ta: pkcs11: session commands support

Add and remove session from session list owned by the client
session. Generate client session IDs using handle.c (produced
indices like starting from 1).

entry_

ta: pkcs11: session commands support

Add and remove session from session list owned by the client
session. Generate client session IDs using handle.c (produced
indices like starting from 1).

entry_ck_open_session(): uses set_session_state() to default
new session instances.

entry_ck_close_session() and entry_ck_close_all_sessions() use
close_ck_session() to factorize session resource release.

entry_ck_session_info() reads session state as when called.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: register a client instance for each opened TEE session

Each TEE session open toward the TA creates a client reference. It can
be used by command handlers to identify client. Client refer

ta: pkcs11: register a client instance for each opened TEE session

Each TEE session open toward the TA creates a client reference. It can
be used by command handlers to identify client. Client reference is
passed between TA and client library using the TEE session argument
in the GPD TEE Client API. Value used is the client instance address
in the TA (as a void *) and is abstracted with an opaque ID by OP-TEE
Core between being exposed to client.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: handle database for various client references

Dump core/kernel/handle.c into PKCS11 TA source tree with some
changes:
- Remove ptr_destructor() support,
- Adapt the TEE Internal APIs (I.

ta: pkcs11: handle database for various client references

Dump core/kernel/handle.c into PKCS11 TA source tree with some
changes:
- Remove ptr_destructor() support,
- Adapt the TEE Internal APIs (I.e. TEE_MemMove() instead of memcpy()),
- Produce 32bit IDs starting from 1, 0 is reserved as undefined reference.

Most handles return by the TA to the client are 32bit unsigned values
as per TA API. handle.c will manage these IDs.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: add mechanism info and session command to helpers

Add mechanism info and session management command IDs in debug
helpers of the PKCS11 TA.

Signed-off-by: Etienne Carriere <etienne.carri

ta: pkcs11: add mechanism info and session command to helpers

Add mechanism info and session management command IDs in debug
helpers of the PKCS11 TA.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: define TA commands related to session management

Define commands PKCS11_CMD_CLOSE_SESSION, PKCS11_CMD_CLOSE_SESSION,
PKCS11_CMD_CLOSE_SESSION and PKCS11_CMD_CLOSE_SESSION and related
res

ta: pkcs11: define TA commands related to session management

Define commands PKCS11_CMD_CLOSE_SESSION, PKCS11_CMD_CLOSE_SESSION,
PKCS11_CMD_CLOSE_SESSION and PKCS11_CMD_CLOSE_SESSION and related
resources in the PKCS11 TA API.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: command to get mechanism info

Implement command PKCS11_CMD_MECHANISM_INFO for client to get
information on a specific mechanism embedded in a token.

Signed-off-by: Etienne Carriere <eti

ta: pkcs11: command to get mechanism info

Implement command PKCS11_CMD_MECHANISM_INFO for client to get
information on a specific mechanism embedded in a token.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: command to get mechanisms embedded in a token

Implement command PKCS11_CMD_MECHANISM_IDS for client to get
IDs of the mechanisms embedded in a token

Signed-off-by: Etienne Carriere <eti

ta: pkcs11: command to get mechanisms embedded in a token

Implement command PKCS11_CMD_MECHANISM_IDS for client to get
IDs of the mechanisms embedded in a token

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: support for mechanism embedded in a token

Implement token_capabilities.c to centralize the mechanisms supported
by a token. As PKCS11 TA can implemented several token, each token
may pro

ta: pkcs11: support for mechanism embedded in a token

Implement token_capabilities.c to centralize the mechanisms supported
by a token. As PKCS11 TA can implemented several token, each token
may provide support for a restricted list of mechanisms and processing
over these mechanisms.

Array pkcs11_modes[] is used to strictly define the processing that
are allowed for a mechanism as per PKCS#11 specification.

Conversion of a mechanism ID into a debug friendly string is implemented
in token_capabilities.c rather than pkcs11_helpers.c as for the other
string helpers since the source file already defines the list of the
valid mechanism IDs, hence an indirection from id2str_mechanism()
to mechanism_string_id().

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: define mechanism info resources in ta api

Define mechanism info structure returned by the TA on command
PKCS11_CMD_MECHANISM_INFO related to client API function
C_GetMechanismInfo().

Th

ta: pkcs11: define mechanism info resources in ta api

Define mechanism info structure returned by the TA on command
PKCS11_CMD_MECHANISM_INFO related to client API function
C_GetMechanismInfo().

This change also define mechanism identifier for AES ECB in the TA API
even if this mechanism is not yet supported by the TA. This change is
needed to serve as an example of a mechanism for which a client can
invoke the PKCS11 TA to get information from.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: factorize persistent file name

get_db_file_name() and get_pin_file_name() factorize TEE object file
IDs.

open_db_file() and open_pin_file() factorize opening of TA persistent
database o

ta: pkcs11: factorize persistent file name

get_db_file_name() and get_pin_file_name() factorize TEE object file
IDs.

open_db_file() and open_pin_file() factorize opening of TA persistent
database object and PIN cipher key objects.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: fix token flags as per specification

Fix the token flags position that are expected to match the PKCS#11
specification and did not.

Fixes: a67dc424ff106 ("ta: pkcs11: API for slot/token

ta: pkcs11: fix token flags as per specification

Fix the token flags position that are expected to match the PKCS#11
specification and did not.

Fixes: a67dc424ff106 ("ta: pkcs11: API for slot/token information")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: identify user as per define user types

Define users with CKU User Type in Cryptoki API:
PKCS11_CKU_SO and PKCS11_CKU_USER. They will be used as identifiers
for login and related PKCS#11

ta: pkcs11: identify user as per define user types

Define users with CKU User Type in Cryptoki API:
PKCS11_CKU_SO and PKCS11_CKU_USER. They will be used as identifiers
for login and related PKCS#11 API functions.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: use sizeof(rc) instead of sizeof(uint32_t)

Prefer sizeof() to use rc reference rather than explicit 32bit.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jer

ta: pkcs11: use sizeof(rc) instead of sizeof(uint32_t)

Prefer sizeof() to use rc reference rather than explicit 32bit.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

ta: pkcs11: implement command to get token information

Implement TA command PKCS11_CMD_TOKEN_INFO for client to get
information on a token embedded in the PKCS11 TA.

Rename PKCS11_TOKEN_PIN_SIZE in

ta: pkcs11: implement command to get token information

Implement TA command PKCS11_CMD_TOKEN_INFO for client to get
information on a token embedded in the PKCS11 TA.

Rename PKCS11_TOKEN_PIN_SIZE into PKCS11_TOKEN_PIN_SIZE_MAX as
introducing PKCS11_TOKEN_PIN_SIZE_MIN, in pkcs11_token.h.

Rely on serializer.h for de-serializing the command arguments.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: add pad_str() helper in token info wrapper

Add pad_str() to pad a string ('\0' terminated) with blank characters
(' '), removing the '\0' termination as per PKCS#11 specification.

This

ta: pkcs11: add pad_str() helper in token info wrapper

Add pad_str() to pad a string ('\0' terminated) with blank characters
(' '), removing the '\0' termination as per PKCS#11 specification.

This will factorize other padding needed in other function/command
wrappers.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: implement command to get slot information

Implement TA command PKCS11_CMD_SLOT_INFO for client get information
on a specific slot.

Rely on serializer.h for de-serializing the command ar

ta: pkcs11: implement command to get slot information

Implement TA command PKCS11_CMD_SLOT_INFO for client get information
on a specific slot.

Rely on serializer.h for de-serializing the command arguments.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: speculation safe lookup of token instance

Change get_token_id() to be safe against speculation execution for
IDs provided by client. This change is needed for TA command handlers
relying

ta: pkcs11: speculation safe lookup of token instance

Change get_token_id() to be safe against speculation execution for
IDs provided by client. This change is needed for TA command handlers
relying on slot/token IDs provided by client applications.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: implement command to get slots list

Implement TA command PKCS11_CMD_SLOT_LIST for client to get the IDs of
the slots embedded in the PKCS11 TA.

