Changed local_ids for Atomic counter and removed key_slot_semaphore.

[sbailey-arm]

key_slot_semaphore removed - #187 1.

local_ids changed to an AtomicU32 that store the current highest key ID including destroyed keys). On load, loops through all stored keys and sets the counter to the max ID. On creating a key ID, adds 1 to the counter. If key store fails and no thread has created another key in the mean time, decrements the counter to the value before the attempt to create a new key ID failed. On key destroy, counter not altered as extra complication deemed unnecessary. #187 2.

Signed-off-by: Samuel Bailey [email protected]

[sbailey-arm]

Wasn't sure on the error to return if there are no more key IDs available.

[hug-dev]

I think BadState is an error referring to multi-parts operations. It might be better to use InsufficientMemory. Also, could you please add an error! log to note that we've reached the limit?

[ionut-arm]

Is it a good idea to return InsufficientMemory? I guess in conjuction with a log message it would be easy to understand what's going on, but based on the error code alone it might be confusing.

[sbailey-arm]

I was thinking about adding a new error but didn't want to touch parsec-interface without discussing first.

Something like 'MaxKeyIdReached'.

[ionut-arm]

I think the problem with a new response code like that is we shouldn't be exposing internal issues (or, not ones that mean nothing to a client). InsufficientMemory is probably ok if we document what it means in our context - we just add an entry here

[hug-dev]

Thanks!

[hug-dev]

I think BadState is an error referring to multi-parts operations. It might be better to use InsufficientMemory. Also, could you please add an error! log to note that we've reached the limit?

[hug-dev]

As you said in your issue comment, do you think this is always safe?

[sbailey-arm]

There's one problem I've thought of (see second paragraph) but in general, yes. In that particular case, the new ID would be created with the value of PSA_KEY_ID_USER_MAX + 1, and max_current_id would be set to that. If no other thread tries to create a new ID, max_current_id will still be PSA_KEY_ID_USER_MAX + 1, which will then be decremented back down to PSA_KEY_ID_USER_MAX. If a new thread does try to create a new ID, it will increment it to PSA_KEY_ID_USER_MAX + 2. The original thread will then fail the compare and not touch PSA_KEY_ID_USER_MAX.

It could overflow though, theoretically there's theoretically a chance that mac_current_id could keep going up if new threads stop any older threads from decrementing it. Maybe it'd be better to just hard reset it to PSA_KEY_ID_USER_MAX if it fails the check? No key will ever be created if max_current_id is at the ID limit so we should be able to set it back.
Thread #1 comes in, increments it to MAX + 1 and realises its too high. Then thread #2 comes in, increments it to MAX + 2 and also realises its too high. Thread #1 runs again and resets to MAX. Then thread #2 does the same (though it's already at MAX).

Decrementing in the other case (line 74) should also be safe. If no threads have created key IDs in the mean time, the compare will match and the counter will be decremented correctly. If a thread has come in in the mean time, the compare will fail and the counter will not be decremented.

Am I missing something?

[ionut-arm]

Maybe it'd be better to just hard reset it to PSA_KEY_ID_USER_MAX if it fails the check? No key will ever be created if max_current_id is at the ID limit so we should be able to set it back.

Yeah, just commented the same thing in the issue, that sounds sensible!

As for the second decrement - it works, but is it needed? I'd say that having an operation that isn't deterministic isn't a good idea (regardless of correctness) and if you end up crashing through the handle limit then you have bigger issues on your system.

[sbailey-arm]

Yeah, I saw 😋

Ok. Yeah if you're going that high, saving a key ID here and there isn't going to make a difference, I'll remove it.

[hug-dev]

I guess it is fine to not care about overflows as PSA_KEY_ID_USER_MAX is equal to the defined value of 0x3FFFFFFF.

[sbailey-arm]

Better safe than sorry or overkill? 😉

[hug-dev]

It might be more efficient to find the maximum locally, in a psa_key_id_t variable and then store it in the id_counter at the end. I believe the atomic operations impose restrictions on compiler optimizations.

[sbailey-arm]

Ah, didn't realise there would be much overhead in just using the atomic variable. I will change it.

[hug-dev]

Looks good to me!

[ionut-arm]

💯