1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*
3 * Copyright (c) 2017-2020, Linaro Limited
4 */
5 #ifndef PKCS11_TA_PKCS11_TOKEN_H
6 #define PKCS11_TA_PKCS11_TOKEN_H
7
8 #include <sys/queue.h>
9 #include <tee_api_types.h>
10 #include <tee_internal_api.h>
11 #include <utee_defines.h>
12
13 #include "handle.h"
14 #include "object.h"
15 #include "pkcs11_attributes.h"
16
17 /* Hard coded description */
18 #define PKCS11_SLOT_DESCRIPTION "OP-TEE PKCS11 TA"
19 #define PKCS11_SLOT_MANUFACTURER "Linaro"
20 #define PKCS11_SLOT_HW_VERSION { 0, 0 }
21 #define PKCS11_SLOT_FW_VERSION { PKCS11_TA_VERSION_MAJOR, \
22 PKCS11_TA_VERSION_MINOR }
23
24 #define PKCS11_TOKEN_LABEL "OP-TEE PKCS#11 TA token"
25 #define PKCS11_TOKEN_MANUFACTURER PKCS11_SLOT_MANUFACTURER
26 #define PKCS11_TOKEN_MODEL "OP-TEE TA"
27 #define PKCS11_TOKEN_HW_VERSION PKCS11_SLOT_HW_VERSION
28 #define PKCS11_TOKEN_FW_VERSION PKCS11_SLOT_FW_VERSION
29
30 enum pkcs11_token_state {
31 PKCS11_TOKEN_RESET = 0,
32 PKCS11_TOKEN_READ_WRITE,
33 PKCS11_TOKEN_READ_ONLY,
34 };
35
36 TAILQ_HEAD(client_list, pkcs11_client);
37 TAILQ_HEAD(session_list, pkcs11_session);
38
39 struct pkcs11_client;
40
41 #define PKCS11_MAX_USERS 2
42 #define PKCS11_TOKEN_PIN_SIZE_MAX 128
43 #define PKCS11_TOKEN_PIN_SIZE_MIN 4
44 #define PKCS11_TOKEN_SO_PIN_COUNT_MAX 7
45 #define PKCS11_TOKEN_USER_PIN_COUNT_MAX 7
46
47 /*
48 * Persistent state of the token
49 *
50 * @version - currently unused...
51 * @label - pkcs11 formatted token label, set by client
52 * @flags - pkcs11 token flags
53 * @so_pin_count - counter on security officer login failure
54 * @so_pin_salt - stores salt in hash of SO PIN, 0 if not set
55 * @so_pin_hash - stores hash of SO PIN
56 * @user_pin_count - counter on user login failure
57 * @user_pin_salt - stores salt in hash of user PIN, 0 if not set
58 * @user_pin_hash - stores hash of user PIN
59 */
60 struct token_persistent_main {
61 uint32_t version;
62 uint8_t label[PKCS11_TOKEN_LABEL_SIZE];
63 uint32_t flags;
64 uint32_t so_pin_count;
65 uint32_t so_pin_salt;
66 union {
67 uint8_t so_pin_hash[TEE_MAX_HASH_SIZE];
68 TEE_Identity so_identity;
69 };
70 uint32_t user_pin_count;
71 uint32_t user_pin_salt;
72 union {
73 uint8_t user_pin_hash[TEE_MAX_HASH_SIZE];
74 TEE_Identity user_identity;
75 };
76 };
77
78 /*
79 * Persistent objects in the token
80 *
81 * @count - number of objects stored in the token
82 * @uuids - array of object references/UUIDs (@count items)
83 */
84 struct token_persistent_objs {
85 uint32_t count;
86 TEE_UUID uuids[];
87 };
88
89 /*
90 * Runtime state of the token, complies with pkcs11
91 *
92 * @state - Pkcs11 login is public, user, SO or custom
93 * @session_count - Counter for opened Pkcs11 sessions
94 * @rw_session_count - Count for opened Pkcs11 read/write sessions
95 * @object_list - List of the objects owned by the token
96 * @db_main - Volatile copy of the persistent main database
97 * @db_objs - Volatile copy of the persistent object database
98 */
99 struct ck_token {
100 enum pkcs11_token_state state;
101 uint32_t session_count;
102 uint32_t rw_session_count;
103 struct object_list object_list;
104 /* Copy in RAM of the persistent database */
105 struct token_persistent_main *db_main;
106 struct token_persistent_objs *db_objs;
107 };
108
109 /*
110 * A session can enter a processing state (encrypt, decrypt, digest, ...)
