1 /* SPDX-License-Identifier: BSD-2-Clause */ 2 /* 3 * Copyright (c) 2018-2020, Linaro Limited 4 */ 5 6 #ifndef PKCS11_TA_H 7 #define PKCS11_TA_H 8 9 #include <stdbool.h> 10 #include <stdint.h> 11 12 #define PKCS11_TA_UUID { 0xfd02c9da, 0x306c, 0x48c7, \ 13 { 0xa4, 0x9c, 0xbb, 0xd8, 0x27, 0xae, 0x86, 0xee } } 14 15 /* PKCS11 trusted application version information */ 16 #define PKCS11_TA_VERSION_MAJOR 0 17 #define PKCS11_TA_VERSION_MINOR 1 18 #define PKCS11_TA_VERSION_PATCH 0 19 20 /* Attribute specific values */ 21 #define PKCS11_UNAVAILABLE_INFORMATION UINT32_C(0xFFFFFFFF) 22 #define PKCS11_UNDEFINED_ID PKCS11_UNAVAILABLE_INFORMATION 23 #define PKCS11_FALSE false 24 #define PKCS11_TRUE true 25 26 /* 27 * Note on PKCS#11 TA commands ABI 28 * 29 * For evolution of the TA API and to not mess with the GPD TEE 4 parameters 30 * constraint, all the PKCS11 TA invocation commands use a subset of available 31 * the GPD TEE invocation parameter types. 32 * 33 * Param#0 is used for the so-called control arguments of the invoked command 34 * and for providing a PKCS#11 compliant status code for the request command. 35 * Param#0 is an in/out memory reference (aka memref[0]). The input buffer 36 * stores serialized arguments for the command. The output buffer store the 37 * 32bit TA return code for the command. As a consequence, param#0 shall 38 * always be an input/output memory reference of at least 32bit, more if 39 * the command expects more input arguments. 40 * 41 * When the TA returns with TEE_SUCCESS result, client shall always get the 42 * 32bit value stored in param#0 output buffer and use the value as TA 43 * return code for the invoked command. 44 * 45 * Param#1 can be used for input data arguments of the invoked command. 46 * It is unused or is a input memory reference, aka memref[1]. 47 * Evolution of the API may use memref[1] for output data as well. 48 * 49 * Param#2 is mostly used for output data arguments of the invoked command 50 * and for output handles generated from invoked commands. 51 * Few commands uses it for a secondary input data buffer argument. 52 * It is unused or is a input/output/in-out memory reference, aka memref[2]. 53 * 54 * Param#3 is currently unused and reserved for evolution of the API. 55 */ 56 57 enum pkcs11_ta_cmd { 58 /* 59 * PKCS11_CMD_PING Ack TA presence and return version info 60 * 61 * [in] memref[0] = 32bit, unused, must be 0 62 * [out] memref[0] = 32bit return code, enum pkcs11_rc 63 * [out] memref[2] = [ 64 * 32bit version major value, 65 * 32bit version minor value 66 * 32bit version patch value 67 * ] 68 */ 69 PKCS11_CMD_PING = 0, 70 71 /* 72 * PKCS11_CMD_SLOT_LIST - Get the table of the valid slot IDs 73 * 74 * [in] memref[0] = 32bit, unused, must be 0 75 * [out] memref[0] = 32bit return code, enum pkcs11_rc 76 * [out] memref[2] = 32bit array slot_ids[slot counts] 77 * 78 * The TA instance may represent several PKCS#11 slots and 79 * associated tokens. This commadn reports the IDs of embedded tokens. 