psa_crypto: Fix psa_key_derivation_output_key ECC without builtin keys #7192
…out builtin keys Fix psa_key_derivation_output_key not being able to derive ECC keys without MBEDTLS_BUILTIN ECC key types enabled. The PSA crypto drivers can generate these keys without requiring the builtin key types. Upstream PR: Mbed-TLS/mbedtls#7192 Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
I don't think the proposed changes are correct.
Furthermore, I think the correct fix to the underlying problem that this PR is trying to address will be more complex and likely require some advance study and design work. For example, it might involve using the new/upcoming "cooked key derivation" driver interface.
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ | ||
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ | ||
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \ | ||
defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) || \ |
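Review bot: In the replacement condition, PSA_WANT_KEY_TYPE_ECC_KEY_PAIR and PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY only say that the key type is requested, not that a built-in implementation is compiled in, which is what the MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_* macros they replace guaranteed. The guarded body is not visible here; if it calls built-in ECP or bignum functions directly, add an explicit defined(MBEDTLS_ECP_C) condition alongside the PSA_WANT ones and note in a comment which calls require it.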
I don't think that change is correct. This function calls a number of functions from ECP and Bignum. The way we know these are available is by guarding with MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_xxx. In the absence of those guards, we'd need to explicitly guard with defined(MBEDTLS_ECP_C) and no actual progress would be made.
I think the current guards are correct here: they're consistent with the definition of the function.
I want to call psa_key_derivation_output_key. Using ECC key types and accelerated key types, i.e. MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR, so no builtin key types enabled.
And this function is preventing the calls to the PSA crypto driver calls.
There was a similar issue like this for validating tag length: 86679c7
I need both of these changes to be able to use cryptocell acceleration on Mbed TLS 3.2.1.
In the absence of those guards, we'd need to explicitly guard with defined(MBEDTLS_ECP_C) and no actual progress would be made.
So, I was wrong about the last part: yes, we need an explicit ECP_C guard, but progress is still being made, as it allows more interesting configurations to build.
@joerchan Thanks for your contribution. I don't think the changes are correct, and I'm not sure this is the right approach, but I think we should try to clarify what is the underlying goal that you're trying to achieve here. What kind of configuration exactly would you like to start working, that currently doesn't?
It fixes my issue.
I'd like to clarify: even with this change,
That's good to know. However it doesn't change my assessment: we want the guards to be correct not just in the configuration you're using, but all configurations. With your patch as it stands, we're calling functions from
I've checked and unless I've missed something Wdyt?
So what I meant was that the following code below, like psa_driver_wrapper_get_key_buffer_size, and psa_key_derivation_output_bytes, will invoke the crypto drivers that have hardware acceleration.
Your suggestion for adding ifdef guards for ECP until the epic you pointed to has been implemented seems like a reasonable thing to do. We're currently on 3.2.1, but will probably want this change for 3.3 and 3.4.
Thanks for clarifying your needs!
Yes, please do, then I'll approve it, and we can look for a second reviewer (@valeriosetti maybe?) and get it merged. (Note: we have a code freeze for 3.4 coming very soon, so if you push today there's a chance it will get in.)
I don't think there is. There were discussions about some of your colleagues working on it once they're done with PBKDF2 PSA software implementation, but I don't think there's a firm timeline for that, and we haven't planned any work on that in the next quarter. You probably want to talk to Shebu about this.
Adding myself as reviewer of this one. Just waiting for the last agreed changes to be added then I will start the review
Note: the current plan is for the code freeze to happen on Monday.
I've taken the liberty to apply the suggested change myself in order to improve our chances of getting this in 3.4.
My original plan was to wait for #7272 to test this, but @AndrzejKurek correctly points out that trying to get this into the release and postponing testing are not compatible, so I'm adding tests. Unfortunately, for this I had to use a more decent version of development (driver support for EC J-PAKE was merged in the meantime), so I'm force-pushing. @joerchan Sorry for the inconvenience. Note: the test I'm adding is an updated version of that one which was failing, and is now passing, confirming that this patch is indeed an improvement. Update: force-pushed a second time to resolve a conflict that appeared in the meantime.
Fix psa_key_derivation_output_key not being able to derive ECC keys without MBEDTLS_BUILTIN ECC key types enabled. The PSA crypto drivers can generate these keys without requiring the builtin key types. Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Note that ECC key derivation is not using drivers yet, as we don't have driver support for cooked key derivation acceleration, see Mbed-TLS#5451 and follow-ups. So, we still need MBEDTLS_ECP_C enabled at least for this, and probably in several other places for now. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
|
||
loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) | ||
# These hashes are needed for some ECDSA signature tests. | ||
loc_accel_flags="$loc_accel_flags -DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ALG_SHA_224" |
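Review bot: The SHA-224 flag on the last line is appended to loc_accel_flags by hand rather than coming from loc_accel_list, and the comment above it explains why the hashes are needed but not why they bypass the list. Extend the comment to say whether they are deliberately kept out of loc_accel_list, so that a later cleanup does not fold them in and change what the list controls.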
Minor: These can be probably just added to loc_accel_list, right?
I will try to answer this one because it is something that I found also in the ECDH/ECDSA threads. @mpg please correct me if I'm wrong.
I think that the answer is "no" because otherwise you would find them also accelerated a few lines below when building the mbedtls library (not the accelerated one). In other words you add them to the driver build because otherwise they would not be present there (the driver uses a different mbedtls_config IIRC), but at the same time those are not the thing you want to test for acceleration when building the mbedtls library (I guess for example when running other tests that do not involve EC)
Indeed. loc_accel_list is used for two things: (1) what we want included in libtestdriver1 (2) for what the main libraries should call drivers from libtestdriver1. Usually those are the same, but with composite algorithms (mostly the hash-and-sign algorithms), sometimes we want hashes enabled in libtestdriver1, but we don't really want the main library to call drivers for these. That is when doing SHA-256 the main library will use its built-in implementation, but when doing ECDSA-SHA-256, it will call libtestdriver1, so libtestdriver1 needs (at least minimal) support of SHA-256.
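The two uses of loc_accel_list described in the comments above, as an added example that is not part of this PR or of Mbed TLS's test scripts. It reuses the sed expression from the quoted hunk; the helper names, the sample lists, and the assumption that the main library receives the same entries under the MBEDTLS_PSA_ACCEL_ prefix are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not Mbed TLS code. Helper names and sample lists are constructed.

# Prefix each word of a space-separated list with -D<prefix>, using the sed
# expression from the hunk above. $1 = macro prefix, $2 = list.
prefix_flags() {
    words=$(echo $2)              # unquoted on purpose: collapses stray spaces
    [ -n "$words" ] || return 0   # sed would turn an empty list into a bare -D<prefix>
    echo "$words" | sed "s/[^ ]* */-D$1&/g"
}

# What libtestdriver1 is built with: the accelerated list plus driver-only
# extras (hashes the driver needs internally for hash-and-sign).
# $1 = accelerated list, $2 = driver-only extras (may be empty).
driver_build_flags() {
    flags=$(prefix_flags LIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ "$1")
    extra=$(prefix_flags LIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_ "$2")
    echo $flags $extra            # unquoted: joins the two parts with one space
}

# What the main library dispatches to the driver (assumed here to be the
# same list under the MBEDTLS_PSA_ACCEL_ prefix). $1 = accelerated list.
main_dispatch_flags() {
    prefix_flags MBEDTLS_PSA_ACCEL_ "$1"
}

# Succeed only if no driver-only extra is also dispatched by the main library.
# $1 = main library flags, $2 = driver-only extras.
extras_not_dispatched() {
    for alg in $2; do
        case " $1 " in
            *" -DMBEDTLS_PSA_ACCEL_$alg "*) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample configuration.
accel="ALG_ECDSA KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY"
driver_only="ALG_SHA_224 ALG_SHA_256"
echo "driver: $(driver_build_flags "$accel" "$driver_only")"
echo "main:   $(main_dispatch_flags "$accel")"
extras_not_dispatched "$(main_dispatch_flags "$accel")" "$driver_only" \
    && echo "hashes stay built-in in the main library"
```

Moving a hash from the driver-only extras into the accelerated list makes extras_not_dispatched fail, which is the situation the reply above describes as unwanted.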
scripts/config.py unset MBEDTLS_ECJPAKE_C | ||
|
||
# dependencies | ||
#scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # not in default anyway |
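Review bot: The last line is a commented-out scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 call, kept only to record that TLS 1.3 is "not in default anyway". Drop the dead command and state that assumption in prose where the base configuration is described, so the dependencies block lists only commands that actually run.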
Minor: should this be removed?
Indeed, we could remove this comment and just change default to default (no TLS 1.3 or USE_PSA) a few lines above.
Looks good, only minor points raised.
Just a couple of minor comments which however are not blocking the PR, so I'm approving it. Hopefully the CI will be OK
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \ | ||
defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) || \ | ||
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ | ||
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ | ||
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) |
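Review bot: This condition mixes two macro families, PSA_WANT_KEY_TYPE_ECC_* (feature requested) on the first two lines and MBEDTLS_PSA_BUILTIN_ALG_* (built-in implementation enabled) on the last three, without saying why both are needed. Add a comment naming the case each alternative covers, and check that the declaration of the guarded function carries the same condition so no configuration compiles one without the other.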
This is partially pre-existent, but is there a reason for which this function has different guards in crypto_extra.h?
I don't think so. We should probably synchronize the guards to avoid issues in some builds.
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \ | ||
defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) || \ | ||
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ | ||
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ | ||
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) |
This is another minor thing that is not blocking PR, but I was wondering: now that we changed from MBEDTLS_PSA_BUILTIN_KEY_ to PSA_WANT_KEY_TYPE, can't we also drop the following MBEDTLS_PSA_BUILTIN_ALG guards?
To me it looks like the latter (MBEDTLS_PSA_BUILTIN_ALG) are a subgroup of the former (PSA_WANT_KEY_TYPE), but probably I'm missing something here, isn't it?
I have to say, I'm not entirely sure why the BUILTIN_ALG flags were included here. That's probably something we want to look at, at some point.
Indeed, I think this might unblock testing in #7103, so it's worth reviving it once this one is merged to see how it goes.
@AndrzejKurek @valeriosetti Thank you for your reviews! Since you've both approved with non-blocking comments, I'm merging this now, and left a note in #7272 to address the remaining comments.
@mpg No problem force-pushing. Thank you for getting this change in.
…out builtin keys Fix psa_key_derivation_output_key not being able to derive ECC keys without MBEDTLS_BUILTIN ECC key types enabled. The PSA crypto drivers can generate these keys without requiring the builtin key types. Upstream PR: Mbed-TLS/mbedtls#7192 Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no> (cherry picked from commit de1b3f5) Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Ah, sorry, it's embarrassing, I got mixed up, the discussions were about another partner possibly contributing to the "cooked" key derivation (that includes ECC key derivation) work, but that's unlikely to happen before Q3 this year. The rest of the paragraph is still valid I think: we (Arm) are not planning work on this in Q2, and if you'd like us to prioritize it you should talk to Shebu (obviously, more people asking for the same thing means we're more likely to prioritize it).
…out builtin keys Fix psa_key_derivation_output_key not being able to derive ECC keys without MBEDTLS_BUILTIN ECC key types enabled. The PSA crypto drivers can generate these keys without requiring the builtin key types. Upstream PR: Mbed-TLS/mbedtls#7192 Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no> (cherry picked from commit de1b3f5) (cherry picked from commit 5881d82)
Fix psa_key_derivation_output_key not being able to derive ECC keys without MBEDTLS_BUILTIN ECC key types enabled.
The PSA crypto drivers can generate these keys without requiring the builtin key types.
Gatekeeper checklist