wip

maciejbaczmanski · maciejbaczmanski · commit ba4cf9b2044c · 2024-08-13T14:20:38.000+02:00
diff --git a/src/crypto/CHIPCryptoPALPSA.h b/src/crypto/CHIPCryptoPALPSA.h
@@ -40,7 +40,7 @@ namespace Crypto {
  * @def CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE
  *
  * @brief
- *   Base of the PSA key identifier range used by Matter.
+ *   Start of the mandatory PSA key identifier range used by Matter.
  *
  * Cryptographic keys stored in the PSA Internal Trusted Storage must have
  * a user-assigned identifer from the range PSA_KEY_ID_USER_MIN to
@@ -56,31 +56,79 @@ namespace Crypto {
 #define CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE 0x30000
 #endif // CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE
 
-#if CHIP_CONFIG_ENABLE_ICD_CIP
-static constexpr uint32_t kMaxICDClientKeys = CHIP_CONFIG_ICD_CLIENTS_SUPPORTED_PER_FABRIC * CHIP_CONFIG_MAX_FABRICS;
-#endif // CHIP_CONFIG_ENABLE_ICD_CIP
+/**
+ * @def CHIP_CONFIG_CRYPTO_PSA_KEY_ID_OPTIONAL
+ *
+ * @brief
+ *   Start of the optional PSA key identifier range used by Matter.
+ *
+ * Optional cryptographic keys (like ICD specific key) should be defined in
+ * a different range than the mandatory ones. This approach helps to prevent any mix-up between
+ * keys that are always active and those that are dependent on extra configurations.
+ * Moreover, if there's a need to activate a previously disabled range, it only necessitates the
+ * migration of other optional key ranges.
+ */
+#ifndef CHIP_CONFIG_CRYPTO_PSA_KEY_ID_OPTIONAL
+#define CHIP_CONFIG_CRYPTO_PSA_KEY_ID_OPTIONAL 0x38000
+#endif // CHIP_CONFIG_CRYPTO_PSA_KEY_ID_OPTIONAL
+
+/**
+ * @def CHIP_CONFIG_CRYPTO_PSA_KEY_ID_END
+ *
+ * @brief
+ *   End of the PSA key identifier range used by Matter.
+ *
+ * This setting establishes the maximum limit for the key range specific to Matter, in order to
+ * prevent any overlap with other firmware components that also employ the PSA crypto API.
+ */
+#ifndef CHIP_CONFIG_CRYPTO_PSA_KEY_ID_END
+#define CHIP_CONFIG_CRYPTO_PSA_KEY_ID_END 0x3FFFF
+#endif // CHIP_CONFIG_CRYPTO_PSA_KEY_ID_END
+
+static_assert(CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE < CHIP_CONFIG_CRYPTO_PSA_KEY_ID_OPTIONAL &&
+              CHIP_CONFIG_CRYPTO_PSA_KEY_ID_OPTIONAL < CHIP_CONFIG_CRYPTO_PSA_KEY_ID_END,
+              "Incorrect Matter specific PSA key range");
+
+static_assert(PSA_KEY_ID_USER_MIN <= CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE && CHIP_CONFIG_CRYPTO_PSA_KEY_ID_END <= PSA_KEY_ID_USER_MAX,
+              "Matter specific PSA key range doesn't fit within PSA allowed range")
 
 /**
- * @brief Defines subranges of the PSA key identifier space used by Matter.
+ * @brief Defines mandatory subranges of the PSA key identifier space used by Matter.
  */
 enum class KeyIdBase : psa_key_id_t
 {
     Minimum     = CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE,
     Operational = Minimum, ///< Base of the PSA key ID range for Node Operational Certificate private keys
     DACPrivKey  = Operational + kMaxValidFabricIndex + 1,
+    Maximum = DACPrivKey,
+};
+
+static_assert(to_underlying(KeyIdBase::Minimum) >= CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE && to_underlying(KeyIdBase::Maximum) < CHIP_CONFIG_CRYPTO_PSA_KEY_ID_OPTIONAL,
+              "PSA key ID base out of allowed range");
+
+#if CHIP_CONFIG_ENABLE_ICD_CIP
+static constexpr uint32_t kMaxICDClientKeys = CHIP_CONFIG_ICD_CLIENTS_SUPPORTED_PER_FABRIC * CHIP_CONFIG_MAX_FABRICS;
+#endif // CHIP_CONFIG_ENABLE_ICD_CIP
+
+/**
+ * @brief Defines optional subranges of the PSA key identifier space used by Matter.
+ */
+enum class KeyIdOptional : psa_key_id_t
+{
+    Minimum     = CHIP_CONFIG_CRYPTO_PSA_KEY_ID_OPTIONAL,
 #if CHIP_CONFIG_ENABLE_ICD_CIP
-    ICDHmacKeyRangeStart = DACPrivKey + 1,
+    ICDHmacKeyRangeStart = Minimum,
     ICDAesKeyRangeStart  = ICDHmacKeyRangeStart + kMaxICDClientKeys,
     ICDKeysRangeEnd      = ICDAesKeyRangeStart + kMaxICDClientKeys,
 #else
     // If Check-In Protocol is disabled, set ICDKeysRangeEnd to previous key, to allow setting next key ID to `ICDKeysRangeEnd + 1`
-    ICDKeysRangeEnd = DACPrivKey,
+    ICDKeysRangeEnd = Minimum,
 #endif // CHIP_CONFIG_ENABLE_ICD_CIP
     Maximum = ICDKeysRangeEnd,
 };
 
