Lines Matching +full:iris +full:- +full:rules +full:- +full:performance
13 …-software.github.io/psa-api/crypto/1.1/overview/conventions.html#input-buffer-sizes) and [output b…
19 …-defined system interfaces. For example, this can be a Unix/POSIX-like system that isolates proces…
33 * in some scenarios, a client of the client, which makes an RPC to the crypto client which re-shares…
37 #### Read-read inconsistency
39 If an input argument is in shared memory, there is a risk of a **read-read inconsistency**:
45 …y example (parsing): suppose the input contains data with a type-length-value or length-value enco…
47 …RPC to perform authenticated encryption, using a mechanism with an encrypt-and-MAC structure. The …
52 #### Write-read inconsistency
54 If an output argument is in shared memory, there is a risk of a **write-read inconsistency**:
60 …-key operation in place. (This is how `mbedtls_rsa_pkcs1_sign` works.) A malicious client may writ…
62 …gnature with the attestation application, and the attestation application re-shares this buffer wi…
64 #### Write-write disclosure
66 If an output argument is in shared memory, there is a risk of a **write-write disclosure**:
72 …iderations related to overlap, or because the implementation relies on a low-level API that works …
74 …laintext is shared from the client to the provisioning application, which re-shares it with the cr…
76 #### Write-read feedback
84 …ple is [CBC encryption](https://link.springer.com/content/pdf/10.1007/3-540-45708-9_2.pdf): if the…
86 …o take into account? Although this extends the possible behaviors of the one-shot interface, the c…
96 …cially with whole-program optimization) may optimize the copy away, if it does not understand that…
102 The following rules guarantee that shared memory cannot result in a security violation other than […
109 These rules are very difficult to enforce.
111 …ple: these are the rules that a GlobalPlatform TEE Trusted Application (application running on the…
122 …yptographic mechanism, which may be provided by Mbed TLS (built-in driver) or by a third-party dri…
124 …Crypto API specification](https://arm-software.github.io/psa-api/crypto/1.1/overview/conventions.h…
126 …ple threads or with shared memory, the implementation carefully accesses non-overlapping buffer pa…
130 In the remainder of this chapter, we will discuss how to implement this high-level requirement wher…
138 …l of Mbed TLS. This means skipping the copy would have to be a compile-time or run-time option whi…
144 … the output buffer. For such mechanisms, it is sensible to mandate that drivers respect these rules.
154 * Any parsing of formatted data has a high risk of [read-read inconsistency](#read-read-inconsisten…
155 …implementation to have a [write-read inconsistency](#write-read-inconsistency) or a [write-write d…
170 …MAC and key derivation operations are at a low risk of [read-read inconsistency](#read-read-incons…
172 …ire symmetric cryptography drivers to read their input without a risk of read-read inconsistency**.
174 …ll, but don't necessarily have a static size limit (e.g. GCM recommends a 12-byte nonce, but also …
180 …iving a structured key, which is considered a [small buffer](#operations-involving-small-buffers).)
186 AEAD decryption is at risk of [write-write disclosure](#write-write-disclosure) when the tag does n…
188 AEAD encryption and decryption are at risk of [read-read inconsistency](#read-read-inconsistency) i…
190 * when encrypting with an encrypt-and-authenticate or authenticate-then-encrypt structure (one read…
191 * when decrypting with an encrypt-then-authenticate structure (one read to decrypt and one read to …
194 …D outputs are at risk of [write-read inconsistency](#write-read-inconsistency) and [write-write di…
198 …-place operation (which it is supposed to, since it is supposed to support arbitrary overlap, alth…
202 …-read inconsistency**. Make a note to revisit this when we start supporting an SIV mode, at which …
206 …-and-sign framework, the input to sign/verify-message is passed to a hash, and thus can follow the…
208 …-message drivers to read their input without a risk of read-read inconsistency**. Make a note to r…
229 * The built-in implementations of cryptographic mechanisms with arguments whose access needs to be …
231 Justification: see “[Susceptibility of different mechanisms](#susceptibility-of-different-mechanism…
243 …-time optimization / full-program optimization enabled (e.g. `-flto` with `gcc`). Try also enablin…
248 …-specific techniques to prevent optimization, for example memory barriers or empty `asm` blocks. T…
254 We may either copy buffers on an ad-hoc basis using `memcpy()` in each PSA function, or use a unifi…
258 * Copy bypass is simpler as we can just replace these functions with no-ops in a single place.
261 On the other hand, the only advantage of ad-hoc copying is slightly greater flexibility.
271 …-shot APIs nicely. However, allocating memory in the middle of a multi-part operation is likely to…
273 **Open question: Does memory allocation in `update()` cause a performance problem? If so, to what e…
281 …n operation. Additionally, since the input and output buffers would be fixed-size it would be poss…
289 This is fairly self-explanatory. Review all functions that use shared memory and ensure that they e…
293 … library allocates memory in a different pool. Test drivers check that needs-copying arguments are…
316 The reason to poison the memory before calling the library, rather than after the copy-in (and symm…
322 …ual memory poisoning. Valgrind memory poisoning is already used for constant-flow testing in Mbed …
323 …ch allows us to mark memory as uninitialized. This is also used for constant-flow testing. It is s…
330 Approach (5) is simple and requires no extra tooling. It is likely to have good performance as it d…
336 > This function is not guaranteed to poison the whole region - it may poison only subregion of [add…
338 …(https://learn.microsoft.com/en-us/cpp/sanitizers/asan-runtime?view=msvc-170#alignment-requirement…
340 …both Valgrind and ASan, to give the extra flexibility to choose either performance or accuracy as …
346 …possible to build such a testsuite using existing tests as a starting point - `mbedtls_test_psa_ex…
380 ### Validation of careful access for built-in drivers
384 Note: We are focusing on read-read inconsistencies for now, as most of the cases where we aren't co…
393 4. It cannot assure the quality of third-party drivers, whereas automated tests can be ported to an…
406 2. Use `ptrace` with `PTRACE_SINGLESTEP` to re-execute the failed load/store instruction.
417 2. Single-step the load/store instruction.
430 valgrind --tool=lackey --trace-mem=yes --log-file=logfile ./myprogram
444 …-/arm-ecosystem-fvps). There exists a pre-packaged example program for the Corstone 310 FVP availa…
446 Running on an FVP allows two approaches to careful-access testing:
448 * Convenient scripted use of a debugger with [Iris](https://developer.arm.com/documentation/101196/…
449 …-ins-for-Fast-Models/TarmacTrace). To validate the single-access properties, the [processor memory…
451 #### Discussion of careful-access validation
455 1. Take 1-2 days to create a basic prototype of a test that uses the approach.
456 2. Document the prototype - write a short guide that can be followed to arrive at the same prototyp…
458 …* Ease of implementation - Was the prototype simple to implement? Having implemented it, is it sim…
459 …* Flexibility - Could the prototype be extended to cover other careful-access testing that may be …
460 * Performance - Does the test method perform well? Will it cause significant slowdown to CI jobs?
461 …* Ease of reproduction - Does the prototype require a particular platform or tool to be set up? Ho…
462 …* Comprehensibility - Accounting for the lower code quality of a prototype, would developers unfam…
463 …* Portability - How well can this approach be ported to multiple platforms? This would allow us to…
465 …to implement the careful-access testing. Implement tests using this approach for each of the PSA i…
475 … allocation of special buffers. FVP testing even requires the tests to be run on a non-host target.
477 With this complexity in mind it does not seem feasible to run careful-access tests using existing t…
479 #### Validation of validation for careful-access
481 …o ensure that the careful-access validation works, it is necessary to write tests to check that we…
486 Then, write a careful-access test for this function and ensure that it fails.
488 ## Analysis of argument protection in built-in drivers
490 TODO: analyze the built-in implementations of mechanisms for which there is a requirement on driver…
505 ---|---|---|---
506 Hash and MAC | Careful access | Careful access | Low risk of multiple-access as the input and outpu…
514 … a structured format and therefore susceptible to read-read inconsistencies and potentially write-…
518 As discussed in [Copying code](#copying-code), it is simpler to use a single unified API for copyin…
565 …fer in the struct `local_output`. It also stores a pointer to `output` in `local_output->original`.
566 …of the output buffer `local_output->buffer` into the buffer `local_output->original`, calls `free(…
594 …x `_external`) for the original buffer. This allows copying to be added near-seamlessly as follows:
616 …pying to be easily disabled by defining alternate macros that function as no-ops. Since buffer cop…
622 As discussed in the [design exploration of copying validation](#validation-of-copying), the best st…
624 …uded to in [Validation of copying by memory poisoning](#validation-of-copying-by-memory-poisoning):
634 …utlined in [Validation of copying by memory poisoning](#validation-of-copying-by-memory-poisoning).
636 …ed in [the design exploration](#validation-with-existing-tests), the preferred approach for implem…
638 #### Transparent allocation-based memory poisoning
664 There now exists a more generic mechanism for making exactly this kind of transformation - the PSA …
668 Poisoning code is added to these test wrappers where relevant in order to pre-poison and post-unpoi…
672 …e can auto-detect ASan at compile-time and set an option: `MBEDTLS_TEST_MEMORY_CAN_POISON`. When t…
674 Auto-detection and memory-poisoning with Valgrind is left for future work.
680 * Read its input buffer before and after calling the input-buffer-copying function to create a local copy …
681 * Write to its output buffer before and after calling the output-buffer-copying function to copy-ba…
683 …e are expecting a failure due to memory-poisoning, we would run this test separately from the rest…
685 …that test failures happen correctly. It may be run via the script `tests/scripts/run-metatests.sh`.