Open adeaarm opened 1 year ago
This function already exists. It's called mbedtls_set_key_owner_id
.
Do we need to give it a psa_xxx
name? (I admit we have been inconsistent about the naming of functions that are not intended for PSA standardization, but are specific to the PSA interface in Mbed TLS.)
What we definitely should do is write a guide that explains, among other things, how to use this function.
Thanks @gilles-peskine-arm , we missed that in our offline conversation. I think keeping the name mbedtls_<something>
makes more sense than using psa_<something>
. In general, I believe prefixing everything that is not coming from the standard spec with mbedtls_
(or even mbedtls_psa
) helps with modularization, as it keeps clear what is part of the standard and what is not. In this case, being the owner ID not part of the standard, I believe we shouldn't have it under the psa_ prefix. Obviously, the guide proposal is very useful, especially when vehiculating these concepts to partners.
I had a go at using this API. While it's true that this sets the owner ID only as required in the original request, it still not fulfills completely TF-M's use case, which is essentially translating key IDs from a client view to a server view by adding the owner ID with an existing psa_key_id_t. For example:
A psa_key_id_t key_id
gets passed from the client to server, which then retrieves the owner and needs to create a new key ID structure made of the pair (owner, key_id). The present API could be used to set the owner, but there is no API available to set the key_id only, without changing the volatility of the key (i.e. psa_set_key_id). Please let me know your thoughts on this.
adding the owner ID with an existing psa_key_id_t
That's mbedtls_svc_key_id_make
. Which again looks like on this topic the problem is our lack of user documentation (the functions are documented but not so discoverable) rather than a lack of functionality.
Thanks - I was actually aware of this, I have completely removed it... 😄
Suggested enhancement
Introduce an Mbed TLS specific setter API that allows setting the
owner
field for volatile keys, in those cases whenMBEDTLS_SVC_KEY_ID_ENCODES_OWNER
is set. Current behaviour is that permanent keys allow to set the key ID completely throughpsa_set_key_id()
, but this call will make the key persistent. For volatile keys, the owner is implicitly initialized by inspecting the key attributes during the key import operation. This means that the privateowner
field must be accessed throughMBEDTLS_PRIVATE
and manually set. This is relevant only for those implementations that use Mbed TLS PSA Crypto APIs as a part of a service implementation, i.e. TF-M.Justification
Allowing an API for this aligns when
MBEDTLS_SVC_KEY_ID_ENCODES_OWNER
not set case and enforces good programming paradigms.