111 * only from the initialized state. A session must return the initialized
112 * state (from a processing finalization request) before entering another
113 * processing state.
114 */
115 enum pkcs11_proc_state {
116 PKCS11_SESSION_READY = 0, /* No active processing */
117 PKCS11_SESSION_ENCRYPTING,
118 PKCS11_SESSION_DECRYPTING,
119 PKCS11_SESSION_DIGESTING,
120 PKCS11_SESSION_DIGESTING_ENCRYPTING, /* case C_DigestEncryptUpdate */
121 PKCS11_SESSION_DECRYPTING_DIGESTING, /* case C_DecryptDigestUpdate */
122 PKCS11_SESSION_SIGNING,
123 PKCS11_SESSION_SIGNING_ENCRYPTING, /* case C_SignEncryptUpdate */
124 PKCS11_SESSION_VERIFYING,
125 PKCS11_SESSION_DECRYPTING_VERIFYING, /* case C_DecryptVerifyUpdate */
126 PKCS11_SESSION_SIGNING_RECOVER,
127 PKCS11_SESSION_VERIFYING_RECOVER,
128 PKCS11_SESSION_BUSY,
129 };
130
131 /*
132 * Context of the active processing in the session
133 *
134 * @state - ongoing active processing function or ready state
135 * @mecha_type - mechanism type of the active processing
136 * @always_authen - true if user need to login before each use
137 * @relogged - true once client logged since last operation update
138 * @op_step - last active operation step - update, final or one-shot
139 * @tee_op_handle - handle on active crypto operation or TEE_HANDLE_NULL
140 * @tee_hash_algo - hash algorithm identifier.
141 * @tee_hash_op_handle - handle on active hashing crypto operation or
142 * TEE_HANDLE_NULL
143 * @extra_ctx - context for the active processing
144 */
145 struct active_processing {
146 enum pkcs11_proc_state state;
147 uint32_t mecha_type;
148 enum processing_step step;
149 bool always_authen;
150 bool relogged;
151 TEE_OperationHandle tee_op_handle;
152 uint32_t tee_hash_algo;
153 TEE_OperationHandle tee_hash_op_handle;
154 void *extra_ctx;
155 };
156
157 /*
158 * Pkcs11 objects search context
159 *
160 * @attributes - matching attributes list searched (null if no search)
161 * @count - number of matching handle found
162 * @handles - array of handle of matching objects
163 * @next - index of the next object handle to return to C_FindObject
164 */
165 struct pkcs11_find_objects {
166 void *attributes;
167 size_t count;
168 uint32_t *handles;
169 size_t next;
170 };
171
172 /*
173 * Structure tracking the PKCS#11 sessions
174 *
175 * @link - List of the session belonging to a client
176 * @client - Client the session belongs to
177 * @token - Token this session belongs to
178 * @handle - Identifier of the session published to the client
179 * @object_list - Entry of the session objects list
180 * @state - R/W SO, R/W user, RO user, R/W public, RO public.
