1 /* SPDX-License-Identifier: BSD-2-Clause */ 2 /* 3 * Copyright (c) 2017-2020, Linaro Limited 4 */ 5 #ifndef PKCS11_TA_PKCS11_TOKEN_H 6 #define PKCS11_TA_PKCS11_TOKEN_H 7 8 #include <sys/queue.h> 9 #include <tee_api_types.h> 10 #include <tee_internal_api.h> 11 #include <utee_defines.h> 12 13 #include "handle.h" 14 #include "object.h" 15 #include "pkcs11_attributes.h" 16 17 /* Hard coded description */ 18 #define PKCS11_SLOT_DESCRIPTION "OP-TEE PKCS11 TA" 19 #define PKCS11_SLOT_MANUFACTURER "Linaro" 20 #define PKCS11_SLOT_HW_VERSION { 0, 0 } 21 #define PKCS11_SLOT_FW_VERSION { PKCS11_TA_VERSION_MAJOR, \ 22 PKCS11_TA_VERSION_MINOR } 23 24 #define PKCS11_TOKEN_LABEL "OP-TEE PKCS#11 TA token" 25 #define PKCS11_TOKEN_MANUFACTURER PKCS11_SLOT_MANUFACTURER 26 #define PKCS11_TOKEN_MODEL "OP-TEE TA" 27 #define PKCS11_TOKEN_HW_VERSION PKCS11_SLOT_HW_VERSION 28 #define PKCS11_TOKEN_FW_VERSION PKCS11_SLOT_FW_VERSION 29 30 enum pkcs11_token_state { 31 PKCS11_TOKEN_RESET = 0, 32 PKCS11_TOKEN_READ_WRITE, 33 PKCS11_TOKEN_READ_ONLY, 34 }; 35 36 TAILQ_HEAD(client_list, pkcs11_client); 37 TAILQ_HEAD(session_list, pkcs11_session); 38 39 struct pkcs11_client; 40 41 #define PKCS11_MAX_USERS 2 42 #define PKCS11_TOKEN_PIN_SIZE_MAX 128 43 #define PKCS11_TOKEN_PIN_SIZE_MIN 4 44 #define PKCS11_TOKEN_SO_PIN_COUNT_MAX 7 45 #define PKCS11_TOKEN_USER_PIN_COUNT_MAX 7 46 47 /* 48 * Persistent state of the token 49 * 50 * @version - currently unused... 51 * @label - pkcs11 formatted token label, set by client 52 * @flags - pkcs11 token flags 53 * @so_pin_count - counter on security officer login failure 54 * @so_pin_salt - stores salt in hash of SO PIN, 0 if not set 55 * @so_pin_hash - stores hash of SO PIN 56 * @user_pin_count - counter on user login failure 57 * @user_pin_salt - stores salt in hash of user PIN, 0 if not set 58 * @user_pin_hash - stores hash of user PIN 59 */ 60 struct token_persistent_main { 61 uint32_t version; 62 uint8_t label[PKCS11_TOKEN_LABEL_SIZE]; 63 uint32_t flags; 64 uint32_t so_pin_count; 65 uint32_t so_pin_salt; 66 union { 67 uint8_t so_pin_hash[TEE_MAX_HASH_SIZE]; 68 TEE_Identity so_identity; 69 }; 70 uint32_t user_pin_count; 71 uint32_t user_pin_salt; 72 union { 73 uint8_t user_pin_hash[TEE_MAX_HASH_SIZE]; 74 TEE_Identity user_identity; 75 }; 76 }; 77 78 /* 79 * Persistent objects in the token 80 * 81 * @count - number of objects stored in the token 82 * @uuids - array of object references/UUIDs (@count items) 83 */ 84 struct token_persistent_objs { 85 uint32_t count; 86 TEE_UUID uuids[]; 87 }; 88 89 /* 90 * Runtime state of the token, complies with pkcs11 91 * 92 * @state - Pkcs11 login is public, user, SO or custom 93 * @session_count - Counter for opened Pkcs11 sessions 94 * @rw_session_count - Count for opened Pkcs11 read/write sessions 95 * @object_list - List of the objects owned by the token 96 * @db_main - Volatile copy of the persistent main database 97 * @db_objs - Volatile copy of the persistent object database 98 */ 99 struct ck_token { 100 enum pkcs11_token_state state; 101 uint32_t session_count; 102 uint32_t rw_session_count; 103 struct object_list object_list; 104 /* Copy in RAM of the persistent database */ 105 struct token_persistent_main *db_main; 106 struct token_persistent_objs *db_objs; 107 }; 108 109 /* 110 * A session can enter a processing state (encrypt, decrypt, digest, ...) 