xref: /optee_os/ta/pkcs11/src/pkcs11_token.h (revision f6e2b9e2d1a270542c6f6f5e36ed4e36abe18256) 
1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*
3  * Copyright (c) 2017-2020, Linaro Limited
4  */
5 #ifndef PKCS11_TA_PKCS11_TOKEN_H
6 #define PKCS11_TA_PKCS11_TOKEN_H
7 
8 #include <sys/queue.h>
9 #include <tee_api_types.h>
10 #include <tee_internal_api.h>
11 #include <utee_defines.h>
12 
13 #include "handle.h"
14 #include "object.h"
15 #include "pkcs11_attributes.h"
16 
17 /* Hard coded description */
18 #define PKCS11_SLOT_DESCRIPTION		"OP-TEE PKCS11 TA"
19 #define PKCS11_SLOT_MANUFACTURER	"Linaro"
20 #define PKCS11_SLOT_HW_VERSION		{ 0, 0 }
21 #define PKCS11_SLOT_FW_VERSION		{ PKCS11_TA_VERSION_MAJOR, \
22 					  PKCS11_TA_VERSION_MINOR }
23 
24 #define PKCS11_TOKEN_LABEL		"OP-TEE PKCS#11 TA token"
25 #define PKCS11_TOKEN_MANUFACTURER	PKCS11_SLOT_MANUFACTURER
26 #define PKCS11_TOKEN_MODEL		"OP-TEE TA"
27 #define PKCS11_TOKEN_HW_VERSION		PKCS11_SLOT_HW_VERSION
28 #define PKCS11_TOKEN_FW_VERSION		PKCS11_SLOT_FW_VERSION
29 
30 enum pkcs11_token_state {
31 	PKCS11_TOKEN_RESET = 0,
32 	PKCS11_TOKEN_READ_WRITE,
33 	PKCS11_TOKEN_READ_ONLY,
34 };
35 
36 TAILQ_HEAD(client_list, pkcs11_client);
37 TAILQ_HEAD(session_list, pkcs11_session);
38 
39 struct pkcs11_client;
40 
41 #define PKCS11_MAX_USERS		2
42 #define PKCS11_TOKEN_PIN_SIZE_MAX	128
43 #define PKCS11_TOKEN_PIN_SIZE_MIN	4
44 #define PKCS11_TOKEN_SO_PIN_COUNT_MAX	7
45 #define PKCS11_TOKEN_USER_PIN_COUNT_MAX	7
46 
47 /*
48  * Persistent state of the token
49  *
50  * @version - currently unused...
51  * @label - pkcs11 formatted token label, set by client
52  * @flags - pkcs11 token flags
53  * @so_pin_count - counter on security officer login failure
54  * @so_pin_salt - stores salt in hash of SO PIN, 0 if not set
55  * @so_pin_hash - stores hash of SO PIN
56  * @user_pin_count - counter on user login failure
57  * @user_pin_salt - stores salt in hash of user PIN, 0 if not set
58  * @user_pin_hash - stores hash of user PIN
59  */
60 struct token_persistent_main {
61 	uint32_t version;
62 	uint8_t label[PKCS11_TOKEN_LABEL_SIZE];
63 	uint32_t flags;
64 	uint32_t so_pin_count;
65 	uint32_t so_pin_salt;
66 	union {
67 		uint8_t so_pin_hash[TEE_MAX_HASH_SIZE];
68 		TEE_Identity so_identity;
69 	};
70 	uint32_t user_pin_count;
71 	uint32_t user_pin_salt;
72 	union {
73 		uint8_t user_pin_hash[TEE_MAX_HASH_SIZE];
74 		TEE_Identity user_identity;
75 	};
76 };
77 
78 /*
79  * Persistent objects in the token
80  *
81  * @count - number of objects stored in the token
82  * @uuids - array of object references/UUIDs (@count items)
83  */
84 struct token_persistent_objs {
85 	uint32_t count;
86 	TEE_UUID uuids[];
87 };
88 
89 /*
90  * Runtime state of the token, complies with pkcs11
91  *
92  * @state - Pkcs11 login is public, user, SO or custom
93  * @session_count - Counter for opened Pkcs11 sessions
94  * @rw_session_count - Count for opened Pkcs11 read/write sessions
95  * @object_list - List of the objects owned by the token
96  * @db_main - Volatile copy of the persistent main database
97  * @db_objs - Volatile copy of the persistent object database
98  */
99 struct ck_token {
100 	enum pkcs11_token_state state;
101 	uint32_t session_count;
102 	uint32_t rw_session_count;
103 	struct object_list object_list;
104 	/* Copy in RAM of the persistent database */
105 	struct token_persistent_main *db_main;
106 	struct token_persistent_objs *db_objs;
107 };
108 
109 /*
110  * A session can enter a processing state (encrypt, decrypt, digest, ...)
