parallaxsecond / parsec-se-driver Goto Github PK
View Code? Open in Web Editor NEWPSA Secure Element Driver implementation using Parsec
License: Apache License 2.0
PSA Secure Element Driver implementation using Parsec
License: Apache License 2.0
It should be possible to cross-compile the SE driver to another target via the --target
flag. It should be tested on the CI.
A target to start with would be armv7-unknown-linux-gnueabihf
.
After the work in parallaxsecond/parsec-client-rust#41 is done the SE driver can identify the authenticator supported by Parsec and use an appropriate identity mechanism.
This request is to create an SE driver layer that allows clients of PSA Crypto to use Parsec in a platform-agnostic fashion. The driver would choose the correct provider based on information obtained from the service. Client code would then not have any compile-time coupling with a particular Parsec provider type (such as TPM). A common client build would be usable with multiple Parsec back-end providers.
To consume the Parsec service into C code, we are using the PSA Crypto API as the programming surface, and Mbed Crypto as the glue layer to the Parsec client library. Mbed Crypto uses secure element (SE) drivers as a way of routing crypto operations to the correct place. Clients register these drivers and then use key lifetime
properties as a way of specifying the SE driver that should be used.
This repo holds SE drivers that can be used to route PSA Crypto operations to Parsec.
However, Parsec itself is an abstraction that can have multiple implementations depending on the platform. These implementations are known as providers. Parsec has different providers for different types of platform hardware such as TPM or HSM.
The model we've adopted for the SE driver so far is that there is a precise 1-1 mapping between an SE driver and a Parsec provider. So, if you want to use a TPM platform, then you would use the TPM SE driver, which in turn would select for the TPM Parsec provider.
This model is conceptually quite clean, but it does mean that the client code needs full awareness of the platform in order to register the correct SE driver and use the correct key lifetimes for it. This is a tight coupling that might not always be desirable. Parsec is intended to be a platform-agnostic API, so client application code shouldn't be required to have this level of awareness unless it wants to.
It should be possible for an SE driver to select the Parsec provider automatically based on its configured knowledge of the platform. Client code can then just use a generic "Parsec" key lifetime and everything else is automatic.
With this variant of the SE driver, adopters of Parsec can have common application code on any platform.
Client C code would be completely agnostic and have no compile-time tie to any particular platform. The same builds could be used on TPM and non-TPM platforms, for example. The way of using Parsec would simply be to specify Parsec as the key lifetime, and everything else would be automatic.
Placeholder issue to investigate how to define stability for the SE driver and how to enforce it.
Mbed TLS should be updated & verified soonest against 2.25.0, as the currently used version 2.22.0 has a known CVE-2020-16150.
Currently, this SE driver only works with Parsec 0.4.0. It needs to be updated to work with 0.5.0
. The main thing to do would be to increase parsec-client
version to 0.5.0
.
If something went wrong with the SE driver registration, it is possible that Mbed Crypto is called for crypto operations instead of Parsec. We should check that Parsec is actually called.
This could be done via ./parsec-tool list-keys
checking that the result is not empty.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.