[nrf noup] Constant size for psa_core_key_attributes_t struct

-There is an inconsistency between PSA Crypto API specification in Mbed TLS and in the interface exposed by TF-M for key representation where an additional type has been added to hold information about owner. This functionality is controlled by setting the configuration MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER which configures the type Mbed TLS internal type mbedtls_svc_key_id_t to a structure type of two words and not as a single word compatible with the PSA Crypto API type psk_key_id_t. This commit adds a reserved word in psa_core_key_attributes_t after the instance of mbedtls_svc_key_id_t to ensure that this structure is binary compatible with PSA Crypto drivers that are built with MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER. This is a [noup] commit as this problem for our pre-built PSA crypto drivers which is required to be compiled with the configuration MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER enabled to ensure support with and without TF-M using the same library. ref: NCSDK-17464 Signed-off-by: Markus Swarowsky <[email protected]> Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 89419b3)
nrfconnect · Feb 20, 2023 · c2a2056 · c2a2056
1 parent eec8b1d
commit c2a2056
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
@@ -319,20 +319,44 @@ typedef uint16_t psa_key_attributes_flag_t;
 #define MBEDTLS_PSA_KA_MASK_DUAL_USE (          \
         0 )
 
+/* Only used when the key id doesn't encode the owners id, to fill the reserved
+ * field in psa_core_key_attributes_t
+*/
+#define MBEDTLS_KEY_ATTRIBUTE_RESERVED_INIT (int32_t) 0
+
 typedef struct
 {
     psa_key_type_t MBEDTLS_PRIVATE(type);
     psa_key_bits_t MBEDTLS_PRIVATE(bits);
     psa_key_lifetime_t MBEDTLS_PRIVATE(lifetime);
     mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id);
+/* This ensures that size of struct doesn't change size depending on setting 
+ * MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 
+ */
+#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+    int32_t  MBEDTLS_PRIVATE(reserved);
+#endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
     psa_key_policy_t MBEDTLS_PRIVATE(policy);
     psa_key_attributes_flag_t MBEDTLS_PRIVATE(flags);
 } psa_core_key_attributes_t;
 
+/* 
+ * Changing MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER changes the size 
+ * of psa_core_key_attributes_t, which can lead to incompatibilties.
+ * This provides a compatible version of initialisation.
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
 #define PSA_CORE_KEY_ATTRIBUTES_INIT { PSA_KEY_TYPE_NONE, 0,            \
                                        PSA_KEY_LIFETIME_VOLATILE,       \
                                        MBEDTLS_SVC_KEY_ID_INIT,         \
                                        PSA_KEY_POLICY_INIT, 0 }
+#else
+#define PSA_CORE_KEY_ATTRIBUTES_INIT { PSA_KEY_TYPE_NONE, 0,                \
+                                       PSA_KEY_LIFETIME_VOLATILE,           \
+                                       MBEDTLS_SVC_KEY_ID_INIT,             \
+                                       MBEDTLS_KEY_ATTRIBUTE_RESERVED_INIT, \
+                                       PSA_KEY_POLICY_INIT, 0 }
+#endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
 
 struct psa_key_attributes_s
 {