
sys/psa_crypto: Implement persistent key storage

Open Einhornhool opened this issue 2 years ago • 3 comments

Contribution description

This is an implementation of persistent key storage in PSA Crypto. It uses VFS with littlefs2 and MTD. PSA keys are encoded in CBOR, written to files and stored in flash (or emulated flash, depending on the MTD implementation).

So far this works on native and the nRF52840dk and it requires that the board supports MTD. This is why it is optional and must be enabled explicitly when building PSA Crypto.

Testing procedure

tests/sys/psa_crypto_persistent_storage and tests/sys/psa_crypto_cbor_encoder should pass successfully on the supported platforms. examples/psa_crypto should still build and run without problems.

Issues/PRs references

Probably needs to be updated once #19992 is merged, since this does not yet include the module separation.

Einhornhool avatar Nov 21 '23 15:11 Einhornhool

@mguetschow thank you for the nice and detailed feedback! I didn't finish everything today, but I'm working on it =)

Einhornhool avatar Jan 03 '24 16:01 Einhornhool

Two more things I thought about:

  1. The keys are stored in plain-text on the (external) flash memory and could be easily read out by anyone getting their hands on the flash module. Securing this is out of scope for this PR, I'd say, but at least it should be mentioned in the documentation (maybe in a warning box?).
  2. CONFIG_PSA_SINGLE_KEY_COUNT and friends only refer to in-memory key slots, this PR supports a virtually unlimited number of (additional) persistent keys, right? Maybe that should be explicitly mentioned in the docs, too.

mguetschow avatar Jan 05 '24 09:01 mguetschow

> Just a small comment: Could you maybe avoid rebasing before pushing the changes so that Github can show me a nice diff of the actual new changes?

Sorry, I did a rebase, because the first version of this PR was still based on the code before the changes we made in #19992 and I wanted to have the most current version. But I will consider this in the future =)

Einhornhool avatar Jan 23 '24 09:01 Einhornhool

Murdock results

:heavy_check_mark: PASSED

cbadc4f6584444f5af91ab9ba630177c74c42b79 sys/psa_crypto: implement persistent key storage

Success Failures Total Runtime
10065 0 10066 13m:57s

riot-ci avatar Mar 14 '24 10:03 riot-ci

Great, congrats! :tada:

mguetschow avatar Apr 17 '24 11:04 mguetschow

Hey, short question: Why does this only work on the nrf52840dk and native?

Ollrogge avatar May 02 '24 14:05 Ollrogge

I think™ the implementation should work on all boards supporting MTD, but has only been tested on native and nrf52840dk for now. @Einhornhool could correct me if I'm wrong, and you should be able to test it on a suitable board using USEMODULE += psa_persistent_storage.

mguetschow avatar May 03 '24 11:05 mguetschow

> Hey, short question: Why does this only work on the nrf52840dk and native?

As Mikolai said, it should work with boards that support MTD. I just haven't tested it with all of them and can't guarantee that it works. Of course you can try it.

Einhornhool avatar May 03 '24 11:05 Einhornhool