Trying to use vanilla psa wrapper #159

Draft
wants to merge 2 commits into
base: main

geonnave
Collaborator

@geonnave geonnave commented Nov 28, 2023

The approach is twofold:

  1. Avoid depending on point compression on the PSA side, since the PSA API seems to not support compressed points.
  2. Use a newly patched crypto-psa that only has patches for no-std and baremetal features (no patches at the mbedtls level). I hope to be able to merge that upstream, so that we can use the vanilla psa wrapper.

Reasoning behind this PR:

  • PSA seems to be getting popular, as per recent adoption in RIOT and also its presence in the cc312 sdk. I think it is good if we have an unpatched backend based on it. Right now this comes at the cost of providing our own implementations of extract and expand, and manually decompressing public keys using a third party library.
  • Simplify publication at crates.io.
  • Have a baremetal, software-based, fully functional crypto backend (rustcrypto seems to depend on RIOT for the RNG).

Edit: possible upstream no-std feature for crypto-psa tracked here.

Doing this since psa does not support compressed form.
This has an overhead of around 14KB due to pulling the p256 crate.
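
The decompression step that the first comment and this commit message refer to, as an added Python sketch that is not code from this PR or from the p256 crate: it expands a SEC1 compressed P-256 point (`02`/`03 || X`) into the uncompressed `04 || X || Y` encoding and refuses any X that is not on the curve. The function name `decompress_p256` is an assumption made for the example, and the sample input is the curve's standard base point.

```python
# P-256 (secp256r1) domain parameters; the curve is y^2 = x^3 - 3x + b (mod p).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

# Sample input for the example: the standard P-256 base point G.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def decompress_p256(compressed: bytes) -> bytes:
    """Expand a 33-byte SEC1 compressed point into 04 || X || Y (65 bytes).

    Raises ValueError for malformed input or an X with no point on the curve,
    so an off-curve public key never reaches the crypto backend.
    """
    if len(compressed) != 33 or compressed[0] not in (0x02, 0x03):
        raise ValueError("expected a 33-byte SEC1 compressed point")
    x = int.from_bytes(compressed[1:], "big")
    if x >= P:
        raise ValueError("x coordinate is not a field element")

    rhs = (pow(x, 3, P) - 3 * x + B) % P
    # p is congruent to 3 mod 4, so a square root of rhs, if one exists,
    # is rhs^((p+1)/4) mod p.
    y = pow(rhs, (P + 1) // 4, P)
    if (y * y) % P != rhs:
        # rhs is a quadratic non-residue: no curve point has this x.
        raise ValueError("x coordinate is not on P-256")

    # The prefix byte carries the parity of y (02 = even, 03 = odd).
    if (y & 1) != (compressed[0] & 1):
        y = P - y
    return b"\x04" + compressed[1:] + y.to_bytes(32, "big")


if __name__ == "__main__":
    # GY is odd, so the compressed form of G starts with 03.
    g_compressed = b"\x03" + GX.to_bytes(32, "big")
    print(decompress_p256(g_compressed).hex())
```
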
@geonnave
Collaborator Author

Oh, I was too happy when the local tests passed, but the actual compilation for the embedded target failed. Seems to be an issue with building mbedtls.

@geonnave
Collaborator Author

Good news -- I was able to compile and run on the nRF52840.

Bad news -- mbedtls still requires a patch to build correctly in the way we want to use it:

diff --git a/scripts/config.py b/scripts/config.py
index 6d5edc7c0..36312df04 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -241,6 +241,7 @@ def full_adapter(name, active, section):
 # need to be repeated here.
 EXCLUDE_FROM_BAREMETAL = frozenset([
     #pylint: disable=line-too-long
+    'MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS',
     'MBEDTLS_ENTROPY_NV_SEED', # requires a filesystem and FS_IO or alternate NV seed hooks
     'MBEDTLS_FS_IO', # requires a filesystem
     'MBEDTLS_HAVE_TIME', # requires a clock
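
Review bot: the new `'MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS',` entry in EXCLUDE_FROM_BAREMETAL is the only one visible here without a trailing reason, while its neighbours each state what they need (`# requires a filesystem`, `# requires a clock`). Please add a comment saying what this option requires that a baremetal build lacks, so a later reader can tell whether the exclusion is general or specific to this project's build. It is also inserted ahead of `MBEDTLS_ENTROPY_NV_SEED`, which breaks the alphabetical order that the entries after it keep.
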
@@ -270,6 +271,20 @@ def baremetal_adapter(name, active, section):
     if name == 'MBEDTLS_NO_PLATFORM_ENTROPY':
         # No OS-provided entropy source
         return True
+    if name == 'MBEDTLS_ENTROPY_HARDWARE_ALT':
+        # Custom entropy source provided
+        return True
+    if name == 'MBEDTLS_ENTROPY_FORCE_SHA256':
+        # Force SHA-256 accumulator
+        return True
+    if name == 'MBEDTLS_MEMORY_BUFFER_ALLOC_C':
+        return True
+    if name == 'MBEDTLS_PLATFORM_C':
+        return True
+    if name == 'MBEDTLS_PLATFORM_MEMORY':
+        return True
+    if name == 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS':
+        return True
     return include_in_full(name) and keep_in_baremetal(name)
 
 def include_in_crypto(name):
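
Review bot: the `MBEDTLS_ENTROPY_HARDWARE_ALT` branch in baremetal_adapter returns True on the strength of the comment "Custom entropy source provided", but nothing in the adapter can check that a source is actually supplied; together with the `MBEDTLS_NO_PLATFORM_ENTROPY` branch just above it, a configuration produced through this adapter then relies on the integrator's source alone for all key material. Consider keeping these overrides in a project-specific configuration rather than in the shared baremetal adapter, or at least state that requirement in the comment. The four branches from `MBEDTLS_MEMORY_BUFFER_ALLOC_C` to `MBEDTLS_PLATFORM_NO_STD_FUNCTIONS` carry no comment at all, and the six identical `if name == ...: return True` blocks would read better as a single membership test against a named frozenset, in the same style as EXCLUDE_FROM_BAREMETAL.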
