Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

psa_crypto: Fix psa_key_derivation_output_key ECC without builtin keys #7192

Merged
merged 3 commits into from
Mar 20, 2023

Conversation

joerchan
Copy link
Contributor

@joerchan joerchan commented Mar 1, 2023

Fix psa_key_derivation_output_key not being able to derive ECC keys without MBEDTLS_BUILTIN ECC key types enabled.
The PSA crypto drivers can generate these keys without requiring the builtin key types.

Gatekeeper checklist

joerchan added a commit to joerchan/sdk-mbedtls that referenced this pull request Mar 1, 2023
…out builtin keys

Fix psa_key_derivation_output_key not being able to derive ECC keys
without MBEDTLS_BUILTIN ECC key types enabled.
The PSA crypto drivers can generate these keys without requiring the
builtin key types.

Upstream PR:
Mbed-TLS/mbedtls#7192

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
@valeriosetti
Copy link
Contributor

@mpg
To me this issue sounds similar to the issue you found here and analyzed here

@mpg mpg self-requested a review March 6, 2023 08:59
joerchan added a commit to joerchan/sdk-mbedtls that referenced this pull request Mar 7, 2023
…out builtin keys

Fix psa_key_derivation_output_key not being able to derive ECC keys
without MBEDTLS_BUILTIN ECC key types enabled.
The PSA crypto drivers can generate these keys without requiring the
builtin key types.

Upstream PR:
Mbed-TLS/mbedtls#7192

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
@bensze01 bensze01 self-assigned this Mar 8, 2023
Copy link
Contributor

@mpg mpg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think the proposed changes are correct.

Furthermore, I think the correct fix to the underlying problem that this PR is trying to address will be more complex and likely require some advance study and design work. For example, it might involve using the new/upcoming "cooked key derivation" driver interface.

#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \
defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) || \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that change is correct. This function calls a number of functions from ECP and Bignum. The way we know these are available is by guarding with MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_xxx. In the absence of those guards, we'd need to explicitly guard with defined(MBEDTLS_ECP_C) and no actual progress would be made.

I think the current guards are correct here: they're consistent with the definition of the function.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I want to call psa_key_derivation_output_key. Using ECC key types and accelerated key types, i.e MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR, so no buildin key types enabled.
And this function is preventing the calls to the PSA crypto driver calls.

There was a similar issue like this for validating tag length: 86679c7
I need both of these changes to be able to use cryptocell acceleration on Mbed TLS 3.2.1.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the absence of those guards, we'd need to explicitly guard with defined(MBEDTLS_ECP_C) and no actual progress would be made.

So, I was wrong about the last part: yes, we need an explicit ECP_C guard, but progress is still being made, as it allows more interesting configurations to build.

@mpg
Copy link
Contributor

mpg commented Mar 13, 2023

@joerchan Thanks for your contribution. I don't think the changes are correct, and I'm not not sure this is the right approach, but I think we should try to clarify what is the underlying goal that you're trying to achieve here. What kind of configuration exactly would you like to start working, that currently doesn't?

@joerchan
Copy link
Contributor Author

@joerchan Thanks for your contribution. I don't think the changes are correct, and I'm not not sure this is the right approach, but I think we should try to clarify what is the underlying goal that you're trying to achieve here. What kind of configuration exactly would you like to start working, that currently doesn't?

It fixes my issue.

@mpg
Copy link
Contributor

mpg commented Mar 14, 2023

I want to call psa_key_derivation_output_key. Using ECC key types and accelerated key types, i.e MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR, so no buildin key types enabled.
And this function is preventing the calls to the PSA crypto driver calls.

I'd like to clarify: even with this change, psa_key_derivation_output_key() will not be calling a driver, it will still use the internal software implementation (ecp.c, bignum.c). If that's OK with you, then indeed this change fixes your issue. Otherwise, what you need is basically this EPIC which is a lot more work, for which planning needs to be discussed.

It fixes my issue.

That's good to know. However it doesn't change my assessment: we want the guards to be correct not just in the configuration you're using, but all configurations. With your patch as it stands, we're calling functions from ecp.c without any guard ensuring that MBEDTLS_ECP_C is enabled; we need to fix that. For example we could, on top of your current patch, change the body of psa_generate_derived_ecc_key_weierstrass_helper() to

#if defined(MBEDTLS_ECP_C)
/* Current body */
#else
/* Cast each argument to void */
return PSA_ERROR_NOT_SUPPORTED;
#endif

I've checked and unless I've missed something psa_generate_derived_ecc_key_montgomery_helper() is OK (doesn't use any function from ecp.c).

Wdyt?

@joerchan
Copy link
Contributor Author

So what I meant was that the following code below, like psa_driver_wrapper_get_key_buffer_size, and psa_key_derivation_output_bytes, will invoke the crypto drivers that have hardware acceleration.
I can see that you are right that ECP is dependency for the weierstrass ECC key.
We have this in our configuration so this dependency should be met:

#if defined(PSA_WANT_ALG_ECDH)
#define MBEDTLS_ECDH_C
#define MBEDTLS_ECP_C
#define MBEDTLS_BIGNUM_C
#endif

You suggestion for adding ifdef guards for ECP until the epic you pointed to has been implemented seems like a reasonable thing to do. We're currently on 3.2.1, but will probably want this change for 3.3 and 3.4.
Is there a target release for the transparent crypto key acceleration support?
Should I add that change to this PR?

