1 /* SPDX-License-Identifier: BSD-2-Clause */ 2 /* 3 * Copyright (c) 2017-2020, Linaro Limited 4 */ 5 #ifndef PKCS11_TA_PKCS11_TOKEN_H 6 #define PKCS11_TA_PKCS11_TOKEN_H 7 8 #include <sys/queue.h> 9 #include <tee_api_types.h> 10 #include <tee_internal_api.h> 11 #include <utee_defines.h> 12 13 #include "handle.h" 14 #include "object.h" 15 #include "pkcs11_attributes.h" 16 17 /* Hard coded description */ 18 #define PKCS11_SLOT_DESCRIPTION "OP-TEE PKCS11 TA" 19 #define PKCS11_SLOT_MANUFACTURER "Linaro" 20 #define PKCS11_SLOT_HW_VERSION { 0, 0 } 21 #define PKCS11_SLOT_FW_VERSION { PKCS11_TA_VERSION_MAJOR, \ 22 PKCS11_TA_VERSION_MINOR } 23 24 #define PKCS11_TOKEN_LABEL "OP-TEE PKCS#11 TA token" 25 #define PKCS11_TOKEN_MANUFACTURER PKCS11_SLOT_MANUFACTURER 26 #define PKCS11_TOKEN_MODEL "OP-TEE TA" 27 #define PKCS11_TOKEN_HW_VERSION PKCS11_SLOT_HW_VERSION 28 #define PKCS11_TOKEN_FW_VERSION PKCS11_SLOT_FW_VERSION 29 30 enum pkcs11_token_state { 31 PKCS11_TOKEN_RESET = 0, 32 PKCS11_TOKEN_READ_WRITE, 33 PKCS11_TOKEN_READ_ONLY, 34 }; 35 36 TAILQ_HEAD(client_list, pkcs11_client); 37 TAILQ_HEAD(session_list, pkcs11_session); 38 39 struct pkcs11_client; 40 41 #define PKCS11_MAX_USERS 2 42 #define PKCS11_TOKEN_PIN_SIZE_MAX 128 43 #define PKCS11_TOKEN_PIN_SIZE_MIN 10 44 #define PKCS11_TOKEN_SO_PIN_COUNT_MAX 7 45 #define PKCS11_TOKEN_USER_PIN_COUNT_MAX 7 46 47 /* 48 * Persistent state of the token 49 * 50 * @version - currently unused... 51 * @label - pkcs11 formatted token label, set by client 52 * @flags - pkcs11 token flags 53 * @so_pin_count - counter on security officer login failure 54 * @so_pin_salt - stores salt in hash of SO PIN, 0 if not set 55 * @so_pin_hash - stores hash of SO PIN 56 * @user_pin_count - counter on user login failure 57 * @user_pin_salt - stores salt in hash of user PIN, 0 if not set 58 * @user_pin_hash - stores hash of user PIN 59 */ 60 struct token_persistent_main { 61 uint32_t version; 62 uint8_t label[PKCS11_TOKEN_LABEL_SIZE]; 63 uint32_t flags; 64 uint32_t so_pin_count; 65 uint32_t so_pin_salt; 66 uint8_t so_pin_hash[TEE_MAX_HASH_SIZE]; 67 uint32_t user_pin_count; 68 uint32_t user_pin_salt; 69 uint8_t user_pin_hash[TEE_MAX_HASH_SIZE]; 70 }; 71 72 /* 73 * Persistent objects in the token 74 * 75 * @count - number of objects stored in the token 76 * @uuids - array of object references/UUIDs (@count items) 77 */ 78 struct token_persistent_objs { 79 uint32_t count; 80 TEE_UUID uuids[]; 81 }; 82 83 /* 84 * Runtime state of the token, complies with pkcs11 85 * 86 * @state - Pkcs11 login is public, user, SO or custom 87 * @session_count - Counter for opened Pkcs11 sessions 88 * @rw_session_count - Count for opened Pkcs11 read/write sessions 89 * @object_list - List of the objects owned by the token 90 * @db_main - Volatile copy of the persistent main database 91 * @db_objs - Volatile copy of the persistent object database 92 */ 93 struct ck_token { 94 enum pkcs11_token_state state; 95 uint32_t session_count; 96 uint32_t rw_session_count; 97 struct object_list object_list; 98 /* Copy in RAM of the persistent database */ 99 struct token_persistent_main *db_main; 100 struct token_persistent_objs *db_objs; 101 }; 102 103 /* 104 * A session can enter a processing state (encrypt, decrypt, digest, ...) 105 * only from the initialized state. A session must return the initialized 106 * state (from a processing finalization request) before entering another 107 * processing state. 