Mistake on this page?
Report an issue in GitHub or email us
psa_crypto_slot_management.h
1 /*
2  * PSA crypto layer on top of Mbed TLS crypto
3  */
4 /*
5  * Copyright The Mbed TLS Contributors
6  * SPDX-License-Identifier: Apache-2.0
7  *
8  * Licensed under the Apache License, Version 2.0 (the "License"); you may
9  * not use this file except in compliance with the License.
10  * You may obtain a copy of the License at
11  *
12  * http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing, software
15  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17  * See the License for the specific language governing permissions and
18  * limitations under the License.
19  */
20 
21 #ifndef PSA_CRYPTO_SLOT_MANAGEMENT_H
22 #define PSA_CRYPTO_SLOT_MANAGEMENT_H
23 
24 #include "psa/crypto.h"
25 #include "psa_crypto_core.h"
26 #include "psa_crypto_se.h"
27 
28 /* Number of key slots (plus one because 0 is not used).
29  * The value is a compile-time constant for now, for simplicity. */
30 #define PSA_KEY_SLOT_COUNT 32
31 
32 /** Range of volatile key identifiers.
33  *
34  * The last PSA_KEY_SLOT_COUNT identifiers of the implementation range
35  * of key identifiers are reserved for volatile key identifiers.
36  * A volatile key identifier is equal to #PSA_KEY_ID_VOLATILE_MIN plus the
37  * index of the key slot containing the volatile key definition.
38  */
39 
40 /** The minimum value for a volatile key identifier.
41  */
42 #define PSA_KEY_ID_VOLATILE_MIN ( PSA_KEY_ID_VENDOR_MAX - \
43  PSA_KEY_SLOT_COUNT + 1 )
44 
45 /** The maximum value for a volatile key identifier.
46  */
47 #define PSA_KEY_ID_VOLATILE_MAX PSA_KEY_ID_VENDOR_MAX
48 
49 /** Test whether a key identifier is a volatile key identifier.
50  *
51  * \param key_id Key identifier to test.
52  *
53  * \retval 1
54  * The key identifier is a volatile key identifier.
55  * \retval 0
56  * The key identifier is not a volatile key identifier.
57  */
58 static inline int psa_key_id_is_volatile( psa_key_id_t key_id )
59 {
60  return( ( key_id >= PSA_KEY_ID_VOLATILE_MIN ) &&
61  ( key_id <= PSA_KEY_ID_VOLATILE_MAX ) );
62 }
63 
64 /** Get the description of a key given its identifier and lock it.
65  *
66  * The descriptions of volatile keys and loaded persistent keys are stored in
67  * key slots. This function returns a pointer to the key slot containing the
68  * description of a key given its identifier.
69  *
70  * In case of a persistent key, the function loads the description of the key
71  * into a key slot if not already done.
72  *
73  * On success, the returned key slot is locked. It is the responsibility of
74  * the caller to unlock the key slot when it does not access it anymore.
75  *
76  * \param key Key identifier to query.
77  * \param[out] p_slot On success, `*p_slot` contains a pointer to the
78  * key slot containing the description of the key
79  * identified by \p key.
80  *
81  * \retval #PSA_SUCCESS
82  * \p *p_slot contains a pointer to the key slot containing the
83  * description of the key identified by \p key.
84  * The key slot counter has been incremented.
85  * \retval #PSA_ERROR_BAD_STATE
86  * The library has not been initialized.
87  * \retval #PSA_ERROR_INVALID_HANDLE
88  * \p key is not a valid key identifier.
89  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
90  * \p key is a persistent key identifier. The implementation does not
91  * have sufficient resources to load the persistent key. This can be
92  * due to a lack of empty key slot, or available memory.
93  * \retval #PSA_ERROR_DOES_NOT_EXIST
94  * There is no key with key identifier \p key.
95  * \retval #PSA_ERROR_CORRUPTION_DETECTED
96  * \retval #PSA_ERROR_STORAGE_FAILURE
97  * \retval #PSA_ERROR_DATA_CORRUPT
98  */
99 psa_status_t psa_get_and_lock_key_slot( mbedtls_svc_key_id_t key,
100  psa_key_slot_t **p_slot );
101 
102 /** Initialize the key slot structures.
103  *
104  * \retval #PSA_SUCCESS
105  * Currently this function always succeeds.
106  */
107 psa_status_t psa_initialize_key_slots( void );
108 
109 /** Delete all data from key slots in memory.
110  *
111  * This does not affect persistent storage. */
112 void psa_wipe_all_key_slots( void );
113 
114 /** Find a free key slot.
115  *
116  * This function returns a key slot that is available for use and is in its
117  * ground state (all-bits-zero). On success, the key slot is locked. It is
118  * the responsibility of the caller to unlock the key slot when it does not
119  * access it anymore.
