PSA fails to account for configurations with RSA but without MBEDTLS_GENPRIME #4512
Labels
Comments
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 14, 2021
At the moment, the only difference in Mbed TLS configuration options set
by MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY is that
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR defines MBEDTLS_GENPRIME and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY does not.
When working backwards however, when configuring what functionality is
available in Mbed TLS's PSA implementation based on Mbed TLS
configuration defines (i.e. when MBEDTLS_PSA_CRYPTO_CONFIG is not
defined), both MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY are set regardless of the
MBEDTLS_GENPRIME setting.
On space-constrained platforms, it is a useful configuration to be able
to import/export and work with RSA, but exclude RSA key generation,
potentially saving flash space.
Change config_psa.h to only set
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR if MBEDTLS_GENPRIME is also
set. This restores the configuration behavior present in Mbed TLS
v2.24.0 and earlier versions.
Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
psa_crypto_rsa.c.obj: in function `rsa_generate_key':
psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'
Fixes Mbed-TLS#4512
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 14, 2021
At the moment, the only difference in Mbed TLS configuration options set
by MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY is that
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR defines MBEDTLS_GENPRIME and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY does not.
When working backwards however, when configuring what functionality is
available in Mbed TLS's PSA implementation based on Mbed TLS
configuration defines (i.e. when MBEDTLS_PSA_CRYPTO_CONFIG is not
defined), both MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY are set regardless of the
MBEDTLS_GENPRIME setting.
On space-constrained platforms, it is a useful configuration to be able
to import/export and work with RSA, but exclude RSA key generation,
potentially saving flash space.
Change config_psa.h to only set
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR if MBEDTLS_GENPRIME is also
set. This restores the configuration behavior present in Mbed TLS
v2.24.0 and earlier versions.
Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
psa_crypto_rsa.c.obj: in function `rsa_generate_key':
psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'
Fixes Mbed-TLS#4512
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
4 tasks
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 14, 2021
At the moment, the only difference in Mbed TLS configuration options set
by MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY is that
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR defines MBEDTLS_GENPRIME and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY does not.
When working backwards however, when configuring what functionality is
available in Mbed TLS's PSA implementation based on Mbed TLS
configuration defines (i.e. when MBEDTLS_PSA_CRYPTO_CONFIG is not
defined), both MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY are set regardless of the
MBEDTLS_GENPRIME setting.
On space-constrained platforms, it is a useful configuration to be able
to import/export and work with RSA, but exclude RSA key generation,
potentially saving flash space.
Change config_psa.h to only set
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR if MBEDTLS_GENPRIME is also
set. This restores the configuration behavior present in Mbed TLS
v2.24.0 and earlier versions.
Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
psa_crypto_rsa.c.obj: in function `rsa_generate_key':
psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'
Fixes Mbed-TLS#4512
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
Patater
added a commit
to Patater/mbed-os
that referenced
this issue
May 14, 2021
Until we have a fix for Mbed-TLS/mbedtls#4512, we need to patch the fix during import time. Otherwise, we run into linker errors when PSA attempts to use RSA key generation, which we've excluded. This patch is extracted from Mbed-TLS/mbedtls#4513
gilles-peskine-arm
added
bug
component-psa
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 19, 2021
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.
Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.
Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.
It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.
Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
psa_crypto_rsa.c.obj: in function `rsa_generate_key':
psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'
Fixes Mbed-TLS#4512
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 19, 2021
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.
Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.
Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.
It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.
Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
psa_crypto_rsa.c.obj: in function `rsa_generate_key':
psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'
Fixes Mbed-TLS#4512
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 20, 2021
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.
Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.
Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.
It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.
Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
psa_crypto_rsa.c.obj: in function `rsa_generate_key':
psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'
Fixes Mbed-TLS#4512
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 20, 2021
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.
Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.
Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.
It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.
Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
psa_crypto_rsa.c.obj: in function `rsa_generate_key':
psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'
Fixes Mbed-TLS#4512
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 21, 2021
On space-constrained platforms, it is a useful configuration to be able
to import/export and perform RSA key pair operations, but to exclude RSA
key generation, potentially saving flash space. It is not possible to
express this with the PSA_WANT_ configuration system at the present
time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it
was possible to configure a software PSA implementation which was
capable of making RSA signatures but not capable of generating RSA keys.
To do this, one unset MBEDTLS_GENPRIME.
Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this
expressivity was lost. Expressing that you wanted to work with RSA key
pairs forced you to include the ability to generate key pairs as well.
Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if
MBEDTLS_GENPRIME is also set. This restores the configuration behavior
present in Mbed TLS v2.24.0 and earlier versions.
It left as a future exercise to add the ability to PSA to be able to
express a desire for a software or accelerator configuration that
includes RSA key pair operations, like signature, but excludes key pair
generation.
Without this change, linker errors will occur when attempts to call,
which doesn't exist when MBEDTLS_GENPRIME is unset.
psa_crypto_rsa.c.obj: in function `rsa_generate_key':
psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key'
Fixes Mbed-TLS#4512
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
3 tasks
MubeenHCLite
pushed a commit
to MubeenHCLite/mbed-os
that referenced
this issue
Jun 14, 2021
Until we have a fix for Mbed-TLS/mbedtls#4512, we need to patch the fix during import time. Otherwise, we run into linker errors when PSA attempts to use RSA key generation, which we've excluded. This patch is extracted from Mbed-TLS/mbedtls#4513
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Bug
mbed TLS build:
Version: 2.25.0 or newer
Configuration: Default without
MBEDTLS_GENPRIMEExpected behavior
PSA should offer features based on the Mbed TLS features available.
Actual behavior
When
MBEDTLS_GENPRIMEis not set, PSA attempts to callmbedtls_rsa_gen_key()which isn't available.Steps to reproduce
Build Mbed TLS with its default configuration, but unset
MBEDTLS_GENPRIMEObserve linker error
The text was updated successfully, but these errors were encountered: