From 08bde36e737bd8c00d73974d6c4854e0f7cd3e23 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 18 Aug 2020 23:04:08 +0200 Subject: [PATCH 1/5] Clarify that the location is where the key material is accessible Signed-off-by: Gilles Peskine --- include/psa/crypto_types.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 29e1f2939..874fea4e3 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -115,8 +115,9 @@ typedef uint32_t psa_algorithm_t; * whether the key is _volatile_ or _persistent_. * See ::psa_key_persistence_t for more information. * - Bits 8-31 (#PSA_KEY_LIFETIME_GET_LOCATION(\c lifetime)): - * location indicator. This value indicates where the key is stored - * and where operations on the key are performed. + * location indicator. This value indicates where the key material is stored + * (or at least where it is accessible in cleartext) and where operations + * on the key are performed. * See ::psa_key_location_t for more information. * * Volatile keys are automatically destroyed when the application instance From d0107b96afb2f190a210430f207b3bf8fe6e24bf Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 18 Aug 2020 23:05:06 +0200 Subject: [PATCH 2/5] Replace spec language by Mbed TLS documentation: lifetimes In the documentation of lifetimes, replace language meant for the PSA specification by language that is specifically about Mbed TLS. Reduce the discussion of what could happen in other implementation, and discuss what can and cannot happen in integrations of Mbed TLS. Signed-off-by: Gilles Peskine --- include/psa/crypto_types.h | 47 +++++++++++++------------------------ include/psa/crypto_values.h | 5 ++-- 2 files changed, 18 insertions(+), 34 deletions(-) diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 874fea4e3..17641df77 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -123,7 +123,7 @@ typedef uint32_t psa_algorithm_t; * Volatile keys are automatically destroyed when the application instance * terminates or on a power reset of the device. Persistent keys are * preserved until the application explicitly destroys them or until an - * implementation-specific device management event occurs (for example, + * integration-specific device management event occurs (for example, * a factory reset). * * Persistent keys have a key identifier of type #psa_key_id_t. @@ -134,10 +134,9 @@ typedef uint32_t psa_algorithm_t; * * This specification defines two basic lifetime values: * - Keys with the lifetime #PSA_KEY_LIFETIME_VOLATILE are volatile. - * All implementations should support this lifetime. + * This lifetime is always supported. * - Keys with the lifetime #PSA_KEY_LIFETIME_PERSISTENT are persistent. - * All implementations that have access to persistent storage with - * appropriate security guarantees should support this lifetime. + * This lifetime is always supported if persistent storage is available. */ typedef uint32_t psa_key_lifetime_t; @@ -150,35 +149,21 @@ typedef uint32_t psa_key_lifetime_t; * actually affect persistent keys at different levels is outside the * scope of the PSA Cryptography specification. * - * This specification defines the following values of persistence levels: + * The PSA Cryptography specification defines the following values of + * persistence levels: * - \c 0 = #PSA_KEY_PERSISTENCE_VOLATILE: volatile key. * A volatile key is automatically destroyed by the implementation when * the application instance terminates. In particular, a volatile key * is automatically destroyed on a power reset of the device. * - \c 1 = #PSA_KEY_PERSISTENCE_DEFAULT: * persistent key with a default lifetime. - * Implementations should support this value if they support persistent - * keys at all. - * Applications should use this value if they have no specific needs that - * are only met by implementation-specific features. - * - \c 2-127: persistent key with a PSA-specified lifetime. - * The PSA Cryptography specification does not define the meaning of these - * values, but other PSA specifications may do so. - * - \c 128-254: persistent key with a vendor-specified lifetime. - * No PSA specification will define the meaning of these values, so - * implementations may choose the meaning freely. - * As a guideline, higher persistence levels should cause a key to survive - * more management events than lower levels. + * - \c 2-254: currently not supported by Mbed TLS. * - \c 255 = #PSA_KEY_PERSISTENCE_READ_ONLY: * read-only or write-once key. * A key with this persistence level cannot be destroyed. - * Implementations that support such keys may either allow their creation - * through the PSA Cryptography API, preferably only to applications with - * the appropriate privilege, or only expose keys created through - * implementation-specific means such as a factory ROM engraving process. - * Note that keys that are read-only due to policy restrictions - * rather than due to physical limitations should not have this - * persistence levels. + * Mbed TLS does not currently offer a way to create such keys, but + * integrations of Mbed TLS can use it for built-in keys that the + * application cannot modify (for example, a hardware unique key (HUK)). * * \note Key persistence levels are 8-bit values. Key management * interfaces operate on lifetimes (type ::psa_key_lifetime_t) which @@ -188,12 +173,12 @@ typedef uint8_t psa_key_persistence_t; /** Encoding of key location indicators. * - * If an implementation of this API can make calls to external + * If an integration of Mbed TLS can make calls to external * cryptoprocessors such as secure elements, the location of a key * indicates which secure element performs the operations on the key. - * If an implementation offers multiple physical locations for persistent - * storage, the location indicator reflects at which physical location - * the key is stored. + * Depending on the design of the driver for the secure element, the key + * material may either be stored either in the secure element, or + * in wrapped form alongside the key metadata in the primary local storage. * * This specification defines the following values of location indicators: * - \c 0: primary local storage. @@ -201,15 +186,15 @@ typedef uint8_t psa_key_persistence_t; * The primary local storage is typically the same storage area that * contains the key metadata. * - \c 1: primary secure element. - * Implementations should support this value if there is a secure element - * attached to the operating environment. + * Integrations of Mbed TLS should support this value if there is a secure + * element attached to the operating environment. * As a guideline, secure elements may provide higher resistance against * side channel and physical attacks than the primary local storage, but may * have restrictions on supported key types, sizes, policies and operations * and may have different performance characteristics. * - \c 2-0x7fffff: other locations defined by a PSA specification. * The PSA Cryptography API does not currently assign any meaning to these - * locations, but future versions of this specification or other PSA + * locations, but future versions of that specification or other PSA * specifications may do so. * - \c 0x800000-0xffffff: vendor-defined locations. * No PSA specification will assign a meaning to locations in this range. diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 73d7d9d14..06f086ee8 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1558,13 +1558,12 @@ * * A persistent key remains in storage until it is explicitly destroyed or * until the corresponding storage area is wiped. This specification does - * not define any mechanism to wipe a storage area, but implementations may + * not define any mechanism to wipe a storage area, but integrations may * provide their own mechanism (for example to perform a factory reset, * to prepare for device refurbishment, or to uninstall an application). * * This lifetime value is the default storage area for the calling - * application. Implementations may offer other storage areas designated - * by other lifetime values as implementation-specific extensions. + * application. Integrations of Mbed TLS may support other persistent lifetimes. * See ::psa_key_lifetime_t for more information. */ #define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t)0x00000001) From 9b3e5a7b3ecf12c0a04b871290ae16b2a170d38a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 11 Dec 2020 18:46:01 +0100 Subject: [PATCH 3/5] Clarify the explanation of locations It's about who has access to the key material in plaintext, not directly where the operation is performed. Signed-off-by: Gilles Peskine --- include/psa/crypto_types.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 17641df77..f7f8a8474 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -115,9 +115,8 @@ typedef uint32_t psa_algorithm_t; * whether the key is _volatile_ or _persistent_. * See ::psa_key_persistence_t for more information. * - Bits 8-31 (#PSA_KEY_LIFETIME_GET_LOCATION(\c lifetime)): - * location indicator. This value indicates where the key material is stored - * (or at least where it is accessible in cleartext) and where operations - * on the key are performed. + * location indicator. This value indicates which part of the system + * has access to the key material and can perform operations using the key. * See ::psa_key_location_t for more information. * * Volatile keys are automatically destroyed when the application instance @@ -176,9 +175,10 @@ typedef uint8_t psa_key_persistence_t; * If an integration of Mbed TLS can make calls to external * cryptoprocessors such as secure elements, the location of a key * indicates which secure element performs the operations on the key. - * Depending on the design of the driver for the secure element, the key + * Depending on the design of the secure element, the key * material may either be stored either in the secure element, or - * in wrapped form alongside the key metadata in the primary local storage. + * in wrapped (encrypted) form alongside the key metadata in the + * primary local storage. * * This