-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Default random no trng #8742
Default random no trng #8742
Conversation
@netanelgonen Could you please squash the commits in this PR to a more manageable size. Could you also please rebase and ensure that your commit messages comply with the guidelines in our documentation... |
Hi, Once PR#8730 is in the diff in changes will be minor |
This is still in internal review therefor I cannot squash this for now. |
@dannybenor , please review |
|
||
|
||
#ifndef MBED_OS_RTOS_COMPONENT_PSA_SRV_IMPL_DEFAULTRANDOMSEED_H_ | ||
#define MBED_OS_RTOS_COMPONENT_PSA_SRV_IMPL_DEFAULTRANDOMSEED_H_ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This define name is really weird and doesn't match here the file is. Please revise. Perhaps "DEFAULT_RANDOM_SEED_H" would be fine. Look at other files for an example.
#endif | ||
|
||
#ifndef RANDOM_SEED_ITS_UID | ||
#define MBED_RANDOM_SEED_ITS_UID 0xBAADA555 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't look random. Non-random values have a higher chance of collisions...
extern "C" { | ||
#endif | ||
|
||
#ifndef RANDOM_SEED_ITS_UID |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be MBED_RANDOM_SEED_ITS_UID
and not RANDOM_SEED_ITS_UID
?
@@ -0,0 +1,19 @@ | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Style: Remove extra newline here
} | ||
|
||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Style: remove extra newlines here
#include "default_random_seed.h" | ||
#include "psa_prot_internal_storage.h" | ||
|
||
int mbed_default_seed_read( unsigned char *buf, size_t buf_len ) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Style: Use Mbed OS style consistently. We seem to be mixing Mbed TLS and Mbed OS style in this file.
int mbed_default_seed_read( unsigned char *buf, size_t buf_len ) | ||
{ | ||
psa_its_status_t rc = psa_its_get(MBED_RANDOM_SEED_ITS_UID, 0, buf_len, buf); | ||
return rc; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Simply returning rc
isn't going to work when there is an error. PSA ITS errors are positive integers. The code checking for errors from mbedtls_nv_seed_read()
interprets values less than zero as errors. This will mean that no entropy was provided (due to the error), but the system will think entropy was provided (because a non-negative value was returned): catastrophic for security!
int mbed_default_seed_write( unsigned char *buf, size_t buf_len ) | ||
{ | ||
psa_its_status_t rc = psa_its_set(MBED_RANDOM_SEED_ITS_UID, buf_len, buf, 0); | ||
return rc; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please check how errors are handled here as well.
@@ -6,14 +6,20 @@ | |||
int mbed_default_seed_read( unsigned char *buf, size_t buf_len ) | |||
{ | |||
psa_its_status_t rc = psa_its_get(MBED_RANDOM_SEED_ITS_UID, 0, buf_len, buf); | |||
return rc; | |||
/* Make sure that in case of an error the value will be negative | |||
* mbedTLS errors are negative values */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please use "Mbed TLS"
/* Make sure that in case of an error the value will be negative | ||
* mbedTLS errors are negative values */ | ||
rc = rc < 0 ? rc : (-1 * rc); | ||
return ( rc ); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if we return -rc
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This just in case that the psa_its_* will return a negative value
@@ -8,7 +8,7 @@ extern "C" { | |||
#endif | |||
|
|||
#ifndef RANDOM_SEED_ITS_UID | |||
#define MBED_RANDOM_SEED_ITS_UID 0x90210 | |||
#define MBED_RANDOM_SEED_ITS_UID 0x90210 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we get this define from the Mbed Crypto library instead?
This still doesn't look very random...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This feature does not enforce the use of Mbed Crypto,
There are 2 things the injection and the get/set the seed from secure storage
this definition is relevant for this file...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
replacing number using this tool https://www.random.org/bytes/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this feature does not require the use of Mbed Crypto, how does the initial random seed get populated? If there is some way other than Mbed Crypto, then we should not worry about making any PSA Entropy Injection API since we can just use that other way, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Patater these 2 api callbacks currently are in no way related to any library except psa_its* secure storage, this is the only link. But psa-crypto is not part of the includes. let's not make a circular dependency where psa-crypto uses callbacks and callbacks include psa crypto
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm suggesting we make Mbed Crypto the one source of truth for which storage slot contains the NV seed. Both have to agree. It's backwards to make Mbed Crypto depend on Mbed OS to determine this. Shouldn't be circular, but from Mbed Crypto picking the slot and Mbed OS using the same slot.
@netanelgonen One more rebase, and this should be good. |
@Patater comment was treated |
Looks alright. Awaiting rebase. |
beac936
to
2dbcd3a
Compare
rebased |
Still too many commits in this PR. This depends on #8730 getting merged first, after which this PR needs another rebase (including commit cleanup to meet Mbed OS standards). |
2dbcd3a
to
65f2456
Compare
@Patater squashed all my changes into a single commit |
@@ -0,0 +1,42 @@ | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this the final location we should place the file? @alzix is working on adding a new TARGET_PSA
folder mechanism. I think we should place these files into a TARGET_PSA
folder (perhaps features/mbedtls/platform/TARGET_PSA
). Sorry for the late design change, but TARGET_PSA
is a late design change that affects this PR.
Ensure you are aligned with #8723 so we don't have too many disparate folders for what should all be the same folder.
psa_its_get_info(MBED_RANDOM_SEED_ITS_UID, &info); | ||
if (info.size < buf_len) | ||
{ | ||
actual_size = info.size; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please note that mbed_default_seed_read(unsigned char *buf, size_t buf_len)
is not able to tell anyone it has read less then required as buf_len
is an IN argument only.
Thus reading less then requested is not a solution.
Consider calling panic as it looks like missconfiguration issue. System integrator MUST know what seed size is needed for his system, and must inject appropriate size.
By gracefully treating this error we may introduce security vulnerabilities, when error code will not be treated properly.
@@ -5,7 +5,16 @@ | |||
|
|||
int mbed_default_seed_read(unsigned char *buf, size_t buf_len) | |||
{ | |||
psa_its_status_t rc = psa_its_get(MBED_RANDOM_SEED_ITS_UID, 0, buf_len, buf); | |||
psa_its_status_t rc; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will mbed_default_seed_read()
ever be called multiple times? Perhaps mbedtls will poll, asking for 32-byte chunks at a time. Do we need to handle that? If so, we should make sure we don't re-use bits of injected entropy for each call to mbed_default_seed_read()
.
Alternatively, we can set MBEDTLS_ENTROPY_BLOCK_SIZE
to exactly how much will be injected and exactly how much entropy Mbed TLS will ask for (must be same number), and can return an error if the mbed_default_seed_read()
is called more than once.
I believe I prefer the second approach (easier to test and verify).
What are your thoughts in this area, @gilles-peskine-arm ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Context: what is this function supposed to do?
- add SPDX license identifier - add missing license headers - update year in license headers
* Modify linker scripts to be compatible with bootloader and PSA * Add memory protection * Modify original post-build step to allow link with PSA binaries * Config kvstore for ITS on FUTURE_SEQUANA_PSA
Implement the following: KVStore base class TDBStore class FileSystemStore class SecureStore class Global APIs Configuration framework Design documentation
* Modify linker scripts to be compatible with bootloader and PSA * Add memory protection * Modify original post-build step to allow link with PSA binaries * Config kvstore for ITS on FUTURE_SEQUANA_PSA
This is a workaround supplied by Cypress The issue will be fixed correctly with an updated PDL
Bug description - Sequential flash operations fails
If setting the MBEDTLS_PLATFORM_NV_SEED_ALT and MBEDTLS_ENTROPY_NV_SEED flags and not setting MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO and MBEDTLS_PLATFORM_NV_SEED_READ_MACRO flags mbed-os will add an entropy source to the relevent partition - SPE in case of daul core or in case of single core V7 to the main partition. The defualt behaviour will be to read or write the data from the ITS.
a78666d
to
1479dd9
Compare
internal review approved. rebase done |
@netanelgonen @avolinski Please take a look at the travis failures. |
This PR also depends on the upcoming mbedTLS PR with mbed crypto, since it includes "crypto.h" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK
Will need me to look at again after rebase on top of merged preceeding PR
closed and replaced by #8804 |
Adding default implementation to seed read/write from secure storage
to active this need to define the following macros:
MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbed_defualt_seed_read
MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbed_defualt_seed_write
depends on #8730