-
Notifications
You must be signed in to change notification settings - Fork 67
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implementation of PsaGenerateKey and PsaDestroyKey operations #354
Implementation of PsaGenerateKey and PsaDestroyKey operations #354
Conversation
Hey 👋 I spent some time reading the code, trying to understand the logic behind, and before going too deep in reviewing specific things, I wanted to discuss the global design. I will try to write here what I understood but please correct anything I say!
A few questions now:
|
Hey
Well, I am aware of the size of all those changes, but my intention was to provide not only the infrastructure, but also the users of that infrastructure.
This is correct.
This is correct as well. There are two purposes of this fetching:
The
Yes, indirectly. There is already a mapping between
Yes, this is correct.
Yes we do. This is the nature of I2C - any "i2c" group member is (usually) allowed to write to any i2c device. If there are two unsynchronized users of the same ATECC device, we have a BIG trouble.
There is no in-hardware information whether there is anything usable in a slot or not. It may lead to some unpleasant results, e.g. if the slot is locked by hardware, but there is no Precisely speaking, there is an exception described here. Therefore, under certain circumstances, the public key may be invalidated.
It is possible to implement
Of course, both are already being violated one way or another, so I should rather refer to them as "clues", but any breach should be carefully considered anyway. I hope this helps. |
Oh that was not a criticism! I am ok with the size of the change too! I was just meaning that it's best to agree with the global logic before going into the tiny details 😄 Thanks for answering!
Ah ok. I think that would go under our threat model assumption 4: "Users with privilege rights are trusted to exercise them in a non-malicious way." Though, it seems pretty hard to enforce/verify that Parsec is the only process using it...
Would it be possible to check if a basic (and fast) operation using the key fails or not? As in an operation that would fail if the slot is empty? Not sure if possible or if that makes sense. Something like
For 2., I was under the assumption that this is something (the |
As far as I know, the answer is no, it is not possible. The only exception I am aware of is the slot with
I think the way Parsec uses ATECC and CALib is pretty unusual, at least at the moment. As you may have already noticed, it is not designed for a multi-user environment and safe privilege separation. There is no kernel driver owning exclusively the device and offering a common abstract interface or a user space daemon dynamically managing the globally shared ATECC configuration and contents.
In my opinion, this is not only a question of being far from spec, but also a question of a good design. The approach we try to follow is to define which information belongs to Parsec, which belongs to ATECC+CALib. The free/busy slot management (and, less important, slot reference counting) belongs to Parsec, because only Parsec “knows” which slots are free or busy. It is not available directly but can be extracted from the key info manager. And this is where The hardware information, mostly slot configuration here, belongs to rust-cryptoauthlib and should be stored/cached/accessed using rust-cryptoauthlib. There are things that belong to both - if the hardware slot is locked, the key is considered busy even without having a Please note, presented above “functionality ownership” is just my view and I am open for the discussion. |
Got it, thanks.
I see, that makes sense.
With your explanations, I now agree too with your choices. Let's start like this anyway and see how Thanks for the discussion, I will now start reviewing the code as it is 😃 |
Thank you. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here is my review, sorry for the load of comments 😓
Some of them are logic questions/comments and some are more to make the code more Rust idiomatic. I won't be too annoying about that last part but could be something good to have in the future (for example using more Result
)!
f08a666
to
65decc3
Compare
Hello 👋 Don't hesitate to ping me here or on the Slack channel when my re-review is needed. Don't want to block you. |
Hello |
65decc3
to
f08a666
Compare
…toAuthLib provider. 1. Refactor for a new, thread safe(er) rust-cryptoauthlib 0.2.0 2. Introduction of a CryptoAuthLib dedicated key management infrastructure 3. Implementation of PsaGenerateKey and PsaDestroyKey as users of this infrastructure Signed-off-by: Robert Drazkowski <Robert.Drazkowski@globallogic.com>
Signed-off-by: Robert Drazkowski <Robert.Drazkowski@globallogic.com>
Signed-off-by: artur.kazimierski <artur.kazimierski@globallogic.com>
Signed-off-by: artur.kazimierski <artur.kazimierski@globallogic.com>
Signed-off-by: artur.kazimierski <artur.kazimierski@globallogic.com>
…released rust-calib crate version Signed-off-by: artur.kazimierski <artur.kazimierski@globallogic.com>
Signed-off-by: artur.kazimierski <artur.kazimierski@globallogic.com>
Signed-off-by: artur.kazimierski <artur.kazimierski@globallogic.com>
Signed-off-by: artur.kazimierski <artur.kazimierski@globallogic.com>
667a3db
to
e6adfa4
Compare
Signed-off-by: artur.kazimierski <artur.kazimierski@globallogic.com>
Signed-off-by: artur.kazimierski <artur.kazimierski@globallogic.com>
Signed-off-by: artur.kazimierski <artur.kazimierski@globallogic.com>
@hug-dev |
Great, thanks! I will have a look again soon. Don't worry about the PKCS11 test, most probably it is not your fault, those tests are failing often for various reasons not under our control. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alright second round! Sorry if this is taking a long time... Thanks a lot for sorting out the tests with is_operation_supported
👌
e2e_tests/tests/per_provider/normal_tests/create_destroy_key_calib.rs
Outdated
Show resolved
Hide resolved
@@ -11,10 +11,12 @@ const SHA_256: [u8; 32] = [ | |||
0x0d, 0xc4, 0xbc, 0x13, 0xfd, 0x91, 0x74, 0x52, 0x92, 0x24, 0xc3, 0x8e, 0x0e, 0xe0, 0x75, 0xfa, | |||
0x9e, 0xd8, 0x0b, 0x78, 0x47, 0xe6, 0xae, 0xa7, 0x6a, 0xe9, 0x8c, 0xf9, 0xdd, 0xd9, 0x26, 0x69, | |||
]; | |||
#[cfg(not(feature = "cryptoauthlib-provider"))] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are those tests failing? Are yo utesting hashing with hash_calib
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ATECC supports SHA256 only. And hash_calib.rs willl be removed.
Signed-off-by: Robert Drazkowski <Robert.Drazkowski@globallogic.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you! That looks good to me now 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, only left a couple of comments but I'm ok with the change overall!
Signed-off-by: Robert Drazkowski Robert.Drazkowski@globallogic.com