181 * @processing - Reference to initialized processing context if any
182 * @find_ctx - Reference to active search context (null if no active search)
183 */
184 struct pkcs11_session {
185 TAILQ_ENTRY(pkcs11_session) link;
186 struct pkcs11_client *client;
187 struct ck_token *token;
188 enum pkcs11_mechanism_id handle;
189 struct object_list object_list;
190 enum pkcs11_session_state state;
191 struct active_processing *processing;
192 struct pkcs11_find_objects *find_ctx;
193 };
194
195 /* Initialize static token instance(s) from default/persistent database */
196 TEE_Result pkcs11_init(void);
197 void pkcs11_deinit(void);
198
199 /* Speculation safe lookup of token instance from token identifier */
200 struct ck_token *get_token(unsigned int token_id);
201
202 /* Return token identified from token instance address */
203 unsigned int get_token_id(struct ck_token *token);
204
205 /* Return client's (shared) object handle database associated with session */
206 struct handle_db *get_object_handle_db(struct pkcs11_session *session);
207
208 /* Access to persistent database */
209 struct ck_token *init_persistent_db(unsigned int token_id);
210 void update_persistent_db(struct ck_token *token);
211 void close_persistent_db(struct ck_token *token);
212
213 /* Load and release persistent object attributes in memory */
214 enum pkcs11_rc load_persistent_object_attributes(struct pkcs11_object *obj);
215 void release_persistent_object_attributes(struct pkcs11_object *obj);
216 enum pkcs11_rc update_persistent_object_attributes(struct pkcs11_object *obj);
217
218 enum pkcs11_rc hash_pin(enum pkcs11_user_type user, const uint8_t *pin,
219 size_t pin_size, uint32_t *salt,
220 uint8_t hash[TEE_MAX_HASH_SIZE]);
221 enum pkcs11_rc verify_pin(enum pkcs11_user_type user, const uint8_t *pin,
222 size_t pin_size, uint32_t salt,
223 const uint8_t hash[TEE_MAX_HASH_SIZE]);
224
225 #if defined(CFG_PKCS11_TA_AUTH_TEE_IDENTITY)
226 enum pkcs11_rc setup_so_identity_auth_from_client(struct ck_token *token);
227 enum pkcs11_rc setup_identity_auth_from_pin(struct ck_token *token,
228 enum pkcs11_user_type user_type,
229 const uint8_t *pin,
230 size_t pin_size);
231 enum pkcs11_rc verify_identity_auth(struct ck_token *token,
232 enum pkcs11_user_type user_type);
233 #else
234 static inline enum pkcs11_rc
setup_so_identity_auth_from_client(struct ck_token * token __unused)235 setup_so_identity_auth_from_client(struct ck_token *token __unused)
236 {
237 return PKCS11_CKR_PIN_INVALID;
238 }
239
240 static inline enum pkcs11_rc
setup_identity_auth_from_pin(struct ck_token * token __unused,enum pkcs11_user_type user_type __unused,const uint8_t * pin __unused,size_t pin_size __unused)241 setup_identity_auth_from_pin(struct ck_token *token __unused,
242 enum pkcs11_user_type user_type __unused,
243 const uint8_t *pin __unused,
244 size_t pin_size __unused)
245 {
246 return PKCS11_CKR_PIN_INVALID;
247 }
248
249 static inline enum pkcs11_rc
verify_identity_auth(struct ck_token * token __unused,enum pkcs11_user_type user_type __unused)250 verify_identity_auth(struct ck_token *token __unused,
251 enum pkcs11_user_type user_type __unused)
252 {
253 return PKCS11_CKR_PIN_INCORRECT;
254 }
255 #endif /* CFG_PKCS11_TA_AUTH_TEE_IDENTITY */
256
257 /* Token persistent objects */
258 enum pkcs11_rc create_object_uuid(struct ck_token *token,
259 struct pkcs11_object *obj);
260 void destroy_object_uuid(struct ck_token *token, struct pkcs11_object *obj);
261 enum pkcs11_rc unregister_persistent_object(struct ck_token *token,
262 TEE_UUID *uuid);
263 enum pkcs11_rc register_persistent_object(struct ck_token *token,
264 TEE_UUID *uuid);
265 enum pkcs11_rc get_persistent_objects_list(struct ck_token *token,
266 TEE_UUID *array, size_t *size);
267
268 /*
269 * Pkcs11 session support
270 */