120  *
121  * \param[out] volatile_key_id On success, volatile key identifier
122  * associated to the returned slot.
123  * \param[out] p_slot On success, a pointer to the slot.
124  *
125  * \retval #PSA_SUCCESS
126  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
127  * \retval #PSA_ERROR_BAD_STATE
128  */
129 psa_status_t psa_get_empty_key_slot( psa_key_id_t *volatile_key_id,
130  psa_key_slot_t **p_slot );
131 
132 /** Lock a key slot.
133  *
134  * This function increments the key slot lock counter by one.
135  *
136  * \param[in] slot The key slot.
137  *
138  * \retval #PSA_SUCCESS
139  The key slot lock counter was incremented.
140  * \retval #PSA_ERROR_CORRUPTION_DETECTED
141  * The lock counter already reached its maximum value and was not
142  * increased.
143  */
144 static inline psa_status_t psa_lock_key_slot( psa_key_slot_t *slot )
145 {
146  if( slot->lock_count >= SIZE_MAX )
148 
149  slot->lock_count++;
150 
151  return( PSA_SUCCESS );
152 }
153 
154 /** Unlock a key slot.
155  *
156  * This function decrements the key slot lock counter by one.
157  *
158  * \note To ease the handling of errors in retrieving a key slot
159  * a NULL input pointer is valid, and the function returns
160  * successfully without doing anything in that case.
161  *
162  * \param[in] slot The key slot.
163  * \retval #PSA_SUCCESS
164  * \p slot is NULL or the key slot lock counter has been
165  * decremented successfully.
166  * \retval #PSA_ERROR_CORRUPTION_DETECTED
167  * The lock counter was equal to 0.
168  *
169  */
170 psa_status_t psa_unlock_key_slot( psa_key_slot_t *slot );
171 
172 /** Test whether a lifetime designates a key in an external cryptoprocessor.
173  *
174  * \param lifetime The lifetime to test.
175  *
176  * \retval 1
177  * The lifetime designates an external key. There should be a
178  * registered driver for this lifetime, otherwise the key cannot
179  * be created or manipulated.
180  * \retval 0
181  * The lifetime designates a key that is volatile or in internal
182  * storage.
183  */
184 static inline int psa_key_lifetime_is_external( psa_key_lifetime_t lifetime )
185 {
186  return( PSA_KEY_LIFETIME_GET_LOCATION( lifetime )
188 }
189 
190 /** Validate a key's location.
191  *
192  * This function checks whether the key's attributes point to a location that
193  * is known to the PSA Core, and returns the driver function table if the key
194  * is to be found in an external location.
195  *
196  * \param[in] lifetime The key lifetime attribute.
197  * \param[out] p_drv On success, when a key is located in external
198  * storage, returns a pointer to the driver table
199  * associated with the key's storage location.
200  *
201  * \retval #PSA_SUCCESS
202  * \retval #PSA_ERROR_INVALID_ARGUMENT
203  */
204 psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime,
205  psa_se_drv_table_entry_t **p_drv );
206 
207 /** Validate the persistence of a key.
208  *
209  * \param[in] lifetime The key lifetime attribute.
210  *
211  * \retval #PSA_SUCCESS
212  * \retval #PSA_ERROR_INVALID_ARGUMENT The key is persistent but persistent
213  * keys are not supported.
214  */
215 psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime );
216 
217 /** Validate a key identifier.
218  *
219  * \param[in] key The key identifier.
220  * \param[in] vendor_ok Non-zero to indicate that key identifiers in the
221  * vendor range are allowed, volatile key identifiers
222  * excepted \c 0 otherwise.
223  *
224  * \retval #PSA_SUCCESS The identifier is valid.
225  * \retval #PSA_ERROR_INVALID_ARGUMENT The key identifier is not valid.
226  */
227 psa_status_t psa_validate_key_id( mbedtls_svc_key_id_t key, int vendor_ok );
228 
229 #endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */
#define PSA_SUCCESS
The action was completed successfully.
uint32_t psa_key_id_t
Encoding of identifiers of persistent keys.
#define PSA_ERROR_CORRUPTION_DETECTED
A tampering attempt was detected.
uint32_t psa_key_lifetime_t
Encoding of key lifetimes.
int32_t psa_status_t
Function return status.
#define PSA_KEY_LOCATION_LOCAL_STORAGE
The local storage area for persistent keys.
The data structure representing a key slot, containing key material and metadata for one key...
Important Information for this Arm website

This site uses cookies to store information on your computer. By continuing to use our site, you consent to our cookies. If you are not happy with the use of these cookies, please review our Cookie Policy to learn how they can be disabled. By disabling cookies, some features of the site will not work.