Crypto: Cleanup tfm_builtin_key_loader

The tfm_builtin_key_loader driver assumes that the underlying implementation is the one provided by mbed TLS. This patch aims to decouple as much as possible from it in view of possibly using it with different PSA Crypto core implementations. Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com> Change-Id: Ib8d262da2dff9ae9ad1f34b7641785d9b66b97f9
frkv · Dec 22, 2022 · 7e80490 · 7e80490
1 parent 844e940
commit 7e80490
Show file tree

Hide file tree

Showing 5 changed files with 80 additions and 66 deletions.
diff --git a/platform/ext/common/template/crypto_keys.c b/platform/ext/common/template/crypto_keys.c
@@ -34,7 +34,7 @@
 #endif
 
 enum tfm_plat_err_t tfm_plat_builtin_key_get_usage(psa_key_id_t key_id,
-                                                   mbedtls_key_owner_id_t user,
+                                                   int32_t owner,
                                                    psa_key_usage_t *usage)
 {
     *usage = 0;
@@ -45,7 +45,7 @@ enum tfm_plat_err_t tfm_plat_builtin_key_get_usage(psa_key_id_t key_id,
         *usage = PSA_KEY_USAGE_DERIVE;
         break;
     case TFM_BUILTIN_KEY_ID_IAK:
-        switch(user) {
+        switch(owner) {
 #ifdef TFM_PARTITION_INITIAL_ATTESTATION
         case TFM_SP_INITIAL_ATTESTATION:
             *usage = PSA_KEY_USAGE_SIGN_HASH;
@@ -78,11 +78,11 @@ enum tfm_plat_err_t tfm_plat_builtin_key_get_usage(psa_key_id_t key_id,
 }
 
 enum tfm_plat_err_t tfm_plat_builtin_key_get_lifetime_and_slot(
-    mbedtls_svc_key_id_t key_id,
+    struct tfm_crypto_key_id_s key_id,
     psa_key_lifetime_t *lifetime,
     psa_drv_slot_number_t *slot_number)
 {
-    switch (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key_id)) {
+    switch (key_id.key_id) {
     case TFM_BUILTIN_KEY_ID_HUK:
         *slot_number = TFM_BUILTIN_KEY_SLOT_HUK;
         *lifetime = PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(

diff --git a/platform/ext/target/arm/rss/common/crypto_keys.c b/platform/ext/target/arm/rss/common/crypto_keys.c
@@ -28,7 +28,7 @@
 #endif
 
 enum tfm_plat_err_t tfm_plat_builtin_key_get_usage(psa_key_id_t key_id,
-                                                   mbedtls_key_owner_id_t owner,
+                                                   int32_t owner,
                                                    psa_key_usage_t *usage)
 {
     *usage = 0;
@@ -107,11 +107,11 @@ enum tfm_plat_err_t tfm_plat_builtin_key_get_usage(psa_key_id_t key_id,
 }
 
 enum tfm_plat_err_t tfm_plat_builtin_key_get_lifetime_and_slot(
-    mbedtls_svc_key_id_t key_id,
+    struct tfm_crypto_key_id_s key_id,
     psa_key_lifetime_t *lifetime,
     psa_drv_slot_number_t *slot_number)
 {
-    switch (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key_id)) {
+    switch (key_id.key_id) {
     case TFM_BUILTIN_KEY_ID_HUK:
         *slot_number = TFM_BUILTIN_KEY_SLOT_HUK;
         *lifetime = PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_LIFETIME_PERSISTENT,

diff --git a/platform/include/tfm_plat_crypto_keys.h b/platform/include/tfm_plat_crypto_keys.h
@@ -7,14 +7,14 @@
 
 #ifndef __TFM_PLAT_CRYPTO_KEYS_H__
 #define __TFM_PLAT_CRYPTO_KEYS_H__
+
+#include "psa/crypto.h"
+
 /**
  * \note The interfaces defined in this file must be implemented for each
  *       SoC.
  */
-
-#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
-
-#include "tfm_mbedcrypto_include.h"
+#include "tfm_crypto_key.h"
 
