ta: pkcs11: add debug string for PKCS11_CKA_KEY_GEN_MECHANISM

Add missing attribute debug string for PKCS11_CKA_KEY_GEN_MECHANISM.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by:

ta: pkcs11: add debug string for PKCS11_CKA_KEY_GEN_MECHANISM

Add missing attribute debug string for PKCS11_CKA_KEY_GEN_MECHANISM.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Fix serialization handling for non-indirect attributes

Both sides of serialization and de-serialization must match the logic.

Only TEMPLATE based arguments has indirect attributes so de

ta: pkcs11: Fix serialization handling for non-indirect attributes

Both sides of serialization and de-serialization must match the logic.

Only TEMPLATE based arguments has indirect attributes so detect them and
handle them specifically.

Otherwise use standard attribute handling code for other attributes.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: get_attribute: fix return value when querying value size

When C_GetAttributeValue() is issued with attribute with pValue == NULL:
- Size of the attribute value should be returned
- Retur

ta: pkcs11: get_attribute: fix return value when querying value size

When C_GetAttributeValue() is issued with attribute with pValue == NULL:
- Size of the attribute value should be returned
- Return value should be CKR_OK

If pValue != NULL and value does not fit then CKR_BUFFER_TOO_SMALL should
be returned.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: get_attribute: fix returning values into larger buffer

It is completely fine for callee to allocate more memory than what is
needed.

Now attributes value is wholly copied and copied dat

ta: pkcs11: get_attribute: fix returning values into larger buffer

It is completely fine for callee to allocate more memory than what is
needed.

Now attributes value is wholly copied and copied data amount is returned.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: fix get attribute data alignment problem

In OP-TEE there is no behind the scenes handler that would fix data
alignment problems.

Use aligned variables when accessing struct variables.

ta: pkcs11: fix get attribute data alignment problem

In OP-TEE there is no behind the scenes handler that would fix data
alignment problems.

Use aligned variables when accessing struct variables.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

Install in-tree TAs into $(TA_DEV_KIT_DIR)/ta

In order for a build environment to easily pick all the in-tree TAs, and
not depend too much on the layout of the out directory, copy them into
the "dev

Install in-tree TAs into $(TA_DEV_KIT_DIR)/ta

In order for a build environment to easily pick all the in-tree TAs, and
not depend too much on the layout of the out directory, copy them into
the "dev kit" directory similar to what is already done for TA shared
libraries when CFG_ULIBS_SHARED=y. Libraries are copied to
$(TA_DEV_KIT_DIR)/lib/*.ta so let's use $(TA_DEV_KIT_DIR)/ta/*.ta
for the in-tree TAs.

Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: link.mk: add dependency of the .ta file on the signing script

The signing script is used to generate the .ta file from the .elf input.
Therefore this dependency needs to be declared. Fixes the f

ta: link.mk: add dependency of the .ta file on the signing script

The signing script is used to generate the .ta file from the .elf input.
Therefore this dependency needs to be declared. Fixes the following
issue:

$ make -s out/arm-plat-vexpress/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta
python3: can't open file 'out/arm-plat-vexpress/export-ta_arm32/scripts/sign_encrypt.py': [Errno 2] No such file or directory
make: *** [ta/arch/arm/link.mk:114: out/arm-plat-vexpress/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta] Error 2

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: Don't load objects that don't match the search during find

Don't load all persistent object attributes in find_objects_init().
Instead, temporary load object attributes and release them

ta: pkcs11: Don't load objects that don't match the search during find

Don't load all persistent object attributes in find_objects_init().
Instead, temporary load object attributes and release them if not matching
the current search.

Move object attribute loading from token_obj_matches_ref() to
load_persistent_object_attributes() and introduce counterpart
release_persistent_object_attributes().

Changes attributes_match_reference() to always return true when reference
is empty (match all case).

Remove token_obj_matches_ref() since attributes_match_reference() can be
called straight from load_persistent_object_attributes().

Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: link.mk: export trace_ext_prefix and trace_level

Global data defined in user_ta_header.c need to be made visible to
shared libraries because they may be referenced by them. For example,
trace_le

ta: link.mk: export trace_ext_prefix and trace_level

Global data defined in user_ta_header.c need to be made visible to
shared libraries because they may be referenced by them. For example,
trace_level is ultimately referenced by the trace macros (IMSG() and
similar). Therefore, when IMSG() is called in a shared library, the
dynamic loader (ldelf) needs to locate the trace_level symbol in the
TA. But since a TA is a "main executable" and not a shared library,
the linker by default will not add all global symbols to the dynamic
symbol table (.dynsym section). Instead those symbols are put in the
static symbol table (.symtab) which is typically not used at run time
and discarded when executables are stripped. In any case, ldelf only
uses the dynamic symbol table.

Add trace_ext_prefix and trace_level to the list of exported symbols to
fix the IMSG() issue.

Link: https://github.com/OP-TEE/optee_client/issues/242#issuecomment-755378055
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: Deal with the private objects in C_Logout

The logic to deal with the private objects was missing in the
C_Logout() implementation.
PKCS#11 specification states that :
When C_Logout succe

ta: pkcs11: Deal with the private objects in C_Logout

The logic to deal with the private objects was missing in the
C_Logout() implementation.
PKCS#11 specification states that :
When C_Logout successfully executes, any of the application’s
handles to private objects should become invalid (even if a user
is later logged back into the token, those handles remain invalid).
In addition, all private session objects from sessions belonging
to the application should also be destroyed.

In addition, also release any ongoing cryptographic or
object-finding operations that may be associated with the session
while logging out.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Reduce the minimum pin length required

SoftHSM Unit test suite passes a 4 byte pin while
initializing pin. Since current implementation
restricts the minimum pin length to 10, C_InitPin(

ta: pkcs11: Reduce the minimum pin length required

SoftHSM Unit test suite passes a 4 byte pin while
initializing pin. Since current implementation
restricts the minimum pin length to 10, C_InitPin()
fails resulting in the testcases to be aborted.
Reduce the minimum pin length requirement inorder to
run the SoftHSM test suite.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Access check for private objects

Private objects of a session/token are accessible only
in a R/O or R/W user session i.e if a user is logged in.
R/O or R/W public session or a R/W SO ses

ta: pkcs11: Access check for private objects

Private objects of a session/token are accessible only
in a R/O or R/W user session i.e if a user is logged in.
R/O or R/W public session or a R/W SO session cannot
access these private objects. Check for SO session
was missing in the logic when checking for access of
private objects. This has now been added.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for getting object size and attribute value

Implement commands
- PKCS11_CMD_GET_OBJECT_SIZE
- PKCS11_CMD_GET_ATTRIBUTE_VALUE

Co-developed-by: Etienne Carriere <etienne.carri

ta: pkcs11: Add support for getting object size and attribute value

Implement commands
- PKCS11_CMD_GET_OBJECT_SIZE
- PKCS11_CMD_GET_ATTRIBUTE_VALUE

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Co-developed-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add support for finding objects

Implement commands
- PKCS11_CMD_FIND_OBJECTS_INIT
- PKCS11_CMD_FIND_OBJECTS
- PKCS11_CMD_FIND_OBJECTS_FINAL

Co-developed-by: Etienne Carriere <etienne.ca

ta: pkcs11: Add support for finding objects

Implement commands
- PKCS11_CMD_FIND_OBJECTS_INIT
- PKCS11_CMD_FIND_OBJECTS
- PKCS11_CMD_FIND_OBJECTS_FINAL

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Co-developed-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: define TA commands for finding objects

Adds commands
- PKCS11_CMD_FIND_OBJECTS_INIT
- PKCS11_CMD_FIND_OBJECTS
- PKCS11_CMD_FIND_OBJECTS_FINAL
in enum pkcs11_ta_cmd.

Co-developed-by: Eti

ta: pkcs11: define TA commands for finding objects

Adds commands
- PKCS11_CMD_FIND_OBJECTS_INIT
- PKCS11_CMD_FIND_OBJECTS
- PKCS11_CMD_FIND_OBJECTS_FINAL
in enum pkcs11_ta_cmd.

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Co-developed-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Remove persistent objects on token re-initialization

When re-initializing a token the previously created objects need
to be removed.

Signed-off-by: Robin van der Gracht <robin@protonic.

ta: pkcs11: Remove persistent objects on token re-initialization

When re-initializing a token the previously created objects need
to be removed.

Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add TEE Identity based authentication support

In C_InitToken() if PIN is NULL_PTR then it will activate TEE Identity
based authentication support for token.

Once activated:

- When ever

ta: pkcs11: Add TEE Identity based authentication support

In C_InitToken() if PIN is NULL_PTR then it will activate TEE Identity
based authentication support for token.

Once activated:

- When ever PIN is required client's TEE Identity will be used for
authentication
- PIN failure counters are disabled
- If new PIN is given as input it is in form of PIN ACL string
- It can be disabled with C_InitToken with non-zero PIN

Internally protected authentication path will be used for mode
determination.

Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: set_pin: use token shortcut like in other pin functions

Use common shortcut variable 'token' as in check_so_pin and check_user_pin.

Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Re

ta: pkcs11: set_pin: use token shortcut like in other pin functions

Use common shortcut variable 'token' as in check_so_pin and check_user_pin.

Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: entry_ck_token_initialize: reset SO flags on init

If successful token init has been performed and new PIN is set then reset
all pin change flags.

Call update_persistent_db() only once a

ta: pkcs11: entry_ck_token_initialize: reset SO flags on init

If successful token init has been performed and new PIN is set then reset
all pin change flags.

Call update_persistent_db() only once as a last step during the execution.

Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

pkcs11: persistent_token: Don't read token object UUIDs if we have none

Do not call TEE_ReadObjectData() when there is no object data to read
because the function panics when reading 0 bytes.

Revie

pkcs11: persistent_token: Don't read token object UUIDs if we have none

Do not call TEE_ReadObjectData() when there is no object data to read
because the function panics when reading 0 bytes.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Robin van der Gracht <robin@protonic.nl>

show more ...

ta: pkcs11: Change sizeof argument for consistency

The bytes subtracted here were added a few lines ago. Since *db_objs
was used there we should also do this here for readability.

Reviewed-by: Etie

ta: pkcs11: Change sizeof argument for consistency

The bytes subtracted here were added a few lines ago. Since *db_objs
was used there we should also do this here for readability.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Robin van der Gracht <robin@protonic.nl>

show more ...

Introduce CFG_TA_BGET_TEST

Introduces CFG_TA_BGET_TEST which compiles the integrated bget test
suite together with the rest of bget. When enabled, the test entry point
is bget_main_test() in libutil

Introduce CFG_TA_BGET_TEST

Introduces CFG_TA_BGET_TEST which compiles the integrated bget test
suite together with the rest of bget. When enabled, the test entry point
is bget_main_test() in libutils.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: Add more checks before destroying object in a session

Few checks were missing in the implementaion of C_DestroyObject()
as per PKCS#11 Specification. These have been added now.
These che

ta: pkcs11: Add more checks before destroying object in a session

Few checks were missing in the implementaion of C_DestroyObject()
as per PKCS#11 Specification. These have been added now.
These checks are
- only session objects can be destroyed during a read only session
- only public objects can be destroyed unless the normal user is
logged in
- Certain objects may not be destroyed. Calling C_DestroyObject on
such objects will result in the CKR_ACTION_PROHIBITED error code.
An application can consult the object's CKA_DESTROYABLE
attribute to determine if an object may be destroyed or not.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: Fix return value when trying to open parallel session

It is mandatory to have CKF_SERIAL_SESSION set when invoking
C_OpenSession(). When omitted CKR_SESSION_PARALLEL_NOT_SUPPORTED must b

ta: pkcs11: Fix return value when trying to open parallel session

It is mandatory to have CKF_SERIAL_SESSION set when invoking
C_OpenSession(). When omitted CKR_SESSION_PARALLEL_NOT_SUPPORTED must be
returned.

Specified in:
PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
5.6 Session management functions
C_OpenSession

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Check for CKA_PRIVATE when creating objects

PKCS#11 Specification[1] states that Private session/token objects
cannot be created in Public sessions. So, add a check for access
type when

ta: pkcs11: Check for CKA_PRIVATE when creating objects

PKCS#11 Specification[1] states that Private session/token objects
cannot be created in Public sessions. So, add a check for access
type when creating objects.

[1] PKCS #11 Cryptographic Token Interface Usage Guide Version 2.40
(Table 3 - ACCESS TO DIFFERENT TYPES OBJECTS BY DIFFERENT TYPES
OF SESSIONS)

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...