1 /* SPDX-License-Identifier: BSD-2-Clause */ 2 /* 3 * Copyright (c) 2017-2020, Linaro Limited 4 */ 5 #ifndef PKCS11_TA_PKCS11_TOKEN_H 6 #define PKCS11_TA_PKCS11_TOKEN_H 7 8 #include <sys/queue.h> 9 #include <tee_api_types.h> 10 #include <tee_internal_api.h> 11 #include <utee_defines.h> 12 13 #include "handle.h" 14 #include "object.h" 15 #include "pkcs11_attributes.h" 16 17 /* Hard coded description */ 18 #define PKCS11_SLOT_DESCRIPTION "OP-TEE PKCS11 TA" 19 #define PKCS11_SLOT_MANUFACTURER "Linaro" 20 #define PKCS11_SLOT_HW_VERSION { 0, 0 } 21 #define PKCS11_SLOT_FW_VERSION { PKCS11_TA_VERSION_MAJOR, \ 22 PKCS11_TA_VERSION_MINOR } 23 24 #define PKCS11_TOKEN_LABEL "OP-TEE PKCS#11 TA token" 25 #define PKCS11_TOKEN_MANUFACTURER PKCS11_SLOT_MANUFACTURER 26 #define PKCS11_TOKEN_MODEL "OP-TEE TA" 27 #define PKCS11_TOKEN_HW_VERSION PKCS11_SLOT_HW_VERSION 28 #define PKCS11_TOKEN_FW_VERSION PKCS11_SLOT_FW_VERSION 29 30 enum pkcs11_token_state { 31 PKCS11_TOKEN_RESET = 0, 32 PKCS11_TOKEN_READ_WRITE, 33 PKCS11_TOKEN_READ_ONLY, 34 }; 35 36 TAILQ_HEAD(client_list, pkcs11_client); 37 TAILQ_HEAD(session_list, pkcs11_session); 38 39 struct pkcs11_client; 40 41 #define PKCS11_MAX_USERS 2 42 #define PKCS11_TOKEN_PIN_SIZE_MAX 128 43 #define PKCS11_TOKEN_PIN_SIZE_MIN 4 44 #define PKCS11_TOKEN_SO_PIN_COUNT_MAX 7 45 #define PKCS11_TOKEN_USER_PIN_COUNT_MAX 7 46 47 /* 48 * Persistent state of the token 49 * 50 * @version - currently unused... 51 * @label - pkcs11 formatted token label, set by client 52 * @flags - pkcs11 token flags 53 * @so_pin_count - counter on security officer login failure 54 * @so_pin_salt - stores salt in hash of SO PIN, 0 if not set 55 * @so_pin_hash - stores hash of SO PIN 56 * @user_pin_count - counter on user login failure 57 * @user_pin_salt - stores salt in hash of user PIN, 0 if not set 58 * @user_pin_hash - stores hash of user PIN 59 */ 60 struct token_persistent_main { 61 uint32_t version; 62 uint8_t label[PKCS11_TOKEN_LABEL_SIZE]; 63 uint32_t flags; 64 uint32_t so_pin_count; 65 uint32_t so_pin_salt; 66 union { 67 uint8_t so_pin_hash[TEE_MAX_HASH_SIZE]; 68 TEE_Identity so_identity; 69 }; 70 uint32_t user_pin_count; 71 uint32_t user_pin_salt; 72 union { 73 uint8_t user_pin_hash[TEE_MAX_HASH_SIZE]; 74 TEE_Identity user_identity; 75 }; 76 }; 77 78 /* 79 * Persistent objects in the token 80 * 81 * @count - number of objects stored in the token 82 * @uuids - array of object references/UUIDs (@count items) 83 */ 84 struct token_persistent_objs { 85 uint32_t count; 86 TEE_UUID uuids[]; 87 }; 88 89 /* 90 * Runtime state of the token, complies with pkcs11 91 * 92 * @state - Pkcs11 login is public, user, SO or custom 93 * @session_count - Counter for opened Pkcs11 sessions 94 * @rw_session_count - Count for opened Pkcs11 read/write sessions 95 * @object_list - List of the objects owned by the token 96 * @db_main - Volatile copy of the persistent main database 97 * @db_objs - Volatile copy of the persistent object database 98 */ 99 struct ck_token { 100 enum pkcs11_token_state state; 101 uint32_t session_count; 102 uint32_t rw_session_count; 103 struct object_list object_list; 104 /* Copy in RAM of the persistent database */ 105 struct token_persistent_main *db_main; 106 struct token_persistent_objs *db_objs; 107 }; 108 109 /* 110 * A session can enter a processing state (encrypt, decrypt, digest, ...) 111 * only from the initialized state. A session must return the initialized 112 * state (from a processing finalization request) before entering another 113 * processing state. 