xref: /optee_os/ta/pkcs11/src/pkcs11_token.h (revision 19cb73dd990d1512b6ca0cc4ecaac1fded4049b0) 
1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*
3  * Copyright (c) 2017-2020, Linaro Limited
4  */
5 #ifndef PKCS11_TA_PKCS11_TOKEN_H
6 #define PKCS11_TA_PKCS11_TOKEN_H
7 
8 #include <sys/queue.h>
9 #include <tee_api_types.h>
10 #include <tee_internal_api.h>
11 #include <utee_defines.h>
12 
13 #include "handle.h"
14 #include "object.h"
15 #include "pkcs11_attributes.h"
16 
17 /* Hard coded description */
18 #define PKCS11_SLOT_DESCRIPTION		"OP-TEE PKCS11 TA"
19 #define PKCS11_SLOT_MANUFACTURER	"Linaro"
20 #define PKCS11_SLOT_HW_VERSION		{ 0, 0 }
21 #define PKCS11_SLOT_FW_VERSION		{ PKCS11_TA_VERSION_MAJOR, \
22 					  PKCS11_TA_VERSION_MINOR }
23 
24 #define PKCS11_TOKEN_LABEL		"OP-TEE PKCS#11 TA token"
25 #define PKCS11_TOKEN_MANUFACTURER	PKCS11_SLOT_MANUFACTURER
26 #define PKCS11_TOKEN_MODEL		"OP-TEE TA"
27 #define PKCS11_TOKEN_HW_VERSION		PKCS11_SLOT_HW_VERSION
28 #define PKCS11_TOKEN_FW_VERSION		PKCS11_SLOT_FW_VERSION
29 
30 enum pkcs11_token_state {
31 	PKCS11_TOKEN_RESET = 0,
32 	PKCS11_TOKEN_READ_WRITE,
33 	PKCS11_TOKEN_READ_ONLY,
34 };
35 
36 TAILQ_HEAD(client_list, pkcs11_client);
37 TAILQ_HEAD(session_list, pkcs11_session);
38 
39 struct pkcs11_client;
40 
41 #define PKCS11_MAX_USERS		2
42 #define PKCS11_TOKEN_PIN_SIZE_MAX	128
43 #define PKCS11_TOKEN_PIN_SIZE_MIN	10
44 #define PKCS11_TOKEN_SO_PIN_COUNT_MAX	7
45 #define PKCS11_TOKEN_USER_PIN_COUNT_MAX	7
46 
47 /*
48  * Persistent state of the token
49  *
50  * @version - currently unused...
51  * @label - pkcs11 formatted token label, set by client
52  * @flags - pkcs11 token flags
53  * @so_pin_count - counter on security officer login failure
54  * @so_pin_salt - stores salt in hash of SO PIN, 0 if not set
55  * @so_pin_hash - stores hash of SO PIN
56  * @user_pin_count - counter on user login failure
57  * @user_pin_salt - stores salt in hash of user PIN, 0 if not set
58  * @user_pin_hash - stores hash of user PIN
59  */
60 struct token_persistent_main {
61 	uint32_t version;
62 	uint8_t label[PKCS11_TOKEN_LABEL_SIZE];
63 	uint32_t flags;
64 	uint32_t so_pin_count;
65 	uint32_t so_pin_salt;
66 	union {
67 		uint8_t so_pin_hash[TEE_MAX_HASH_SIZE];
68 		TEE_Identity so_identity;
69 	};
70 	uint32_t user_pin_count;
71 	uint32_t user_pin_salt;
72 	union {
73 		uint8_t user_pin_hash[TEE_MAX_HASH_SIZE];
74 		TEE_Identity user_identity;
75 	};
76 };
77 
78 /*
79  * Persistent objects in the token
80  *
81  * @count - number of objects stored in the token
82  * @uuids - array of object references/UUIDs (@count items)
83  */
84 struct token_persistent_objs {
85 	uint32_t count;
86 	TEE_UUID uuids[];
87 };
88 
89 /*
90  * Runtime state of the token, complies with pkcs11
91  *
92  * @state - Pkcs11 login is public, user, SO or custom
93  * @session_count - Counter for opened Pkcs11 sessions
94  * @rw_session_count - Count for opened Pkcs11 read/write sessions
95  * @object_list - List of the objects owned by the token
96  * @db_main - Volatile copy of the persistent main database
97  * @db_objs - Volatile copy of the persistent object database
98  */
99 struct ck_token {
100 	enum pkcs11_token_state state;
101 	uint32_t session_count;
102 	uint32_t rw_session_count;
103 	struct object_list object_list;
104 	/* Copy in RAM of the persistent database */
105 	struct token_persistent_main *db_main;
106 	struct token_persistent_objs *db_objs;
107 };
108 
109 /*
110  * A session can enter a processing state (encrypt, decrypt, digest, ...)
111  * only from the initialized state. A session must return the initialized
112  * state (from a processing finalization request) before entering another
113  * processing state.
