Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Plans for TF-PSA-Crypto legacy headers #145

Open
wants to merge 15 commits into
base: development
Choose a base branch
from

Conversation

gilles-peskine-arm
Copy link
Contributor

@gilles-peskine-arm gilles-peskine-arm commented Jan 9, 2025

Work in progress on Mbed-TLS/mbedtls#9882.

Status: this is a work in progress that I'm progressively refining. However, for the parts that are already written, I'm not planning any restructuring or any changes other than clarifications or refinement (e.g. finer task breakdown, closing down open questions), so they are ready for review.

PR checklist

  • changelog not required because: doc only
  • framework PR not required
  • mbedtls PR not required
  • tests provided | not required because:

Covers high-level plans for header privatization.

Signed-off-by: Gilles Peskine <[email protected]>
Copy link
Contributor

@mpg mpg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First draft is looking pretty good so far, thanks!

docs/architecture/0e-plans.md Show resolved Hide resolved
docs/architecture/0e-plans.md Outdated Show resolved Hide resolved
docs/architecture/0e-plans.md Outdated Show resolved Hide resolved
docs/architecture/0e-plans.md Outdated Show resolved Hide resolved
docs/architecture/0e-plans.md Show resolved Hide resolved
docs/architecture/0e-plans.md Outdated Show resolved Hide resolved
docs/architecture/0e-plans.md Outdated Show resolved Hide resolved
docs/architecture/0e-plans.md Outdated Show resolved Hide resolved
docs/architecture/0e-plans.md Outdated Show resolved Hide resolved
docs/architecture/0e-plans.md Show resolved Hide resolved
Signed-off-by: Gilles Peskine <[email protected]>
It's public specifically for the sake of X.509, not for application code.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Copy link
Contributor Author

Thanks for the review. I've addressed your comments, but not yet added the missing sections that I'm still working on.

Copy link
Contributor

@mpg mpg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for addressing my comments!

docs/architecture/0e-plans.md Outdated Show resolved Hide resolved
docs/architecture/0e-plans.md Show resolved Hide resolved
docs/architecture/0e-plans.md Outdated Show resolved Hide resolved
The following header files define cryptography-adjacent interfaces which we have no plans to replace.

* `asn1.`, `asn1write.h`: ASN.1, needed for key parsing/writing as well as for X.509.
* `base64.h`, `pem.h`: Encoding help, needed for key parsing/writing as well as for X.509. Arguably Base64 could be made private, for the use of PEM only, but it is currently used for non-PEM purposes in Mbed TLS. Thus I propose to keep it officially public in TF-PSA-Crypto 1.x.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed. I'm not sure what the current status is, but I remember being deeply unsatisfied with our base64 API last time I looked at it (to the point of starting trying to fix it locally, which I evidently never got time to finish). The main problem being we're pretty inconsistent in where the reported sizes include the terminating nul byte or not, and things are not clearly documented. I don't remember if PEM suffer from similar issues these days.

Taking a step back, it could be argued that neither PEM nor base64 should rely on nul-termination, but rather only on size arguments.

I'm not sure if that's enough of a reason to not include them in 1.0 and re-include a better version later. (Obviously in an ideal world we'd have time to improve their API before the 1.0 and things would be easier, but we don't live in that world.)

Copy link
Contributor

@davidhorstmann-arm davidhorstmann-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few small comments, mostly nits. Looks good otherwise


The following header files define cryptography-adjacent interfaces which we have no plans to replace.

* `asn1.`, `asn1write.h`: ASN.1, needed for key parsing/writing as well as for X.509.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit:

Suggested change
* `asn1.`, `asn1write.h`: ASN.1, needed for key parsing/writing as well as for X.509.
* `asn1.h`, `asn1write.h`: ASN.1, needed for key parsing/writing as well as for X.509.


`oid.h` and `MBEDTLS_OID_C` are in charge of defining all the OIDs used internally or by application code. This is a known problem which can result in applications wasting code size on many OIDs that they don't care about. We are planning a redesign: https://github.com/Mbed-TLS/mbedtls/issues/9380 .

At this point, we do not consider this critical for TF-PSA-Crypto 1.0, and we are likely to work on it during the lifetime of TF-PSA-Crypto 1.x. This may change if we reevaluate the priority based on concrete use cases. In the meantime, `oid.h` will become private, but will remain used in Mbed TLS.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the meantime, oid.h will become private, but will remain used in Mbed TLS.

What does this mean? In the categories of header described above, 'private' means that it can't be used by Mbed TLS, so this seems like a contradiction.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've tried to consistently use “private” for unofficial interfaces that may still be exposed, and “internal” for interfaces where there is some technical measure limiting outside use (e.g. function only declared in a header in core or **/src). So there's no contradiction here: oid.h is not an official interface, but it's exposed to Mbed TLS. Did I get the terminology wrong somewhere above?


### Private types in `psa_util.h`

The functions `mbedtls_ecc_group_to_psa()` and mbedtls_ecc_group_from_psa()` are no longer relevant for public use since the legacy side of the conversion is no longer a public interface. They are not used in Mbed TLS. They should be moved to an internal header.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: missing backtick

Suggested change
The functions `mbedtls_ecc_group_to_psa()` and mbedtls_ecc_group_from_psa()` are no longer relevant for public use since the legacy side of the conversion is no longer a public interface. They are not used in Mbed TLS. They should be moved to an internal header.
The functions `mbedtls_ecc_group_to_psa()` and `mbedtls_ecc_group_from_psa()` are no longer relevant for public use since the legacy side of the conversion is no longer a public interface. They are not used in Mbed TLS. They should be moved to an internal header.

| `hkdf.h` | `mbedtls_hkdf_` | Delete | https://github.com/Mbed-TLS/mbedtls/issues/9150 |
| `hmac_drbg.h` | `mbedtls_hmac_drbg_` | Private | [can be made fully private](#headers-that-can-be-made-fully-private) with a little work for [RNG header privatization](#rng-header-privatization) |
| `lms.h` | `mbedtls_lms_` | Public | [no PSA equivalent](#cryptographic-mechanisms-with-no-PSA-equivalent) |
| `md.h` | `mbedtls_md_` | Expose | [context types](#headers-with-context-types), but likely [Public hash-only `md.h`](#public-hash-only-md.h) |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: The link doesn't work, maybe:

Suggested change
| `md.h` | `mbedtls_md_` | Expose | [context types](#headers-with-context-types), but likely [Public hash-only `md.h`](#public-hash-only-md.h) |
| `md.h` | `mbedtls_md_` | Expose | [context types](#headers-with-context-types), but likely [Public hash-only `md.h`](#changes-to-public-crypto-headers) |

@gilles-peskine-arm gilles-peskine-arm added needs-review Every commit must be reviewed by at least two team members needs-work priority-high High priority - will be reviewed soon labels Jan 22, 2025
Signed-off-by: Gilles Peskine <[email protected]>
I had reorganized some sections without updating their links. Also fix some
incorrect title-to-fragment conversions (trying to follow GitHub markdown
rules).

Signed-off-by: Gilles Peskine <[email protected]>
* Inside the Mbed TLS library, to parse and write X.509 objects.
* In application code, very occasionally. (Examples: [Fire-evacuation-guidance-system-IoT](https://github.com/2nd-Chance/Fire-evacuation-guidance-system-IoT/blob/33031a8255fe1ae516ddd58f1baa808801cd3abf/iotivity/resource/csdk/security/src/credresource.c#L3185) (dead project), [SiLabs Bluetooth attestation server](https://github.com/SiliconLabs/bluetooth_applications/blob/3eb0f3c9e234ada1f10714fb9376fcbc8e95807f/bluetooth_secure_attestation/bt_secure_attestation_server/src/ecdh_util3.c#L375))

The use of PEM inside the Mbed TLS is intrinsic. It doesn't leak through the API of Mbed TLS, but Mbed TLS cannot be implemented without PEM. This is different from other private modules that Mbed TLS currently calls internally, but will no longer need to call once Mbed TLS has fully migrated to PSA. Thus, in the long term, TF-PSA-Crypto needs to expose its PEM API to Mbed TLS. (We reject the hypotheses of independent PEM implementations, or of making PEM its own library, as too much maintenance work.)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: "the Mbed TLS"


* Inside the crypto library, to implement PEM.
* In the `pem2der` sample program.
* In Mbed TLS SSL test programs, for context serialization. (It's not clear to me why we encode in Base64 rather than binary.)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not clear to me either, seems completely arbitrary to me. (And if we want something printable, we already have utility functions for hex in the test programs and could use that instead.)

Copy link
Contributor

@davidhorstmann-arm davidhorstmann-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noticed a missing header while investigating

| `sha256.h` | `mbedtls_sha256_` | Expose | [context types](#headers-with-context-types) |
| `sha3.h` | `mbedtls_sha3_` | Expose | [context types](#headers-with-context-types) |
| `sha512.h` | `mbedtls_sha512_` | Expose | [context types](#headers-with-context-types) |
| `threading.h` | `mbedtls_threading_` | Public | [Platform headers](#platform-headers) |
Copy link
Contributor

@davidhorstmann-arm davidhorstmann-arm Jan 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This list is missing timing.h I believe. What will happen to this header?

Signed-off-by: Gilles Peskine <[email protected]>
After discussing this with Manuel, we believe that spending the time to
unify the error code space will save us precious design and execution time
for header privatization.

Signed-off-by: Gilles Peskine <[email protected]>
Signed-off-by: Gilles Peskine <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs-review Every commit must be reviewed by at least two team members needs-work priority-high High priority - will be reviewed soon
Projects
Status: In Development
Development

Successfully merging this pull request may close these issues.

3 participants