Make mbedtls_psa_register_se_key usable with volatile keys #9254
Labels
api-break
This issue/PR breaks the API and must wait for a new major version
bug
component-psa
PSA keystore/dispatch layer (storage, drivers, …)
size-xs
Estimated task size: extra small (a few hours at most)
Comments
gilles-peskine-arm
added
bug
component-psa
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The function
mbedtls_psa_register_se_keycreates a PSA key object that is backed by a secure element. If you give it a volatile lifetime, the core chooses a volatile key identifier, which is needed to use the key subsequently. However, the API does not output that key identifier, so the created volatile key just leaks memory.My original thinking was that you would call this function once to register a key during a provisioning phase. However, there are devices with no local storage of keys, not even key metadata, but that have a secure element, and this function is useful on such devices as well. The application would register the key each time it uses it.
In the next major version of Mbed TLS, change the function to have an extra argument to output the key identifier, like the other key creation functions (
psa_generate_key, etc.).The text was updated successfully, but these errors were encountered: