Skip to content

Multithreaded access to PSA slots - stateful approach #5673

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 25 commits into from
Closed

Multithreaded access to PSA slots - stateful approach #5673

wants to merge 25 commits into from

Conversation

AndrzejKurek
Copy link
Contributor

@AndrzejKurek AndrzejKurek commented Mar 30, 2022
edited by daverodgman
Loading

Protect access to key slot data & metadata by a global mutex.
Introduce a state machine to handle psa key slot states in a more robust way.
Split key destruction into two parts to be able to delay the destruction once no readers are active.

State graph:

                │
           ┌────▼─────┐  ┌──────────┐
      ┌────┤  EMPTY   ◄──┤DESTROYING│
      │    └─┬────┬──▲┘  └──▲──▲────┘
┌─────▼────┐ │ ┌──▼──┴────┐ │  │
│ CREATING │ │ │  WIPING  ├─┘  │
└──┬─┬─────┘ │ └──────▲───┘    │
   │ │  ┌────▼─────┐  ├────────┘
   │ └──►  UNUSED  ├──┤
   │    └──▲────┬──┘  │
   │    ┌──┴────▼──┐  │
   │  ┌─┤ READING  ├──┤
   │  │ └─▲────────┘  │
   │  └───┘           │
   └──────────────────┘

State transitions from:
Empty state:
-> Wiping: cleaning slots in psa_wipe_all_key_slots: psa_crypto_init.
-> Unused: importing an existing key that does not require creation: psa_load_persistent_key_into_slot, psa_load_builtin_key_into_slot.
-> Creating: psa_import_key, psa_copy_key, psa_key_derivation_output_key, psa_generate_key.

Creating state:
-> Wiping: psa_fail_key_creation.
-> Destroying: UNUSED; TODO - could/should it happen?
-> Unused: psa_finish_key_creation from psa_import_key, psa_copy_key, psa_key_derivation_output_key, psa_generate_key.

Unused state:
-> Reading: Any operation that needs to read the key material. Copying, exporting, signing, verifying, enc/dec... via psa_get_and_lock_key_slot_with_policy.
-> Wiping: psa_purge_key, psa_close_key, but also psa_get_empty_key_slot if there's an unused persistent key.
-> Destroying: psa_destroy_key.

Reading state:
-> Reading: another reader added via psa_get_and_lock_key_slot_with_policy.
-> Unused: psa_unlock_key_slot by the last reader.
-> Wiping: psa_purge_key, psa_close_key;
-> Destroying: psa_destroy_key.

Wiping state:
-> Destroying: psa_destroy_key.
-> Empty: psa_wipe_key from psa_close_key, psa_purge_key, but also delayed wiping when the last reader is unlocked in psa_unlock_key_slot. Failures in psa_get_and_lock_key_slot, psa_get_empty_key_slot.

Destroying state:
-> Empty: psa_finish_key_destruction (also calls psa_wipe_key), psa_destroy_key if there are no readers, and if there was - unlocking the last one via psa_unlock_key_slot.

Open questions:

  • If a destruction is scheduled (but there are some active readers), should a second destruction call return a new error, for example PSA_ERROR_PENDING?
  • Should calling psa_open_key on a key slot that has pending destruction/wiping fail?
  • Is it possible to go from PSA_STATE_CREATING to PSA_STATE_DESTROYING?
  • Should psa_wipe_key_slot not work if the key slots are in use? Currently, calling psa_wipe_all_key_slots will wipe all key slots once it can acquire a mutex, regardless of slot states. psa_wipe_key_slot is surrounded by protective logic everywhere apart from psa_wipe_all_key_slots.
  • Should the caller be notified, that, when the key slot was unlocked, an additional delayed wiping/destruction was performed? PSA_SUCCESS_KEY_DESTROYED? PSA_SUCCESS_KEY_WIPED?
  • Should psa_get_and_lock_key_slot be renamed? In fact this function gets the key slot and tries to transition it to a desired state.

Double, simultaneous key creation test cannot be added without multithreading in tests.

This PR supercedes #5084 and #5226.
Partially fixes #3263.

