Define some structure for lifetime values #358
Conversation
* Lower 8 bits: persistence level
* 0: volatile
* 1: persistent (default)
* 2-127: persistent (reserved for future PSA specifications)
* 128-254: persistent (reserved for vendors)
* 255: read-only
* Upper 24 bits: location indicator
* 0: built-in
* 1: primary secure element
* 2-0x7fffff: reserved for future PSA specifications
* 0x800000-0xffffff: vendor-specific
gilles-peskine-arm
added
enhancement
yanesca
left a comment
yanesca
left a comment
There was a problem hiding this comment.
I have a couple of suggestions for improvement and a question.
| #define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t)0x00000001) | ||
|
|
||
| #define PSA_KEY_LIFETIME_PERSISTENCE_VOLATILE ((psa_key_lifetime_persistence_t)0x00) | ||
| #define PSA_KEY_LIFETIME_PERSISTENCE_PRIMARY ((psa_key_lifetime_persistence_t)0x01) |
There was a problem hiding this comment.
We have a location with the same value that we describe as the "primary secure element". This made me confused at first about the purpose of this constant.
| #define PSA_KEY_LIFETIME_PERSISTENCE_PRIMARY ((psa_key_lifetime_persistence_t)0x01) | |
| #define PSA_KEY_LIFETIME_PERSISTENCE_PERSISTENT ((psa_key_lifetime_persistence_t)0x01) |
There was a problem hiding this comment.
Yeah, I don't like PERSISTENCE_PRIMARY either. But PERSISTENCE_PERSISTENT is weird and misleading: other PERSISTENT_xxx values are also persistent. And I don't like PERSISTENCE_DEFAULT either (for example, when you create a key, the persistence defaults to VOLATILE, not to DEFAULT). Does anyone have a better suggestion?
There was a problem hiding this comment.
Well it might be a little bit overkill, but how about PSA_KEY_LIFETIME_PERSISTENCE_PERSISTENT_DEFAULT?
There was a problem hiding this comment.
Another candidate perhaps: PSA_KEY_LIFETIME_PERSISTENCE_STANDARD?
There was a problem hiding this comment.
I don't like “standard”: which standard? I went with “default”.
| * the application instance terminates. In particular, a volatile key | ||
| * is automatically on a power reset of the device. | ||
| * | ||
| * A key that is not volatile is persistent. Persistent keys are |
There was a problem hiding this comment.
This means that there can't be a lifetime for keys that survives the termination of the application but not a power reset. I can hardly imagine a use case where that would be needed, I just would like to confirm that this is what we want?
There was a problem hiding this comment.
Seem sensible changes.
I am still thinking about "volatile" keys that last beyond the life of the calling partition.
There was a problem hiding this comment.
A lifetime that survives the instance of the calling application but not a power reset could exist, but:
- This is an imprecise definition. If the application is running in a virtual machine, is the scope of the power reset the VM or its physical host?
- How does another instance of the application refer to the same key? It would need to use a key identifier, so this would be more like a persistent key from the application's perspective.
- Yes, it's possible. I've worked with a system that basically had this third intermediate scope (volatile-to-application-instance, volatile-to-device, persistent). But AFAIK this intermediate scope was never used outside of the test suite. So I'm with “can hardly imagine a use case”.
- If an implementation really wants this feature, it can provide it through the vendor range for persistence levels.
There was a problem hiding this comment.
Yes that covers what I meant by "thinking".
In general PSA has been writtien for M-class with a fixed set of secure partitions all of which active - so there really is no concept of application life time except reboot.
However, when we extend to Cortex A we will need to deal with other life times - but I believe that can be left to the next release.
yanesca
added
needs: work
| * interfaces operate on lifetimes (type ::psa_key_lifetime_t) which | ||
| * encode the persistence as the lower 8 bits of a 32-bit value. | ||
| */ | ||
| typedef uint8_t psa_key_lifetime_persistence_t; |
There was a problem hiding this comment.
Is the lifetime scoping in this identifier name required?
