Skip to content

[nrf toup] don't try to find volatile/builtin keys from wrong sources #31

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tomi-font merged 1 commit into from
Oct 3, 2025
Merged

[nrf toup] don't try to find volatile/builtin keys from wrong sources #31

tomi-font merged 1 commit into from
Oct 3, 2025

Conversation

@tomi-font
Copy link
Contributor

@tomi-font tomi-font commented Sep 30, 2025
edited
Loading

When not finding a given key in memory, the implementation would try to find it from the persistent keys regardless of the actual key type (volatile/builtin/persistent).

Don't try to find inexistent volatile/builtin keys from persistent ones.

In addition to the calls being superflous, the problem that was happening here is that the ITS implementation (Secure Storage subsystem) returns PSA_ERROR_INVALID_ARGUMENT because the ID is not in the persistent key range, and because it doesn't return PSA_ERROR_DOES_NOT_EXIST then the wrong error code is propagated back to the caller.

toup as the issue has been communicated to Mbed TLS and should be fixed there.
See:

@NordicBuilder NordicBuilder mentioned this pull request Sep 30, 2025
Merged
@tomi-font tomi-font force-pushed the fix_inexistant_volatile_key_handling branch from 85ad1f5 to c31245a Compare October 1, 2025 11:27
@tomi-font tomi-font changed the title [nrf toup] fix erroneous call into builtin/persistent keys [nrf toup] don't try to find volatile/builtin keys from wrong sources Oct 1, 2025
@tomi-font tomi-font force-pushed the fix_inexistant_volatile_key_handling branch from c31245a to b3c148a Compare October 1, 2025 12:56
@tomi-font
[nrf toup] don't try to find volatile/builtin keys from wrong sources
7873339 
When not finding a given key in memory, the implementation would try
to find it from the persistent keys regardless of the actual key type
(volatile/builtin/persistent).

Don't try to find inexistent volatile/builtin keys from persistent
ones.

In addition to the calls being superflous, the problem that was
happening here is that the ITS implementation (Secure Storage
subsystem) returns `PSA_ERROR_INVALID_ARGUMENT` because the ID is not
in the persistent key range, and because it doesn't return
`PSA_ERROR_DOES_NOT_EXIST` then the wrong error code is propagated
back to the caller.

`toup` as the issue has been communicated to Mbed TLS and should be
fixed there.
See:
- Mbed-TLS/TF-PSA-Crypto#488
- Mbed-TLS/TF-PSA-Crypto#492

Signed-off-by: Tomi Fontanilles <[email protected]>
@tomi-font tomi-font force-pushed the fix_inexistant_volatile_key_handling branch from b3c148a to 7873339 Compare October 2, 2025 07:37
@tomi-font tomi-font requested review from a team, PFnord and magnev October 2, 2025 10:18
@tomi-font tomi-font merged commit c79b47b into nrfconnect:main Oct 3, 2025
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@degjorva degjorva degjorva approved these changes

@PFnord PFnord PFnord approved these changes

@magnev magnev Awaiting requested review from magnev

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tomi-font @degjorva @PFnord