-static_assert(to_underlying(KeyIdBase::Minimum) >= PSA_KEY_ID_USER_MIN && to_underlying(KeyIdBase::Maximum) <= PSA_KEY_ID_USER_MAX,
-              "PSA key ID base out of allowed range");
+static_assert(to_underlying(KeyIdOptional::Minimum) >= CHIP_CONFIG_CRYPTO_PSA_KEY_ID_OPTIONAL && to_underlying(KeyIdOptional::Maximum) <= CHIP_CONFIG_CRYPTO_PSA_KEY_ID_END,
+              "PSA key ID optional out of allowed range");
 
 /**
  * @brief Finds first free persistent Key slot ID within range.
diff --git a/src/crypto/PSASessionKeystore.cpp b/src/crypto/PSASessionKeystore.cpp
@@ -37,7 +37,8 @@ class KeyAttributesBase
 
     CHIP_ERROR SetKeyPersistence(psa_key_id_t keyId)
     {
-        VerifyOrReturnError(to_underlying(KeyIdBase::Maximum) >= keyId && keyId >= to_underlying(KeyIdBase::Minimum),
+        VerifyOrReturnError((to_underlying(KeyIdBase::Maximum) >= keyId && keyId >= to_underlying(KeyIdBase::Minimum)) ||
+                            (to_underlying(KeyIdOptional::Maximum) >= keyId && keyId >= to_underlying(KeyIdOptional::Minimum)),
                             CHIP_ERROR_INVALID_ARGUMENT);
 
         psa_set_key_lifetime(&mAttrs, PSA_KEY_LIFETIME_PERSISTENT);
@@ -196,7 +197,7 @@ CHIP_ERROR PSASessionKeystore::PersistICDKey(Aes128KeyHandle & key)
     AesKeyAttributes attrs;
     psa_key_id_t previousKeyId = key.As<psa_key_id_t>();
 
-    SuccessOrExit(err = Crypto::FindFreeKeySlotInRange(key.AsMutable<psa_key_id_t>(), to_underlying(KeyIdBase::ICDAesKeyRangeStart),
+    SuccessOrExit(err = Crypto::FindFreeKeySlotInRange(key.AsMutable<psa_key_id_t>(), to_underlying(KeyIdOptional::ICDAesKeyRangeStart),
                                                        kMaxICDClientKeys));
 
     SuccessOrExit(err = attrs.SetKeyPersistence(key.As<psa_key_id_t>()));
@@ -222,7 +223,7 @@ CHIP_ERROR PSASessionKeystore::PersistICDKey(Hmac128KeyHandle & key)
     psa_key_id_t previousKeyId = key.As<psa_key_id_t>();
 
     SuccessOrExit(err = Crypto::FindFreeKeySlotInRange(key.AsMutable<psa_key_id_t>(),
-                                                       to_underlying(KeyIdBase::ICDHmacKeyRangeStart), kMaxICDClientKeys));
+                                                       to_underlying(KeyIdOptional::ICDHmacKeyRangeStart), kMaxICDClientKeys));
     SuccessOrExit(err = attrs.SetKeyPersistence(key.As<psa_key_id_t>()));
     VerifyOrExit(psa_copy_key(previousKeyId, &attrs.Get(), &key.AsMutable<psa_key_id_t>()) == PSA_SUCCESS,
                  err = CHIP_ERROR_INTERNAL);
diff --git a/src/platform/nrfconnect/CHIPPlatformConfig.h b/src/platform/nrfconnect/CHIPPlatformConfig.h
@@ -59,6 +59,14 @@
 #define CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE 0x30000
 #endif // CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE
 
+#ifndef CHIP_CONFIG_CRYPTO_PSA_KEY_ID_OPTIONAL
+#define CHIP_CONFIG_CRYPTO_PSA_KEY_ID_OPTIONAL 0x38000
+#endif // CHIP_CONFIG_CRYPTO_PSA_KEY_ID_OPTIONAL
+
+#ifndef CHIP_CONFIG_CRYPTO_PSA_KEY_ID_END
+#define CHIP_CONFIG_CRYPTO_PSA_KEY_ID_END 0x3FFFF
+#endif // CHIP_CONFIG_CRYPTO_PSA_KEY_ID_END
+
 // ==================== General Configuration Overrides ====================
 
 #ifndef CHIP_CONFIG_MAX_UNSOLICITED_MESSAGE_HANDLERS
