To allow more than one client to access stored material without the latency of a common intermediary, what if we introduced the concept of “group ownership” to the ITS by adding a group ID?
·
Divide the current 32-bit partition ID into partition ID and group ID. Group ID could occupy bits 30-27 for example to avoid changes to any existing PID values (and negative PID would still indicate
a Non-secure).
·
Group ID could be an optional definition (to avoid inadvertent use) in the tfm_manifest_list.yaml file. If two clients needed to be able to be able access the same files within the ITS, they should
define a non-zero group ID that is the same. (e.g. PSA Crypto and AES partitions would have the same group). The generated Pid.h would have the [((GID & 0xF) << 27) | PID] value.
·
When the ITS generates the 12-byte file ID, if the group ID is non-zero, it masks off the partition ID so that file ownership is based on the partition group only along with the 64-bit UID as before.
To allow concurrency, the AES partition would have its own key store.
Current PID values for reference:
#define TFM_SP_PS (256)
#define TFM_SP_ITS (257)
#define TFM_SP_AUDIT_LOG (258)
#define TFM_SP_CRYPTO (259)
#define TFM_SP_PLATFORM (260)
#define TFM_SP_INITIAL_ATTESTATION (261)
#define TFM_SP_CORE_TEST (262)
#define TFM_SP_CORE_TEST_2 (263)
#define TFM_SP_SECURE_TEST_PARTITION (264)
#define TFM_SP_IPC_SERVICE_TEST (265)
#define TFM_SP_IPC_CLIENT_TEST (266)
#define TFM_IRQ_TEST_1 (267)
#define TFM_SP_PS_TEST (268)
#define TFM_SP_SECURE_CLIENT_2 (269)
#define TFM_SP_MULTI_CORE_TEST (270)
Regards,
Brian
From: Andrew Thoelke [mailto:Andrew.Thoelke@arm.com]
Sent: Monday, July 13, 2020 5:16 AM
To: Jamie Fox <Jamie.Fox@arm.com>; Quach, Brian <brian@ti.com>; tf-m@lists.trustedfirmware.org
Subject: [EXTERNAL] RE: Persistent key storage ownership/access
Hi,
The ITS design requires that all data items are private to its client – it essentially just provides a persistence capability within the same isolation domain. So it is not possible for two distinct clients to access
the same stored material, *unless they do this through a common intermediary*.
Jamie outlines one approach: PSA Crypto Partition hosts the key store, and delegates the operations to the AES partition. But this fails the concurrency requirement as noted.
Another plausible approach is that the AES Partition is a special/trusted client of the PSA Crypto Partition and uses a dedicated service/API to retrieve the AES client’s key material. However, this also fails the concurrency
objective when the PSA Crypto Partition is busy.
Without the IPC model (which allows for nested/interleaved message handling, under service developer control) – the design that would work is to:
a)
Create a key store Partition that interfaces with ITS
b)
Have the PSA Crypto and AES partitions be trusted clients of the key store (the key store does not allow other client connections)
c)
Key management operations go through a PSA Crypto service, which invokes the key store service to store material in ITS
d)
AES operations go through a AES service, which invokes the key store service to retrieve key material
This model works, but delivering the desired concurrency requires that the framework supports multiple Partitions, and can run one Partition while another is busy/blocked.
Note that the key store service is _just_ a proxy to ITS using the key-id + Crypto-client-id supplied by its client. Security depends on the client-ids of the Crypto and AES Partitions being fixed so that the private
key store service can strictly enforce which clients can use it.
Regards,
Andrew
From: psa-crypto <psa-crypto-bounces@lists.trustedfirmware.org>
On Behalf Of Jamie Fox via psa-crypto
Sent: 10 July 2020 14:22
To: Quach, Brian <brian@ti.com>;
tf-m@lists.trustedfirmware.org;
psa-crypto@lists.trustedfirmware.org
Subject: Re: [psa-crypto] Persistent key storage ownership/access
Hi Brian,
It is true that each persistent key has only one owner who can access it, the partition that created it.
But note that even if the driver partition could be given permission to access the key, then it wouldn’t immediately fix the issue. The driver partition would then need to implement another layer of access control, otherwise
partitions would be able to use it as a conduit to access keys that they don’t themselves own.
I think a more expected flow would look like:
1)
NS application calls psa_import_key() to store a key with an ID. Key is stored by ITS with client ID of -1 (DEFAULT_NS_CLIENT_ID).
2)
NS application calls an AES crypto function in the PSA Crypto partition and provides the key ID.
3)
PSA Crypto partition retrieves the key from ITS for use. Client ID = -1.
4)
PSA Crypto partition calls an AES crypto function in the driver partition and provides the key material.
But I assume you discarded this approach because it didn’t give you the level of concurrency between PSA Crypto and the crypto driver that you wanted.
I am adding the psa-crypto mailing list to this, as people on there may have more/better input.
Kind regards,
Jamie
From: TF-M <tf-m-bounces@lists.trustedfirmware.org>
On Behalf Of Quach, Brian via TF-M
Sent: 10 July 2020 06:18
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] Persistent key storage ownership/access
Hi,
I see that keys can only be accessed/modified by their owning secure partition.
File ID used by ITS is 12-bytes. Assuming the Application imports a persistent key and then opens the key, the File ID would be:
| 32 –bits | 32 -bits | 32 –bits |
==========================================
PSA Crypto SP ID | Key ID | DEFAULT_NS_CLIENT_ID (-1)
Then the key handle returned from the psa_open_key() is used for any cryptographic operations. This makes perfect sense to me for PSA API v1.0 beta 3.
However, for PSA API v1.0 release where open/close key was removed and only the Key ID will be used, I’m confused on how the key access and File ID would work.
Initially, when the app imports the key, the key file would have the same 12-byte file ID as the case above. However, when the application calls a cryptographic function, it now provides the
32-bit key ID instead of the handle. The persistent key is not cached and must be read from the ITS. I had assumed the crypto driver would call psa_export_key() to retrieve the key for use, however, the File ID in this case would be:
| 32 –bits | 32 -bits | 32 –bits |
==========================================
PSA Crypto SP ID | Key ID | Secure Partition ID of Crypto Driver
The file ID would not match what the App imported and the key would not be found.
Am I misunderstanding how the key should be accessed for use after it has been imported or how the File ID is generated?
Another explanation of the scenario if the above was not clear:
1)
NS application calls psa_import_key() to store a key with an ID. Key is stored by ITS with client ID of -1 (DEFAULT_NS_CLIENT_ID).
2)
NS application calls an AES crypto function and provides the key ID.
3)
AES driver crypto function calls psa_export_key() to retrieve the key from ITS for use. Client ID = AES secure partition.
RoT Partition 1:
-
PSA Crypto (with keystore)
RoT Partition 2:
- AES driver (placed its own partition so other crypto ops in PSA Crypto partition can run in parallel…multiple HW accelerators)
RoT Partition 3:
-
ITS
Regards,
Brian Quach
SimpleLink MCU
Texas Instruments Inc.
12500 TI Blvd, MS F-4000
Dallas, TX 75243
214-479-4076