[nrf noup] Allow import and destroy of builtin keys

Adds the capability of import and destroying persistent keys
that are "builtin" i.e. handled fully by PSA driver implementation.

Signed-off-by: Vidar Lillebø <vidar.lillebo@nordicsemi.no>
Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>

library/psa_crypto.c

@@ -870,6 +870,12 @@ psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key)
     }
 #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
 
+#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+    if (psa_key_id_is_builtin(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id))) {
+        psa_driver_wrapper_destroy_builtin_key(&slot->attr);
+    }
+#endif /* defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS) */
+
 exit:
     /* Unregister from reading the slot. If we are the last active reader
      * then this will wipe the slot. */
@@ -1129,7 +1135,7 @@ static psa_status_t psa_validate_key_attributes(
             return PSA_ERROR_INVALID_ARGUMENT;
         }
     } else {
-        if (!psa_is_valid_key_id(psa_get_key_id(attributes), 0)) {
+        if (!psa_is_valid_key_id(psa_get_key_id(attributes), 1)) {
             return PSA_ERROR_INVALID_ARGUMENT;
         }
     }
@@ -1277,7 +1283,11 @@ static psa_status_t psa_finish_key_creation(
 #endif
 
 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
-    if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+    if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)
+#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+    && !psa_key_id_is_builtin(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id))
+#endif
+    ) {
         /* Key material is saved in export representation in the slot, so
          * just pass the slot buffer for storage. */
         status = psa_save_persistent_key(&slot->attr,
@@ -4396,7 +4406,6 @@ psa_status_t psa_key_derivation_input_key(
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
     psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
     psa_key_slot_t *slot = NULL;
-    psa_key_attributes_t attributes;
 
     status = psa_get_and_lock_key_slot_with_policy(
         key, &slot, 0, operation->alg);
@@ -4418,12 +4427,8 @@ psa_status_t psa_key_derivation_input_key(
         operation->can_output_key = 1;
     }
 
-    attributes = (psa_key_attributes_t) {
-        .core = slot->attr
-    };
-
     status = psa_key_derivation_input_internal(operation,
-                                               step, &attributes,
+                                               step, &slot->attr,
                                                slot->key.data,
                                                slot->key.bytes);
 

library/psa_crypto_driver_wrappers.c

@@ -2098,4 +2098,15 @@ psa_status_t psa_driver_wrapper_free_random(
     return PSA_SUCCESS;
 }
 
+psa_status_t psa_driver_wrapper_destroy_builtin_key(const psa_key_attributes_t *attributes)
+{
+    psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime);
+
+    switch (location) {
+    /* Add cases for drivers here */
+    }
+
+    return PSA_ERROR_NOT_SUPPORTED;
+}
+
 #endif /* MBEDTLS_PSA_CRYPTO_C */

library/psa_crypto_driver_wrappers.h

@@ -154,6 +154,9 @@ psa_status_t psa_driver_wrapper_derive_key(
     const uint8_t *input, size_t input_length,
     uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
 
+psa_status_t psa_driver_wrapper_destroy_builtin_key(
+    const psa_key_attributes_t *attributes);
+
 /*
  * Cipher functions
  */

library/psa_crypto_slot_management.c

@@ -531,7 +531,7 @@ psa_status_t psa_validate_key_persistence(psa_key_lifetime_t lifetime)
         return PSA_SUCCESS;
     } else {
         /* Persistent keys require storage support */
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
         if (PSA_KEY_LIFETIME_IS_READ_ONLY(lifetime)) {
             return PSA_ERROR_INVALID_ARGUMENT;
         } else {