From d943e67b70bb52329388dd521428171fa6a322ff Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Mon, 30 Dec 2024 16:35:49 +0100 Subject: [PATCH] nrf_security: Refactor get_opaque_size function This refactors the function cracen_get_opaque_size so that it returns psa_status_t and not a size_t value. With ths previous implementation it was not possible to distinguish between a key with invalid arguments or a key which is revoked. Revocation support will be added soon and this separation is needed. Signed-off-by: Georgios Vasilakis --- .../cracen/cracenpsa/include/cracen_psa.h | 2 +- .../src/drivers/cracen/cracenpsa/src/common.c | 24 ++++++++------ .../cracen/cracenpsa/src/key_management.c | 32 +++++++++++++++---- .../src/drivers/cracen/cracenpsa/src/kmu.c | 11 +++++-- .../src/platform_keys/platform_keys.c | 14 ++++---- .../src/platform_keys/platform_keys.h | 3 +- .../src/psa_crypto_driver_wrappers.c | 6 ++-- 7 files changed, 60 insertions(+), 32 deletions(-) diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa.h b/subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa.h index 1719f9e675d8..a5389c878853 100644 --- a/subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa.h +++ b/subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa.h @@ -247,7 +247,7 @@ psa_status_t cracen_copy_key(psa_key_attributes_t *attributes, const uint8_t *so psa_status_t cracen_destroy_key(const psa_key_attributes_t *attributes); -size_t cracen_get_opaque_size(const psa_key_attributes_t *attributes); +psa_status_t cracen_get_opaque_size(const psa_key_attributes_t *attributes, size_t *key_size); psa_status_t cracen_jpake_setup(cracen_jpake_operation_t *operation, const psa_key_attributes_t *attributes, const uint8_t *password, diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.c index 80a18f7d02db..181b1a203579 100644 --- a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.c +++ b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.c @@ -806,7 +806,7 @@ psa_status_t cracen_load_keyref(const psa_key_attributes_t *attributes, const ui return PSA_SUCCESS; } -size_t cracen_get_opaque_size(const psa_key_attributes_t *attributes) +psa_status_t cracen_get_opaque_size(const psa_key_attributes_t *attributes, size_t *key_size) { if (PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes)) == PSA_KEY_LOCATION_CRACEN) { @@ -814,18 +814,20 @@ size_t cracen_get_opaque_size(const psa_key_attributes_t *attributes) case CRACEN_BUILTIN_IDENTITY_KEY_ID: if (psa_get_key_type(attributes) == PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)) { - return sizeof(ikg_opaque_key); + *key_size = sizeof(ikg_opaque_key); + return PSA_SUCCESS; } break; case CRACEN_BUILTIN_MEXT_ID: case CRACEN_BUILTIN_MKEK_ID: if (psa_get_key_type(attributes) == PSA_KEY_TYPE_AES) { - return sizeof(ikg_opaque_key); + *key_size = sizeof(ikg_opaque_key); + return PSA_SUCCESS; } break; #ifdef CONFIG_PSA_NEED_CRACEN_PLATFORM_KEYS default: - return cracen_platform_keys_get_size(attributes); + return cracen_platform_keys_get_size(attributes, key_size); #endif } } @@ -835,15 +837,19 @@ size_t cracen_get_opaque_size(const psa_key_attributes_t *attributes) if (PSA_KEY_TYPE_IS_ECC(psa_get_key_type(attributes))) { if (psa_get_key_type(attributes) == PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1)) { - return PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( + *key_size = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE( psa_get_key_type(attributes), psa_get_key_bits(attributes)); + } else { + *key_size = PSA_BITS_TO_BYTES(psa_get_key_bits(attributes)); } - return PSA_BITS_TO_BYTES(psa_get_key_bits(attributes)); } else if (psa_get_key_type(attributes) == PSA_KEY_TYPE_HMAC) { - return PSA_BITS_TO_BYTES(psa_get_key_bits(attributes)); + *key_size = PSA_BITS_TO_BYTES(psa_get_key_bits(attributes)); } else { - return sizeof(kmu_opaque_key_buffer); + *key_size = sizeof(kmu_opaque_key_buffer); } + + return PSA_SUCCESS; } - return 0; + + return PSA_ERROR_INVALID_ARGUMENT; } diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c index 90d41501a02b..d52287b80077 100644 --- a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c +++ b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c @@ -880,12 +880,18 @@ psa_status_t cracen_import_key(const psa_key_attributes_t *attributes, const uin MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(attributes))); psa_key_attributes_t stored_attributes; - if (key_buffer_size < cracen_get_opaque_size(attributes)) { - return PSA_ERROR_BUFFER_TOO_SMALL; + size_t opaque_key_size; + psa_status_t status = cracen_get_opaque_size(attributes, &opaque_key_size); + + if (status != PSA_SUCCESS) { + return status; } - psa_status_t status = cracen_kmu_provision(attributes, slot_id, data, data_length); + if (key_buffer_size < opaque_key_size) { + return PSA_ERROR_BUFFER_TOO_SMALL; + } + status = cracen_kmu_provision(attributes, slot_id, data, data_length); if (status != PSA_SUCCESS) { return status; } @@ -1182,6 +1188,9 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number, psa_key_attributes_t *attributes, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) { + size_t opaque_key_size; + psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; + /* According to the PSA Crypto Driver specification, the PSA core will set the `id` * and the `lifetime` field of the attribute struct. We will fill all the other * attributes, and update the `lifetime` field to be more specific. @@ -1199,12 +1208,17 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number, PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE); + status = cracen_get_opaque_size(attributes, &opaque_key_size); + if (status != PSA_SUCCESS) { + return status; + } + /* According to the PSA Crypto Driver interface proposed document the driver * should fill the attributes even if the buffer of the key is too small. So * we check the buffer here and not earlier in the function. */ - if (key_buffer_size >= cracen_get_opaque_size(attributes)) { - *key_buffer_length = cracen_get_opaque_size(attributes); + if (key_buffer_size >= opaque_key_size) { + *key_buffer_length = opaque_key_size; *((ikg_opaque_key *)key_buffer) = (ikg_opaque_key){.slot_number = slot_number, .owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( @@ -1226,11 +1240,15 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number, psa_set_key_usage_flags(attributes, PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_VERIFY_DERIVATION); + status = cracen_get_opaque_size(attributes, &opaque_key_size); + if (status != PSA_SUCCESS) { + return status; + } /* See comment about the placement of this check in the previous switch * case. */ - if (key_buffer_size >= cracen_get_opaque_size(attributes)) { - *key_buffer_length = cracen_get_opaque_size(attributes); + if (key_buffer_size >= opaque_key_size) { + *key_buffer_length = opaque_key_size; *((ikg_opaque_key *)key_buffer) = (ikg_opaque_key){.slot_number = slot_number, .owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c index bb6800c30f88..d6545ef17f4d 100644 --- a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c +++ b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c @@ -901,6 +901,7 @@ psa_status_t cracen_kmu_get_builtin_key(psa_drv_slot_number_t slot_number, { kmu_metadata metadata; psa_status_t status = read_primary_slot_metadata(slot_number, &metadata); + size_t opaque_key_size; if (status != PSA_SUCCESS) { return status; @@ -921,8 +922,14 @@ psa_status_t cracen_kmu_get_builtin_key(psa_drv_slot_number_t slot_number, return status; } - if (key_buffer_size >= cracen_get_opaque_size(attributes)) { - *key_buffer_length = cracen_get_opaque_size(attributes); + + status = cracen_get_opaque_size(attributes, &opaque_key_size); + if (status != PSA_SUCCESS) { + return status; + } + + if (key_buffer_size >= opaque_key_size) { + *key_buffer_length = opaque_key_size; kmu_opaque_key_buffer *key = (kmu_opaque_key_buffer *)key_buffer; key->key_usage_scheme = metadata.key_usage_scheme; diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.c index dd3311818810..9d842a2c9d6b 100644 --- a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.c +++ b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.c @@ -520,26 +520,24 @@ psa_status_t cracen_platform_get_builtin_key(psa_drv_slot_number_t slot_number, return PSA_ERROR_CORRUPTION_DETECTED; } -size_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes) +psa_status_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes, size_t *key_size) { platform_key key; key_type type = find_key(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(attributes)), &key); psa_key_type_t key_type = psa_get_key_type(attributes); - if (type == INVALID) { - return 0; - } - if (type == IKG) { - return sizeof(ikg_opaque_key); + *key_size = sizeof(ikg_opaque_key); + return PSA_SUCCESS; } if (key_type == PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS) || key_type == PSA_KEY_TYPE_AES) { - return PSA_BITS_TO_BYTES(psa_get_key_bits(attributes)); + *key_size = PSA_BITS_TO_BYTES(psa_get_key_bits(attributes)); + return PSA_SUCCESS; } - return 0; + return PSA_ERROR_INVALID_ARGUMENT; } psa_status_t cracen_platform_get_key_slot(mbedtls_svc_key_id_t key_id, psa_key_lifetime_t *lifetime, diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.h b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.h index ea2a31bbfff6..7b236f791c67 100644 --- a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.h +++ b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.h @@ -13,7 +13,8 @@ psa_status_t cracen_platform_get_builtin_key(psa_drv_slot_number_t slot_number, psa_key_attributes_t *attributes, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length); -size_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes); +psa_status_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes, + size_t *key_size); psa_status_t cracen_platform_get_key_slot(mbedtls_svc_key_id_t key_id, psa_key_lifetime_t *lifetime, psa_drv_slot_number_t *slot_number); diff --git a/subsys/nrf_security/src/psa_crypto_driver_wrappers.c b/subsys/nrf_security/src/psa_crypto_driver_wrappers.c index 7edd9f1d9434..9b075837cadd 100644 --- a/subsys/nrf_security/src/psa_crypto_driver_wrappers.c +++ b/subsys/nrf_security/src/psa_crypto_driver_wrappers.c @@ -463,8 +463,7 @@ psa_driver_wrapper_get_key_buffer_size_from_key_data(const psa_key_attributes_t #if defined(PSA_NEED_CRACEN_KMU_DRIVER) case PSA_KEY_LOCATION_CRACEN_KMU: #endif - *key_buffer_size = cracen_get_opaque_size(attributes); - return *key_buffer_size != 0 ? PSA_SUCCESS : PSA_ERROR_INVALID_ARGUMENT; + return cracen_get_opaque_size(attributes, key_buffer_size); #endif default: (void)key_type; @@ -503,8 +502,7 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size(const psa_key_attributes_t * #if defined(PSA_NEED_CRACEN_KMU_DRIVER) case PSA_KEY_LOCATION_CRACEN_KMU: #endif - *key_buffer_size = cracen_get_opaque_size(attributes); - return *key_buffer_size != 0 ? PSA_SUCCESS : PSA_ERROR_NOT_SUPPORTED; + return cracen_get_opaque_size(attributes, key_buffer_size); #endif #if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: