API to keep the key schedule in multi-part operation. #285
Description
Observation
Based on the current design of the multi-part operation, the following sequences setup -> update (n times) -> finish" are used to generate the result. Normally, the setup` operation will be the key schedule in the AES type of operation and it usually takes longer than single block encryption.
In the use case I worked with (specifically Secure Onboard Communication in automotive), they usually use CMAC to create the tag for the message, and the CMAC key leave for the whole session (usually a power cycle). The draw-back I saw with PSA's design is that we need to always call the setup operation in order to be able to update and finish to get the CMAC, otherwise, we will get the BAD_STATE error.
Proposal
My proposal is to have similar API to finish operation (for instance finish_and_reset), which return the result of the operation BUT still keep the operation state in the active and just reset everything else except for the key material inside the operation state variable.
This will look like this.
- The current sequence for CMAC compute for 2 messages:
- Setup: key schedule (expensive operation)
- Update: feed the first message
- Finish: get the first MAC tag
- Setup: key schedule 2nd time (expensive operation)
- Update: feed the second message
- Finish: get the second MAC tag
- (and continue the loop of 3 operations)
- The proposed approach for CMAC compute for 2 messages:
- Setup: key schedule (expensive operation)
- Update: feed the first message
- Finish_and_reset: get the first MAC tag and reset the state
- Update: feed the second message
- Finish_and_reset: get the second MAC tag and reset the state
- (and continue the loop of 2 operations)
Other consideration
I see that there is the key policy PSA_KEY_USAGE_CACHE can be relevant to this, but it seems it is not intuitive for the multi-part operation.