Legacy-to-PSA transition guide #7766
Covers most modules, but missing most of ecp, ecdh and dhm. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
per Mbed-TLS#7439 (comment) and Mbed-TLS#7774 (comment) State that EXPORT implies BASIC. Also fix missing `WANT_` parts. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Also correct some statements about rsa/ecp/pk check functions. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
I have now covered
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
It's not pretty. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mbedtls_mpi_init(&d); | ||
mbedtls_ecp_export(ec, &grp, &d, &Q); | ||
size_t bits; | ||
curve = mbedtls_ecc_group_to_psa(grp.id, &bits); |
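Review bot: The return value of `mbedtls_ecp_export(ec, &grp, &d, &Q)` is discarded in this snippet, so a failed export may leave `grp.id` and `d` unset going into the `mbedtls_ecc_group_to_psa` call. Since this is example code that readers will copy from the guide, capture and check that result, and also check that `mbedtls_ecc_group_to_psa(grp.id, &bits)` did not return 0 (its value for a group with no PSA equivalent) before `curve` is used, unless the lines that follow already do so. Only `mbedtls_mpi_init(&d)` is visible here; `grp` and `Q` need their own init calls before the export if those are not just above.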
Turns out we did have the ECP→PSA bridge function here, since the beginning. On the other hand the way to extract metadata from the legacy object is ridiculous because we haven't finished 3.0 properly.
I'm raising the priority to very-high because the detailed investigation for the legacy-to-PSA API design depends on this and this investigation is overdue.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Regarding the "Compile-time configuration" section, only two propositions that make things more explicit to me.
One comment about the "Miscellaneous support modules" section.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
For the record, I'm happy with my section except for the part about static (EC)DH. Since it looks like this is unlikely to reveal any new gaps in existing APIs (in my experience, doing static (EC)DH is actually easier with PSA as there are fewer differences between static and ephemeral, it's really the legacy API that makes things awkward, as usual), I'd be happy to leave that to a follow-up as long as it's tracked.
I hereby note for the avoidance of doubt that I'm happy with the 'Hashes and MAC' section and therefore have ticked it.
My sections LGTM, thanks.
LGTM for the sections I've reviewed.
Happy with this section, one more to review
LGTM
LGTM
I have finished going through symmetric encryption.
LGTM, thanks!
@mpg I've filed an issue for static ECDH. Is the document ok to merge now as far as you're concerned?
LGTM for asymmetric crypto.
A new document explains how to migrate application code from the legacy crypto API to the PSA API.
I initially thought this would go in the knowledge base, but we're going to have different versions in the 3.x series and in the 4.x series, so upon reflection it should be versioned. The document mostly focuses on what is in Mbed TLS today, but includes a few notes about upcoming changes.
As I was writing this document, some gaps between the two APIs became evident. I created a few issues for these gaps, with a link in the document.
Reviewers
The top-level sections are largely independent, so we are splitting the review load. For each section, we will have at least one person reviewing for clarity and one for correctness.
I recommend that all reviewers read “Introduction” and at least skim “General considerations” to get an idea of the goals of the document.
PR checklist