pal: crypto use secure keys in storage

[KRKNWK-19108] Signed-off-by: Krzysztof Taborowski <[email protected]>
nrfconnect · Aug 1, 2024 · 09b08e8 · 09b08e8
1 parent daf9730
commit 09b08e8
Show file tree

Hide file tree

Showing 4 changed files with 107 additions and 4 deletions.
diff --git a/subsys/sal/sid_pal/include/sid_crypto_keys.h b/subsys/sal/sid_pal/include/sid_crypto_keys.h
@@ -19,7 +19,6 @@ typedef enum {
     SID_CRYPTO_MFG_SECP_256R1_PRIV_KEY_ID,
     SID_CRYPTO_KV_WAN_MASTER_KEY_ID,
     SID_CRYPTO_KV_APP_KEY_KEY_ID,
-    SID_CRYPTO_KV_PAN_KEY_ID,
     SID_CRYPTO_KV_D2D_KEY_ID,
     SID_CRYPTO_KEY_ID_LAST
 } sid_crypto_key_id_t;
@@ -75,6 +74,13 @@ int sid_crypto_keys_set(psa_key_id_t id, uint8_t *data, size_t size);
  */
 int sid_crypto_keys_get(psa_key_id_t *id, uint8_t *data, size_t size);
 
+/**
+ * @brief Destroy key.
+ * 
+ * @param id [in] psa key id to be permanently removed.
+ * @return 0 on success, or -errno on failure.
+ */
+int sid_crypto_keys_delete(psa_key_id_t id);
 
 /**
  * @brief Deinit sidewalk key storage.

diff --git a/subsys/sal/sid_pal/src/sid_crypto_keys.c b/subsys/sal/sid_pal/src/sid_crypto_keys.c
@@ -69,7 +69,6 @@ static void sid_crypto_keys_attributes_set(sid_crypto_key_id_t sid_key_id,
 		break;
 	case SID_CRYPTO_KV_WAN_MASTER_KEY_ID:
 	case SID_CRYPTO_KV_APP_KEY_KEY_ID:
-	case SID_CRYPTO_KV_PAN_KEY_ID:
 	case SID_CRYPTO_KV_D2D_KEY_ID:
 		usage_flags = PSA_KEY_USAGE_SIGN_MESSAGE;
 		alg = PSA_ALG_CMAC;
@@ -196,7 +195,7 @@ int sid_crypto_keys_get(psa_key_id_t *id, uint8_t *data, size_t size)
 	/* if key not found, assign null id */
 	*id = PSA_KEY_ID_NULL;
 
-	/* Check if a key data cosists only of key id and zeros */
+	/* Check if a key data consists only of key id and zeros */
 	psa_key_id_t *data_id = (psa_key_id_t *)data;
 	if (!SID_CRYPTO_KEYS_ID_IS_SIDEWALK_KEY(*data_id)) {
 		return -ENOENT;
@@ -213,6 +212,25 @@ int sid_crypto_keys_get(psa_key_id_t *id, uint8_t *data, size_t size)
 	return ESUCCESS;
 }
 
+int sid_crypto_keys_delete(psa_key_id_t id)
+{
+	if (PSA_KEY_ID_NULL == id) {
+		return -EINVAL;
+	}
+
+	if (!SID_CRYPTO_KEYS_ID_IS_SIDEWALK_KEY(id)) {
+		return -ENOENT;
+	}
+
+	psa_status_t status = psa_destroy_key(id);
+	if (status != PSA_SUCCESS) {
+		LOG_ERR("psa_destroy_key failed! (err %d id %d)", status, id);
+		return -EFAULT;
+	}
+
+	return ESUCCESS;
+}
+
 int sid_crypto_keys_deinit(void)
 {
 	/* Nothing to do, left for stable api for future features */

diff --git a/subsys/sal/sid_pal/src/sid_storage.c b/subsys/sal/sid_pal/src/sid_storage.c
@@ -13,12 +13,35 @@
 #include <stdio.h>
 #include <zephyr/kernel.h>
 #include <zephyr/settings/settings.h>
+#ifdef CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE
+#include <sid_crypto_keys.h>
+
+#define STORAGE_KV_INTERNAL_PROTOCOL_GROUP_ID 0
+#define STORAGE_KV_WAN_MASTER_KEY 28
+#define STORAGE_KV_APP_MASTER_KEY 30
+#define STORAGE_KV_D2D_MASTER_KEY 48
+#endif /* CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE */
 
 #include <zephyr/logging/log.h>
 #include <settings_utils.h>
 
 LOG_MODULE_REGISTER(sid_storage, CONFIG_SIDEWALK_LOG_LEVEL);
 