114 */ 115 enum pkcs11_proc_state { 116 PKCS11_SESSION_READY = 0, /* No active processing */ 117 PKCS11_SESSION_ENCRYPTING, 118 PKCS11_SESSION_DECRYPTING, 119 PKCS11_SESSION_DIGESTING, 120 PKCS11_SESSION_DIGESTING_ENCRYPTING, /* case C_DigestEncryptUpdate */ 121 PKCS11_SESSION_DECRYPTING_DIGESTING, /* case C_DecryptDigestUpdate */ 122 PKCS11_SESSION_SIGNING, 123 PKCS11_SESSION_SIGNING_ENCRYPTING, /* case C_SignEncryptUpdate */ 124 PKCS11_SESSION_VERIFYING, 125 PKCS11_SESSION_DECRYPTING_VERIFYING, /* case C_DecryptVerifyUpdate */ 126 PKCS11_SESSION_SIGNING_RECOVER, 127 PKCS11_SESSION_VERIFYING_RECOVER, 128 }; 129 130 /* 131 * Context of the active processing in the session 132 * 133 * @state - ongoing active processing function or ready state 134 * @mecha_type - mechanism type of the active processing 135 * @always_authen - true if user need to login before each use 136 * @relogged - true once client logged since last operation update 137 * @updated - true once an active operation is updated 138 * @tee_op_handle - handle on active crypto operation or TEE_HANDLE_NULL 139 * @extra_ctx - context for the active processing 140 */ 141 struct active_processing { 142 enum pkcs11_proc_state state; 143 uint32_t mecha_type; 144 bool always_authen; 145 bool relogged; 146 bool updated; 147 TEE_OperationHandle tee_op_handle; 148 void *extra_ctx; 149 }; 150 151 /* 152 * Pkcs11 objects search context 153 * 154 * @attributes - matching attributes list searched (null if no search) 155 * @count - number of matching handle found 156 * @handles - array of handle of matching objects 157 * @next - index of the next object handle to return to C_FindObject 158 */ 159 struct pkcs11_find_objects { 160 void *attributes; 161 size_t count; 162 uint32_t *handles; 163 size_t next; 164 }; 165 166 /* 167 * Structure tracking the PKCS#11 sessions 168 * 169 * @link - List of the session belonging to a client 170 * @client - Client the session belongs to 171 * @token - Token this session belongs to 172 * @handle - Identifier of the session published to the client 173 * @object_list - Entry of the session objects list 174 * @object_handle_db - Database for object handles published by the session 175 * @state - R/W SO, R/W user, RO user, R/W public, RO public. 176 * @processing - Reference to initialized processing context if any 177 * @find_ctx - Reference to active search context (null if no active search) 178 */ 179 struct pkcs11_session { 180 TAILQ_ENTRY(pkcs11_session) link; 181 struct pkcs11_client *client; 182 struct ck_token *token; 183 enum pkcs11_mechanism_id handle; 184 struct object_list object_list; 185 struct handle_db object_handle_db; 186 enum pkcs11_session_state state; 187 struct active_processing *processing; 188 struct pkcs11_find_objects *find_ctx; 189 }; 190 191 /* Initialize static token instance(s) from default/persistent database */ 192 TEE_Result pkcs11_init(void); 193 void pkcs11_deinit(void); 194 195 /* Speculation safe lookup of token instance from token identifier */ 196 struct ck_token *get_token(unsigned int token_id); 197 198 /* Return token identified from token instance address */ 199 unsigned int get_token_id(struct ck_token *token); 200 201 /* Access to persistent database */ 202 struct ck_token *init_persistent_db(unsigned int token_id); 203 void update_persistent_db(struct ck_token *token); 204 void close_persistent_db(struct ck_token *token); 205 206 /* Load and release persistent object attributes in memory */ 207 enum pkcs11_rc load_persistent_object_attributes(struct pkcs11_object *obj); 208 void release_persistent_object_attributes(struct pkcs11_object *obj); 209 210 enum pkcs11_rc hash_pin(enum pkcs11_user_type user, const uint8_t *pin, 211 size_t pin_size, uint32_t *salt, 212 uint8_t hash[TEE_MAX_HASH_SIZE]); 213 enum pkcs11_rc verify_pin(enum pkcs11_user_type user, const uint8_t *pin, 214 size_t pin_size, uint32_t salt, 215 const uint8_t hash[TEE_MAX_HASH_SIZE]); 216 217 #if defined(CFG_PKCS11_TA_AUTH_TEE_IDENTITY) 218 enum pkcs11_rc setup_so_identity_auth_from_client(struct ck_token *token); 219 enum pkcs11_rc setup_identity_auth_from_pin(struct ck_token *token, 220 enum pkcs11_user_type user_type, 221 const uint8_t *pin, 222 size_t pin_size); 223 enum pkcs11_rc verify_identity_auth(struct ck_token *token, 224 enum pkcs11_user_type user_type); 225 #else 226 static inline enum pkcs11_rc 227 setup_so_identity_auth_from_client(struct ck_token *token __unused) 228 { 229 return PKCS11_CKR_PIN_INVALID; 230 } 231 232 static inline enum pkcs11_rc 233 setup_identity_auth_from_pin(struct ck_token *token __unused, 234 enum