ta: pkcs11: implement command to get token information

Implement TA command PKCS11_CMD_TOKEN_INFO for client to get
information on a token embedded in the PKCS11 TA.

Rename PKCS11_TOKEN_PIN_SIZE in

ta: pkcs11: implement command to get token information

Implement TA command PKCS11_CMD_TOKEN_INFO for client to get
information on a token embedded in the PKCS11 TA.

Rename PKCS11_TOKEN_PIN_SIZE into PKCS11_TOKEN_PIN_SIZE_MAX as
introducing PKCS11_TOKEN_PIN_SIZE_MIN, in pkcs11_token.h.

Rely on serializer.h for de-serializing the command arguments.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: add pad_str() helper in token info wrapper

Add pad_str() to pad a string ('\0' terminated) with blank characters
(' '), removing the '\0' termination as per PKCS#11 specification.

This

ta: pkcs11: add pad_str() helper in token info wrapper

Add pad_str() to pad a string ('\0' terminated) with blank characters
(' '), removing the '\0' termination as per PKCS#11 specification.

This will factorize other padding needed in other function/command
wrappers.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: implement command to get slot information

Implement TA command PKCS11_CMD_SLOT_INFO for client get information
on a specific slot.

Rely on serializer.h for de-serializing the command ar

ta: pkcs11: implement command to get slot information

Implement TA command PKCS11_CMD_SLOT_INFO for client get information
on a specific slot.

Rely on serializer.h for de-serializing the command arguments.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: speculation safe lookup of token instance

Change get_token_id() to be safe against speculation execution for
IDs provided by client. This change is needed for TA command handlers
relying

ta: pkcs11: speculation safe lookup of token instance

Change get_token_id() to be safe against speculation execution for
IDs provided by client. This change is needed for TA command handlers
relying on slot/token IDs provided by client applications.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: implement command to get slots list

Implement TA command PKCS11_CMD_SLOT_LIST for client to get the IDs of
the slots embedded in the PKCS11 TA.

Signed-off-by: Etienne Carriere <etienne.

ta: pkcs11: implement command to get slots list

Implement TA command PKCS11_CMD_SLOT_LIST for client to get the IDs of
the slots embedded in the PKCS11 TA.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: de-serialization of command arguments

Add serialize.c|.h that provide functions to extract a sized data
in a serialized buffer as used for command serial arguments.

Signed-off-by: Etien

ta: pkcs11: de-serialization of command arguments

Add serialize.c|.h that provide functions to extract a sized data
in a serialized buffer as used for command serial arguments.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: better test object ids generation

Change init_pin_keys() and init_persistent_db() to rely on the
strict byte size of the object ID reference rather than using hard
coded value 32.

Fixes

ta: pkcs11: better test object ids generation

Change init_pin_keys() and init_persistent_db() to rely on the
strict byte size of the object ID reference rather than using hard
coded value 32.

Fixes: c84ccd0a805e ("ta: pkcs11: persistent database for the pkcs11 tokens")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: ta.ld.S: merge .ARM.extab* sections

Contrary to .ARM.exidx, we have no .ARM.extab entry in the TA linker
script. As a result, the multiple .ARM.extab* sections gathered from
the object files wil

ta: ta.ld.S: merge .ARM.extab* sections

Contrary to .ARM.exidx, we have no .ARM.extab entry in the TA linker
script. As a result, the multiple .ARM.extab* sections gathered from
the object files will remain in the TA. While this is perfectly valid
and does not cause any functional issue, it uselessly pollutes the
readelf/symbolize.py/etc. dumps.

This commit merges all the .ARM.extab* into a unique .ARM.extab.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: API for slot/token information

Define invocation commands to carry the request related to
PKCS#11 API functions related to slot and token information:
- get the list of the slots, relate

ta: pkcs11: API for slot/token information

Define invocation commands to carry the request related to
PKCS#11 API functions related to slot and token information:
- get the list of the slots, related to CK function C_GetSlotList(),
- get information from a slot, related to C_GetSlotInfo(),
- get information from a token, related to C_GetTokenInfo(),
- get the list of mechanisms supported by a token, C_GetMechanismList(),
- get information a mechanism from a token, C_GetMechanismInfo().

The TA API involves several byte serialization of invocation
parameters data inside TEE invocation input/output memory reference
parameters.

This change introduces the command APIs and some debug helpers for
the newly defined slot/token flags.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: enumerate ta command ids

Enumerate RA command IDs rather than using macros.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@lin

ta: pkcs11: enumerate ta command ids

Enumerate RA command IDs rather than using macros.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: persistent database for the pkcs11 tokens

Initialize token(s) state from a persistent database. If no
persistent database is found in the secure storage, initialize
it to a default state

ta: pkcs11: persistent database for the pkcs11 tokens

Initialize token(s) state from a persistent database. If no
persistent database is found in the secure storage, initialize
it to a default state and save the database in secure storage.

PKCS11 TA may implement several tokens each related to its own
database.

A token persistent database is stored in several part in TEE secure
storage. The main database stores token label, flags and PINs status.
Another database stores the UUIDs of the TEE persistent objects
used to store the token PKCS11 objects allowing the token to find
back PKCS11 persistent objects. This object database is out of the
scope of this change.

At runtime, a token instance is reference by a struct ck_token instance
in RAM which stores the state of the token and references to the
resources the token as loaded as PIN cipher keys (see paragraph below),
session states and the volatile copy of the persistent databases.

Among data saved in persistent database is the reference to
the keys used to cipher the PINs that will be used. A symmetric
encryption scheme is used using keys PKCS11 TA does not have access
to. This allows PKCS11 TA to save in RAM an encrypted value of
the owners PINs.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ldelf, ta: add support for DT_INIT_ARRAY and DT_FINI_ARRAY

Adds support for running initialization and finalization functions in
TA ELF files. Such functions are used, for instance, by C++ compilers

ldelf, ta: add support for DT_INIT_ARRAY and DT_FINI_ARRAY

Adds support for running initialization and finalization functions in
TA ELF files. Such functions are used, for instance, by C++ compilers
to construct and destruct global objects. They can also be used in C
thanks to __attribute__((constructor)) and __attribute__((destructor)).

A global structure is added to libutee. ldelf is responsible for
filling it with the addresses of the functions pointer arrays present
in the ELF files whenever such a file is loaded. Since the number of
arrays is unknown at compile time (it depends on how many ELF files are
loaded, and whether they have constructors or destructors), memory is
allocated on the TA heap.

Two helper functions are introduced: __utee_call_elf_init_fn() and
__utee_call_elf_fini_fn(). They are used when the TA instance is
created and torn down, as well as by dlopen().

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, QEMUv8, HiKey960 32/64)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: report PKCS11 return code to client

For the PKCS11 TA to provide client a meaningful return code as per
PKCS#11 specification, the GPD TEE command invocation return code
is forced to TEE

ta: pkcs11: report PKCS11 return code to client

For the PKCS11 TA to provide client a meaningful return code as per
PKCS#11 specification, the GPD TEE command invocation return code
is forced to TEE_SUCCESS and client is expected to read effective
PKCS11 return code (which can report a success or a failure) from
invocation parameter #0 that must be a input/output memory
reference. The status is return as a 32bit value in the output
buffer.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: change TA API to mandate param#0 as in/out memref

Change TA API so that invocation parameter #0 is always used as
an input/output memory reference. Output buffer is always used to
store

ta: pkcs11: change TA API to mandate param#0 as in/out memref

Change TA API so that invocation parameter #0 is always used as
an input/output memory reference. Output buffer is always used to
store a PKCS#11 compliant status to the client.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: define pkcs11 return codes

This change introduces PKCS11 return codes used internally in the
TA to get a PKCS#11 compliant status of the requested operation
and also reported to the call

ta: pkcs11: define pkcs11 return codes

This change introduces PKCS11 return codes used internally in the
TA to get a PKCS#11 compliant status of the requested operation
and also reported to the caller client providing a cryptoki
compliant return value for the client API functions.

There are PCSK11 TA specific return values that are defined and
used only internally in the TA: PKCS11_RVçNOT_FOUND and
PKCS11_RV_NOT_IMPLEMENTED.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Revert "ftrace: define CFG_FTRACE_BUF_SIZE in mk/config.mk"

This reverts commit 59e8ef0dcb3773964fd133d0a9360989cb86108f.

The default value for CFG_FTRACE_BUF_SIZE needs to be in the TA link
script

Revert "ftrace: define CFG_FTRACE_BUF_SIZE in mk/config.mk"

This reverts commit 59e8ef0dcb3773964fd133d0a9360989cb86108f.

The default value for CFG_FTRACE_BUF_SIZE needs to be in the TA link
script ta.ld.S, because this file is *not* pre-processed before being
added to the TA dev kit. Replacement of CFG_* values only happens when
the TA is built, at which point mk/config.mk is irrelevant. It makes
sense of course, since it allows to change TA settings and re-build
only the TA.

Fixes the following TA link error:

$ make CFLAGS_ta_arm32=-pg
[...]
bin/arm-linux-gnueabihf-ld.bfd:out/ta.lds:57: undefined symbol `CFG_FTRACE_BUF_SIZE' referenced in expression

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>

show more ...

core: Add support to access a TPM event log in secure memory.

Support for OPTEE to be able to receive a TPM event log through
a DTB so it can forward it to a TA (such as a TPM service)
in order to e

core: Add support to access a TPM event log in secure memory.

Support for OPTEE to be able to receive a TPM event log through
a DTB so it can forward it to a TA (such as a TPM service)
in order to extend the measurements.

CFG_CORE_TPM_EVENT_LOG enables this feature.
CFG_TPM_LOG_BASE_ADDR hardcodes the phys address of the event log
in case CFG_DT is not set.
CFG_TPM_MAX_LOG_SIZE harcodes the size of the event log in case
CFG_DT is not set.

When this feature is enabled, the PTA_SYSTEM_GET_TPM_EVENT_LOG
command is available to any TA.

Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: set TA version property mandated by GPD

Set version property "gpd.ta.version" of the TA to the version
information set in TA API through macros PKCS11_TA_VERSION_MAJOR,
PKCS11_TA_VERSION

ta: pkcs11: set TA version property mandated by GPD

Set version property "gpd.ta.version" of the TA to the version
information set in TA API through macros PKCS11_TA_VERSION_MAJOR,
PKCS11_TA_VERSION_MINOR and PKCS11_TA_VERSION_PATCH.

This change also adds a short description in "gpd.ta.description".

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

ftrace: define CFG_FTRACE_BUF_SIZE in mk/config.mk

The main configuration file is a better place to define the size of the
ftrace buffer than the TA linker script.

Signed-off-by: Jerome Forissier <

ftrace: define CFG_FTRACE_BUF_SIZE in mk/config.mk

The main configuration file is a better place to define the size of the
ftrace buffer than the TA linker script.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Remove libmpa in favor of libmbedtls

We currently have two "big numbers" library, Mbed TLS and MPA. Both can
be used by libutee to implement the TEE Internal Core API Arithmetical
functions, and by

Remove libmpa in favor of libmbedtls

We currently have two "big numbers" library, Mbed TLS and MPA. Both can
be used by libutee to implement the TEE Internal Core API Arithmetical
functions, and by the TEE core or pseudo-TAs. This situation is
reflected by two configuration variables allowing to choose between
libmbedtls and libmpa:

- CFG_TA_MBEDTLS_MPI (default y) configures libutee,
- CFG_CORE_MBEDTLS_MPI (default y) configures the TEE core/PTAs.

In addition there is CFG_TA_MBEDTLS (default y, mandatory when
CFG_TA_MBEDTLS_MPI is y) to build libmbedtls and install it into the
SDK for direct use by TAs (libmbedtls also has function to deal with
certificates for instance).

MBed TLS has been supported and used by default for just over a year;
and we have recently found an issue with the MPA implementation of the
integer multiplication with modulus (mpa_mulmod()) [1] [2]. Therefore,
now is a good time to remove libmpa and use libmbedtls instead.

Link: [1] https://github.com/OP-TEE/optee_os/pull/3541#issuecomment-577592381
Link: [2] https://github.com/OP-TEE/optee_test/pull/389
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: add debug trace at command entry/exit

Add debug traces at entry and exit of the command invocation handler
of the TA. Prints TA command as a readable string thanks to ck_helpers.c

Signe

ta: pkcs11: add debug trace at command entry/exit

Add debug traces at entry and exit of the command invocation handler
of the TA. Prints TA command as a readable string thanks to ck_helpers.c

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: string debug trace for ta command ids

ck_helper.c/.h provide will helper functions for IDs. This change
starts with providing a string ID for a numerical command ID.

Matching IDs a stri

ta: pkcs11: string debug trace for ta command ids

ck_helper.c/.h provide will helper functions for IDs. This change
starts with providing a string ID for a numerical command ID.

Matching IDs a strings are stored in a constant array. Macros
PKCS11_ID() ease definition of ID/string conversion arrays content.
Function id2str() finds the string for a IDs possibly skip a given
prefix, i.e. printing "ENCRYPT" instead of "PKCS11_CKFM_ENCRYPT".

TA command IDs are the first introduced ID/string conversion util.
Function id2str_ta_cmd() return string "PKCS11_CMD_..." for a known
command ID.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: invocation command PKCS11

Introduce a first invocation command for the TA: PKCS11_CMD_PING
can be used the check TA presence and possibly retrieve TA version
information if client provid

ta: pkcs11: invocation command PKCS11

Introduce a first invocation command for the TA: PKCS11_CMD_PING
can be used the check TA presence and possibly retrieve TA version
information if client provides an output buffer.

Add helpers to trace command and parameters configuration.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Markus S. Wamser <markus.wamser@mixed-mode.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: specific IDs in TA API

Define PKCS11_UNAVAILABLE_INFORMATION to reflect the PKCS#11 specific
IDCK_UNAVAILABLE_INFORMATION. It is used as PKCS11_UNDEFINED_ID for
invalid or not applicable

ta: pkcs11: specific IDs in TA API

Define PKCS11_UNAVAILABLE_INFORMATION to reflect the PKCS#11 specific
IDCK_UNAVAILABLE_INFORMATION. It is used as PKCS11_UNDEFINED_ID for
invalid or not applicable IDs.

Define PKCS11_TRUE/PKCS11_FALSE for boolean attributes.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Markus S. Wamser <markus.wamser@mixed-mode.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: base for PKCS#11 services and TA API

PKCS11 TA aims at providing PKCS#11 compliant services through a
trusted application operating as a secure service provider. This
is the first step f

ta: pkcs11: base for PKCS#11 services and TA API

PKCS11 TA aims at providing PKCS#11 compliant services through a
trusted application operating as a secure service provider. This
is the first step for the PKCS#11 TA that introduces the TA skeleton
source file tree.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Markus S. Wamser <markus.wamser@mixed-mode.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...