-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PSA fails to account for configurations with RSA but without MBEDTLS_GENPRIME #4512
Labels
Comments
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 14, 2021
At the moment, the only difference in Mbed TLS configuration options set by MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY is that MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR defines MBEDTLS_GENPRIME and MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY does not. When working backwards however, when configuring what functionality is available in Mbed TLS's PSA implementation based on Mbed TLS configuration defines (i.e. when MBEDTLS_PSA_CRYPTO_CONFIG is not defined), both MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY are set regardless of the MBEDTLS_GENPRIME setting. On space-constrained platforms, it is a useful configuration to be able to import/export and work with RSA, but exclude RSA key generation, potentially saving flash space. Change config_psa.h to only set MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR if MBEDTLS_GENPRIME is also set. This restores the configuration behavior present in Mbed TLS v2.24.0 and earlier versions. Without this change, linker errors will occur when attempts to call, which doesn't exist when MBEDTLS_GENPRIME is unset. psa_crypto_rsa.c.obj: in function `rsa_generate_key': psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key' Fixes Mbed-TLS#4512 Signed-off-by: Jaeden Amero <[email protected]>
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 14, 2021
At the moment, the only difference in Mbed TLS configuration options set by MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY is that MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR defines MBEDTLS_GENPRIME and MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY does not. When working backwards however, when configuring what functionality is available in Mbed TLS's PSA implementation based on Mbed TLS configuration defines (i.e. when MBEDTLS_PSA_CRYPTO_CONFIG is not defined), both MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY are set regardless of the MBEDTLS_GENPRIME setting. On space-constrained platforms, it is a useful configuration to be able to import/export and work with RSA, but exclude RSA key generation, potentially saving flash space. Change config_psa.h to only set MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR if MBEDTLS_GENPRIME is also set. This restores the configuration behavior present in Mbed TLS v2.24.0 and earlier versions. Without this change, linker errors will occur when attempts to call, which doesn't exist when MBEDTLS_GENPRIME is unset. psa_crypto_rsa.c.obj: in function `rsa_generate_key': psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key' Fixes Mbed-TLS#4512 Signed-off-by: Jaeden Amero <[email protected]>
4 tasks
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 14, 2021
At the moment, the only difference in Mbed TLS configuration options set by MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY is that MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR defines MBEDTLS_GENPRIME and MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY does not. When working backwards however, when configuring what functionality is available in Mbed TLS's PSA implementation based on Mbed TLS configuration defines (i.e. when MBEDTLS_PSA_CRYPTO_CONFIG is not defined), both MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR and MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY are set regardless of the MBEDTLS_GENPRIME setting. On space-constrained platforms, it is a useful configuration to be able to import/export and work with RSA, but exclude RSA key generation, potentially saving flash space. Change config_psa.h to only set MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR if MBEDTLS_GENPRIME is also set. This restores the configuration behavior present in Mbed TLS v2.24.0 and earlier versions. Without this change, linker errors will occur when attempts to call, which doesn't exist when MBEDTLS_GENPRIME is unset. psa_crypto_rsa.c.obj: in function `rsa_generate_key': psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key' Fixes Mbed-TLS#4512 Signed-off-by: Jaeden Amero <[email protected]>
Patater
added a commit
to Patater/mbed-os
that referenced
this issue
May 14, 2021
Until we have a fix for Mbed-TLS/mbedtls#4512, we need to patch the fix during import time. Otherwise, we run into linker errors when PSA attempts to use RSA key generation, which we've excluded. This patch is extracted from Mbed-TLS/mbedtls#4513
gilles-peskine-arm
added
bug
component-psa
PSA keystore/dispatch layer (storage, drivers, …)
Product Backlog
labels
May 18, 2021
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 19, 2021
On space-constrained platforms, it is a useful configuration to be able to import/export and perform RSA key pair operations, but to exclude RSA key generation, potentially saving flash space. It is not possible to express this with the PSA_WANT_ configuration system at the present time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it was possible to configure a software PSA implementation which was capable of making RSA signatures but not capable of generating RSA keys. To do this, one unset MBEDTLS_GENPRIME. Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this expressivity was lost. Expressing that you wanted to work with RSA key pairs forced you to include the ability to generate key pairs as well. Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if MBEDTLS_GENPRIME is also set. This restores the configuration behavior present in Mbed TLS v2.24.0 and earlier versions. It left as a future exercise to add the ability to PSA to be able to express a desire for a software or accelerator configuration that includes RSA key pair operations, like signature, but excludes key pair generation. Without this change, linker errors will occur when attempts to call, which doesn't exist when MBEDTLS_GENPRIME is unset. psa_crypto_rsa.c.obj: in function `rsa_generate_key': psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key' Fixes Mbed-TLS#4512 Signed-off-by: Jaeden Amero <[email protected]>
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 19, 2021
