Add reference counter for platform context #7099
Conversation
1. Move the `mbedtls_platform_context` to be platform code, in `features/mbedtls/platfrom/`. 2. Add static refernce counter, to setup and teardown the platform code only once. 3. Adjust Cryptocell porting accordingly.
There was a problem hiding this comment.
Hi Ron,
Thanks for this submission that intend to solves #7069. Unfortunately reference
counting is not the right tool to solve the issue; not at the mbed tls level.
Reference counting implies that a single instance/context is shared across multiple
parts of the program. In our case, it is expected that application code using mbed
tls submit a different/specific context every time mbedtls_platform_setup is
called.
With the code as it is proposed, a context will never be initialized if their is at least
another context initialized. This can have dramatic consequences if crypto_platform_ctx
actually contains valuable informations like CRYS_RND_State_t: The code may setup one
instance and teardown one that hasn't been initialized.
I strongly believe that keeping track of initialization is an implementation detail
and this as no place in the platform code at mbed tls level.
There was a problem hiding this comment.
I think we need to consider the interface changes carefully before we make this change.
cc: @Patater
| { | ||
| int ret = 0; | ||
| if( ctx == NULL ) | ||
| return ( -1 ); |
There was a problem hiding this comment.
I don't think we should be returning -1, however, we have failed to define in Mbed TLS any error codes for function.
Maybe we should define error codes now locally in Mbed OS, and upstream them to Mbed TLS in time for the following release of Mbed OS? Possibly INVALID_INPUT for the case above, and HW_FAILURE in case of failure from the accelerator. What do you think?
There was a problem hiding this comment.
I agree, but as you said, there is currently no error codes available
There was a problem hiding this comment.
You could define some locally in Mbed OS, and also submit a PR to upstream the same codes.
As and when the version of Mbed TLS with the new codes becomes available, we can remove the local definitions.
We control both sides (upstream and downstream) so there's no risk of reusing the same values.
There was a problem hiding this comment.
I created Mbed-TLS/mbedtls#1993 to add the platform error code
| if( reference_count == 1 ) | ||
| { | ||
| /* call platform specific code to setup crypto driver*/ | ||
| ret = crypto_platform_setup( &ctx->platform_impl_ctx ); |
There was a problem hiding this comment.
This makes crypto_platform_setup() part of the API for crypto drivers. That will need documenting in the Mbed OS Porting Guide, and also as an interface change will need wider review.
Is there anyway of avoiding this interface change? I'm not sure there is, but we should consider alternatives if we can.
There was a problem hiding this comment.
I agree it needs documenting in the handbook.
As for interface change, it's basically only a change in the existing name of the function ( cc_platform_setup renamed to crypto+platform_setup, and a bit of who is responsible of implementing CC initialization has changed). Although it is an API change, I believe it is a minor one
Unfortunately, I don't see any other way to have initialization of the platform, in an opaque way, and make it portable to other APIs. ( we can have the whole mbedtls_platform_setup() functino implemented in driver code, but then we guideusers to implement the reference count , which is very common to all the drivers )
| if( ctx == NULL ) | ||
| return; | ||
|
|
||
| if( reference_count == 0 ) |
There was a problem hiding this comment.
I don't think you need two if statements, and it looks a bit odd.
Have you considered using a less than operator? eg.
reference_count--;
if( reference_count <= 0 )
{
crypto_platform_teardown();
}
There was a problem hiding this comment.
I agree it looks a bit odd, but what you are suggesting is prone to errors:
crypto_platform_teardown()might be called twice, ifreference_countis 0 or -1.- corner cases where we get the reference counter to -2, and then when some chooses to setup, it won't initialize the platform, because the counter will be increased to -1.
Perhaps assigning reference_count to 0 after calling crypto_platform_teardown()?
There was a problem hiding this comment.
I agree, it would be safer to reassign reference_count.
