Prevent mbedtls_psa_register_se_key with volatile keys

mbedtls_psa_register_se_key() is not usable with volatile keys, since there is no way to return the implementation-chosen key identifier which would be needed to use the key. Document this limitation. Reject an attempt to create such an unusable key. Fixes #9253. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-07-29 11:41:15 +03:00 · 2024-06-13 16:06:45 +02:00
parent 86c603702e
commit d72ad738bd
5 changed files with 32 additions and 1 deletions
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@ -129,6 +129,9 @@ static psa_key_attributes_t psa_key_attributes_init(void);
 *
 * \param[out] attributes  The attribute structure to write to.
 * \param key              The persistent identifier for the key.
+ *                         This can be any value in the range from
+ *                         #PSA_KEY_ID_USER_MIN to #PSA_KEY_ID_USER_MAX
+ *                         inclusive.
 */
 static void psa_set_key_id(psa_key_attributes_t *attributes,
                           mbedtls_svc_key_id_t key);
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@ -154,6 +154,14 @@ static inline void psa_clear_key_slot_number(
 * specified in \p attributes.
 *
 * \param[in] attributes        The attributes of the existing key.
+ *                              - The lifetime must be a persistent lifetime
+ *                                in a secure element. Volatile lifetimes are
+ *                                not currently supported.
+ *                              - The key identifier must be in the valid
+ *                                range for persistent keys.
+ *                              - The key type and size must be specified and
+ *                                must be consistent with the key material
+ *                                in the secure element.
 *
 * \retval #PSA_SUCCESS
 *         The key was successfully registered.