pal: crypto use secure keys in mfg

[KRKNWK-19108] Signed-off-by: Krzysztof Taborowski <[email protected]>
nrfconnect · Aug 1, 2024 · daf9730 · daf9730
1 parent 3368893
commit daf9730
Show file tree

Hide file tree

Showing 6 changed files with 267 additions and 71 deletions.
diff --git a/samples/sid_end_device/prj.conf b/samples/sid_end_device/prj.conf
@@ -13,6 +13,7 @@ CONFIG_LOG=y
 CONFIG_LOG_PRINTK=y
 CONFIG_LOG_BUFFER_SIZE=2048
 CONFIG_NVS_LOG_LEVEL_WRN=y
+CONFIG_SIDEWALK_CRYPTO_LOG_LEVEL_DBG=y
 
 # Bluetooth
 CONFIG_BT_DEVICE_NAME="Nordic"

diff --git a/subsys/sal/sid_pal/include/sid_crypto_keys.h b/subsys/sal/sid_pal/include/sid_crypto_keys.h
@@ -9,6 +9,8 @@
 
 #include <psa/crypto.h>
 
+#define SID_CRYPTO_KEYS_ID_IS_SIDEWALK_KEY(_id) (PSA_KEY_ID_USER_MIN <= _id && _id < SID_CRYPTO_KEY_ID_LAST)
+
 /**
  * @brief Persistent psa key ids used in Sidewalk.
  */
@@ -30,15 +32,32 @@ typedef enum {
 int sid_crypto_keys_init(void);
 
 /**
- * @brief Set key value.
+ * @brief Import key value form buffer.
+ * 
+ * @note key value under given key id will be overwritten.
  * 
- * @details On success:
- * The raw key data buffer will be overwritten with key id and zeros.
- * key value under given key id will be overwritten.
+ * @param id [in] Key id to import data.
+ * @param data [in] raw key data buffer on input.
+ * @param size [in] size of raw key data buffer.
+ * @return 0 on success, or -errno on failure.
+ */
+int sid_crypto_keys_import(psa_key_id_t id, uint8_t *data, size_t size);
+
+/**
+ * @brief Generate a new key value.
+ * 
+ * @note key value under given key id will be overwritten.
+ * 
+ * @param id [in] Key id to generate new.
+ * @return 0 on success, or -errno on failure.
+ */
+int sid_crypto_keys_generate(psa_key_id_t id);
+
+/**
+ * @brief Set key id in data buffer.
  * 
- * @param id [in] Key id to set with the new data.
- * @param data [in/out] raw key data buffer on input.
- *  overwrite with key id on output.
+ * @param id [in] Key id to write to the data buffer.
+ * @param data [out] key id fulfilled with zeros.
  * @param size [in] size of raw key data buffer.
  * @return 0 on success, or -errno on failure.
  */

diff --git a/subsys/sal/sid_pal/src/sid_crypto.c b/subsys/sal/sid_pal/src/sid_crypto.c
@@ -9,6 +9,9 @@
  */
 
 #include <sid_pal_crypto_ifc.h>
+#ifdef CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE
+#include <sid_crypto_keys.h>
+#endif /* CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE */
 
 #include <zephyr/device.h>
 #include <zephyr/kernel.h>
@@ -151,6 +154,13 @@ static psa_status_t prepare_key(const uint8_t *key, size_t key_length, size_t ke
 		return PSA_ERROR_DATA_INVALID;
 	}
 
+#ifdef CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE
+	int err = sid_crypto_keys_get(key_handle, (uint8_t *)key, key_length);
+	if (!err && key_handle != PSA_KEY_ID_NULL) {
+		return PSA_SUCCESS;
+	}
+#endif /* CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE */
+
 	psa_set_key_usage_flags(&attributes, usage_flags);
 	psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE);
 	psa_set_key_algorithm(&attributes, alg);
@@ -365,6 +375,12 @@ static psa_status_t aead_decrypt(psa_key_handle_t key_handle, sid_pal_aead_param
 
 sid_error_t sid_pal_crypto_init(void)
 {
+#ifdef CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE
+	int err = sid_crypto_keys_init();
+	if (err) {
+		LOG_WRN("Keys init failed! (err: %d)", err);
+	}
+#endif /* CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE */
 	psa_status_t status = psa_crypto_init();
 
 	if (PSA_SUCCESS == status) {
@@ -379,6 +395,13 @@ sid_error_t sid_pal_crypto_init(void)
 
 sid_error_t sid_pal_crypto_deinit(void)
 {
+#ifdef CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE
+	int err = sid_crypto_keys_deinit();
+	if (err) {
+		LOG_WRN("Keys deinit failed! (err: %d)", err);
+	}
+#endif /* CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE */
+
 	is_initialized = false;
 	return SID_ERROR_NONE;
 }
@@ -499,9 +522,17 @@ sid_error_t sid_pal_crypto_hmac(sid_pal_hmac_params_t *params)
 			}
 		}
 
+#ifdef CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE
+		if (!SID_CRYPTO_KEYS_ID_IS_SIDEWALK_KEY(key_handle)) {
+			if (PSA_SUCCESS != psa_destroy_key(key_handle)) {
+				LOG_WRN("Destroy key failed!");
+			}
+		}
+#else
 		if (PSA_SUCCESS != psa_destroy_key(key_handle)) {
 			LOG_WRN("Destroy key failed!");
 		}
+#endif /* CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE */
 	}
 
 	return get_error(status, __func__);
@@ -576,9 +607,17 @@ sid_error_t sid_pal_crypto_aes_crypt(sid_pal_aes_params_t *params)
 			return SID_ERROR_INVALID_ARGS;
 		}
 
+#ifdef CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE
+		if (!SID_CRYPTO_KEYS_ID_IS_SIDEWALK_KEY(key_handle)) {
+			if (PSA_SUCCESS != psa_destroy_key(key_handle)) {
+				LOG_WRN("Destroy key failed!");
+			}
+		}
+#else
 		if (PSA_SUCCESS != psa_destroy_key(key_handle)) {
 			LOG_WRN("Destroy key failed!");
 		}
+#endif /* CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE */
 	}
 
 	return get_error(status, __func__);
@@ -649,9 +688,17 @@ sid_error_t sid_pal_crypto_aead_crypt(sid_pal_aead_params_t *params)
 			return SID_ERROR_INVALID_ARGS;
 		}
 
+#ifdef CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE
+		if (!SID_CRYPTO_KEYS_ID_IS_SIDEWALK_KEY(key_handle)) {
+			if (PSA_SUCCESS != psa_destroy_key(key_handle)) {
+				LOG_WRN("Destroy key failed!");
+			}
+		}
+#else
 		if (PSA_SUCCESS != psa_destroy_key(key_handle)) {
 			LOG_WRN("Destroy key failed!");
 		}
+#endif /* CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE */
 	}
 
 	return get_error(status, __func__);
@@ -715,16 +762,18 @@ sid_error_t sid_pal_crypto_ecc_dsa(sid_pal_dsa_params_t *params)
 			     ECC_FAMILY_TYPE(params->mode, type), &key_handle);
 
 	if (PSA_SUCCESS == status) {
-		LOG_DBG("Key import success.");
+		LOG_DBG("Key import success. handle %04x", key_handle);
 
 		switch (params->mode) {
 		case SID_PAL_CRYPTO_VERIFY:
+			LOG_DBG("dsa verify");
 			status = psa_verify_message(key_handle, alg, params->in, params->in_size,
 						    params->signature, params->sig_size);
 
 			break;
 		case SID_PAL_CRYPTO_SIGN: {
 			size_t out_len;
+			LOG_DBG("dsa sign");
 
 			status = psa_sign_message(key_handle, alg, params->in, params->in_size,
 						  params->signature, params->sig_size, &out_len);
@@ -733,9 +782,17 @@ sid_error_t sid_pal_crypto_ecc_dsa(sid_pal_dsa_params_t *params)
 			return SID_ERROR_INVALID_ARGS;
 		}
 
+#ifdef CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE
+		if (!SID_CRYPTO_KEYS_ID_IS_SIDEWALK_KEY(key_handle)) {
+			if (PSA_SUCCESS != psa_destroy_key(key_handle)) {
+				LOG_WRN("Destroy key failed!");
+			}
+		}
+#else
 		if (PSA_SUCCESS != psa_destroy_key(key_handle)) {
 			LOG_WRN("Destroy key failed!");
 		}
+#endif /* CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE */
 	}
 
 	return get_error(status, __func__);
@@ -796,10 +853,19 @@ sid_error_t sid_pal_crypto_ecc_ecdh(sid_pal_ecdh_params_t *params)
 		status = psa_raw_key_agreement(PSA_ALG_ECDH, priv_key_handle, pub_key, pub_key_size,
 					       params->shared_secret, params->shared_secret_sz,
 					       &out_len);
-	}
+		LOG_DBG("ecdh key agreement %s", (PSA_SUCCESS == status) ? "success." : "failed!");
 
-	if (PSA_SUCCESS != psa_destroy_key(priv_key_handle)) {
-		LOG_WRN("Destroy key failed!");
+#ifdef CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE
+		if (!SID_CRYPTO_KEYS_ID_IS_SIDEWALK_KEY(priv_key_handle)) {
+			if (PSA_SUCCESS != psa_destroy_key(priv_key_handle)) {
+				LOG_WRN("Destroy key failed!");
+			}
+		}
+#else
+		if (PSA_SUCCESS != psa_destroy_key(priv_key_handle)) {
+			LOG_WRN("Destroy key failed!");
+		}
+#endif /* CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE */
 	}
 
 	return get_error(status, __func__);
@@ -877,9 +943,17 @@ sid_error_t sid_pal_crypto_ecc_key_gen(sid_pal_ecc_key_gen_params_t *params)
 				(PSA_SUCCESS == status) ? "success." : "failed!");
 		}
 
+#ifdef CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE
+		if (!SID_CRYPTO_KEYS_ID_IS_SIDEWALK_KEY(keys_handle)) {
+			if (PSA_SUCCESS != psa_destroy_key(keys_handle)) {
+				LOG_WRN("Destroy key failed!");
+			}
+		}
+#else
 		if (PSA_SUCCESS != psa_destroy_key(keys_handle)) {
 			LOG_WRN("Destroy key failed!");
 		}
+#endif /* CONFIG_SIDEWALK_CRYPTO_PSA_KEY_STORAGE */
 	}
 	psa_reset_key_attributes(&key_attributes);