diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index fc9bf4f0f..18dccae0a 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -198,6 +198,8 @@ psa_status_t mbedtls_psa_register_se_key( * * This function clears all data associated with the PSA layer, * including the whole key store. + * This function is not thread safe, it wipes every key slot regardless of + * state and reader count. It should only be called when no slot is in use. * * This is an Mbed TLS extension. */ diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index e8813b901..599cc363b 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -144,6 +144,9 @@ void psa_wipe_all_key_slots(void) { size_t slot_idx; +#if defined(MBEDTLS_THREADING_C) + mbedtls_mutex_lock(&mbedtls_threading_key_slot_mutex); +#endif for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) { psa_key_slot_t *slot = &global_data.key_slots[slot_idx]; slot->registered_readers = 1; @@ -151,6 +154,9 @@ void psa_wipe_all_key_slots(void) (void) psa_wipe_key_slot(slot); } global_data.key_slots_initialized = 0; +#if defined(MBEDTLS_THREADING_C) + mbedtls_mutex_unlock(&mbedtls_threading_key_slot_mutex); +#endif } psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id, diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h index 002429b93..18a914496 100644 --- a/library/psa_crypto_slot_management.h +++ b/library/psa_crypto_slot_management.h @@ -92,6 +92,8 @@ psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key, psa_status_t psa_initialize_key_slots(void); /** Delete all data from key slots in memory. + * This function is not thread safe, it wipes every key slot regardless of + * state and reader count. It should only be called when no slot is in use. * * This does not affect persistent storage. */ void psa_wipe_all_key_slots(void);