pkcs11_user_type user_type __unused, 235 const uint8_t *pin __unused, 236 size_t pin_size __unused) 237 { 238 return PKCS11_CKR_PIN_INVALID; 239 } 240 241 static inline enum pkcs11_rc 242 verify_identity_auth(struct ck_token *token __unused, 243 enum pkcs11_user_type user_type __unused) 244 { 245 return PKCS11_CKR_PIN_INCORRECT; 246 } 247 #endif /* CFG_PKCS11_TA_AUTH_TEE_IDENTITY */ 248 249 /* Token persistent objects */ 250 enum pkcs11_rc create_object_uuid(struct ck_token *token, 251 struct pkcs11_object *obj); 252 void destroy_object_uuid(struct ck_token *token, struct pkcs11_object *obj); 253 enum pkcs11_rc unregister_persistent_object(struct ck_token *token, 254 TEE_UUID *uuid); 255 enum pkcs11_rc register_persistent_object(struct ck_token *token, 256 TEE_UUID *uuid); 257 enum pkcs11_rc get_persistent_objects_list(struct ck_token *token, 258 TEE_UUID *array, size_t *size); 259 260 /* 261 * Pkcs11 session support 262 */ 263 struct pkcs11_client *tee_session2client(void *tee_session); 264 struct pkcs11_client *register_client(void); 265 void unregister_client(struct pkcs11_client *client); 266 267 struct pkcs11_session *pkcs11_handle2session(uint32_t handle, 268 struct pkcs11_client *client); 269 270 static inline bool session_is_active(struct pkcs11_session *session) 271 { 272 return session->processing; 273 } 274 275 enum pkcs11_rc set_processing_state(struct pkcs11_session *session, 276 enum processing_func function, 277 struct pkcs11_object *obj1, 278 struct pkcs11_object *obj2); 279 280 static inline bool pkcs11_session_is_read_write(struct pkcs11_session *session) 281 { 282 return session->state == PKCS11_CKS_RW_PUBLIC_SESSION || 283 session->state == PKCS11_CKS_RW_USER_FUNCTIONS || 284 session->state == PKCS11_CKS_RW_SO_FUNCTIONS; 285 } 286 287 static inline bool pkcs11_session_is_public(struct pkcs11_session *session) 288 { 289 return session->state == PKCS11_CKS_RO_PUBLIC_SESSION || 290 session->state == PKCS11_CKS_RW_PUBLIC_SESSION; 291 } 292 293 static inline bool pkcs11_session_is_user(struct pkcs11_session *session) 294 { 295 return session->state == PKCS11_CKS_RO_USER_FUNCTIONS || 296 session->state == PKCS11_CKS_RW_USER_FUNCTIONS; 297 } 298 299 static inline bool pkcs11_session_is_so(struct pkcs11_session *session) 300 { 301 return session->state == PKCS11_CKS_RW_SO_FUNCTIONS; 302 } 303 304 static inline 305 struct object_list *pkcs11_get_session_objects(struct pkcs11_session *session) 306 { 307 return &session->object_list; 308 } 309 310 static inline 311 struct ck_token *pkcs11_session2token(struct pkcs11_session *session) 312 { 313 return session->token; 314 } 315 316 /* Entry point for the TA commands */ 317 enum pkcs11_rc entry_ck_slot_list(uint32_t ptypes, TEE_Param *params); 318 enum pkcs11_rc entry_ck_slot_info(uint32_t ptypes, TEE_Param *params); 319 enum pkcs11_rc entry_ck_token_info(uint32_t ptypes, TEE_Param *params); 320 enum pkcs11_rc entry_ck_token_mecha_ids(uint32_t ptypes, TEE_Param *params); 321 enum pkcs11_rc entry_ck_token_mecha_info(uint32_t ptypes, TEE_Param *params); 322 enum pkcs11_rc entry_ck_open_session(struct pkcs11_client *client, 323 uint32_t ptypes, TEE_Param *params); 324 enum pkcs11_rc entry_ck_close_session(struct pkcs11_client *client, 325 uint32_t ptypes, TEE_Param *params); 326 enum pkcs11_rc entry_ck_close_all_sessions(struct pkcs11_client *client, 327 uint32_t ptypes, TEE_Param *params); 328 enum pkcs11_rc entry_ck_session_info(struct pkcs11_client *client, 329 uint32_t ptypes, TEE_Param *params); 330 enum pkcs11_rc entry_ck_token_initialize(uint32_t ptypes, TEE_Param *params); 331 enum pkcs11_rc entry_ck_init_pin(struct pkcs11_client *client, 332 uint32_t ptypes, TEE_Param *params); 333 enum pkcs11_rc entry_ck_set_pin(struct pkcs11_client *client, 334 uint32_t ptypes, TEE_Param *params); 335 enum pkcs11_rc entry_ck_login(struct pkcs11_client *client, 336 uint32_t ptypes, TEE_Param *params); 337 enum pkcs11_rc entry_ck_logout(struct pkcs11_client *client, 338 uint32_t ptypes, TEE_Param *params); 339 340 #endif /*PKCS11_TA_PKCS11_TOKEN_H*/ 341