1 /* SPDX-License-Identifier: BSD-2-Clause */
2 /*
3  * Copyright (c) 2017-2020, Linaro Limited
4  */
5 #ifndef PKCS11_TA_PKCS11_TOKEN_H
6 #define PKCS11_TA_PKCS11_TOKEN_H
7 
8 #include <sys/queue.h>
9 #include <tee_api_types.h>
10 #include <tee_internal_api.h>
11 #include <utee_defines.h>
12 
13 #include "handle.h"
14 #include "object.h"
15 #include "pkcs11_attributes.h"
16 
17 /* Hard coded description */
18 #define PKCS11_SLOT_DESCRIPTION		"OP-TEE PKCS11 TA"
19 #define PKCS11_SLOT_MANUFACTURER	"Linaro"
20 #define PKCS11_SLOT_HW_VERSION		{ 0, 0 }
21 #define PKCS11_SLOT_FW_VERSION		{ PKCS11_TA_VERSION_MAJOR, \
22 					  PKCS11_TA_VERSION_MINOR }
23 
24 #define PKCS11_TOKEN_LABEL		"OP-TEE PKCS#11 TA token"
25 #define PKCS11_TOKEN_MANUFACTURER	PKCS11_SLOT_MANUFACTURER
26 #define PKCS11_TOKEN_MODEL		"OP-TEE TA"
27 #define PKCS11_TOKEN_HW_VERSION		PKCS11_SLOT_HW_VERSION
28 #define PKCS11_TOKEN_FW_VERSION		PKCS11_SLOT_FW_VERSION
29 
30 enum pkcs11_token_state {
31 	PKCS11_TOKEN_RESET = 0,
32 	PKCS11_TOKEN_READ_WRITE,
33 	PKCS11_TOKEN_READ_ONLY,
34 };
35 
36 TAILQ_HEAD(client_list, pkcs11_client);
37 TAILQ_HEAD(session_list, pkcs11_session);
38 
39 struct pkcs11_client;
40 
41 #define PKCS11_MAX_USERS		2
42 #define PKCS11_TOKEN_PIN_SIZE_MAX	128
43 #define PKCS11_TOKEN_PIN_SIZE_MIN	4
44 #define PKCS11_TOKEN_SO_PIN_COUNT_MAX	7
45 #define PKCS11_TOKEN_USER_PIN_COUNT_MAX	7
46 
47 /*
48  * Persistent state of the token
49  *
50  * @version - currently unused...
51  * @label - pkcs11 formatted token label, set by client
52  * @flags - pkcs11 token flags
53  * @so_pin_count - counter on security officer login failure
54  * @so_pin_salt - stores salt in hash of SO PIN, 0 if not set
55  * @so_pin_hash - stores hash of SO PIN
56  * @user_pin_count - counter on user login failure
57  * @user_pin_salt - stores salt in hash of user PIN, 0 if not set
58  * @user_pin_hash - stores hash of user PIN
59  */
60 struct token_persistent_main {
61 	uint32_t version;
62 	uint8_t label[PKCS11_TOKEN_LABEL_SIZE];
63 	uint32_t flags;
64 	uint32_t so_pin_count;
65 	uint32_t so_pin_salt;
66 	union {
67 		uint8_t so_pin_hash[TEE_MAX_HASH_SIZE];
68 		TEE_Identity so_identity;
69 	};
70 	uint32_t user_pin_count;
71 	uint32_t user_pin_salt;
72 	union {
73 		uint8_t user_pin_hash[TEE_MAX_HASH_SIZE];
74 		TEE_Identity user_identity;
75 	};
76 };
77 
78 /*
79  * Persistent objects in the token
80  *
81  * @count - number of objects stored in the token
82  * @uuids - array of object references/UUIDs (@count items)
83  */
84 struct token_persistent_objs {
85 	uint32_t count;
86 	TEE_UUID uuids[];
87 };
88 
89 /*
90  * Runtime state of the token, complies with pkcs11
91  *
92  * @state - Pkcs11 login is public, user, SO or custom
93  * @session_count - Counter for opened Pkcs11 sessions
94  * @rw_session_count - Count for opened Pkcs11 read/write sessions
95  * @object_list - List of the objects owned by the token
96  * @db_main - Volatile copy of the persistent main database
97  * @db_objs - Volatile copy of the persistent object database
98  */
99 struct ck_token {
100 	enum pkcs11_token_state state;
101 	uint32_t session_count;
102 	uint32_t rw_session_count;
103 	struct object_list object_list;
104 	/* Copy in RAM of the persistent database */
105 	struct token_persistent_main *db_main;
106 	struct token_persistent_objs *db_objs;
107 };
108 
109 /*
110  * A session can enter a processing state (encrypt, decrypt, digest, ...)
111  * only from the initialized state. A session must return the initialized
112  * state (from a processing finalization request) before entering another
113  * processing state.
114  */
115 enum pkcs11_proc_state {
116 	PKCS11_SESSION_READY = 0,		/* No active processing */
117 	PKCS11_SESSION_ENCRYPTING,
118 	PKCS11_SESSION_DECRYPTING,
119 	PKCS11_SESSION_DIGESTING,
120 	PKCS11_SESSION_DIGESTING_ENCRYPTING,	/* case C_DigestEncryptUpdate */
121 	PKCS11_SESSION_DECRYPTING_DIGESTING,	/* case C_DecryptDigestUpdate */
122 	PKCS11_SESSION_SIGNING,
123 	PKCS11_SESSION_SIGNING_ENCRYPTING,	/* case C_SignEncryptUpdate */
124 	PKCS11_SESSION_VERIFYING,
125 	PKCS11_SESSION_DECRYPTING_VERIFYING,	/* case C_DecryptVerifyUpdate */
126 	PKCS11_SESSION_SIGNING_RECOVER,
127 	PKCS11_SESSION_VERIFYING_RECOVER,
128 	PKCS11_SESSION_BUSY,
129 };
130 
131 /*
132  * Context of the active processing in the session
133  *
134  * @state - ongoing active processing function or ready state
135  * @mecha_type - mechanism type of the active processing
136  * @always_authen - true if user need to login before each use
137  * @relogged - true once client logged since last operation update
138  * @op_step - last active operation step - update, final or one-shot
139  * @tee_op_handle - handle on active crypto operation or TEE_HANDLE_NULL
140  * @tee_hash_algo - hash algorithm identifier.
141  * @tee_hash_op_handle - handle on active hashing crypto operation or
142  * TEE_HANDLE_NULL
143  * @extra_ctx - context for the active processing
144  */
145 struct active_processing {
146 	enum pkcs11_proc_state state;
147 	uint32_t mecha_type;
148 	enum processing_step step;
149 	bool always_authen;
150 	bool relogged;
151 	TEE_OperationHandle tee_op_handle;
152 	uint32_t tee_hash_algo;
153 	TEE_OperationHandle tee_hash_op_handle;
154 	void *extra_ctx;
155 };
156 
157 /*
158  * Pkcs11 objects search context
159  *
160  * @attributes - matching attributes list searched (null if no search)
161  * @count - number of matching handle found
162  * @handles - array of handle of matching objects
163  * @next - index of the next object handle to return to C_FindObject
164  */
165 struct pkcs11_find_objects {
166 	void *attributes;
167 	size_t count;
168 	uint32_t *handles;
169 	size_t next;
170 };
171 
172 /*
173  * Structure tracking the PKCS#11 sessions
174  *
175  * @link - List of the session belonging to a client
176  * @client - Client the session belongs to
177  * @token - Token this session belongs to
178  * @handle - Identifier of the session published to the client
179  * @object_list - Entry of the session objects list
180  * @state - R/W SO, R/W user, RO user, R/W public, RO public.