So...
reference_count--;
if( reference_count <= 0 )
{
crypto_platform_teardown();
reference_count = 0;
}
|
@pan- The idea in the mbedtls layer, is the platform itslef is shared across all the modules. Specifically for NRF53840, there shouldn't be a problem, as the driver is initialized once, and terminated once. The I agree there might be a need for additional tweaking, such as protecting the |
Thanks for the clarification. In that case wouldn't it make sense to remove |
|
Hi @pan- That's not really how we intended the platform context to be used. It's not well documented, mainly because no one has provided an implementation until now, but the context is supposed to be a one-per-platform singleton. The intention was you should initialise once. The implication of what you're suggesting is that the API we're providing isn't adequate, and you actually need a |
1. Add error codes for platform setup \ teardown. 2. Reassign `reference_count` to 0 after terminating platform, and remove condition for 0
|
@sbutcher-arm I addressed your comments |
|
Hi @sbutcher-arm I agree that if the context passed into Given that in the current design the platform context singleton lives outside mbed tls platform layer; library and system code API using mbed tls must be updated to accept the platform context singleton instantiated by the application. In some cases - like BLE - that would force us to expose implementation details that are target specific in our abstract interfaces. I wonder if it wouldn't be easier to encapsulate the platform context singleton into mbed tls platform layer and completely hide its existence and management from the API exposed to applications. In other words remove the context parameter in setup and teardown. What do you think ? PS: If the context is a singleton it may be better to add a reference counter field in the platform context structure rather than having another singleton in the global scope. |
|
@RonEld What is the status of this PR? Are there any outstanding issues to be resolved (the changes requested in the review for instance) ? |
|
@0xc0170 I have addressed all the issues. The current status is that there is an architectural decision on how the API should actually look. |
|
Since no progress has been made on this PR for over two weeks, and there's no sign of external conversations, I'm going to close this PR. Once updates are available, it can be opened. |
Make the platform context a global variable, adding the refernce counter to it.
|
@cmonr I have available update for this PR. Do you want me to create a new PR or should this one be opened? |
|
@RonEld You can commit it to this PR and it can be reopened. |
|
@pan- I have updated the context to be a global one, holding the reference counter within. You can now call the |
|
cc @sbutcher-arm @Patater |
1. Rename error codes to fit Mbed TLS error code names. 2. Remove the Invalid input error code, as it's not used anymore.
To my understanding, this PR is targeting 5.10 |
|
|
||
|
|
||
| int mbedtls_platform_setup( mbedtls_platform_context *ctx ) | ||
| int mbedtls_platform_setup( mbedtls_platform_context *obsolete_ctx ) |
There was a problem hiding this comment.
Why is the context called obsolete? I think that's misleading. It's simply unused.
There was a problem hiding this comment.
It's obsolete, because it's not used and ignored anymore. I can rename
There was a problem hiding this comment.
If it were obsolete it would no longer be used in any context - but that's not true. We're just choosing not to use it in Mbed OS. It could be used in other OS's and platforms.
I really think it's misleading still. Thanks for changing it.
|
|
||
|
|
||
| int mbedtls_platform_setup( mbedtls_platform_context *ctx ) | ||
| int mbedtls_platform_setup( mbedtls_platform_context *obsolete_ctx ) |
There was a problem hiding this comment.
Should we check obsolete_ctx is NULL?
There was a problem hiding this comment.
I don't think so, it is just being ignored. This way, it will be backwards compatible to applications \ modules using this function, that are still sending a content as parameter. Note the example applications weren't updated yet with NULL as parameter
|
|
||
| extern CRYS_RND_State_t rndState; | ||
| extern CRYS_RND_WorkBuff_t rndWorkBuff; | ||
| extern mbedtls_platform_context ctx; |
There was a problem hiding this comment.
Is this still needed?
There was a problem hiding this comment.
yes. Since there isn't any getter function for the context, we still need access to members of it. The RNG functions need the rndState, which is now member of the context
|
@sbutcher-arm Thank you for your comments. Please refer me to where I use the word "blocker" so i will rephrase. |
Rename `obsolete_ctx` to `unused_ctx` as it is simply unused.
|
@sbutcher-arm i renamed the parameter name to |
|
/morph build |
Build : FAILUREBuild number : 2986 |
IAR fails to build when a variable is initialized with empty curly braces.
Added `{ { 0 } }` to fix that.
|
build failure on IAR was fixed |
|
/morph build |
Build : SUCCESSBuild number : 2988 Triggering tests/morph test |
Test : SUCCESSBuild number : 2746 |
Exporter Build : SUCCESSBuild number : 2596 |
|
Waiting for the last approval from @sbutcher-arm |
Description
mbedtls_platform_contextto be platform code, infeatures/mbedtls/platfrom/.Should work with system modules using Mbed TLS, such as BLE, that wouldn't terminate the cryptographic driver for the application, in the middle of operation.
Adresses first part of #7069
CC @sbutcher-arm @Patater @pan-
Question: Should we protect the reference counter with a mutex?
Pull request type