Default random no trng #8742
Default random no trng #8742
Conversation
|
@netanelgonen Could you please squash the commits in this PR to a more manageable size. Could you also please rebase and ensure that your commit messages comply with the guidelines in our documentation... |
|
Hi, Once PR#8730 is in the diff in changes will be minor |
|
This is still in internal review therefor I cannot squash this for now. |
|
@dannybenor , please review |
|
|
||
|
|
||
| #ifndef MBED_OS_RTOS_COMPONENT_PSA_SRV_IMPL_DEFAULTRANDOMSEED_H_ | ||
| #define MBED_OS_RTOS_COMPONENT_PSA_SRV_IMPL_DEFAULTRANDOMSEED_H_ |
There was a problem hiding this comment.
This define name is really weird and doesn't match here the file is. Please revise. Perhaps "DEFAULT_RANDOM_SEED_H" would be fine. Look at other files for an example.
| #endif | ||
|
|
||
| #ifndef RANDOM_SEED_ITS_UID | ||
| #define MBED_RANDOM_SEED_ITS_UID 0xBAADA555 |
There was a problem hiding this comment.
This doesn't look random. Non-random values have a higher chance of collisions...
| extern "C" { | ||
| #endif | ||
|
|
||
| #ifndef RANDOM_SEED_ITS_UID |
There was a problem hiding this comment.
Should this be MBED_RANDOM_SEED_ITS_UID and not RANDOM_SEED_ITS_UID?
| @@ -0,0 +1,19 @@ | |||
|
|
|||
There was a problem hiding this comment.
Style: Remove extra newline here
| } | ||
|
|
||
|
|
||
|
|
There was a problem hiding this comment.
Style: remove extra newlines here
| #include "default_random_seed.h" | ||
| #include "psa_prot_internal_storage.h" | ||
|
|
||
| int mbed_default_seed_read( unsigned char *buf, size_t buf_len ) |
There was a problem hiding this comment.
Style: Use Mbed OS style consistently. We seem to be mixing Mbed TLS and Mbed OS style in this file.
| int mbed_default_seed_read( unsigned char *buf, size_t buf_len ) | ||
| { | ||
| psa_its_status_t rc = psa_its_get(MBED_RANDOM_SEED_ITS_UID, 0, buf_len, buf); | ||
| return rc; |
There was a problem hiding this comment.
Simply returning rc isn't going to work when there is an error. PSA ITS errors are positive integers. The code checking for errors from mbedtls_nv_seed_read() interprets values less than zero as errors. This will mean that no entropy was provided (due to the error), but the system will think entropy was provided (because a non-negative value was returned): catastrophic for security!
| int mbed_default_seed_write( unsigned char *buf, size_t buf_len ) | ||
| { | ||
| psa_its_status_t rc = psa_its_set(MBED_RANDOM_SEED_ITS_UID, buf_len, buf, 0); | ||
| return rc; |
There was a problem hiding this comment.
Please check how errors are handled here as well.
| @@ -6,14 +6,20 @@ | |||
| int mbed_default_seed_read( unsigned char *buf, size_t buf_len ) | |||
| { | |||
| psa_its_status_t rc = psa_its_get(MBED_RANDOM_SEED_ITS_UID, 0, buf_len, buf); | |||
| return rc; | |||
| /* Make sure that in case of an error the value will be negative | |||
| * mbedTLS errors are negative values */ | |||
| /* Make sure that in case of an error the value will be negative | ||
| * mbedTLS errors are negative values */ | ||
| rc = rc < 0 ? rc : (-1 * rc); | ||
| return ( rc ); |
There was a problem hiding this comment.
This just in case that the psa_its_* will return a negative value
| @@ -8,7 +8,7 @@ extern "C" { | |||
| #endif | |||
|
|
|||
| #ifndef RANDOM_SEED_ITS_UID | |||
| #define MBED_RANDOM_SEED_ITS_UID 0x90210 | |||
| #define MBED_RANDOM_SEED_ITS_UID 0x90210 | |||
There was a problem hiding this comment.
Could we get this define from the Mbed Crypto library instead?
This still doesn't look very random...
There was a problem hiding this comment.
This feature does not enforce the use of Mbed Crypto,
There are 2 things the injection and the get/set the seed from secure storage
this definition is relevant for this file...
There was a problem hiding this comment.
replacing number using this tool https://www.random.org/bytes/
There was a problem hiding this comment.
If this feature does not require the use of Mbed Crypto, how does the initial random seed get populated? If there is some way other than Mbed Crypto, then we should not worry about making any PSA Entropy Injection API since we can just use that other way, right?
There was a problem hiding this comment.
@Patater these 2 api callbacks currently are in no way related to any library except psa_its* secure storage, this is the only link. But psa-crypto is not part of the includes. let's not make a circular dependency where psa-crypto uses callbacks and callbacks include psa crypto
There was a problem hiding this comment.