181  * @processing - Reference to initialized processing context if any
182  * @find_ctx - Reference to active search context (null if no active search)
183  */
184 struct pkcs11_session {
185 	TAILQ_ENTRY(pkcs11_session) link;
186 	struct pkcs11_client *client;
187 	struct ck_token *token;
188 	enum pkcs11_mechanism_id handle;
189 	struct object_list object_list;
190 	enum pkcs11_session_state state;
191 	struct active_processing *processing;
192 	struct pkcs11_find_objects *find_ctx;
193 };
194 
195 /* Initialize static token instance(s) from default/persistent database */
196 TEE_Result pkcs11_init(void);
197 void pkcs11_deinit(void);
198 
199 /* Speculation safe lookup of token instance from token identifier */
200 struct ck_token *get_token(unsigned int token_id);
201 
202 /* Return token identified from token instance address */
203 unsigned int get_token_id(struct ck_token *token);
204 
205 /* Return client's (shared) object handle database associated with session */
206 struct handle_db *get_object_handle_db(struct pkcs11_session *session);
207 
208 /* Access to persistent database */
209 struct ck_token *init_persistent_db(unsigned int token_id);
210 void update_persistent_db(struct ck_token *token);
211 void close_persistent_db(struct ck_token *token);
212 
213 /* Load and release persistent object attributes in memory */
214 enum pkcs11_rc load_persistent_object_attributes(struct pkcs11_object *obj);
215 void release_persistent_object_attributes(struct pkcs11_object *obj);
216 enum pkcs11_rc update_persistent_object_attributes(struct pkcs11_object *obj);
217 
218 enum pkcs11_rc hash_pin(enum pkcs11_user_type user, const uint8_t *pin,
219 			size_t pin_size, uint32_t *salt,
220 			uint8_t hash[TEE_MAX_HASH_SIZE]);
221 enum pkcs11_rc verify_pin(enum pkcs11_user_type user, const uint8_t *pin,
222 			  size_t pin_size, uint32_t salt,
223 			  const uint8_t hash[TEE_MAX_HASH_SIZE]);
224 
225 #if defined(CFG_PKCS11_TA_AUTH_TEE_IDENTITY)
226 enum pkcs11_rc setup_so_identity_auth_from_client(struct ck_token *token);
227 enum pkcs11_rc setup_identity_auth_from_pin(struct ck_token *token,
228 					    enum pkcs11_user_type user_type,
229 					    const uint8_t *pin,
230 					    size_t pin_size);
231 enum pkcs11_rc verify_identity_auth(struct ck_token *token,
232 				    enum pkcs11_user_type user_type);
233 #else
234 static inline enum pkcs11_rc
setup_so_identity_auth_from_client(struct ck_token * token __unused)235 setup_so_identity_auth_from_client(struct ck_token *token __unused)
236 {
237 	return PKCS11_CKR_PIN_INVALID;
238 }
239 
240 static inline enum pkcs11_rc
setup_identity_auth_from_pin(struct ck_token * token __unused,enum pkcs11_user_type user_type __unused,const uint8_t * pin __unused,size_t pin_size __unused)241 setup_identity_auth_from_pin(struct ck_token *token __unused,
242 			     enum pkcs11_user_type user_type __unused,
243 			     const uint8_t *pin __unused,
244 			     size_t pin_size __unused)
245 {
246 	return PKCS11_CKR_PIN_INVALID;
247 }
248 
249 static inline enum pkcs11_rc
verify_identity_auth(struct ck_token * token __unused,enum pkcs11_user_type user_type __unused)250 verify_identity_auth(struct ck_token *token __unused,
251 		     enum pkcs11_user_type user_type __unused)
252 {
253 	return PKCS11_CKR_PIN_INCORRECT;
254 }
255 #endif /* CFG_PKCS11_TA_AUTH_TEE_IDENTITY */
256 
257 /* Token persistent objects */
258 enum pkcs11_rc create_object_uuid(struct ck_token *token,
259 				  struct pkcs11_object *obj);
260 void destroy_object_uuid(struct ck_token *token, struct pkcs11_object *obj);
261 enum pkcs11_rc unregister_persistent_object(struct ck_token *token,
262 					    TEE_UUID *uuid);
263 enum pkcs11_rc register_persistent_object(struct ck_token *token,
264 					  TEE_UUID *uuid);
265 enum pkcs11_rc get_persistent_objects_list(struct ck_token *token,
266 					   TEE_UUID *array, size_t *size);
267 
268 /*
269  * Pkcs11 session support
270  */