111  * only from the initialized state. A session must return the initialized
112  * state (from a processing finalization request) before entering another
113  * processing state.
114  */
115 enum pkcs11_proc_state {
116 	PKCS11_SESSION_READY = 0,		/* No active processing */
117 	PKCS11_SESSION_ENCRYPTING,
118 	PKCS11_SESSION_DECRYPTING,
119 	PKCS11_SESSION_DIGESTING,
120 	PKCS11_SESSION_DIGESTING_ENCRYPTING,	/* case C_DigestEncryptUpdate */
121 	PKCS11_SESSION_DECRYPTING_DIGESTING,	/* case C_DecryptDigestUpdate */
122 	PKCS11_SESSION_SIGNING,
123 	PKCS11_SESSION_SIGNING_ENCRYPTING,	/* case C_SignEncryptUpdate */
124 	PKCS11_SESSION_VERIFYING,
125 	PKCS11_SESSION_DECRYPTING_VERIFYING,	/* case C_DecryptVerifyUpdate */
126 	PKCS11_SESSION_SIGNING_RECOVER,
127 	PKCS11_SESSION_VERIFYING_RECOVER,
128 };
129 
130 /*
131  * Context of the active processing in the session
132  *
133  * @state - ongoing active processing function or ready state
134  * @mecha_type - mechanism type of the active processing
135  * @always_authen - true if user need to login before each use
136  * @relogged - true once client logged since last operation update
137  * @updated - true once an active operation is updated
138  * @tee_op_handle - handle on active crypto operation or TEE_HANDLE_NULL
139  * @extra_ctx - context for the active processing
140  */
141 struct active_processing {
142 	enum pkcs11_proc_state state;
143 	uint32_t mecha_type;
144 	bool always_authen;
145 	bool relogged;
146 	bool updated;
147 	TEE_OperationHandle tee_op_handle;
148 	void *extra_ctx;
149 };
150 
151 /*
152  * Pkcs11 objects search context
153  *
154  * @attributes - matching attributes list searched (null if no search)
155  * @count - number of matching handle found
156  * @handles - array of handle of matching objects
157  * @next - index of the next object handle to return to C_FindObject
158  */
159 struct pkcs11_find_objects {
160 	void *attributes;
161 	size_t count;
162 	uint32_t *handles;
163 	size_t next;
164 };
165 
166 /*
167  * Structure tracking the PKCS#11 sessions
168  *
169  * @link - List of the session belonging to a client
170  * @client - Client the session belongs to
171  * @token - Token this session belongs to
172  * @handle - Identifier of the session published to the client
173  * @object_list - Entry of the session objects list
174  * @state - R/W SO, R/W user, RO user, R/W public, RO public.
