SE key registration: call p_validate_slot_number

gilles-peskine-arm · gilles-peskine-arm · commit d98a71e0e952 · 2019-08-05T16:48:32.000+02:00
When registering a key in a secure element, if the driver has a
p_validate_slot_number method, call it.
diff --git a/include/psa/crypto_se_driver.h b/include/psa/crypto_se_driver.h
@@ -818,6 +818,27 @@ typedef enum
     PSA_KEY_CREATION_GENERATE, /**< During psa_generate_key() */
     PSA_KEY_CREATION_DERIVE, /**< During psa_key_derivation_output_key() */
     PSA_KEY_CREATION_COPY, /**< During psa_copy_key() */
+
+#ifndef __DOXYGEN_ONLY__
+    /** A key is being registered with mbedtls_psa_register_se_key().
+     *
+     * The core only passes this value to
+     * psa_drv_se_key_management_t::p_validate_slot_number, not to
+     * psa_drv_se_key_management_t::p_allocate. The call to
+     * `p_validate_slot_number` is not followed by any other call to the
+     * driver: the key is considered successfully registered if the call to
+     * `p_validate_slot_number` succeeds, or if `p_validate_slot_number` is
+     * null.
+     *
+     * With this creation method, the driver must return #PSA_SUCCESS if
+     * the given attributes are compatible with the existing key in the slot,
+     * and #PSA_ERROR_DOES_NOT_EXIST if the driver can determine that there
+     * is no key with the specified slot number.
+     *
+     * This is an Mbed Crypto extension.
+     */
+    PSA_KEY_CREATION_REGISTER,
+#endif
 } psa_key_creation_method_t;
 
 /** \brief A function that allocates a slot for a key.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
@@ -1914,6 +1914,21 @@ psa_status_t mbedtls_psa_register_se_key(
         goto exit;
     }
 
+    /* If the driver has a slot number validation method, call it.
+     * If it doesn't, it means the secure element is unable to validate
+     * anything and so we have to trust the application. */
+    if( drv->key_management != NULL &&
+        drv->key_management->p_validate_slot_number != NULL )
+    {
+        status = drv->key_management->p_validate_slot_number(
+            psa_get_se_driver_context( driver ),
+            attributes,
+            PSA_KEY_CREATION_REGISTER,
+            slot->data.se.slot_number );
+        if( status != PSA_SUCCESS )
+            goto exit;
+    }
+
     status = psa_finish_key_creation( slot, driver );
 
 exit:
