Nuvoton: Fix mbedtls crypto ECC AC management failed #8985
Conversation
Mbed TLS doesn't guarantee mbedtls_internal_ecp_init()/mbedtls_internal_ecp_free() are paired. To avoid multiple operations to the same ECC accelerator simultaneously, we narrow ECC accelerator open period to just real ECC accelerator operation in internal_run_eccop()/internal_run_modop().
|
@ccli8, thank you for your changes. |
| MBEDTLS_MPI_CHK(ecc_done ? 0 : -1); | ||
|
|
||
|
|
||
| MBEDTLS_MPI_CHK(ecc_done ? 0 : MBEDTLS_ERR_SSL_HW_ACCEL_FAILED); |
There was a problem hiding this comment.
MBEDTLS_ERR_SSL_HW_ACCEL_FAILED is for hardware accelerators that do TLS record processing, could we please return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED instead?
| MBEDTLS_MPI_CHK(ecc_done ? 0 : -1); | ||
|
|
||
|
|
||
| MBEDTLS_MPI_CHK(ecc_done ? 0 : MBEDTLS_ERR_SSL_HW_ACCEL_FAILED); |
There was a problem hiding this comment.
MBEDTLS_ERR_SSL_HW_ACCEL_FAILED is for hardware accelerators that do TLS record processing, could we please return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED instead?
…ED when ECC H/W acceleratioin is failed MBEDTLS_ERR_SSL_HW_ACCEL_FAILED is for hardware accelerators that do TLS record processing. Replace it with MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED when ECC H/W acceleratioin is failed.
@0xc0170 No. This PR just fixes tls connection failure (simple-mbed-cloud-client-tests-dev_mgmt-connect/Initialize Simple PDMC or simple-mbed-cloud-client-tests-dev_mgmt-update/Initialize Simple PDMC) on mbed-os 5.11 rc or master branch. Other PDMC failures are under checking. |
Is that by design, or an error? It to me like the intent is that they be paired, and by code inspection they seem to be for a single operation. Is this a thread-safety issue? If it is, then taking a mutex in Looking at the patch, you are implementing your own locking on the internal op. That locking is unpleasant because it isn't using a mutex, just busy-waiting. That busy-waiting will fail the instant anyone uses different thread priorities. It would be better to use a mutex, but then that may be a bit heavyweight if it's in an inner loop. (Not sure if it is). Given that contention on the ECP unit is likely to be low, I think you really would be best off just taking a mutex in init, and releasing it in free, minimising the overhead. |
It is by design. The calls are not necessarily paired. If there are more than one |
|
Looking at the code, the That's distinct from the |
|
The config file description for
(Someone has apparently renamed |
|
Indeed these are completely different functions than the ones that can overlap. These should be called in pairs and as far as I can tell they are. |
|
I have found an issue that might be the reason for this. I'll put up a PR with the fix soon. |
|
Rereading the patch more closely, I see that the busy-wait loop was already there, and does follow the locking pattern I was suggesting. If there is indeed an mbed TLS issue, then you may not need to move it now, but I'd still like to see it turned into a real mutex as soon as possible. That loop is going to bite us at some point - I know some of the PDMC code likes using different thread priorities, and it's just asking for deadlock. |
|
@kjbracey-arm I am replacing busy-wait loop with mutex, but fail to pass PDMC Greentest. The error scenario is that for the same void mbedtls_sha256_init(mbedtls_sha256_context *ctx)
{
/* Try locking mutex. On success, go H/W SHA, else go S/W SHA. */
}
void mbedtls_sha256_free(mbedtls_sha256_context *ctx)
{
/* If H/W SHA, unlock mutex */
}
|
|
If you really can't context save and restore, rather than use a mutex, you could use a semaphore. However, if you wait for the semaphore, that opens you up to priority inversion problems - a little better than the busy wait loop, but can still deadlock. Another alternative is a separate task that picks up SHA operations from a queue. Gets rid of deadlock. But... Regardless of mechanism, if the hardware is exclusively held for the entire duration of a SHA context, that could cause significant scheduling problems. A long-running normal priority SHA operation could totally lock out some high-priority time-critical small SHA from a high-priority thread. That's conceptually the sort of thing that would kill WiSUN, say - unable to send a secure ack because someone is encrypting a big packet payload to send. (We hit that bug in Nanostack - failed because had only 1 context. Added second context to make it work). So I think the solution may have to be that you use a semaphore, but don't wait, and if the semaphore is not available, use a software fallback. But then if you never wait for the semaphore, then it doesn't have to be an actual RTOS semaphore - a simple flag like you have now would do. |
Description
In mbed-os 5.11, Mbed TLS doesn't guarantee
mbedtls_internal_ecp_init()/mbedtls_internal_ecp_free()are paired. When they are not paired, system would hang in Nuvoton's ECC AC management. This PR majorly tries to release the limit by narrwoing ECC AC open period to just real ECC AC operation. With this modification, pairing
mbedtls_internal_ecp_init()/mbedtls_internal_ecp_free()is not required, for example, multiplembedtls_internal_ecp_init()and finally onembedtls_internal_ecp_free()is allowed.Related target
Related issue
#8927
Pull request type