271 struct session_list *get_session_list(struct pkcs11_session *session);
272 struct pkcs11_client *tee_session2client(void *tee_session);
273 struct pkcs11_client *register_client(void);
274 void unregister_client(struct pkcs11_client *client);
275 
276 struct pkcs11_session *pkcs11_handle2session(uint32_t handle,
277 					     struct pkcs11_client *client);
278 
session_is_active(struct pkcs11_session * session)279 static inline bool session_is_active(struct pkcs11_session *session)
280 {
281 	return session->processing;
282 }
283 
284 enum pkcs11_rc set_processing_state(struct pkcs11_session *session,
285 				    enum processing_func function,
286 				    struct pkcs11_object *obj1,
287 				    struct pkcs11_object *obj2);
288 
pkcs11_session_is_read_write(struct pkcs11_session * session)289 static inline bool pkcs11_session_is_read_write(struct pkcs11_session *session)
290 {
291 	return session->state == PKCS11_CKS_RW_PUBLIC_SESSION ||
292 	       session->state == PKCS11_CKS_RW_USER_FUNCTIONS ||
293 	       session->state == PKCS11_CKS_RW_SO_FUNCTIONS;
294 }
295 
pkcs11_session_is_public(struct pkcs11_session * session)296 static inline bool pkcs11_session_is_public(struct pkcs11_session *session)
297 {
298 	return session->state == PKCS11_CKS_RO_PUBLIC_SESSION ||
299 	       session->state == PKCS11_CKS_RW_PUBLIC_SESSION;
300 }
301 
pkcs11_session_is_user(struct pkcs11_session * session)302 static inline bool pkcs11_session_is_user(struct pkcs11_session *session)
303 {
304 	return session->state == PKCS11_CKS_RO_USER_FUNCTIONS ||
305 	       session->state == PKCS11_CKS_RW_USER_FUNCTIONS;
306 }
307 
pkcs11_session_is_so(struct pkcs11_session * session)308 static inline bool pkcs11_session_is_so(struct pkcs11_session *session)
309 {
310 	return session->state == PKCS11_CKS_RW_SO_FUNCTIONS;
311 }
312 
313 static inline
pkcs11_get_session_objects(struct pkcs11_session * session)314 struct object_list *pkcs11_get_session_objects(struct pkcs11_session *session)
315 {
316 	return &session->object_list;
317 }
318 
319 static inline
pkcs11_session2token(struct pkcs11_session * session)320 struct ck_token *pkcs11_session2token(struct pkcs11_session *session)
321 {
322 	return session->token;
323 }
324 
325 /* Entry point for the TA commands */
326 enum pkcs11_rc entry_ck_slot_list(uint32_t ptypes, TEE_Param *params);
327 enum pkcs11_rc entry_ck_slot_info(uint32_t ptypes, TEE_Param *params);
328 enum pkcs11_rc entry_ck_token_info(uint32_t ptypes, TEE_Param *params);
329 enum pkcs11_rc entry_ck_token_mecha_ids(uint32_t ptypes, TEE_Param *params);
330 enum pkcs11_rc entry_ck_token_mecha_info(uint32_t ptypes, TEE_Param *params);
331 enum pkcs11_rc entry_ck_open_session(struct pkcs11_client *client,
332 				     uint32_t ptypes, TEE_Param *params);
333 enum pkcs11_rc entry_ck_close_session(struct pkcs11_client *client,
334 				      uint32_t ptypes, TEE_Param *params);
335 enum pkcs11_rc entry_ck_close_all_sessions(struct pkcs11_client *client,
336 					   uint32_t ptypes, TEE_Param *params);
337 enum pkcs11_rc entry_ck_session_info(struct pkcs11_client *client,
338 				     uint32_t ptypes, TEE_Param *params);
339 enum pkcs11_rc entry_ck_token_initialize(uint32_t ptypes, TEE_Param *params);
340 enum pkcs11_rc entry_ck_init_pin(struct pkcs11_client *client,
341 				 uint32_t ptypes, TEE_Param *params);
342 enum pkcs11_rc entry_ck_set_pin(struct pkcs11_client *client,
343 				uint32_t ptypes, TEE_Param *params);
344 enum pkcs11_rc entry_ck_login(struct pkcs11_client *client,
345 			      uint32_t ptypes, TEE_Param *params);
346 enum pkcs11_rc entry_ck_logout(struct pkcs11_client *client,
347 			       uint32_t ptypes, TEE_Param *params);
348 enum pkcs11_rc entry_ck_seed_random(struct pkcs11_client *client,
349 				    uint32_t ptypes, TEE_Param *params);
350 enum pkcs11_rc entry_ck_generate_random(struct pkcs11_client *client,
351 					uint32_t ptypes, TEE_Param *params);
352 
353 #endif /*PKCS11_TA_PKCS11_TOKEN_H*/
354