Hi Ruchika,

On 11/07/2023 19:14, Ruchika Gupta via mbed-tls wrote:

Hi,

 

I am currently working on PSA driver for our SoC’s security crypto-processor. This processor needs to do some handling when a key is destroyed.  

In the current implementation in mbedTLS,  I don’t see a driver wrapper function available in psa_destroy_key(). Is there a specific reason for not having wrapper for driver function available for psa_destroy_key() ?

Mbed TLS does not yet support drivers for secure elements that store the key material themselves, only secure elements for which the outside world must store a wrapped (encrypted) copy of the key. The absence of a destroy_key driver wrapper is not the only thing that's missing: a bigger part is correct handling of power failures.

On our roadmap (https://mbed-tls.readthedocs.io/en/latest/project/roadmap/) this is listed as “Handle Opaque Persistent Key in Secure Element - Implementation” and currently scheduled for early 2024. (Note that the roadmap more than a quarter ahead is very tentative.) A design specification is in https://github.com/Mbed-TLS/mbedtls/blob/development/docs/architecture/psa-storage-resilience.md

 

Another query pertaining to the tests in the testsuite in mbedTLS. I was exploring if I could reuse the tests for the crypto-processor implementation.  Have these been written with this kind of reuse in mind ?

Basically I would like the ability to add driver location to the cases. The few cases I have looked at for psa seem to be very specific. Any pointers/suggestions if anyone is reusing this test suite to test their specific PSA drivers?

That is something we'd like to do in the long term, but we do not have concrete plans yet, and we don't know when we might work on it. There are several aspects:
If anyone has ideas on this topic and time to work on this, feel free to discuss it with us. We (the Mbed TLS developer team) probably won't have much time to spend on this for at least another year, but we can at least look at proposals and see if it's something that we might integrate at some point.

Best regards,

--
Gilles Peskine
Mbed TLS developer and PSA crypto architect

 

Regards,

Ruchika