sys/psa_crypto: Ed25519 (EdDSA) support #19954
7ff1059 to b9711d4
b9711d4 to 3627baa
To me this looks good. I'm also not so sure about using gotos. I learned to avoid them, but in this case it reduces redundancy without seeming too confusing. How is the community's general opinion on those?
@mguetschow can you isolate a67890f into its own PR as a bug fix, in case the review of the rest takes longer? Since we discussed this part, and I know a little bit about the package Makefiles in general, I would instantly ACK this, but I don't feel knowledgeable about the rest. This way the bug fix gets into master faster.
using
19959: pkg/driver_cryptocell_310: Fix Makefile r=miri64 a=mguetschow

### Contribution description

- make sure to download/extract during prepare, instead of build
- this fixes the issue of missing include dependencies for other pkgs at build time

### Testing procedure

- for an app Makefile, include both `c25519` and `driver_cryptocell_310`
- on `master`, `make all` fails with a missing include path from the `driver_cryptocell_310` package
- with this change, it works

### Issues/PRs references

- isolated from #19954 as suggested by `@miri64`

Co-authored-by: Mikolai Gütschow <[email protected]>
19959: pkg/driver_cryptocell_310: Fix Makefile r=benpicco a=mguetschow

### Contribution description

- make sure to download/extract during prepare, instead of build
- this fixes the issue of missing include dependencies for other pkgs at build time

### Testing procedure

- for an app Makefile, include both `c25519` and `driver_cryptocell_310`
- on `master`, `make all` fails with a missing include path from the `driver_cryptocell_310` package
- with this change, it works

### Issues/PRs references

- isolated from #19954 as suggested by `@miri64`

19960: dist/tools/jlink: fix DBG_PID assignment r=benpicco a=LP-HAW

19961: ztimer_periodic: fix example in documentation r=benpicco a=benpicco

Co-authored-by: Mikolai Gütschow <[email protected]>
Co-authored-by: LP-HAW <[email protected]>
Co-authored-by: Benjamin Valentin <[email protected]>
19959: pkg/driver_cryptocell_310: Fix Makefile r=benpicco a=mguetschow

### Contribution description

- make sure to download/extract during prepare, instead of build
- this fixes the issue of missing include dependencies for other pkgs at build time

### Testing procedure

- for an app Makefile, include both `c25519` and `driver_cryptocell_310`
- on `master`, `make all` fails with a missing include path from the `driver_cryptocell_310` package
- with this change, it works

### Issues/PRs references

- isolated from #19954 as suggested by `@miri64`

Co-authored-by: Mikolai Gütschow <[email protected]>
pkg/driver_cryptocell_310/Makefile
Outdated
|
||
ifneq ($(RIOTBASE),) | ||
include $(RIOTBASE)/Makefile.base | ||
endif | ||
|
||
.PHONY: all clean distclean prepare | ||
.PHONY: all clean distcleanq |
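Review bot: on the last `.PHONY` line, `prepare` is no longer listed and `distclean` is spelled `distcleanq` (assuming that line is the added one, since the +/- markers are not visible here). If this Makefile still defines a `prepare` rule for the download/extract step, keep it phony, e.g. `.PHONY: all clean distclean prepare`, so that a stray file named `prepare` in the package directory cannot cause the rule to be skipped.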
Is `distcleanq` supposed to be `distclean`?
Yes, obviously, good catch. Unfortunately this got already merged with #19959, but I've added another commit fixing the typo here.
guarding {sign,verify}_{hash,message} functions see https://github.com/Mbed-TLS/mbedtls/blob/72718dd87e087215ce9155a826ee5a66cfbe9631/include/psa/crypto_values.h\#L1678
3627baa to d8d5478
CRYSError_t ret; | ||
|
||
/* contains seed (private key), concatenated with public key */ | ||
uint8_t secret_key[CRYS_ECEDW_ORD_SIZE_IN_BYTES + CRYS_ECEDW_MOD_SIZE_IN_BYTES] = { 0x0 }; |
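Review bot: `secret_key` keeps the seed (private key) in a stack buffer, so it needs to be cleared on every return path once it has been filled; the visible lines show only the declaration, so please confirm that the `explicit_bzero()` wipe mentioned in the PR description covers this buffer with `sizeof(secret_key)`. It would also help to state in the comment that only the first `CRYS_ECEDW_ORD_SIZE_IN_BYTES` bytes are the private key, since the buffer is sized for both halves.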
One thing I just noticed: is there a reason why you write the key into this buffer first and then later memcpy it into priv_key_buffer, instead of directly writing it there?
Yes, the reason is that the cryptocell API returns the seed (private key) concatenated with the public key in a single buffer, see here. `secret_key` therefore needs to be (at least) 64B while `priv_key_buffer` only needs to hold the seed (private key) which is 32B.
But looking at it, I notice that the second `memcpy` is redundant, since it should already be written by the cryptocell API. Will remove that.
> But looking at it, I notice that the second `memcpy` is redundant, since it should already be written by the cryptocell API. Will remove that.

Done with b2349f4.
Looks good to me, then!
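The pattern discussed in this review thread and in the PR description (a 64 B stack buffer holding seed and public key, only 32 B copied out as the private key, and a single `goto` exit that wipes the stack copy), as an added example that is not code from this PR or from RIOT. `backend_keygen()`, `generate_key()` and the return codes are hypothetical, and `secure_wipe()` is a portable stand-in for `explicit_bzero()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SEED_LEN 32u  /* Ed25519 seed (private key), 32 B as stated in the thread */
#define PUB_LEN  32u  /* Ed25519 public key */

/* Portable stand-in for explicit_bzero(): volatile stores are not elided. */
static void secure_wipe(void *buf, size_t len)
{
    volatile uint8_t *p = buf;
    while (len--) { *p++ = 0; }
}

/* Hypothetical backend (constructed for this example): like the API described
 * in the thread, it returns seed || public key in one 64 B buffer.
 * The output bytes are a fixed pattern, not a real key. */
static int backend_keygen(uint8_t out[SEED_LEN + PUB_LEN], int fail)
{
    if (fail) { return -1; }
    for (size_t i = 0; i < SEED_LEN + PUB_LEN; i++) { out[i] = (uint8_t)(i + 1); }
    return 0;
}

/* Single exit point: every path, including the error paths, wipes the
 * stack copy of the seed before returning. */
int generate_key(uint8_t *priv, size_t priv_size,
                 uint8_t *pub, size_t pub_size, int fail)
{
    int ret;
    uint8_t secret_key[SEED_LEN + PUB_LEN] = { 0 };

    if (priv_size < SEED_LEN || pub_size < PUB_LEN) {
        ret = -2;                       /* caller buffer too small */
        goto done;
    }
    ret = backend_keygen(secret_key, fail);
    if (ret != 0) {
        goto done;                      /* outputs stay untouched */
    }
    memcpy(priv, secret_key, SEED_LEN);           /* seed only, 32 B */
    memcpy(pub, secret_key + SEED_LEN, PUB_LEN);  /* public half */

done:
    secure_wipe(secret_key, sizeof(secret_key));
    return ret;
}
```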
b2349f4 to da41dd1
Sorry, my bad, I committed an unrelated change which increased the stack size for gcoap by mistake 🙈 Should work now.
Does someone have a clue why the CI is failing for The build output shows little information:
I've not written any
Could it be linked to the file
Off the top of my head: If you add a feature starting with TLDR; add
bors merge
19954: sys/psa_crypto: Ed25519 (EdDSA) support r=benpicco a=mguetschow

### Contribution description

- implement [`psa_sign_message()`](https://armmbed.github.io/mbed-crypto/html/api/ops/sign.html#c.psa_sign_message) and [`psa_verify_message()`](https://armmbed.github.io/mbed-crypto/html/api/ops/sign.html#c.psa_verify_message) for the two already supported [`PSA_ALG_ECDSA`](https://armmbed.github.io/mbed-crypto/html/api/ops/sign.html#c.PSA_ALG_ECDSA) algorithms, together with the CryptoCell and `micro-ecc` backends (*not* for the SE backend)
- add support for [`PSA_ALG_PURE_EDDSA`](https://armmbed.github.io/mbed-crypto/html/api/ops/sign.html#c.PSA_ALG_PURE_EDDSA), together with the CryptoCell hardware and `c25519` software backend (*not* for the SE backend)
- wipe private key data from stack for both ECDSA and EdDSA algorithms using `explicit_bzero()` (opinions from experienced Riot maintainers about usage of `goto` to avoid duplicating that function call before every `return`?)

### Testing procedure

- `examples/psa_crypto` has been updated to include EdDSA
- successfully tested configurations:
  - `nrf52840dk` with cryptocell (hardware) and `c25519` (software) backend
  - `native` with software backend

### Issues/PRs references

Thanks `@Einhornhool` for the PSA Crypto framework implementation #18547 which is great to work with!

19966: sys/event: add event_is_queued() r=benpicco a=fabian18

Co-authored-by: Mikolai Gütschow <[email protected]>
Co-authored-by: Fabian Hüßler <[email protected]>
bors merge
bors cancel
Build succeeded! The publicly hosted instance of bors-ng is deprecated and will go away soon. If you want to self-host your own instance, instructions are here. If you want to switch to GitHub's built-in merge queue, visit their help page.
19465: drivers/mtd: use XFA for pointers to defined MTDs r=benpicco a=gschorcht

### Contribution description

This PR provides the support to hold pointers to defined MTDs within a XFA. The XFA allows

- to access MTDs of different types (`mtd_flashpage`, `mtd_sdcard`, `mtd_emulated`, ...) by an index
- to determine the number of MTDs defined in the system.

### Testing procedure

To be defined once PR #19443 is merged because emulated MTDs will allow to test this PR on arbitrary boards.

### Porting Guide

For external boards:

- remove the `MTD_NUMOF` definition from `board.h`
- add `MTD_XFA_ADD(<mtd_dev>, <idx>);` to the definition of `<mtd_dev>`.
- `MTD_0`, `MTD_1`, … defines are no longer needed.

### Issues/PRs references

Related to PR #19443

19981: Fletcher32: Add incremental API r=benpicco a=bergzand

### Contribution description

This PR extends the current fletcher32 checksum with an incremental API mode. This way the bytes to be checksummed can be supplied via multiple successive calls and do not have to be provided in a single consecutive buffer.

I've also rephrased the warning with the original function a bit as that function uses an `unaligned_get_u16` to access the data. The data thus does not require alignment, but the length does need to be supplied as number of 16 bit words.

### Testing procedure

The test has been extended

### Issues/PRs references

None

19995: sys/psa_crypto: Fix macro for public key max size and SE example r=benpicco a=Einhornhool

### Contribution description

#### 1. Wrong public key size when using secure elements, introduced by #19954

Fixed conditions for key size macros in `crypto_sizes.h`.

#### 2. EdDSA and ECDSA examples fail when using a secure element because of unsupported changes introduced by #19954

Updated `example/psa_crypto` to use only supported functions for secure elements.

### Testing procedure

Build `example/psa_crypto` for secure elements and run application

Output on master:

```
2023-10-19 14:33:24,372 # main(): This is RIOT! (Version: 2019.07-devel-22378-gb6772)
2023-10-19 14:33:24,372 # HMAC SHA256 took 56393 us
2023-10-19 14:33:24,372 # Cipher AES 128 took 68826 us
2023-10-19 14:33:24,372 # *** RIOT kernel panic:
2023-10-19 14:33:24,373 # HARD FAULT HANDLER
2023-10-19 14:33:24,373 #
2023-10-19 14:33:24,373 # *** rebooting...
```

Output with fixes:

```
2023-10-19 13:35:24,715 # main(): This is RIOT! (Version: 2019.07-devel-22384-g8ef66-dev/psa-crypto-fixes)
2023-10-19 13:35:24,715 # HMAC SHA256 took 56374 us
2023-10-19 13:35:24,715 # Cipher AES 128 took 68805 us
2023-10-19 13:35:24,715 # ECDSA took 281164 us
2023-10-19 13:35:24,715 # All Done
```

Co-authored-by: Gunar Schorcht <[email protected]>
Co-authored-by: Koen Zandberg <[email protected]>
Co-authored-by: Lena Boeckmann <[email protected]>
20037: nib/_nib-6ln: bail out early if address is no longer assigned [backport 2023.10] r=benpicco a=MrKevinWeiss

# Backport of #19999

20038: nanocoap: prevent integer underflow in coap_opt_put_uri_pathquery() [backport 2023.10] r=benpicco a=MrKevinWeiss

# Backport of #19994

20039: sys/psa_crypto: Fix macro for public key max size and SE example [backport 2023.10] r=benpicco a=MrKevinWeiss

# Backport of #19995

### Contribution description

#### 1. Wrong public key size when using secure elements, introduced by #19954

Fixed conditions for key size macros in `crypto_sizes.h`.

#### 2. EdDSA and ECDSA examples fail when using a secure element because of unsupported changes introduced by #19954

Updated `example/psa_crypto` to use only supported functions for secure elements.

### Testing procedure

Build `example/psa_crypto` for secure elements and run application

Output on master:

```
2023-10-19 14:33:24,372 # main(): This is RIOT! (Version: 2019.07-devel-22378-gb6772)
2023-10-19 14:33:24,372 # HMAC SHA256 took 56393 us
2023-10-19 14:33:24,372 # Cipher AES 128 took 68826 us
2023-10-19 14:33:24,372 # *** RIOT kernel panic:
2023-10-19 14:33:24,373 # HARD FAULT HANDLER
2023-10-19 14:33:24,373 #
2023-10-19 14:33:24,373 # *** rebooting...
```

Output with fixes:

```
2023-10-19 13:35:24,715 # main(): This is RIOT! (Version: 2019.07-devel-22384-g8ef66-dev/psa-crypto-fixes)
2023-10-19 13:35:24,715 # HMAC SHA256 took 56374 us
2023-10-19 13:35:24,715 # Cipher AES 128 took 68805 us
2023-10-19 13:35:24,715 # ECDSA took 281164 us
2023-10-19 13:35:24,715 # All Done
```

Co-authored-by: Benjamin Valentin <[email protected]>
Co-authored-by: Lena Boeckmann <[email protected]>
### Contribution description

- implement `psa_sign_message()` and `psa_verify_message()` for the two already supported `PSA_ALG_ECDSA` algorithms, together with the CryptoCell and `micro-ecc` backends (*not* for the SE backend)
- add support for `PSA_ALG_PURE_EDDSA`, together with the CryptoCell hardware and `c25519` software backend (*not* for the SE backend)
- wipe private key data from stack for both ECDSA and EdDSA algorithms using `explicit_bzero()` (opinions from experienced Riot maintainers about usage of `goto` to avoid duplicating that function call before every `return`?)

### Testing procedure

- `examples/psa_crypto` has been updated to include EdDSA
- successfully tested configurations:
  - `nrf52840dk` with cryptocell (hardware) and `c25519` (software) backend
  - `native` with software backend

### Issues/PRs references

Thanks @Einhornhool for the PSA Crypto framework implementation #18547 which is great to work with!