History log of /optee_os/ta/pkcs11/src/persistent_token.c (Results 1 – 20 of 20)
Revision Date Author Comments
# 931c8c5e 14-Aug-2024 Weizhao Jiang <weizhaoj@amazon.com>

ta: pkcs11: write db_main and db_objs in one operation

Problem:
There is a potential issue in persistent_token.c::init_persistent_db().
There are two steps to initialize a token DB if it doesn’t exist:
1. Call TEE_CreatePersistentObject() with db_main as the initial data.
2. Truncate the object data and then insert db_obj data.
If a power loss occurs between the above two steps, only the db_main data is
present in the database. When the device restarts, it detects the existing
database and successfully reads db_main, but fails to read db_obj, leading
to a TA panic each time.
https://github.com/OP-TEE/optee_os/issues/6977

Solution:
Write both db_main and the initial 4 bytes of db_objs (with a count of 0)
in a single operation during TEE_CreatePersistentObject().

Tested-by: Weizhao Jiang <weizhaoj@amazon.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Signed-off-by: Weizhao Jiang <weizhaoj@amazon.com>

# c7f1b4f7 13-Dec-2022 Jens Wiklander <jens.wiklander@linaro.org>

Upgrade in-tree TAs to use latest version of TEE Internal Core API

Upgrades in-tree TAs to use latest version of TEE Internal Core API and
the compatibility flag is by default turned off.

Upgrading the TAs is basically a matter of replacing a few uint32_t
pointers with size_t pointers instead. This is done in as few places as
possible. So in particular the PKCS#11 TA might benefit from another
round of refactoring now that the contagious use of uint32_t as size
field is removed.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

# 66594cdb 29-Jul-2021 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Remove dual crypto operations from token capability

We don't support dual cryptographic operations in current
implementation. So remove it from token capability.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

# bc555ee0 14-Sep-2020 Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

ta: pkcs11: relocate shared session object db to client session

PKCS11 has a concept of shared objects between different PKCS11 sessions
which need to work.

As in the OP-TEE context there can be multiple callers which should not share
the objects, use OP-TEE client session association to separate those from
each other.

Specified in:
PKCS #11 Cryptographic Token Interface Usage Guide Version 2.40
2.6 Sessions

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

# 402d884a 18-Feb-2021 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Update attributes in persistent storage

For token objects, for any modification in attributes,
the attributes also need to be updated in the objects
persistent storage. These modifications are done when
C_SetAttributeValue() is used.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

# fa1ac767 15-Jan-2021 Robin van der Gracht <robin@protonic.nl>

ta: pkcs11: Don't load objects that don't match the search during find

Don't load all persistent object attributes in find_objects_init().
Instead, temporarily load object attributes and release them if not matching
the current search.

Move object attribute loading from token_obj_matches_ref() to
load_persistent_object_attributes() and introduce counterpart
release_persistent_object_attributes().

Changes attributes_match_reference() to always return true when reference
is empty (match all case).

Remove token_obj_matches_ref() since attributes_match_reference() can be
called straight from load_persistent_object_attributes().

Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>

# 1a27b197 21-Oct-2020 Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

ta: pkcs11: Add TEE Identity based authentication support

In C_InitToken() if PIN is NULL_PTR then it will activate TEE Identity
based authentication support for token.

Once activated:

- Whenever PIN is required, client's TEE Identity will be used for
authentication
- PIN failure counters are disabled
- If new PIN is given as input, it is in the form of a PIN ACL string
- It can be disabled with C_InitToken with non-zero PIN

Internally protected authentication path will be used for mode
determination.

Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

# 974adb9f 14-Dec-2020 Robin van der Gracht <robin@protonic.nl>

pkcs11: persistent_token: Don't read token object UUIDs if we have none

Do not call TEE_ReadObjectData() when there is no object data to read
because the function panics when reading 0 bytes.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Robin van der Gracht <robin@protonic.nl>

# a3c511df 07-Jan-2021 Robin van der Gracht <robin@protonic.nl>

ta: pkcs11: Change sizeof argument for consistency

The bytes subtracted here were added a few lines ago. Since *db_objs
was used there we should also do this here for readability.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Robin van der Gracht <robin@protonic.nl>

# 59a5257e 28-Aug-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: minor fixes

Minor ID reordering in enum pkcs11_mechanism_id.

