Improve "abstraction layers" section
- fix inaccuracy about PSA hash implementation - add note about context-less operations - provide summary Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
parent
a6c601c079
commit
0950359220
1 changed files with 15 additions and 2 deletions
|
@ -156,8 +156,8 @@ crypto API.
|
||||||
This strategy is currently used for ECDSA signature verification in the PK
|
This strategy is currently used for ECDSA signature verification in the PK
|
||||||
layer, and could be extended to all operations in the PK layer.
|
layer, and could be extended to all operations in the PK layer.
|
||||||
|
|
||||||
This strategy is not very well suited to the Cipher and MD layers, as the PSA
|
This strategy is not very well suited to the Cipher layer, as the PSA
|
||||||
implementation is currently done on top of those layers.
|
implementation is currently done on top of that layer.
|
||||||
|
|
||||||
Replace calls for each operation
|
Replace calls for each operation
|
||||||
--------------------------------
|
--------------------------------
|
||||||
|
@ -184,6 +184,9 @@ Opt-in use of PSA from the abstraction layer
|
||||||
- Downside: when the context is typically set up by the application, requires
|
- Downside: when the context is typically set up by the application, requires
|
||||||
changes in application code.
|
changes in application code.
|
||||||
|
|
||||||
|
This strategy is not useful when no context is used, for example with the
|
||||||
|
one-shot function `mbedtls_md()`.
|
||||||
|
|
||||||
There are two variants of this strategy: one where using the new setup
|
There are two variants of this strategy: one where using the new setup
|
||||||
function also allows for key isolation (the key is only held by PSA,
|
function also allows for key isolation (the key is only held by PSA,
|
||||||
supporting both G1 and G2 in that area), and one without isolation (the key is
|
supporting both G1 and G2 in that area), and one without isolation (the key is
|
||||||
|
@ -207,6 +210,16 @@ support for key isolation, but at the (unavoidable) code of change in
|
||||||
application code, while the other requires no application change to get
|
application code, while the other requires no application change to get
|
||||||
support for drivers, but fails to provide isolation support.
|
support for drivers, but fails to provide isolation support.
|
||||||
|
|
||||||
|
Summary
|
||||||
|
-------
|
||||||
|
|
||||||
|
Stategies currently used with each abstraction layer:
|
||||||
|
|
||||||
|
- PK (for G1): silently call PSA
|
||||||
|
- PK (for G2): opt-in use of PSA (new key type)
|
||||||
|
- Cipher (G1): opt-in use of PSA (new setup function)
|
||||||
|
- MD (G1): replace calls at each call site
|
||||||
|
|
||||||
Migrating away from the legacy API
|
Migrating away from the legacy API
|
||||||
==================================
|
==================================
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue