TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 0338ded2f4183251b6c4a8971087ba998629840f / . / include / psa / crypto_extra.h
blob: e40a50520f5698fcf1adaed52338f870853848ad [file] [log] [blame]
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]1/**
2 * \file psa/crypto_extra.h
3 *
4 * \brief PSA cryptography module: Mbed TLS vendor extensions
Gilles Peskine07c91f52018-06-28 18:02:53 +0200[diff] [blame]5 *
6 * \note This file may not be included directly. Applications must
7 * include psa/crypto.h.
8 *
9 * This file is reserved for vendor-specific definitions.
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]10 */
11/*
12 * Copyright (C) 2018, ARM Limited, All Rights Reserved
13 * SPDX-License-Identifier: Apache-2.0
14 *
15 * Licensed under the Apache License, Version 2.0 (the "License"); you may
16 * not use this file except in compliance with the License.
17 * You may obtain a copy of the License at
18 *
19 * http://www.apache.org/licenses/LICENSE-2.0
20 *
21 * Unless required by applicable law or agreed to in writing, software
22 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
23 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
24 * See the License for the specific language governing permissions and
25 * limitations under the License.
26 *
27 * This file is part of mbed TLS (https://tls.mbed.org)
28 */
29
30#ifndef PSA_CRYPTO_EXTRA_H
31#define PSA_CRYPTO_EXTRA_H
32
33#ifdef __cplusplus
34extern "C" {
35#endif
36
Netanel Gonen2bcd3122018-11-19 11:53:02 +0200[diff] [blame]37/* UID for secure storage seed */
38#define MBED_RANDOM_SEED_ITS_UID 0xFFFFFF52
39
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]40/**
41 * \brief Library deinitialization.
42 *
43 * This function clears all data associated with the PSA layer,
44 * including the whole key store.
45 *
46 * This is an Mbed TLS extension.
47 */
48void mbedtls_psa_crypto_free( void );
49
Netanel Gonen2bcd3122018-11-19 11:53:02 +0200[diff] [blame]50
51#if ( defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO) )
52/**
Gilles Peskine0338ded2018-11-15 18:19:27 +0100[diff] [blame^]53 * \brief Inject an initial entropy seed for the random generator.
54 *
55 * This function injects data to be used as a seed for the random generator
56 * used by the PSA Crypto implementation. On devices that lack a trusted
57 * entropy source (preferably a hardware random number generator),
58 * the Mbed PSA Crypto implementation uses this value to seed its
59 * random generator.
60 *
61 * On devices without a trusted entropy source, this function must be
62 * called exactly once in the lifetime of the device. On devices with
63 * a trusted entropy source, calling this function is optional.
64 * In all cases, this function may only be called before calling any
65 * other function in the PSA Crypto API, including psa_crypto_init().
66 *
67 * When this function returns successfully, it populates a file in
68 * persistent storage. Once the file has been created, this function
69 * can no longer succeed.
70 * If any error occurs, the file is not created, and you may call this
71 * function again after correcting the reason for the error.
Netanel Gonen2bcd3122018-11-19 11:53:02 +0200[diff] [blame]72 *
73 * \warning This function **can** fail! Callers MUST check the return status.
74 *
Gilles Peskine0338ded2018-11-15 18:19:27 +0100[diff] [blame^]75 * \warning If you use this function, you should use it as part of a
76 * factory provisioning process. The value of the injected seed
77 * is critical to the security of the device. It must be
78 * *secret*, *unpredictable* and (statistically) *unique per device*.
79 * You should be generate it randomly using a cryptographically
80 * secure random generator seeded from trusted entropy sources.
81 * You should transmit it securely to the device and ensure
82 * that its value is not leaked or stored anywhere beyond the
83 * needs of transmitting it from the point of generation to
84 * the call of this function, and erase all copies of the value
85 * once this function returns.
Netanel Gonen2bcd3122018-11-19 11:53:02 +0200[diff] [blame]86 *
Gilles Peskine0338ded2018-11-15 18:19:27 +0100[diff] [blame^]87 * This is an Mbed TLS extension.
88 *
89 * \param seed[in] Buffer containing the seed value to inject.
90 * \param seed_size Size of the \p seed buffer.
91 * The minimum size of the seed is
92 * #MBEDTLS_ENTROPY_MIN_PLATFORM.
Netanel Gonen2bcd3122018-11-19 11:53:02 +0200[diff] [blame]93 *
94 * \retval #PSA_SUCCESS
Gilles Peskine0338ded2018-11-15 18:19:27 +0100[diff] [blame^]95 * The seed value was injected successfully. The random generator
96 * of the PSA Crypto implementation is now ready for use.
97 * You may now call psa_crypto_init() and use the PSA Crypto
98 * implementation.
Netanel Gonen2bcd3122018-11-19 11:53:02 +0200[diff] [blame]99 * \retval #PSA_ERROR_INVALID_ARGUMENT
Gilles Peskine0338ded2018-11-15 18:19:27 +0100[diff] [blame^]100 * \p seed_size is not large enough.
Netanel Gonen2bcd3122018-11-19 11:53:02 +0200[diff] [blame]101 * \retval #PSA_ERROR_STORAGE_FAILURE
Gilles Peskine0338ded2018-11-15 18:19:27 +0100[diff] [blame^]102 * \retval `PSA_ITS_ERROR_XXX`
103 * There was a failure reading or writing from storage.
Netanel Gonen2bcd3122018-11-19 11:53:02 +0200[diff] [blame]104 * \retval #PSA_ERROR_NOT_PERMITTED
Gilles Peskine0338ded2018-11-15 18:19:27 +0100[diff] [blame^]105 * The library has already been initialized. It is no longer
106 * possible to call this function.
Netanel Gonen2bcd3122018-11-19 11:53:02 +0200[diff] [blame]107 */
108psa_status_t mbedtls_psa_inject_entropy(const unsigned char *seed,
109 size_t seed_size);
110
111#endif
112
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]113#ifdef __cplusplus
114}
115#endif
116
117#endif /* PSA_CRYPTO_EXTRA_H */