>From the perspective of an application developer whose platform doesn't
have a native malloc, the advantage for Mbed TLS to include its own
malloc is one less dependency to integrate (so one less source of
potential incompatibilities, one less component to integrate into the
build, one less set of parameters to configure, one less feed of
security updates to keep up with, etc.).
I expect that choosing the Mbed TLS allocator would give poorer
performance and higher RAM consumption than choosing the best allocator
that exists out there. But it gives better time to market, and
potentially a better security posture (the highest-performance allocator
may or may not turn out to be actively maintained).
--
Gilles Peskine
Mbed TLS developer
On 16/04/2020 14:19, Janos Follath via mbed-tls wrote:
> Hi,
>
> Thank you for sharing your view, it makes perfect sense.
>
> You mention that you would consider keeping the module internally for the sake of baremetal applications. How would this serve the user better than choosing a third party malloc implementation? (Assuming that there are better implementation out there than ours, which I haven't confirmed, but it is not hard to imagine that such exists.)
>
> Regards,
> Janos
>
>
> On 15/04/2020, 21:11, "mbed-tls on behalf of Gilles Peskine via mbed-tls" <mbed-tls-bounces(a)lists.trustedfirmware.org on behalf of mbed-tls(a)lists.trustedfirmware.org> wrote:
>
> On 09/04/2020 13:17, Janos Follath via mbed-tls wrote:
> > Hi,
> >
> > Based on what I read on this thread it seems an accepted point of view that the toolchain provided C standard library implementations are less trusted than the toolchains themselves. Can somebody please help me understand the reasoning behind this distinction?
>
> Well, I disagree with this statement. I trust the toolchain to implement
> the C standard library correctly, and with good performance for the
> target platform. I do not want to provide my own implementation of
> standard functions.
>
> I only trust the toolchain to be functionally correct. I don't know
> about its security. I certainly can't rely on the toolchain to have
> security characteristics that are not guaranteed by the language
> definition. For example, I do trust memset_s() to zero out sensitive
> memory if the toolchain provides it, but I don't trust memset() for this
> task.
>
> On the topic at hand, my personal opinion of memory_buffer_alloc is that
> it doesn't belong in Mbed TLS. I hope that when PSA crypto is a
> standalone product, it won't use malloc internally, and so it certainly
> won't provide a malloc implementation. I wouldn't necessarily say the
> same thing of Mbed TLS 4.0: it's difficult to design an X.509 interface
> that doesn't use malloc. But if we can do it, I think we should.
>
> I recognize that there are many bare-metal applications that don't use
> malloc themselves, but use Mbed TLS. For their sake, it does make some
> sense for Mbed TLS to have its own malloc implementation. But the focus
> is for internal use, not on serving as a general-purpose allocator for
> applications that also use malloc for non-mbedtls-related purposes.
>
> --
> Gilles Peskine
> Mbed TLS developer
>
>
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
> --
> mbed-tls mailing list
> mbed-tls(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
>
>
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi,
Thank you for sharing your view, it makes perfect sense.
You mention that you would consider keeping the module internally for the sake of baremetal applications. How would this serve the user better than choosing a third party malloc implementation? (Assuming that there are better implementation out there than ours, which I haven't confirmed, but it is not hard to imagine that such exists.)
Regards,
Janos
On 15/04/2020, 21:11, "mbed-tls on behalf of Gilles Peskine via mbed-tls" <mbed-tls-bounces(a)lists.trustedfirmware.org on behalf of mbed-tls(a)lists.trustedfirmware.org> wrote:
On 09/04/2020 13:17, Janos Follath via mbed-tls wrote:
> Hi,
>
> Based on what I read on this thread it seems an accepted point of view that the toolchain provided C standard library implementations are less trusted than the toolchains themselves. Can somebody please help me understand the reasoning behind this distinction?
Well, I disagree with this statement. I trust the toolchain to implement
the C standard library correctly, and with good performance for the
target platform. I do not want to provide my own implementation of
standard functions.
I only trust the toolchain to be functionally correct. I don't know
about its security. I certainly can't rely on the toolchain to have
security characteristics that are not guaranteed by the language
definition. For example, I do trust memset_s() to zero out sensitive
memory if the toolchain provides it, but I don't trust memset() for this
task.
On the topic at hand, my personal opinion of memory_buffer_alloc is that
it doesn't belong in Mbed TLS. I hope that when PSA crypto is a
standalone product, it won't use malloc internally, and so it certainly
won't provide a malloc implementation. I wouldn't necessarily say the
same thing of Mbed TLS 4.0: it's difficult to design an X.509 interface
that doesn't use malloc. But if we can do it, I think we should.
I recognize that there are many bare-metal applications that don't use
malloc themselves, but use Mbed TLS. For their sake, it does make some
sense for Mbed TLS to have its own malloc implementation. But the focus
is for internal use, not on serving as a general-purpose allocator for
applications that also use malloc for non-mbedtls-related purposes.
--
Gilles Peskine
Mbed TLS developer
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
--
mbed-tls mailing list
mbed-tls(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
Hi Gilles,
Thanks for this precision, as well as the reminder of the existing github issue.
With no opposition here in a week, and none on github for nearly 3 months either, plus no opposition when we marked it as deprecated in 2.21 in February, I'm also moving this to the "Accepted" section on the wiki discussion tracking page: https://developer.trustedfirmware.org/w/mbed-tls/tech-plans-3.0/ - but again, it's still time to voice concerns until we've actually removed it from the code base.
Regards,
Manuel.
Hi Gilles,
Thanks for your feedback and for providing a link to the existing issue, which I completely forgot about - I'll reference that in the wiki as well.
Since it's been a week, with one agreement and no opposition, I'm also moving this to the "Accepted" section in the summary wiki page: https://developer.trustedfirmware.org/w/mbed-tls/tech-plans-3.0/ - though again, it you have concerns it's still time to voice them.
Regards,
Manuel.
Hi all,
Since this list of old options was probably not controversial in the first place and there has been no opposition in more than a week (a time that was sufficient for other thread in the same series to get several reactions), I'm moving this from "Under discussion" to "Accepted" in the summary wiki page: https://developer.trustedfirmware.org/w/mbed-tls/tech-plans-3.0/
This is not meant to shut down discussion and if you disagree or have concerns it's still time to voice them - this is just to simplify tracking of the discussions.
Best regards,
Manuel.
On 09/04/2020 13:17, Janos Follath via mbed-tls wrote:
> Hi,
>
> Based on what I read on this thread it seems an accepted point of view that the toolchain provided C standard library implementations are less trusted than the toolchains themselves. Can somebody please help me understand the reasoning behind this distinction?
Well, I disagree with this statement. I trust the toolchain to implement
the C standard library correctly, and with good performance for the
target platform. I do not want to provide my own implementation of
standard functions.
I only trust the toolchain to be functionally correct. I don't know
about its security. I certainly can't rely on the toolchain to have
security characteristics that are not guaranteed by the language
definition. For example, I do trust memset_s() to zero out sensitive
memory if the toolchain provides it, but I don't trust memset() for this
task.
On the topic at hand, my personal opinion of memory_buffer_alloc is that
it doesn't belong in Mbed TLS. I hope that when PSA crypto is a
standalone product, it won't use malloc internally, and so it certainly
won't provide a malloc implementation. I wouldn't necessarily say the
same thing of Mbed TLS 4.0: it's difficult to design an X.509 interface
that doesn't use malloc. But if we can do it, I think we should.
I recognize that there are many bare-metal applications that don't use
malloc themselves, but use Mbed TLS. For their sake, it does make some
sense for Mbed TLS to have its own malloc implementation. But the focus
is for internal use, not on serving as a general-purpose allocator for
applications that also use malloc for non-mbedtls-related purposes.
--
Gilles Peskine
Mbed TLS developer
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Yes, we should remove it. Unlike other features, I think we should
remove HAVEGE _especially_ if someone is using it, because unlike the
rest of the library, I cannot vouch for its security. I don't even know
if our havege.c is implementing the HAVEGE specification correctly. And
I cannot think of a platform where HAVEGE would give a useful amount of
entropy, and where there isn't already a proper hardware RNG or an OS
kernel with its own entropy gathering built with knowledge of the actual
platform.
(Also noted on https://github.com/ARMmbed/mbedtls/issues/2599 .)
--
Gilles Peskine
Mbed TLS developer
On 08/04/2020 12:41, Manuel Pegourie-Gonnard via mbed-tls wrote:
> Hi all,
>
> In this new installment of "let's discuss ideas for Mbed TLS 3.0" [1]:
> should we remove havege.c from the code base?
>
> [1]: https://developer.trustedfirmware.org/w/mbed-tls/tech-plans-3.0/
>
> The crypto library currently includes an implementation of the HAVEGE entropy
> gatherer [2], which is disabled in the default build (MBEDTLS_HAVEGE_C in
> config.h), but used as a source by our entropy module if enabled.
