search

Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/
Other
5.56k stars 2.61k forks source link

PSA: Separate keystore initialization from RNG initialization #6008

Open gilles-peskine-arm opened 2 years ago

gilles-peskine-arm commented 2 years ago

In the PSA code, allow initializing the RNG independently from the keystore.

At this stage, any request to initialize something related to keys or storage (volatile keys, persistent keys, drivers) will initialize all of that, just not the RNG.

After initializing only the RNG, psa_generate_random() must work but not psa_import_key(). After initializing only the keystore, psa_import_key() must work but not psa_generate_random(), and this must not initialize the entropy subsystem.

Prerequisite: https://github.com/Mbed-TLS/mbedtls/issues/6007

zhang-wenchao commented 1 month ago

Any update?

gilles-peskine-arm commented 1 month ago

@zhang-wenchao This is scheduled for Mbed TLS 4.0 (or strictly speaking TF-PSA-Crypto 1.0) which will be released in Q2 2025. We've done a draft API design and a prototype, but we haven't started the production-ready implementation yet.