At present psa_key_persistence_t (and likewise for psa_key_location_t) would be clear and unambiguous - the only downside is that the name does not provide any hints that this is part of a psa_key_lifetime_t value.
There was a problem hiding this comment.
I prefer to make the connection with lifetimes explicit.
There was a problem hiding this comment.
On second thoughts I shortened the names.
| * implementation-specific means such as a factory ROM engraving process. | ||
| * Note that keys that are read-only due to policy restrictions | ||
| * rather than due to physical limitations should not have this | ||
| * persistence levels. |
There was a problem hiding this comment.
Perhap just for internal clarity, if not for the public documentation: is this lifetime appropriate for keys that have the same lifetime as the device identifier? - Some devices might be designed to support a factory process that erases the device reprograms it as a new device identity with new "read-only" keys.
There was a problem hiding this comment.
If the device identifier is set in stone, that's the corresponding lifetime. If the device identifier is rewritten on a factory reset, this corresponds to a different lifetime (which may be 1 or something else depending on what levels of “factory reset” exist).
include/psa/crypto_values.h
Outdated
| (PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) == \ | ||
| PSA_KEY_LIFETIME_PERSISTENCE_VOLATILE) | ||
|
|
||
| #define PSA_KEY_LOCATION_BUILT_IN ((psa_key_lifetime_location_t)0x000000) |
There was a problem hiding this comment.
Do we also want a PSA defined symbol for the specification allocated location 0x000001? Maybe PSA_KEY_LOCATION_SECURE_ELEMENT?
There was a problem hiding this comment.
So far I consider this an implementation-specific definition, but I don't have a strong opinion about it.
There was a problem hiding this comment.
So, unlike other imp-specific parts of the API, this one has a specified value, but not a specified symbol? A bit unusual in the documentation, but we don't provide handy spec-defined symbols for all of the [vendor] ranges in other value types either.
It's a bit like persistence == 1, which we can't find an ideal name for either, but really have to name because it is effectively used by PSA_KEY_LIFETIME_PERSISTENT.
include/psa/crypto_values.h
Outdated
| (PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) == \ | ||
| PSA_KEY_LIFETIME_PERSISTENCE_VOLATILE) | ||
|
|
||
| #define PSA_KEY_LOCATION_BUILT_IN ((psa_key_lifetime_location_t)0x000000) |
There was a problem hiding this comment.
These definitions do not have LIFETIME scoping term in the identifier. This should be added for consistency, or the lifetime/LIFETIME scope term should be removed from all of them (as described above).
include/psa/crypto_values.h
Outdated
| PSA_KEY_LIFETIME_PERSISTENCE_VOLATILE) | ||
|
|
||
| #define PSA_KEY_LOCATION_BUILT_IN ((psa_key_lifetime_location_t)0x000000) | ||
| #define PSA_KEY_LOCATION_VENDOR_FLAG ((psa_key_lifetime_location_t)0x800000) |
There was a problem hiding this comment.
The other ranged values no longer have VENDOR_FLAG defintions - this will not appear in the PSA specification.
There was a problem hiding this comment.
Right. Like the other helper macros, these macros have no Doxygen, so they aren't intended to be included in the PSA specification.
gilles-peskine-arm
added
needs: review
|
Since Mbed Crypto is no longer updated, I've rebased this pull request on top of Mbed TLS. To be continued at Mbed-TLS/mbedtls#3302 |
4 participants
After some internal discussion (private link), here's a proposal for how to assign lifetimes.
This proposal is backward-compatible with the current values for volatile keys (0) and persistent keys (1). Platforms with a secure element (i.e. a cryptoprocessor that can process keys which are not accessible to the PSA crypto core) should use the lifetime 0x1ff (whether the key material is stored inside the secure element, or in generic PSA storage in a form wrapped by the secure element).
This pull request defines the lifetime structure, but does not yet implement any new feature. A future pull request will adapt the (currently experimental) secure element support code accordingly.
We intend to include the types and values defined in this pull request with the same semantics in an upcoming release of the PSA Cryptography API specification.
@athoelke @MarcusJGStreets