secure_storage: add a ZMS-based implementation of the ITS store module #81235
Conversation
|
@tomi-font, |
|
@tomi-font I would advise on the following alternative approach:
The id's In the saving process the data is first written, then the metadata. In the reading process the metadata id's are searched for the correct psa_its_id, ... , a "reread" can be performed if needed (depending on the flags), followed by the read/validation of the data. At start any data that does not have a corresponding (or invalid) metadata can be removed. This approach is also applicable to nvs, allows simultaneous use of nvs/... for secure storage, settings and other data storage (e.g when |
tomi-font
force-pushed
the
secure_storage_its_store_zms
branch
2 times, most recently
from
e778058
to
fb58bc3
Compare
Good point. I was thinking about how to handle potential conflicts, but I think that I will just remove the possibility to use
This makes no sense.
No it's not. And related to that, I will address the topic of UID assignment (for secure storage) in a follow-up PR.
I don't want to reinvent the storage wheel, plus I don't see the advantage in what you're proposing. Might as well just use the settings-based implementation. |
Ok if you think they are a good fit.
No need to address this in a follow-up PR, do it now before it gets used.
There are already users that are using the NVS backend for both settings and data storage, the allocation of ID ranges could be formalized. If on the other hand it is needed that the secure storage has its own backend (as implied by the PR), a slightly modified copy of the flash backend used in tf-m would be more appropriate. If the settings-based implementation fits the need, why propose a different alternative? |
What I am talking about is not specific to what is added in this PR. It's about the PSA Secure Storage API overall. And the rationale for not including it as part of this PR is to keep the scope of a PR focused on one topic.
I agree that it could and even should be formalized.
No, it's not needed. This PR is just to allow direct use of a partition for more control and efficiency of the storage. For the majority of cases it will actually still default to using settings because |
If it is worth using a partition for more control and efficiency of storage it would be good to target as much users as possible. NVS is still much broader used (it is more efficient for most users) and has a large install base. It doesn't seem a good choice to leave these users without a possible more efficient storage solution. Splitting up the storage into metadata (uid, caller uid, flags, (optional) nonce, (optional) tag) and the data itself would give the following advantages:
|
I'm not a fan of the suggestions. Plus they're just notices. (And have sparked some debate on Discord.) They can be hidden with the |
tomi-font
force-pushed
the
secure_storage_its_store_zms
branch
from
fb58bc3
to
34ddbcf
Compare
tomi-font
force-pushed
the
secure_storage_its_store_zms
branch
4 times, most recently
from
fcb9c32
to
ec6f856
Compare
| The sector size impacts the runtime behavior of ZMS and restricts the maximum | ||
| ITS entry data size (which is the sector size minus ZMS and ITS overhead). | ||
| Changing it will result in loss of existing data stored on a partition. | ||
| It must be a multiple of the flash page size. |
There was a problem hiding this comment.
only for a certain type of flash (that requires erase)
There was a problem hiding this comment.
only for a certain type of flash (that requires erase)
I would rather say "for devices that require erase". There are devices that have erase and have paging (only for that purpose) but you can just write them without explicitly erasing first and without loosing written data in process.
It has been extensively discussed and documented why we want an implementation that is not fully compliant with the official specification.
This is something that relevant stakeholders have approved. |
|
@ceolin I am directing my concerns to you as the chairperson of the security group. By bringing in the psa-its standard into zephyr there are IMHO 2 reasons:
The limitation of the psa-its API entries to zephyr specifications breaks reason number 2 and might result in incompatibilities between systems using a shared API. This is dangerous and might lead to not operational systems that are using a shared API. It is easy to imagine a solution where all systems would be instructed to load the key stored at 0xffffffff and the zephyr solution would fail. Cutting corners like is proposed in the solution has lead to problems in the past (e.g. the Mars Climate Orbiter incident) and should be avoided at all cost. |
Exactly. Currently it's not safe for different users of the API that are not aware of each other. And this is is true whether the UID range is limited or not. Thus my mention of a follow-up PR that will address this issue which has always been present, since even before the introduction of the secure storage subsystem.
You have a fundamental misunderstanding here. UID values are not chosen randomly/dynamically. But most importantly, you need to stop trying to block legitimate contributions with blanket concerns. This is even more ridiculous when it's clear that you don't know what you're talking about. |
|
It is reasonable to ask questions and give comments in PR's, but the topics tackled here has been given ample attention both in the Zephyr Security Committee, The Zephyr Security Group in multiple meetings over a long time. The additions suggested in this PR (and related PRs on secure storage) is in my opinion well vetted and understood and accepted across the board for the people who decides what security means in Zephyr I think we can gain much from the standardization of the API(s) in their functional form. Everything that is complicated about this in terms of security (or lack thereof) is thoroughly documented and will continue to get reasonable and rational attention in time to come |
tomi-font
force-pushed
the
secure_storage_its_store_zms
branch
from
ec6f856
to
287f090
Compare
tomi-font
force-pushed
the
secure_storage_its_store_zms
branch
from
287f090
to
4e601e3
Compare
|
|
||
| static uint32_t zms_id_from(secure_storage_its_uid_t uid) | ||
| { | ||
| return (uint32_t)uid.uid | (uid.caller_id << ITS_CALLER_ID_POS); |
There was a problem hiding this comment.
uid.uid is a psa_storage_uid_t which is a uint64_t, this cannot be casted to a (uint32_t) without duplicate uses of zms_id.
There was a problem hiding this comment.
The result obtained from this is not used before uid is checked to not have any upper bits set (in has_forbidden_bits_set()), so here uid.uid can be considered to be (even less than) a uint32_t.
There was a problem hiding this comment.
- Where is it documented that this specific implementation of the ITS store module has this limitation on bits?
- How to handle that one implementation of the ITS store module has this limitation, while another does not?
- Why use a 64bit uid when only 30bit are supported?
There was a problem hiding this comment.
- subsys/secure_storage/Kconfig.its_store:24
- By letting the users of the API only use a well-defined range of UIDs. Will come in a follow-up PR as stated previously.
- The 64-bit size originally comes from the specification. It could indeed be reduced when allowed values are officially defined.
@Laczen these are valid questions to be asked :) It is so true that we spend a reasonable amount of time debating it in the security working group. The conclusion is that the best we can do regarding clash is what is being done in this pr. As @frkv said this is going to be extensively documented / emphasized to minimize the risk. @tomi-font it does not hurt to mark it as experimental for now IMHO. Lets give it some time for testing before assume it is ready for production. |
For sure. In fact, the whole subsystem is already marked as experimental. 🙂 |
@ceolin, thank you for your reply. As an outsider to the security group I find it hard to believe that preference was given to a storage solution that is supported by bending or limiting the shared API instead of using a storage solution in a way to support the shared API. I admit that I don't know much about the PSA Crypto, PSA Secure Storage, MBEDTLS, but even I can see directly that what is being done here will clash with using the secure storage solution for a PSA Crypto key store. As the PSA Crypto keys are defined to use the full 32 bit uid range (part for user key, part for vendor key, and the other part for future extensions). |
tomi-font
force-pushed
the
secure_storage_its_store_zms
branch
from
4e601e3
to
36429bb
Compare
tomi-font
force-pushed
the
secure_storage_its_store_zms
branch
from
36429bb
to
d996816
Compare
It becomes the new default when the secure_storage_its_partition devicetree chosen property is defined as it is a preferred alternative. See the help message of the `CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_ZMS` Kconfig option for more information. Signed-off-by: Tomi Fontanilles <[email protected]>
Add a test scenario for the ITS store module implementation that uses ZMS for storage. Reorganize the others at the same time. Signed-off-by: Tomi Fontanilles <[email protected]>
Remove the hard restriction on CONFIG_SECURE_STORAGE_ITS_MAX_DATA_SIZE. SETTINGS_MAX_VAL_LEN is in practice not used by any settings backend implementation. Signed-off-by: Tomi Fontanilles <[email protected]>
Output a CMake error when the ITS store module is enabled but no implementation ended up enabled (due to unfulfilled prerequisites). This is to make it more clear than undefined references at link time. Not a fatal error because CMake cannot fail for the twister filtering to work on the tests. Signed-off-by: Tomi Fontanilles <[email protected]>
…tition Align with the behavior of the settings subsystem. Signed-off-by: Tomi Fontanilles <[email protected]>
Use %zu for size_t. Signed-off-by: Tomi Fontanilles <[email protected]>
Align the debug logging with that of the ZMS-based implementation. Signed-off-by: Tomi Fontanilles <[email protected]>
tomi-font
force-pushed
the
secure_storage_its_store_zms
branch
from
d996816
to
e853d2f
Compare
See the commit messages.
A follow-up PR will introduce the (static) allocation of
psa_storage_uid_tvalues for end users of the PSA Secure Storage API.