I'm suggesting we make Mbed Crypto the one source of truth for which storage slot contains the NV seed. Both have to agree. It's backwards to make Mbed Crypto depend on Mbed OS to determine this. Shouldn't be circular, but from Mbed Crypto picking the slot and Mbed OS using the same slot.
|
@netanelgonen One more rebase, and this should be good. |
|
@Patater comment was treated |
|
Looks alright. Awaiting rebase. |
netanelgonen
force-pushed
the
default-random-no-trng
branch
2 times, most recently
from
beac936
to
2dbcd3a
Compare
|
rebased |
|
Still too many commits in this PR. This depends on #8730 getting merged first, after which this PR needs another rebase (including commit cleanup to meet Mbed OS standards). |
netanelgonen
force-pushed
the
default-random-no-trng
branch
from
2dbcd3a
to
65f2456
Compare
|
@Patater squashed all my changes into a single commit |
| @@ -0,0 +1,42 @@ | |||
|
|
|||
There was a problem hiding this comment.
Is this the final location we should place the file? @alzix is working on adding a new TARGET_PSA folder mechanism. I think we should place these files into a TARGET_PSA folder (perhaps features/mbedtls/platform/TARGET_PSA). Sorry for the late design change, but TARGET_PSA is a late design change that affects this PR.
Ensure you are aligned with #8723 so we don't have too many disparate folders for what should all be the same folder.
| psa_its_get_info(MBED_RANDOM_SEED_ITS_UID, &info); | ||
| if (info.size < buf_len) | ||
| { | ||
| actual_size = info.size; |
There was a problem hiding this comment.
Please note that mbed_default_seed_read(unsigned char *buf, size_t buf_len) is not able to tell anyone it has read less then required as buf_len is an IN argument only.
Thus reading less then requested is not a solution.
Consider calling panic as it looks like missconfiguration issue. System integrator MUST know what seed size is needed for his system, and must inject appropriate size.
By gracefully treating this error we may introduce security vulnerabilities, when error code will not be treated properly.
| @@ -5,7 +5,16 @@ | |||
|
|
|||
| int mbed_default_seed_read(unsigned char *buf, size_t buf_len) | |||
| { | |||
| psa_its_status_t rc = psa_its_get(MBED_RANDOM_SEED_ITS_UID, 0, buf_len, buf); | |||
| psa_its_status_t rc; | |||
There was a problem hiding this comment.
Will mbed_default_seed_read() ever be called multiple times? Perhaps mbedtls will poll, asking for 32-byte chunks at a time. Do we need to handle that? If so, we should make sure we don't re-use bits of injected entropy for each call to mbed_default_seed_read().
Alternatively, we can set MBEDTLS_ENTROPY_BLOCK_SIZE to exactly how much will be injected and exactly how much entropy Mbed TLS will ask for (must be same number), and can return an error if the mbed_default_seed_read() is called more than once.
I believe I prefer the second approach (easier to test and verify).
What are your thoughts in this area, @gilles-peskine-arm ?
There was a problem hiding this comment.
Context: what is this function supposed to do?
- add SPDX license identifier - add missing license headers - update year in license headers
* Modify linker scripts to be compatible with bootloader and PSA * Add memory protection * Modify original post-build step to allow link with PSA binaries * Config kvstore for ITS on FUTURE_SEQUANA_PSA
Implement the following: KVStore base class TDBStore class FileSystemStore class SecureStore class Global APIs Configuration framework Design documentation
* Modify linker scripts to be compatible with bootloader and PSA * Add memory protection * Modify original post-build step to allow link with PSA binaries * Config kvstore for ITS on FUTURE_SEQUANA_PSA
This is a workaround supplied by Cypress The issue will be fixed correctly with an updated PDL
Bug description - Sequential flash operations fails
If setting the MBEDTLS_PLATFORM_NV_SEED_ALT and MBEDTLS_ENTROPY_NV_SEED flags and not setting MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO and MBEDTLS_PLATFORM_NV_SEED_READ_MACRO flags mbed-os will add an entropy source to the relevent partition - SPE in case of daul core or in case of single core V7 to the main partition. The defualt behaviour will be to read or write the data from the ITS.
alekshex
force-pushed
the
default-random-no-trng
branch
from
a78666d
to
1479dd9
Compare
|
internal review approved. rebase done |
|
@netanelgonen @avolinski Please take a look at the travis failures. |
This PR also depends on the upcoming mbedTLS PR with mbed crypto, since it includes "crypto.h" |
|
closed and replaced by #8804 |
Adding default implementation to seed read/write from secure storage
to active this need to define the following macros:
MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbed_defualt_seed_read
MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbed_defualt_seed_write
depends on #8730