111 * only from the initialized state. A session must return the initialized 112 * state (from a processing finalization request) before entering another 113 * processing state. 114 */ 115 enum pkcs11_proc_state { 116 PKCS11_SESSION_READY = 0, /* No active processing */ 117 PKCS11_SESSION_ENCRYPTING, 118 PKCS11_SESSION_DECRYPTING, 119 PKCS11_SESSION_DIGESTING, 120 PKCS11_SESSION_DIGESTING_ENCRYPTING, /* case C_DigestEncryptUpdate */ 121 PKCS11_SESSION_DECRYPTING_DIGESTING, /* case C_DecryptDigestUpdate */ 122 PKCS11_SESSION_SIGNING, 123 PKCS11_SESSION_SIGNING_ENCRYPTING, /* case C_SignEncryptUpdate */ 124 PKCS11_SESSION_VERIFYING, 125 PKCS11_SESSION_DECRYPTING_VERIFYING, /* case C_DecryptVerifyUpdate */ 126 PKCS11_SESSION_SIGNING_RECOVER, 127 PKCS11_SESSION_VERIFYING_RECOVER, 128 PKCS11_SESSION_BUSY, 129 }; 130 131 /* 132 * Context of the active processing in the session 133 * 134 * @state - ongoing active processing function or ready state 135 * @mecha_type - mechanism type of the active processing 136 * @always_authen - true if user need to login before each use 137 * @relogged - true once client logged since last operation update 138 * @op_step - last active operation step - update, final or one-shot 139 * @tee_op_handle - handle on active crypto operation or TEE_HANDLE_NULL 140 * @tee_op_handle2 - second handle for specific operations or TEE_HANDLE_NULL 141 * @tee_hash_algo - hash algorithm identifier. 142 * @extra_ctx - context for the active processing 143 */ 144 struct active_processing { 145 enum pkcs11_proc_state state; 146 uint32_t mecha_type; 147 enum processing_step step; 148 bool always_authen; 149 bool relogged; 150 TEE_OperationHandle tee_op_handle; 151 TEE_OperationHandle tee_op_handle2; 152 uint32_t tee_hash_algo; 153 void *extra_ctx; 154 }; 155 156 /* 157 * Pkcs11 objects search context 158 * 159 * @attributes - matching attributes list searched (null if no search) 160 * @count - number of matching handle found 161 * @handles - array of handle of matching objects 162 * @next - index of the next object handle to return to C_FindObject 163 */ 164 struct pkcs11_find_objects { 165 void *attributes; 166 size_t count; 167 uint32_t *handles; 168 size_t next; 169 }; 170 171 /* 172 * Structure tracking the PKCS#11 sessions 173 * 174 * @link - List of the session belonging to a client 175 * @client - Client the session belongs to 176 * @token - Token this session belongs to 177 * @handle - Identifier of the session published to the client 178 * @object_list - Entry of the session objects list 179 * @state - R/W SO, R/W user, RO user, R/W public, RO public. 180 * @processing - Reference to initialized processing context if any 181 * @find_ctx - Reference to active search context (null if no active search) 182 */ 183 struct pkcs11_session { 184 TAILQ_ENTRY(pkcs11_session) link; 185 struct pkcs11_client *client; 186 struct ck_token *token; 187 enum pkcs11_mechanism_id handle; 188 struct object_list object_list; 189 enum pkcs11_session_state state; 190 struct active_processing *processing; 191 struct pkcs11_find_objects *find_ctx; 192 }; 193 194 /* Initialize static token instance(s) from default/persistent