specification defines the following values of location indicators: * - \c 0: primary local storage. From e39bdaa0edd6a5d9af84ed908c0759b634c6674c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 11 Dec 2020 18:47:55 +0100 Subject: [PATCH 4/5] Specialize some wording from the specification Some of the material was originally the PSA specification, and discusses how different implementations might behave. Replace such statements by a description of how Mbed TLS behaves. Signed-off-by: Gilles Peskine --- include/psa/crypto_types.h | 31 +++++++++++++------------------ 1 file changed, 13 insertions(+), 18 deletions(-) diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index f7f8a8474..83876be81 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -131,11 +131,10 @@ typedef uint32_t psa_algorithm_t; * The application can call psa_open_key() to open a persistent key that * it created previously. * - * This specification defines two basic lifetime values: - * - Keys with the lifetime #PSA_KEY_LIFETIME_VOLATILE are volatile. - * This lifetime is always supported. - * - Keys with the lifetime #PSA_KEY_LIFETIME_PERSISTENT are persistent. - * This lifetime is always supported if persistent storage is available. + * The default lifetime of a key is #PSA_KEY_LIFETIME_VOLATILE. The lifetime + * #PSA_KEY_LIFETIME_PERSISTENT is supported if persistent storage is + * available. Other lifetime values may be supported depending on the + * library configuration. */ typedef uint32_t psa_key_lifetime_t; @@ -180,9 +179,10 @@ typedef uint8_t psa_key_persistence_t; * in wrapped (encrypted) form alongside the key metadata in the * primary local storage. * - * This specification defines the following values of location indicators: + * The PSA Cryptography API specification defines the following values of + * location indicators: * - \c 0: primary local storage. - * All implementations should support this value. + * This location is always available. * The primary local storage is typically the same storage area that * contains the key metadata. * - \c 1: primary secure element. @@ -209,7 +209,7 @@ typedef uint32_t psa_key_location_t; * * - Applications may freely choose key identifiers in the range * #PSA_KEY_ID_USER_MIN to #PSA_KEY_ID_USER_MAX. - * - Implementations may define additional key identifiers in the range + * - The implementation may define additional key identifiers in the range * #PSA_KEY_ID_VENDOR_MIN to #PSA_KEY_ID_VENDOR_MAX. * - 0 is reserved as an invalid key identifier. * - Key identifiers outside these ranges are reserved for future use. @@ -248,23 +248,18 @@ typedef uint32_t psa_key_usage_t; * - The key's policy, comprising usage flags and a specification of * the permitted algorithm(s). * - Information about the key itself: the key type and its size. - * - Implementations may define additional attributes. + * - Additional implementation-defined attributes. * * The actual key material is not considered an attribute of a key. * Key attributes do not contain information that is generally considered * highly confidential. * - * An attribute structure can be a simple data structure where each function + * An attribute structure works like a simple data structure where each function * `psa_set_key_xxx` sets a field and the corresponding function * `psa_get_key_xxx` retrieves the value of the corresponding field. - * However, implementations may report values that are equivalent to the - * original one, but have a different encoding. For example, an - * implementation may use a more compact representation for types where - * many bit-patterns are invalid or not supported, and store all values - * that it does not support as a special marker value. In such an - * implementation, after setting an invalid value, the corresponding - * get function returns an invalid value which may not be the one that - * was originally stored. + * However, a future version of the library may report values that are + * equivalent to the original one, but have a different encoding. Invalid + * values may be mapped to different, also invalid values. * * An attribute structure may contain references to auxiliary resources, * for example pointers to allocated memory or indirect references to From 0bb257096aa0f9e31a6a1bc1cb864426ba8c227f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 14 Dec 2020 17:36:02 +0100 Subject: [PATCH 5/5] Copyediting Signed-off-by: Gilles Peskine --- include/psa/crypto_types.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 83876be81..efa24c470 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -175,7 +175,7 @@ typedef uint8_t psa_key_persistence_t; * cryptoprocessors such as secure elements, the location of a key * indicates which secure element performs the operations on the key. * Depending on the design of the secure element, the key - * material may either be stored either in the secure element, or + * material may be stored either in the secure element, or * in wrapped (encrypted) form alongside the key metadata in the * primary local storage. *