114  */
115 enum pkcs11_proc_state {
116 	PKCS11_SESSION_READY = 0,		/* No active processing */
117 	PKCS11_SESSION_ENCRYPTING,
118 	PKCS11_SESSION_DECRYPTING,
119 	PKCS11_SESSION_DIGESTING,
120 	PKCS11_SESSION_DIGESTING_ENCRYPTING,	/* case C_DigestEncryptUpdate */
121 	PKCS11_SESSION_DECRYPTING_DIGESTING,	/* case C_DecryptDigestUpdate */
122 	PKCS11_SESSION_SIGNING,
123 	PKCS11_SESSION_SIGNING_ENCRYPTING,	/* case C_SignEncryptUpdate */
124 	PKCS11_SESSION_VERIFYING,
125 	PKCS11_SESSION_DECRYPTING_VERIFYING,	/* case C_DecryptVerifyUpdate */
126 	PKCS11_SESSION_SIGNING_RECOVER,
127 	PKCS11_SESSION_VERIFYING_RECOVER,
128 };
129 
130 /*
131  * Context of the active processing in the session
132  *
133  * @state - ongoing active processing function or ready state
134  * @mecha_type - mechanism type of the active processing
135  * @always_authen - true if user need to login before each use
136  * @relogged - true once client logged since last operation update
137  * @updated - true once an active operation is updated
138  * @tee_op_handle - handle on active crypto operation or TEE_HANDLE_NULL
139  * @extra_ctx - context for the active processing
140  */
141 struct active_processing {
142 	enum pkcs11_proc_state state;
143 	uint32_t mecha_type;
144 	bool always_authen;
145 	bool relogged;
146 	bool updated;
147 	TEE_OperationHandle tee_op_handle;
148 	void *extra_ctx;
149 };
150 
151 /*
152  * Pkcs11 objects search context
153  *
154  * @attributes - matching attributes list searched (null if no search)
155  * @count - number of matching handle found
156  * @handles - array of handle of matching objects
157  * @next - index of the next object handle to return to C_FindObject
158  */
159 struct pkcs11_find_objects {
160 	void *attributes;
161 	size_t count;
162 	uint32_t *handles;
163 	size_t next;
164 };
165 
166 /*
167  * Structure tracking the PKCS#11 sessions
168  *
169  * @link - List of the session belonging to a client
170  * @client - Client the session belongs to
171  * @token - Token this session belongs to
172  * @handle - Identifier of the session published to the client
173  * @object_list - Entry of the session objects list
174  * @object_handle_db - Database for object handles published by the session
175  * @state - R/W SO, R/W user, RO user, R/W public, RO public.
176  * @processing - Reference to initialized processing context if any
177  * @find_ctx - Reference to active search context (null if no active search)
178  */
179 struct pkcs11_session {
180 	TAILQ_ENTRY(pkcs11_session) link;
181 	struct pkcs11_client *client;
182 	struct ck_token *token;
183 	enum pkcs11_mechanism_id handle;
184 	struct object_list object_list;
185 	struct handle_db object_handle_db;
186 	enum pkcs11_session_state state;
187 	struct active_processing *processing;
188 	struct pkcs11_find_objects *find_ctx;
189 };
190 
191 /* Initialize static token instance(s) from default/persistent database */
192 TEE_Result pkcs11_init(void);
193 void pkcs11_deinit(void);
194 
195 /* Speculation safe lookup of token instance from token identifier */
196 struct ck_token *get_token(unsigned int token_id);
197 
198 /* Return token identified from token instance address */
199 unsigned int get_token_id(struct ck_token *token);
200 
201 /* Access to persistent database */
202 struct ck_token *init_persistent_db(unsigned int token_id);
203 void update_persistent_db(struct ck_token *token);
204 void close_persistent_db(struct ck_token *token);
205 
206 enum pkcs11_rc hash_pin(enum pkcs11_user_type user, const uint8_t *pin,
207 			size_t pin_size, uint32_t *salt,
208 			uint8_t hash[TEE_MAX_HASH_SIZE]);
209 enum pkcs11_rc verify_pin(enum pkcs11_user_type user, const uint8_t *pin,
210 			  size_t pin_size, uint32_t salt,
211 			  const uint8_t hash[TEE_MAX_HASH_SIZE]);
212 
213 #if defined(CFG_PKCS11_TA_AUTH_TEE_IDENTITY)
214 enum pkcs11_rc setup_so_identity_auth_from_client(struct ck_token *token);
215 enum pkcs11_rc setup_identity_auth_from_pin(struct ck_token *token,
216 					    enum pkcs11_user_type user_type,
217 					    const uint8_t *pin,
218 					    size_t pin_size);
219 enum pkcs11_rc verify_identity_auth(struct ck_token *token,
220 				    enum pkcs11_user_type user_type);
221 #else
222 static inline enum pkcs11_rc
223 setup_so_identity_auth_from_client(struct ck_token *token __unused)
224 {
225 	return PKCS11_CKR_PIN_INVALID;
226 }
227 
