search

Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/
Other
5.02k stars 2.5k forks source link

PSA: use static key slots to store keys #9302

Open valeriosetti opened 1 week ago

valeriosetti commented 1 week ago

Description

This PR proposes an alternative solution for key slots which preallocates all the required buffers instead of dynamically allocating them at runtime. A new build symbol named MBEDTLS_PSA_STATIC_KEY_SLOTS is used for this purpose and it's disabled by default so that it cannot affect normal Mbed TLS users.

This change helps removing the code required to manage heap memory in embedded applications (assuming no other component is using heap, of course) and therefore reducing ROM footprint. This comes with a slightly higher RAM usage, of course, but this can optionally be fine tuned using MBEDTLS_PSA_KEY_SLOT_COUNT.

Background

p256-m driver was recently added to Zephyr as alternative to TinyCrypt for secp256r1. Albeit p256-m claimed to have a smaller footprint compared to TinyCrypt results showed that this does not hold if standard PSA interface provided by Mbed TLS is used to access this driver. Here's a comparison of an ad-hoc test program that was added to Zephyr performing the same operations on secp256r1 curve (2x key derivation + 1x key agreement) with Mbed TLS

west build -p always -b nrf52840dk/nrf52840 -T tests/crypto/secp256r1/crypto.secp256r1.mbedtls
...
Memory region         Used Size  Region Size  %age Used
           FLASH:       44363 B         1 MB      4.23%
             RAM:       15680 B       256 KB      5.98%
        IDT_LIST:          0 GB        32 KB      0.00%

and TinyCrypt

west build -p always -b nrf52840dk/nrf52840 -T tests/crypto/secp256r1/crypto.secp256r1.tinycrypt
...
Memory region         Used Size  Region Size  %age Used
           FLASH:       40707 B         1 MB      3.88%
             RAM:         14 KB       256 KB      5.47%
        IDT_LIST:          0 GB        32 KB      0.00%

Digging a bit into the generated binaries it turned out that Mbed TLS had a larger footprint than TinyCrypt because of:

The latter is not present in TinyCrypt and most of it (around 2kB) is due to heap management code enabled in the Zephyr core.

Results

With this patch in place it is possible to get rid of extra heap management code (assuming no one else is using it in the program, of course). Here's the same example used before built with this patch:

west build -p always -b nrf52840dk/nrf52840 -T tests/crypto/secp256r1/crypto.secp256r1.mbedtls
...
Memory region         Used Size  Region Size  %age Used
           FLASH:       41935 B         1 MB      4.00%
             RAM:       17856 B       256 KB      6.81%
        IDT_LIST:          0 GB        32 KB      0.00%

There's clearly a 2.4 kB ROM code reduction at the expense of a larger RAM usage. However RAM usage can be further reduced by overriding default MBEDTLS_PSA_KEY_SLOT_COUNT if the developer knows a-priori the amount of keys that are needed for the application.

PR checklist

Please tick as appropriate and edit the reasons (e.g.: "backport: not needed because this is a new feature")

gilles-peskine-arm commented 4 days ago

As the key store design is getting a bit complex, I've written a design document in https://github.com/Mbed-TLS/mbedtls/pull/9309 . It's aligned with this pull request (if not, I made a mistake somewhere, please let me know), except that I've documented MBEDTLS_PSA_KEY_SLOT_BUFFER_SIZE as a publicly configurable option as discussed above.