Merge pull request #13433 from LDong-Arm/refactor_device_key

Refactor device_key
2020-08-24 12:56:10 +01:00 · 2020-08-24 12:56:10 +01:00 · 4ba1a5433f
parent 08ef04d027 a59bace6f2
commit 4ba1a5433f
8 changed files with 9 additions and 6 deletions
--- a/docs/design-documents/features/storage/SecureStore/SecureStore_design.md
+++ b/docs/design-documents/features/storage/SecureStore/SecureStore_design.md
@ -32,7 +32,7 @@

 ### Overview and background

-SecureStore is a [KVStore](../KVStore/KVStore_design.md) based storage solution, providing security features on the stored data, such as encryption, authentication, rollback protection and write once, over an underlying KVStore class. It references an additional KVStore class for storing the rollback protection keys. 
+SecureStore is a [KVStore](../KVStore/KVStore_design.md) based storage solution, providing security features on the stored data, such as encryption, authentication, rollback protection and write once, over an underlying KVStore class. It references an additional KVStore class for storing the rollback protection keys.

 ### Requirements and assumptions

@ -44,13 +44,13 @@ SecureStore assumes that the underlying KVStore instances are instantiated and i

 SecureStore is a storage class, derived from KVStore. It adds security features to the underlying key value store.
 
-As such, it offers all KVStore APIs, with additional security options (which can be selected using the creation flags at set). These include:  
+As such, it offers all KVStore APIs, with additional security options (which can be selected using the creation flags at set). These include:

- Encryption: Data is encrypted using the AES-CTR encryption method, with a randomly generated 8-byte IV. Key is derived from [Device Key](../../../../../../mbed-os/features/device_key/README.md), using the NIST SP 800-108 KDF in counter mode spec, where salt is the key trimmed to 32 bytes, with "ENC" as prefix. Flag here is called "require confidentiality flag".  
+- Encryption: Data is encrypted using the AES-CTR encryption method, with a randomly generated 8-byte IV. Key is derived from [Device Key](../../../../../../mbed-os/drivers/device_key/README.md), using the NIST SP 800-108 KDF in counter mode spec, where salt is the key trimmed to 32 bytes, with "ENC" as prefix. Flag here is called "require confidentiality flag".  
 - Rollback protection: (Requires authentication) CMAC is stored in a designated rollback protected storage (also of KVStore type) and compared to when reading the data under the same KVStore key. A missing or different key in the rollback protected storage results in an error. The flag here is called "Require replay protection flag".
 - Write once: Key can only be stored once and can't be removed. The flag here is called "Write once flag".

-SecureStore maintains data integrity using a record CMAC. This 16-byte CMAC is calculated on all stored data (including key & metadata) and stored at the end of the record. When reading the record, SecureStore compares the calculated CMAC with the stored one. In the case of encryption, CMAC is calculated on the encrypted data. The key used for generating the CMAC is derived from [Device Key](../../../../../../mbed-os/features/device_key/README.md), where salt is the key trimmed to 32 bytes, with "AUTH" as prefix.  
+SecureStore maintains data integrity using a record CMAC. This 16-byte CMAC is calculated on all stored data (including key & metadata) and stored at the end of the record. When reading the record, SecureStore compares the calculated CMAC with the stored one. In the case of encryption, CMAC is calculated on the encrypted data. The key used for generating the CMAC is derived from [Device Key](../../../../../../mbed-os/drivers/device_key/README.md), where salt is the key trimmed to 32 bytes, with "AUTH" as prefix.
 
 ![SecureStore Layers](./SecureStore_layers.jpg)

--- a/features/device_key/README.md
+++ b/features/device_key/README.md
@ -42,5 +42,5 @@ To instantiate DeviceKey, you need to call its `get_instance` member function as
 Run the DeviceKey functionality test with the `mbed` command as follows:

 ``` 
-    ```mbed test -n features-device_key-tests-device_key-functionality```
+    ```mbed test -n drivers-device_key-tests-tests-device_key-functionality```
 ```
--- a/drivers/device_key/include/device_key/DeviceKey.h
+++ b/drivers/device_key/include/device_key/DeviceKey.h
--- a/features/device_key/mbed_lib.json
+++ b/features/device_key/mbed_lib.json
--- a/features/device_key/source/DeviceKey.cpp
+++ b/features/device_key/source/DeviceKey.cpp
--- a/drivers/device_key/tests/TESTS/device_key/functionality/main.cpp
+++ b/drivers/device_key/tests/TESTS/device_key/functionality/main.cpp
--- a/storage/kvstore/securestore/include/securestore/SecureStore.h
+++ b/storage/kvstore/securestore/include/securestore/SecureStore.h
@ -23,7 +23,7 @@
 #include MBEDTLS_CONFIG_FILE
 #endif

-#include "features/device_key/source/DeviceKey.h"
+#include "device_key/DeviceKey.h"

 #define SECURESTORE_ENABLED 1

--- a/tools/test/travis-ci/doxy-spellchecker/ignore.en.pws
+++ b/tools/test/travis-ci/doxy-spellchecker/ignore.en.pws
@ -117,4 +117,7 @@ Hinnant
 Vin
 Vref
 ssid
+instantiation
+instantiations
+KVStore
 _doxy_