On space-constrained platforms, it is a useful configuration to be able to import/export and perform RSA key pair operations, but to exclude RSA key generation, potentially saving flash space. It is not possible to express this with the PSA_WANT_ configuration system at the present time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it was possible to configure a software PSA implementation which was capable of making RSA signatures but not capable of generating RSA keys. To do this, one unset MBEDTLS_GENPRIME. Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this expressivity was lost. Expressing that you wanted to work with RSA key pairs forced you to include the ability to generate key pairs as well. Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if MBEDTLS_GENPRIME is also set. This restores the configuration behavior present in Mbed TLS v2.24.0 and earlier versions. It left as a future exercise to add the ability to PSA to be able to express a desire for a software or accelerator configuration that includes RSA key pair operations, like signature, but excludes key pair generation. Without this change, linker errors will occur when attempts to call, which doesn't exist when MBEDTLS_GENPRIME is unset. psa_crypto_rsa.c.obj: in function `rsa_generate_key': psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key' Fixes Mbed-TLS#4512 Signed-off-by: Jaeden Amero <[email protected]>
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 20, 2021
On space-constrained platforms, it is a useful configuration to be able to import/export and perform RSA key pair operations, but to exclude RSA key generation, potentially saving flash space. It is not possible to express this with the PSA_WANT_ configuration system at the present time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it was possible to configure a software PSA implementation which was capable of making RSA signatures but not capable of generating RSA keys. To do this, one unset MBEDTLS_GENPRIME. Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this expressivity was lost. Expressing that you wanted to work with RSA key pairs forced you to include the ability to generate key pairs as well. Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if MBEDTLS_GENPRIME is also set. This restores the configuration behavior present in Mbed TLS v2.24.0 and earlier versions. It left as a future exercise to add the ability to PSA to be able to express a desire for a software or accelerator configuration that includes RSA key pair operations, like signature, but excludes key pair generation. Without this change, linker errors will occur when attempts to call, which doesn't exist when MBEDTLS_GENPRIME is unset. psa_crypto_rsa.c.obj: in function `rsa_generate_key': psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key' Fixes Mbed-TLS#4512 Signed-off-by: Jaeden Amero <[email protected]>
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 20, 2021
On space-constrained platforms, it is a useful configuration to be able to import/export and perform RSA key pair operations, but to exclude RSA key generation, potentially saving flash space. It is not possible to express this with the PSA_WANT_ configuration system at the present time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it was possible to configure a software PSA implementation which was capable of making RSA signatures but not capable of generating RSA keys. To do this, one unset MBEDTLS_GENPRIME. Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this expressivity was lost. Expressing that you wanted to work with RSA key pairs forced you to include the ability to generate key pairs as well. Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if MBEDTLS_GENPRIME is also set. This restores the configuration behavior present in Mbed TLS v2.24.0 and earlier versions. It left as a future exercise to add the ability to PSA to be able to express a desire for a software or accelerator configuration that includes RSA key pair operations, like signature, but excludes key pair generation. Without this change, linker errors will occur when attempts to call, which doesn't exist when MBEDTLS_GENPRIME is unset. psa_crypto_rsa.c.obj: in function `rsa_generate_key': psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key' Fixes Mbed-TLS#4512 Signed-off-by: Jaeden Amero <[email protected]>
Patater
added a commit
to Patater/mbedtls
that referenced
this issue
May 21, 2021
On space-constrained platforms, it is a useful configuration to be able to import/export and perform RSA key pair operations, but to exclude RSA key generation, potentially saving flash space. It is not possible to express this with the PSA_WANT_ configuration system at the present time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it was possible to configure a software PSA implementation which was capable of making RSA signatures but not capable of generating RSA keys. To do this, one unset MBEDTLS_GENPRIME. Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this expressivity was lost. Expressing that you wanted to work with RSA key pairs forced you to include the ability to generate key pairs as well. Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if MBEDTLS_GENPRIME is also set. This restores the configuration behavior present in Mbed TLS v2.24.0 and earlier versions. It left as a future exercise to add the ability to PSA to be able to express a desire for a software or accelerator configuration that includes RSA key pair operations, like signature, but excludes key pair generation. Without this change, linker errors will occur when attempts to call, which doesn't exist when MBEDTLS_GENPRIME is unset. psa_crypto_rsa.c.obj: in function `rsa_generate_key': psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key' Fixes Mbed-TLS#4512 Signed-off-by: Jaeden Amero <[email protected]>
3 tasks
MubeenHCLite
pushed a commit
to MubeenHCLite/mbed-os
that referenced
this issue
Jun 14, 2021
Until we have a fix for Mbed-TLS/mbedtls#4512, we need to patch the fix during import time. Otherwise, we run into linker errors when PSA attempts to use RSA key generation, which we've excluded. This patch is extracted from Mbed-TLS/mbedtls#4513
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Bug
mbed TLS build:
Version: 2.25.0 or newer
Configuration: Default without
MBEDTLS_GENPRIME
Expected behavior
PSA should offer features based on the Mbed TLS features available.
Actual behavior
When
MBEDTLS_GENPRIME
is not set, PSA attempts to callmbedtls_rsa_gen_key()
which isn't available.Steps to reproduce
Build Mbed TLS with its default configuration, but unset
MBEDTLS_GENPRIME
Observe linker error
The text was updated successfully, but these errors were encountered: