Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PSA Sign Hash (Interruptible) Design #6279

Conversation

paul-elliott-arm
Copy link
Member

@paul-elliott-arm paul-elliott-arm commented Sep 13, 2022

Description

A design for the psa_sign_hash (interruptible) interface. (Implementation to follow once design agreed). Fixes #6061

Draft for an upcoming PSA Crypto specification version.

Status

READY

Requires Backporting

NO

Migrations

NO

Todos

  • Tests

@paul-elliott-arm paul-elliott-arm self-assigned this Sep 13, 2022
@paul-elliott-arm paul-elliott-arm force-pushed the psa_sign_hash_interruptable branch 2 times, most recently from e3295ff to c5ac7f5 Compare September 13, 2022 17:07
@paul-elliott-arm
Copy link
Member Author

CI Fail is due to 'missing' error code. I could fix this by defining it in file for the time being, if this is acceptable.

@paul-elliott-arm paul-elliott-arm added enhancement needs-design-approval needs-review Every commit must be reviewed by at least two team members, needs-reviewer This PR needs someone to pick it up for review component-psa PSA keystore/dispatch layer (storage, drivers, …) size-m Estimated task size: medium (~1w) labels Sep 15, 2022
@gilles-peskine-arm
Copy link
Contributor

You need to define the new error code, either in crypto_values.h or in crypto_extra.h.

@paul-elliott-arm paul-elliott-arm changed the title PSA Sign Hash (Interruptable) Design PSA Sign Hash (Interruptible) Design Sep 15, 2022
@paul-elliott-arm paul-elliott-arm force-pushed the psa_sign_hash_interruptable branch from 6b934da to 33de902 Compare September 15, 2022 15:51
include/psa/crypto_extra.h Outdated Show resolved Hide resolved
include/psa/crypto_extra.h Outdated Show resolved Hide resolved
include/psa/crypto_extra.h Outdated Show resolved Hide resolved
include/psa/crypto_extra.h Outdated Show resolved Hide resolved
include/psa/crypto_extra.h Outdated Show resolved Hide resolved
include/psa/crypto_extra.h Outdated Show resolved Hide resolved
include/psa/crypto_extra.h Outdated Show resolved Hide resolved
include/psa/crypto_extra.h Outdated Show resolved Hide resolved
include/psa/crypto_extra.h Outdated Show resolved Hide resolved
@paul-elliott-arm paul-elliott-arm force-pushed the psa_sign_hash_interruptable branch from 33de902 to 2a5e792 Compare September 15, 2022 19:20
@daverodgman daverodgman removed the needs-reviewer This PR needs someone to pick it up for review label Sep 16, 2022
@paul-elliott-arm paul-elliott-arm force-pushed the psa_sign_hash_interruptable branch from 2a5e792 to e467aca Compare September 16, 2022 17:01
Copy link
Contributor

@gilles-peskine-arm gilles-peskine-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I marked my comments as [T] for technical content that might affect the work in progress on implementation, and [E] for purely editorial comments.

There is quite a bit of repeated content (e.g. same note on sign and verify functions). When a comment of mine applies in multiple places, I have generally only reported it once. All comments in this review should be understood as “also applies in other places where applicable”.

I have verified that all my and @tom-cosgrove-arm 's comments from previous reviews have been addressed (or in one case, re-raised).

*/

/** The type of the state data structure for interruptible hash
* verification operations.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[E]

Suggested change
* verification operations.
* signing operations.

* Implementation details can change in future versions without notice. */
typedef struct psa_sign_hash_interruptible_operation_s psa_sign_hash_interruptible_operation_t;

/** The type of the state data structure for interruptible hash signing
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[E]

Suggested change
/** The type of the state data structure for interruptible hash signing
/** The type of the state data structure for interruptible hash verification

* code; or to free the relevant context if the
* operation is to be aborted.
*
* \note The interpretation of this maximum number is
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[E] What maximum number? Notes can be read out of order.

More generally this paragraph could use a rewrite, keeping the (lack of) context in mind.

* \note The interpretation of this maximum number is
* obviously also implementation defined. On a
* hard real time system, this can indicate a hard
* deadline, which is good, as a real-time system
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[E] This reads a bit too judgmental for a specification.

* operation is to be aborted.
*
* \note The interpretation of this maximum number is
* obviously also implementation defined. On a
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[E] Avoid “obviously”: if it was obvious, it wouldn't need stating explicitly.

* operation.
*
* \retval #PSA_ERROR_NOT_SUPPORTED
* \retval #PSA_ERROR_INVALID_ARGUMENT
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[T] Also NOT_PERMITTED.

* please call this function again with the same operation object.
*
* \retval #PSA_ERROR_INVALID_HANDLE
* \retval #PSA_ERROR_NOT_PERMITTED
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[T] No, NOT_PERMITTED would be detected at the start.

* returned by the function performing the
* computation. It is then the caller's
* responsibility to either call again with the
* same parameters until it returns 0 or an error
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[T] Same operation context, not same parameters. The other parameters can be different. For example, the output of psa_sign_hash_complete can be a stack variable in an intermediate function which is a different pointer at each call.

Comment on lines +4125 to +4126
* interface stability promises, and will only
* leave beta after implementation.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[T] Remove “will only leave beta after implementation”. It's not like the interface really exists until implementation, and it will stay beta for some time after implementation. It'll leave beta when we say it's out of beta and no sooner.

Comment on lines +4391 to +4393
* Operation was interrupted due to the setting of \c
* psa_interruptible_set_max_ops(), there is still work to be done,
* please call this function again with the same operation object.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[T]

Suggested change
* Operation was interrupted due to the setting of \c
* psa_interruptible_set_max_ops(), there is still work to be done,
* please call this function again with the same operation object.
* The operation was interrupted due to the setting of
* \c psa_interruptible_set_max_ops(). There is still work to be done.
* Call this function again with the same operation object.

@gilles-peskine-arm
Copy link
Contributor

I'm marking this as approved for design. We'll still make minor changes to the API, but the fundamentals are good.

@mpg
Copy link
Contributor

mpg commented Dec 12, 2022

General note about this PR: it's in the Mbed TLS repo but is written as a specification that may have multiple implementations. At some point while implementing this, we'll need to replace all places that says "XXX is implementation defined" with a description of what our implementation actually does.

@mpg
Copy link
Contributor

mpg commented Dec 12, 2022

I'm sorry for having such thought that late in the process, but I've just been thinking about the naming for start/complete functions: should rename start to setup for consistency with multi-part operations? setup() is usually the function that makes the operation "active" meaning from this point you need to either bring it to a successful completion or abort() it.

If this is similar enough to existing multi-part operations, the similarity should be reflected in the names chosen; just as well, if this is different enough, this should be reflected in the names. Note: currently we have similar names for the type xxx_operation_t and the function xxx_abort() but not for other functions (start() vs setup(), perhaps even complete() vs finish() though arguably that pair is more different and varies more across multi-part operations).

Also, I don't think start() actually starts computing anything, it just prepares calling complete(), so semantically that would be an argument for calling it setup() as well.

Also, since Gilles mentions that we're likely to want to have multi-part interruptible sign/verify at some point, can we quickly check how the naming scheme would work for that? [Edit: should we have interruptible_setup() to distinguish from non-interruptible multi-part?]

Btw, I've also been wondering if complete() should be called something like compute() (or perhaps progress())? Considering most of the time it will not complete the operation. (OTOH, there's logic in the fact that it only returns success when it did complete the operation, so that's consistent with the name indeed.)

Copy link
Contributor

@mpg mpg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, except perhaps the naming question, which again I'm sorry for not raising earlier. Other than that, I don't have much to add to what Gilles already pointed out (which which I agree, even if I didn't systematically put a 👍 on it).

* single call is implementation defined.
*
* \warning With implementations that interpret this number
* as a hard limit, setting this number too small
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: the implementation in Mbed TLS is based on a soft limit: we first do one "uninterruptible block" (which can be a rather large number of basic ops, possibly larger than the limit), and only then check if we have budget for the next block. This was done mostly because with such a soft limit approach, progress is guaranteed.

I agree that hard limit implementations would benefit from the kind of thing you suggest, but since we're a soft limit implementation, we won't really be able to test it.

include/psa/crypto.h Show resolved Hide resolved
include/psa/crypto_values.h Show resolved Hide resolved
@gilles-peskine-arm
Copy link
Contributor

Btw, I've also been wondering if complete() should be called something like compute() (or perhaps progress())? Considering most of the time it will not complete the operation. (OTOH, there's logic in the fact that it only returns success when it did complete the operation, so that's consistent with the name indeed.)

That was the logic: xxx_complete() is named based on the behavior when it succeeds.

start() vs setup(), perhaps even complete() vs finish() though arguably that pair is more different and varies more across multi-part operation

complete() is pretty different from finish(), and I think this should be reflected in the naming. start() is less different from setup(), but I think it's clearer to have different names for start/complete and setup/update/finish or setup/update/verify.

@paul-elliott-arm
Copy link
Member Author

All of the discussed changes that I saw as decided upon I have made in the implementation PR (#6737). Will revisit the ongoing discussions in the new year, and update this version if there is more review to be done here.

*
* In particular, calling \c psa_sign_hash_abort() after the operation has
* already been terminated by a call to \c psa_sign_hash_abort() or
* \c psa_sign_hash_complete() is safe and has no effect.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[T] That's actually not quite true: the abort function resets the value queried by get_num_ops to 0. Also applies to verify.

@athoelke
Copy link
Contributor

Should we have an implementation note somewhere in here that ops should be key-value and data-value invariant, to avoid it becoming a side-channel?

* the maximum number of ops allowed to be executed by an interruptible
* function in a single call.
*/
#define PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED INT32_MAX
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[t]

Suggested change
#define PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED INT32_MAX
#define PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED UINT32_MAX

@mpg
Copy link
Contributor

mpg commented Feb 16, 2023

I assume we no longer intend to merge this one, now that we have #6737.

@gilles-peskine-arm
Copy link
Contributor

gilles-peskine-arm commented Feb 16, 2023

We don't, but I still have to review the differences between this and #6737. I'm happy that the API #6737 is good enough to release as a beta, but I want to check for differences and re-read some of the discussions with the benefit of having seen the implementation.

This doesn't require keeping the PR open.

@daverodgman daverodgman added the historical-reviewing Currently reviewing (for legacy PR/issues) label May 12, 2023
@daverodgman
Copy link
Contributor

@paul-elliott-arm can this be closed?

@paul-elliott-arm
Copy link
Member Author

Closing this for now as I think its reached its useful limit. Conversations about renaming functions etc can be done in new issues / PRs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
component-psa PSA keystore/dispatch layer (storage, drivers, …) enhancement historical-reviewing Currently reviewing (for legacy PR/issues) needs-review Every commit must be reviewed by at least two team members, needs-work size-m Estimated task size: medium (~1w)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Design interruptible ECC Sign Hash PSA interface.
6 participants