271 struct session_list *get_session_list(struct pkcs11_session *session);
272 struct pkcs11_client *tee_session2client(void *tee_session);
273 struct pkcs11_client *register_client(void);
274 void unregister_client(struct pkcs11_client *client);
275
276 struct pkcs11_session *pkcs11_handle2session(uint32_t handle,
277 struct pkcs11_client *client);
278
session_is_active(struct pkcs11_session * session)279 static inline bool session_is_active(struct pkcs11_session *session)
280 {
281 return session->processing;
282 }
283
284 enum pkcs11_rc set_processing_state(struct pkcs11_session *session,
285 enum processing_func function,
286 struct pkcs11_object *obj1,
287 struct pkcs11_object *obj2);
288
pkcs11_session_is_read_write(struct pkcs11_session * session)289 static inline bool pkcs11_session_is_read_write(struct pkcs11_session *session)
290 {
291 return session->state == PKCS11_CKS_RW_PUBLIC_SESSION ||
292 session->state == PKCS11_CKS_RW_USER_FUNCTIONS ||
293 session->state == PKCS11_CKS_RW_SO_FUNCTIONS;
294 }
295
pkcs11_session_is_public(struct pkcs11_session * session)296 static inline bool pkcs11_session_is_public(struct pkcs11_session *session)
297 {
298 return session->state == PKCS11_CKS_RO_PUBLIC_SESSION ||
299 session->state == PKCS11_CKS_RW_PUBLIC_SESSION;
300 }
301
pkcs11_session_is_user(struct pkcs11_session * session)302 static inline bool pkcs11_session_is_user(struct pkcs11_session *session)
303 {
304 return session->state == PKCS11_CKS_RO_USER_FUNCTIONS ||
305 session->state == PKCS11_CKS_RW_USER_FUNCTIONS;
306 }
307
pkcs11_session_is_so(struct pkcs11_session * session)308 static inline bool pkcs11_session_is_so(struct pkcs11_session *session)
309 {
310 return session->state == PKCS11_CKS_RW_SO_FUNCTIONS;
311 }
312
313 static inline
pkcs11_get_session_objects(struct pkcs11_session * session)314 struct object_list *pkcs11_get_session_objects(struct pkcs11_session *session)
315 {
316 return &session->object_list;
317 }
318
319 static inline
pkcs11_session2token(struct pkcs11_session * session)320 struct ck_token *pkcs11_session2token(struct pkcs11_session *session)
321 {
322 return session->token;
323 }
324
325 /* Entry point for the TA commands */
326 enum pkcs11_rc entry_ck_slot_list(uint32_t ptypes, TEE_Param *params);
327 enum pkcs11_rc entry_ck_slot_info(uint32_t ptypes, TEE_Param *params);
328 enum pkcs11_rc entry_ck_token_info(uint32_t ptypes, TEE_Param *params);
329 enum pkcs11_rc entry_ck_token_mecha_ids(uint32_t ptypes, TEE_Param *params);
330 enum pkcs11_rc entry_ck_token_mecha_info(uint32_t ptypes, TEE_Param *params);
331 enum pkcs11_rc entry_ck_open_session(struct pkcs11_client *client,
332 uint32_t ptypes, TEE_Param *params);
333 enum pkcs11_rc entry_ck_close_session(struct pkcs11_client *client,
334 uint32_t ptypes, TEE_Param *params);
335 enum pkcs11_rc entry_ck_close_all_sessions(struct pkcs11_client *client,
336 uint32_t ptypes, TEE_Param *params);
337 enum pkcs11_rc entry_ck_session_info(struct pkcs11_client *client,
338 uint32_t ptypes, TEE_Param *params);
339 enum pkcs11_rc entry_ck_token_initialize(uint32_t ptypes, TEE_Param *params);
340 enum pkcs11_rc entry_ck_init_pin(struct pkcs11_client *client,
341 uint32_t ptypes, TEE_Param *params);
342 enum pkcs11_rc entry_ck_set_pin(struct pkcs11_client *client,
343 uint32_t ptypes, TEE_Param *params);
344 enum pkcs11_rc entry_ck_login(struct pkcs11_client *client,
345 uint32_t ptypes, TEE_Param *params);
346 enum pkcs11_rc entry_ck_logout(struct pkcs11_client *client,
347 uint32_t ptypes, TEE_Param *params);
348 enum pkcs11_rc entry_ck_seed_random(struct pkcs11_client *client,
349 uint32_t ptypes, TEE_Param *params);
350 enum pkcs11_rc entry_ck_generate_random(struct pkcs11_client *client,
351 uint32_t ptypes, TEE_Param *params);
352
353 #endif /*PKCS11_TA_PKCS11_TOKEN_H*/
354