@mpg
Copy link
Contributor

mpg commented Mar 16, 2023

Thanks for clarifying your needs!

You suggestion for adding ifdef guards for ECP until the epic you pointed to has been implemented seems like a reasonable thing to do. [...] Should I add that change to this PR?

Yes, please do, then I'll approve it, and we can look for a second reviewer (@valeriosetti maybe?) and get it merged. (Note: we have a code freeze for 3.4 coming very soon, so if you push today there's a chance it will get in.)

Is there a target release for the transparent crypto key acceleration support?

I don't think there is. There were discussions about some of your colleagues working on it once they're done with PBKDF2 PSA software implementation, but I don't think there's a firm timeline for that, and we haven't planned any work on that in the next quarter. You probably want to talk to Shebu about this.

@mpg mpg added enhancement size-s Estimated task size: small (~2d) component-psa PSA keystore/dispatch layer (storage, drivers, …) labels Mar 16, 2023
@valeriosetti valeriosetti self-requested a review March 16, 2023 13:13
@valeriosetti
Copy link
Contributor

we can look for a second reviewer (@valeriosetti maybe?)

Adding myself as reviewer of this one. Just waiting for the last agreed changes to be added then I will start the review

@mpg
Copy link
Contributor

mpg commented Mar 17, 2023

(Note: we have a code freeze for 3.4 coming very soon, so if you push today there's a chance it will get in.)

Note: the current plan is for the code freeze to happen on Monday.

@mpg
Copy link
Contributor

mpg commented Mar 17, 2023

I've taken the liberty to apply the suggested change myself in order to improve our chances of getting this in 3.4.

@AndrzejKurek AndrzejKurek self-requested a review March 17, 2023 11:31
@mpg mpg added the priority-high High priority - will be reviewed soon label Mar 17, 2023
@mpg mpg assigned mpg and unassigned bensze01 Mar 17, 2023
@mpg mpg force-pushed the psa-update-mbedtls branch from 010bbd2 to d5c654a Compare March 17, 2023 14:19
@mpg
Copy link
Contributor

mpg commented Mar 17, 2023

My original plan was to wait for #7272 to test this, but @AndrzejKurek correctly points out that trying to get this into the release and postponing testing are not compatible, so I'm adding tests. Unfortunately, for this I had to use a more decent version of development (driver support for EC J-PAKE was merged in the meantime), so I'm force-pushing. @joerchan Sorry for the inconvenience.

Note: the test I'm adding is an updated version of that one which was failing, and is now passing, confirming that this patch is indeed an improvement.

Update: force-pushed a second time to resolve a conflict that appeared in the meantime.

joerchan and others added 3 commits March 17, 2023 15:21
Fix psa_key_derivation_output_key not being able to derive ECC keys
without MBEDTLS_BUILTIN ECC key types enabled.
The PSA crypto drivers can generate these keys without requiring the
builtin key types.

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Note that ECC key derivation is not using drivers yet, as we don't have driver support for
cooked key derivation acceleration, see
Mbed-TLS#5451 and follow-ups.

So, we still need MBEDTLS_ECP_C enabled at least for this, and probably
in several other places for now.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
@mpg mpg force-pushed the psa-update-mbedtls branch from d5c654a to 0f60d09 Compare March 17, 2023 14:37

loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
# These hashes are needed for some ECDSA signature tests.
loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_224"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor: These can be probably just added to loc_accel_list, right?

Copy link
Contributor

@valeriosetti valeriosetti Mar 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will try to answer this one because it is something that I found also in the ECDH/ECDSA threads. @mpg please correct me if I'm wrong.

I think that the answer is "no" because otherwise you would find them also accelerated few lines below when building the mbedtls library (not the accelerated one). In other words you add them to the driver build because otherwise they would not be present there (driver use a different mbedtls_config IIRC), but at the same time those are not the thing you want to test for acceleration when building the mbedtls library (I guess for example when running other tests that do not involve EC)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed. loc_accel_list is used for two things: (1) what we want included in libtestdriver1 (2) for what the main libraries should call drivers from libtestdriver1. Usually those are the same, but with composite algorithms (mostly the hash-and-sign algorithms), sometimes we want hashes enables in libtestdriver1, but we don't really want the main library to call drivers for these. That is when doing SHA-256 the main library will use its built-in implementation, but when doing ECDSA-SHA-256, the it will call libtestdriver1, so libtestdriver1 needs (at least minimal) support of SHA-256.

scripts/config.py unset MBEDTLS_ECJPAKE_C

# dependencies
#scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # not in default anyway
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor: should this be removed?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed, we could remove this comment and just change default to default (no TLS 1.3 or USE_PSA) a few lines above.

Copy link
Contributor

@AndrzejKurek AndrzejKurek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, only minor points raised.

