Skip to content

Commit

Permalink
nrf_security: Refactor get_opaque_size function
Browse files Browse the repository at this point in the history
This refactors the function cracen_get_opaque_size so that it
returns psa_status_t and not a size_t value. With ths previous
implementation it was not possible to distinguish between
a key with invalid arguments or a key which is revoked.
Revocation support will be added soon and this separation is
needed.

Signed-off-by: Georgios Vasilakis <[email protected]>
  • Loading branch information
Vge0rge committed Jan 16, 2025
1 parent 01afac7 commit d943e67
Show file tree
Hide file tree
Showing 7 changed files with 60 additions and 32 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -247,7 +247,7 @@ psa_status_t cracen_copy_key(psa_key_attributes_t *attributes, const uint8_t *so

psa_status_t cracen_destroy_key(const psa_key_attributes_t *attributes);

size_t cracen_get_opaque_size(const psa_key_attributes_t *attributes);
psa_status_t cracen_get_opaque_size(const psa_key_attributes_t *attributes, size_t *key_size);

psa_status_t cracen_jpake_setup(cracen_jpake_operation_t *operation,
const psa_key_attributes_t *attributes, const uint8_t *password,
Expand Down
24 changes: 15 additions & 9 deletions subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.c
Original file line number Diff line number Diff line change
Expand Up @@ -806,26 +806,28 @@ psa_status_t cracen_load_keyref(const psa_key_attributes_t *attributes, const ui
return PSA_SUCCESS;
}

size_t cracen_get_opaque_size(const psa_key_attributes_t *attributes)
psa_status_t cracen_get_opaque_size(const psa_key_attributes_t *attributes, size_t *key_size)
{
if (PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes)) ==
PSA_KEY_LOCATION_CRACEN) {
switch (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(attributes))) {
case CRACEN_BUILTIN_IDENTITY_KEY_ID:
if (psa_get_key_type(attributes) ==
PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)) {
return sizeof(ikg_opaque_key);
*key_size = sizeof(ikg_opaque_key);
return PSA_SUCCESS;
}
break;
case CRACEN_BUILTIN_MEXT_ID:
case CRACEN_BUILTIN_MKEK_ID:
if (psa_get_key_type(attributes) == PSA_KEY_TYPE_AES) {
return sizeof(ikg_opaque_key);
*key_size = sizeof(ikg_opaque_key);
return PSA_SUCCESS;
}
break;
#ifdef CONFIG_PSA_NEED_CRACEN_PLATFORM_KEYS
default:
return cracen_platform_keys_get_size(attributes);
return cracen_platform_keys_get_size(attributes, key_size);
#endif
}
}
Expand All @@ -835,15 +837,19 @@ size_t cracen_get_opaque_size(const psa_key_attributes_t *attributes)
if (PSA_KEY_TYPE_IS_ECC(psa_get_key_type(attributes))) {
if (psa_get_key_type(attributes) ==
PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1)) {
return PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(
*key_size = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(
psa_get_key_type(attributes), psa_get_key_bits(attributes));
} else {
*key_size = PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
}
return PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
} else if (psa_get_key_type(attributes) == PSA_KEY_TYPE_HMAC) {
return PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
*key_size = PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
} else {
return sizeof(kmu_opaque_key_buffer);
*key_size = sizeof(kmu_opaque_key_buffer);
}

return PSA_SUCCESS;
}
return 0;

return PSA_ERROR_INVALID_ARGUMENT;
}
Original file line number Diff line number Diff line change
Expand Up @@ -880,12 +880,18 @@ psa_status_t cracen_import_key(const psa_key_attributes_t *attributes, const uin
MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(attributes)));
psa_key_attributes_t stored_attributes;

if (key_buffer_size < cracen_get_opaque_size(attributes)) {
return PSA_ERROR_BUFFER_TOO_SMALL;
size_t opaque_key_size;
psa_status_t status = cracen_get_opaque_size(attributes, &opaque_key_size);

if (status != PSA_SUCCESS) {
return status;
}

psa_status_t status = cracen_kmu_provision(attributes, slot_id, data, data_length);
if (key_buffer_size < opaque_key_size) {
return PSA_ERROR_BUFFER_TOO_SMALL;
}

status = cracen_kmu_provision(attributes, slot_id, data, data_length);
if (status != PSA_SUCCESS) {
return status;
}
Expand Down Expand Up @@ -1182,6 +1188,9 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number,
psa_key_attributes_t *attributes, uint8_t *key_buffer,
size_t key_buffer_size, size_t *key_buffer_length)
{
size_t opaque_key_size;
psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;

/* According to the PSA Crypto Driver specification, the PSA core will set the `id`
* and the `lifetime` field of the attribute struct. We will fill all the other
* attributes, and update the `lifetime` field to be more specific.
Expand All @@ -1199,12 +1208,17 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number,
PSA_KEY_USAGE_VERIFY_HASH |
PSA_KEY_USAGE_VERIFY_MESSAGE);

status = cracen_get_opaque_size(attributes, &opaque_key_size);
if (status != PSA_SUCCESS) {
return status;
}

