1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*
3 * Copyright (c) 2017-2020, Linaro Limited
4 */
5 #ifndef PKCS11_TA_PKCS11_TOKEN_H
6 #define PKCS11_TA_PKCS11_TOKEN_H
7
8 #include <sys/queue.h>
9 #include <tee_api_types.h>
10 #include <tee_internal_api.h>
11 #include <utee_defines.h>
12
13 #include "handle.h"
14 #include "object.h"
15 #include "pkcs11_attributes.h"
16
17 /* Hard coded description */
18 #define PKCS11_SLOT_DESCRIPTION "OP-TEE PKCS11 TA"
19 #define PKCS11_SLOT_MANUFACTURER "Linaro"
20 #define PKCS11_SLOT_HW_VERSION { 0, 0 }
21 #define PKCS11_SLOT_FW_VERSION { PKCS11_TA_VERSION_MAJOR, \
22 PKCS11_TA_VERSION_MINOR }
23
24 #define PKCS11_TOKEN_LABEL "OP-TEE PKCS#11 TA token"
25 #define PKCS11_TOKEN_MANUFACTURER PKCS11_SLOT_MANUFACTURER
26 #define PKCS11_TOKEN_MODEL "OP-TEE TA"
27 #define PKCS11_TOKEN_HW_VERSION PKCS11_SLOT_HW_VERSION
28 #define PKCS11_TOKEN_FW_VERSION PKCS11_SLOT_FW_VERSION
29
30 enum pkcs11_token_state {
31 PKCS11_TOKEN_RESET = 0,
32 PKCS11_TOKEN_READ_WRITE,
33 PKCS11_TOKEN_READ_ONLY,
34 };
35
36 TAILQ_HEAD(client_list, pkcs11_client);
37 TAILQ_HEAD(session_list, pkcs11_session);
38
39 struct pkcs11_client;
40
41 #define PKCS11_MAX_USERS 2
42 #define PKCS11_TOKEN_PIN_SIZE_MAX 128
43 #define PKCS11_TOKEN_PIN_SIZE_MIN 4
44 #define PKCS11_TOKEN_SO_PIN_COUNT_MAX 7
45 #define PKCS11_TOKEN_USER_PIN_COUNT_MAX 7
46
47 /*
48 * Persistent state of the token
49 *
50 * @version - currently unused...
51 * @label - pkcs11 formatted token label, set by client
52 * @flags - pkcs11 token flags
53 * @so_pin_count - counter on security officer login failure
54 * @so_pin_salt - stores salt in hash of SO PIN, 0 if not set
55 * @so_pin_hash - stores hash of SO PIN
56 * @user_pin_count - counter on user login failure
57 * @user_pin_salt - stores salt in hash of user PIN, 0 if not set
58 * @user_pin_hash - stores hash of user PIN
59 */
60 struct token_persistent_main {
61 uint32_t version;
62 uint8_t label[PKCS11_TOKEN_LABEL_SIZE];
63 uint32_t flags;
64 uint32_t so_pin_count;
65 uint32_t so_pin_salt;
66 union {
67 uint8_t so_pin_hash[TEE_MAX_HASH_SIZE];
68 TEE_Identity so_identity;
69 };
70 uint32_t user_pin_count;
71 uint32_t user_pin_salt;
72 union {
73 uint8_t user_pin_hash[TEE_MAX_HASH_SIZE];
74 TEE_Identity user_identity;
75 };
76 };
77
78 /*
79 * Persistent objects in the token
80 *
81 * @count - number of objects stored in the token
82 * @uuids - array of object references/UUIDs (@count items)
83 */
84 struct token_persistent_objs {
85 uint32_t count;
86 TEE_UUID uuids[];
87 };
88
89 /*
90 * Runtime state of the token, complies with pkcs11
91 *
92 * @state - Pkcs11 login is public, user, SO or custom
93 * @session_count - Counter for opened Pkcs11 sessions
94 * @rw_session_count - Count for opened Pkcs11 read/write sessions
95 * @object_list - List of the objects owned by the token
96 * @db_main - Volatile copy of the persistent main database
97 * @db_objs - Volatile copy of the persistent object database
98 */
99 struct ck_token {
100 enum pkcs11_token_state state;
101 uint32_t session_count;
102 uint32_t rw_session_count;
103 struct object_list object_list;
104 /* Copy in RAM of the persistent database */
105 struct token_persistent_main *db_main;
106 struct token_persistent_objs *db_objs;
107 };
108
109 /*
110 * A session can enter a processing state (encrypt, decrypt, digest, ...)
111 * only from the initialized state. A session must return the initialized
112 * state (from a processing finalization request) before entering another
113 * processing state.
114 */
115 enum pkcs11_proc_state {
116 PKCS11_SESSION_READY = 0, /* No active processing */
117 PKCS11_SESSION_ENCRYPTING,
118 PKCS11_SESSION_DECRYPTING,
119 PKCS11_SESSION_DIGESTING,
120 PKCS11_SESSION_DIGESTING_ENCRYPTING, /* case C_DigestEncryptUpdate */
121 PKCS11_SESSION_DECRYPTING_DIGESTING, /* case C_DecryptDigestUpdate */
122 PKCS11_SESSION_SIGNING,
123 PKCS11_SESSION_SIGNING_ENCRYPTING, /* case C_SignEncryptUpdate */
124 PKCS11_SESSION_VERIFYING,
125 PKCS11_SESSION_DECRYPTING_VERIFYING, /* case C_DecryptVerifyUpdate */
126 PKCS11_SESSION_SIGNING_RECOVER,
127 PKCS11_SESSION_VERIFYING_RECOVER,
128 PKCS11_SESSION_BUSY,
129 };
130
131 /*
132 * Context of the active processing in the session
133 *
134 * @state - ongoing active processing function or ready state
135 * @mecha_type - mechanism type of the active processing
136 * @always_authen - true if user need to login before each use
137 * @relogged - true once client logged since last operation update
138 * @op_step - last active operation step - update, final or one-shot
139 * @tee_op_handle - handle on active crypto operation or TEE_HANDLE_NULL
140 * @tee_op_handle2 - second handle for specific operations or TEE_HANDLE_NULL
141 * @tee_hash_algo - hash algorithm identifier.
142 * @extra_ctx - context for the active processing
143 */
144 struct active_processing {
145 enum pkcs11_proc_state state;
146 uint32_t mecha_type;
147 enum processing_step step;
148 bool always_authen;
149 bool relogged;
150 TEE_OperationHandle tee_op_handle;
151 TEE_OperationHandle tee_op_handle2;
152 uint32_t tee_hash_algo;
153 void *extra_ctx;
154 };
155
156 /*
157 * Pkcs11 objects search context
158 *
159 * @attributes - matching attributes list searched (null if no search)
160 * @count - number of matching handle found
161 * @handles - array of handle of matching objects
162 * @next - index of the next object handle to return to C_FindObject
163 */
164 struct pkcs11_find_objects {
165 void *attributes;
166 size_t count;
167 uint32_t *handles;
168 size_t next;
169 };
170
171 /*
172 * Structure tracking the PKCS#11 sessions
173 *
174 * @link - List of the session belonging to a client
175 * @client - Client the session belongs to
176 * @token - Token this session belongs to
177 * @handle - Identifier of the session published to the client
178 * @object_list - Entry of the session objects list
179 * @state - R/W SO, R/W user, RO user, R/W public, RO public.
180 * @processing - Reference to initialized processing context if any
181 * @find_ctx - Reference to active search context (null if no active search)
182 */
183 struct pkcs11_session {
184 TAILQ_ENTRY(pkcs11_session) link;
185 struct pkcs11_client *client;
186 struct ck_token *token;
187 enum pkcs11_mechanism_id handle;
188 struct object_list object_list;
189 enum pkcs11_session_state state;
190 struct active_processing *processing;
191 struct pkcs11_find_objects *find_ctx;
192 };
193
194 /* Initialize static token instance(s) from default/persistent database */
195 TEE_Result pkcs11_init(void);
196 void pkcs11_deinit(void);
197
198 /* Speculation safe lookup of token instance from token identifier */
199 struct ck_token *get_token(unsigned int token_id);
200
201 /* Return token identified from token instance address */
202 unsigned int get_token_id(struct ck_token *token);
203
204 /* Return client's (shared) object handle database associated with session */
205 struct handle_db *get_object_handle_db(struct pkcs11_session *session);
206
207 /* Access to persistent database */
208 struct ck_token *init_persistent_db(unsigned int token_id);
209 void update_persistent_db(struct ck_token *token);
210 void close_persistent_db(struct ck_token *token);
211
212 /* Load and release persistent object attributes in memory */
213 enum pkcs11_rc load_persistent_object_attributes(struct pkcs11_object *obj);
214 void release_persistent_object_attributes(struct pkcs11_object *obj);
215 enum pkcs11_rc update_persistent_object_attributes(struct pkcs11_object *obj);
216
217 enum pkcs11_rc hash_pin(enum pkcs11_user_type user, const uint8_t *pin,
218 size_t pin_size, uint32_t *salt,
219 uint8_t hash[TEE_MAX_HASH_SIZE]);
220 enum pkcs11_rc verify_pin(enum pkcs11_user_type user, const uint8_t *pin,
221 size_t pin_size, uint32_t salt,
222 const uint8_t hash[TEE_MAX_HASH_SIZE]);
223
224 #if defined(CFG_PKCS11_TA_AUTH_TEE_IDENTITY)
225 enum pkcs11_rc setup_so_identity_auth_from_client(struct ck_token *token);
226 enum pkcs11_rc setup_identity_auth_from_pin(struct ck_token *token,
227 enum pkcs11_user_type user_type,
228 const uint8_t *pin,
229 size_t pin_size);
230 enum pkcs11_rc verify_identity_auth(struct ck_token *token,
231 enum pkcs11_user_type user_type);
232 #else
233 static inline enum pkcs11_rc
setup_so_identity_auth_from_client(struct ck_token * token __unused)234 setup_so_identity_auth_from_client(struct ck_token *token __unused)
235 {
236 return PKCS11_CKR_PIN_INVALID;
237 }
238
239 static inline enum pkcs11_rc
setup_identity_auth_from_pin(struct ck_token * token __unused,enum pkcs11_user_type user_type __unused,const uint8_t * pin __unused,size_t pin_size __unused)240 setup_identity_auth_from_pin(struct ck_token *token __unused,
241 enum pkcs11_user_type user_type __unused,
242 const uint8_t *pin __unused,
243 size_t pin_size __unused)
244 {
245 return PKCS11_CKR_PIN_INVALID;
246 }
247
248 static inline enum pkcs11_rc
verify_identity_auth(struct ck_token * token __unused,enum pkcs11_user_type user_type __unused)249 verify_identity_auth(struct ck_token *token __unused,
250 enum pkcs11_user_type user_type __unused)
251 {
252 return PKCS11_CKR_PIN_INCORRECT;
253 }
254 #endif /* CFG_PKCS11_TA_AUTH_TEE_IDENTITY */
255
256 /* Token persistent objects */
257 enum pkcs11_rc create_object_uuid(struct ck_token *token,
258 struct pkcs11_object *obj);
259 void destroy_object_uuid(struct ck_token *token, struct pkcs11_object *obj);
260 enum pkcs11_rc unregister_persistent_object(struct ck_token *token,
261 TEE_UUID *uuid);
262 enum pkcs11_rc register_persistent_object(struct ck_token *token,
263 TEE_UUID *uuid);
264 enum pkcs11_rc get_persistent_objects_list(struct ck_token *token,
265 TEE_UUID *array, size_t *size);
266
267 /*
268 * Pkcs11 session support
269 */
270 struct session_list *get_session_list(struct pkcs11_session *session);
271 struct pkcs11_client *tee_session2client(void *tee_session);
272 struct pkcs11_client *register_client(void);
273 void unregister_client(struct pkcs11_client *client);
274
275 struct pkcs11_session *pkcs11_handle2session(uint32_t handle,
276 struct pkcs11_client *client);
277
session_is_active(struct pkcs11_session * session)278 static inline bool session_is_active(struct pkcs11_session *session)
279 {
280 return session->processing;
281 }
282
283 enum pkcs11_rc set_processing_state(struct pkcs11_session *session,
284 enum processing_func function,
285 struct pkcs11_object *obj1,
286 struct pkcs11_object *obj2);
287
pkcs11_session_is_read_write(struct pkcs11_session * session)288 static inline bool pkcs11_session_is_read_write(struct pkcs11_session *session)
289 {
290 return session->state == PKCS11_CKS_RW_PUBLIC_SESSION ||
291 session->state == PKCS11_CKS_RW_USER_FUNCTIONS ||
292 session->state == PKCS11_CKS_RW_SO_FUNCTIONS;
293 }
294
pkcs11_session_is_public(struct pkcs11_session * session)295 static inline bool pkcs11_session_is_public(struct pkcs11_session *session)
296 {
297 return session->state == PKCS11_CKS_RO_PUBLIC_SESSION ||
298 session->state == PKCS11_CKS_RW_PUBLIC_SESSION;
299 }
300
pkcs11_session_is_user(struct pkcs11_session * session)301 static inline bool pkcs11_session_is_user(struct pkcs11_session *session)
302 {
303 return session->state == PKCS11_CKS_RO_USER_FUNCTIONS ||
304 session->state == PKCS11_CKS_RW_USER_FUNCTIONS;
305 }
306
pkcs11_session_is_so(struct pkcs11_session * session)307 static inline bool pkcs11_session_is_so(struct pkcs11_session *session)
308 {
309 return session->state == PKCS11_CKS_RW_SO_FUNCTIONS;
310 }
311
312 static inline
pkcs11_get_session_objects(struct pkcs11_session * session)313 struct object_list *pkcs11_get_session_objects(struct pkcs11_session *session)
314 {
315 return &session->object_list;
316 }
317
318 static inline
pkcs11_session2token(struct pkcs11_session * session)319 struct ck_token *pkcs11_session2token(struct pkcs11_session *session)
320 {
321 return session->token;
322 }
323
324 /* Invalidate any handle referring the object since the object no more exists */
325 void token_invalidate_object_handles(struct pkcs11_object *obj);
326
327 /* Entry point for the TA commands */
328 enum pkcs11_rc entry_ck_slot_list(uint32_t ptypes, TEE_Param *params);
329 enum pkcs11_rc entry_ck_slot_info(uint32_t ptypes, TEE_Param *params);
330 enum pkcs11_rc entry_ck_token_info(uint32_t ptypes, TEE_Param *params);
331 enum pkcs11_rc entry_ck_token_mecha_ids(uint32_t ptypes, TEE_Param *params);
332 enum pkcs11_rc entry_ck_token_mecha_info(uint32_t ptypes, TEE_Param *params);
333 enum pkcs11_rc entry_ck_open_session(struct pkcs11_client *client,
334 uint32_t ptypes, TEE_Param *params);
335 enum pkcs11_rc entry_ck_close_session(struct pkcs11_client *client,
336 uint32_t ptypes, TEE_Param *params);
337 enum pkcs11_rc entry_ck_close_all_sessions(struct pkcs11_client *client,
338 uint32_t ptypes, TEE_Param *params);
339 enum pkcs11_rc entry_ck_session_info(struct pkcs11_client *client,
340 uint32_t ptypes, TEE_Param *params);
341 enum pkcs11_rc entry_ck_token_initialize(uint32_t ptypes, TEE_Param *params);
342 enum pkcs11_rc entry_ck_init_pin(struct pkcs11_client *client,
343 uint32_t ptypes, TEE_Param *params);
344 enum pkcs11_rc entry_ck_set_pin(struct pkcs11_client *client,
345 uint32_t ptypes, TEE_Param *params);
346 enum pkcs11_rc entry_ck_login(struct pkcs11_client *client,
347 uint32_t ptypes, TEE_Param *params);
348 enum pkcs11_rc entry_ck_logout(struct pkcs11_client *client,
349 uint32_t ptypes, TEE_Param *params);
350 enum pkcs11_rc entry_ck_seed_random(struct pkcs11_client *client,
351 uint32_t ptypes, TEE_Param *params);
352 enum pkcs11_rc entry_ck_generate_random(struct pkcs11_client *client,
353 uint32_t ptypes, TEE_Param *params);
354
355 #endif /*PKCS11_TA_PKCS11_TOKEN_H*/
356