1 /* SPDX-License-Identifier: BSD-2-Clause */ 2 /* 3 * Copyright (c) 2017-2020, Linaro Limited 4 */ 5 #ifndef PKCS11_TA_PKCS11_TOKEN_H 6 #define PKCS11_TA_PKCS11_TOKEN_H 7 8 #include <sys/queue.h> 9 #include <tee_api_types.h> 10 #include <tee_internal_api.h> 11 #include <utee_defines.h> 12 13 #include "handle.h" 14 #include "object.h" 15 #include "pkcs11_attributes.h" 16 17 /* Hard coded description */ 18 #define PKCS11_SLOT_DESCRIPTION "OP-TEE PKCS11 TA" 19 #define PKCS11_SLOT_MANUFACTURER "Linaro" 20 #define PKCS11_SLOT_HW_VERSION { 0, 0 } 21 #define PKCS11_SLOT_FW_VERSION { PKCS11_TA_VERSION_MAJOR, \ 22 PKCS11_TA_VERSION_MINOR } 23 24 #define PKCS11_TOKEN_LABEL "OP-TEE PKCS#11 TA token" 25 #define PKCS11_TOKEN_MANUFACTURER PKCS11_SLOT_MANUFACTURER 26 #define PKCS11_TOKEN_MODEL "OP-TEE TA" 27 #define PKCS11_TOKEN_HW_VERSION PKCS11_SLOT_HW_VERSION 28 #define PKCS11_TOKEN_FW_VERSION PKCS11_SLOT_FW_VERSION 29 30 enum pkcs11_token_state { 31 PKCS11_TOKEN_RESET = 0, 32 PKCS11_TOKEN_READ_WRITE, 33 PKCS11_TOKEN_READ_ONLY, 34 }; 35 36 TAILQ_HEAD(client_list, pkcs11_client); 37 TAILQ_HEAD(session_list, pkcs11_session); 38 39 struct pkcs11_client; 40 41 #define PKCS11_MAX_USERS 2 42 #define PKCS11_TOKEN_PIN_SIZE_MAX 128 43 #define PKCS11_TOKEN_PIN_SIZE_MIN 10 44 #define PKCS11_TOKEN_SO_PIN_COUNT_MAX 7 45 #define PKCS11_TOKEN_USER_PIN_COUNT_MAX 7 46 47 /* 48 * Persistent state of the token 49 * 50 * @version - currently unused... 51 * @label - pkcs11 formatted token label, set by client 52 * @flags - pkcs11 token flags 53 * @so_pin_count - counter on security officer login failure 54 * @so_pin_salt - stores salt in hash of SO PIN, 0 if not set 55 * @so_pin_hash - stores hash of SO PIN 56 * @user_pin_count - counter on user login failure 57 * @user_pin_salt - stores salt in hash of user PIN, 0 if not set 58 * @user_pin_hash - stores hash of user PIN 59 */ 60 struct token_persistent_main { 61 uint32_t version; 62 uint8_t label[PKCS11_TOKEN_LABEL_SIZE]; 63 uint32_t flags; 64 uint32_t so_pin_count; 65 uint32_t so_pin_salt; 66 union { 67 uint8_t so_pin_hash[TEE_MAX_HASH_SIZE]; 68 TEE_Identity so_identity; 69 }; 70 uint32_t user_pin_count; 71 uint32_t user_pin_salt; 72 union { 73 uint8_t user_pin_hash[TEE_MAX_HASH_SIZE]; 74 TEE_Identity user_identity; 75 }; 76 }; 77 78 /* 79 * Persistent objects in the token 80 * 81 * @count - number of objects stored in the token 82 * @uuids - array of object references/UUIDs (@count items) 83 */ 84 struct token_persistent_objs { 85 uint32_t count; 86 TEE_UUID uuids[]; 87 }; 88 89 /* 90 * Runtime state of the token, complies with pkcs11 91 * 92 * @state - Pkcs11 login is public, user, SO or custom 93 * @session_count - Counter for opened Pkcs11 sessions 94 * @rw_session_count - Count for opened Pkcs11 read/write sessions 95 * @object_list - List of the objects owned by the token 96 * @db_main - Volatile copy of the persistent main database 97 * @db_objs - Volatile copy of the persistent object database 98 */ 99 struct ck_token { 100 enum pkcs11_token_state state; 101 uint32_t session_count; 102 uint32_t rw_session_count; 103 struct object_list object_list; 104 /* Copy in RAM of the persistent database */ 105 struct token_persistent_main *db_main; 106 struct token_persistent_objs *db_objs; 107 }; 108 109 /* 110 * A session can enter a processing state (encrypt, decrypt, digest, ...) 111 * only from the initialized state. A session must return the initialized 112 * state (from a processing finalization request) before entering another 113 * processing state. 114 */ 115 enum pkcs11_proc_state { 116 PKCS11_SESSION_READY = 0, /* No active processing */ 117 PKCS11_SESSION_ENCRYPTING, 118 PKCS11_SESSION_DECRYPTING, 119 PKCS11_SESSION_DIGESTING, 120 PKCS11_SESSION_DIGESTING_ENCRYPTING, /* case C_DigestEncryptUpdate */ 121 PKCS11_SESSION_DECRYPTING_DIGESTING, /* case C_DecryptDigestUpdate */ 122 PKCS11_SESSION_SIGNING, 123 PKCS11_SESSION_SIGNING_ENCRYPTING, /* case C_SignEncryptUpdate */ 124 PKCS11_SESSION_VERIFYING, 125 PKCS11_SESSION_DECRYPTING_VERIFYING, /* case C_DecryptVerifyUpdate */ 126 PKCS11_SESSION_SIGNING_RECOVER, 127 PKCS11_SESSION_VERIFYING_RECOVER, 128 }; 129 130 /* 131 * Context of the active processing in the session 132 * 133 * @state - ongoing active processing function or ready state 134 * @mecha_type - mechanism type of the active processing 135 * @always_authen - true if user need to login before each use 136 * @relogged - true once client logged since last operation update 137 * @updated - true once an active operation is updated 138 * @tee_op_handle - handle on active crypto operation or TEE_HANDLE_NULL 139 * @extra_ctx - context for the active processing 140 */ 141 struct active_processing { 142 enum pkcs11_proc_state state; 143 uint32_t mecha_type; 144 bool always_authen; 145 bool relogged; 146 bool updated; 147 TEE_OperationHandle tee_op_handle; 148 void *extra_ctx; 149 }; 150 151 /* 152 * Structure tracking the PKCS#11 sessions 153 * 154 * @link - List of the session belonging to a client 155 * @client - Client the session belongs to 156 * @token - Token this session belongs to 157 * @handle - Identifier of the session published to the client 158 * @object_list - Entry of the session objects list 159 * @object_handle_db - Database for object handles published by the session 160 * @state - R/W SO, R/W user, RO user, R/W public, RO public. 161 * @processing - Reference to initialized processing context if any 162 */ 163 struct pkcs11_session { 164 TAILQ_ENTRY(pkcs11_session) link; 165 struct pkcs11_client *client; 166 struct ck_token *token; 167 enum pkcs11_mechanism_id handle; 168 struct object_list object_list; 169 struct handle_db object_handle_db; 170 enum pkcs11_session_state state; 171 struct active_processing *processing; 172 }; 173 174 /* Initialize static token instance(s) from default/persistent database */ 175 TEE_Result pkcs11_init(void); 176 void pkcs11_deinit(void); 177 178 /* Speculation safe lookup of token instance from token identifier */ 179 struct ck_token *get_token(unsigned int token_id); 180 181 /* Return token identified from token instance address */ 182 unsigned int get_token_id(struct ck_token *token); 183 184 /* Access to persistent database */ 185 struct ck_token *init_persistent_db(unsigned int token_id); 186 void update_persistent_db(struct ck_token *token); 187 void close_persistent_db(struct ck_token *token); 188 189 enum pkcs11_rc hash_pin(enum pkcs11_user_type user, const uint8_t *pin, 190 size_t pin_size, uint32_t *salt, 191 uint8_t hash[TEE_MAX_HASH_SIZE]); 192 enum pkcs11_rc verify_pin(enum pkcs11_user_type user, const uint8_t *pin, 193 size_t pin_size, uint32_t salt, 194 const uint8_t hash[TEE_MAX_HASH_SIZE]); 195 196 #if defined(CFG_PKCS11_TA_AUTH_TEE_IDENTITY) 197 enum pkcs11_rc setup_so_identity_auth_from_client(struct ck_token *token); 198 enum pkcs11_rc setup_identity_auth_from_pin(struct ck_token *token, 199 enum pkcs11_user_type user_type, 200 const uint8_t *pin, 201 size_t pin_size); 202 enum pkcs11_rc verify_identity_auth(struct ck_token *token, 203 enum pkcs11_user_type user_type); 204 #else 205 static inline enum pkcs11_rc 206 setup_so_identity_auth_from_client(struct ck_token *token __unused) 207 { 208 return PKCS11_CKR_PIN_INVALID; 209 } 210 211 static inline enum pkcs11_rc 212 setup_identity_auth_from_pin(struct ck_token *token __unused, 213 enum pkcs11_user_type user_type __unused, 214 const uint8_t *pin __unused, 215 size_t pin_size __unused) 216 { 217 return PKCS11_CKR_PIN_INVALID; 218 } 219 220 static inline enum pkcs11_rc 221 verify_identity_auth(struct ck_token *token __unused, 222 enum pkcs11_user_type user_type __unused) 223 { 224 return PKCS11_CKR_PIN_INCORRECT; 225 } 226 #endif /* CFG_PKCS11_TA_AUTH_TEE_IDENTITY */ 227 228 /* Token persistent objects */ 229 enum pkcs11_rc create_object_uuid(struct ck_token *token, 230 struct pkcs11_object *obj); 231 void destroy_object_uuid(struct ck_token *token, struct pkcs11_object *obj); 232 enum pkcs11_rc unregister_persistent_object(struct ck_token *token, 233 TEE_UUID *uuid); 234 enum pkcs11_rc register_persistent_object(struct ck_token *token, 235 TEE_UUID *uuid); 236 enum pkcs11_rc get_persistent_objects_list(struct ck_token *token, 237 TEE_UUID *array, size_t *size); 238 239 /* 240 * Pkcs11 session support 241 */ 242 struct pkcs11_client *tee_session2client(void *tee_session); 243 struct pkcs11_client *register_client(void); 244 void unregister_client(struct pkcs11_client *client); 245 246 struct pkcs11_session *pkcs11_handle2session(uint32_t handle, 247 struct pkcs11_client *client); 248 249 static inline bool session_is_active(struct pkcs11_session *session) 250 { 251 return session->processing; 252 } 253 254 enum pkcs11_rc set_processing_state(struct pkcs11_session *session, 255 enum processing_func function, 256 struct pkcs11_object *obj1, 257 struct pkcs11_object *obj2); 258 259 static inline bool pkcs11_session_is_read_write(struct pkcs11_session *session) 260 { 261 return session->state == PKCS11_CKS_RW_PUBLIC_SESSION || 262 session->state == PKCS11_CKS_RW_USER_FUNCTIONS || 263 session->state == PKCS11_CKS_RW_SO_FUNCTIONS; 264 } 265 266 static inline bool pkcs11_session_is_public(struct pkcs11_session *session) 267 { 268 return session->state == PKCS11_CKS_RO_PUBLIC_SESSION || 269 session->state == PKCS11_CKS_RW_PUBLIC_SESSION; 270 } 271 272 static inline bool pkcs11_session_is_user(struct pkcs11_session *session) 273 { 274 return session->state == PKCS11_CKS_RO_USER_FUNCTIONS || 275 session->state == PKCS11_CKS_RW_USER_FUNCTIONS; 276 } 277 278 static inline bool pkcs11_session_is_so(struct pkcs11_session *session) 279 { 280 return session->state == PKCS11_CKS_RW_SO_FUNCTIONS; 281 } 282 283 static inline 284 struct object_list *pkcs11_get_session_objects(struct pkcs11_session *session) 285 { 286 return &session->object_list; 287 } 288 289 static inline 290 struct ck_token *pkcs11_session2token(struct pkcs11_session *session) 291 { 292 return session->token; 293 } 294 295 /* Entry point for the TA commands */ 296 enum pkcs11_rc entry_ck_slot_list(uint32_t ptypes, TEE_Param *params); 297 enum pkcs11_rc entry_ck_slot_info(uint32_t ptypes, TEE_Param *params); 298 enum pkcs11_rc entry_ck_token_info(uint32_t ptypes, TEE_Param *params); 299 enum pkcs11_rc entry_ck_token_mecha_ids(uint32_t ptypes, TEE_Param *params); 300 enum pkcs11_rc entry_ck_token_mecha_info(uint32_t ptypes, TEE_Param *params); 301 enum pkcs11_rc entry_ck_open_session(struct pkcs11_client *client, 302 uint32_t ptypes, TEE_Param *params); 303 enum pkcs11_rc entry_ck_close_session(struct pkcs11_client *client, 304 uint32_t ptypes, TEE_Param *params); 305 enum pkcs11_rc entry_ck_close_all_sessions(struct pkcs11_client *client, 306 uint32_t ptypes, TEE_Param *params); 307 enum pkcs11_rc entry_ck_session_info(struct pkcs11_client *client, 308 uint32_t ptypes, TEE_Param *params); 309 enum pkcs11_rc entry_ck_token_initialize(uint32_t ptypes, TEE_Param *params); 310 enum pkcs11_rc entry_ck_init_pin(struct pkcs11_client *client, 311 uint32_t ptypes, TEE_Param *params); 312 enum pkcs11_rc entry_ck_set_pin(struct pkcs11_client *client, 313 uint32_t ptypes, TEE_Param *params); 314 enum pkcs11_rc entry_ck_login(struct pkcs11_client *client, 315 uint32_t ptypes, TEE_Param *params); 316 enum pkcs11_rc entry_ck_logout(struct pkcs11_client *client, 317 uint32_t ptypes, TEE_Param *params); 318 319 #endif /*PKCS11_TA_PKCS11_TOKEN_H*/ 320