108 */ 109 enum pkcs11_proc_state { 110 PKCS11_SESSION_READY = 0, /* No active processing */ 111 PKCS11_SESSION_ENCRYPTING, 112 PKCS11_SESSION_DECRYPTING, 113 PKCS11_SESSION_DIGESTING, 114 PKCS11_SESSION_DIGESTING_ENCRYPTING, /* case C_DigestEncryptUpdate */ 115 PKCS11_SESSION_DECRYPTING_DIGESTING, /* case C_DecryptDigestUpdate */ 116 PKCS11_SESSION_SIGNING, 117 PKCS11_SESSION_SIGNING_ENCRYPTING, /* case C_SignEncryptUpdate */ 118 PKCS11_SESSION_VERIFYING, 119 PKCS11_SESSION_DECRYPTING_VERIFYING, /* case C_DecryptVerifyUpdate */ 120 PKCS11_SESSION_SIGNING_RECOVER, 121 PKCS11_SESSION_VERIFYING_RECOVER, 122 }; 123 124 /* 125 * Context of the active processing in the session 126 * 127 * @state - ongoing active processing function or ready state 128 * @mecha_type - mechanism type of the active processing 129 * @always_authen - true if user need to login before each use 130 * @relogged - true once client logged since last operation update 131 * @updated - true once an active operation is updated 132 * @tee_op_handle - handle on active crypto operation or TEE_HANDLE_NULL 133 * @extra_ctx - context for the active processing 134 */ 135 struct active_processing { 136 enum pkcs11_proc_state state; 137 uint32_t mecha_type; 138 bool always_authen; 139 bool relogged; 140 bool updated; 141 TEE_OperationHandle tee_op_handle; 142 void *extra_ctx; 143 }; 144 145 /* 146 * Structure tracking the PKCS#11 sessions 147 * 148 * @link - List of the session belonging to a client 149 * @client - Client the session belongs to 150 * @token - Token this session belongs to 151 * @handle - Identifier of the session published to the client 152 * @object_list - Entry of the session objects list 153 * @object_handle_db - Database for object handles published by the session 154 * @state - R/W SO, R/W user, RO user, R/W public, RO public. 155 * @processing - Reference to initialized processing context if any 156 */ 157 struct pkcs11_session { 158 TAILQ_ENTRY(pkcs11_session) link; 159 struct pkcs11_client *client; 160 struct ck_token *token; 161 enum pkcs11_mechanism_id handle; 162 struct object_list object_list; 163 struct handle_db object_handle_db; 164 enum pkcs11_session_state state; 165 struct active_processing *processing; 166 }; 167 168 /* Initialize static token instance(s) from default/persistent database */ 169 TEE_Result pkcs11_init(void); 170 void pkcs11_deinit(void); 171 172 /* Speculation safe lookup of token instance from token identifier */ 173 struct ck_token *get_token(unsigned int token_id); 174 175 /* Return token identified from token instance address */ 176 unsigned int get_token_id(struct ck_token *token); 177 178 /* Access to persistent database */ 179 struct ck_token *init_persistent_db(unsigned int token_id); 180 void update_persistent_db(struct ck_token *token); 181 void close_persistent_db(struct ck_token *token); 182 183 enum pkcs11_rc hash_pin(enum pkcs11_user_type user, const uint8_t *pin, 184 size_t pin_size, uint32_t *salt, 185 uint8_t hash[TEE_MAX_HASH_SIZE]); 186 enum pkcs11_rc verify_pin(enum pkcs11_user_type user, const uint8_t *pin, 187 size_t pin_size, uint32_t salt, 188 const uint8_t hash[TEE_MAX_HASH_SIZE]); 189 190 /* Token persistent objects */ 191 enum pkcs11_rc create_object_uuid(struct ck_token *token, 192 struct pkcs11_object *obj); 193 void destroy_object_uuid(struct ck_token *token, struct pkcs11_object *obj); 194 enum pkcs11_rc unregister_persistent_object(struct