PSA crypto service: encode the key owner (ITS backend only)

When building for the PSA crypto service (defined(PSA_CRYPTO_SECURE)), define psa_key_owner_id_t as int32_t, which is how a PSA platform encodes partition identity. Note that this only takes effect when the build option MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER is active. Support this configuration in the ITS backend.
2019-02-19 14:16:17 +01:00 · 2019-02-19 14:16:17 +01:00 · 572f067205
commit 572f067205
parent 69d7c8b2d7
2 changed files with 27 additions and 2 deletions
--- a/include/psa/crypto_platform.h
+++ b/include/psa/crypto_platform.h
@ -70,6 +70,12 @@ typedef uint32_t psa_app_key_id_t;

 #if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER)

+#if defined(PSA_CRYPTO_SECURE)
+/* Building for the PSA Crypto service on a PSA platform. */
+/* A key owner is a PSA partition identifier. */
+typedef int32_t psa_key_owner_id_t;
+#endif
+
 typedef struct
 {
    uint32_t key_id;
--- a/library/psa_crypto_storage_its.c
+++ b/library/psa_crypto_storage_its.c
@ -36,9 +36,28 @@
 #include "mbedtls/platform.h"
 #endif

-static psa_storage_uid_t psa_its_identifier_of_slot( psa_key_file_id_t key )
+/* Determine a file name (ITS file identifier) for the given key file
+ * identifier. The file name must be distinct from any file that is used
+ * for a purpose other than storing a key. Currently, the only such file
+ * is the random seed file whose name is PSA_CRYPTO_ITS_RANDOM_SEED_UID
+ * and whose value is 0xFFFFFF52. */
+static psa_storage_uid_t psa_its_identifier_of_slot( psa_key_file_id_t file_id )
 {
-    return( key );
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER) && \
+    defined(PSA_CRYPTO_SECURE)
+    /* Encode the owner in the upper 32 bits. This means that if
+     * owner values are nonzero (as they are on a PSA platform),
+     * no key file will ever have a value less than 0x100000000, so
+     * the whole range 0..0xffffffff is available for non-key files. */
+    uint32_t unsigned_owner = (uint32_t) file_id.owner;
+    return( (uint64_t) unsigned_owner << 32 | file_id.key_id );
+#else
+    /* Use the key id directly as a file name.
+     * psa_is_key_file_id_valid() in psa_crypto_slot_management.c
+     * is responsible for ensuring that key identifiers do not have a
+     * value that is reserved for non-key files. */
+    return( file_id );
+#endif
 }

 psa_status_t psa_crypto_storage_load( const psa_key_file_id_t key, uint8_t *data,