ta: pkcs11: factorize second operation handle

Factorize fields tee_hash_op_handle and tee_op_handle2 of
struct active_processing that both are used as second operation
handle for specific algorithm.

ta: pkcs11: factorize second operation handle

Factorize fields tee_hash_op_handle and tee_op_handle2 of
struct active_processing that both are used as second operation
handle for specific algorithm.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ta: pkcs11: prevent user ID verification when user PIN is not set

Fix User PIN verification in ACL mode (protected authentication) so
that it always returns PKCS11_CKR_USER_PIN_NOT_INITIALIZED when

ta: pkcs11: prevent user ID verification when user PIN is not set

Fix User PIN verification in ACL mode (protected authentication) so
that it always returns PKCS11_CKR_USER_PIN_NOT_INITIALIZED when User
PIN has not been initialized yet by the Security Officer. Before this
change, this was tested only in the standard PIN path, not for the
authenticated TEE identity mode (CFG_PKCS11_TA_AUTH_TEE_IDENTITY=y).

Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ta: pkcs11: Improve PIN counter handling robustness

Make sure PIN check attempt is saved persistently before continuing with
the actual PIN verification, improving counter and flags coherency in
cas

ta: pkcs11: Improve PIN counter handling robustness

Make sure PIN check attempt is saved persistently before continuing with
the actual PIN verification, improving counter and flags coherency in
case of subsequent failure with persistent saving.

Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ta: pkcs11: invalidate handle of destroyed token objects

Marks as invalid any object handle that refers to the token object
that is being destroying so that any use of the related handle will
consid

ta: pkcs11: invalidate handle of destroyed token objects

Marks as invalid any object handle that refers to the token object
that is being destroying so that any use of the related handle will
consider the object handle as invalid.

Link: https://github.com/OP-TEE/optee_os/issues/6005
Reviewed-by: Valerii Chubar <valerii_chubar@epam.com>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Allow authentication mode switch with PIN change

In order to enable one to switch from PIN mode to TEE Identity mode or
vice versa enable the mode switch when token has just been initial

ta: pkcs11: Allow authentication mode switch with PIN change

In order to enable one to switch from PIN mode to TEE Identity mode or
vice versa enable the mode switch when token has just been initialized but
not taken in use (eg. no user PIN set).

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Fix token initialization's authentication

When token has been initialized make sure that SO is properly
authenticated based on authentication mode setting to follow PKCS#11 2.40
specific

ta: pkcs11: Fix token initialization's authentication

When token has been initialized make sure that SO is properly
authenticated based on authentication mode setting to follow PKCS#11 2.40
specification for C_InitToken().

This makes it impossible to change authentication mode with C_InitToken().

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ta: pkcs11: fix use-after-free in close_ck_session() when CFG_TEE_TA_LOG_LEVEL >= 3

The debug trace in close_ck_session() needs to be moved before the
session is freed. Problem found with CFG_MEMTAG

ta: pkcs11: fix use-after-free in close_ck_session() when CFG_TEE_TA_LOG_LEVEL >= 3

The debug trace in close_ck_session() needs to be moved before the
session is freed. Problem found with CFG_MEMTAG=y.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: describe CFG_PKCS11_TA_TOKEN_COUNT

Add a default value and a description for PKCS11 TA config switch
CFG_PKCS11_TA_TOKEN_COUNT in ta/pkcs11/sub.mk.

Signed-off-by: Etienne Carriere <etie

ta: pkcs11: describe CFG_PKCS11_TA_TOKEN_COUNT

Add a default value and a description for PKCS11 TA config switch
CFG_PKCS11_TA_TOKEN_COUNT in ta/pkcs11/sub.mk.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add operation state in session

Add more operation states to take care of scenarios like failure
of an incremental (update) operation if a one-shot/final operation
has been started.

Sign

ta: pkcs11: Add operation state in session

Add more operation states to take care of scenarios like failure
of an incremental (update) operation if a one-shot/final operation
has been started.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add implementation for wrapping keys

Add implementation for handling C_WrapKey() for mechanisms :
CKM_AES_ECB
CKM_AES_CBC

Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

ta: pkcs11: Add implementation for wrapping keys

Add implementation for handling C_WrapKey() for mechanisms :
CKM_AES_ECB
CKM_AES_CBC

Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Add support for elliptic curve signing & verification

Add support for performing elliptic curve signing & verification
operations for:

- ECDSA with supplied hash value
- Multi stage SHA

ta: pkcs11: Add support for elliptic curve signing & verification

Add support for performing elliptic curve signing & verification
operations for:

- ECDSA with supplied hash value
- Multi stage SHA-1
- Multi stage SHA-224
- Multi stage SHA-256
- Multi stage SHA-384
- Multi stage SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.3 Elliptic Curve

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: relocate shared session object db to client session

PKCS11 has concept of shared objects between different PKCS11 sessions
which need to work.

As in OP-TEE context there can be multiple

ta: pkcs11: relocate shared session object db to client session

PKCS11 has concept of shared objects between different PKCS11 sessions
which need to work.

As in OP-TEE context there can be multiple callers which should not share
the objects use OP-TEE client session association to separate those from
each other.

Specified in:
PKCS #11 Cryptographic Token Interface Usage Guide Version 2.40
2.6 Sessions

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Fix interpretation of CKA_VALUE_LEN for Generic Secrets

PKCS#11 specification [1] section 2.6.3 states that - For
CKM_GENERIC_SECRET_KEY_GEN mechanism, the ulMinKeySize and
ulMaxKeySize

ta: pkcs11: Fix interpretation of CKA_VALUE_LEN for Generic Secrets

PKCS#11 specification [1] section 2.6.3 states that - For
CKM_GENERIC_SECRET_KEY_GEN mechanism, the ulMinKeySize and
ulMaxKeySize fields of the CK_MECHANISM_INFO structure
specify the supported range of key sizes, in bits.