+static psa_key_id_t storage2key_id(uint16_t group, uint16_t key)
+{
+	if (STORAGE_KV_INTERNAL_PROTOCOL_GROUP_ID == group) {
+		switch (key) {
+		case STORAGE_KV_WAN_MASTER_KEY:
+			return SID_CRYPTO_KV_WAN_MASTER_KEY_ID;
+		case STORAGE_KV_APP_MASTER_KEY:
+			return SID_CRYPTO_KV_APP_KEY_KEY_ID;
+		case STORAGE_KV_D2D_MASTER_KEY:
+			return SID_CRYPTO_KV_D2D_KEY_ID;
+		}
+	}
+	return PSA_KEY_ID_NULL;
+}
+
 sid_error_t sid_pal_storage_kv_init()
 {
 	int rc = settings_subsys_init();
@@ -46,6 +69,19 @@ sid_error_t sid_pal_storage_kv_record_get(uint16_t group, uint16_t key, void *p_
 	if (!p_data) {
 		return SID_ERROR_NULL_POINTER;
 	}
+
+#ifdef CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE
+	psa_key_id_t key_id = storage2key_id(group, key);
+	if (SID_CRYPTO_KEYS_ID_IS_SIDEWALK_KEY(key_id)) {
+		int err = sid_crypto_keys_set(key_id, (uint8_t *)p_data, len);
+		if (err) {
+			LOG_ERR("Failed to read secure key id %d", key_id);
+		} else {
+			return SID_ERROR_NONE;
+		}
+	}
+#endif /* CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE */
+
 	char serial[32] = { 0 };
 	settings_serialize_group_key(serial, sizeof(serial), group, key);
 	int rc = settings_utils_load_immediate_value(serial, p_data, len);
@@ -78,6 +114,19 @@ sid_error_t sid_pal_storage_kv_record_set(uint16_t group, uint16_t key, void con
 	if (len == 0) {
 		return SID_ERROR_INVALID_ARGS;
 	}
+
+#ifdef CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE
+	psa_key_id_t key_id = storage2key_id(group, key);
+	if (SID_CRYPTO_KEYS_ID_IS_SIDEWALK_KEY(key_id)) {
+		int err = sid_crypto_keys_import(key_id, (uint8_t *)p_data, len);
+		if (err) {
+			LOG_ERR("Failed to write secure key id %d", key_id);
+		} else {
+			return SID_ERROR_NONE;
+		}
+	}
+#endif /* CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE */
+
 	char serial[32] = { 0 };
 	settings_serialize_group_key(serial, sizeof(serial), group, key);
 
@@ -97,6 +146,18 @@ sid_error_t sid_pal_storage_kv_record_set(uint16_t group, uint16_t key, void con
 
 sid_error_t sid_pal_storage_kv_record_delete(uint16_t group, uint16_t key)
 {
+#ifdef CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE
+	psa_key_id_t key_id = storage2key_id(group, key);
+	if (SID_CRYPTO_KEYS_ID_IS_SIDEWALK_KEY(key_id)) {
+		int err = sid_crypto_keys_delete(key_id);
+		if (err) {
+			LOG_ERR("Failed to delete secure key id %d", key_id);
+		} else {
+			return SID_ERROR_NONE;
+		}
+	}
+#endif /* CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE */
+
 	char serial[32] = { 0 };
 	settings_serialize_group_key(serial, sizeof(serial), group, key);
 	int rc = settings_delete(serial);
@@ -123,6 +184,24 @@ int delete_subtree_cb(const char *key, size_t len, settings_read_cb read_cb, voi
 
 sid_error_t sid_pal_storage_kv_group_delete(uint16_t group)
 {
+#ifdef CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE
+	if (STORAGE_KV_INTERNAL_PROTOCOL_GROUP_ID == group) {
+		int err = sid_crypto_keys_delete(SID_CRYPTO_KV_WAN_MASTER_KEY_ID);
+		if (err) {
+			LOG_ERR("Failed to delete secure key id %d",
+				SID_CRYPTO_KV_WAN_MASTER_KEY_ID);
+		}
+		err = sid_crypto_keys_delete(SID_CRYPTO_KV_APP_KEY_KEY_ID);
+		if (err) {
+			LOG_ERR("Failed to delete secure key id %d", SID_CRYPTO_KV_APP_KEY_KEY_ID);
+		}
+		err = sid_crypto_keys_delete(SID_CRYPTO_KV_D2D_KEY_ID);
+		if (err) {
+			LOG_ERR("Failed to delete secure key id %d", SID_CRYPTO_KV_D2D_KEY_ID);
+		}
+	}
+#endif /* CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE */
+
 	char serial[32] = { 0 };
 	settings_serialize_group(serial, sizeof(serial), group);
 	int rc = settings_load_subtree_direct(serial, delete_subtree_cb, (void *)serial);

diff --git a/tests/functional/crypto_keys/src/main.c b/tests/functional/crypto_keys/src/main.c
@@ -24,7 +24,7 @@ static void *setup(void)
 
 static void teardown(void *f)
 {
-	psa_destroy_key(test_key_id);
+	sid_crypto_keys_delete(test_key_id);
 	sid_pal_crypto_deinit();
 }