Copy link
Contributor

@valeriosetti valeriosetti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a couple of minor comments which however are not blocking the PR, so I'm approving it. Hopefully the CI will be OK

Comment on lines +380 to 384
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \
defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is partially pre-existent, but is there a reason for which this function has different guards in crypto_extra.h?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think so. We should probably synchronize the guards to avoid issue in some builds.

Comment on lines +5739 to 5743
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \
defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is another minor thing that is not blocking PR, but I was wondering: now that we changed from MBEDTLS_PSA_BUILTIN_KEY_ to PSA_WANT_KEY_TYPE, can't we also drop the following MBEDTLS_PSA_BUILTIN_ALG guards?
To me it looks like the latter (MBEDTLS_PSA_BUILTIN_ALG) are a subgroup of the former (PSA_WANT_KEY_TYPE), but probably I'm missing something here, isn't it?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have to say, I'm not entirely sure why the BUILTIN_ALG flags were included here. That's probably something we want to look at, at some point.

@valeriosetti
Copy link
Contributor

@mpg it seems to me that this PR and the test you added in it are very close to what I was trying to achieve in #7103. Am I wrong? If this is the case I can try to rebase that one after this PR will be merged and see if I can change it to a full PR instead of draft

@mpg
Copy link
Contributor

mpg commented Mar 20, 2023

@mpg it seems to me that this PR and the test you added in it are very close to what I was trying to achieve in #7103. Am I wrong? If this is the case I can try to rebase that one after this PR will be merged and see if I can change it to a full PR instead of draft

Indeed, I think this might unblock testing in #7103, so it's worth reviving it once this one is merge to see how it goes.

@mpg
Copy link
Contributor

mpg commented Mar 20, 2023

@AndrzejKurek @valeriosetti Thank you for your reviews! Since you've both approved with non-blocking comments, I'm merging this now, and left a note in #7272 to address the remaining comments.

@mpg mpg added the approved Design and code approved - may be waiting for CI or backports label Mar 20, 2023
@mpg mpg merged commit c9ef476 into Mbed-TLS:development Mar 20, 2023
@joerchan
Copy link
Contributor Author

@mpg No problem force-pushing. Thank you getting this change in.

@joerchan joerchan deleted the psa-update-mbedtls branch March 20, 2023 09:50
joerchan added a commit to joerchan/sdk-mbedtls that referenced this pull request Mar 21, 2023
…out builtin keys

Fix psa_key_derivation_output_key not being able to derive ECC keys
without MBEDTLS_BUILTIN ECC key types enabled.
The PSA crypto drivers can generate these keys without requiring the
builtin key types.

Upstream PR:
Mbed-TLS/mbedtls#7192

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
(cherry picked from commit de1b3f5)
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
@mpg
Copy link
Contributor

mpg commented Mar 23, 2023

I don't think there is. There were discussions about some of your colleagues working on it once they're done with PBKDF2 PSA software implementation, but I don't think there's a firm timeline for that, and we haven't planned any work on that in the next quarter. You probably want to talk to Shebu about this.

Ah, sorry, it's embarrassing, I got mixed up, the discussions were about another partner possibly contributing to the "cooked" key derivation (that includes ECC key derivation) work, but that's unlikely to happen before Q3 this year. The rest of the paragraph is still valid I think: we (Arm) are not planning work on this in Q2, and it you'd like us to prioritize it you should talk to Shebu (obviously, more people asking for the same thing means we're more likely to prioritize it).

joerchan added a commit to joerchan/sdk-mbedtls that referenced this pull request Mar 29, 2023
…out builtin keys

Fix psa_key_derivation_output_key not being able to derive ECC keys
without MBEDTLS_BUILTIN ECC key types enabled.
The PSA crypto drivers can generate these keys without requiring the
builtin key types.

Upstream PR:
Mbed-TLS/mbedtls#7192

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
(cherry picked from commit de1b3f5)
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
joerchan added a commit to joerchan/sdk-mbedtls that referenced this pull request Mar 29, 2023
…out builtin keys

Fix psa_key_derivation_output_key not being able to derive ECC keys
without MBEDTLS_BUILTIN ECC key types enabled.
The PSA crypto drivers can generate these keys without requiring the
builtin key types.

Upstream PR:
Mbed-TLS/mbedtls#7192

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
(cherry picked from commit de1b3f5)
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
de-nordic pushed a commit to de-nordic/sdk-mbedtls that referenced this pull request May 26, 2023
…out builtin keys

Fix psa_key_derivation_output_key not being able to derive ECC keys
without MBEDTLS_BUILTIN ECC key types enabled.
The PSA crypto drivers can generate these keys without requiring the
builtin key types.

Upstream PR:
Mbed-TLS/mbedtls#7192

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
(cherry picked from commit de1b3f5)
(cherry picked from commit 5881d82)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Design and code approved - may be waiting for CI or backports component-psa PSA keystore/dispatch layer (storage, drivers, …) enhancement priority-high High priority - will be reviewed soon size-s Estimated task size: small (~2d)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants