-
Notifications
You must be signed in to change notification settings - Fork 6.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
secure_storage: add a ZMS-based implementation of the ITS store module #81235
base: main
Are you sure you want to change the base?
secure_storage: add a ZMS-based implementation of the ITS store module #81235
Conversation
@tomi-font, |
@tomi-font I would advise on the following alternative approach:
The id's In the saving process the data is first written, then the metadata. In the reading process the metadata id's are searched for the correct psa_its_id, ... , a "reread" can be performed if needed (depending on the flags), followed by the read/validation of the data. At start any data that does not have a corresponding (or invalid) metadata can be removed. This approach is also applicable to nvs, allows simultaneous use of nvs/... for secure storage, settings and other data storage (e.g when |
e778058
to
fb58bc3
Compare
Good point. I was thinking about how to handle potential conflicts, but I think that I will just remove the possibility to use
This makes no sense.
No it's not. And related to that, I will address the topic of UID assignment (for secure storage) in a follow-up PR.
I don't want to reinvent the storage wheel, plus I don't see the advantage in what you're proposing. Might as well just use the settings-based implementation. |
Ok if you think they are a good fit.
No need to address this in a follow-up PR, do it now before it gets used.
There are already users that are using the NVS backend for both settings and data storage, the allocation of ID ranges could be formalized. If on the other hand it is needed that the secure storage has its own backend (as implied by the PR), a slightly modified copy of the flash backend used in tf-m would be more appropriate. If the settings-based implementation fits the need, why propose a different alternative? |
What I am talking about is not specific to what is added in this PR. It's about the PSA Secure Storage API overall. And the rationale for not including it as part of this PR is to keep the scope of a PR focused on one topic.
I agree that it could and even should be formalized.
No, it's not needed. This PR is just to allow direct use of a partition for more control and efficiency of the storage. For the majority of cases it will actually still default to using settings because |
If it is worth using a partition for more control and efficiency of storage it would be good to target as much users as possible. NVS is still much broader used (it is more efficient for most users) and has a large install base. It doesn't seem a good choice to leave these users without a possible more efficient storage solution. Splitting up the storage into metadata (uid, caller uid, flags, (optional) nonce, (optional) tag) and the data itself would give the following advantages:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for adding ZMS backend to secure_storage.
Some few comments but all minors.
Also maybe add a separate commit where you clang-format old code to get rid of github warnings
I'm not a fan of the suggestions. Plus they're just notices. (And have sparked some debate on Discord.) They can be hidden with the |
fb58bc3
to
34ddbcf
Compare
fcb9c32
to
ec6f856
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only some minor comments that you are free to take into account or not
The sector size impacts the runtime behavior of ZMS and restricts the maximum | ||
ITS entry data size (which is the sector size minus ZMS and ITS overhead). | ||
Changing it will result in loss of existing data stored on a partition. | ||
It must be a multiple of the flash page size. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
only for a certain type of flash (that requires erase)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
only for a certain type of flash (that requires erase)
I would rather say "for devices that require erase". There are devices that have erase and have paging (only for that purpose) but you can just write them without explicitly erasing first and without loosing written data in process.
Exactly. Currently it's not safe for different users of the API that are not aware of each other. And this is is true whether the UID range is limited or not. Thus my mention of a follow-up PR that will address this issue which has always been present, since even before the introduction of the secure storage subsystem.
You have a fundamental misunderstanding here. UID values are not chosen randomly/dynamically. But most importantly, you need to stop trying to block legitimate contributions with blanket concerns. This is even more ridiculous when it's clear that you don't know what you're talking about. |
It is reasonable to ask questions and give comments in PR's, but the topics tackled here has been given ample attention both in the Zephyr Security Committee, The Zephyr Security Group in multiple meetings over a long time. The additions suggested in this PR (and related PRs on secure storage) is in my opinion well vetted and understood and accepted across the board for the people who decides what security means in Zephyr I think we can gain much from the standardization of the API(s) in their functional form. Everything that is complicated about this in terms of security (or lack thereof) is thoroughly documented and will continue to get reasonable and rational attention in time to come |
ec6f856
to
287f090
Compare
287f090
to
4e601e3
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks OK.
|
||
static uint32_t zms_id_from(secure_storage_its_uid_t uid) | ||
{ | ||
return (uint32_t)uid.uid | (uid.caller_id << ITS_CALLER_ID_POS); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
uid.uid
is a psa_storage_uid_t
which is a uint64_t
, this cannot be casted to a (uint32_t) without duplicate uses of zms_id.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The result obtained from this is not used before uid
is checked to not have any upper bits set (in has_forbidden_bits_set()
), so here uid.uid
can be considered to be (even less than) a uint32_t
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Where is it documented that this specific implementation of the ITS store module has this limitation on bits?
- How to handle that one implementation of the ITS store module has this limitation, while another does not?
- Why use a 64bit uid when only 30bit are supported?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- subsys/secure_storage/Kconfig.its_store:24
- By letting the users of the API only use a well-defined range of UIDs. Will come in a follow-up PR as stated previously.
- The 64-bit size originally comes from the specification. It could indeed be reduced when allowed values are officially defined.
@Laczen these are valid questions to be asked :) It is so true that we spend a reasonable amount of time debating it in the security working group. The conclusion is that the best we can do regarding clash is what is being done in this pr. As @frkv said this is going to be extensively documented / emphasized to minimize the risk. @tomi-font it does not hurt to mark it as experimental for now IMHO. Lets give it some time for testing before assume it is ready for production. |
For sure. In fact, the whole subsystem is already marked as experimental. 🙂 |
@ceolin, thank you for your reply. As an outsider to the security group I find it hard to believe that preference was given to a storage solution that is supported by bending or limiting the shared API instead of using a storage solution in a way to support the shared API. I admit that I don't know much about the PSA Crypto, PSA Secure Storage, MBEDTLS, but even I can see directly that what is being done here will clash with using the secure storage solution for a PSA Crypto key store. As the PSA Crypto keys are defined to use the full 32 bit uid range (part for user key, part for vendor key, and the other part for future extensions). |
4e601e3
to
36429bb
Compare
d996816
to
e853d2f
Compare
It becomes the new default when the secure_storage_its_partition devicetree chosen property is defined as it is a preferred alternative. See the help message of the `CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_ZMS` Kconfig option for more information. Signed-off-by: Tomi Fontanilles <[email protected]>
Add a test scenario for the ITS store module implementation that uses ZMS for storage. Reorganize the others at the same time. Signed-off-by: Tomi Fontanilles <[email protected]>
Remove the hard restriction on CONFIG_SECURE_STORAGE_ITS_MAX_DATA_SIZE. SETTINGS_MAX_VAL_LEN is in practice not used by any settings backend implementation. Signed-off-by: Tomi Fontanilles <[email protected]>
Output a CMake error when the ITS store module is enabled but no implementation ended up enabled (due to unfulfilled prerequisites). This is to make it more clear than undefined references at link time. Not a fatal error because CMake cannot fail for the twister filtering to work on the tests. Signed-off-by: Tomi Fontanilles <[email protected]>
…tition Align with the behavior of the settings subsystem. Signed-off-by: Tomi Fontanilles <[email protected]>
Use %zu for size_t. Signed-off-by: Tomi Fontanilles <[email protected]>
Align the debug logging with that of the ZMS-based implementation. Signed-off-by: Tomi Fontanilles <[email protected]>
e853d2f
to
28c984e
Compare
Rebased to fix a conflict in |
See the commit messages.
A follow-up PR will introduce the (static) allocation of
psa_storage_uid_t
values for end users of the PSA Secure Storage API.