Skip to content

Trying to use vanilla psa wrapper#159

Draft
geonnave wants to merge 2 commits intolake-rs:mainfrom
geonnave:try-psa-upstream
Draft

Trying to use vanilla psa wrapper#159
geonnave wants to merge 2 commits intolake-rs:mainfrom
geonnave:try-psa-upstream

Conversation

@geonnave
Copy link
Collaborator

@geonnave geonnave commented Nov 28, 2023
edited
Loading

The approach is twofold:

  1. Avoid depending on point compression on psa side, since the PSA API seems to not support compressed points.
  2. Use a newly patched crypto-psa that only has patches for no-std and baremetal features (no patches at the mbedtls level). I hope to be able to merge that upstream, so that we can use the vanilla psa wrapper.

Reasoning behind this PR:

  • PSA seems to be getting popular, as per recent adoption in RIOT and also its presence in the cc312 sdk. I think it is good if we have an unpatched backend based on it. Right now this comes at the cost of providing our own implementations of extract and expand, and manually decompressing public keys using a third party library.
  • Simplify publication at crates.io.
  • Have a baremetal, software-based, fully functional crypto backend (rustcrypto seems to depend on RIOT for the RNG).

Edit: possible upstream no-std feature for crypto-psa tracked here.

@geonnave
feat: use crate p256 to decompress the public key
8cc7057 
Doing this since psa does not support compressed form.
This has an overhead of around 14KB due to pulling the p256 crate.
@geonnave
chore: update rust-psa (patched only for baremetal)
54ea9db
@geonnave
Copy link
Collaborator Author

geonnave commented Nov 28, 2023

Oh, I was too happy when the local tests passed, but the actual compilation for the embedded target failed. Seems to be an issue with building mbedtls.

@geonnave
Copy link
Collaborator Author

geonnave commented Nov 29, 2023

Good news -- I was able to compile and run on the nRF52840.

Bad news -- mbedtls still requires a patch to build correctly in the way we want to use it:

diff --git a/scripts/config.py b/scripts/config.py
index 6d5edc7c0..36312df04 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -241,6 +241,7 @@ def full_adapter(name, active, section):
 # need to be repeated here.
 EXCLUDE_FROM_BAREMETAL = frozenset([
     #pylint: disable=line-too-long
+    'MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS',
     'MBEDTLS_ENTROPY_NV_SEED', # requires a filesystem and FS_IO or alternate NV seed hooks
     'MBEDTLS_FS_IO', # requires a filesystem
     'MBEDTLS_HAVE_TIME', # requires a clock
@@ -270,6 +271,20 @@ def baremetal_adapter(name, active, section):
     if name == 'MBEDTLS_NO_PLATFORM_ENTROPY':
         # No OS-provided entropy source
         return True
+    if name == 'MBEDTLS_ENTROPY_HARDWARE_ALT':
+        # Custom entropy source provided
+        return True
+    if name == 'MBEDTLS_ENTROPY_FORCE_SHA256':
+        # Force SHA-256 accumulator
+        return True
+    if name == 'MBEDTLS_MEMORY_BUFFER_ALLOC_C':
+        return True
+    if name == 'MBEDTLS_PLATFORM_C':
+        return True
+    if name == 'MBEDTLS_PLATFORM_MEMORY':
+        return True
+    if name == 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS':
+        return True
     return include_in_full(name) and keep_in_baremetal(name)
 
 def include_in_crypto(name):

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

type:cleanup

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@geonnave