1 /* SPDX-License-Identifier: BSD-2-Clause */ 2 /* 3 * Copyright (c) 2017-2020, Linaro Limited 4 */ 5 #ifndef PKCS11_TA_PKCS11_TOKEN_H 6 #define PKCS11_TA_PKCS11_TOKEN_H 7 8 #include <sys/queue.h> 9 #include <tee_api_types.h> 10 #include <tee_internal_api.h> 11 #include <utee_defines.h> 12 13 #include "handle.h" 14 #include "object.h" 15 #include "pkcs11_attributes.h" 16 17 /* Hard coded description */ 18 #define PKCS11_SLOT_DESCRIPTION "OP-TEE PKCS11 TA" 19 #define PKCS11_SLOT_MANUFACTURER "Linaro" 20 #define PKCS11_SLOT_HW_VERSION { 0, 0 } 21 #define PKCS11_SLOT_FW_VERSION { PKCS11_TA_VERSION_MAJOR, \ 22 PKCS11_TA_VERSION_MINOR } 23 24 #define PKCS11_TOKEN_LABEL "OP-TEE PKCS#11 TA token" 25 #define PKCS11_TOKEN_MANUFACTURER PKCS11_SLOT_MANUFACTURER 26 #define PKCS11_TOKEN_MODEL "OP-TEE TA" 27 #define PKCS11_TOKEN_HW_VERSION PKCS11_SLOT_HW_VERSION 28 #define PKCS11_TOKEN_FW_VERSION PKCS11_SLOT_FW_VERSION 29 30 enum pkcs11_token_state { 31 PKCS11_TOKEN_RESET = 0, 32 PKCS11_TOKEN_READ_WRITE, 33 PKCS11_TOKEN_READ_ONLY, 34 }; 35 36 TAILQ_HEAD(client_list, pkcs11_client); 37 TAILQ_HEAD(session_list, pkcs11_session); 38 39 struct pkcs11_client; 40 41 #define PKCS11_MAX_USERS 2 42 #define PKCS11_TOKEN_PIN_SIZE_MAX 128 43 #define PKCS11_TOKEN_PIN_SIZE_MIN 4 44 #define PKCS11_TOKEN_SO_PIN_COUNT_MAX 7 45 #define PKCS11_TOKEN_USER_PIN_COUNT_MAX 7 46 47 /* 48 * Persistent state of the token 49 * 50 * @version - currently unused... 51 * @label - pkcs11 formatted token label, set by client 52 * @flags - pkcs11 token flags 53 * @so_pin_count - counter on security officer login failure 54 * @so_pin_salt - stores salt in hash of SO PIN, 0 if not set 55 * @so_pin_hash - stores hash of SO PIN 56 * @user_pin_count - counter on user login failure 57 * @user_pin_salt - stores salt in hash of user PIN, 0 if not set 58 * @user_pin_hash - stores hash of user PIN 59 */ 60 struct token_persistent_main { 61 uint32_t version; 62 uint8_t label[PKCS11_TOKEN_LABEL_SIZE]; 63 uint32_t flags; 64 uint32_t so_pin_count; 65 uint32_t so_pin_salt; 66 union { 67 uint8_t so_pin_hash[TEE_MAX_HASH_SIZE]; 68 TEE_Identity so_identity; 69 }; 70 uint32_t user_pin_count; 71 uint32_t user_pin_salt; 72 union { 73 uint8_t user_pin_hash[TEE_MAX_HASH_SIZE]; 74 TEE_Identity user_identity; 75 }; 76 }; 77 78 /* 79 * Persistent objects in the token 80 * 81 * @count - number of objects stored in the token 82 * @uuids - array of object references/UUIDs (@count items) 83 */ 84 struct token_persistent_objs { 85 uint32_t count; 86 TEE_UUID uuids[]; 87 }; 88 89 /* 90 * Runtime state of the token, complies with pkcs11 91 * 92 * @state - Pkcs11 login is public, user, SO or custom 93 * @session_count - Counter for opened Pkcs11 sessions 94 * @rw_session_count - Count for opened Pkcs11 read/write sessions 95 * @object_list - List of the objects owned by the token 96 * @db_main - Volatile copy of the persistent main database 97 * @db_objs - Volatile copy of the persistent object database 98 */ 99 struct ck_token { 100 enum pkcs11_token_state state; 101 uint32_t session_count; 102 uint32_t rw_session_count; 103 struct object_list object_list; 104 /* Copy in RAM of the persistent database */ 105 struct token_persistent_main *db_main; 106 struct token_persistent_objs *db_objs; 107 }; 108 109 /* 110 * A session can enter a processing state (encrypt, decrypt, digest, ...) 