ta: pkcs11: Fix the error code returned

While generating a key of type PKCS11_CKO_SECRET_KEY, if
CKA_VALUE_LEN field is not specified in the attribute
template, the error returned needs to be
PKCS11

ta: pkcs11: Fix the error code returned

While generating a key of type PKCS11_CKO_SECRET_KEY, if
CKA_VALUE_LEN field is not specified in the attribute
template, the error returned needs to be
PKCS11_CKR_TEMPLATE_INCOMPLETE.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Temporary workaround in sanitize_indirect_attr()

Since the type of key to be generated is implicit in the key generation
mechanism, the template does not need to supply a key type or cla

ta: pkcs11: Temporary workaround in sanitize_indirect_attr()

Since the type of key to be generated is implicit in the key generation
mechanism, the template does not need to supply a key type or class.
(CKA_CLASS and CKA_KEY_TYPE attributes). sanitize_indirect_attr()
expects these attributes to be available else gives an error.

The right way of handling this would be perhaps passing a hint
of the class and key type to this function if key is being generated
using key generated mechanisms. However, we don't have support for
wrap/derive key which uses the indirect attributes at present in the
code. So, we would not be able to test it. For now, just move the class
checking afer the attribute checking which helps avoid this error.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: rename argument bp to attrs for generic attributes

Rename input argument bp/bp_count to attrs/attrs_count in several
local functions in pkcs11_attributes.c since the reference cover
any

ta: pkcs11: rename argument bp to attrs for generic attributes

Rename input argument bp/bp_count to attrs/attrs_count in several
local functions in pkcs11_attributes.c since the reference cover
any kind of attribute, not only boolean attributes (bp stood for
boolean property).

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: fix initial value for return code

Fix initial value for enumerated variable of type enum pkcs11_rc.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere

ta: pkcs11: fix initial value for return code

Fix initial value for enumerated variable of type enum pkcs11_rc.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: fix ordering in switch case

Fix ordering switch/case block of get_key_min_max_sizes().

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.car

ta: pkcs11: fix ordering in switch case

Fix ordering switch/case block of get_key_min_max_sizes().

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: add missing header files

Add missing header files inclusion in few source files.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@

ta: pkcs11: add missing header files

Add missing header files inclusion in few source files.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: remove empty tee_release_ctr_operation()

Remove function tee_release_ctr_operation() that is empty since
the generic sequence already releases CTR operation extra context.

Reviewed-by:

ta: pkcs11: remove empty tee_release_ctr_operation()

Remove function tee_release_ctr_operation() that is empty since
the generic sequence already releases CTR operation extra context.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: release active process on session closure

Release the possible active processing resources when closing a session.

Fixes: 512cbf1d30dd ("ta: pkcs11: adds support for symmetric AES ciphe

ta: pkcs11: release active process on session closure

Release the possible active processing resources when closing a session.

Fixes: 512cbf1d30dd ("ta: pkcs11: adds support for symmetric AES cipher modes")
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: fix return code when parsing attribute templates

Fix return code that was not set in few error cases in
create_attributes_from_template().

Fixes: 63f89caa9022 ("ta: pkcs11: attribute he

ta: pkcs11: fix return code when parsing attribute templates

Fix return code that was not set in few error cases in
create_attributes_from_template().

Fixes: 63f89caa9022 ("ta: pkcs11: attribute helper functions")
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for big key sizes for HMAC hash Mechanisms

Currently the support for maximum key size supported in HMAC hash
functions is limited by the underlying Global TEE implementation.

ta: pkcs11: Add support for big key sizes for HMAC hash Mechanisms

Currently the support for maximum key size supported in HMAC hash
functions is limited by the underlying Global TEE implementation.
The RFC 2202 and 4231 specify some HMAC test vectors where key size
is greater than the sizes as supported in current TEE implementation.
For such key sizes, greater than the maximum key size supported by TEE,
first hash the key and then use the resultant as the actual key to
HMAC.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add minimum key size checking for HMAC Mechanisms

For HMAC mechanisms for hash operations, if the size of the key object
is less than the minimum size supported by the implementation,
er

ta: pkcs11: Add minimum key size checking for HMAC Mechanisms

For HMAC mechanisms for hash operations, if the size of the key object
is less than the minimum size supported by the implementation,
error PKCS11_CKR_KEY_SIZE_RANGE should be returned. If this check
is not done before TEE_AllocateOperation(), passing a key size not
supported by TEE results in a PKCS11_CKR_MECHANISM_INVALID error,
which is ambiguous as Mehcanism is supported here and the issue is
with key size.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Fix usage of CKK_GENERIC_SECRET for HMAC Functions