175  * @processing - Reference to initialized processing context if any
176  * @find_ctx - Reference to active search context (null if no active search)
177  */
178 struct pkcs11_session {
179 	TAILQ_ENTRY(pkcs11_session) link;
180 	struct pkcs11_client *client;
181 	struct ck_token *token;
182 	enum pkcs11_mechanism_id handle;
183 	struct object_list object_list;
184 	enum pkcs11_session_state state;
185 	struct active_processing *processing;
186 	struct pkcs11_find_objects *find_ctx;
187 };
188 
189 /* Initialize static token instance(s) from default/persistent database */
190 TEE_Result pkcs11_init(void);
191 void pkcs11_deinit(void);
192 
193 /* Speculation safe lookup of token instance from token identifier */
194 struct ck_token *get_token(unsigned int token_id);
195 
196 /* Return token identified from token instance address */
197 unsigned int get_token_id(struct ck_token *token);
198 
199 /* Return client's (shared) object handle database associated with session */
200 struct handle_db *get_object_handle_db(struct pkcs11_session *session);
201 
202 /* Access to persistent database */
203 struct ck_token *init_persistent_db(unsigned int token_id);
204 void update_persistent_db(struct ck_token *token);
205 void close_persistent_db(struct ck_token *token);
206 
207 /* Load and release persistent object attributes in memory */
208 enum pkcs11_rc load_persistent_object_attributes(struct pkcs11_object *obj);
209 void release_persistent_object_attributes(struct pkcs11_object *obj);
210 enum pkcs11_rc update_persistent_object_attributes(struct pkcs11_object *obj);
211 
212 enum pkcs11_rc hash_pin(enum pkcs11_user_type user, const uint8_t *pin,
213 			size_t pin_size, uint32_t *salt,
214 			uint8_t hash[TEE_MAX_HASH_SIZE]);
215 enum pkcs11_rc verify_pin(enum pkcs11_user_type user, const uint8_t *pin,
216 			  size_t pin_size, uint32_t salt,
217 			  const uint8_t hash[TEE_MAX_HASH_SIZE]);
218 
219 #if defined(CFG_PKCS11_TA_AUTH_TEE_IDENTITY)
220 enum pkcs11_rc setup_so_identity_auth_from_client(struct ck_token *token);
221 enum pkcs11_rc setup_identity_auth_from_pin(struct ck_token *token,
222 					    enum pkcs11_user_type user_type,
223 					    const uint8_t *pin,
224 					    size_t pin_size);
225 enum pkcs11_rc verify_identity_auth(struct ck_token *token,
226 				    enum pkcs11_user_type user_type);
227 #else
228 static inline enum pkcs11_rc
229 setup_so_identity_auth_from_client(struct ck_token *token __unused)
230 {
231 	return PKCS11_CKR_PIN_INVALID;
232 }
233 
234 static inline enum pkcs11_rc
235 setup_identity_auth_from_pin(struct ck_token *token __unused,
236 			     enum pkcs11_user_type user_type __unused,
237 			     const uint8_t *pin __unused,
238 			     size_t pin_size __unused)
239 {
240 	return PKCS11_CKR_PIN_INVALID;
241 }
242 
243 static inline enum pkcs11_rc
244 verify_identity_auth(struct ck_token *token __unused,
245 		     enum pkcs11_user_type user_type __unused)
246 {
247 	return PKCS11_CKR_PIN_INCORRECT;
248 }
249 #endif /* CFG_PKCS11_TA_AUTH_TEE_IDENTITY */
250 
251 /* Token persistent objects */
252 enum pkcs11_rc create_object_uuid(struct ck_token *token,
253 				  struct pkcs11_object *obj);
254 void destroy_object_uuid(struct ck_token *token, struct pkcs11_object *obj);
255 enum pkcs11_rc unregister_persistent_object(struct ck_token *token,
256 					    TEE_UUID *uuid);
257 enum pkcs11_rc register_persistent_object(struct ck_token *token,
258 					  TEE_UUID *uuid);
259 enum pkcs11_rc get_persistent_objects_list(struct ck_token *token,
260 					   TEE_UUID *array, size_t *size);
261 
262 /*
263  * Pkcs11 session support