111 * only from the initialized state. A session must return the initialized 112 * state (from a processing finalization request) before entering another 113 * processing state. 114 */ 115 enum pkcs11_proc_state { 116 PKCS11_SESSION_READY = 0, /* No active processing */ 117 PKCS11_SESSION_ENCRYPTING, 118 PKCS11_SESSION_DECRYPTING, 119 PKCS11_SESSION_DIGESTING, 120 PKCS11_SESSION_DIGESTING_ENCRYPTING, /* case C_DigestEncryptUpdate */ 121 PKCS11_SESSION_DECRYPTING_DIGESTING, /* case C_DecryptDigestUpdate */ 122 PKCS11_SESSION_SIGNING, 123 PKCS11_SESSION_SIGNING_ENCRYPTING, /* case C_SignEncryptUpdate */ 124 PKCS11_SESSION_VERIFYING, 125 PKCS11_SESSION_DECRYPTING_VERIFYING, /* case C_DecryptVerifyUpdate */ 126 PKCS11_SESSION_SIGNING_RECOVER, 127 PKCS11_SESSION_VERIFYING_RECOVER, 128 }; 129 130 /* 131 * Context of the active processing in the session 132 * 133 * @state - ongoing active processing function or ready state 134 * @mecha_type - mechanism type of the active processing 135 * @always_authen - true if user need to login before each use 136 * @relogged - true once client logged since last operation update 137 * @updated - true once an active operation is updated 138 * @tee_op_handle - handle on active crypto operation or TEE_HANDLE_NULL 139 * @extra_ctx - context for the active processing 140 */ 141 struct active_processing { 142 enum pkcs11_proc_state state; 143 uint32_t mecha_type; 144 bool always_authen; 145 bool relogged; 146 bool updated; 147 TEE_OperationHandle tee_op_handle; 148 void *extra_ctx; 149 }; 150 151 /* 152 * Pkcs11 objects search context 153 * 154 * @attributes - matching attributes list searched (null if no search) 155 * @count - number of matching handle found 156 * @handles - array of handle of matching objects 157 * @next - index of the next object handle to return to C_FindObject 158 */ 159 struct pkcs11_find_objects { 160 void *attributes; 161 size_t count; 162 uint32_t *handles; 163 size_t next; 164 }; 165 166 /* 167 * Structure tracking the PKCS#11 sessions 168 * 169 * @link - List of the session belonging to a client 170 * @client - Client the session belongs to 171 * @token - Token this session belongs to 172 * @handle - Identifier of the session published to the client 173 * @object_list - Entry of the session objects list 174 * @state - R/W SO, R/W user, RO user, R/W public, RO public. 175 * @processing - Reference to initialized processing context if any 176 * @find_ctx - Reference to active search context (null if no active search) 177 */ 178 struct pkcs11_session { 179 TAILQ_ENTRY(pkcs11_session) link; 180 struct pkcs11_client *client; 181 struct ck_token *token; 182 enum pkcs11_mechanism_id handle; 183 struct object_list object_list; 184 enum pkcs11_session_state state; 185 struct active_processing *processing; 186 struct pkcs11_find_objects *find_ctx; 187 }; 188 189 /* Initialize static token instance(s) from default/persistent database */ 190 TEE_Result pkcs11_init(void); 