History log of /optee_os/ta/pkcs11/src/pkcs11_token.c (Results 26 – 50 of 50)
Revision Date Author Comments
# 78adf52f 28-Aug-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: remove local helper function supported_mechanism_key_size()

Remove local helper function supported_mechanism_key_size() that is
superseded by newly introduced mechanism_supported_key_sizes() that
does the job and is up to date.

Fixes: 512cbf1d30 ("ta: pkcs11: adds support for symmetric AES cipher modes")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>


# 512cbf1d 15-Jul-2020 Jens Wiklander <jens.wiklander@linaro.org>

ta: pkcs11: adds support for symmetric AES cipher modes

Adds support for the AES modes ECB, CBC, CTR and CTS.

Much infrastructure is added to handle mechanisms.

Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# b56b3d07 04-May-2020 Jens Wiklander <jens.wiklander@linaro.org>

ta: pkcs11: support command to import and destroy object

Implement commands PKCS11_CMD_CREATE_OBJECT and PKCS11_CMD_DESTROY_OBJECT.

Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 39b43b78 04-May-2020 Jens Wiklander <jens.wiklander@linaro.org>

ta: pkcs11: replace complicated params pointer calculation

Replaces params pointer calculations on the form
ctrl = &params[0];
out = &params[2];
with a plain
ctrl = params;
out = params + 2;
in all entry functions still using this form.

Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 4daf39b3 23-Apr-2020 Jens Wiklander <jens.wiklander@linaro.org>

ta: pkcs11: use enum pkcs11_rc instead of uint32_t

Uses enum pkcs11_rc instead of uint32_t where appropriate, that is, as
function return type and local return value type.

Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# f40f331f 22-Apr-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: use serialargs_get_session_from_handle()

Change command processing entry functions to use helper function
serialargs_get_session_from_handle() to get session from the
session handle serialized input argument instead of the 2 step
serialargs_get()/pkcs11_handle2session().

No functional change as current functions always first checked
session validity prior other arguments validity, assuming client
arguments were well serialized.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 02b4d42a 22-Apr-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: set default token serial number based on token ID

With this change, token serial number is string "0...0000000<N>" over
16 characters, led with '0' and ending with token ID decimal value.

It is common for the client application to decide the slot to use
based on the token serial number. Therefore change the default value
to be based on the token ID to avoid having the same serial numbers
on every token.

Co-developed-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
[jf: cast sizeof() to int in snprintf() with field width specifier '*']
Signed-off-by: Jerome Forissier <jerome@forissier.org>


# d628ebd9 22-Apr-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: set slot information to gpd.tee.deviceID if available

Use gpd.tee.deviceID to provide a device specific UUID as part of the
slot information (field with enough size for UUID).

Co-developed-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>


# 29b0949a 22-Apr-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: remove unused variable token in entry_ck_slot_info()

Remove unused variable token in entry_ck_slot_info().
No functional change.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>


# f7cc36c0 09-Apr-2020 Jens Wiklander <jens.wiklander@linaro.org>

ta: pkcs11: implement commands PKCS11_CMD_LOGIN/_LOGOUT

Implements login/logout support.

Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 1dbb91e7 09-Apr-2020 Jens Wiklander <jens.wiklander@linaro.org>

ta: pkcs11: implement command PKCS11_CMD_SET_PIN

PKCS11_CMD_SET_PIN implements C_SetPIN() client API function that is in
charge of modifying a login PIN.

Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# e8dbd92c 09-Apr-2020 Jens Wiklander <jens.wiklander@linaro.org>

ta: pkcs11: implement command PKCS11_CMD_INIT_PIN

PKCS11_CMD_INIT_PIN implements C_InitPIN() client API function that is in
charge of initializing the normal user login PIN. Security Officer must
be logged to current session in order to call this function.

Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# f485be04 09-Apr-2020 Jens Wiklander <jens.wiklander@linaro.org>

ta: pkcs11: implement command PKCS11_CMD_INIT_TOKEN

PKCS11_CMD_INIT_TOKEN implements C_InitToken() client API function that
is in charge of initializing the Security Officer login PIN if not
already done and destroy objects that can be. As objects are not yet
supported in the TA, this latter feature is not implemented.

Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 6459f267 08-Apr-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: fix MECHANISM_IDS to return OK when no output buffer

Fix PKCS11 TA command PKCS11_CMD_MECHANISM_IDS to handle case
where client provides a NULL buffer reference when querying the
list of supported mechanism IDs. In such case TA should return OK,
not PKCS11_CKR_BUFFER_TOO_SMALL.

This change is needed since commit [1] that makes an OP-TEE TA able
to receive memref parameters with a NULL buffer reference.

Link: [1] 20b567068a37 ("libutee: flag NULL pointer using invalid shm id")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>


# ee49d9f2 02-Apr-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: fixup header file inclusion ordering

Fix order of included header files where applicable.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 6e4f8f17 12-Mar-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: session commands support

Add and remove session from session list owned by the client
session. Generate client session IDs using handle.c (produced
indices like starting from 1).

entry_ck_open_session(): uses set_session_state() to default
new session instances.

entry_ck_close_session() and entry_ck_close_all_sessions() use
close_ck_session() to factorize session resource release.

entry_ck_session_info() reads session state as when called.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>


# e084583e 12-Mar-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: register a client instance for each opened TEE session

Each TEE session open toward the TA creates a client reference. It can
be used by command handlers to identify client. Client reference is
passed between TA and client library using the TEE session argument
in the GPD TEE Client API. Value used is the client instance address
in the TA (as a void *) and is abstracted with an opaque ID by OP-TEE
Core between being exposed to client.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>


# 1d3ebedb 17-Feb-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: command to get mechanism info

Implement command PKCS11_CMD_MECHANISM_INFO for client to get
information on a specific mechanism embedded in a token.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 6f74919d 04-Feb-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: command to get mechanisms embedded in a token

Implement command PKCS11_CMD_MECHANISM_IDS for client to get
IDs of the mechanisms embedded in a token

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 030e7392 04-Mar-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: implement command to get token information

Implement TA command PKCS11_CMD_TOKEN_INFO for client to get
information on a token embedded in the PKCS11 TA.

Rename PKCS11_TOKEN_PIN_SIZE into PKCS11_TOKEN_PIN_SIZE_MAX as
introducing PKCS11_TOKEN_PIN_SIZE_MIN, in pkcs11_token.h.

Rely on serializer.h for de-serializing the command arguments.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>


# b3ac5035 17-Feb-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: add pad_str() helper in token info wrapper

Add pad_str() to pad a string ('\0' terminated) with blank characters
(' '), removing the '\0' termination as per PKCS#11 specification.

This will factorize other padding needed in other function/command
wrappers.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>


# ce94efef 17-Feb-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: implement command to get slot information

Implement TA command PKCS11_CMD_SLOT_INFO for client to get information
on a specific slot.

Rely on serializer.h for de-serializing the command arguments.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# d38f9635 02-Mar-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: speculation safe lookup of token instance

Change get_token_id() to be safe against speculative execution for
IDs provided by client. This change is needed for TA command handlers
relying on slot/token IDs provided by client applications.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 22ac6984 04-Feb-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: implement command to get slots list

Implement TA command PKCS11_CMD_SLOT_LIST for client to get the IDs of
the slots embedded in the PKCS11 TA.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# c84ccd0a 04-Feb-2020 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: persistent database for the pkcs11 tokens

Initialize token(s) state from a persistent database. If no
persistent database is found in the secure storage, initialize
it to a default state and save the database in secure storage.

PKCS11 TA may implement several tokens each related to its own
database.

A token persistent database is stored in several parts in TEE secure
storage. The main database stores token label, flags and PINs status.
Another database stores the UUIDs of the TEE persistent objects
used to store the token PKCS11 objects allowing the token to find
back PKCS11 persistent objects. This object database is out of the
scope of this change.

At runtime, a token instance is referenced by a struct ck_token instance
in RAM which stores the state of the token and references to the
resources the token has loaded as PIN cipher keys (see paragraph below),
session states and the volatile copy of the persistent databases.

Among data saved in persistent database is the reference to
the keys used to cipher the PINs that will be used. A symmetric
encryption scheme is used using keys PKCS11 TA does not have access
to. This allows PKCS11 TA to save in RAM an encrypted value of
the owners' PINs.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