264  */
265 struct session_list *get_session_list(struct pkcs11_session *session);
266 struct pkcs11_client *tee_session2client(void *tee_session);
267 struct pkcs11_client *register_client(void);
268 void unregister_client(struct pkcs11_client *client);
269 
270 struct pkcs11_session *pkcs11_handle2session(uint32_t handle,
271 					     struct pkcs11_client *client);
272 
273 static inline bool session_is_active(struct pkcs11_session *session)
274 {
275 	return session->processing;
276 }
277 
278 enum pkcs11_rc set_processing_state(struct pkcs11_session *session,
279 				    enum processing_func function,
280 				    struct pkcs11_object *obj1,
281 				    struct pkcs11_object *obj2);
282 
283 static inline bool pkcs11_session_is_read_write(struct pkcs11_session *session)
284 {
285 	return session->state == PKCS11_CKS_RW_PUBLIC_SESSION ||
286 	       session->state == PKCS11_CKS_RW_USER_FUNCTIONS ||
287 	       session->state == PKCS11_CKS_RW_SO_FUNCTIONS;
288 }
289 
290 static inline bool pkcs11_session_is_public(struct pkcs11_session *session)
291 {
292 	return session->state == PKCS11_CKS_RO_PUBLIC_SESSION ||
293 	       session->state == PKCS11_CKS_RW_PUBLIC_SESSION;
294 }
295 
296 static inline bool pkcs11_session_is_user(struct pkcs11_session *session)
297 {
298 	return session->state == PKCS11_CKS_RO_USER_FUNCTIONS ||
299 	       session->state == PKCS11_CKS_RW_USER_FUNCTIONS;
300 }
301 
302 static inline bool pkcs11_session_is_so(struct pkcs11_session *session)
303 {
304 	return session->state == PKCS11_CKS_RW_SO_FUNCTIONS;
305 }
306 
307 static inline
308 struct object_list *pkcs11_get_session_objects(struct pkcs11_session *session)
309 {
310 	return &session->object_list;
311 }
312 
313 static inline
314 struct ck_token *pkcs11_session2token(struct pkcs11_session *session)
315 {
316 	return session->token;
317 }
318 
319 /* Entry point for the TA commands */
320 enum pkcs11_rc entry_ck_slot_list(uint32_t ptypes, TEE_Param *params);
321 enum pkcs11_rc entry_ck_slot_info(uint32_t ptypes, TEE_Param *params);
322 enum pkcs11_rc entry_ck_token_info(uint32_t ptypes, TEE_Param *params);
323 enum pkcs11_rc entry_ck_token_mecha_ids(uint32_t ptypes, TEE_Param *params);
324 enum pkcs11_rc entry_ck_token_mecha_info(uint32_t ptypes, TEE_Param *params);
325 enum pkcs11_rc entry_ck_open_session(struct pkcs11_client *client,
326 				     uint32_t ptypes, TEE_Param *params);
327 enum pkcs11_rc entry_ck_close_session(struct pkcs11_client *client,
328 				      uint32_t ptypes, TEE_Param *params);
329 enum pkcs11_rc entry_ck_close_all_sessions(struct pkcs11_client *client,
330 					   uint32_t ptypes, TEE_Param *params);
331 enum pkcs11_rc entry_ck_session_info(struct pkcs11_client *client,
332 				     uint32_t ptypes, TEE_Param *params);
333 enum pkcs11_rc entry_ck_token_initialize(uint32_t ptypes, TEE_Param *params);
334 enum pkcs11_rc entry_ck_init_pin(struct pkcs11_client *client,
335 				 uint32_t ptypes, TEE_Param *params);
336 enum pkcs11_rc entry_ck_set_pin(struct pkcs11_client *client,
337 				uint32_t ptypes, TEE_Param *params);
338 enum pkcs11_rc entry_ck_login(struct pkcs11_client *client,
339 			      uint32_t ptypes, TEE_Param *params);
340 enum pkcs11_rc entry_ck_logout(struct pkcs11_client *client,
341 			       uint32_t ptypes, TEE_Param *params);
342 enum pkcs11_rc entry_ck_seed_random(struct pkcs11_client *client,
343 				    uint32_t ptypes, TEE_Param *params);
344 enum pkcs11_rc entry_ck_generate_random(struct pkcs11_client *client,
345 					uint32_t ptypes, TEE_Param *params);
346 
347 #endif /*PKCS11_TA_PKCS11_TOKEN_H*/
348