191 void pkcs11_deinit(void); 192 193 /* Speculation safe lookup of token instance from token identifier */ 194 struct ck_token *get_token(unsigned int token_id); 195 196 /* Return token identified from token instance address */ 197 unsigned int get_token_id(struct ck_token *token); 198 199 /* Return client's (shared) object handle database associated with session */ 200 struct handle_db *get_object_handle_db(struct pkcs11_session *session); 201 202 /* Access to persistent database */ 203 struct ck_token *init_persistent_db(unsigned int token_id); 204 void update_persistent_db(struct ck_token *token); 205 void close_persistent_db(struct ck_token *token); 206 207 /* Load and release persistent object attributes in memory */ 208 enum pkcs11_rc load_persistent_object_attributes(struct pkcs11_object *obj); 209 void release_persistent_object_attributes(struct pkcs11_object *obj); 210 enum pkcs11_rc update_persistent_object_attributes(struct pkcs11_object *obj); 211 212 enum pkcs11_rc hash_pin(enum pkcs11_user_type user, const uint8_t *pin, 213 size_t pin_size, uint32_t *salt, 214 uint8_t hash[TEE_MAX_HASH_SIZE]); 215 enum pkcs11_rc verify_pin(enum pkcs11_user_type user, const uint8_t *pin, 216 size_t pin_size, uint32_t salt, 217 const uint8_t hash[TEE_MAX_HASH_SIZE]); 218 219 #if defined(CFG_PKCS11_TA_AUTH_TEE_IDENTITY) 220 enum pkcs11_rc setup_so_identity_auth_from_client(struct ck_token *token); 221 enum pkcs11_rc setup_identity_auth_from_pin(struct ck_token *token, 222 enum pkcs11_user_type user_type, 223 const uint8_t *pin, 224 size_t pin_size); 225 enum pkcs11_rc verify_identity_auth(struct ck_token *token, 226 enum pkcs11_user_type user_type); 227 #else 228 static inline enum pkcs11_rc 229 setup_so_identity_auth_from_client(struct ck_token *token __unused) 230 { 231 return PKCS11_CKR_PIN_INVALID; 232 } 233 234 static inline enum pkcs11_rc 235 setup_identity_auth_from_pin(struct ck_token *token __unused, 236 enum pkcs11_user_type user_type __unused, 237 const uint8_t *pin __unused, 238 size_t pin_size __unused) 239 { 240 return PKCS11_CKR_PIN_INVALID; 241 } 242 243 static inline enum pkcs11_rc 244 verify_identity_auth(struct ck_token *token __unused, 245 enum pkcs11_user_type user_type __unused) 246 { 247 return PKCS11_CKR_PIN_INCORRECT; 248 } 249 #endif /* CFG_PKCS11_TA_AUTH_TEE_IDENTITY */ 250 251 /* Token persistent objects */ 252 enum pkcs11_rc create_object_uuid(struct ck_token *token, 253 struct pkcs11_object *obj); 254 void destroy_object_uuid(struct ck_token *token, struct pkcs11_object *obj); 255 enum pkcs11_rc unregister_persistent_object(struct ck_token *token, 256 TEE_UUID *uuid); 257 enum pkcs11_rc register_persistent_object(struct ck_token *token, 258 TEE_UUID *uuid); 259 enum pkcs11_rc get_persistent_objects_list(struct ck_token *token, 260 TEE_UUID *array, size_t *size); 261 262 /* 263 * Pkcs11 session support 264 */ 265 struct session_list *get_session_list(struct pkcs11_session *session); 266 struct pkcs11_client *tee_session2client(void *tee_session); 267 struct pkcs11_client *register_client(void); 268 void unregister_client(struct pkcs11_client *client); 269 270 struct pkcs11_session *pkcs11_handle2session(uint32_t handle, 271 struct pkcs11_client *client); 272 273 static inline bool session_is_active(struct pkcs11_session *session) 274 { 275 return session->processing; 276 } 277 278 enum pkcs11_rc set_processing_state(struct pkcs11_session *session, 279 enum processing_func function, 280 struct pkcs11_object *obj1, 281 struct pkcs11_object *obj2); 282 283 static inline bool pkcs11_session_is_read_write(struct pkcs11_session *session) 284 { 285 return session->state == PKCS11_CKS_RW_PUBLIC_SESSION || 286 session->state == PKCS11_CKS_RW_USER_FUNCTIONS || 287 session->state == PKCS11_CKS_RW_SO_FUNCTIONS; 288 } 289 290 static inline bool pkcs11_session_is_public(struct pkcs11_session *session) 291 { 292 return session->state == PKCS11_CKS_RO_PUBLIC_SESSION || 293 session->state == PKCS11_CKS_RW_PUBLIC_SESSION; 294 } 295 296 static inline bool pkcs11_session_is_user(struct pkcs11_session *session) 297 { 298 return session->state == PKCS11_CKS_RO_USER_FUNCTIONS || 299 session->state == PKCS11_CKS_RW_USER_FUNCTIONS; 300 } 301 302 static inline bool pkcs11_session_is_so(struct pkcs11_session *session) 303 { 304 return session->state == PKCS11_CKS_RW_SO_FUNCTIONS; 305 } 306 307 static inline 308 struct object_list *pkcs11_get_session_objects(struct pkcs11_session *session) 309 { 310 return &session->object_list; 311 } 312 313 static inline 314 struct ck_token *pkcs11_session2token(struct pkcs11_session *session) 315 { 316 return session->token; 317 } 318 319 /* Entry point for the TA commands */ 320 enum pkcs11_rc entry_ck_slot_list(uint32_t ptypes, TEE_Param *params); 321 enum pkcs11_rc entry_ck_slot_info(uint32_t ptypes, TEE_Param *params); 322 enum pkcs11_rc entry_ck_token_info(uint32_t ptypes, TEE_Param *params); 323 enum pkcs11_rc entry_ck_token_mecha_ids(uint32_t ptypes, TEE_Param *params); 324 enum pkcs11_rc entry_ck_token_mecha_info(uint32_t ptypes, TEE_Param *params); 325 enum pkcs11_rc entry_ck_open_session(struct pkcs11_client *client, 326 uint32_t ptypes, TEE_Param *params); 327 enum pkcs11_rc entry_ck_close_session(struct pkcs11_client *client, 328 uint32_t ptypes, TEE_Param *params); 329 enum pkcs11_rc entry_ck_close_all_sessions(struct pkcs11_client *client, 330 uint32_t ptypes, TEE_Param *params); 331 enum pkcs11_rc entry_ck_session_info(struct pkcs11_client *client, 332 uint32_t ptypes, TEE_Param *params); 333 enum pkcs11_rc entry_ck_token_initialize(uint32_t ptypes, TEE_Param *params); 334 enum pkcs11_rc entry_ck_init_pin(struct pkcs11_client *client, 335 uint32_t ptypes, TEE_Param *params); 336 enum pkcs11_rc entry_ck_set_pin(struct pkcs11_client *client, 337 uint32_t ptypes, TEE_Param *params); 338 enum pkcs11_rc entry_ck_login(struct pkcs11_client *client, 339 uint32_t ptypes, TEE_Param *params); 340 enum pkcs11_rc entry_ck_logout(struct pkcs11_client *client, 341 uint32_t ptypes, TEE_Param *params); 342 enum pkcs11_rc entry_ck_seed_random(struct pkcs11_client *client, 343 uint32_t ptypes, TEE_Param *params); 344 enum pkcs11_rc entry_ck_generate_random(struct pkcs11_client *client, 345 uint32_t ptypes, TEE_Param *params); 346 347 #endif /*PKCS11_TA_PKCS11_TOKEN_H*/ 348