
}
psa_key_handle_t *key_handle = out_vec[0].base;
- const psa_client_key_attributes_t *client_key_attr = in_vec[1].base;
+ const struct psa_client_key_attributes_s *client_key_attr = in_vec[1].base;
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
uint32_t i = 0;
diff --git a/secure_fw/partitions/crypto/crypto_key_derivation.c b/secure_fw/partitions/crypto/crypto_key_derivation.c
index 4bc0b01..a789ec4 100644
--- a/secure_fw/partitions/crypto/crypto_key_derivation.c
+++ b/secure_fw/partitions/crypto/crypto_key_derivation.c
@@ -381,14 +381,14 @@
}
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (in_vec[1].len != sizeof(psa_client_key_attributes_t)) ||
+ (in_vec[1].len != sizeof(struct psa_client_key_attributes_s)) ||
(out_vec[0].len != sizeof(psa_key_handle_t))) {
return PSA_ERROR_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
uint32_t handle = iov->op_handle;
- const psa_client_key_attributes_t *client_key_attr = in_vec[1].base;
+ const struct psa_client_key_attributes_s *client_key_attr = in_vec[1].base;
psa_key_derivation_operation_t *operation = NULL;
psa_key_handle_t *key_handle = out_vec[0].base;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
diff --git a/secure_fw/partitions/crypto/tfm_crypto_api.h b/secure_fw/partitions/crypto/tfm_crypto_api.h
index 98e615a..fa6f136 100644
--- a/secure_fw/partitions/crypto/tfm_crypto_api.h
+++ b/secure_fw/partitions/crypto/tfm_crypto_api.h
@@ -24,6 +24,8 @@
typedef psa_status_t (*tfm_crypto_us_t)(psa_invec[],size_t,psa_outvec[],size_t);
#endif
+#include "psa/crypto_client_struct.h"
+
#define UNIFORM_SIGNATURE_API(api_name) \
psa_status_t api_name(psa_invec[], size_t, psa_outvec[], size_t)
@@ -45,32 +47,6 @@
};
/**
- * \brief Core key attributes struct as seen by the client, with
- * psa_app_key_id_t as the key ID type.
- */
-typedef struct {
- psa_key_type_t type;
- psa_key_lifetime_t lifetime;
- psa_app_key_id_t id; /* Client key ID */
- psa_key_policy_t policy;
- psa_key_bits_t bits;
- psa_key_attributes_flag_t flags;
-} psa_client_core_key_attributes_t;
-
-/**
- * \brief This struct represents the psa_key_attributes_t struct exposed to the
- * client. The Mbed Crypto library needs a different abstraction for
- * psa_key_attributes_t, so this intermediate struct is defined.
- *
- * TODO: Cleanup crypto implementation details from client-side PSA abstraction.
- */
-typedef struct {
- psa_client_core_key_attributes_t core; /* Client core key attributes */
- void *domain_parameters;
- size_t domain_parameters_size;
-} psa_client_key_attributes_t;
-
-/**
* \brief Initialise the service
*
* \return Return values as described in \ref psa_status_t
@@ -103,7 +79,7 @@
* \return Return values as described in \ref psa_status_t
*/
psa_status_t tfm_crypto_key_attributes_from_client(
- const psa_client_key_attributes_t *client_key_attr,
+ const struct psa_client_key_attributes_s *client_key_attr,
int32_t client_id,
psa_key_attributes_t *key_attributes);
@@ -117,7 +93,7 @@
*/
psa_status_t tfm_crypto_key_attributes_to_client(
const psa_key_attributes_t *key_attributes,
- psa_client_key_attributes_t *client_key_attr);
+ struct psa_client_key_attributes_s *client_key_attr);
/**
* \brief Checks that the requested handle belongs to the requesting