ta: pkcs11: define TA commands related to session management

Define commands PKCS11_CMD_CLOSE_SESSION, PKCS11_CMD_CLOSE_SESSION,
PKCS11_CMD_CLOSE_SESSION and PKCS11_CMD_CLOSE_SESSION and related
res

ta: pkcs11: define TA commands related to session management

Define commands PKCS11_CMD_CLOSE_SESSION, PKCS11_CMD_CLOSE_SESSION,
PKCS11_CMD_CLOSE_SESSION and PKCS11_CMD_CLOSE_SESSION and related
resources in the PKCS11 TA API.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: command to get mechanism info

Implement command PKCS11_CMD_MECHANISM_INFO for client to get
information on a specific mechanism embedded in a token.

Signed-off-by: Etienne Carriere <eti

ta: pkcs11: command to get mechanism info

Implement command PKCS11_CMD_MECHANISM_INFO for client to get
information on a specific mechanism embedded in a token.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: command to get mechanisms embedded in a token

Implement command PKCS11_CMD_MECHANISM_IDS for client to get
IDs of the mechanisms embedded in a token

Signed-off-by: Etienne Carriere <eti

ta: pkcs11: command to get mechanisms embedded in a token

Implement command PKCS11_CMD_MECHANISM_IDS for client to get
IDs of the mechanisms embedded in a token

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: support for mechanism embedded in a token

Implement token_capabilities.c to centralize the mechanisms supported
by a token. As PKCS11 TA can implemented several token, each token
may pro

ta: pkcs11: support for mechanism embedded in a token

Implement token_capabilities.c to centralize the mechanisms supported
by a token. As PKCS11 TA can implemented several token, each token
may provide support for a restricted list of mechanisms and processing
over these mechanisms.

Array pkcs11_modes[] is used to strictly define the processing that
are allowed for a mechanism as per PKCS#11 specification.

Conversion of a mechanism ID into a debug friendly string is implemented
in token_capabilities.c rather than pkcs11_helpers.c as for the other
string helpers since the source file already defines the list of the
valid mechanism IDs, hence an indirection from id2str_mechanism()
to mechanism_string_id().

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: define mechanism info resources in ta api

Define mechanism info structure returned by the TA on command
PKCS11_CMD_MECHANISM_INFO related to client API function
C_GetMechanismInfo().

Th

ta: pkcs11: define mechanism info resources in ta api

Define mechanism info structure returned by the TA on command
PKCS11_CMD_MECHANISM_INFO related to client API function
C_GetMechanismInfo().

This change also define mechanism identifier for AES ECB in the TA API
even if this mechanism is not yet supported by the TA. This change is
needed to serve as an example of a mechanism for which a client can
invoke the PKCS11 TA to get information from.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: factorize persistent file name

get_db_file_name() and get_pin_file_name() factorize TEE object file
IDs.

open_db_file() and open_pin_file() factorize opening of TA persistent
database o

ta: pkcs11: factorize persistent file name

get_db_file_name() and get_pin_file_name() factorize TEE object file
IDs.

open_db_file() and open_pin_file() factorize opening of TA persistent
database object and PIN cipher key objects.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: fix token flags as per specification

Fix the token flags position that are expected to match the PKCS#11
specification and did not.

Fixes: a67dc424ff106 ("ta: pkcs11: API for slot/token

ta: pkcs11: fix token flags as per specification

Fix the token flags position that are expected to match the PKCS#11
specification and did not.

Fixes: a67dc424ff106 ("ta: pkcs11: API for slot/token information")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: identify user as per define user types

Define users with CKU User Type in Cryptoki API:
PKCS11_CKU_SO and PKCS11_CKU_USER. They will be used as identifiers
for login and related PKCS#11

ta: pkcs11: identify user as per define user types

Define users with CKU User Type in Cryptoki API:
PKCS11_CKU_SO and PKCS11_CKU_USER. They will be used as identifiers
for login and related PKCS#11 API functions.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: use sizeof(rc) instead of sizeof(uint32_t)

Prefer sizeof() to use rc reference rather than explicit 32bit.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jer

ta: pkcs11: use sizeof(rc) instead of sizeof(uint32_t)

Prefer sizeof() to use rc reference rather than explicit 32bit.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

ta: pkcs11: implement command to get token information

Implement TA command PKCS11_CMD_TOKEN_INFO for client to get
information on a token embedded in the PKCS11 TA.

Rename PKCS11_TOKEN_PIN_SIZE in

ta: pkcs11: implement command to get token information

Implement TA command PKCS11_CMD_TOKEN_INFO for client to get
information on a token embedded in the PKCS11 TA.

