Lines Matching refs:a

5 a persistent key store. It is possible to create a persistent key and read it back later. This mus…
7 a system crash or power loss. That is, we assume that the underlying platform behaves nominally, e…
9 This document explores the problem space, defines a library design and a test design.
15 …any given point in time, the system is either in a state where the function has not started yet, o…
17a function returns, the data has been written to the persistent storage. As a consequence, if the …
19 …mple, if a key creation function in the PSA Crypto API reports to the application that a key has b…
23 PSA relies on a PSA ITS (Internal Trusted Storage) interface, which exposes a simple API. There are…
25 * `set()` writes a whole file (either creating it, or replacing the previous content).
26 * `remove()` removes a file (returning a specific error code if the file does not exist).
30 …atomic, the content of a file is always a version that was previously passed to `set()`. We do not…
34 a transparent key, all key management operations (creation or destruction) on persistent keys rely…
40 As a consequence, apart from the listed cases, the API calls inherit directly from the [resilience …
46 a key stored in a stateful secure element, i.e. a secure element that stores keys. This excludes k…
56 For a secure element key, key management requires a commitment on both sites. For example, consider…
58 1. The core sends a request to the secure element to create a key.
65 As a consequence, the content of the storage cannot remain the same between the end of step 1 and t…
67 Accomplishing a transaction across system boundaries is a well-known problem in database management…
71 a key in a stateful secure element, a successful creation process goes as follows (see [“Key manag…
74 2. The driver allocates a unique identifier _D_ for the key. This is unrelated to the key identifie…
75 …t key identifier _A_ has the identifier _D_ in the driver, and that _A_ is in a half-created state.
78 6. The core updates the storage to indicate that _A_ is now in a fully created state. This conclude…
80 If there is a loss of power:
93 If there is a loss of power:
99 In both cases, upon restart, the core needs to perform a transaction recovery. When a power loss ha…
101 … driver does not update its persistent state during a key management operation (or at least not in…
107 …with the secure element is fast, for key management operations that require a small amount of comp…
111 …es whose name is or encodes the key identifier. It must start by traversing a small number of file…
113 #### Minimum effort for a transaction
115 …lying-file-storage), each atomic operation in the internal storage concerns a single file: either …
117 …ion function must transform the internal storage from a state where file `id` does not exist, to a
119 …or a key that is not in a stateful element, the transaction consists of a single write operation. …
121 a power failure around the time of changing the state of the secure element, there must be informa…
123 * Write (create or update) a file `t` referencing `id`.
129 a key management involves writing an intermediate state for `id` before modifying the secure eleme…
133 … transaction(s) that need to be resumed. This information will be stored in a persistent “transact…
137 a transaction is in progress. In each case, the core can either decide to commit the transaction (…
140 …rt. This seems impractical in general. Also, the second driver call requires a new call to `"alloca…
156 …e-secure-element-strategy). This requires the secure element driver to have a `"get_key_attributes…
157 …covery process might not even need to know whether it's recovering a key creation or a key destruc…
158 a `"get_key_attributes"` entry point. Compared to always following the state of the secure element…
159 …ollow the state of the secure element for key destruction. I can't think of a good reason to choos…
161 a `"get_key_attributes"` entry point is potentially problematic because some secure elements don't…
211 …the key has been added to the transaction list, and ignoring any failure of a removal action if th…
213 1. Remove the key file, treating `DOES_NOT_EXIST` as a success.
214 2. Call the driver's `"destroy_key"` entry point, treating `DOES_NOT_EXIST` as a success.
217 #### Always-destroy strategy with a simpler transaction file
236 …the key has been added to the transaction list, and ignoring any failure of a removal action if th…
239 2. Call the driver's `"destroy_key"` entry point, treating `DOES_NOT_EXIST` as a success.
240 3. Remove the key file, treating `DOES_NOT_EXIST` as a success.
245 * The transaction file handling is simpler since its entries have a fixed size.
246 …t to create the key material”, those happen at different times. But there's a different flow for s…
250 …re element driver may themselves be non-atomic. So the driver must be given a chance to perform re…
252 …driver will know if a transaction was in progress and the core cannot be sure about the state of t…
254 …strategy. Under this strategy, if the key might be in a transitional state, the core will request
262 Non-atomic processes consist of a series of atomic, committing steps.
264 a modification of persistent state, either in storage or in the (simulated) secure element, try bo…
266 a binary tree of possibilities: after each state modification, there may or may not be a restart, …
268 …ion that each storage update step, as well as the recovery after a restart, each make a single (at…
283 …eed to test what happens in execution sequences that take recovery step 1 more than twice in a row.
289 * Normal operation must maintain a certain invariant on the state of the world (internal storage an…
295 …of how the system state was reached. We only need to artificially construct a representative sampl…
297 … it is easier to specify and test what happens if the library is updated on a device with leftover…
301 …ecovery-strategies), the information about active transactions is stored in a transaction list fil…
303 …s to keys in that secure element contained in key files. More generally, if a key is not in the tr…
313 * If the file `id` does not exist, then no resources corresponding to that key are in a secure elem…
314 * If `id` is not in the transaction list and the file `id` exists and references a key in a statefu…
324 …is correct to destroy the key in the secure element (treating a `DOES_NOT_EXIST` error as a succes…
331 … the file `id` does not exist, then no resources corresponding to that key are in a secure element.
338 …t exist, then destroy the key in the secure element (treating a `DOES_NOT_EXIST` error as a succes…
340 …is correct to destroy the key in the secure element (treating a `DOES_NOT_EXIST` error as a succes…
345 For a given key, we have to consider three a priori independent boolean states:
355 ### Choice of a transaction design
359 …or transactions”](#optimization-considerations-for-transactions), we choose a transaction algorith…
367 …e same time, we pick the simplest possible layout for the transaction list: a simple array of key …
372 This choice of algorithm does not require the secure element driver to have a `"get_key_attributes"…
378 * If the file `id` does not exist, then no resources corresponding to that key are in a secure elem…
379 * If `id` is not in the transaction list and the file `id` exists and references a key in a statefu…
380 * If `id` is in the transaction list and a key exists by that identifier, the key's location is a s…
384 …ick the [always-destroy recovery strategy with a simple transaction file](#always-destroy-strategy…
387 …ll the secure element's key destruction entry point (treating a `DOES_NOT_EXIST` error as a succes…
391 …lements) and the specific choices justified in [“Choice of a transaction design”](choice-of-a-tran…
395 The transaction list is a simple array of key identifiers.
397 To add a key identifier to the list:
403 To remove a key identifier from the list:
415 … storage. Note that this is done at a different time from what happens when creating a transparent…
431 a key slot in memory: the core needs to know the key's location in order to determine whether the …
445 1. Load the key into a key slot in memory (to get its location and the driver key identifier, altho…
457 The transaction list file contains a [fixed header](#transaction-list-header-format) followed by a
463 …e first two bytes of a [dynamic secure element transaction file](#dynamic-secure-element-transacti…
464 …d_t)`. Storing this size avoids reading bad data if Mbed TLS is upgraded to a different integratio…
468a time, so the size of an element is not critical for efficiency. Therefore, in addition to the ke…
482 a “transaction file” (`PSA_CRYPTO_ITS_TRANSACTION_UID` = 0xffffff54), used by dynamic secure eleme…
484 For the new kind of secure element driver, we pick a different file name to avoid any mixup.
492 …` is enabled, each call to `psa_its_set()` or `psa_its_remove()` also calls a test hook, passing t…
494 a stateful secure element driver is present in the build, we use this hook to verify that the stor…
500 * When invoked from the test hook on a key file: on that key.
502 * When invoked from a test secure element: on the specified key.
510 When no secure element driver is present in the build, the presence of a transaction list file duri…
514 When the stateful test secure element driver is present in the build, we run test cases on a repres…
517 * Create a transaction list file with a certain content.
526 For a given key located in a secure element, the following combinations of states are possible:
534 …test case for each creation method other than import, to ensure that we don't reject a valid value.
536 Note: testing of a damaged filesystem (including a filesystem that doesn't meet the invariant) is o…