net: tcp: use PSA functions for ISN generation instead of legacy MbedTLS ones #71827
Conversation
Compare c38aecd to 271c9aa
+1 to networking changes.
It needs clarification about the mix usage of cryptographically safe random generator.
Please check comments.
modules/mbedtls/zephyr_init.c
Outdated
return PSA_ERROR_GENERIC_ERROR; | ||
} | ||
#else | ||
sys_rand_get(output, output_size); |
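Review bot: The `#else` branch hands PSA the output of `sys_rand_get()`, which is not a cryptographically secure generator, so any consumer of this callback silently gets weak randomness whenever a CSPRNG is not configured; instead of a fallback, either fail the build when no CSPRNG is available or return a PSA error here, matching the `return PSA_ERROR_GENERIC_ERROR;` path above. Note also that `sys_rand_get()` returns no status, so this branch cannot report a failure at all.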
Doesn't it need to be cryptographically secure? AFAIU it needs, this fallback shouldn't be an option IMHO.
Yes, sorry, I pushed an updated version that fixes this.
subsys/net/ip/tcp.c
Outdated
sys_rand_get(unique_key, sizeof(unique_key)); | ||
#endif |
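Review bot: The `sys_rand_get(unique_key, ...)` fallback means the ISN secret key is drawn from a non-cryptographic PRNG whenever a CSPRNG is not configured, and RFC 6528's "hard to guess" property rests entirely on that secret being unguessable; drop the conditional, always use `sys_csrand_get()`, and check its return value, since unlike `sys_rand_get()` it can fail.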
This condition really scares me. Does it need to be cryptographically secure or not? If yes, we should only use sys_csrand_get and make it a requirement; if not, why don't we always use the cheaper sys_rand_get?
IMO this is slightly different than the previous case. As far as I understand from RFC6528 at section 3 we just need the ISN to be "not easy to guess". For this we pick some random number and some extra data (input port, output port, etc) and hash all of this. In case the provided random number is not "random enough" then we can apply some hashing function to improve that. This would mean that sys_rand_get() would be enough, but if CSPRNG is available, why not benefit from it anyway? Wdyt?
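The RFC 6528 scheme the comment above describes, as an added example that is not part of the PR or of Zephyr's subsys/net/ip/tcp.c: ISN = (M + F(localip, localport, remoteip, remoteport, secretkey)) mod 2^32. It assumes SHA-256 truncated to 32 bits as F, a 16-byte secret drawn from the OS CSPRNG (the replacement this PR makes for sys_rand_get), and a 4-microsecond counter as M; the addresses and ports in `demo()` are constructed sample values.

```python
# Added example (not Zephyr code): an RFC 6528 ISN generator.
# Assumptions: F = SHA-256 truncated to 32 bits, secret from the OS CSPRNG,
# M = 4 us counter. Sample addresses/ports below are constructed.
import hashlib
import secrets
import struct
import time
from typing import Optional

ISN_MASK = 0xFFFFFFFF
TICK_US = 4  # RFC 793/6528: M advances every 4 microseconds


def new_secret_key(nbytes: int = 16) -> bytes:
    """Per-boot secret for F. It must come from a CSPRNG: if the secret is
    guessable, every ISN is guessable no matter how strong the hash is."""
    return secrets.token_bytes(nbytes)


def isn_offset(local_ip: bytes, local_port: int,
               remote_ip: bytes, remote_port: int, secret: bytes) -> int:
    """F(localip, localport, remoteip, remoteport, secretkey): SHA-256 over
    the connection 4-tuple plus the secret, truncated to the 32-bit
    sequence space. Deterministic for a given tuple and secret."""
    buf = local_ip + remote_ip + struct.pack("!HH", local_port, remote_port) + secret
    return int.from_bytes(hashlib.sha256(buf).digest()[:4], "big")


def clock_component(now_us: Optional[int] = None) -> int:
    """M(): a 4-microsecond counter that wraps at 2^32."""
    if now_us is None:
        now_us = time.monotonic_ns() // 1000
    return (now_us // TICK_US) & ISN_MASK


def generate_isn(local_ip: bytes, local_port: int,
                 remote_ip: bytes, remote_port: int,
                 secret: bytes, now_us: Optional[int] = None) -> int:
    """ISN = M + F(...) mod 2^32: monotonic within one 4-tuple (so stale
    segments cannot be confused with a new incarnation), but offset by an
    unguessable per-tuple value, so observing one connection's ISN tells an
    attacker nothing about another connection's."""
    f = isn_offset(local_ip, local_port, remote_ip, remote_port, secret)
    return (clock_component(now_us) + f) & ISN_MASK


def demo() -> dict:
    """Two connections that differ only in source port, at a fixed clock."""
    key = new_secret_key()
    a = (bytes([10, 0, 0, 1]), 40000, bytes([10, 0, 0, 2]), 443)  # constructed
    b = (bytes([10, 0, 0, 1]), 40001, bytes([10, 0, 0, 2]), 443)  # constructed
    t0 = 1_000_000  # fixed clock value (us) so the arithmetic is visible
    return {
        "a_t0": generate_isn(*a, key, now_us=t0),
        "a_t1": generate_isn(*a, key, now_us=t0 + 400),  # 100 ticks later
        "b_t0": generate_isn(*b, key, now_us=t0),
    }


if __name__ == "__main__":
    for name, isn in demo().items():
        print(f"{name}: {isn:#010x}")
```

The hash only helps in the sense the comment gives (spreading the secret and tuple over the sequence space); it does not make a weak secret strong, which is why the key source, not the hash, is what the thread ends up requiring to be a CSPRNG.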
Not easy to guess sys_csrand_get doesn't allow test-modes (If I'm not mistaken). If you have predictive RNG numbers then they are definitely guessable. Please use only sys_csrand_get so we can remove any possible weak holes (e.g. due to RNG behaving "random looking" but still be predictive)
Compare 271c9aa to 84dee98
Compare e0ea3f7 to 787434f
Compare 787434f to 67b1cba
Compare 4ed09d8 to 8849ed3
subsys/net/ip/Kconfig.tcp
Outdated
@@ -230,8 +230,8 @@ config NET_TCP_ISN_RFC6528 | |||
default y | |||
depends on NET_TCP | |||
select MBEDTLS | |||
select MBEDTLS_MD | |||
select MBEDTLS_MAC_MD5_ENABLED | |||
select MBEDTLS_PSA_CRYPTO_C |
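Review bot: `select MBEDTLS_PSA_CRYPTO_C` is unconditional, but when `BUILD_WITH_TFM` is set the PSA crypto provider is TF-M rather than the MbedTLS built-in implementation, and the two cannot both be enabled; guard it as `select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM`. Since `select` bypasses the selected symbol's own dependencies, also verify that the entropy/CSPRNG prerequisites `MBEDTLS_PSA_CRYPTO_C` needs for its random generator end up enabled in the non-TF-M case.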
select MBEDTLS_PSA_CRYPTO_C | |
select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM |
Selecting MBEDTLS_PSA_CRYPTO_C is incompatible with BUILD_WITH_TFM. Not sure if this dependency will help, but you could try it out
Use only cryptographically secure random number generators for ISN. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add a choice to select between legacy modules (i.e. ENTROPY + CTR_DRBG/HMAC_DRBG) and CSPRNG as random generators for PSA_CRYPTO_C. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Create a new Kconfig named CONFIG_PSA_WANT_ALG_SHA_256 which allows to enable PSA_WANT_ALG_SHA_256. This allows to use PSA functions to compute SHA256 hashes. When PSA is provided by TFM this allows also to remove legacy mbedtls_sha256() support and therefore reduce footprint for the NS side. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Compare 8849ed3 to db03ff2
Comments received so far should be addressed and CI is green. This PR is ready for review.
Noting that
- some MbedTLS configuration changes come from mgmt: mcumgr: replace Tinycrypt by PSA #71947,
- the non-default enabling of MBEDTLS_USE_PSA_CRYPTO if MBEDTLS_PSA_CRYPTO_C is temporary (will be possible to revert with Add Kconfigs for PSA_WANT symbols #72243),
- and that the newly introduced Kconfig options relating to PSA in Kconfig.tls-generic will be moved to Kconfig.psa when rebasing this PR.
subsys/net/ip/tcp.c
Outdated
size_t hash_len; | ||
|
||
psa_hash_compute(PSA_ALG_SHA_256, (const unsigned char *)&buf, sizeof(buf), | ||
hash, sizeof(hash), &hash_len); |
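Review bot: Beyond the continuation-line alignment, the `psa_status_t` returned by `psa_hash_compute()` is discarded; if the call fails (for instance when SHA-256 is not enabled in the active PSA provider), `hash` is left unset and would still be used as the ISN offset. Check the status against `PSA_SUCCESS` and that `hash_len` equals the expected digest length before using the result.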
alignment
subsys/net/ip/tcp.c
Outdated
size_t hash_len; | ||
|
||
psa_hash_compute(PSA_ALG_SHA_256, (const unsigned char *)&buf, sizeof(buf), | ||
hash, sizeof(hash), &hash_len); |
ditto
Both indentations should be OK now
LGTM (assuming alignment is fixed)
When BUILD_WITH_TFM is enabled we can dispatch hash computation to TFM. This allows to remove the built-in support of SHA256 from the non-secure side (if it's not used for any other purpose, of course). Signed-off-by: Valerio Setti <vsetti@baylibre.com>
CONFIG_MINIMAL_LIBC was required for: - CONFIG_MINIMAL_LIBC_NON_REENTRANT_FUNCTIONS - CONFIG_MINIMAL_LIBC_RAND while CONFIG_ENTROPY_GENERATOR and CONFIG_MBEDTLS_ZEPHYR_ENTROPY are required for CRYPTO_C. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
PICOLIBC misses the dirent.h header which is required to emulate ITS (internal trusted storage) in PSA APIs. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
MBEDTLS_PSA_CRYPTO_C and MBEDTLS_USE_PSA_CRYPTO are 2 different things and the former should not automatically enable the latter. The reason is that the user might want the MbedTLS PSA crypto toolbox to be built, but at the same time he/she does not want TLS/DTLS (and other intermediate modules such as PK, MD and Cipher) to use PSA APIs. For this reason this commit introduces a new Kconfig option named CONFIG_MBEDTLS_USE_PSA_CRYPTO to enable the corresponding build symbol. By default USE_PSA_CRYPTO is disabled. It is only explicitly enabled in tests/samples that were previously setting CRYPTO_C (since in those cases USE_PSA was set). Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Compare db03ff2 to 1608b89
This PR replaces:
- mbedtls_xxx() with psa_hash_compute()
- sys_rand_get() with sys_csrand_get()

This PR is an alternative to #71747 in the sense that there is no mbedtls_sha256() alternative option. We go directly to PSA functions instead. This is not a problem because we assume that a PSA provider is always present in the build, whether it is built into MbedTLS (when MBEDTLS_PSA_CRYPTO_C is enabled) or provided externally through TFM (when BUILD_WITH_TFM is enabled).