1 /* SPDX-License-Identifier: BSD-2-Clause */ 2 /* 3 * Copyright (c) 2017-2020, Linaro Limited 4 */ 5 #ifndef PKCS11_TA_PKCS11_TOKEN_H 6 #define PKCS11_TA_PKCS11_TOKEN_H 7 8 #include <sys/queue.h> 9 #include <tee_api_types.h> 10 #include <tee_internal_api.h> 11 #include <utee_defines.h> 12 13 #include "handle.h" 14 #include "object.h" 15 #include "pkcs11_attributes.h" 16 17 /* Hard coded description */ 18 #define PKCS11_SLOT_DESCRIPTION "OP-TEE PKCS11 TA" 19 #define PKCS11_SLOT_MANUFACTURER "Linaro" 20 #define PKCS11_SLOT_HW_VERSION { 0, 0 } 21 #define PKCS11_SLOT_FW_VERSION { PKCS11_TA_VERSION_MAJOR, \ 22 PKCS11_TA_VERSION_MINOR } 23 24 #define PKCS11_TOKEN_LABEL "OP-TEE PKCS#11 TA token" 25 #define PKCS11_TOKEN_MANUFACTURER PKCS11_SLOT_MANUFACTURER 26 #define PKCS11_TOKEN_MODEL "OP-TEE TA" 27 #define PKCS11_TOKEN_HW_VERSION PKCS11_SLOT_HW_VERSION 28 #define PKCS11_TOKEN_FW_VERSION PKCS11_SLOT_FW_VERSION 29 30 enum pkcs11_token_state { 31 PKCS11_TOKEN_RESET = 0, 32 PKCS11_TOKEN_READ_WRITE, 33 PKCS11_TOKEN_READ_ONLY, 34 }; 35 36 TAILQ_HEAD(client_list, pkcs11_client); 37 TAILQ_HEAD(session_list, pkcs11_session); 38 39 struct pkcs11_client; 40 41 #define PKCS11_MAX_USERS 2 42 #define PKCS11_TOKEN_PIN_SIZE_MAX 128 43 #define PKCS11_TOKEN_PIN_SIZE_MIN 4 44 #define PKCS11_TOKEN_SO_PIN_COUNT_MAX 7 45 #define PKCS11_TOKEN_USER_PIN_COUNT_MAX 7 46 47 /* 48 * Persistent state of the token 49 * 50 * @version - currently unused... 51 * @label - pkcs11 formatted token label, set by client 52 * @flags - pkcs11 token flags 53 * @so_pin_count - counter on security officer login failure 54 * @so_pin_salt - stores salt in hash of SO PIN, 0 if not set 55 * @so_pin_hash - stores hash of SO PIN 56 * @user_pin_count - counter on user login failure 57 * @user_pin_salt - stores salt in hash of user PIN, 0 if not set 58 * @user_pin_hash - stores hash of user PIN 59 */ 60 struct token_persistent_main { 61 uint32_t version; 62 uint8_t label[PKCS11_TOKEN_LABEL_SIZE]; 63 uint32_t flags; 64 uint32_t so_pin_count; 65 uint32_t so_pin_salt; 66 union { 67 uint8_t so_pin_hash[TEE_MAX_HASH_SIZE]; 68 TEE_Identity so_identity; 69 }; 70 uint32_t user_pin_count; 71 uint32_t user_pin_salt; 72 union { 73 uint8_t user_pin_hash[TEE_MAX_HASH_SIZE]; 74 TEE_Identity user_identity; 75 }; 76 }; 77 78 /* 79 * Persistent objects in the token 80 * 81 * @count - number of objects stored in the token 82 * @uuids - array of object references/UUIDs (@count items) 83 */ 84 struct token_persistent_objs { 85 uint32_t count; 86 TEE_UUID uuids[]; 87 }; 88 89 /* 90 * Runtime state of the token, complies with pkcs11 91 * 92 * @state - Pkcs11 login is public, user, SO or custom 93 * @session_count - Counter for opened Pkcs11 sessions 94 * @rw_session_count - Count for opened Pkcs11 read/write sessions 95 * @object_list - List of the objects owned by the token 96 * @db_main - Volatile copy of the persistent main database 97 * @db_objs - Volatile copy of the persistent object database 98 */ 99 struct ck_token { 100 enum pkcs11_token_state state; 101 uint32_t session_count; 102 uint32_t rw_session_count; 103 struct object_list object_list; 104 /* Copy in RAM of the persistent database */ 105 struct token_persistent_main *db_main; 106 struct token_persistent_objs *db_objs; 107 }; 108 109 /* 110 * A session can enter a processing state (encrypt, decrypt, digest, ...) 