Configurable key location for TLS 1.3 ephemeral key

[KloolK]

Suggested enhancement

The location of the key used for ECDHE during the TLS 1.3 Handshake (handshake->xxdh_psa_privkey) is currently hardcoded to PSA_KEY_LOCATION_LOCAL_STORAGE because it uses the default lifetime PSA_KEY_LIFETIME_VOLATILE:

mbedtls/library/ssl_tls13_generic.c

Lines 1570 to 1578 in 6986829

	key_attributes = psa_key_attributes_init();
	psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
	psa_set_key_algorithm(&key_attributes, alg);
	psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
	psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
	/* Generate ECDH/FFDH private key. */
	status = psa_generate_key(&key_attributes,
	&handshake->xxdh_psa_privkey);

mbedtls/tf-psa-crypto/include/psa/crypto_struct.h

Lines 295 to 305 in 6986829

	#define PSA_KEY_ATTRIBUTES_INIT { PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER \
	PSA_KEY_TYPE_NONE, 0, \
	PSA_KEY_LIFETIME_VOLATILE, \
	PSA_KEY_POLICY_INIT, \
	MBEDTLS_SVC_KEY_ID_INIT }
	static inline struct psa_key_attributes_s psa_key_attributes_init(void)
	{
	const struct psa_key_attributes_s v = PSA_KEY_ATTRIBUTES_INIT;
	return v;
	}

This prevents using an opaque crypto driver for the generation step and subsequent computation of the public key. Using a transparent driver here is typically not an option with an actual HSM since they usually don't support exporting a generated private key.

One might consider performing only the public key computation part with the opaque driver, but this is not a general solution because some HSMs require both the private and public part in order to import an ECC key.