>
> [2]: https://www.irisa.fr/caps/projects/hipsor/
>
> We'd like to drop this module and remove it from the code base entirely for
> the following reasons:
>
> - HAVEGE was designed for superscalar processors with high
> microarchitectural complexity, and is unsuitable for microcontrollers (or
> virtualized environments). We feel like when a complex enough CPU is used for
> HAVEGE to stand a chance of being secure, it's very likely that an operating
> system is also available, which probably already manages a random generator
> better that what we can do in user space.
>
> - On a more practical note, our implementation relies on `timing_hardclock()`
> provided by timing.c only for a limited number of architectures and
> environments (funnily enough, not including any Arm architecture), with a
> silent fallback to a definition relying on `gettimeofday()` which is clearly
> not high-resolution enough to make HAVEGE secure.
>
> - As with any random source, it is very difficult to assess whether HAVEGE is
> actually secure on any given platform. Further, the maintenance team
> doesn't have any specific knowledge of HAVEGE and there hasn't been any
> independent evaluation of our implementation of it.
>
> - As a result of the above points, we're afraid people using our HAVEGE
> implementation on the wrong platforms, might be getting a false sense of
> security, which might prevent them from using more secure options, such as the
> OS RNG (when using an OS) or a hardware RNG (on microcontrollers).
>
> If you're using MBEDTLS_HAVEGE_C or know someone who does, or if for any other
> reason you think we shouldn't drop it in Mbed TLS 3.0, please speak up now!
>
> Regards,
> Manuel.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hello,
As noted in https://github.com/ARMmbed/mbedtls/issues/3006, I'm aware of
only one project that is using Mbed TLS's pkcs11-helper support:
OpenVPN. But this support has been removed from the development version.
--
Gilles Peskine
Mbed TLS developer
On 08/04/2020 12:37, Manuel Pegourie-Gonnard via mbed-tls wrote:
> Hi all,
>
> In this new installment of "let's discuss ideas for Mbed TLS 3.0" [1]:
> should we remove pkcs11.c from the code base?
>
> [1]: https://developer.trustedfirmware.org/w/mbed-tls/tech-plans-3.0/
>
> The X.509 library currently includes a module called "pkcs11", excluded from
> the default build, which provides a few wrappers around libpkcs11-helper [2],
> a library that "simplifies the interaction with PKCS#11 providers for end-user
> applications". In practice, it supports the use of X.509 certificates
> associated with an RSA key (not ECDSA) managed by libpkcs11-helper.
>
> [2]: https://github.com/OpenSC/pkcs11-helper
>
> We'd like to drop this module and remove it from the code base entirely for
> the following reasons:
>
> - It has limited functionality, and soon PSA Crypto will provide more flexible
> support for secure management of private keys (not just RSA, and not just
> associated with X.509 certificates).
>
> - It currently has not automated tests so we're not even sure if it still
> works properly.
>
> - The documentation is scarce and no member of the current maintenance team
> knows for sure how it's supposed to work.
>
> - We never receive any support request about it so we're not sure if anyone is
> still using it. (As a weaker signal in the same direction, we deprecated it
> in 2.21.0, released 2020-02-20, and nobody complained so far.)
>
> If you're using MBEDTLS_PKCS11_C or know someone who does, or if for any other
> reason you think we shouldn't drop it in Mbed TLS 3.0, please speak up now!
>
> Regards,
> Manuel.
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hello,
We're planning to make some changes to the way you can run Mbed TLS unit
tests on embedded platforms. We want to make it easier to run the tests
on platforms that have limited space for code and don't have a
filesystem to read data from.
At the moment, there are two ways to build the test suites. If you run
'make test', this builds one a host executable using host_test.function
for each test_suite_*.function and one “compiled” data file for each
test_suite_*.data, and the executable reads the compiled data file at
runtime. It's also possible to build an executable with
target_test.function, which includes calls to the Mbed-tools Greentea
library to communicate over the serial port, and you can use the script
mbedtls_test.py to run the tests with Greentea. Neither method works
directly for embedded platforms other than Mbed OS.
If you've run the Mbed TLS unit tests without reading the .datax file
from the filesystem, and without using Mbed OS and Greentea, how did you
do it? If you haven't run the unit tests but would like to do so, what
changes would you like to see what Mbed TLS provides?
I have a few more specific questions:
• Does Mbed TLS need to include some abstraction for serial
communication? If not, what would the interface of the test functions
be? (Tests can currently take inputs that are zero-terminated text
string, binary string with length, or int, and we'd like to add the
possibility to add other integer types such as uint64_t, but nothing
more complex. The outcome of a test is pass/fail/skip, and if fail/skip
location information about the failure.)
• Is it useful to have a way to build the test data into the executable,
so that the only interaction that the executable needs is to write out
the test results? It's more convenient but doesn't work everywhere (the
biggest test suite has >200kB of test data).
• Should test executables be self-contained in their reporting
(including error messages)? Or should they minimize code size, and then
you'd need an extra host-side script to make sense of results?
• The current .function-to-.c transformation script
(generate_test_code.py) generates a single C file with all of the test
code (but not the test data). Is this a useful requirement?
We welcome any thoughts you may have on the topic.
--
Gilles Peskine
Mbed TLS developer
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi Dan,
Thank you for explaining, I see it now. I think we definitely should leave the choice open for Mbed TLS users and I agree that such a joint stdlib implementation project would be a much better place for a toolchain independent memory allocator.
Regards,
Janos
On 09/04/2020, 14:31, "mbed-tls on behalf of Dan Handley via mbed-tls" <mbed-tls-bounces(a)lists.trustedfirmware.org on behalf of mbed-tls(a)lists.trustedfirmware.org> wrote:
Hi Janos
It's not so much that the toolchain stdlib implementations are less trusted from a security point of view, it's that there is variation in their non-functional characteristics, e.g.
* security
* robustness
* code size
* performance
* open-ness
* ...
If you remove this variation it's easier to reason about the non-functional characteristics of the code. This is perhaps more important for projects that build final executable images but may also be important for libraries, especially ones that export executable link libraries like Mbed TLS.
On the other hand, Mbed TLS is deployed in many other places than Trusted Firmware and it may be hard to choose a stdlib implementation that works for all users. Perhaps the compromise is to create a shared stdlib implementation for Trusted Firmware deployments but leave the choice open for other Mbed TLS users?
Regards
Dan
> -----Original Message-----
> From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> On Behalf Of
> Janos Follath via mbed-tls
> Sent: 09 April 2020 12:18
> To: mbed-tls(a)lists.trustedfirmware.org
> Subject: Re: [mbed-tls] 3.0 plans: remove memory_buffer_alloc.c from the code
> base
>
> Hi,
>
> Based on what I read on this thread it seems an accepted point of view that
> the toolchain provided C standard library implementations are less trusted
> than the toolchains themselves. Can somebody please help me understand the
> reasoning behind this distinction?
>
> Regards,
> Janos
>
> On 09/04/2020, 12:07, "Dan Handley via mbed-tls" <mbed-
> tls(a)lists.trustedfirmware.org> wrote:
>
> Hi
>
> There has already been some discussion about a shared C standard library
> implementation, at least for TF-A and TF-M. So far there's been general
> agreement that this is a good idea but no actual commitment from anyone to
> make this happen, since each project is reasonably happy with what they've
> got.
>
> Regarding MBEDTLS_MEMORY_BUFFER_ALLOC_C, TF-A at least enables this so
> removing this from the codebase would be an issue there. Memory allocators
> are probably not the core expertise of other Trusted Firmware projects either
> but it needs to be if they're going to use them!
>
> I propose that we move this allocator into a new shared
> TrustedFirmware.org standard C library project and work with the other
> projects to ensure it has the correct initial maintainers. This will probably
> have to be driven by the maintainers of whichever project is most motivated
> to make this happen. It sounds like that could be Mbed TLS and this will need
> to be done before any separation of the PSA Crypto implementation. In the
> short term, as we move C stdlib functionality out of the other projects and
> into this new project, we will need to support multiple implementations of
> some functions. Eventually we should move towards a common implementation,
> and I agree we should look at what security-oriented implementations are
> already available.
>
> I also agree it would make sense for Mbed TLS to not use the toolchain-
> provided stdlib implementation by default, but only once it uses a default
> implementation it trusts.
>
> Regards
>
> Dan.
