Enable owner labelling of keys in Mbed TLS
This change modifies the build configuration for Mbed TLS when it is
used as a backend for the crypto provider to enable labelling of key IDs
using an externally provided identifier. This allows the key store to be
partitioned to protect keys from unauthorized access. Currently, the
partitioning is based on the caller ID that identifies a calling client.
For FF-A deployments, this is the source partition ID. Because the
configuration change alters the PSA Crypto API exposed by mbedcrypto, a
number of changes were needed to allow the modified API to coexist in
builds alongside clients that depend on the standard API. Some old unit
test cases that were not practical to modify have been removed. From a
coverage perspective, most of the same areas are covered by the
extensive set of service level tests.
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
Signed-off-by: Julian Hall <julian.hall@arm.com>
Change-Id: I2762c91bba2dba0a6305aefe61f256355defaf3a
diff --git a/components/service/crypto/backend/mbedcrypto/component.cmake b/components/service/crypto/backend/mbedcrypto/component.cmake
index 36fd3df..dd6f60c 100644
--- a/components/service/crypto/backend/mbedcrypto/component.cmake
+++ b/components/service/crypto/backend/mbedcrypto/component.cmake
@@ -21,3 +21,9 @@
"${TS_ROOT}/components/service/common/include"
"${TS_ROOT}/components/service/secure_storage/include"
CACHE STRING "PSA ITS for MbedTLS" FORCE)
+
+# Override the default crypto backend interface with an alternative that is
+# compatible with the configuration of mbedtls that this component imposes.
+target_compile_definitions(${TGT} PUBLIC
+ ALTERNATIVE_CRYPTO_BACKEND="${CMAKE_CURRENT_LIST_DIR}/mbedtls_psa_crypto_backend.h"
+ )
diff --git a/components/service/crypto/backend/mbedcrypto/mbedcrypto_backend.c b/components/service/crypto/backend/mbedcrypto/mbedcrypto_backend.c
index d9596bb..1989003 100644
--- a/components/service/crypto/backend/mbedcrypto/mbedcrypto_backend.c
+++ b/components/service/crypto/backend/mbedcrypto/mbedcrypto_backend.c
@@ -4,10 +4,9 @@
* SPDX-License-Identifier: BSD-3-Clause
*/
+#include <service/crypto/backend/mbedcrypto/mbedtls_psa_crypto_backend.h>
#include <service/crypto/backend/mbedcrypto/trng_adapter/trng_adapter.h>
#include <service/secure_storage/frontend/psa/its/its_frontend.h>
-#include <psa/crypto.h>
-
psa_status_t mbedcrypto_backend_init(struct storage_backend *storage_backend,
int trng_instance_num)
diff --git a/components/service/crypto/backend/mbedcrypto/mbedtls_psa_crypto_backend.h b/components/service/crypto/backend/mbedcrypto/mbedtls_psa_crypto_backend.h
new file mode 100644
index 0000000..afe45fe
--- /dev/null
+++ b/components/service/crypto/backend/mbedcrypto/mbedtls_psa_crypto_backend.h
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef MBEDTLS_PSA_CRYPTO_BACKEND_H
+#define MBEDTLS_PSA_CRYPTO_BACKEND_H
+
+/**
+ * A crypto backend that uses a configuration of mbedtls to provide the
+ * backend interface used by a crypto provider. The build configuration
+ * enables namespacing of key ids.
+ */
+
+#ifdef MBEDTLS_PSA_CRYPTO_H
+#include MBEDTLS_PSA_CRYPTO_H
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Mbedtls supports key id namespacing via the mbedtls_svc_key_id_t
+ * type that combines a key id with an owner id.
+ */
+typedef mbedtls_svc_key_id_t namespaced_key_id_t;
+#define NAMESPACED_KEY_ID_INIT MBEDTLS_SVC_KEY_ID_INIT
+
+/**
+ * Map to the mbedtls owner id type for the namespace.
+ */
+typedef mbedtls_key_owner_id_t key_id_namespace_t;
+#define KEY_ID_NAMESPACE_INIT 0
+
+/**
+ * \brief Initialize a namespaced key id
+ *
+ * This default implementation just discards the namespace.
+ *
+ * \param namespaced_key_id The object to initialize
+ * \param key_namespace The namespace
+ * \param key_id The key id
+ */
+static inline void namespaced_key_id_init(namespaced_key_id_t *namespaced_key_id,
+ key_id_namespace_t key_namespace,
+ psa_key_id_t key_id)
+{
+ *namespaced_key_id = mbedtls_svc_key_id_make(key_namespace, key_id);
+}
+
+/**
+ * \brief Get the key id from a namespaced_key_id_t
+ *
+ * \param namespaced_key_id Namespaced key id
+ * \return Key id without namespace
+ */
+static inline psa_key_id_t namespaced_key_id_get_key_id(namespaced_key_id_t namespaced_key_id)
+{
+ return MBEDTLS_SVC_KEY_ID_GET_KEY_ID(namespaced_key_id);
+}
+
+/**
+ * \brief Set the key id namespace associated with a key attributes object
+ *
+ * The default implementation discards the namespace
+ *
+ * \param attributes Key attributes object
+ * \param key_namespace Key id namespace
+ */
+static inline void namespaced_key_id_set_namespace(psa_key_attributes_t *attributes,
+ key_id_namespace_t key_namespace)
+{
+ mbedtls_set_key_owner_id(attributes, key_namespace);
+}
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* MBEDTLS_PSA_CRYPTO_BACKEND_H */