Fix inline comments referring to PKCS11_OK instead of PKCS11_CKR_OK.

Add 0x prefix in error trace in init_persistent_db().

Use serialargs_get_session_from_handle() instead of the 2 step calls
to serialargs_get() and pkcs11_handle2session().

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

# 334316fe 04-May-2020 Jens Wiklander <jens.wiklander@linaro.org>

ta: pkcs11: persistent object support

A persistent object (token object in PKCS#11 spec) is stored as
a binary blob of attribute list identified by a UUID.

The persistent database stores the UUIDs of the persistent objects
of the token.

Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

# aa442cde 15-Apr-2020 Jens Wiklander <jens.wiklander@linaro.org>

ta: pkcs11: remove unused PIN encryption key functions

PINs are hashed with a salt instead of being encrypted with a secret
key. So remove the now unused management of these secret keys.

Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

# e86828f4 09-Apr-2020 Jens Wiklander <jens.wiklander@linaro.org>

ta: pkcs11: helper to update token persistent database

update_persistent_db() updates the persistent database or panics on
failure.

Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

# bef8bc68 09-Apr-2020 Jens Wiklander <jens.wiklander@linaro.org>

ta: pkcs11: helpers for PIN hashing

Adds helpers to hash PIN and to verify the hash of a PIN. The PIN is
hashed together with user type and a generated salt. A used salt never
takes the value 0 so that can be used to tell if a PIN is set.

Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

# 226699cb 02-Apr-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: remove inline comment about persistent object database

Remove inline comment that is not relevant since PKCS11 object
database is not implemented yet.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

# fce35058 02-Apr-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: fixup user id in init_pin_key()

Minor simplification of init_pin_keys() prototype. Change argument
unsigned int uid to enum pkcs11_user_type type since it's what is
provided by the caller and expected by the function.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

# 60659a86 17-Mar-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: factorize persistent file name

get_db_file_name() and get_pin_file_name() factorize TEE object file
IDs.

open_db_file() and open_pin_file() factorize opening of TA persistent
database object and PIN cipher key objects.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

# 9dbdd8cd 18-Mar-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: identify user as per define user types

Define users with CKU User Type in Cryptoki API:
PKCS11_CKU_SO and PKCS11_CKU_USER. They will be used as identifiers
for login and related PKCS#11 API functions.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

# be1ce869 03-Mar-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: better test object ids generation

Change init_pin_keys() and init_persistent_db() to rely on the
strict byte size of the object ID reference rather than using hard
coded value 32.

Fixes: c84ccd0a805e ("ta: pkcs11: persistent database for the pkcs11 tokens")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

# c84ccd0a 04-Feb-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: persistent database for the pkcs11 tokens

Initialize token(s) state from a persistent database. If no
persistent database is found in the secure storage, initialize
it to a default state and save the database in secure storage.

PKCS11 TA may implement several tokens each related to its own
database.

A token persistent database is stored in several parts in TEE secure
storage. The main database stores token label, flags and PINs status.
Another database stores the UUIDs of the TEE persistent objects
used to store the token PKCS11 objects allowing the token to find
back PKCS11 persistent objects. This object database is out of the
scope of this change.

At runtime, a token instance is referenced by a struct ck_token instance
in RAM which stores the state of the token and references to the
resources the token has loaded as PIN cipher keys (see paragraph below),
session states and the volatile copy of the persistent databases.

Among data saved in persistent database is the reference to
the keys used to cipher the PINs that will be used. A symmetric
encryption scheme is used using keys PKCS11 TA does not have access
to. This allows PKCS11 TA to save in RAM an encrypted value of
the owners PINs.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