>
> > -----Original Message-----
> > From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> On Behalf
> Of
> > Ronald Cron via mbed-tls
> > Sent: 09 April 2020 08:47
> > To: mbed-tls(a)lists.trustedfirmware.org
> > Subject: Re: [mbed-tls] 3.0 plans: remove memory_buffer_alloc.c from
> the code
> > base
> >
> > Hi, I think this is related to the more general need for an
> implementation of
> > the C standard library for trusted firmware projects. As far as I know
> TF-A
> > and TF-M don't use the standard library provided by compilation
> toolchains.
> > The rationale is to have complete control over the trusted firmware
> code.
> > Currently they both have their own partial implementation of the parts
> of the
> > C standard library they need.
> >
> > This memory_buffer_alloc.c module in question here is another partial
> > implementation of the C standard library. Currently TF-A and TF-M don't
> > use/provide dynamic memory allocations but PSA-FF explicitly mentions
> that an
> > SPM implementation may support dynamic memory allocation. Thus it is
> possible
> > that TF-M at some point consider providing dynamic memory allocation
> support.
> >
> > All of this to say that a possible way forward may be to remove
> > memory_buffer_alloc.c from the code base when there is a C standard
> library
> > implementation common to trustedfirmware.org projects (is there already
> a
> > security oriented open source implementation out there ?).
> >
> > In Mbed TLS, it would also make sense to me to, by default, not use C
> > standard libraries provided by compilation toolchains
> > (MBEDTLS_PLATFORM_NO_STD_FUNCTIONS defined by default).
> >
> > Thanks, Ronald.
> >
> >
> > -----Original Message-----
> > From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> On Behalf
> Of
> > Manuel Pegourie-Gonnard via mbed-tls
> > Sent: 08 April 2020 12:42
> > To: mbed-tls(a)lists.trustedfirmware.org
> > Cc: nd <nd(a)arm.com>
> > Subject: [mbed-tls] 3.0 plans: remove memory_buffer_alloc.c from the
> code
> > base
> >
> > Hi all,
> >
> > In this new installment of "let's discuss ideas for Mbed TLS 3.0" [1]:
> > should we remove memory_buffer_alloc.c from the code base?
> >
> > [1]: https://developer.trustedfirmware.org/w/mbed-tls/tech-plans-3.0/
> >
> > Currently the crypto library includes a module called
> memory_buffer_alloc.c,
> > disabled in the default build (config.h option
> MBEDTLS_MEMORY_BUFFER_ALLOC_C),
> > which provides implementations of calloc() and free() based on a user-
> > provided buffer (which could be static or on the stack), suitable for
> use in
> > the rest of the crypto, X.509 and TLS libraries as replacements to the
> > standard functions.
> >
> > In addition to providing replacement calloc() and free(), the module
> also
> > offers some facilities for measurement and debugging.
> >
> > We're considering dropping this module and removing it from the code
> base
> > entirely for the following reasons:
> >
> > - Memory allocators are not our core area of expertise.
> >
> > - This allocator is pretty basic and has a large allocation overhead.
> For
> > example for ECC computations, the overhead can be as large as the
> actual
> > memory used.
> >
> > - Using this allocator also tends to slow things down, so we don't run
> many
> > tests with it enabled.
> >
> > - In the future when we split between PSA Crypto on one side and Mbed
> TLS and
> > X.509 on the other, it's unclear on which side this allocator should
> fall.
> > Which can be taken as a sign that it doesn't really belong here.
> >
> > On the other hand, we're hesitating for the following reasons:
> >
> > - We know from bug reports and questions that some people are using it.
> >
> > - Unlike other modules we'd like to drop, there isn't a strong security
> > incentive to dropping this allocator, it's merely a matter of how we
> spend
> > our maintenance resources.
> >
> > What do you think? Should we keep maintaining this allocator as part of
> Mbed
> > TLS? Should we drop it and focus on our core instead? If you're using
> this
> > allocator, why did you pick it over other alternatives?
> >
> > Regards,
> > Manuel.
> > --
> > mbed-tls mailing list
> > mbed-tls(a)lists.trustedfirmware.org
> > https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
> > IMPORTANT NOTICE: The contents of this email and any attachments are
> > confidential and may also be privileged. If you are not the intended
> > recipient, please notify the sender immediately and do not disclose the
> > contents to any other person, use it for any purpose, or store or copy
> the
> > information in any medium. Thank you.
> > --
> > mbed-tls mailing list
> > mbed-tls(a)lists.trustedfirmware.org
> > https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
> --
> mbed-tls mailing list
> mbed-tls(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
>
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
> --
> mbed-tls mailing list
> mbed-tls(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
--
mbed-tls mailing list
mbed-tls(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.