The use of CKK_GENERIC_SECRET is allowed with HMAC mechanisms.
In earlier implementation, CKK_GENERIC_SECRET was mapped to
TEE_GENERIC_

ta: pkcs11: Fix usage of CKK_GENERIC_SECRET for HMAC Functions

The use of CKK_GENERIC_SECRET is allowed with HMAC mechanisms.
In earlier implementation, CKK_GENERIC_SECRET was mapped to
TEE_GENERIC_KEY. TEE_AllocateOperation() would return an error
when TEE key of type TEE_GENERIC_KEY is used with HMAC algorithms.
So, special handling is required for such keys where the PKCS11
mechanism should be used to determine the corresponding TEE
KEY Type for CKK_GENERIC_SECRET when used with HMAC mechanisms.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for HMAC keys in get_key_min_max_sizes()

The PKCS11_CKK_<h>_HMAC key entries were missing in
get_key_min_max_sizes(). These have been added.

Signed-off-by: Ruchika Gupta <ru

ta: pkcs11: Add support for HMAC keys in get_key_min_max_sizes()

The PKCS11_CKK_<h>_HMAC key entries were missing in
get_key_min_max_sizes(). These have been added.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Correct the key size for HMAC mechanisms

The minimum and maximum key sizes supported by HMAC mechanism
should be in sync with the Global Platform API's used for
implementing them. The si

ta: pkcs11: Correct the key size for HMAC mechanisms

The minimum and maximum key sizes supported by HMAC mechanism
should be in sync with the Global Platform API's used for
implementing them. The sizes are now in sync with the key
sizes as specified in TEE_AllocateTransientObjects() in [1].

[1] GlobalPlatform Technology TEE Internal Core API Specification
Version 1.1.2.50

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Remove unused function entry_verify_oneshot()

entry_verify_oneshot() is currently not used in any of the
flows. Hence remove it.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Remove unused function entry_verify_oneshot()

entry_verify_oneshot() is currently not used in any of the
flows. Hence remove it.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Ricardo Salveti <ricardo@foundries.io>

show more ...

ta: pkcs11 : add support for HMAC modes for Sign/Verify

Add support for HMAC modes for hash functions - MD5, SHA1,
SHA256, SHA224, SHA284 and SHA512 in Sign/Verify operations.

PKCS#11 offers 2 HMAC

ta: pkcs11 : add support for HMAC modes for Sign/Verify

Add support for HMAC modes for hash functions - MD5, SHA1,
SHA256, SHA224, SHA284 and SHA512 in Sign/Verify operations.

PKCS#11 offers 2 HMAC methods for each hash function <h>,
CKM_<h>_HMAC and CKM_<h>_HMAC_GENERAL. Fixed tag length of the
output size of hash function i.e CKM_h_HMAC is currently supported.

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Ricardo Salveti <ricardo@foundries.io>

show more ...

ta: pkcs11: define TA command for signing/verification

Adds commands
- PKCS11_CMD_SIGN_INIT
- PKCS11_CMD_VERIFY_INIT
- PKCS11_CMD_SIGN_UPDATE
- PKCS11_CMD_VERIFY_UPDATE
- PKCS11_CMD_SIGN_FINAL
- PKC

ta: pkcs11: define TA command for signing/verification

Adds commands
- PKCS11_CMD_SIGN_INIT
- PKCS11_CMD_VERIFY_INIT
- PKCS11_CMD_SIGN_UPDATE
- PKCS11_CMD_VERIFY_UPDATE
- PKCS11_CMD_SIGN_FINAL
- PKCS11_CMD_VERIFY_FINAL
- PKCS11_CMD_SIGN_ONESHOT
- PKCS11_CMD_VERIFY_ONESHOT
in enum pkcs11_ta_cmd.

