Merge pull request #197 from netanelgonen/entropy-inject

Add entropy inject API (#197)
This commit is contained in:
Gilles Peskine 2018-11-21 19:21:05 +01:00 committed by GitHub
commit a678f233a7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 277 additions and 1 deletions

View file

@ -1103,6 +1103,16 @@
*/
//#define MBEDTLS_ENTROPY_NV_SEED
/**
* \def MBEDTLS_PSA_HAS_ITS_IO
*
* Enable the non-volatile secure storage usage.
*
* This is crucial on systems that do not have a HW TRNG support.
*
*/
//#define MBEDTLS_PSA_HAS_ITS_IO
/**
* \def MBEDTLS_MEMORY_DEBUG
*

View file

@ -34,6 +34,9 @@
extern "C" {
#endif
/* UID for secure storage seed */
#define PSA_CRYPTO_ITS_RANDOM_SEED_UID 0xFFFFFF52
/**
* \brief Library deinitialization.
*
@ -44,6 +47,75 @@ extern "C" {
*/
void mbedtls_psa_crypto_free( void );
#if ( defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO) )
/**
* \brief Inject an initial entropy seed for the random generator into
* secure storage.
*
* This function injects data to be used as a seed for the random generator
* used by the PSA Crypto implementation. On devices that lack a trusted
* entropy source (preferably a hardware random number generator),
* the Mbed PSA Crypto implementation uses this value to seed its
* random generator.
*
* On devices without a trusted entropy source, this function must be
* called exactly once in the lifetime of the device. On devices with
* a trusted entropy source, calling this function is optional.
* In all cases, this function may only be called before calling any
* other function in the PSA Crypto API, including psa_crypto_init().
*
* When this function returns successfully, it populates a file in
* persistent storage. Once the file has been created, this function
* can no longer succeed.
*
* If any error occurs, this function does not change the system state.
* You can call this function again after correcting the reason for the
* error if possible.
*
* \warning This function **can** fail! Callers MUST check the return status.
*
* \warning If you use this function, you should use it as part of a
* factory provisioning process. The value of the injected seed
* is critical to the security of the device. It must be
* *secret*, *unpredictable* and (statistically) *unique per device*.
* You should be generate it randomly using a cryptographically
* secure random generator seeded from trusted entropy sources.
* You should transmit it securely to the device and ensure
* that its value is not leaked or stored anywhere beyond the
* needs of transmitting it from the point of generation to
* the call of this function, and erase all copies of the value
* once this function returns.
*
* This is an Mbed TLS extension.
*
* \param seed[in] Buffer containing the seed value to inject.
* \param seed_size Size of the \p seed buffer.
* The size of the seed in bytes must be greater
* or equal to both #MBEDTLS_ENTROPY_MIN_PLATFORM
* and #MBEDTLS_ENTROPY_BLOCK_SIZE.
* It must be less or equal to
* #MBEDTLS_ENTROPY_MAX_SEED_SIZE.
*
* \retval #PSA_SUCCESS
* The seed value was injected successfully. The random generator
* of the PSA Crypto implementation is now ready for use.
* You may now call psa_crypto_init() and use the PSA Crypto
* implementation.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p seed_size is out of range.
* \retval #PSA_ERROR_STORAGE_FAILURE
* \retval `PSA_ITS_ERROR_XXX`
* There was a failure reading or writing from storage.
* \retval #PSA_ERROR_NOT_PERMITTED
* The library has already been initialized. It is no longer
* possible to call this function.
*/
psa_status_t mbedtls_psa_inject_entropy(const unsigned char *seed,
size_t seed_size);
#endif
#ifdef __cplusplus
}
#endif

View file

@ -69,6 +69,7 @@
#include "mbedtls/ecdh.h"
#include "mbedtls/ecp.h"
#include "mbedtls/entropy.h"
#include "mbedtls/entropy_poll.h"
#include "mbedtls/error.h"
#include "mbedtls/gcm.h"
#include "mbedtls/md2.h"
@ -85,7 +86,9 @@
#include "mbedtls/sha512.h"
#include "mbedtls/xtea.h"
#if ( defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO) )
#include "psa_prot_internal_storage.h"
#endif
#define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) )
@ -4225,6 +4228,73 @@ psa_status_t psa_generate_random( uint8_t *output,
return( mbedtls_to_psa_error( ret ) );
}
#if ( defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO) )
/* Support function for error conversion between psa_its error codes to psa crypto */
static psa_status_t its_to_psa_error( psa_its_status_t ret )
{
switch( ret )
{
case PSA_ITS_SUCCESS:
return( PSA_SUCCESS );
case PSA_ITS_ERROR_KEY_NOT_FOUND:
return( PSA_ERROR_EMPTY_SLOT );
case PSA_ITS_ERROR_STORAGE_FAILURE:
return( PSA_ERROR_STORAGE_FAILURE );
case PSA_ITS_ERROR_INSUFFICIENT_SPACE:
return( PSA_ERROR_INSUFFICIENT_STORAGE );
case PSA_ITS_ERROR_INVALID_KEY:
case PSA_PS_ERROR_OFFSET_INVALID:
case PSA_ITS_ERROR_INCORRECT_SIZE:
case PSA_ITS_ERROR_BAD_POINTER:
return( PSA_ERROR_INVALID_ARGUMENT );
case PSA_ITS_ERROR_FLAGS_NOT_SUPPORTED:
return( PSA_ERROR_NOT_SUPPORTED );
case PSA_ITS_ERROR_WRITE_ONCE:
return( PSA_ERROR_OCCUPIED_SLOT );
default:
return( PSA_ERROR_UNKNOWN_ERROR );
}
}
psa_status_t mbedtls_psa_inject_entropy( const unsigned char *seed,
size_t seed_size )
{
psa_status_t status;
psa_its_status_t its_status;
struct psa_its_info_t p_info;
if( global_data.initialized )
return( PSA_ERROR_NOT_PERMITTED );
if( ( ( seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM ) ||
( seed_size < MBEDTLS_ENTROPY_BLOCK_SIZE ) ) ||
( seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE ) )
return( PSA_ERROR_INVALID_ARGUMENT );
its_status = psa_its_get_info( PSA_CRYPTO_ITS_RANDOM_SEED_UID, &p_info );
status = its_to_psa_error( its_status );
if( PSA_ITS_ERROR_KEY_NOT_FOUND == its_status ) /* No seed exists */
{
its_status = psa_its_set( PSA_CRYPTO_ITS_RANDOM_SEED_UID, seed_size, seed, 0 );
status = its_to_psa_error( its_status );
}
else if( PSA_ITS_SUCCESS == its_status )
{
/* You should not be here. Seed needs to be injected only once */
status = PSA_ERROR_NOT_PERMITTED;
}
return( status );
}
#endif
psa_status_t psa_generate_key( psa_key_slot_t key,
psa_key_type_t type,
size_t bits,

View file

@ -402,6 +402,9 @@ static const char *features[] = {
#if defined(MBEDTLS_ENTROPY_NV_SEED)
"MBEDTLS_ENTROPY_NV_SEED",
#endif /* MBEDTLS_ENTROPY_NV_SEED */
#if defined(MBEDTLS_PSA_HAS_ITS_IO)
"MBEDTLS_PSA_HAS_ITS_IO",
#endif /* MBEDTLS_PSA_HAS_ITS_IO */
#if defined(MBEDTLS_MEMORY_DEBUG)
"MBEDTLS_MEMORY_DEBUG",
#endif /* MBEDTLS_MEMORY_DEBUG */

View file

@ -111,6 +111,7 @@ add_test_suite(pkparse)
add_test_suite(pkwrite)
add_test_suite(poly1305)
add_test_suite(psa_crypto)
add_test_suite(psa_crypto_entropy)
add_test_suite(psa_crypto_hash)
add_test_suite(psa_crypto_metadata)
add_test_suite(psa_crypto_persistent_key)

View file

@ -0,0 +1,18 @@
PSA validate entropy injection: good, minimum size
validate_entropy_seed_injection:MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE:PSA_SUCCESS:MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE:PSA_ERROR_NOT_PERMITTED
PSA validate entropy injection: good, max size
validate_entropy_seed_injection:MBEDTLS_ENTROPY_MAX_SEED_SIZE:PSA_SUCCESS:MBEDTLS_ENTROPY_MAX_SEED_SIZE:PSA_ERROR_NOT_PERMITTED
PSA validate entropy injection: bad, too big
validate_entropy_seed_injection:MBEDTLS_ENTROPY_MAX_SEED_SIZE+1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE:PSA_SUCCESS
PSA validate entropy injection: bad, too small using MBEDTLS_ENTROPY_MIN_PLATFORM
validate_entropy_seed_injection:MBEDTLS_ENTROPY_MIN_PLATFORM-1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE:PSA_SUCCESS
PSA validate entropy injection: bad, too small using MBEDTLS_ENTROPY_BLOCK_SIZE
validate_entropy_seed_injection:MBEDTLS_ENTROPY_BLOCK_SIZE-1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE:PSA_SUCCESS
PSA validate entropy injection: before and after crypto_init
run_entropy_inject_with_crypto_init:

View file

@ -0,0 +1,102 @@
/* BEGIN_HEADER */
#include <stdint.h>
#include "psa/crypto.h"
#include "psa_prot_internal_storage.h"
#include "mbedtls/entropy.h"
#include "mbedtls/entropy_poll.h"
/* MAX value support macro */
#if !defined(MAX)
#define MAX(a,b) (((a)>(b))?(a):(b))
#endif
/* Calculating the minimum allowed entropy size in bytes */
#define MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE MAX(MBEDTLS_ENTROPY_MIN_PLATFORM, MBEDTLS_ENTROPY_BLOCK_SIZE)
/* END_HEADER */
/* BEGIN_DEPENDENCIES
* depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_PSA_HAS_ITS_IO:MBEDTLS_PSA_CRYPTO_C
* END_DEPENDENCIES
*/
/* BEGIN_CASE */
void validate_entropy_seed_injection( int seed_length_a,
int expected_status_a,
int seed_length_b,
int expected_status_b )
{
psa_its_status_t its_status;
psa_status_t status;
uint8_t output[32] = { 0 };
uint8_t zeros[32] = { 0 };
uint8_t *seed = NULL;
int i;
int seed_size;
if( seed_length_a > seed_length_b )
{
seed_size = seed_length_a;
}
else
{
seed_size = seed_length_b;
}
ASSERT_ALLOC( seed, seed_size );
/* fill seed with some data */
for( i = 0; i < seed_size; ++i )
{
seed[i] = i;
}
its_status = psa_its_remove( PSA_CRYPTO_ITS_RANDOM_SEED_UID );
TEST_ASSERT( ( its_status == PSA_ITS_SUCCESS ) ||
( its_status == PSA_ITS_ERROR_KEY_NOT_FOUND ) );
status = mbedtls_psa_inject_entropy( seed, seed_length_a );
TEST_ASSERT( status == expected_status_a );
status = mbedtls_psa_inject_entropy( seed, seed_length_b );
TEST_ASSERT( status == expected_status_b );
TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS );
TEST_ASSERT( psa_generate_random( output,
sizeof( output ) ) == PSA_SUCCESS );
TEST_ASSERT( memcmp( output, zeros, sizeof( output ) ) != 0 );
exit:
mbedtls_free( seed );
psa_its_remove( PSA_CRYPTO_ITS_RANDOM_SEED_UID );
mbedtls_psa_crypto_free( );
}
/* END_CASE */
/* BEGIN_CASE */
void run_entropy_inject_with_crypto_init( )
{
psa_its_status_t its_status;
psa_status_t status;
int i;
uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = { 0 };
/* fill seed with some data */
for( i = 0; i < sizeof( seed ); ++i )
{
seed[i] = i;
}
its_status = psa_its_remove( PSA_CRYPTO_ITS_RANDOM_SEED_UID );
TEST_ASSERT( ( its_status == PSA_ITS_SUCCESS ) ||
( its_status == PSA_ITS_ERROR_KEY_NOT_FOUND ) );
status = mbedtls_psa_inject_entropy( seed, sizeof( seed ) );
TEST_ASSERT( status == PSA_SUCCESS );
its_status = psa_its_remove( PSA_CRYPTO_ITS_RANDOM_SEED_UID );
TEST_ASSERT( its_status == PSA_ITS_SUCCESS );
status = psa_crypto_init( );
TEST_ASSERT( status == PSA_ERROR_INSUFFICIENT_ENTROPY );
status = mbedtls_psa_inject_entropy( seed, sizeof( seed ) );
TEST_ASSERT( status == PSA_SUCCESS );
status = psa_crypto_init( );
TEST_ASSERT( status == PSA_SUCCESS );
mbedtls_psa_crypto_free( );
/* The seed is written by nv_seed callback functions therefore the injection will fail */
status = mbedtls_psa_inject_entropy( seed, sizeof( seed ) );
TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED );
exit:
psa_its_remove( PSA_CRYPTO_ITS_RANDOM_SEED_UID );
mbedtls_psa_crypto_free( );
}
/* END_CASE */