 #include "tfm_plat_defs.h"
 
@@ -29,13 +29,13 @@ extern "C" {
  * \brief Gets key usage for a given builtin key ID and owner.
  *
  * \param[in]  key_id        ID of key
- * \param[in]  user          Which user to get the usage permissions for
+ * \param[in]  owner         Which owner to get the usage permissions for
  * \param[out] usage         The permissions that the given user has for the key
  *
  * \return Returns error code specified in \ref tfm_plat_err_t
  */
 enum tfm_plat_err_t tfm_plat_builtin_key_get_usage(psa_key_id_t key_id,
-                                                   mbedtls_key_owner_id_t user,
+                                                   int32_t owner,
                                                    psa_key_usage_t *usage);
 
 /**
@@ -48,7 +48,7 @@ enum tfm_plat_err_t tfm_plat_builtin_key_get_usage(psa_key_id_t key_id,
  * \return Returns error code specified in \ref tfm_plat_err_t
  */
 enum tfm_plat_err_t tfm_plat_builtin_key_get_lifetime_and_slot(
-    mbedtls_svc_key_id_t key_id,
+    struct tfm_crypto_key_id_s key_id,
     psa_key_lifetime_t *lifetime,
     psa_drv_slot_number_t *slot_number);
 

diff --git a/secure_fw/partitions/crypto/crypto_library.c b/secure_fw/partitions/crypto/crypto_library.c
@@ -168,8 +168,12 @@ psa_status_t mbedtls_psa_platform_get_builtin_key(
     psa_drv_slot_number_t *slot_number)
 {
     enum tfm_plat_err_t plat_err;
+    struct tfm_crypto_key_id_s tfm_key_id = {
+        .key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key_id),
+        .owner = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(key_id)};
 
-    plat_err = tfm_plat_builtin_key_get_lifetime_and_slot(key_id, lifetime,
+    plat_err = tfm_plat_builtin_key_get_lifetime_and_slot(tfm_key_id,
+                                                          lifetime,
                                                           slot_number);
     if (plat_err != TFM_PLAT_ERR_SUCCESS) {
         return PSA_ERROR_DOES_NOT_EXIST;

diff --git a/secure_fw/partitions/crypto/psa_driver_api/tfm_builtin_key_loader.c b/secure_fw/partitions/crypto/psa_driver_api/tfm_builtin_key_loader.c
@@ -24,6 +24,10 @@
 #define TFM_BUILTIN_MAX_KEYS 8
 #endif /* TFM_BUILTIN_MAX_KEYS */
 
+#ifndef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+#error "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER must be selected in Mbed TLS config file"
+#endif
+
 struct tfm_builtin_key_t {
     uint8_t key[TFM_BUILTIN_MAX_KEY_LEN];
     size_t key_len;
@@ -34,57 +38,6 @@ struct tfm_builtin_key_t {
 
 static struct tfm_builtin_key_t builtin_key_slots[TFM_BUILTIN_MAX_KEYS] = {0};
 
