Prevent mbedtls_psa_register_se_key with volatile keys mbedtls_psa_register_se_key() is not usable with volatile keys, since there is no way to return the implementation-chosen key identifier which would be needed to use the key. Document this limitation. Reject an attempt to create such an unusable key. Fixes #9253. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

commit: 37a4fcc5b4b22d39c78e2bcd82c994e3b4629762 [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Thu Jun 13 16:06:45 2024 +0200
committer: Gilles Peskine <Gilles.Peskine@arm.com> Wed Aug 07 11:17:32 2024 +0200
tree: 53c2154701e9c575aa39268a6315e10bec990225
parent: f555a4e26f9909322e0cb382c5133ee403c9d674 [diff] [blame]
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 45e1aa9..502ddc2 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c

@@ -2149,6 +2149,14 @@
         return PSA_ERROR_NOT_SUPPORTED;
     }
 
+    /* Not usable with volatile keys, even with an appropriate location,
+     * due to the API design.
+     * https://github.com/Mbed-TLS/mbedtls/issues/9253
+     */
+    if (PSA_KEY_LIFETIME_IS_VOLATILE(psa_get_key_lifetime(attributes))) {
+        return PSA_ERROR_INVALID_ARGUMENT;
+    }
+
     status = psa_start_key_creation(PSA_KEY_CREATION_REGISTER, attributes,
                                     &slot, &driver);
     if (status != PSA_SUCCESS) {
commit	37a4fcc5b4b22d39c78e2bcd82c994e3b4629762	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Thu Jun 13 16:06:45 2024 +0200
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Wed Aug 07 11:17:32 2024 +0200
tree	53c2154701e9c575aa39268a6315e10bec990225
parent	f555a4e26f9909322e0cb382c5133ee403c9d674 [diff] [blame]