Signed-off-by: Etienne Carriere <etienne.

ta: pkcs11: implement command to get slots list

Implement TA command PKCS11_CMD_SLOT_LIST for client to get the IDs of
the slots embedded in the PKCS11 TA.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: de-serialization of command arguments

Add serialize.c|.h that provide functions to extract a sized data
in a serialized buffer as used for command serial arguments.

Signed-off-by: Etien

ta: pkcs11: de-serialization of command arguments

Add serialize.c|.h that provide functions to extract a sized data
in a serialized buffer as used for command serial arguments.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: better test object ids generation

Change init_pin_keys() and init_persistent_db() to rely on the
strict byte size of the object ID reference rather than using hard
coded value 32.

Fixes

ta: pkcs11: better test object ids generation

Change init_pin_keys() and init_persistent_db() to rely on the
strict byte size of the object ID reference rather than using hard
coded value 32.

Fixes: c84ccd0a805e ("ta: pkcs11: persistent database for the pkcs11 tokens")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: API for slot/token information

Define invocation commands to carry the request related to
PKCS#11 API functions related to slot and token information:
- get the list of the slots, relate

ta: pkcs11: API for slot/token information

Define invocation commands to carry the request related to
PKCS#11 API functions related to slot and token information:
- get the list of the slots, related to CK function C_GetSlotList(),
- get information from a slot, related to C_GetSlotInfo(),
- get information from a token, related to C_GetTokenInfo(),
- get the list of mechanisms supported by a token, C_GetMechanismList(),
- get information a mechanism from a token, C_GetMechanismInfo().

The TA API involves several byte serialization of invocation
parameters data inside TEE invocation input/output memory reference
parameters.

This change introduces the command APIs and some debug helpers for
the newly defined slot/token flags.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: enumerate ta command ids

Enumerate RA command IDs rather than using macros.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@lin

ta: pkcs11: enumerate ta command ids

Enumerate RA command IDs rather than using macros.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: persistent database for the pkcs11 tokens

Initialize token(s) state from a persistent database. If no
persistent database is found in the secure storage, initialize
it to a default state

ta: pkcs11: persistent database for the pkcs11 tokens

Initialize token(s) state from a persistent database. If no
persistent database is found in the secure storage, initialize
it to a default state and save the database in secure storage.

PKCS11 TA may implement several tokens each related to its own
database.

A token persistent database is stored in several part in TEE secure
storage. The main database stores token label, flags and PINs status.
Another database stores the UUIDs of the TEE persistent objects
used to store the token PKCS11 objects allowing the token to find
back PKCS11 persistent objects. This object database is out of the
scope of this change.

At runtime, a token instance is reference by a struct ck_token instance
in RAM which stores the state of the token and references to the
resources the token as loaded as PIN cipher keys (see paragraph below),
session states and the volatile copy of the persistent databases.

Among data saved in persistent database is the reference to
the keys used to cipher the PINs that will be used. A symmetric
encryption scheme is used using keys PKCS11 TA does not have access
to. This allows PKCS11 TA to save in RAM an encrypted value of
the owners PINs.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: report PKCS11 return code to client

For the PKCS11 TA to provide client a meaningful return code as per
PKCS#11 specification, the GPD TEE command invocation return code
is forced to TEE

ta: pkcs11: report PKCS11 return code to client

For the PKCS11 TA to provide client a meaningful return code as per
PKCS#11 specification, the GPD TEE command invocation return code
is forced to TEE_SUCCESS and client is expected to read effective
PKCS11 return code (which can report a success or a failure) from
invocation parameter #0 that must be a input/output memory
reference. The status is return as a 32bit value in the output
buffer.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: change TA API to mandate param#0 as in/out memref

Change TA API so that invocation parameter #0 is always used as
an input/output memory reference. Output buffer is always used to
store

ta: pkcs11: change TA API to mandate param#0 as in/out memref

Change TA API so that invocation parameter #0 is always used as
an input/output memory reference. Output buffer is always used to
store a PKCS#11 compliant status to the client.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...