database */ 195 TEE_Result pkcs11_init(void); 196 void pkcs11_deinit(void); 197 198 /* Speculation safe lookup of token instance from token identifier */ 199 struct ck_token *get_token(unsigned int token_id); 200 201 /* Return token identified from token instance address */ 202 unsigned int get_token_id(struct ck_token *token); 203 204 /* Return client's (shared) object handle database associated with session */ 205 struct handle_db *get_object_handle_db(struct pkcs11_session *session); 206 207 /* Access to persistent database */ 208 struct ck_token *init_persistent_db(unsigned int token_id); 209 void update_persistent_db(struct ck_token *token); 210 void close_persistent_db(struct ck_token *token); 211 212 /* Load and release persistent object attributes in memory */ 213 enum pkcs11_rc load_persistent_object_attributes(struct pkcs11_object *obj); 214 void release_persistent_object_attributes(struct pkcs11_object *obj); 215 enum pkcs11_rc update_persistent_object_attributes(struct pkcs11_object *obj); 216 217 enum pkcs11_rc hash_pin(enum pkcs11_user_type user, const uint8_t *pin, 218 size_t pin_size, uint32_t *salt, 219 uint8_t hash[TEE_MAX_HASH_SIZE]); 220 enum pkcs11_rc verify_pin(enum pkcs11_user_type user, const uint8_t *pin, 221 size_t pin_size, uint32_t salt, 222 const uint8_t hash[TEE_MAX_HASH_SIZE]); 223 224 #if defined(CFG_PKCS11_TA_AUTH_TEE_IDENTITY) 225 enum pkcs11_rc setup_so_identity_auth_from_client(struct ck_token *token); 226 enum pkcs11_rc setup_identity_auth_from_pin(struct ck_token *token, 227 enum pkcs11_user_type user_type, 228 const uint8_t *pin, 229 size_t pin_size); 230 enum pkcs11_rc verify_identity_auth(struct ck_token *token, 231 enum pkcs11_user_type user_type); 232 #else 233 static inline enum pkcs11_rc 234 setup_so_identity_auth_from_client(struct ck_token *token __unused) 235 { 236 return PKCS11_CKR_PIN_INVALID; 237 } 238 239 static inline enum pkcs11_rc 240 setup_identity_auth_from_pin(struct ck_token *token __unused, 241 enum pkcs11_user_type user_type __unused, 242 const uint8_t *pin __unused, 243 size_t pin_size __unused) 244 { 245 return PKCS11_CKR_PIN_INVALID; 246 } 247 248 static inline enum pkcs11_rc 249 verify_identity_auth(struct ck_token *token __unused, 250 enum pkcs11_user_type user_type __unused) 251 { 252 return PKCS11_CKR_PIN_INCORRECT; 253 } 254 #endif /* CFG_PKCS11_TA_AUTH_TEE_IDENTITY */ 255 256 /* Token persistent objects */ 257 enum pkcs11_rc create_object_uuid(struct ck_token *token, 258 struct pkcs11_object *obj); 259 void destroy_object_uuid(struct ck_token *token, struct pkcs11_object *obj); 260 enum pkcs11_rc unregister_persistent_object(struct ck_token *token, 261 TEE_UUID *uuid); 262 enum pkcs11_rc register_persistent_object(struct ck_token *token, 263 TEE_UUID *uuid); 264 enum pkcs11_rc get_persistent_objects_list(struct ck_token *token, 265 TEE_UUID *array, size_t *size); 266 267 /* 268 * Pkcs11 session support 269 */ 270 struct session_list *get_session_list(struct pkcs11_session *session); 271 struct pkcs11_client *tee_session2client(void *tee_session); 272 struct pkcs11_client *register_client(void); 273 void unregister_client(struct pkcs11_client *client); 274 275 struct pkcs11_session *pkcs11_handle2session(uint32_t handle, 276 struct pkcs11_client *client); 277 278 static inline bool session_is_active(struct pkcs11_session *session) 279 { 280 return session->processing; 281 } 282 283 enum pkcs11_rc set_processing_state(struct pkcs11_session *session, 284 enum processing_func function, 285 struct pkcs11_object *obj1, 286 struct pkcs11_object *obj2); 287 288 static inline bool pkcs11_session_is_read_write(struct pkcs11_session *session) 289 { 290 return session->state == PKCS11_CKS_RW_PUBLIC_SESSION || 291 session->state == PKCS11_CKS_RW_USER_FUNCTIONS || 292 session->state == PKCS11_CKS_RW_SO_FUNCTIONS; 293 } 294 295 static inline bool pkcs11_session_is_public(struct pkcs11_session *session) 296 { 297 return session->state == PKCS11_CKS_RO_PUBLIC_SESSION || 298 session->state == PKCS11_CKS_RW_PUBLIC_SESSION; 299 } 300 301 static inline bool pkcs11_session_is_user(struct pkcs11_session *session) 302 { 303 return session->state == PKCS11_CKS_RO_USER_FUNCTIONS || 304 session->state == PKCS11_CKS_RW_USER_FUNCTIONS; 305 } 306 307 static inline bool pkcs11_session_is_so(struct pkcs11_session *session) 308 { 309 return session->state == PKCS11_CKS_RW_SO_FUNCTIONS; 310 } 311 312 static inline 313 struct object_list *pkcs11_get_session_objects(struct pkcs11_session *session) 314 { 315 return &session->object_list; 316 } 317 318 static inline 319 struct ck_token *pkcs11_session2token(struct pkcs11_session *session) 320 { 321 return session->token; 322 } 323 324 /* Invalidate any handle referring the object since the object no more exists */ 325 void token_invalidate_object_handles(struct pkcs11_object *obj); 326 327 /* Entry point for the TA commands */ 328 enum pkcs11_rc entry_ck_slot_list(uint32_t ptypes, TEE_Param *params); 329 enum pkcs11_rc entry_ck_slot_info(uint32_t ptypes, TEE_Param *params); 330 enum pkcs11_rc entry_ck_token_info(uint32_t ptypes, TEE_Param *params); 331 enum pkcs11_rc entry_ck_token_mecha_ids(uint32_t ptypes, TEE_Param *params); 332 enum pkcs11_rc entry_ck_token_mecha_info(uint32_t ptypes, TEE_Param *params); 333 enum pkcs11_rc entry_ck_open_session(struct pkcs11_client *client, 334 uint32_t ptypes, TEE_Param *params); 335 enum pkcs11_rc entry_ck_close_session(struct pkcs11_client *client, 336 uint32_t ptypes, TEE_Param *params); 337 enum pkcs11_rc entry_ck_close_all_sessions(struct pkcs11_client *client, 338 uint32_t ptypes, TEE_Param *params); 339 enum pkcs11_rc entry_ck_session_info(struct pkcs11_client *client, 340 uint32_t ptypes, TEE_Param *params); 341 enum pkcs11_rc entry_ck_token_initialize(uint32_t ptypes, TEE_Param *params); 342 enum pkcs11_rc entry_ck_init_pin(struct pkcs11_client *client, 343 uint32_t ptypes, TEE_Param *params); 344 enum pkcs11_rc entry_ck_set_pin(struct pkcs11_client *client, 345 uint32_t ptypes, TEE_Param *params); 346 enum pkcs11_rc entry_ck_login(struct pkcs11_client *client, 347 uint32_t ptypes, TEE_Param *params); 348 enum pkcs11_rc entry_ck_logout(struct pkcs11_client *client, 349 uint32_t ptypes, TEE_Param *params); 350 enum pkcs11_rc entry_ck_seed_random(struct pkcs11_client *client, 351 uint32_t ptypes, TEE_Param *params); 352 enum pkcs11_rc entry_ck_generate_random(struct pkcs11_client *client, 353 uint32_t ptypes, TEE_Param *params); 354 355 #endif /*PKCS11_TA_PKCS11_TOKEN_H*/ 356