crypto service: Crypto access control

Implement crypto keys access control in crypto service:
- Only the key owner (the partition which created the key)
  is allowed to manage (import/export/open/close/destroy/etc.)
  the key.
- Only the key owner (the partition which created the key)
  is allowed to use the key handle for crypto operations which
  require a key handle.

Author: itayzafrir

components/TARGET_PSA/services/crypto/COMPONENT_SPE/psa_crypto_access_control.c

@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2019, Arm Limited and affiliates
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <string.h>
+
+#include "psa_crypto_access_control.h"
+#include "psa_crypto_slot_management.h"
+#include "spm_panic.h"
+
+typedef struct psa_crypto_access_control_s {
+    psa_key_handle_t key_handle;
+    int32_t partition_id;
+} psa_crypto_access_control_t;
+
+static psa_crypto_access_control_t crypto_access_control_arr[PSA_KEY_SLOT_COUNT];
+
+#define PSA_CRYPTO_ACCESS_CONTROL_RESET() (memset(crypto_access_control_arr, 0, sizeof(crypto_access_control_arr)))
+
+void psa_crypto_access_control_init(void)
+{
+    PSA_CRYPTO_ACCESS_CONTROL_RESET();
+}
+
+void psa_crypto_access_control_destroy(void)
+{
+    PSA_CRYPTO_ACCESS_CONTROL_RESET();
+}
+
+void psa_crypto_access_control_register_handle(psa_key_handle_t key_handle, int32_t partition_id)
+{
+    for (size_t i = 0; i < PSA_KEY_SLOT_COUNT; i++) {
+        if (crypto_access_control_arr[i].key_handle == 0 &&
+                crypto_access_control_arr[i].partition_id == 0) {
+            crypto_access_control_arr[i].key_handle = key_handle;
+            crypto_access_control_arr[i].partition_id = partition_id;
+            return;
+        }
+    }
+
+    SPM_PANIC("psa_crypto_access_control_register_handle failed");
+}
+
+void psa_crypto_access_control_unregister_handle(psa_key_handle_t key_handle)
+{
+    for (size_t i = 0; i < PSA_KEY_SLOT_COUNT; i++) {
+        if (crypto_access_control_arr[i].key_handle == key_handle) {
+            crypto_access_control_arr[i].key_handle = 0;
+            crypto_access_control_arr[i].partition_id = 0;
+            return;
+        }
+    }
+
+    SPM_PANIC("psa_crypto_access_control_unregister_handle failed");
+}
+
+uint8_t psa_crypto_access_control_is_handle_permitted(psa_key_handle_t key_handle, int32_t partition_id)
+{
+    for (size_t i = 0; i < PSA_KEY_SLOT_COUNT; i++) {
+        if (crypto_access_control_arr[i].key_handle == key_handle &&
+                crypto_access_control_arr[i].partition_id == partition_id) {
+            return 1;
+        }
+    }
+
+    return 0;
+}

components/TARGET_PSA/services/crypto/COMPONENT_SPE/psa_crypto_access_control.h

@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2019, Arm Limited and affiliates
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_ACCESS_CONTROL_H
+#define PSA_CRYPTO_ACCESS_CONTROL_H
+
+#include <stdint.h>
+
+#include "psa_crypto_core.h"
+#include "crypto_platform.h"
+
+void psa_crypto_access_control_init(void);
+
+void psa_crypto_access_control_destroy(void);
+
+void psa_crypto_access_control_register_handle(psa_key_handle_t key_handle, int32_t partition_id);
+
+void psa_crypto_access_control_unregister_handle(psa_key_handle_t key_handle);
+
+uint8_t psa_crypto_access_control_is_handle_permitted(psa_key_handle_t key_handle, int32_t partition_id);
+
+#endif /* PSA_CRYPTO_ACCESS_CONTROL_H */