Move handling of 'SE' drivers into driver wrappers

This is a more natural place for handling the drivers belonging to the 'previous' SE driver spec. It makes for a cleaner psa_crypto.c, and potentially an easier overview of how to migrate from the old SE driver interface to the 'opaque accelerator' interface. Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-17 16:43:05 +02:00 · 2020-07-17 16:43:05 +02:00 · 7a2505788c
commit 7a2505788c
parent d57203d955
2 changed files with 36 additions and 22 deletions
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@ -3638,10 +3638,6 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle,
 {
    psa_key_slot_t *slot;
    psa_status_t status;
-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-    const psa_drv_se_t *drv;
-    psa_drv_se_context_t *drv_context;
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */

    *signature_length = signature_size;
    /* Immediately reject a zero-length signature buffer. This guarantees
@ -3671,24 +3667,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle,
    if( status != PSA_ERROR_NOT_SUPPORTED )
        goto exit;

-#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-    if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
-    {
-        if( drv->asymmetric == NULL ||
-            drv->asymmetric->p_sign == NULL )
-        {
-            status = PSA_ERROR_NOT_SUPPORTED;
-            goto exit;
-        }
-        status = drv->asymmetric->p_sign( drv_context,
-                                          slot->data.se.slot_number,
-                                          alg,
-                                          hash, hash_length,
-                                          signature, signature_size,
-                                          signature_length );
-    }
-    else
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+    /* If the operation was not supported by any accelerator, try fallback. */
 #if defined(MBEDTLS_RSA_C)
    if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR )
    {
--- a/library/psa_crypto_driver_wrappers.c
+++ b/library/psa_crypto_driver_wrappers.c
@ -28,9 +28,17 @@
 #if defined(MBEDTLS_TEST_HOOKS)
 #undef MBEDTLS_PSA_CRYPTO_DRIVER_PRESENT
 #define MBEDTLS_PSA_CRYPTO_DRIVER_PRESENT
+#undef MBEDTLS_PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
+#define MBEDTLS_PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
 #include "drivers/test_driver.h"
 #endif

+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+#undef MBEDTLS_PSA_CRYPTO_DRIVER_PRESENT
+#define MBEDTLS_PSA_CRYPTO_DRIVER_PRESENT
+#include "psa_crypto_se.h"
+#endif
+
 /* Include driver definition file for each registered driver */

 /* Start delegation functions */
@ -43,6 +51,30 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot,
                                           size_t *signature_length )
 {
 #if defined(MBEDTLS_PSA_CRYPTO_DRIVER_PRESENT)
+    /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    const psa_drv_se_t *drv;
+    psa_drv_se_context_t *drv_context;
+
+    if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
+    {
+        if( drv->asymmetric == NULL ||
+            drv->asymmetric->p_sign == NULL )
+        {
+            /* Key is defined in SE, but we have no way to exercise it */
+            return PSA_ERROR_INVALID_ARGUMENT;
+        }
+        return( drv->asymmetric->p_sign( drv_context,
+                                         slot->data.se.slot_number,
+                                         alg,
+                                         hash, hash_length,
+                                         signature, signature_size,
+                                         signature_length ) );
+    }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+    /* Then try accelerator API */
+#if defined(MBEDTLS_PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
    psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
    psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime);
    psa_key_attributes_t attributes = {
@ -87,6 +119,9 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot,
            /* Key is declared with a lifetime not known to us */
            return status;
    }
+#else /* MBEDTLS_PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+    return PSA_ERROR_NOT_SUPPORTED;
+#endif /* MBEDTLS_PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
 #else /* MBEDTLS_PSA_CRYPTO_DRIVER_PRESENT */
    (void)slot;
    (void)alg;