111 * only from the initialized state. A session must return the initialized 112 * state (from a processing finalization request) before entering another 113 * processing state. 114 */ 115 enum pkcs11_proc_state { 116 PKCS11_SESSION_READY = 0, /* No active processing */ 117 PKCS11_SESSION_ENCRYPTING, 118 PKCS11_SESSION_DECRYPTING, 119 PKCS11_SESSION_DIGESTING, 120 PKCS11_SESSION_DIGESTING_ENCRYPTING, /* case C_DigestEncryptUpdate */ 121 PKCS11_SESSION_DECRYPTING_DIGESTING, /* case C_DecryptDigestUpdate */ 122 PKCS11_SESSION_SIGNING, 123 PKCS11_SESSION_SIGNING_ENCRYPTING, /* case C_SignEncryptUpdate */ 124 PKCS11_SESSION_VERIFYING, 125 PKCS11_SESSION_DECRYPTING_VERIFYING, /* case C_DecryptVerifyUpdate */ 126 PKCS11_SESSION_SIGNING_RECOVER, 127 PKCS11_SESSION_VERIFYING_RECOVER, 128 PKCS11_SESSION_BUSY, 129 }; 130 131 /* 132 * Context of the active processing in the session 133 * 134 * @state - ongoing active processing function or ready state 135 * @mecha_type - mechanism type of the active processing 136 * @always_authen - true if user need to login before each use 137 * @relogged - true once client logged since last operation update 138 * @op_step - last active operation step - update, final or one-shot 139 * @tee_op_handle - handle on active crypto operation or TEE_HANDLE_NULL 140 * @tee_op_handle2 - second handle for specific operations or TEE_HANDLE_NULL 141 * @tee_hash_algo - hash algorithm identifier. 142 * @tee_hash_op_handle - handle on active hashing crypto operation or 143 * TEE_HANDLE_NULL 144 * @extra_ctx - context for the active processing 145 */ 146 struct active_processing { 147 enum pkcs11_proc_state state; 148 uint32_t mecha_type; 149 enum processing_step step; 150 bool always_authen; 151 bool relogged; 152 TEE_OperationHandle tee_op_handle; 153 TEE_OperationHandle tee_op_handle2; 154 uint32_t tee_hash_algo; 155 TEE_OperationHandle tee_hash_op_handle; 156 void *extra_ctx; 157 }; 158 159 /* 160 * Pkcs11 objects search context 161 * 162 * @attributes - matching attributes list searched (null if no search) 163 * @count - number of matching handle found 164 * @handles - array of handle of matching objects 165 * @next - index of the next object handle to return to C_FindObject 166 */ 167 struct pkcs11_find_objects { 168 void *attributes; 169 size_t count; 170 uint32_t *handles; 171 size_t next; 172 }; 173 174 /* 175 * Structure tracking the PKCS#11 sessions 176 * 177 * @link - List of the session belonging to a client 178 * @client - Client the session belongs to 179 * @token - Token this session belongs to 180 * @handle - Identifier of the session published to the client 181 * @object_list - Entry of the session objects list 182 * @state - R/W SO, R/W user, RO user, R/W public, RO public. 