80 * This command relates the PKCS#11 API function C_GetSlotList(). 81 */ 82 PKCS11_CMD_SLOT_LIST = 1, 83 84 /* 85 * PKCS11_CMD_SLOT_INFO - Get cryptoki structured slot information 86 * 87 * [in] memref[0] = 32bit slot ID 88 * [out] memref[0] = 32bit return code, enum pkcs11_rc 89 * [out] memref[2] = (struct pkcs11_slot_info)info 90 * 91 * The TA instance may represent several PKCS#11 slots/tokens. 92 * This command relates the PKCS#11 API function C_GetSlotInfo(). 93 */ 94 PKCS11_CMD_SLOT_INFO = 2, 95 96 /* 97 * PKCS11_CMD_TOKEN_INFO - Get cryptoki structured token information 98 * 99 * [in] memref[0] = 32bit slot ID 100 * [out] memref[0] = 32bit return code, enum pkcs11_rc 101 * [out] memref[2] = (struct pkcs11_token_info)info 102 * 103 * The TA instance may represent several PKCS#11 slots/tokens. 104 * This command relates the PKCS#11 API function C_GetTokenInfo(). 105 */ 106 PKCS11_CMD_TOKEN_INFO = 3, 107 108 /* 109 * PKCS11_CMD_MECHANISM_IDS - Get list of the supported mechanisms 110 * 111 * [in] memref[0] = 32bit slot ID 112 * [out] memref[0] = 32bit return code, enum pkcs11_rc 113 * [out] memref[2] = 32bit array mechanism IDs 114 * 115 * This command relates to the PKCS#11 API function 116 * C_GetMechanismList(). 117 */ 118 PKCS11_CMD_MECHANISM_IDS = 4, 119 120 /* 121 * PKCS11_CMD_MECHANISM_INFO - Get information on a specific mechanism 122 * 123 * [in] memref[0] = [ 124 * 32bit slot ID, 125 * 32bit mechanism ID (PKCS11_CKM_*) 126 * ] 127 * [out] memref[0] = 32bit return code, enum pkcs11_rc 128 * [out] memref[2] = (struct pkcs11_mechanism_info)info 129 * 130 * This command relates to the PKCS#11 API function 131 * C_GetMechanismInfo(). 132 */ 133 PKCS11_CMD_MECHANISM_INFO = 5, 134 135 /* 136 * PKCS11_CMD_OPEN_SESSION - Open a session 137 * 138 * [in] memref[0] = [ 139 * 32bit slot ID, 140 * 32bit session flags, 141 * ] 142 * [out] memref[0] = 32bit return code, enum pkcs11_rc 143 * [out] memref[2] = 32bit session handle 144 * 145 * This command relates to the PKCS#11 API function C_OpenSession(). 146 */ 147 PKCS11_CMD_OPEN_SESSION = 6, 148 149 /* 150 * PKCS11_CMD_CLOSE_SESSION - Close an opened session 151 * 152 * [in] memref[0] = 32bit session handle 153 * [out] memref[0] = 32bit return code, enum pkcs11_rc 154 * 155 * This command relates to the PKCS#11 API function C_CloseSession(). 156 */ 157 PKCS11_CMD_CLOSE_SESSION = 7, 158 159 /* 160 * PKCS11_CMD_CLOSE_ALL_SESSIONS - Close all client sessions on token 161 * 162 * [in] memref[0] = 32bit slot ID 163 * [out] memref[0] = 32bit return code, enum pkcs11_rc 164 * 165 * This command relates to the PKCS#11 API function 166 * C_CloseAllSessions(). 