Hey Antonio,
Yes, I was referring to the use of psa_set_key_algorithm(&key_attributes, alg); to set the policy, and good to hear that it's good practice to set them.
The failing TF-M tests are TFM_S_CRYPTO_TEST_1001/2/5/7/30/31/33/34/35/36/40/42/43/44/45/46/47/48, same for TFM_S_CRYPTO_TEST_10... They all use psa_key_interface_test where only usage and type are set, if I got the code here right: https://git.trustedfirmware.org/TF-M/tf-m-tests.git/tree/test/secure_fw/suit...
For PSA-arch-tests, test_c002/3/4/48/20/21/24-42/44/46-61_* fail. As an example, for test_c002_testing_crypto_key_management_apis the attributes are set up here https://github.com/ARM-software/psa-arch-tests/blob/main/api-tests/dev_apis/... if I got it right.
And for test_c005_testing_crypto_key_management_apis, which is passing, the algorithm is set here: https://github.com/ARM-software/psa-arch-tests/blob/main/api-tests/dev_apis/...
I hope this describes the issue a bit better.
________________________________
From: Antonio De Angelis Antonio.DeAngelis@arm.com
Sent: 13 October 2022 14:52
To: tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org
Cc: Swarowsky, Markus Markus.Swarowsky@nordicsemi.no; Chris.Brand--- via TF-M tf-m@lists.trustedfirmware.org; nd nd@arm.com
Subject: RE: [TF-M] TF-M psa crypto test do not set the algorithms in psa_key_attributes_t
Hi Markus,
psa_set_key_algorithm() should be called when properly setting up the policy for permitted algorithm on a key. From what I could quickly see it seems that the positive-tests in the Crypto regression are setting them correctly.
An example snippet of what I am referring to:
/* Setup the key policy */
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_VERIFY_HASH);
psa_set_key_algorithm(&key_attributes, alg);
psa_set_key_type(&key_attributes, key_type);
Are you referring to some particular test that is not setting the algorithm field in the key attributes? Could you point me to that? It might very well be that setting it has been overlooked when writing some _negative_ test that wasn’t aiming at preparing the object correctly because it was just trying to cause a failure, hence it did not care about that algorithm policy field. But in general, I can confirm that it’s good practice to set the algorithm and if any of the tests are not aligned to this pattern, they must be fixed upstream for consistency.
Thanks,
Antonio
From: Swarowsky, Markus via TF-M tf-m@lists.trustedfirmware.org
Sent: Thursday, October 13, 2022 13:14
To: Chris.Brand--- via TF-M tf-m@lists.trustedfirmware.org
Subject: [TF-M] TF-M psa crypto test do not set the algorithms in psa_key_attributes_t
Hello,
I was adding sanity checks to the psa_crypto_driver_wrappers to validate bits/type and policy->alg of the given psa_key_attributes_t attributes for the psa_generate_key, psa_import_key, and psa_copy_key calls, to check if the given combination is within the PSA specification.
In the PSA crypto spec it says: The key permitted-algorithm policy is required for keys that will be used for a cryptographic operation, see Permitted algorithms (https://armmbed.github.io/mbed-crypto/html/api/keys/policy.html#permitted-algorithms). [https://armmbed.github.io/mbed-crypto/html/api/keys/management.html?highlight=psa_generate_key#c.psa_generate_key] Which is most likely the case for all key types except PSA_KEY_TYPE_RAW_DATA.
But after adding the sanity checks the TF-M crypto tests (test_c*_testing_* and TFM_S/NS_CRYPTO_TEST_10*) failed. I took a look at these tests, and it turned out that they don't set the algorithm flag for the key attributes.
My question now is, is the algorithm flag skipped on purpose or just missed during the test case creation, as it should be set according to the PSA crypto spec?
Thanks for the help and the feedback
Markus Swarowsky | R & D Engineer M +47 404 66 922 | Trondheim, Norway
nordicsemi.com | devzone.nordicsemi.com
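
The kind of sanity check described in the first message of this thread, as an added example that is not part of the thread, of TF-M or of Mbed TLS. All `demo_*` names and constant values are constructed stand-ins rather than the PSA Crypto headers, and the rule applied (a permitted algorithm is required once an operation usage flag is set) is an assumption taken from that message.

```c
#include <stdint.h>
#include <stdio.h>
/* Local stand-ins constructed for this example; not the PSA Crypto headers. */
typedef struct {
    uint16_t type;   /* key type */
    uint16_t bits;   /* key size in bits */
    uint32_t usage;  /* usage flags */
    uint32_t alg;    /* permitted algorithm, DEMO_ALG_NONE when never set */
} demo_key_attributes_t;

enum { DEMO_OK = 0, DEMO_ERR_INVALID_ARGUMENT = -1 };
enum { DEMO_TYPE_RAW_DATA = 1, DEMO_TYPE_AES = 2 };
enum { DEMO_ALG_NONE = 0, DEMO_ALG_CTR = 7 };
#define DEMO_USAGE_EXPORT  0x0001u
#define DEMO_USAGE_ENCRYPT 0x0100u
#define DEMO_USAGE_DECRYPT 0x0200u

/* Hypothetical wrapper-side check run before generate/import/copy. */
int demo_validate_attributes(const demo_key_attributes_t *a)
{
    if (a == NULL)
        return DEMO_ERR_INVALID_ARGUMENT;
    if (a->type == DEMO_TYPE_RAW_DATA)      /* never used in an operation */
        return DEMO_OK;
    if (a->type != DEMO_TYPE_AES)           /* type unknown to this sketch */
        return DEMO_ERR_INVALID_ARGUMENT;
    if (a->bits != 128 && a->bits != 192 && a->bits != 256)
        return DEMO_ERR_INVALID_ARGUMENT;   /* size not valid for the type */
    /* A key usable in an operation must also carry a permitted algorithm. */
    if ((a->usage & (DEMO_USAGE_ENCRYPT | DEMO_USAGE_DECRYPT)) &&
        a->alg == DEMO_ALG_NONE)
        return DEMO_ERR_INVALID_ARGUMENT;
    return DEMO_OK;
}

int demo_check(uint16_t type, uint16_t bits, uint32_t usage, uint32_t alg)
{
    demo_key_attributes_t a = { type, bits, usage, alg };
    return demo_validate_attributes(&a);
}

int main(void)
{
    /* Usage and type only, as in the failing tests: rejected (-1). */
    printf("%d\n", demo_check(DEMO_TYPE_AES, 128, DEMO_USAGE_ENCRYPT, DEMO_ALG_NONE));
    /* Usage, algorithm and type, as in the reply's snippet: accepted (0). */
    printf("%d\n", demo_check(DEMO_TYPE_AES, 128, DEMO_USAGE_ENCRYPT, DEMO_ALG_CTR));
    return 0;
}
```

A test that sets only usage and type trips the last check, which matches the failures reported once the wrapper validation was added.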