/* According to the PSA Crypto Driver interface proposed document the driver
* should fill the attributes even if the buffer of the key is too small. So
* we check the buffer here and not earlier in the function.
*/
if (key_buffer_size >= cracen_get_opaque_size(attributes)) {
*key_buffer_length = cracen_get_opaque_size(attributes);
if (key_buffer_size >= opaque_key_size) {
*key_buffer_length = opaque_key_size;
*((ikg_opaque_key *)key_buffer) =
(ikg_opaque_key){.slot_number = slot_number,
.owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(
Expand All @@ -1226,11 +1240,15 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number,
psa_set_key_usage_flags(attributes,
PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_VERIFY_DERIVATION);

status = cracen_get_opaque_size(attributes, &opaque_key_size);
if (status != PSA_SUCCESS) {
return status;
}
/* See comment about the placement of this check in the previous switch
* case.
*/
if (key_buffer_size >= cracen_get_opaque_size(attributes)) {
*key_buffer_length = cracen_get_opaque_size(attributes);
if (key_buffer_size >= opaque_key_size) {
*key_buffer_length = opaque_key_size;
*((ikg_opaque_key *)key_buffer) =
(ikg_opaque_key){.slot_number = slot_number,
.owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(
Expand Down
11 changes: 9 additions & 2 deletions subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c
Original file line number Diff line number Diff line change
Expand Up @@ -901,6 +901,7 @@ psa_status_t cracen_kmu_get_builtin_key(psa_drv_slot_number_t slot_number,
{
kmu_metadata metadata;
psa_status_t status = read_primary_slot_metadata(slot_number, &metadata);
size_t opaque_key_size;

if (status != PSA_SUCCESS) {
return status;
Expand All @@ -921,8 +922,14 @@ psa_status_t cracen_kmu_get_builtin_key(psa_drv_slot_number_t slot_number,
return status;
}

if (key_buffer_size >= cracen_get_opaque_size(attributes)) {
*key_buffer_length = cracen_get_opaque_size(attributes);

status = cracen_get_opaque_size(attributes, &opaque_key_size);
if (status != PSA_SUCCESS) {
return status;
}

if (key_buffer_size >= opaque_key_size) {
*key_buffer_length = opaque_key_size;
kmu_opaque_key_buffer *key = (kmu_opaque_key_buffer *)key_buffer;

key->key_usage_scheme = metadata.key_usage_scheme;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -520,26 +520,24 @@ psa_status_t cracen_platform_get_builtin_key(psa_drv_slot_number_t slot_number,
return PSA_ERROR_CORRUPTION_DETECTED;
}

size_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes)
psa_status_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes, size_t *key_size)
{
platform_key key;
key_type type = find_key(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(attributes)), &key);
psa_key_type_t key_type = psa_get_key_type(attributes);

if (type == INVALID) {
return 0;
}

if (type == IKG) {
return sizeof(ikg_opaque_key);
*key_size = sizeof(ikg_opaque_key);
return PSA_SUCCESS;
}

if (key_type == PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS) ||
key_type == PSA_KEY_TYPE_AES) {
return PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
*key_size = PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
return PSA_SUCCESS;
}

return 0;
return PSA_ERROR_INVALID_ARGUMENT;
}

psa_status_t cracen_platform_get_key_slot(mbedtls_svc_key_id_t key_id, psa_key_lifetime_t *lifetime,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,8 @@ psa_status_t cracen_platform_get_builtin_key(psa_drv_slot_number_t slot_number,
psa_key_attributes_t *attributes, uint8_t *key_buffer,
size_t key_buffer_size, size_t *key_buffer_length);

size_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes);
psa_status_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes,
size_t *key_size);

psa_status_t cracen_platform_get_key_slot(mbedtls_svc_key_id_t key_id, psa_key_lifetime_t *lifetime,
psa_drv_slot_number_t *slot_number);
Expand Down
6 changes: 2 additions & 4 deletions subsys/nrf_security/src/psa_crypto_driver_wrappers.c
Original file line number Diff line number Diff line change
Expand Up @@ -463,8 +463,7 @@ psa_driver_wrapper_get_key_buffer_size_from_key_data(const psa_key_attributes_t
#if defined(PSA_NEED_CRACEN_KMU_DRIVER)
case PSA_KEY_LOCATION_CRACEN_KMU:
#endif
*key_buffer_size = cracen_get_opaque_size(attributes);
return *key_buffer_size != 0 ? PSA_SUCCESS : PSA_ERROR_INVALID_ARGUMENT;
return cracen_get_opaque_size(attributes, key_buffer_size);
#endif
default:
(void)key_type;
Expand Down Expand Up @@ -503,8 +502,7 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size(const psa_key_attributes_t *
#if defined(PSA_NEED_CRACEN_KMU_DRIVER)
case PSA_KEY_LOCATION_CRACEN_KMU:
#endif
*key_buffer_size = cracen_get_opaque_size(attributes);
return *key_buffer_size != 0 ? PSA_SUCCESS : PSA_ERROR_NOT_SUPPORTED;
return cracen_get_opaque_size(attributes, key_buffer_size);
#endif
#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
Expand Down

0 comments on commit d943e67

Please sign in to comment.