Dual-API hash dispatch strategy#6549
Conversation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
gilles-peskine-arm
added
needs-work
needs-design-approval
component-crypto
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
|
|
||
| #### Compile-time availability determination | ||
|
|
||
| Can we determine how to dispatch at compile time? |
There was a problem hiding this comment.
This is the wrong question, or at least, it's being asked too early. The important question is: what does code calling existing APIs expect?
- Code in the legacy domain expects that all legacy mechanisms are available at all times.
- Code in the PSA domain expect that all PSA mechanisms are available after
psa_crypto_init, and (sometimes) that mechanisms not indicated as available throughPSA_WANT_xxxare rejected. - Code in the mixed domain needs to conform to the expectations of its callers.
A useful conclusion is that the union of PSA and legacy is always correct for the hybrid domain, regardless of the details of how it's done under the hood:
- When the union is called by legacy code, mechanisms that have a legacy implementation are available, regardless of the PSA state.
- When the union is called by PSA code, PSA is guaranteed to have been initialized, and mechanisms that have a PSA implementation are available.
Backward compatibility does not require making any promises regarding the runtime availability of PSA-only mechanisms when the union is called by legacy code, provided that legacy code does not care about negative availability.
Finish working out the RSA-PSS example in terms of what it implies about the interface. The key takeaway is that a mixed-domain module must support algorithms if they are available through either interface, and that's all there is to it. The details of how dispatch is done don't matter, what matters is only the availability, and it's just the disjunction of availabilities. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
gilles-peskine-arm
added
needs-review
gilles-peskine-arm
changed the title
|
|
||
| #### Get rid of the hash_info module | ||
|
|
||
| The hash_info module is redundant with MD light. Move `mbedtls_md_error_from_psa` to `md.c`, defined only when `MBEDTLS_MD_SOME_PSA` is defined. The rest is no longer used. |
There was a problem hiding this comment.
Actually the function mbedtls_hash_info_md_from_psa is also used inside PSA code when it's calling legacy interfaces (RSA, ECDSA). It's the dual of psa_alg_of_md_info and we need both functions in our code base at least until 4.0.
There was a problem hiding this comment.
Fortunately, if we optimize type conversions as above, this function will be quite trivial as well.
mpg
left a comment
mpg
left a comment
There was a problem hiding this comment.
I haven't finished reviewing, but I'm still releasing my comments so far. I'll start again with line 404.
No intended meaning change. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
It's a rare scenario, but it's currently possible: if you use mbedtls_cipher_xxx() to encrypt the communication between the application and the crypto service, changing those functions to call PSA will break your system. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
It seems that it won't be necessary anyway. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mpg
left a comment
mpg
left a comment
There was a problem hiding this comment.
Only two points left:
- I think support for
PSA_CRYPTO_CLIENTis out of scope for now, let's focus on drivers and keep depending onPSA_CRYPTO_Cfor everything PSA. - We need to record somewhere our decision to require that every hash that's available on the legacy side will be available on the PSA side as well (that is,
MBEDTLS_SHA256_CimpliesPSA_WANT_ALG_SHA_256etc).
This is not strictly mandatory, but it helps. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
|
I've added the legacy-implies-PSA requirement. I don't think I should remove any |
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Thanks.
Thanks.
Points of agreement:
Point of disagreement or misunderstanding: I don't think we should add any support for So, I'm going to go ahead and mark those discussions as resolved, and then approve the PR, because I'm OK with the document as it is, just not with the modifications suggested by those comments. |
I think we should do that eventually but not part of the first batch of work.
Indeed. But I think it should capture at least the gist of what should happen with client-only builds in the future. So I'll add that, but as a separate section. |
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
gilles-peskine-arm
added
priority-high
|
I'm removing “needs design approval” since this has Manuel's approval. |
AndrzejKurek
left a comment
AndrzejKurek
left a comment
There was a problem hiding this comment.
Looks good, I only have minor questions. I think that the #6977 prototype should show any loose ends.
|
|
||
| In this work, we want two things: | ||
|
|
||
| * Make non-covered modules call PSA, but only [when this will actually work](#why-psa-is-not-always-possible). This effectively brings those modules to a partial use-PSA behavior regardless of whether the option is enabled. |
There was a problem hiding this comment.
This sounds a bit strange, since it means that even if we disable MBEDTLS_USE_PSA_CRYPTO, we still aim to use it (so it's useless);
If what you mean is that if MBEDTLS_USE_PSA_CRYPTO is disabled, hence it will not actually work, it's not that transparent here.
There was a problem hiding this comment.
Yes, PSA will be used in some places even if MBEDTLS_USE_PSA_CRYPTO is disabled. I agree that's a bit unintuitive so perhaps we can update the documentation of that macro:
- when it is enabled, the modules that obey it (PK, X.509, TLS 1.2/shared) will use PSA Crypto whenever they can and more importantly, the user promises to call
psa_crypto_init()before calling any function from those modules; - when it is disabled, any module may or may not use PSA Crypto at their discretion, but since the user has made no promise to call
psa_crypto_init()before calling functions from legacy modules, it's up to these modules to check whether calling PSA crypto is safe or not.
|
|
||
| There is no strong reason to allow mechanisms available through legacy but not PSA when `MBEDTLS_PSA_CRYPTO_C` is enabled. This would only save at best a very small amount of code size in the PSA dispatch code. This may be more desirable when `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled (having a mechanism available only locally and not in the crypto service), but we do not have an explicit request for this and it would be entirely reasonable to forbid it. | ||
|
|
||
| In this analysis, we have not found a compelling reason to require all legacy mechanisms to also be available through PSA. However, this can simplify both the implementation and the use of dispatch code thanks to some simplifying properties: |
There was a problem hiding this comment.
Do we also want to differentiate between PSA->drivers, and PSA->software, when both are present? Again, probably irrelevant for hashes, but I would assume that key location will handle that?
There was a problem hiding this comment.
Even with keys, legacy interfaces are always passing keys in plaintext, so all that matters is volatile, transparent keys (lifetime=0).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
gilles-peskine-arm
dismissed stale reviews from AndrzejKurek and mpg
via
91af0f9
mpg
added
approved
5 participants
Architecture document for dispatching hash operations to the optimal backend: legacy or PSA.
To be extended to ciphers later. That can follow the same principle, but there will be extra complications. I think we should implement hash first and work out any snags before we go further with the design of cipher.