[Cryptech Tech] Revised keystore API and keystore flash "filesystem"

Leif Johansson leifj at sunet.se
Sat Sep 17 13:24:28 UTC 2016

Skickat från min iPhone

> 16 sep. 2016 kl. 22:38 skrev Rob Austein <sra at hactrn.net>:
> Preliminary version of revised keystore API and flash management code
> committed and pushed to branch ksng in sw/{libhal,stm32,pkcs11}
> repositories.  Still needs work before it'll be ready to consider for
> merging into the master branch, but the basic mechanism seems to work.
> Not yet heavily tested.
> NB: Keys and PINs saved to flash with the old keystore flash code will
> not be preserved if you try this code (in theory they'll be the last
> things overwritten, but the wear-leveling code will get around to
> overwriting them eventually).  Sorry, it's a development platform,
> adding a big chunk of backwards-compatibility code (read: seldom-used
> code path, larger attack surface) seemed like a bad idea.  Can still
> add backwards-compatibility if folks strongly disagree, of course.

No argument from me

> Next steps:
> * Switching from erasing entire flash sectors to erasing individual
>  flash subsectors (in theory this is a trivial change, same C code
>  should work, just a different opcode);
> * Adding support for key objects larger than one flash subsector;
> * Adding general attribute storage to key objects so we can start
>  phasing out the current SQLite3 database used by the PKCS #11 code.

So this means no more sqlite3-dependency anywhere in the code or just the p11 part (just curious)?

> _______________________________________________
> Tech mailing list
> Tech at cryptech.is
> https://lists.cryptech.is/listinfo/tech

More information about the Tech mailing list