lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

Merge pull request #285 from gilles-peskine-arm/psa-se_driver-validate_save_persistent

Browse Source 
SE driver: make persistent data work
This commit is contained in:
Gilles Peskine
2019-10-09 18:35:33 +02:00
committed by GitHub
parent 1bbe284d63 e1ee8f157c
commit 36029387de
9 changed files with 244 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
library/psa_crypto.c
View File

@ -1579,7 +1579,7 @@ static psa_status_t psa_start_key_creation(
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
/* For a key in a secure element, we need to do three things
* when creating a key (but not when registering an existing key):
* when creating or registering a key:
* create the key file in internal storage, create the
* key inside the secure element, and update the driver's
* persistent data. Start a transaction that will encompass these
@ -1592,7 +1592,7 @@ static psa_status_t psa_start_key_creation(
* secure element driver updates its persistent state, but we do not yet
* save the driver's persistent state, so that if the power fails,
* we can roll back to a state where the key doesn't exist. */
if( *p_drv != NULL && method != PSA_KEY_CREATION_REGISTER )
if( *p_drv != NULL )
{
status = psa_find_se_slot_for_key( attributes, method, *p_drv,
&slot->data.se.slot_number );
@ -1609,6 +1609,12 @@ static psa_status_t psa_start_key_creation(
return( status );
}
}
if( *p_drv == NULL && method == PSA_KEY_CREATION_REGISTER )
{
/* Key registration only makes sense with a secure element. */
return( PSA_ERROR_INVALID_ARGUMENT );
}
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
return( status );
@ -1883,7 +1889,6 @@ psa_status_t mbedtls_psa_register_se_key(
psa_status_t status;
psa_key_slot_t *slot = NULL;
psa_se_drv_table_entry_t *driver = NULL;
const psa_drv_se_t *drv;
psa_key_handle_t handle = 0;
/* Leaving attributes unspecified is not currently supported.
@ -1900,37 +1905,6 @@ psa_status_t mbedtls_psa_register_se_key(
if( status != PSA_SUCCESS )
goto exit;
if( driver == NULL )
{
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
drv = psa_get_se_driver_methods( driver );
if ( psa_get_key_slot_number( attributes,
&slot->data.se.slot_number ) != PSA_SUCCESS )
{
/* The application didn't specify a slot number. This doesn't
* make sense when registering a slot. */
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
/* If the driver has a slot number validation method, call it.
* If it doesn't, it means the secure element is unable to validate
* anything and so we have to trust the application. */
if( drv->key_management != NULL &&
drv->key_management->p_validate_slot_number != NULL )
{
status = drv->key_management->p_validate_slot_number(
psa_get_se_driver_context( driver ),
attributes,
PSA_KEY_CREATION_REGISTER,
slot->data.se.slot_number );
if( status != PSA_SUCCESS )
goto exit;
}
status = psa_finish_key_creation( slot, driver );
exit:
@ -5713,6 +5687,12 @@ psa_status_t psa_crypto_init( void )
if( status != PSA_SUCCESS )
goto exit;
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
status = psa_init_all_se_drivers( );
if( status != PSA_SUCCESS )
goto exit;
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
status = psa_crypto_load_transaction( );
if( status == PSA_SUCCESS )

36
library/psa_crypto_se.c
View File

@ -222,9 +222,16 @@ psa_status_t psa_find_se_slot_for_key(
if( p_validate_slot_number == NULL )
return( PSA_ERROR_NOT_SUPPORTED );
status = p_validate_slot_number( &driver->context,
driver->internal.persistent_data,
attributes, method,
*slot_number );
}
else if( method == PSA_KEY_CREATION_REGISTER )
{
/* The application didn't specify a slot number. This doesn't
* make sense when registering a slot. */
return( PSA_ERROR_INVALID_ARGUMENT );
}
else
{
/* The application didn't tell us which slot to use. Let the driver
@ -265,6 +272,31 @@ psa_status_t psa_destroy_se_key( psa_se_drv_table_entry_t *driver,
return( status == PSA_SUCCESS ? storage_status : status );
}
psa_status_t psa_init_all_se_drivers( void )
{
size_t i;
for( i = 0; i < PSA_MAX_SE_DRIVERS; i++ )
{
psa_se_drv_table_entry_t *driver = &driver_table[i];
if( driver->lifetime == 0 )
continue; /* skipping unused entry */
const psa_drv_se_t *methods = psa_get_se_driver_methods( driver );
if( methods->p_init != NULL )
{
psa_status_t status = methods->p_init(
&driver->context,
driver->internal.persistent_data,
driver->lifetime );
if( status != PSA_SUCCESS )
return( status );
status = psa_save_se_persistent_data( driver );
if( status != PSA_SUCCESS )
return( status );
}
}
return( PSA_SUCCESS );
}
/****************************************************************/
@ -309,6 +341,8 @@ psa_status_t psa_register_se_driver(
driver_table[i].lifetime = lifetime;
driver_table[i].methods = methods;
driver_table[i].internal.persistent_data_size =
methods->persistent_data_size;
if( methods->persistent_data_size != 0 )
{
@ -326,8 +360,6 @@ psa_status_t psa_register_se_driver(
if( status != PSA_SUCCESS && status != PSA_ERROR_DOES_NOT_EXIST )
goto error;
}
driver_table[i].internal.persistent_data_size =
methods->persistent_data_size;
return( PSA_SUCCESS );

6
library/psa_crypto_se.h
View File

@ -66,6 +66,12 @@
*/
void psa_unregister_all_se_drivers( void );
/** Initialize all secure element drivers.
*
* Called from psa_crypto_init().
*/
psa_status_t psa_init_all_se_drivers( void );
/** A structure that describes a registered secure element driver.
*
* A secure element driver table entry contains a pointer to the