Based on this, assumption was being made in the code that key length
specified by CKA_VALUE_LEN for keys of type CKK_GENERIC_SECRET is also
in bits. This assumption is not correct as per Section 2.6.2 in [1].
Special handling in code for CKK_GENERIC_SECRET for handling keysize
in bits has been now removed.

[1] - PKCS #11 Cryptographic Token Interface Current Mechanisms
Specification Version 2.40

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Add implementation for random number generation

Add code for handling C_SeedRandom() and C_GenerateRandom() functionality.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed

ta: pkcs11: Add implementation for random number generation

Add code for handling C_SeedRandom() and C_GenerateRandom() functionality.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: fix TEE identity authentication token reference

Correct token reference pass to verify client credentials.

Fixes: 1a27b197 ("ta: pkcs11: Add TEE Identity based authentication support")

ta: pkcs11: fix TEE identity authentication token reference

Correct token reference pass to verify client credentials.

Fixes: 1a27b197 ("ta: pkcs11: Add TEE Identity based authentication support")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta/pkcs11: Use LIST_FOREACH_SAFE when removing objects from list

When traversing object list to remove objects, use LIST_FOREACH_SAFE
to avoid segmentation fault.

Signed-off-by: Ruchika Gupta <ruch

ta/pkcs11: Use LIST_FOREACH_SAFE when removing objects from list

When traversing object list to remove objects, use LIST_FOREACH_SAFE
to avoid segmentation fault.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Deal with the private objects in C_Logout

The logic to deal with the private objects was missing in the
C_Logout() implementation.
PKCS#11 specification states that :
When C_Logout succe

ta: pkcs11: Deal with the private objects in C_Logout

The logic to deal with the private objects was missing in the
C_Logout() implementation.
PKCS#11 specification states that :
When C_Logout successfully executes, any of the application’s
handles to private objects should become invalid (even if a user
is later logged back into the token, those handles remain invalid).
In addition, all private session objects from sessions belonging
to the application should also be destroyed.

In addition, also release any ongoing cryptographic or
object-finding operations that may be associated with the session
while logging out.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for finding objects

Implement commands
- PKCS11_CMD_FIND_OBJECTS_INIT
- PKCS11_CMD_FIND_OBJECTS
- PKCS11_CMD_FIND_OBJECTS_FINAL

Co-developed-by: Etienne Carriere <etienne.ca

ta: pkcs11: Add support for finding objects

Implement commands
- PKCS11_CMD_FIND_OBJECTS_INIT
- PKCS11_CMD_FIND_OBJECTS
- PKCS11_CMD_FIND_OBJECTS_FINAL

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Co-developed-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Remove persistent objects on token re-initialization

When re-initializing a token the previously created objects need
to be removed.

Signed-off-by: Robin van der Gracht <robin@protonic.

ta: pkcs11: Remove persistent objects on token re-initialization

When re-initializing a token the previously created objects need
to be removed.

Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add TEE Identity based authentication support

In C_InitToken() if PIN is NULL_PTR then it will activate TEE Identity
based authentication support for token.

Once activated:

- When ever

ta: pkcs11: Add TEE Identity based authentication support

In C_InitToken() if PIN is NULL_PTR then it will activate TEE Identity
based authentication support for token.

Once activated:

- When ever PIN is required client's TEE Identity will be used for
authentication
- PIN failure counters are disabled
- If new PIN is given as input it is in form of PIN ACL string
- It can be disabled with C_InitToken with non-zero PIN

Internally protected authentication path will be used for mode
determination.

Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: set_pin: use token shortcut like in other pin functions

Use common shortcut variable 'token' as in check_so_pin and check_user_pin.

Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Re

ta: pkcs11: set_pin: use token shortcut like in other pin functions

Use common shortcut variable 'token' as in check_so_pin and check_user_pin.

Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: entry_ck_token_initialize: reset SO flags on init

If successful token init has been performed and new PIN is set then reset
all pin change flags.

Call update_persistent_db() only once a

ta: pkcs11: entry_ck_token_initialize: reset SO flags on init

If successful token init has been performed and new PIN is set then reset
all pin change flags.

Call update_persistent_db() only once as a last step during the execution.

Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Fix return value when trying to open parallel session

It is mandatory to have CKF_SERIAL_SESSION set when invoking
C_OpenSession(). When omitted CKR_SESSION_PARALLEL_NOT_SUPPORTED must b

ta: pkcs11: Fix return value when trying to open parallel session

It is mandatory to have CKF_SERIAL_SESSION set when invoking
C_OpenSession(). When omitted CKR_SESSION_PARALLEL_NOT_SUPPORTED must be
returned.

Specified in:
PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
5.6 Session management functions
C_OpenSession

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: add missing header files

Add missing header files inclusion in few source files.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@

ta: pkcs11: add missing header files

Add missing header files inclusion in few source files.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: release active process on session closure

Release the possible active processing resources when closing a session.

Fixes: 512cbf1d30dd ("ta: pkcs11: adds support for symmetric AES ciphe

ta: pkcs11: release active process on session closure

Release the possible active processing resources when closing a session.

Fixes: 512cbf1d30dd ("ta: pkcs11: adds support for symmetric AES cipher modes")
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...