183 * @processing - Reference to initialized processing context if any 184 * @find_ctx - Reference to active search context (null if no active search) 185 */ 186 struct pkcs11_session { 187 TAILQ_ENTRY(pkcs11_session) link; 188 struct pkcs11_client *client; 189 struct ck_token *token; 190 enum pkcs11_mechanism_id handle; 191 struct object_list object_list; 192 enum pkcs11_session_state state; 193 struct active_processing *processing; 194 struct pkcs11_find_objects *find_ctx; 195 }; 196 197 /* Initialize static token instance(s) from default/persistent database */ 198 TEE_Result pkcs11_init(void); 199 void pkcs11_deinit(void); 200 201 /* Speculation safe lookup of token instance from token identifier */ 202 struct ck_token *get_token(unsigned int token_id); 203 204 /* Return token identified from token instance address */ 205 unsigned int get_token_id(struct ck_token *token); 206 207 /* Return client's (shared) object handle database associated with session */ 208 struct handle_db *get_object_handle_db(struct pkcs11_session *session); 209 210 /* Access to persistent database */ 211 struct ck_token *init_persistent_db(unsigned int token_id); 212 void update_persistent_db(struct ck_token *token); 213 void close_persistent_db(struct ck_token *token); 214 215 /* Load and release persistent object attributes in memory */ 216 enum pkcs11_rc load_persistent_object_attributes(struct pkcs11_object *obj); 217 void release_persistent_object_attributes(struct pkcs11_object *obj); 218 enum pkcs11_rc update_persistent_object_attributes(struct pkcs11_object *obj); 219 220 enum pkcs11_rc hash_pin(enum pkcs11_user_type user, const uint8_t *pin, 221 size_t pin_size, uint32_t *salt, 222 uint8_t hash[TEE_MAX_HASH_SIZE]); 223 enum pkcs11_rc verify_pin(enum pkcs11_user_type user, const uint8_t *pin, 224 size_t pin_size, uint32_t salt, 225 const uint8_t hash[TEE_MAX_HASH_SIZE]); 226 227 #if defined(CFG_PKCS11_TA_AUTH_TEE_IDENTITY) 228 enum pkcs11_rc setup_so_identity_auth_from_client(struct ck_token *token); 229 enum pkcs11_rc setup_identity_auth_from_pin(struct ck_token *token, 230 enum pkcs11_user_type user_type, 231 const uint8_t *pin, 232 size_t pin_size); 233 enum pkcs11_rc verify_identity_auth(struct ck_token *token, 234 enum pkcs11_user_type user_type); 235 #else 236 static inline enum pkcs11_rc 237 setup_so_identity_auth_from_client(struct ck_token *token __unused) 238 { 239 return PKCS11_CKR_PIN_INVALID; 240 } 241 242 static inline enum pkcs11_rc 243 setup_identity_auth_from_pin(struct ck_token *token __unused, 244 enum pkcs11_user_type user_type __unused, 245 const uint8_t *pin __unused, 246 size_t pin_size __unused) 247 { 248 return PKCS11_CKR_PIN_INVALID; 249 } 250 251 static inline enum pkcs11_rc 252 verify_identity_auth(struct ck_token *token __unused, 253 enum pkcs11_user_type user_type __unused) 254 { 255 return PKCS11_CKR_PIN_INCORRECT; 256 } 257 #endif /* CFG_PKCS11_TA_AUTH_TEE_IDENTITY */ 258 259 /* Token persistent objects */ 260 enum pkcs11_rc create_object_uuid(struct ck_token *token, 261 struct pkcs11_object *obj); 262 void destroy_object_uuid(struct ck_token *token, struct pkcs11_object *obj); 263 enum pkcs11_rc unregister_persistent_object(struct ck_token *token, 264 TEE_UUID *uuid); 265 enum pkcs11_rc register_persistent_object(struct ck_token *token, 266 TEE_UUID *uuid); 267 enum pkcs11_rc get_persistent_objects_list(struct ck_token *token, 268 TEE_UUID *array, size_t *size); 269 270 /* 271 * Pkcs11 session support 272 */ 273 struct session_list *get_session_list(struct pkcs11_session *session); 274 struct pkcs11_client *tee_session2client(void *tee_session); 275 struct pkcs11_client *register_client(void); 276 void unregister_client(struct pkcs11_client *client); 277 278 struct pkcs11_session *pkcs11_handle2session(uint32_t