Is your feature request related to a problem? Please describe.
In IoT, PSA is the standard to ensure IoT device security. I followed TF-M as it is PSA certified and widely adopted by the industry. One of the key ideas is that the runtime of a device is divided into a Secure Processing Environment (SPE) and a Non-Secure Processing Environment (NSPE). All keys are stored in the SPE and never leave the SPE, nor are they accessed directly by the NSPE. The NSPE can only call APIs from the SPE as security services.
Currently in libcoap, the PSK is being passed around, e.g. calling setup_psk before creating a session using coap_new_client_session_psk2. This is against TF-M's principle and makes the device less secure.
Describe the solution you'd like
libcoap should provide "opaque" APIs, like Mbed TLS's mbedtls_pk_setup_opaque vs mbedtls_pk_parse_key. This way the keys are no longer passed around and will be stored safely in the SPE.
Refer to Mbed TLS's PSA-enabled primitives here: Mbed TLS
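The handle-based ("opaque") pattern requested above, as an added self-contained C model; it is not libcoap, Mbed TLS or TF-M code. All names (key_id_t, spe_import_key, spe_export_key, spe_keyed_tag, the USAGE_* flags) are hypothetical, and the FNV-1a tag is a toy stand-in for a real PSK operation.

```c
/* Constructed model of an opaque-key boundary; every name here is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define USAGE_DERIVE 0x1u /* key may feed the keyed service */
#define USAGE_EXPORT 0x2u /* key bytes may be read back out */
#define MAX_KEYS 4
#define MAX_KEY_LEN 32
typedef uint32_t key_id_t; /* the only thing the non-secure caller holds */

/* "SPE" side: key material lives only in this static table (len 0 = free). */
static struct { uint8_t bytes[MAX_KEY_LEN]; size_t len; uint32_t usage; } slots[MAX_KEYS];

/* Provisioning call: copy the key in, hand back a handle (0 = failure). */
key_id_t spe_import_key(const uint8_t *key, size_t len, uint32_t usage) {
    if (key == NULL || len == 0 || len > MAX_KEY_LEN) return 0;
    for (key_id_t i = 0; i < MAX_KEYS; i++) {
        if (slots[i].len != 0) continue; /* slot taken */
        memcpy(slots[i].bytes, key, len);
        slots[i].len = len; slots[i].usage = usage;
        return i + 1;
    }
    return 0;
}

/* Resolve a handle and enforce its usage policy; -1 if unknown or not allowed. */
static int slot_for(key_id_t id, uint32_t need) {
    if (id == 0 || id > MAX_KEYS || slots[id - 1].len == 0) return -1;
    return (slots[id - 1].usage & need) == need ? (int)(id - 1) : -1;
}

/* Export succeeds only if the key was imported with USAGE_EXPORT. */
int spe_export_key(key_id_t id, uint8_t *out, size_t cap, size_t *out_len) {
    int s = slot_for(id, USAGE_EXPORT);
    if (s < 0 || cap < slots[s].len) return -1;
    memcpy(out, slots[s].bytes, slots[s].len);
    *out_len = slots[s].len;
    return 0;
}

/* Keyed service: toy FNV-1a tag standing in for a real PSK operation. */
int spe_keyed_tag(key_id_t id, const uint8_t *msg, size_t n, uint32_t *tag) {
    int s = slot_for(id, USAGE_DERIVE);
    if (s < 0) return -1;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < slots[s].len; i++) h = (h ^ slots[s].bytes[i]) * 16777619u;
    for (size_t i = 0; i < n; i++) h = (h ^ msg[i]) * 16777619u;
    *tag = h;
    return 0;
}
```

After provisioning, session code only ever carries a key_id_t; a PSK imported without USAGE_EXPORT can be used through spe_keyed_tag but cannot be read back.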