From 2a99315cc570ef37785fb2c77a10fc050bdb4af9 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Fri, 17 Jul 2020 14:13:26 +0200
Subject: [PATCH] Add volatile key identifiers
Volatile key identifiers are introduced in PSA Crypto API v1.0.0. They are returned by the APIs when importing or generating or deriving a volatile key.
Signed-off-by: Ronald Cron
---
 library/psa_crypto.c | 3 ++-
 library/psa_crypto_slot_management.c | 10 ++++++++--
 library/psa_crypto_slot_management.h | 26 +++++++++++++++++++++++---
 3 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 36dcd3fca..c813ca382 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1851,6 +1851,7 @@ static psa_status_t psa_start_key_creation(
                                            psa_se_drv_table_entry_t **p_drv )
 {
     psa_status_t status;
+    psa_key_id_t volatile_key_id;
     psa_key_slot_t *slot;
     (void) method;
@@ -1860,7 +1861,7 @@ static psa_status_t psa_start_key_creation(
     if( status != PSA_SUCCESS )
         return( status );
-    status = psa_get_empty_key_slot( handle, p_slot );
+    status = psa_get_empty_key_slot( handle, &volatile_key_id, p_slot );
     if( status != PSA_SUCCESS )
         return( status );
     slot = *p_slot;
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index 4f651d985..43282b448 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -114,7 +114,8 @@ void psa_wipe_all_key_slots( void )
 }
 psa_status_t psa_get_empty_key_slot( psa_key_handle_t *handle,
-                                     psa_key_slot_t **p_slot )
+                                     psa_key_id_t *volatile_key_id,
+                                     psa_key_slot_t **p_slot )
 {
     if( ! global_data.key_slots_initialized )
         return( PSA_ERROR_BAD_STATE );
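Review bot: `volatile_key_id` is filled by the new `psa_get_empty_key_slot( handle, &volatile_key_id, p_slot )` call but nothing in this hunk reads it, so the identifier the slot was just assigned is dropped here unless the remainder of psa_start_key_creation, which continues past the hunk, records it in the slot for volatile lifetimes. If that bookkeeping is deliberately left to a follow-up commit, a marker next to the call such as `/* TODO: record volatile_key_id as the key id of volatile keys */` would keep it from being forgotten; as written the local exists only to satisfy the out-parameter. Because its address is taken, the compiler will not emit an unused-variable diagnostic for it, so nothing will flag this automatically.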
@@ -123,7 +124,11 @@ psa_status_t psa_get_empty_key_slot( psa_key_handle_t *handle,
     {
         *p_slot = &global_data.key_slots[*handle - 1];
         if( ! psa_is_key_slot_occupied( *p_slot ) )
+        {
+            *volatile_key_id = PSA_KEY_ID_VOLATILE_MIN + ( *handle ) - 1;
+            return( PSA_SUCCESS );
+        }
     }
     *p_slot = NULL;
     return( PSA_ERROR_INSUFFICIENT_MEMORY );
@@ -215,6 +220,7 @@ psa_status_t psa_open_key( mbedtls_svc_key_id_t key, psa_key_handle_t *handle )
 {
 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
     psa_status_t status;
+    psa_key_id_t volatile_key_id;
     psa_key_slot_t *slot;
     *handle = 0;
@@ -223,7 +229,7 @@ psa_status_t psa_open_key( mbedtls_svc_key_id_t key, psa_key_handle_t *handle )
     if( status != PSA_SUCCESS )
         return( status );
-    status = psa_get_empty_key_slot( handle, &slot );
+    status = psa_get_empty_key_slot( handle, &volatile_key_id, &slot );
     if( status != PSA_SUCCESS )
         return( status );
diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h
index 6c2e54960..d649f53a7 100644
--- a/library/psa_crypto_slot_management.h
+++ b/library/psa_crypto_slot_management.h
@@ -28,6 +28,23 @@
  * The value is a compile-time constant for now, for simplicity.
  */
 #define PSA_KEY_SLOT_COUNT 32
+/** Range of volatile key identifiers.
+ *
+ * The last PSA_KEY_SLOT_COUNT identifiers of the implementation range
+ * of key identifiers are reserved for volatile key identifiers.
+ * A volatile key identifier is equal to PSA_KEY_ID_VOLATILE_MIN plus the
+ * index of the key slot containing the volatile key definition.
+ */
+
+/** The minimum value for a volatile key identifier.
+ */
+#define PSA_KEY_ID_VOLATILE_MIN ( PSA_KEY_ID_VENDOR_MAX - \
+                                  PSA_KEY_SLOT_COUNT + 1 )
+
+/** The maximum value for a volatile key identifier.
+ */
+#define PSA_KEY_ID_VOLATILE_MAX PSA_KEY_ID_VENDOR_MAX
+
 /** Access a key slot at the given handle.
  *
  * \param handle Key handle to query.
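Review bot: The new `*volatile_key_id = PSA_KEY_ID_VOLATILE_MIN + ( *handle ) - 1;` dereferences `volatile_key_id` unconditionally whenever a free slot is found, so the function now requires a non-NULL pointer even from callers that have no use for the identifier, and the header documentation added in this commit does not say so. The value is only meaningful while `*handle` stays within 1..PSA_KEY_SLOT_COUNT, which the enclosing loop (its header is above the hunk) presumably guarantees; a comment on that line would make the dependency visible: `/* *handle is 1-based: this is the volatile id of slot index *handle - 1 */`. Note also that the identifier is a pure function of the slot index, so an identifier kept after the key is destroyed will name whatever key next occupies the slot; callers must not rely on it to detect a destroyed key. psa_get_empty_key_slot starts outside this hunk.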
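Review bot: In psa_open_key the new `volatile_key_id` local exists only to satisfy the out-parameter of `psa_get_empty_key_slot( handle, &volatile_key_id, &slot )`; this code is compiled under MBEDTLS_PSA_CRYPTO_STORAGE_C and takes a stored key identifier, so the volatile identifier assigned to the slot appears never to be used here. Either let `psa_get_empty_key_slot()` treat a NULL `volatile_key_id` as "not wanted" (`if( volatile_key_id != NULL ) *volatile_key_id = PSA_KEY_ID_VOLATILE_MIN + ( *handle ) - 1;`) and pass NULL from this path, or add a one-line comment such as `/* Persistent key: the slot's volatile id is not needed. */` so the dummy variable does not read as an oversight. The body of psa_open_key continues outside the hunk.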
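Review bot: The doc comment above `PSA_KEY_ID_VOLATILE_MIN` says a volatile identifier is PSA_KEY_ID_VOLATILE_MIN "plus the index of the key slot", while the assignment in psa_get_empty_key_slot in this same commit uses `( *handle ) - 1`; spelling out that the index is the zero-based slot index, i.e. the 1-based handle minus one, removes the ambiguity. The range is carved from the top of the vendor range by subtraction, so it is only sound while the vendor range is at least PSA_KEY_SLOT_COUNT identifiers wide and nothing else in the library hands out identifiers from that end of the vendor range, and nothing here checks either; record the assumption next to the definition, for example `/* Assumes the vendor id range holds at least PSA_KEY_SLOT_COUNT ids and that no other vendor ids are allocated from its top. */`.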
@@ -62,15 +79,18 @@ void psa_wipe_all_key_slots( void );
  * This function returns a key slot that is available for use and is in its
  * ground state (all-bits-zero).
  *
- * \param[out] handle On success, a slot number that can be used as a
- *                    handle to the slot.
- * \param[out] p_slot On success, a pointer to the slot.
+ * \param[out] handle On success, a slot number that can be used
+ *                    as a handle to the slot.
+ * \param[out] volatile_key_id On success, volatile key identifier
+ *                    associated to the returned slot.
+ * \param[out] p_slot On success, a pointer to the slot.
  *
  * \retval #PSA_SUCCESS
  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
  * \retval #PSA_ERROR_BAD_STATE
  */
 psa_status_t psa_get_empty_key_slot( psa_key_handle_t *handle,
+                                     psa_key_id_t *volatile_key_id,
                                      psa_key_slot_t **p_slot );
 /** Test whether a lifetime designates a key in an external cryptoprocessor.
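Review bot: The new `\param[out] volatile_key_id` text does not say that the pointer must be non-NULL, although the implementation in this commit writes `*volatile_key_id` unconditionally whenever a free slot is found, nor that the output is left untouched on the BAD_STATE and INSUFFICIENT_MEMORY paths, nor how the value relates to the slot. Suggested wording: `\param[out] volatile_key_id On success, the volatile key identifier of the returned slot (PSA_KEY_ID_VOLATILE_MIN plus the zero-based slot index). Must not be NULL; unchanged on failure.`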