From 354f7671f48945ffa9e68e0a4564e7f16279a152 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Fri, 12 Jul 2019 23:46:38 +0200
Subject: [PATCH] SE keys: support destroy

When destroying a key in a secure element, call the driver's destroy method and update the driver's persistent data in storage.
---
 library/psa_crypto.c    | 11 +++++++++++
 library/psa_crypto_se.c | 16 ++++++++++++++++
 library/psa_crypto_se.h |  8 ++++++++
 3 files changed, 35 insertions(+)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 93c9ce444..70ef9be0d 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -939,10 +939,20 @@ psa_status_t psa_destroy_key( psa_key_handle_t handle )
     psa_key_slot_t *slot;
     psa_status_t status = PSA_SUCCESS;
     psa_status_t storage_status = PSA_SUCCESS;
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    psa_se_drv_table_entry_t *driver;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
 
     status = psa_get_key_slot( handle, &slot );
     if( status != PSA_SUCCESS )
         return( status );
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    driver = psa_get_se_driver_entry( slot->lifetime );
+    if( driver != NULL )
+        status = psa_destroy_se_key( driver, slot->data.se.slot_number );
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
     if( slot->lifetime == PSA_KEY_LIFETIME_PERSISTENT )
     {
@@ -950,6 +960,7 @@ psa_status_t psa_destroy_key( psa_key_handle_t handle )
         psa_destroy_persistent_key( slot->persistent_storage_id );
     }
 #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+
     status = psa_wipe_key_slot( slot );
     if( status != PSA_SUCCESS )
         return( status );
diff --git a/library/psa_crypto_se.c b/library/psa_crypto_se.c
index fb57fc962..7287ac0d7 100644
--- a/library/psa_crypto_se.c
+++ b/library/psa_crypto_se.c
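Review bot: The status returned by `psa_destroy_se_key` in the new `MBEDTLS_PSA_CRYPTO_SE_C` block is never examined: nothing tests it before `status = psa_wipe_key_slot( slot );` in the next hunk overwrites it, so a driver that fails to destroy the key still lets psa_destroy_key report success while the local slot and the storage entry are gone, and the caller cannot tell that key material remains in the secure element. Keep the driver result in its own variable, e.g. `psa_status_t se_status = PSA_SUCCESS;` and `se_status = psa_destroy_se_key( driver, slot->data.se.slot_number );`, and fold it into the final return alongside `storage_status`, with the driver error taking precedence. The function's final return lies outside both hunks, so that last change is not visible here. It is also worth deciding, and stating in a comment, whether the persistent storage entry should still be removed when the secure element refused to destroy the key.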
@@ -159,6 +159,22 @@ psa_status_t psa_find_se_slot_for_key(
     return( status );
 }
 
+psa_status_t psa_destroy_se_key( psa_se_drv_table_entry_t *driver,
+                                 psa_key_slot_number_t slot_number )
+{
+    psa_status_t status;
+    psa_status_t storage_status;
+    if( driver->methods->key_management == NULL ||
+        driver->methods->key_management->p_destroy == NULL )
+        return( PSA_ERROR_NOT_PERMITTED );
+    status = driver->methods->key_management->p_destroy(
+        &driver->context,
+        driver->internal.persistent_data,
+        slot_number );
+    storage_status = psa_save_se_persistent_data( driver );
+    return( status == PSA_SUCCESS ? storage_status : status );
+}
+
 /****************************************************************/
diff --git a/library/psa_crypto_se.h b/library/psa_crypto_se.h
index 02819d9b3..f1d7e7c36 100644
--- a/library/psa_crypto_se.h
+++ b/library/psa_crypto_se.h
@@ -114,6 +114,14 @@ psa_status_t psa_find_se_slot_for_key(
     psa_se_drv_table_entry_t *driver,
     psa_key_slot_number_t *slot_number );
 
+/** Destoy a key in a secure element.
+ *
+ * This function calls the relevant driver method to destroy a key
+ * and updates the driver's persistent data.
+ */
+psa_status_t psa_destroy_se_key( psa_se_drv_table_entry_t *driver,
+                                 psa_key_slot_number_t slot_number );
+
 /** Load the persistent data of a secure element driver.
  *
  * \param driver The driver table entry containing the persistent
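Review bot: `psa_destroy_se_key` writes the driver's persistent data back with `psa_save_se_persistent_data( driver )` even when `p_destroy` returned an error, so whatever partial state the driver left in `driver->internal.persistent_data` is committed to storage, and when both the destroy and the save fail only the destroy error is reported. If the intent is that drivers must keep their persistent data consistent on failure, say so above the call, e.g. `/* Save unconditionally: the driver may have updated its persistent data before failing. */`; otherwise guard the save with `if( status == PSA_SUCCESS )`. The function also dereferences `driver->methods` without a NULL check; if registration guarantees it is set, a one-line comment saying so would spare the next reader the question.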
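Review bot: The new doc comment reads `Destoy a key in a secure element.`, which should be `Destroy`, and unlike the neighbouring "Load the persistent data" comment it documents neither parameter nor the return value. Add `\param driver` for the driver table entry, `\param slot_number` for the key's slot in the secure element, and a `\return` stating that the driver's destroy error takes precedence over the persistent-data save error and that `PSA_ERROR_NOT_PERMITTED` is returned when the driver provides no destroy method, which is what the implementation in psa_crypto_se.c does.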