Merge pull request #3501 from stevew817/feature/transparent_drivers_t…
…rial

Add partial implementation of accelerator API defined in #3493
gilles-peskine-arm authored Sep 7, 2020
2 parents 853f9bd + 0d7c64d commit 1ffec8f
Showing 25 changed files with 1,336 additions and 69 deletions.
2 changes: 1 addition & 1 deletion CMakeLists.txt
@@ -261,7 +261,7 @@ add_subdirectory(library)
# to define the test executables.
#
if(ENABLE_TESTING OR ENABLE_PROGRAMS)
file(GLOB MBEDTLS_TEST_FILES ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/*.c)
file(GLOB MBEDTLS_TEST_FILES ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/*.c ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/drivers/*.c)
add_library(mbedtls_test OBJECT ${MBEDTLS_TEST_FILES})
target_include_directories(mbedtls_test
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tests/include
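--- a/ChangeLog.d/add_sign_verify_keygen_transparent_driver.txt
+++ b/ChangeLog.d/add_sign_verify_keygen_transparent_driver.txt
@@ -0,0 +1,4 @@
+Features
+* Partial implementation of the new PSA Crypto accelerator APIs for
+enabling key generation and asymmetric signing/verification through crypto
+accelerators. Contributed by Steven Cooreman in #3501.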
11 changes: 11 additions & 0 deletions include/mbedtls/config.h
@@ -1329,6 +1329,17 @@
*/
#define MBEDTLS_PKCS1_V21

/** \def MBEDTLS_PSA_CRYPTO_DRIVERS
*
* Enable support for the experimental PSA crypto driver interface.
*
* Requires: MBEDTLS_PSA_CRYPTO_C.
*
* \warning This interface is experimental and may change or be removed
* without notice.
*/
//#define MBEDTLS_PSA_CRYPTO_DRIVERS

/**
* \def MBEDTLS_PSA_CRYPTO_SPM
*
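Review bot: The documentation added for MBEDTLS_PSA_CRYPTO_DRIVERS does not say what enabling the option changes at run time. In the psa_crypto.c part of this commit, psa_sign_hash, psa_verify_hash and psa_generate_key call the driver wrappers first and continue into the built-in software code when the wrapper returns PSA_ERROR_NOT_SUPPORTED for a key whose lifetime is not external. An integrator who enables drivers to get hardware protections should be told that this fallback exists, for example with `* Operations that no driver supports fall back to the built-in software implementation.` Whether `Requires: MBEDTLS_PSA_CRYPTO_C` is enforced by a compile-time check is not visible in this section.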
1 change: 1 addition & 0 deletions library/CMakeLists.txt
@@ -61,6 +61,7 @@ set(src_crypto
platform_util.c
poly1305.c
psa_crypto.c
psa_crypto_driver_wrappers.c
psa_crypto_se.c
psa_crypto_slot_management.c
psa_crypto_storage.c
1 change: 1 addition & 0 deletions library/Makefile
@@ -118,6 +118,7 @@ OBJS_CRYPTO= \
platform_util.o \
poly1305.o \
psa_crypto.o \
psa_crypto_driver_wrappers.o \
psa_crypto_se.o \
psa_crypto_slot_management.o \
psa_crypto_storage.o \
99 changes: 35 additions & 64 deletions library/psa_crypto.c
@@ -27,6 +27,7 @@

#include "psa_crypto_core.h"
#include "psa_crypto_invasive.h"
#include "psa_crypto_driver_wrappers.h"
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
#include "psa_crypto_se.h"
#endif
@@ -124,7 +125,7 @@ static psa_global_data_t global_data;
if( global_data.initialized == 0 ) \
return( PSA_ERROR_BAD_STATE );

static psa_status_t mbedtls_to_psa_error( int ret )
psa_status_t mbedtls_to_psa_error( int ret )
{
/* If there's both a high-level code and low-level code, dispatch on
* the high-level code. */
@@ -3637,10 +3638,6 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle,
{
psa_key_slot_t *slot;
psa_status_t status;
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
const psa_drv_se_t *drv;
psa_drv_se_context_t *drv_context;
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */

*signature_length = signature_size;
/* Immediately reject a zero-length signature buffer. This guarantees
@@ -3659,24 +3656,19 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle,
goto exit;
}

#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
{
if( drv->asymmetric == NULL ||
drv->asymmetric->p_sign == NULL )
{
status = PSA_ERROR_NOT_SUPPORTED;
goto exit;
}
status = drv->asymmetric->p_sign( drv_context,
slot->data.se.slot_number,
alg,
hash, hash_length,
signature, signature_size,
signature_length );
}
else
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
/* Try any of the available accelerators first */
status = psa_driver_wrapper_sign_hash( slot,
alg,
hash,
hash_length,
signature,
signature_size,
signature_length );
if( status != PSA_ERROR_NOT_SUPPORTED ||
psa_key_lifetime_is_external( slot->attr.lifetime ) )
goto exit;

/* If the operation was not supported by any accelerator, try fallback. */
#if defined(MBEDTLS_RSA_C)
if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR )
{
@@ -3763,29 +3755,22 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle,
{
psa_key_slot_t *slot;
psa_status_t status;
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
const psa_drv_se_t *drv;
psa_drv_se_context_t *drv_context;
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */

status = psa_get_key_from_slot( handle, &slot, PSA_KEY_USAGE_VERIFY_HASH, alg );
if( status != PSA_SUCCESS )
return( status );

#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
{
if( drv->asymmetric == NULL ||
drv->asymmetric->p_verify == NULL )
return( PSA_ERROR_NOT_SUPPORTED );
return( drv->asymmetric->p_verify( drv_context,
slot->data.se.slot_number,
alg,
hash, hash_length,
signature, signature_length ) );
}
else
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
/* Try any of the available accelerators first */
status = psa_driver_wrapper_verify_hash( slot,
alg,
hash,
hash_length,
signature,
signature_length );
if( status != PSA_ERROR_NOT_SUPPORTED ||
psa_key_lifetime_is_external( slot->attr.lifetime ) )
return status;

#if defined(MBEDTLS_RSA_C)
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
{
@@ -6004,29 +5989,15 @@ psa_status_t psa_generate_key( const psa_key_attributes_t *attributes,
if( status != PSA_SUCCESS )
goto exit;

#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( driver != NULL )
{
const psa_drv_se_t *drv = psa_get_se_driver_methods( driver );
size_t pubkey_length = 0; /* We don't support this feature yet */
if( drv->key_management == NULL ||
drv->key_management->p_generate == NULL )
{
status = PSA_ERROR_NOT_SUPPORTED;
goto exit;
}
status = drv->key_management->p_generate(
psa_get_se_driver_context( driver ),
slot->data.se.slot_number, attributes,
NULL, 0, &pubkey_length );
}
else
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
{
status = psa_generate_key_internal(
slot, attributes->core.bits,
attributes->domain_parameters, attributes->domain_parameters_size );
}
status = psa_driver_wrapper_generate_key( attributes,
slot );
if( status != PSA_ERROR_NOT_SUPPORTED ||
psa_key_lifetime_is_external( attributes->core.lifetime ) )
goto exit;

status = psa_generate_key_internal(
slot, attributes->core.bits,
attributes->domain_parameters, attributes->domain_parameters_size );

exit:
if( status == PSA_SUCCESS )
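Review bot: In psa_sign_hash, psa_verify_hash and psa_generate_key, the `psa_key_lifetime_is_external( ... )` half of the new guard is the only thing that keeps an opaque key out of the software fallback, and no comment says so. The removed secure-element path addressed such keys through `slot->data.se.slot_number`, which suggests the slot holds no key material for them, so the RSA/ECC fallback would misread the slot if the guard were later simplified or reordered. I would add above each guard `/* Keys with an external lifetime are opaque: never fall through to the software implementation, whatever the driver returned. */`. psa_generate_key tests `attributes->core.lifetime` while the other two test `slot->attr.lifetime`; presumably these agree after key-creation setup outside the hunk, but using the slot's value in all three would make that evident. The bodies of all three functions start and end outside the visible hunks, and `return status;` in psa_verify_hash departs from the `return( status );` form used a few lines above it.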
12 changes: 12 additions & 0 deletions library/psa_crypto_core.h
@@ -161,4 +161,16 @@ psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
const uint8_t *data,
size_t data_length );


/** Convert an mbed TLS error code to a PSA error code
*
* \note This function is provided solely for the convenience of
* Mbed TLS and may be removed at any time without notice.
*
* \param ret An mbed TLS-thrown error code
*
* \return The corresponding PSA error code
*/
psa_status_t mbedtls_to_psa_error( int ret );

#endif /* PSA_CRYPTO_CORE_H */
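Review bot: The new doc comment for `mbedtls_to_psa_error` leaves the input contract open: it does not say whether 0 is accepted or what is returned for a code that has no PSA equivalent, and now that the function has external linkage other translation units will depend on that answer. The phrase "An mbed TLS-thrown error code" is also misleading in C. I would write `\param ret  0 or a negative MBEDTLS_ERR_xxx value returned by an Mbed TLS function` and name the catch-all result in `\return` once it is confirmed against the function body, which lies outside the hunks shown on this page.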