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Ricardo Salveti <ricardo@foundries.io>

show more ...

ta: pkcs11: define TA mechanisms for HMAC modes

Adds the mechanisms
- PKCS11_CKM_MD5_HMAC
- PKCS11_CKM_SHA_1_HMAC
- PKCS11_CKM_SHA256_HMAC
- PKCS11_CKM_SHA224_HMAC
- PKCS11_CKM_SHA384_HMAC
- PKCS11_

ta: pkcs11: define TA mechanisms for HMAC modes

Adds the mechanisms
- PKCS11_CKM_MD5_HMAC
- PKCS11_CKM_SHA_1_HMAC
- PKCS11_CKM_SHA256_HMAC
- PKCS11_CKM_SHA224_HMAC
- PKCS11_CKM_SHA384_HMAC
- PKCS11_CKM_SHA512_HMAC
in enum pkcs11_mechanism_id.

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Ricardo Salveti <ricardo@foundries.io>

show more ...

ta: pkcs11: fix return code on one-shot process of a updated operation

Fix return value when one-short processing is requested over an operation
that has already gone through a operation update proc

ta: pkcs11: fix return code on one-shot process of a updated operation

Fix return value when one-short processing is requested over an operation
that has already gone through a operation update processing. Prior this
change the PKCS11 TA return PKCS11_CKR_KEY_FUNCTION_NOT_PERMITTED which
is not accurate when key permits the operation but not the specification.

For clarity, this change splits one-shot and update steps case in
check_mechanism_against_processing().

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: fix error handling when reading ALLOWED_MECHANISMS list

If parent_key_complies_allowed_processings() cannot return a clear
status on the mechanism IDs allowed by a key object, then somet

ta: pkcs11: fix error handling when reading ALLOWED_MECHANISMS list

If parent_key_complies_allowed_processings() cannot return a clear
status on the mechanism IDs allowed by a key object, then something
is broken. This cannot happen hence panic.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: sks: stringify error core KEY_SIZE_RANGE

Add string converter for PKCS11_CKR_KEY_SIZE_RANGE that can be returned
by check_created_attrs().

Actually check_created_attrs() is currently never call

ta: sks: stringify error core KEY_SIZE_RANGE

Add string converter for PKCS11_CKR_KEY_SIZE_RANGE that can be returned
by check_created_attrs().

Actually check_created_attrs() is currently never called. It is however
intended to key/object wrapping, derivation and generation.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: CKA_SIGN and CKA_VERIFY default to empty

Change CKA_SIGN and CKA_VERIFY attributes default value to false
as other keys cryptography processing support boolean attributes.
No reason only

ta: pkcs11: CKA_SIGN and CKA_VERIFY default to empty

Change CKA_SIGN and CKA_VERIFY attributes default value to false
as other keys cryptography processing support boolean attributes.
No reason only sign and verify support default to true.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: fix for spec WRAP_WITH_TRUSTED/ALWAYS_AUTHENTICATE defaults

Set PKCS11_CKA_WRAP_WITH_TRUSTED and PKCS11_CKA_ALWAYS_AUTHENTICATE
default values in the static values list of the specificat

ta: pkcs11: fix for spec WRAP_WITH_TRUSTED/ALWAYS_AUTHENTICATE defaults

Set PKCS11_CKA_WRAP_WITH_TRUSTED and PKCS11_CKA_ALWAYS_AUTHENTICATE
default values in the static values list of the specification.
No functional change.

Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Handle optional attributes without default values

In the current implementation all optional attributes of an object
if not specified in the template while creating object, are assigned

ta: pkcs11: Handle optional attributes without default values

In the current implementation all optional attributes of an object
if not specified in the template while creating object, are assigned
empty value by default. This works fine for the attributes where
specification mentions that default value is empty or the
attribute is modifiable later.

However for attributes like CKA_ALLOWED_MECHANISM, adding an empty
default value results in a failure later in crypto operations when
attribute of the object are checked against the mechanism.

To avoid such errors, the optional attributes array are split in 2 parts,
one with the default empty value and ones which don't require a
default value. All attributes in the specification which either should
have default empty value or are allowed to be modified later by call to
C_SetAttributes() or C_CopyObjects() would fall in the former category
and be initialized with empty/NULL value.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta_dev_kit.mk: make sure that libutils is linked second time

libgcc depends on __getauxval symbol from libuils. As, generally libutils
is linked before libgcc, we will get "unresolved symbol" error.

ta_dev_kit.mk: make sure that libutils is linked second time

libgcc depends on __getauxval symbol from libuils. As, generally libutils
is linked before libgcc, we will get "unresolved symbol" error. To resolve
this dependency we need to link libutils second time - after libgcc.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...