-psa_status_t tfm_builtin_key_loader_load_key(uint8_t *buf, size_t key_len,
-                                             psa_key_attributes_t *attr)
-{
-    psa_status_t err;
-    psa_drv_slot_number_t slot_number;
-    psa_key_lifetime_t lifetime;
-    mbedtls_svc_key_id_t key_id;
-
-    /* Set the owner to 0, as we handle permissions on a granular basis. Having
-     * builtin keys being defined with different owners seems to cause a memory
-     * leak in the MbedTLS core.
-     */
-    key_id = psa_get_key_id(attr);
-    key_id.MBEDTLS_PRIVATE(owner) = 0;
-    psa_set_key_id(attr, key_id);
-
-    if (key_len > TFM_BUILTIN_MAX_KEY_LEN) {
-        return PSA_ERROR_BUFFER_TOO_SMALL;
-    }
-
-    err = mbedtls_psa_platform_get_builtin_key(psa_get_key_id(attr), &lifetime,
-                                               &slot_number);
-    if (err != PSA_SUCCESS) {
-        return err;
-    }
-
-    memcpy(&(builtin_key_slots[slot_number].attr), attr,
-           sizeof(psa_key_attributes_t));
-    memcpy(&(builtin_key_slots[slot_number].key), buf, key_len);
-    builtin_key_slots[slot_number].key_len = key_len;
-    builtin_key_slots[slot_number].is_loaded = 1;
-
-    return PSA_SUCCESS;
-}
-
-psa_status_t tfm_builtin_key_loader_get_key_buffer_size(
-        mbedtls_svc_key_id_t key_id, size_t *len)
-{
-    psa_status_t err;
-    psa_drv_slot_number_t slot_number;
-    psa_key_lifetime_t lifetime;
-
-    err = mbedtls_psa_platform_get_builtin_key(key_id, &lifetime, &slot_number);
-    if (err != PSA_SUCCESS) {
-        return err;
-    }
-
-    *len = builtin_key_slots[slot_number].key_len;
-    return PSA_SUCCESS;
-}
-
 static psa_status_t builtin_key_get_attributes(
         struct tfm_builtin_key_t *key_slot, psa_key_attributes_t *attr)
 {
@@ -156,6 +109,62 @@ static psa_status_t builtin_key_copy_to_buffer(
     return PSA_SUCCESS;
 }
 
+/*!
+ * \defgroup tfm_builtin_key_loader
+ *
+ */
+/*!@{*/
+psa_status_t tfm_builtin_key_loader_load_key(uint8_t *buf, size_t key_len,
+                                             psa_key_attributes_t *attr)
+{
+    psa_status_t err;
+    psa_drv_slot_number_t slot_number;
+    psa_key_lifetime_t lifetime;
+    mbedtls_svc_key_id_t key_id;
+
+    /* Set the owner to 0, as we handle permissions on a granular basis. Having
+     * builtin keys being defined with different owners seems to cause a memory
+     * leak in the MbedTLS core.
+     */
+    key_id = psa_get_key_id(attr);
+    key_id = mbedtls_svc_key_id_make(0, MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key_id));
+    psa_set_key_id(attr, key_id);
+
+    if (key_len > TFM_BUILTIN_MAX_KEY_LEN) {
+        return PSA_ERROR_BUFFER_TOO_SMALL;
+    }
+
+    err = mbedtls_psa_platform_get_builtin_key(psa_get_key_id(attr), &lifetime,
+                                               &slot_number);
+    if (err != PSA_SUCCESS) {
+        return err;
+    }
+
+    memcpy(&(builtin_key_slots[slot_number].attr), attr,
+           sizeof(psa_key_attributes_t));
+    memcpy(&(builtin_key_slots[slot_number].key), buf, key_len);
+    builtin_key_slots[slot_number].key_len = key_len;
+    builtin_key_slots[slot_number].is_loaded = 1;
+
+    return PSA_SUCCESS;
+}
+
+psa_status_t tfm_builtin_key_loader_get_key_buffer_size(
+        mbedtls_svc_key_id_t key_id, size_t *len)
+{
+    psa_status_t err;
+    psa_drv_slot_number_t slot_number;
+    psa_key_lifetime_t lifetime;
+
+    err = mbedtls_psa_platform_get_builtin_key(key_id, &lifetime, &slot_number);
+    if (err != PSA_SUCCESS) {
+        return err;
+    }
+
+    *len = builtin_key_slots[slot_number].key_len;
+    return PSA_SUCCESS;
+}
+
 psa_status_t tfm_builtin_key_loader_get_key_buffer(
         psa_drv_slot_number_t slot_number, psa_key_attributes_t *attributes,
         uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
@@ -211,3 +220,4 @@ psa_status_t tfm_builtin_key_loader_get_key_buffer(
 
     return err;
 }
+/*!@}*/