ck_token *token, 195 TEE_UUID *uuid); 196 enum pkcs11_rc register_persistent_object(struct ck_token *token, 197 TEE_UUID *uuid); 198 enum pkcs11_rc get_persistent_objects_list(struct ck_token *token, 199 TEE_UUID *array, size_t *size); 200 201 /* 202 * Pkcs11 session support 203 */ 204 struct pkcs11_client *tee_session2client(void *tee_session); 205 struct pkcs11_client *register_client(void); 206 void unregister_client(struct pkcs11_client *client); 207 208 struct pkcs11_session *pkcs11_handle2session(uint32_t handle, 209 struct pkcs11_client *client); 210 211 static inline bool session_is_active(struct pkcs11_session *session) 212 { 213 return session->processing; 214 } 215 216 enum pkcs11_rc set_processing_state(struct pkcs11_session *session, 217 enum processing_func function, 218 struct pkcs11_object *obj1, 219 struct pkcs11_object *obj2); 220 221 static inline bool pkcs11_session_is_read_write(struct pkcs11_session *session) 222 { 223 return session->state == PKCS11_CKS_RW_PUBLIC_SESSION || 224 session->state == PKCS11_CKS_RW_USER_FUNCTIONS || 225 session->state == PKCS11_CKS_RW_SO_FUNCTIONS; 226 } 227 228 static inline bool pkcs11_session_is_public(struct pkcs11_session *session) 229 { 230 return session->state == PKCS11_CKS_RO_PUBLIC_SESSION || 231 session->state == PKCS11_CKS_RW_PUBLIC_SESSION; 232 } 233 234 static inline bool pkcs11_session_is_user(struct pkcs11_session *session) 235 { 236 return session->state == PKCS11_CKS_RO_USER_FUNCTIONS || 237 session->state == PKCS11_CKS_RW_USER_FUNCTIONS; 238 } 239 240 static inline bool pkcs11_session_is_so(struct pkcs11_session *session) 241 { 242 return session->state == PKCS11_CKS_RW_SO_FUNCTIONS; 243 } 244 245 static inline 246 struct object_list *pkcs11_get_session_objects(struct pkcs11_session *session) 247 { 248 return &session->object_list; 249 } 250 251 static inline 252 struct ck_token *pkcs11_session2token(struct pkcs11_session *session) 253 { 254 return session->token; 255 } 256 257 /* Entry point for the TA commands */ 258 enum pkcs11_rc entry_ck_slot_list(uint32_t ptypes, TEE_Param *params); 259 enum pkcs11_rc entry_ck_slot_info(uint32_t ptypes, TEE_Param *params); 260 enum pkcs11_rc entry_ck_token_info(uint32_t ptypes, TEE_Param *params); 261 enum pkcs11_rc entry_ck_token_mecha_ids(uint32_t ptypes, TEE_Param *params); 262 enum pkcs11_rc entry_ck_token_mecha_info(uint32_t ptypes, TEE_Param *params); 263 enum pkcs11_rc entry_ck_open_session(struct pkcs11_client *client, 264 uint32_t ptypes, TEE_Param *params); 265 enum pkcs11_rc entry_ck_close_session(struct pkcs11_client *client, 266 uint32_t ptypes, TEE_Param *params); 267 enum pkcs11_rc entry_ck_close_all_sessions(struct pkcs11_client *client, 268 uint32_t ptypes, TEE_Param *params); 269 enum pkcs11_rc entry_ck_session_info(struct pkcs11_client *client, 270 uint32_t ptypes, TEE_Param *params); 271 enum pkcs11_rc entry_ck_token_initialize(uint32_t ptypes, TEE_Param *params); 272 enum pkcs11_rc entry_ck_init_pin(struct pkcs11_client *client, 273 uint32_t ptypes, TEE_Param *params); 274 enum pkcs11_rc entry_ck_set_pin(struct pkcs11_client *client, 275 uint32_t ptypes, TEE_Param *params); 276 enum pkcs11_rc entry_ck_login(struct pkcs11_client *client, 277 uint32_t ptypes, TEE_Param *params); 278 enum pkcs11_rc entry_ck_logout(struct pkcs11_client *client, 279 uint32_t ptypes, TEE_Param *params); 280 281 #endif /*PKCS11_TA_PKCS11_TOKEN_H*/ 282