Open in app

Sign in

Write

Sign in

PSA Crypto API in Mbed TLS

Michael Zhao
3 min readOct 28, 2022

--

What’s what

PSA

Platform Security Architecture (PSA) is a framework for securing connected devices defined by Arm. It includes a set of:

  • Threat models
  • Security analyses
  • Hardware and firmware architecture specifications
  • An open source firmware reference implementation
  • An independent evaluation and certification scheme

PSA Crypto API

The PSA Cryptographic API is a component of PSA that provides a portable interface to cryptographic operations on a wide range of hardware.

Mbed TLS

Mbed TLS is an open source C library that implements cryptographic primitives, X.509 certificate manipulation and the SSL/TLS and DTLS protocols. Mbed TLS includes a reference implementation of the PSA Cryptography API.

PSA Crypto API

The latest version of PSA Crypto API specification can be downloaded from Arm Developer website. The document defines the APIs for various cryptographic functionalities. It would be extremely boring if I introduced every one of the APIs, or even list them. For the sake of giving you an generic impression of what these APIs are (rather than diving into the algorithms), I think categorizing them with a mind map may be a better way.

The following diagram gives the major categories of PSA Crypto API v1.1, the names of the each API and the supported algorithms.

PSA Implementation in Mbed TLS

In Mbed TLS, the implementation of PSA Crypto API can be split into 2 layers: wrapper layer and driver layer.

The wrapper layer (or API layer) contains:

  • PSA Crypto API declarations: They are defined by the specification, included in a header file named crypto.h.
  • API functions definition: This is the entry of each API function.
  • Wrapper of the API: The wrapper function is called by the API function. According to the user configuration, the wrapper will call the function provided by the specified driver for the cryptographic operation.

Now Mbed TLS supports 2 types of driver for PSA Crypto service:

  • Mbed TLS Builtin PSA Crypto Service: The standard implementation for PSA Crypto API provided by Mbed TLS
  • Mbed TLS Test PSA Crypto Service: This is the driver used for test.

The following diagram illustrates the structure of the PSA Crypto API implementation in Mbed TLS (left side). To the right side of the diagram, I showed how is psa_hash_setup(), a function used for in hashing long (multi-part) content, handled in each component.

PSA Crypto Examples in Mbed TLS

In the subfolder programs/psa of Mbed TLS source code repository, some example programs are provided. Checking the source code of these examples, you can see how the PSA Crypto API should be used.

After building everything with make command, the binary of the examples are ready in the same directory. Try one and begin your Mbed TLS journey!

➜ ./crypto_examples
cipher encrypt/decrypt AES CBC no padding:
        success!
cipher encrypt/decrypt AES CBC PKCS7 multipart:
        success!
cipher encrypt/decrypt AES CTR multipart:
        success!
Psa
Crypto
Mbed Tls
Security
Cryptography

--

--

Michael Zhao
Michael Zhao

Written by Michael Zhao

143 Followers
230 Following

Major in virtualization, security and ARM.

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams