Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Provide incremental by-subsystem initialization for the crypto library #202

Draft
wants to merge 10 commits into
base: main
Choose a base branch
from

Conversation

athoelke
Copy link
Contributor

See #16 for discussion of this API, which enables partial initialization of the library. This is useful in constrained contexts, for example during early boot, when not all library functionality is required to support the application use case.

Fixes #16

@athoelke athoelke added enhancement New feature or request API design Related the design of the API Crypto API Issue or PR related to the Cryptography API labels Jul 15, 2024
@athoelke athoelke added this to the Crypto API 1.3 milestone Jul 15, 2024
@athoelke athoelke force-pushed the crypto-partial-init branch from 314871a to a4b7323 Compare September 4, 2024 12:47
Copy link
Contributor

@gilles-peskine-arm gilles-peskine-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This design was prototyped in Mbed-TLS/mbedtls#6636 and I consider that prototype to be sufficient validation for the API design.

The specification looks good to me except for a few places where some Mbed TLS specific history remains.

doc/crypto/api/keys/attributes.rst Show resolved Hide resolved
doc/crypto/api/library/library.rst Outdated Show resolved Hide resolved
doc/crypto/api/library/library.rst Outdated Show resolved Hide resolved
doc/crypto/api/library/library.rst Outdated Show resolved Hide resolved
.. summary::
Crypto subsystem identifier for accelerator drivers.

Initializing this subsystem results in initialization of all registered accelerator drivers.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's awkward that the PSA specification now discusses drivers, but it doesn't say anything anywhere about the existence of drivers. We should at least give an overview of what “accelerator drivers”, “secure element drivers” and “entropy drivers” are, conceptually, even if we leave the concrete aspects as something that's implementation-defined.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that is worth a small PR of its own to discuss such things somewhere between the design goals/sample architectures/implementation considerations?

It is guaranteed that the following operations do not to require this subsystem:

* Hash operations.
* Signature verification operations.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should qualify this further. A use case that I'm aware of, but didn't account for in my original documentation, is the following. A secure element has an encrypted-authenticated channel with the main processor. Setting up this channel needs local symmetric encryption capabilities, but also local randomness to establish a session key. As a consequence, accessing any key in the secure element will need the local RNG to be initialized. Now that means that PSA_CRYPTO_SUBSYSTEM_SECURE_ELEMENTS will implicitly initialize PSA_CRYPTO_SUBSYSTEM_RANDOM, so you don't actually need to initialize PSA_CRYPTO_SUBSYSTEM_RANDOM explicitly to verify a signature with a key from the secure element. So the statement here is technically true, but perhaps misleading for this unusual but existing scenario.

Copy link
Contributor Author

@athoelke athoelke Nov 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The scenario that a subsystem might be initialized implicitly as another subsystem depends on it is described in the description of psa_crypto_init_subsystem(), using the example of communications in a client/server implementation. We could add this example to that description, or we could add a note here (in PSA_CRYPTO_SUBSYSTEM_RANDOM) that RANDOM may be required by other subsystems, for example to initialize communication with a secure element.

It is guaranteed that the following operations do not to require this subsystem:

* Hash operations.
* Signature verification operations.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should also mention get-attributes and some exports? Exporting a public key should never require an RNG, but exporting the public key of a key pair might involve blinding.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added key encapsulation and PAKE to the list of operations that require the RANDOM subsystem; and modified the 'some operations using the private or secret key' statement to 'some operations using key pairs' to more readily include export of public keys (where this is calculated on demand).

I can add attribute retrieval, and also export of a symmetric key type or a public key type, to the list of not-needing randomness.

:definition: /* implementation-defined value */

.. summary::
Crypto subsystem identifier for access to built-in keys.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar to drivers, in the PSA API, we never define “built-in key”. The concept is straightforward, but there should be a sentence somewhere saying that implementations might define built-in keys.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be worth adding to a separate PR, alongside the coverage of accelerators and secure elements

:definition: /* implementation-defined value */

.. summary::
Crypto subsystem identifier for all available subsystems.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this guaranteed to include all the PSA_CRYPTO_SUBSYSTEM_xxx values defined in this specification? For example, if an implementation doesn't support secure elements, should PSA_CRYPTO_SUBSYSTEM_SECURE_ELEMENTS be included?

I think it should, because it's trivial to implement and makes it less fiddly for application developers (even though applications that use partial initialization are rarely going to be very portable). In particular it would reduce the chances that an application breaks if the next version of the implementation adds new capabilities.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is effectively implied by the rule that using this identifier in a call to psa_crypto_init_subsystem() is equivalent to a call to psa_crypto_init(). But maybe we should spell that out, to avoid an implementation short cut that doesn't consider this kind of time evolution of the implementation?

@athoelke athoelke force-pushed the crypto-partial-init branch from a4b7323 to 5360369 Compare November 5, 2024 09:59
@athoelke
Copy link
Contributor Author

athoelke commented Nov 5, 2024

Rebased and updated this PR

Copy link
Contributor

@gilles-peskine-arm gilles-peskine-arm left a comment

@athoelke
Copy link
Contributor Author

athoelke commented Nov 5, 2024

I've reviewed up to 5360369. Ok so far. Still to be addressed:

I think I've covered all except the need for some discussion of accelerators, secure elements, and built-in keys within the document.

I plan to deal with that in a separate PR, unless you would prefer to keep it coupled with this one?

@athoelke
Copy link
Contributor Author

athoelke commented Nov 5, 2024

Ah, I realise that this one still needs a change to the PR.

@gilles-peskine-arm
Copy link
Contributor

Ok for a separate PR. But I don't think considerations around “drivers” and “built-in keys” should leak outside the specification of subsystem initialization for now.

@athoelke
Copy link
Contributor Author

athoelke commented Nov 6, 2024

Ok for a separate PR. But I don't think considerations around “drivers” and “built-in keys” should leak outside the specification of subsystem initialization for now.

I think I could reword the text for the subsystem definitions to avoid talking about 'drivers' - which suggests a specific way of a portable implementation providing support for varied hardware. I just need to review the spec for a mention of 'secure element' and 'accelerator', and add/amend if necessary.

@athoelke
Copy link
Contributor Author

athoelke commented Nov 6, 2024

I've added a couple more commits.

  • In one I add some terms to the glossary for accelerators, secure elements and built-int keys - using these in appropriate places.
  • I have removed 'registering drivers' from the text in the subsystem initialization
  • In the other, I add a recommendation for implementation of 'all subsystem' initialization.

I think this addresses all of the outstanding comments.

@athoelke athoelke force-pushed the crypto-partial-init branch from 74df62f to 0ad77a5 Compare December 16, 2024 14:09
@athoelke athoelke marked this pull request as draft December 17, 2024 09:55
@athoelke
Copy link
Contributor Author

This is will not be in the next release of mbed TLS (4.0), and we prefer to only include new API when there is an implementation of the interface,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
API design Related the design of the API Crypto API Issue or PR related to the Cryptography API enhancement New feature or request
Projects
Development

Successfully merging this pull request may close these issues.

Incremental/partial initialization of a Crypto implementation
2 participants