| Ronald Cron | 0dbbf1e | 2020-11-30 18:05:08 +0100 | [diff] [blame^] | 1 | PSA Cryptograpy API implementation and PSA driver interface |
| 2 | =========================================================== |
| 3 | |
| 4 | ## Introduction |
| 5 | |
| 6 | The [PSA Cryptography API specification](https://armmbed.github.io/mbed-crypto/psa/#application-programming-interface) defines an interface to cryptographic operations which the Mbed TLS library provides a reference implementation for. The PSA Cryptography API specification is complemented by the PSA driver interface specification which defines an interface for cryptoprocessor drivers. |
| 7 | |
| 8 | This document describes the high level organization of the Mbed TLS PSA Cryptography API implementation which is tighly related to the PSA driver interface. |
| 9 | |
| 10 | ## High level organization of the Mbed TLS PSA Cryptography API implementation |
| 11 | In one sentence, the Mbed TLS PSA Cryptography API implementation is made of a core and PSA drivers as defined in the PSA driver interface. The key point is that software cryptographic operations are organized as PSA drivers: they interact with the core through the PSA driver interface. |
| 12 | |
| 13 | ### Rationale |
| 14 | |
| 15 | * Addressing software and hardware cryptographic implementations through the same C interface reduces the core code size and its call graph complexity. The core and its dispatching to software and hardware implementations are consequently easier to test and validate. |
| 16 | * The organization of the software cryptographic implementations in drivers promotes modularization of those implementations. |
| 17 | * As hardware capabilities, software cryptographic functionalities can be described by a JSON driver description file as defined in the PSA driver interface. |
| 18 | * Along with JSON driver description files, the PSA driver specification defines the deliverables for a driver to be included into the Mbed TLS PSA Cryptography implementation. This provides a natural framework to integrate third party or alternative software implementations of cryptographic operations. |
| 19 | |
| 20 | ## The Mbed TLS PSA Cryptography API implementation core |
| 21 | |
| 22 | The core implements all the APIs as defined in the PSA Cryptography API specification but do not perform on its own any cryptographic operation. The core relies on PSA drivers to actually |
| 23 | perform the cryptographic operations. The core is responsible of: |
| 24 | |
| 25 | * the key store. |
| 26 | * checking PSA API arguments and translate them into valid arguments for the necessary calls to the PSA driver interface. |
| 27 | * dispatchng the cryptographic operations to the appropriate PSA drivers. |
| 28 | |
| 29 | The sketch of an Mbed TLS PSA cryptographic API implementation is thus: |
| 30 | ```C |
| 31 | psa_status_t psa_api( ... ) |
| 32 | { |
| 33 | psa_status_t status; |
| 34 | |
| 35 | /* Pre driver interface call processing: validation of arguments, building |
| 36 | * of arguments for the call to the driver interface, ... */ |
| 37 | |
| 38 | ... |
| 39 | |
| 40 | /* Call to the driver interface */ |
| 41 | status = psa_driver_wrapper_<entry_point>( ... ); |
| 42 | if( status != PSA_SUCCESS ) |
| 43 | return( status ); |
| 44 | |
| 45 | /* Post driver interface call processing: validation of the values returned |
| 46 | * by the driver, finalization ot the values to return to the caller, |
| 47 | * clean-up in case of error ... */ |
| 48 | } |
| 49 | ``` |
| 50 | Obviously, for some PSA APIs the implementation is more complicated with several potential conditionnal calls to different driver entry points but most of PSA API code aimed to be organized along those lines. The implementation of the `psa_driver_wrapper_<entry_point>` function is generated by the build system based on the JSON driver description files of the various PSA drivers making up the Mbed TLS PSA Cryptography API implementation. |