Rename PKCS11_TOKEN_PIN_SIZE into PKCS11_TOKEN_PIN_SIZE_MAX as
introducing PKCS11_TOKEN_PIN_SIZE_MIN, in pkcs11_token.h.

Rely on serializer.h for de-serializing the command arguments.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: add pad_str() helper in token info wrapper

Add pad_str() to pad a string ('\0' terminated) with blank characters
(' '), removing the '\0' termination as per PKCS#11 specification.

This

ta: pkcs11: add pad_str() helper in token info wrapper

Add pad_str() to pad a string ('\0' terminated) with blank characters
(' '), removing the '\0' termination as per PKCS#11 specification.

This will factorize other padding needed in other function/command
wrappers.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: implement command to get slot information

Implement TA command PKCS11_CMD_SLOT_INFO for client get information
on a specific slot.

Rely on serializer.h for de-serializing the command ar

ta: pkcs11: implement command to get slot information

Implement TA command PKCS11_CMD_SLOT_INFO for client get information
on a specific slot.

Rely on serializer.h for de-serializing the command arguments.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: speculation safe lookup of token instance

Change get_token_id() to be safe against speculation execution for
IDs provided by client. This change is needed for TA command handlers
relying

ta: pkcs11: speculation safe lookup of token instance

Change get_token_id() to be safe against speculation execution for
IDs provided by client. This change is needed for TA command handlers
relying on slot/token IDs provided by client applications.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: implement command to get slots list

Implement TA command PKCS11_CMD_SLOT_LIST for client to get the IDs of
the slots embedded in the PKCS11 TA.

Signed-off-by: Etienne Carriere <etienne.

ta: pkcs11: implement command to get slots list

Implement TA command PKCS11_CMD_SLOT_LIST for client to get the IDs of
the slots embedded in the PKCS11 TA.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: de-serialization of command arguments

Add serialize.c|.h that provide functions to extract a sized data
in a serialized buffer as used for command serial arguments.

Signed-off-by: Etien

ta: pkcs11: de-serialization of command arguments

Add serialize.c|.h that provide functions to extract a sized data
in a serialized buffer as used for command serial arguments.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: better test object ids generation

Change init_pin_keys() and init_persistent_db() to rely on the
strict byte size of the object ID reference rather than using hard
coded value 32.

Fixes

ta: pkcs11: better test object ids generation

Change init_pin_keys() and init_persistent_db() to rely on the
strict byte size of the object ID reference rather than using hard
coded value 32.

Fixes: c84ccd0a805e ("ta: pkcs11: persistent database for the pkcs11 tokens")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: ta.ld.S: merge .ARM.extab* sections

Contrary to .ARM.exidx, we have no .ARM.extab entry in the TA linker
script. As a result, the multiple .ARM.extab* sections gathered from
the object files wil

ta: ta.ld.S: merge .ARM.extab* sections

Contrary to .ARM.exidx, we have no .ARM.extab entry in the TA linker
script. As a result, the multiple .ARM.extab* sections gathered from
the object files will remain in the TA. While this is perfectly valid
and does not cause any functional issue, it uselessly pollutes the
readelf/symbolize.py/etc. dumps.

This commit merges all the .ARM.extab* into a unique .ARM.extab.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: API for slot/token information

Define invocation commands to carry the request related to
PKCS#11 API functions related to slot and token information:
- get the list of the slots, relate

ta: pkcs11: API for slot/token information

Define invocation commands to carry the request related to
PKCS#11 API functions related to slot and token information:
- get the list of the slots, related to CK function C_GetSlotList(),
- get information from a slot, related to C_GetSlotInfo(),
- get information from a token, related to C_GetTokenInfo(),
- get the list of mechanisms supported by a token, C_GetMechanismList(),
- get information a mechanism from a token, C_GetMechanismInfo().

The TA API involves several byte serialization of invocation
parameters data inside TEE invocation input/output memory reference
parameters.

This change introduces the command APIs and some debug helpers for
the newly defined slot/token flags.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: enumerate ta command ids

Enumerate RA command IDs rather than using macros.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@lin

ta: pkcs11: enumerate ta command ids

Enumerate RA command IDs rather than using macros.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: persistent database for the pkcs11 tokens

Initialize token(s) state from a persistent database. If no
persistent database is found in the secure storage, initialize
it to a default state

ta: pkcs11: persistent database for the pkcs11 tokens

Initialize token(s) state from a persistent database. If no
persistent database is found in the secure storage, initialize
it to a default state and save the database in secure storage.

PKCS11 TA may implement several tokens each related to its own
database.

A token persistent database is stored in several part in TEE secure
storage. The main database stores token label, flags and PINs status.
Another database stores the UUIDs of the TEE persistent objects
used to store the token PKCS11 objects allowing the token to find
back PKCS11 persistent objects. This object database is out of the
scope of this change.

At runtime, a token instance is reference by a struct ck_token instance
in RAM which stores the state of the token and references to the
resources the token as loaded as PIN cipher keys (see paragraph below),
session states and the volatile copy of the persistent databases.

Among data saved in persistent database is the reference to
the keys used to cipher the PINs that will be used. A symmetric
encryption scheme is used using keys PKCS11 TA does not have access
to. This allows PKCS11 TA to save in RAM an encrypted value of
the owners PINs.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ldelf, ta: add support for DT_INIT_ARRAY and DT_FINI_ARRAY

Adds support for running initialization and finalization functions in
TA ELF files. Such functions are used, for instance, by C++ compilers

ldelf, ta: add support for DT_INIT_ARRAY and DT_FINI_ARRAY

Adds support for running initialization and finalization functions in
TA ELF files. Such functions are used, for instance, by C++ compilers
to construct and destruct global objects. They can also be used in C
thanks to __attribute__((constructor)) and __attribute__((destructor)).

A global structure is added to libutee. ldelf is responsible for
filling it with the addresses of the functions pointer arrays present
in the ELF files whenever such a file is loaded. Since the number of
arrays is unknown at compile time (it depends on how many ELF files are
loaded, and whether they have constructors or destructors), memory is
allocated on the TA heap.

Two helper functions are introduced: __utee_call_elf_init_fn() and
__utee_call_elf_fini_fn(). They are used when the TA instance is
created and torn down, as well as by dlopen().

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, QEMUv8, HiKey960 32/64)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: report PKCS11 return code to client

For the PKCS11 TA to provide client a meaningful return code as per
PKCS#11 specification, the GPD TEE command invocation return code
is forced to TEE

ta: pkcs11: report PKCS11 return code to client

For the PKCS11 TA to provide client a meaningful return code as per
PKCS#11 specification, the GPD TEE command invocation return code
is forced to TEE_SUCCESS and client is expected to read effective
PKCS11 return code (which can report a success or a failure) from
invocation parameter #0 that must be a input/output memory
reference. The status is return as a 32bit value in the output
buffer.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: change TA API to mandate param#0 as in/out memref

Change TA API so that invocation parameter #0 is always used as
an input/output memory reference. Output buffer is always used to
store

ta: pkcs11: change TA API to mandate param#0 as in/out memref

Change TA API so that invocation parameter #0 is always used as
an input/output memory reference. Output buffer is always used to
store a PKCS#11 compliant status to the client.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: define pkcs11 return codes

This change introduces PKCS11 return codes used internally in the
TA to get a PKCS#11 compliant status of the requested operation
and also reported to the call

ta: pkcs11: define pkcs11 return codes

This change introduces PKCS11 return codes used internally in the
TA to get a PKCS#11 compliant status of the requested operation
and also reported to the caller client providing a cryptoki
compliant return value for the client API functions.

There are PCSK11 TA specific return values that are defined and
used only internally in the TA: PKCS11_RVçNOT_FOUND and
PKCS11_RV_NOT_IMPLEMENTED.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Revert "ftrace: define CFG_FTRACE_BUF_SIZE in mk/config.mk"

This reverts commit 59e8ef0dcb3773964fd133d0a9360989cb86108f.

The default value for CFG_FTRACE_BUF_SIZE needs to be in the TA link
script

Revert "ftrace: define CFG_FTRACE_BUF_SIZE in mk/config.mk"

This reverts commit 59e8ef0dcb3773964fd133d0a9360989cb86108f.

The default value for CFG_FTRACE_BUF_SIZE needs to be in the TA link
script ta.ld.S, because this file is *not* pre-processed before being
added to the TA dev kit. Replacement of CFG_* values only happens when
the TA is built, at which point mk/config.mk is irrelevant. It makes
sense of course, since it allows to change TA settings and re-build
only the TA.

Fixes the following TA link error:

$ make CFLAGS_ta_arm32=-pg
[...]
bin/arm-linux-gnueabihf-ld.bfd:out/ta.lds:57: undefined symbol `CFG_FTRACE_BUF_SIZE' referenced in expression

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>

show more ...