167 */ 168 PKCS11_CMD_CLOSE_ALL_SESSIONS = 8, 169 170 /* 171 * PKCS11_CMD_SESSION_INFO - Get Cryptoki information on a session 172 * 173 * [in] memref[0] = 32bit session handle 174 * [out] memref[0] = 32bit return code, enum pkcs11_rc 175 * [out] memref[2] = (struct pkcs11_session_info)info 176 * 177 * This command relates to the PKCS#11 API function C_GetSessionInfo(). 178 */ 179 PKCS11_CMD_SESSION_INFO = 9, 180 }; 181 182 /* 183 * Command return codes 184 * PKCS11_<x> relates CryptoKi client API CKR_<x> 185 */ 186 enum pkcs11_rc { 187 PKCS11_CKR_OK = 0, 188 PKCS11_CKR_CANCEL = 0x0001, 189 PKCS11_CKR_SLOT_ID_INVALID = 0x0003, 190 PKCS11_CKR_GENERAL_ERROR = 0x0005, 191 PKCS11_CKR_FUNCTION_FAILED = 0x0006, 192 PKCS11_CKR_ARGUMENTS_BAD = 0x0007, 193 PKCS11_CKR_ATTRIBUTE_READ_ONLY = 0x0010, 194 PKCS11_CKR_ATTRIBUTE_SENSITIVE = 0x0011, 195 PKCS11_CKR_ATTRIBUTE_TYPE_INVALID = 0x0012, 196 PKCS11_CKR_ATTRIBUTE_VALUE_INVALID = 0x0013, 197 PKCS11_CKR_ACTION_PROHIBITED = 0x001b, 198 PKCS11_CKR_DATA_INVALID = 0x0020, 199 PKCS11_CKR_DATA_LEN_RANGE = 0x0021, 200 PKCS11_CKR_DEVICE_ERROR = 0x0030, 201 PKCS11_CKR_DEVICE_MEMORY = 0x0031, 202 PKCS11_CKR_DEVICE_REMOVED = 0x0032, 203 PKCS11_CKR_ENCRYPTED_DATA_INVALID = 0x0040, 204 PKCS11_CKR_ENCRYPTED_DATA_LEN_RANGE = 0x0041, 205 PKCS11_CKR_KEY_HANDLE_INVALID = 0x0060, 206 PKCS11_CKR_KEY_SIZE_RANGE = 0x0062, 207 PKCS11_CKR_KEY_TYPE_INCONSISTENT = 0x0063, 208 PKCS11_CKR_KEY_FUNCTION_NOT_PERMITTED = 0x0068, 209 PKCS11_CKR_KEY_NOT_WRAPPABLE = 0x0069, 210 PKCS11_CKR_KEY_UNEXTRACTABLE = 0x006a, 211 PKCS11_CKR_MECHANISM_INVALID = 0x0070, 212 PKCS11_CKR_MECHANISM_PARAM_INVALID = 0x0071, 213 PKCS11_CKR_OBJECT_HANDLE_INVALID = 0x0082, 214 PKCS11_CKR_OPERATION_ACTIVE = 0x0090, 215 PKCS11_CKR_OPERATION_NOT_INITIALIZED = 0x0091, 216 PKCS11_CKR_PIN_INCORRECT = 0x00a0, 217 PKCS11_CKR_PIN_INVALID = 0x00a1, 218 PKCS11_CKR_PIN_LEN_RANGE = 0x00a2, 219 PKCS11_CKR_PIN_EXPIRED = 0x00a3, 220 PKCS11_CKR_PIN_LOCKED = 0x00a4, 221 PKCS11_CKR_SESSION_CLOSED = 0x00b0, 222 PKCS11_CKR_SESSION_COUNT = 0x00b1, 223 PKCS11_CKR_SESSION_HANDLE_INVALID = 0x00b3, 224 PKCS11_CKR_SESSION_READ_ONLY = 0x00b5, 225 PKCS11_CKR_SESSION_EXISTS = 0x00b6, 226 PKCS11_CKR_SESSION_READ_ONLY_EXISTS = 0x00b7, 227 PKCS11_CKR_SESSION_READ_WRITE_SO_EXISTS = 0x00b8, 228 PKCS11_CKR_SIGNATURE_INVALID = 0x00c0, 229 PKCS11_CKR_SIGNATURE_LEN_RANGE = 0x00c1, 230 PKCS11_CKR_TEMPLATE_INCOMPLETE = 0x00d0, 231 PKCS11_CKR_TEMPLATE_INCONSISTENT = 0x00d1, 232 PKCS11_CKR_TOKEN_NOT_PRESENT = 0x00e0, 233 PKCS11_CKR_TOKEN_NOT_RECOGNIZED = 0x00e1, 234 PKCS11_CKR_TOKEN_WRITE_PROTECTED = 0x00e2, 235 PKCS11_CKR_USER_ALREADY_LOGGED_IN = 0x0100, 236 PKCS11_CKR_USER_NOT_LOGGED_IN = 0x0101, 237 PKCS11_CKR_USER_PIN_NOT_INITIALIZED = 0x0102, 238 PKCS11_CKR_USER_TYPE_INVALID = 0x0103, 239 PKCS11_CKR_USER_ANOTHER_ALREADY_LOGGED_IN = 0x0104, 240 PKCS11_CKR_USER_TOO_MANY_TYPES = 0x0105, 241 PKCS11_CKR_DOMAIN_PARAMS_INVALID = 0x0130, 242 PKCS11_CKR_CURVE_NOT_SUPPORTED = 0x0140, 243 PKCS11_CKR_BUFFER_TOO_SMALL = 0x0150, 244 PKCS11_CKR_SAVED_STATE_INVALID = 0x0160, 245 PKCS11_CKR_INFORMATION_SENSITIVE = 0x0170, 246 PKCS11_CKR_STATE_UNSAVEABLE = 0x0180, 247 PKCS11_CKR_PIN_TOO_WEAK = 0x01b8, 248 PKCS11_CKR_PUBLIC_KEY_INVALID = 0x01b9, 249 PKCS11_CKR_FUNCTION_REJECTED = 0x0200, 250 /* Vendor specific IDs not returned to client */ 251 PKCS11_RV_NOT_FOUND = 0x80000000, 252 PKCS11_RV_NOT_IMPLEMENTED = 0x80000001, 253 }; 254 255 /* 256 * Arguments for PKCS11_CMD_SLOT_INFO 257 */ 258 #define PKCS11_SLOT_DESC_SIZE 64 259 #define PKCS11_SLOT_MANUFACTURER_SIZE 32 260 #define PKCS11_SLOT_VERSION_SIZE 2 261 262 struct pkcs11_slot_info { 263 uint8_t slot_description[PKCS11_SLOT_DESC_SIZE]; 264 uint8_t manufacturer_id[PKCS11_SLOT_MANUFACTURER_SIZE]; 265 uint32_t flags; 266 uint8_t hardware_version[PKCS11_SLOT_VERSION_SIZE]; 267 uint8_t firmware_version[PKCS11_SLOT_VERSION_SIZE]; 268 }; 269 270 /* 271 * Values for pkcs11_slot_info::flags. 272 * PKCS11_CKFS_<x> reflects CryptoKi client API slot flags CKF_<x>. 273 */ 274 #define PKCS11_CKFS_TOKEN_PRESENT (1U << 0) 275 #define PKCS11_CKFS_REMOVABLE_DEVICE (1U << 1) 276 #define PKCS11_CKFS_HW_SLOT (1U << 2) 277 278 /* 279 * Arguments for PKCS11_CMD_TOKEN_INFO 280 */ 281 #define PKCS11_TOKEN_LABEL_SIZE 32 282 #define PKCS11_TOKEN_MANUFACTURER_SIZE 32 283 #define PKCS11_TOKEN_MODEL_SIZE 16 284 #define PKCS11_TOKEN_SERIALNUM_SIZE 16 285 286 struct pkcs11_token_info { 287 uint8_t label[PKCS11_TOKEN_LABEL_SIZE]; 288 uint8_t manufacturer_id[PKCS11_TOKEN_MANUFACTURER_SIZE]; 289 uint8_t model[PKCS11_TOKEN_MODEL_SIZE]; 290 uint8_t serial_number[PKCS11_TOKEN_SERIALNUM_SIZE]; 291 uint32_t flags; 292 uint32_t max_session_count; 293 uint32_t session_count; 294 uint32_t max_rw_session_count; 295 uint32_t rw_session_count; 296 uint32_t max_pin_len; 297 uint32_t min_pin_len; 298 uint32_t total_public_memory; 299 uint32_t free_public_memory; 300 uint32_t total_private_memory; 301 uint32_t free_private_memory; 302 uint8_t hardware_version[2]; 303 uint8_t firmware_version[2]; 304 uint8_t utc_time[16]; 305 }; 306 307 /* 308 * Values for pkcs11_token_info::flags. 309 * PKCS11_CKFT_<x> reflects CryptoKi client API token flags CKF_<x>. 310 */ 311 #define PKCS11_CKFT_RNG (1U << 0) 312 #define PKCS11_CKFT_WRITE_PROTECTED (1U << 1) 313 #define PKCS11_CKFT_LOGIN_REQUIRED (1U << 2) 314 #define PKCS11_CKFT_USER_PIN_INITIALIZED (1U << 3) 315 #define PKCS11_CKFT_RESTORE_KEY_NOT_NEEDED (1U << 5) 316 #define PKCS11_CKFT_CLOCK_ON_TOKEN (1U << 6) 317 #define PKCS11_CKFT_PROTECTED_AUTHENTICATION_PATH (1U << 8) 318 #define PKCS11_CKFT_DUAL_CRYPTO_OPERATIONS (1U << 9) 319 #define PKCS11_CKFT_TOKEN_INITIALIZED (1U << 10) 320 #define PKCS11_CKFT_SECONDARY_AUTHENTICATION (1U << 11) 321 #define PKCS11_CKFT_USER_PIN_COUNT_LOW (1U << 16) 322 #define PKCS11_CKFT_USER_PIN_FINAL_TRY (1U << 17) 323 #define PKCS11_CKFT_USER_PIN_LOCKED (1U << 18) 324 #define PKCS11_CKFT_USER_PIN_TO_BE_CHANGED (1U << 19) 325 #define PKCS11_CKFT_SO_PIN_COUNT_LOW (1U << 20) 326 #define PKCS11_CKFT_SO_PIN_FINAL_TRY (1U << 21) 327 #define PKCS11_CKFT_SO_PIN_LOCKED (1U << 22) 328 #define PKCS11_CKFT_SO_PIN_TO_BE_CHANGED (1U << 23) 329 #define PKCS11_CKFT_ERROR_STATE (1U << 24) 330 331 /* Values for user identity */ 332 enum pkcs11_user_type { 333 PKCS11_CKU_SO = 0x000, 334 PKCS11_CKU_USER = 0x001, 335 PKCS11_CKU_CONTEXT_SPECIFIC = 0x002, 336 }; 337 338 /* 339 * Values for 32bit session flags argument to PKCS11_CMD_OPEN_SESSION 340 * and pkcs11_session_info::flags. 341 * PKCS11_CKFSS_<x> reflects CryptoKi client API session flags CKF_<x>. 342 */ 343 #define PKCS11_CKFSS_RW_SESSION (1U << 1) 344 #define PKCS11_CKFSS_SERIAL_SESSION (1U << 2) 345 346 /* 347 * Arguments for PKCS11_CMD_SESSION_INFO 348 */ 349 350 struct pkcs11_session_info { 351 uint32_t slot_id; 352 uint32_t state; 353 uint32_t flags; 354 uint32_t device_error; 355 }; 356 357 /* Valid values for pkcs11_session_info::state */ 358 enum pkcs11_session_state { 359 PKCS11_CKS_RO_PUBLIC_SESSION = 0, 360 PKCS11_CKS_RO_USER_FUNCTIONS = 1, 361 PKCS11_CKS_RW_PUBLIC_SESSION = 2, 362 PKCS11_CKS_RW_USER_FUNCTIONS = 3, 363 PKCS11_CKS_RW_SO_FUNCTIONS = 4, 364 }; 365 366 /* 367 * Arguments for PKCS11_CMD_MECHANISM_INFO 368 */ 369 370 struct pkcs11_mechanism_info { 371 uint32_t min_key_size; 372 uint32_t max_key_size; 373 uint32_t flags; 374 }; 375 376 /* 377 * Values for pkcs11_mechanism_info::flags. 378 * PKCS11_CKFM_<x> reflects CryptoKi client API mechanism flags CKF_<x>. 379 */ 380 #define PKCS11_CKFM_HW (1U << 0) 381 #define PKCS11_CKFM_ENCRYPT (1U << 8) 382 #define PKCS11_CKFM_DECRYPT (1U << 9) 383 #define PKCS11_CKFM_DIGEST (1U << 10) 384 #define PKCS11_CKFM_SIGN (1U << 11) 385 #define PKCS11_CKFM_SIGN_RECOVER (1U << 12) 386 #define PKCS11_CKFM_VERIFY (1U << 13) 387 #define PKCS11_CKFM_VERIFY_RECOVER (1U << 14) 388 #define PKCS11_CKFM_GENERATE (1U << 15) 389 #define PKCS11_CKFM_GENERATE_KEY_PAIR (1U << 16) 390 #define PKCS11_CKFM_WRAP (1U << 17) 391 #define PKCS11_CKFM_UNWRAP (1U << 18) 392 #define PKCS11_CKFM_DERIVE (1U << 19) 393 #define PKCS11_CKFM_EC_F_P (1U << 20) 394 #define PKCS11_CKFM_EC_F_2M (1U << 21) 395 #define PKCS11_CKFM_EC_ECPARAMETERS (1U << 22) 396 #define PKCS11_CKFM_EC_NAMEDCURVE (1U << 23) 397 #define PKCS11_CKFM_EC_UNCOMPRESS (1U << 24) 398 #define PKCS11_CKFM_EC_COMPRESS (1U << 25) 399 400 /* 401 * Valid values for mechanism IDs 402 * PKCS11_CKM_<x> reflects CryptoKi client API mechanism IDs CKM_<x>. 403 */ 404 enum pkcs11_mechanism_id { 405 PKCS11_CKM_AES_ECB = 0x01081, 406 }; 407 #endif /*PKCS11_TA_H*/ 408