From d3a797710adb1754d93562bcb0f5c3b85b10a733 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 2 Aug 2023 18:36:06 +0200 Subject: [PATCH] psa_is_key_slot_occupied: change to using the key identifier Signed-off-by: Gilles Peskine --- docs/architecture/psa-thread-safety.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety.md index b15594251..dbc8b9608 100644 --- a/docs/architecture/psa-thread-safety.md +++ b/docs/architecture/psa-thread-safety.md @@ -131,7 +131,7 @@ The following functions modify a slot's usage state: * `psa_key_slot_set_flags` - writes to attr.flags * `psa_key_slot_set_bits_in_flags` - writes to attr.flags * `psa_key_slot_clear_bits` - writes to attr.flags -* `psa_is_key_slot_occupied` - reads attr.type +* `psa_is_key_slot_occupied` - reads attr.type (but see “[Determining whether a key slot is occupied](#determining-whether-a-key-slot-is-occupied)”) * `psa_key_slot_get_flags` - reads attr.flags `psa_crypto_slot_management.c`: 
@@ -171,7 +171,11 @@ The following functions modify a slot's usage state: * `psa_key_derivation_input_key` - reads attr.type * `psa_key_agreement_raw_internal` - reads attr.type and attr.bits -TODO: change `psa_is_key_slot_occupied` to checking the id? +#### Determining whether a key slot is occupied + +`psa_is_key_slot_occupied` currently uses the `attr.type` field to determine whether a key slot is occupied. This works because we maintain the invariant that an occupied slot contains key material. With concurrency, it is desirable to allow a key slot to be reserved, but not yet contain key material or even metadata. When creating a key, determining the key type can be costly, for example when loading a persistent key from storage or (not yet implemented) when importing or unwrapping a key using an interface that determines the key type from the data that it parses. So we should not need to hold the global key store lock while the key type is undetermined. + +Instead, `psa_is_key_slot_occupied` should use the key identifier to decide whether a slot is occupied. The key identifier is always readily available: when allocating a slot for a persistent key, it's an input of the function that allocates the key slot; when allocating a slot for a volatile key, the identifier is calculated from the choice of slot. #### Key slot content
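Review bot: In the first hunk, the new cross-reference `[Determining whether a key slot is occupied](#determining-whether-a-key-slot-is-occupied)` relies on the renderer deriving exactly that slug from the `####` heading added in the second hunk; since this is a repository-hosted markdown file, it is worth confirming the anchor resolves in the renderer that serves `docs/architecture/`, and the entry could state in a few words that the `attr.type` check is slated to change (e.g. "reads attr.type; planned to change to the key identifier, see ...") so a reader scanning the list does not take the current behaviour as the intended design.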
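Review bot: The second hunk argues that the occupancy check should move from `attr.type` to the key identifier so that the global key store lock need not be held while the key type is undetermined, but it does not state the invariant that makes the new check safe: the identifier must be written into the slot while the lock is still held (before the slot is released for the potentially slow type determination) and must be cleared when the slot is freed, otherwise a reserved-but-unpopulated slot would be indistinguishable from a free one and could be handed out twice. Suggest adding a sentence along the lines of "A slot is occupied if and only if its key identifier is set; the identifier is assigned under the key store lock when the slot is reserved and cleared when the slot is wiped." Since the patch touches only `docs/architecture/psa-thread-safety.md` (1 file changed), the subject line "change to using the key identifier" reads as if code were changed; a subject such as "document plan to change psa_is_key_slot_occupied to use the key identifier" would match the content.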