228 static inline enum pkcs11_rc
229 setup_identity_auth_from_pin(struct ck_token *token __unused,
230 			     enum pkcs11_user_type user_type __unused,
231 			     const uint8_t *pin __unused,
232 			     size_t pin_size __unused)
233 {
234 	return PKCS11_CKR_PIN_INVALID;
235 }
236 
237 static inline enum pkcs11_rc
238 verify_identity_auth(struct ck_token *token __unused,
239 		     enum pkcs11_user_type user_type __unused)
240 {
241 	return PKCS11_CKR_PIN_INCORRECT;
242 }
243 #endif /* CFG_PKCS11_TA_AUTH_TEE_IDENTITY */
244 
245 /* Token persistent objects */
246 enum pkcs11_rc create_object_uuid(struct ck_token *token,
247 				  struct pkcs11_object *obj);
248 void destroy_object_uuid(struct ck_token *token, struct pkcs11_object *obj);
249 enum pkcs11_rc unregister_persistent_object(struct ck_token *token,
250 					    TEE_UUID *uuid);
251 enum pkcs11_rc register_persistent_object(struct ck_token *token,
252 					  TEE_UUID *uuid);
253 enum pkcs11_rc get_persistent_objects_list(struct ck_token *token,
254 					   TEE_UUID *array, size_t *size);
255 
256 /*
257  * Pkcs11 session support
258  */
259 struct pkcs11_client *tee_session2client(void *tee_session);
260 struct pkcs11_client *register_client(void);
261 void unregister_client(struct pkcs11_client *client);
262 
263 struct pkcs11_session *pkcs11_handle2session(uint32_t handle,
264 					     struct pkcs11_client *client);
265 
266 static inline bool session_is_active(struct pkcs11_session *session)
267 {
268 	return session->processing;
269 }
270 
271 enum pkcs11_rc set_processing_state(struct pkcs11_session *session,
272 				    enum processing_func function,
273 				    struct pkcs11_object *obj1,
274 				    struct pkcs11_object *obj2);
275 
276 static inline bool pkcs11_session_is_read_write(struct pkcs11_session *session)
277 {
278 	return session->state == PKCS11_CKS_RW_PUBLIC_SESSION ||
279 	       session->state == PKCS11_CKS_RW_USER_FUNCTIONS ||
280 	       session->state == PKCS11_CKS_RW_SO_FUNCTIONS;
281 }
282 
283 static inline bool pkcs11_session_is_public(struct pkcs11_session *session)
284 {
285 	return session->state == PKCS11_CKS_RO_PUBLIC_SESSION ||
286 	       session->state == PKCS11_CKS_RW_PUBLIC_SESSION;
287 }
288 
289 static inline bool pkcs11_session_is_user(struct pkcs11_session *session)
290 {
291 	return session->state == PKCS11_CKS_RO_USER_FUNCTIONS ||
292 	       session->state == PKCS11_CKS_RW_USER_FUNCTIONS;
293 }
294 
295 static inline bool pkcs11_session_is_so(struct pkcs11_session *session)
296 {
297 	return session->state == PKCS11_CKS_RW_SO_FUNCTIONS;
298 }
299 
300 static inline
301 struct object_list *pkcs11_get_session_objects(struct pkcs11_session *session)
302 {
303 	return &session->object_list;
304 }
305 
306 static inline
307 struct ck_token *pkcs11_session2token(struct pkcs11_session *session)
308 {
309 	return session->token;
310 }
311 
312 /* Entry point for the TA commands */
313 enum pkcs11_rc entry_ck_slot_list(uint32_t ptypes, TEE_Param *params);
314 enum pkcs11_rc entry_ck_slot_info(uint32_t ptypes, TEE_Param *params);
315 enum pkcs11_rc entry_ck_token_info(uint32_t ptypes, TEE_Param *params);
316 enum pkcs11_rc entry_ck_token_mecha_ids(uint32_t ptypes, TEE_Param *params);
317 enum pkcs11_rc entry_ck_token_mecha_info(uint32_t ptypes, TEE_Param *params);
318 enum pkcs11_rc entry_ck_open_session(struct pkcs11_client *client,
319 				     uint32_t ptypes, TEE_Param *params);
320 enum pkcs11_rc entry_ck_close_session(struct pkcs11_client *client,
321 				      uint32_t ptypes, TEE_Param *params);
322 enum pkcs11_rc entry_ck_close_all_sessions(struct pkcs11_client *client,
323 					   uint32_t ptypes, TEE_Param *params);
324 enum pkcs11_rc entry_ck_session_info(struct pkcs11_client *client,
325 				     uint32_t ptypes, TEE_Param *params);
326 enum pkcs11_rc entry_ck_token_initialize(uint32_t ptypes, TEE_Param *params);
327 enum pkcs11_rc entry_ck_init_pin(struct pkcs11_client *client,
328 				 uint32_t ptypes, TEE_Param *params);
329 enum pkcs11_rc entry_ck_set_pin(struct pkcs11_client *client,
330 				uint32_t ptypes, TEE_Param *params);
331 enum pkcs11_rc entry_ck_login(struct pkcs11_client *client,
332 			      uint32_t ptypes, TEE_Param *params);
333 enum pkcs11_rc entry_ck_logout(struct pkcs11_client *client,
334 			       uint32_t ptypes, TEE_Param *params);
335 
336 #endif /*PKCS11_TA_PKCS11_TOKEN_H*/
337