generate key ext: skip driver invocation with non-default method

In the driver wrapper for psa_generate_key() and psa_generate_key_ext(): * Invoke the built-in code if using a non-default method, even if there might be an accelerator. This is ok because we only support non-default methods for RSA and we don't support driver-only RSA, therefore a non-default method will always have built-in code behind it. * Return NOT_SUPPORTED if trying to use a non-default method with an opaque driver. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-14 23:07:33 +01:00 · 2024-02-14 23:07:33 +01:00 · 69f11c8dfb
commit 69f11c8dfb
parent c81393b2ed
3 changed files with 29 additions and 5 deletions
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
@ -738,8 +738,18 @@ static inline psa_status_t psa_driver_wrapper_generate_key(
    psa_key_location_t location =
        PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime);

-    /* TODO: if method is non-default, we need a driver that supports
-     * passing a method. */
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+    int is_default_method =
+        psa_key_generation_method_is_default(method, method_data_length);
+    if( location != PSA_KEY_LOCATION_LOCAL_STORAGE && !is_default_method )
+    {
+        /* We don't support passing a custom method to drivers yet. */
+        return PSA_ERROR_NOT_SUPPORTED;
+    }
+#else
+    int is_default_method = 1;
+    (void) is_default_method;
+#endif

    /* Try dynamically-registered SE interface first */
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
@ -766,8 +776,10 @@ static inline psa_status_t psa_driver_wrapper_generate_key(
    {
        case PSA_KEY_LOCATION_LOCAL_STORAGE:
 #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-            /* Transparent drivers are limited to generating asymmetric keys */
-            if( PSA_KEY_TYPE_IS_ASYMMETRIC( attributes->core.type ) )
+            /* Transparent drivers are limited to generating asymmetric keys. */
+            /* We don't support passing a custom method to drivers yet. */
+            if( PSA_KEY_TYPE_IS_ASYMMETRIC( attributes->core.type ) &&
+                is_default_method )
            {
            /* Cycle through all known transparent accelerators */
 #if defined(PSA_CRYPTO_DRIVER_TEST)