Status update 2023-03-29

  • informally, broadly agreed on design, but have not done formal design review (significant task)
  • needs significant work to add tests (probably follow-up PR to add thorough multi-threaded tests)
  • interest from multiple partners and internal team

@AndrzejKurek AndrzejKurek force-pushed the multithreading-2022-global branch from aa5203c to 09ff41d Compare March 31, 2022 11:41
@AndrzejKurek
Copy link
Contributor Author

AndrzejKurek commented Mar 31, 2022
edited
Loading

Force pushed to trigger the CI.

@AndrzejKurek AndrzejKurek force-pushed the multithreading-2022-global branch from 492ba03 to f1e5159 Compare April 5, 2022 12:46
@AndrzejKurek AndrzejKurek added needs-review Every commit must be reviewed by at least two team members, needs-reviewer This PR needs someone to pick it up for review and removed DO-NOT-MERGE labels Apr 5, 2022
@AndrzejKurek AndrzejKurek force-pushed the multithreading-2022-global branch from f1e5159 to e2ca5b1 Compare April 5, 2022 18:01
This was referenced Apr 6, 2022
Closed
Closed
@AndrzejKurek AndrzejKurek removed the needs-ci Needs to pass CI tests label Apr 8, 2022
@daverodgman daverodgman added component-psa PSA keystore/dispatch layer (storage, drivers, …) priority-medium Medium priority - this can be reviewed as time permits and removed mbed TLS team labels May 13, 2022
Andrzej Kurek added 11 commits August 17, 2022 07:57
Introduce slot states in place of the lock count
eb992d4 
Create a state machine as a first step of improving the code state towards
concurrency. This way multiple threads will be able to read the key slot
at once as long as the critical data is protected by mutexes (to be done).

Split key destruction code into half, first one handling state changes,
and the second one doing all the work. This way the destruction itself
can be delayed until there are no readers of the slot.

Majority of the state changes are handled by psa_get_and_lock_key_slot,
which now receives an intent from callers, to perform key locking and
a state transition as one, atomic operation.

Introduce a new error indicating that a destruction or a purge operation
is postponed until the slot is no longer used.
Signed-off-by: Andrzej Kurek <[email protected]>
Remove unused function
95f968b 
Signed-off-by: Andrzej Kurek <[email protected]>
Fix unchecked status in psa_finish_key_creation
83ef7cb 
Signed-off-by: Andrzej Kurek <[email protected]>
Introduce a global mutex for PSA key slots
760b98d 
Any modification of key slot data, or state has to be done under
a lock. Reading however can be performed by multiple callers,
as long as the slot remains in one of the valid states.
Signed-off-by: Andrzej Kurek <[email protected]>
Improve status handling for persistent and builtin keys
4c186ef 
Signed-off-by: Andrzej Kurek <[email protected]>
Document mutex locking requirements for psa slot related functions
5599c6e 
Signed-off-by: Andrzej Kurek <[email protected]>
Move internal psa slot functions to psa_crypto_core.h
3464aed 
Signed-off-by: Andrzej Kurek <[email protected]>
Add tests for low and high-level key slot handling
62a7cce 
Use test hooks to validate states before locking the key slot.
Signed-off-by: Andrzej Kurek <[email protected]>
Move driver variable to extracted function
997a576 
Signed-off-by: Andrzej Kurek <[email protected]>
Fix slot state changing when persistent keys are loaded
3ea907a 
Signed-off-by: Andrzej Kurek <[email protected]>
Improve mutex macro handling without MBEDTLS_THREADING_C
55ec900 
Add a missing include in psa_crypto.c
Signed-off-by: Andrzej Kurek <[email protected]>
Andrzej Kurek and others added 14 commits August 17, 2022 07:57
Prefix global mutex macros with MBEDTLS_
ad5a03f 
Signed-off-by: Andrzej Kurek <[email protected]>
Fix psa_slot_has_no_readers return type
2f90b19 
Signed-off-by: Andrzej Kurek <[email protected]>
Fix compatibility with MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
eea6eac 
Signed-off-by: Andrzej Kurek <[email protected]>
Fix slot management dependencies
f93b0a8 
Signed-off-by: Andrzej Kurek <[email protected]>
Tests: initialize array to satisfy valgrind
b757905 
Signed-off-by: Andrzej Kurek <[email protected]>
PSA slot states: disable the DESTROYING->WIPING transition
484faca 
Destroying is considered a more destructive operation
and internally wipes the slot too. Reducing it to WIPING
should not be possible.
Signed-off-by: Andrzej Kurek <[email protected]>
PSA slot state changes - extend testing
5d5dfef 
Add tests for double closing/purging/destroying a key plus
permutations of these operations.
Signed-off-by: Andrzej Kurek <[email protected]>
PSA key slots: clarify possible intents for slot locking
8306070 
Signed-off-by: Andrzej Kurek <[email protected]>
Introduce slot locking intents in place of plain states
ae113c1 
This simplifies code a little, and also lets psa_get_and_lock_key_slot
identify calls from psa_open_key that do not intend to change
the key slot state.
Signed-off-by: Andrzej Kurek <[email protected]>
@gilles-peskine-arm
PSA thread safety analysis
c6098d4 
Looks like a mutex isn't enough?

Signed-off-by: Andrzej Kurek <[email protected]>
Updated slot->attr and slot->key access
e78b59e 
Signed-off-by: Andrzej Kurek <[email protected]>
@gilles-peskine-arm
Write up requirements
6c18812 
Signed-off-by: Andrzej Kurek <[email protected]>
@gilles-peskine-arm
Clarify backward compatibility requirement
0f7a1b6 
There are two somewhat distinct aspects here: if it compiled, it still
compiles; and if it worked functionally, it still works. They're related in
that if application code currently compiles but cannot possibly work, we
could reasonably make it not compile anymore.

Signed-off-by: Andrzej Kurek <[email protected]>
Add information about design decisions to docs
b00f2b4 
Signed-off-by: Andrzej Kurek <[email protected]>
@AndrzejKurek AndrzejKurek force-pushed the multithreading-2022-global branch from e2ca5b1 to b00f2b4 Compare August 17, 2022 12:05
@AndrzejKurek
Copy link
Contributor Author

Rebased on top of current development without any conflicts.

@carlaageamundsen
Copy link

Hi
What is the plan for this PR?

@AndrzejKurek
Copy link
Contributor Author

Hi What is the plan for this PR?

A design review was agreed upon in the nearest future, followed up by an assesment of the volume of work needed to finish this task. Any relevant information will be posted in this PR in the process to keep you updated.

@AndrzejKurek AndrzejKurek mentioned this pull request Jun 13, 2023
Merged
3 tasks
@tom-daubney-arm tom-daubney-arm added needs-work historical-reviewed Reviewed & agreed to keep legacy PR/issue and removed needs-review Every commit must be reviewed by at least two team members, needs-reviewer This PR needs someone to pick it up for review labels Jul 14, 2023
@tom-daubney-arm
Copy link
Contributor

We are now converting older PRs to draft PRs where the following conditions are met: They have not been updated in the last 3 months, and they need more than non-trivial work to complete.

@tom-daubney-arm tom-daubney-arm marked this pull request as draft July 14, 2023 10:33
@paul-elliott-arm paul-elliott-arm self-requested a review July 21, 2023 16:07
@ronald-cron-arm ronald-cron-arm removed their request for review August 28, 2023 09:30
@yanesca
Copy link
Contributor

yanesca commented Nov 28, 2023

Closing in favour of https://github.com/orgs/Mbed-TLS/projects/1#column-19657300

@yanesca yanesca closed this Nov 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paul-elliott-arm paul-elliott-arm Awaiting requested review from paul-elliott-arm

Assignees
No one assigned
Labels
component-psa PSA keystore/dispatch layer (storage, drivers, …) historical-reviewed Reviewed & agreed to keep legacy PR/issue needs-work priority-medium Medium priority - this can be reviewed as time permits
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

The PSA code is not thread-safe
6 participants
@AndrzejKurek @carlaageamundsen @tom-daubney-arm @yanesca @daverodgman @gilles-peskine-arm