Commit graph

25 commits

Author SHA1 Message Date
Janos Follath
a365efc6f1 Threading design: fix internal links
Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-10-26 10:22:55 +01:00
Janos Follath
54bd71b40f Update operation threading strategy
The library does not need to provide protection, leave it to the crypto
service.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-10-23 10:30:50 +01:00
Janos Follath
e604269a59 Threading Design: emphasise performance requirement
Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-10-23 10:16:58 +01:00
Janos Follath
23f7e41633
Threading design: improve language
Co-authored-by: Paul Elliott <62069445+paul-elliott-arm@users.noreply.github.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-10-23 10:11:18 +01:00
Janos Follath
49d467c37d Threading design: update and clarify 3.6 plan
- Separation of attr and slot state is added
- Driver support is cut back

Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-10-20 15:41:40 +01:00
Janos Follath
de0e3e352d Threading design: Update empty slot tracking
Using a dedicated field allows clean separatin between key attributes
and slot state. This allows us to use the same mechanics for attributes
and key content. Which in turn means lower code size and easier
maintenance.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-10-20 15:12:42 +01:00
Janos Follath
52586895f7 Clarify threading design document structure
Separate design analysis from plans and make the distinction clear
between what is implemented, what is planned to be implemented soon,
what is planned to be implemented in the future, and what is ideas that
are rejected.

(The distinction between the last two categories doesn't have to be
clear, we can't and shouldn't plan that far ahead.)

Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-10-20 14:26:57 +01:00
Janos Follath
19192a5158 Clarify reentrancy requirements for drivers
Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-10-20 13:16:48 +01:00
Janos Follath
d7a39ae21e Add plan for 3.6 to threading design
Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-10-17 14:34:26 +01:00
Janos Follath
574100bb0d Add clarifications to thread safety design
Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-10-17 12:50:28 +01:00
Janos Follath
811a954383 Add reentrancy section to thread safety design
Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-10-17 12:50:21 +01:00
Janos Follath
28b4da954b Add PSA threading design
Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-10-10 15:15:55 +01:00
Janos Follath
b4527fbd82 Add clarifications to the threading requirements
Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-08-31 14:01:24 +01:00
Janos Follath
b6954730f0
Fix typo
Co-authored-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-08-31 13:54:21 +01:00
Janos Follath
35633dd977 Add threading non-requirement
State explicitly the non-requirement that it's ok for psa_destroy_key to
block waiting for a driver.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-08-31 08:31:19 +01:00
Janos Follath
15d9ec29be Improve thread safety presentation
- Use unique section titles so that there are unique anchors
- Make list style consistent between similar sections

Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-08-31 08:22:21 +01:00
Janos Follath
0385c2815c Tighten thread safety requirements
We shouldn't violate the requirement that the key identifier can be
reused. In practice, a key manager may destroy a key that's in use by
another process, and the privileged world containing the key manager and
the crypto service should not be perturbed by an unprivileged process.

With respect to blocking, again, a key manager should not be blocked
indefinitely by an unprivileged application.

These are desirable properties even in the short term.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-08-30 16:44:04 +01:00
Janos Follath
7ec993d804 Refine thread safety requirements
Split and refine short term requirements for key deletion.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-08-23 16:04:48 +01:00
Gilles Peskine
9aa93c8e78 Added a note about new primitives for secure destruction
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-08-07 16:32:09 +02:00
Gilles Peskine
584bf985f5 Elaborate on psa_destroy_key requirements
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-08-07 16:29:19 +02:00
Gilles Peskine
d3a797710a psa_is_key_slot_occupied: change to using the key identifier
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-08-02 18:36:06 +02:00
Gilles Peskine
41618da50e Clarify backward compatibility requirement
There are two somewhat distinct aspects here: if it compiled, it still
compiles; and if it worked functionally, it still works. They're related in
that if application code currently compiles but cannot possibly work, we
could reasonably make it not compile anymore.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-16 22:32:12 +01:00
Gilles Peskine
41d0334b4c Write up requirements
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-15 16:06:09 +01:00
Andrzej Kurek
eec6b2c6b4 Updated slot->attr and slot->key access
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-15 16:06:03 +01:00
Gilles Peskine
a42a8de120 PSA thread safety analysis
Looks like a mutex isn't enough?

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 12:18:41 +01:00