handle, 279 struct pkcs11_client *client); 280 281 static inline bool session_is_active(struct pkcs11_session *session) 282 { 283 return session->processing; 284 } 285 286 enum pkcs11_rc set_processing_state(struct pkcs11_session *session, 287 enum processing_func function, 288 struct pkcs11_object *obj1, 289 struct pkcs11_object *obj2); 290 291 static inline bool pkcs11_session_is_read_write(struct pkcs11_session *session) 292 { 293 return session->state == PKCS11_CKS_RW_PUBLIC_SESSION || 294 session->state == PKCS11_CKS_RW_USER_FUNCTIONS || 295 session->state == PKCS11_CKS_RW_SO_FUNCTIONS; 296 } 297 298 static inline bool pkcs11_session_is_public(struct pkcs11_session *session) 299 { 300 return session->state == PKCS11_CKS_RO_PUBLIC_SESSION || 301 session->state == PKCS11_CKS_RW_PUBLIC_SESSION; 302 } 303 304 static inline bool pkcs11_session_is_user(struct pkcs11_session *session) 305 { 306 return session->state == PKCS11_CKS_RO_USER_FUNCTIONS || 307 session->state == PKCS11_CKS_RW_USER_FUNCTIONS; 308 } 309 310 static inline bool pkcs11_session_is_so(struct pkcs11_session *session) 311 { 312 return session->state == PKCS11_CKS_RW_SO_FUNCTIONS; 313 } 314 315 static inline 316 struct object_list *pkcs11_get_session_objects(struct pkcs11_session *session) 317 { 318 return &session->object_list; 319 } 320 321 static inline 322 struct ck_token *pkcs11_session2token(struct pkcs11_session *session) 323 { 324 return session->token; 325 } 326 327 /* Invalidate any handle referring the object since the object no more exists */ 328 void token_invalidate_object_handles(struct pkcs11_object *obj); 329 330 /* Entry point for the TA commands */ 331 enum pkcs11_rc entry_ck_slot_list(uint32_t ptypes, TEE_Param *params); 332 enum pkcs11_rc entry_ck_slot_info(uint32_t ptypes, TEE_Param *params); 333 enum pkcs11_rc entry_ck_token_info(uint32_t ptypes, TEE_Param *params); 334 enum pkcs11_rc entry_ck_token_mecha_ids(uint32_t ptypes, TEE_Param *params); 335 enum pkcs11_rc entry_ck_token_mecha_info(uint32_t ptypes, TEE_Param *params); 336 enum pkcs11_rc entry_ck_open_session(struct pkcs11_client *client, 337 uint32_t ptypes, TEE_Param *params); 338 enum pkcs11_rc entry_ck_close_session(struct pkcs11_client *client, 339 uint32_t ptypes, TEE_Param *params); 340 enum pkcs11_rc entry_ck_close_all_sessions(struct pkcs11_client *client, 341 uint32_t ptypes, TEE_Param *params); 342 enum pkcs11_rc entry_ck_session_info(struct pkcs11_client *client, 343 uint32_t ptypes, TEE_Param *params); 344 enum pkcs11_rc entry_ck_token_initialize(uint32_t ptypes, TEE_Param *params); 345 enum pkcs11_rc entry_ck_init_pin(struct pkcs11_client *client, 346 uint32_t ptypes, TEE_Param *params); 347 enum pkcs11_rc entry_ck_set_pin(struct pkcs11_client *client, 348 uint32_t ptypes, TEE_Param *params); 349 enum pkcs11_rc entry_ck_login(struct pkcs11_client *client, 350 uint32_t ptypes, TEE_Param *params); 351 enum pkcs11_rc entry_ck_logout(struct pkcs11_client *client, 352 uint32_t ptypes, TEE_Param *params); 353 enum pkcs11_rc entry_ck_seed_random(struct pkcs11_client *client, 354 uint32_t ptypes, TEE_Param *params); 355 enum pkcs11_rc entry_ck_generate_random(struct pkcs11_client *client, 356 uint32_t ptypes, TEE_Param *params); 357 358 #endif /*PKCS11_TA_PKCS11_TOKEN_H*/ 359