1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
|
/* SPDX-License-Identifier: BSD-2-Clause */
/*
* Copyright (c) 2017-2020, Linaro Limited
*/
#ifndef PKCS11_TA_PKCS11_TOKEN_H
#define PKCS11_TA_PKCS11_TOKEN_H
#include <sys/queue.h>
#include <tee_api_types.h>
#include <tee_internal_api.h>
#include <utee_defines.h>
#include "handle.h"
/* Hard coded description */
#define PKCS11_SLOT_DESCRIPTION "OP-TEE PKCS11 TA"
#define PKCS11_SLOT_MANUFACTURER "Linaro"
#define PKCS11_SLOT_HW_VERSION { 0, 0 }
#define PKCS11_SLOT_FW_VERSION { PKCS11_TA_VERSION_MAJOR, \
PKCS11_TA_VERSION_MINOR }
#define PKCS11_TOKEN_LABEL "OP-TEE PKCS#11 TA token"
#define PKCS11_TOKEN_MANUFACTURER PKCS11_SLOT_MANUFACTURER
#define PKCS11_TOKEN_MODEL "OP-TEE TA"
#define PKCS11_TOKEN_HW_VERSION PKCS11_SLOT_HW_VERSION
#define PKCS11_TOKEN_FW_VERSION PKCS11_SLOT_FW_VERSION
enum pkcs11_token_state {
PKCS11_TOKEN_RESET = 0,
PKCS11_TOKEN_READ_WRITE,
PKCS11_TOKEN_READ_ONLY,
};
TAILQ_HEAD(client_list, pkcs11_client);
TAILQ_HEAD(session_list, pkcs11_session);
struct pkcs11_client;
#define PKCS11_MAX_USERS 2
#define PKCS11_TOKEN_PIN_SIZE_MAX 128
#define PKCS11_TOKEN_PIN_SIZE_MIN 10
#define PKCS11_TOKEN_SO_PIN_COUNT_MAX 7
#define PKCS11_TOKEN_USER_PIN_COUNT_MAX 7
/*
* Persistent state of the token
*
* @version - currently unused...
* @label - pkcs11 formatted token label, set by client
* @flags - pkcs11 token flags
* @so_pin_count - counter on security officer login failure
* @so_pin_salt - stores salt in hash of SO PIN, 0 if not set
* @so_pin_hash - stores hash of SO PIN
* @user_pin_count - counter on user login failure
* @user_pin_salt - stores salt in hash of user PIN, 0 if not set
* @user_pin_hash - stores hash of user PIN
*/
struct token_persistent_main {
uint32_t version;
uint8_t label[PKCS11_TOKEN_LABEL_SIZE];
uint32_t flags;
uint32_t so_pin_count;
uint32_t so_pin_salt;
uint8_t so_pin_hash[TEE_MAX_HASH_SIZE];
uint32_t user_pin_count;
uint32_t user_pin_salt;
uint8_t user_pin_hash[TEE_MAX_HASH_SIZE];
};
/*
* Runtime state of the token, complies with pkcs11
*
* @state - Pkcs11 login is public, user, SO or custom
* @session_count - Counter for opened Pkcs11 sessions
* @rw_session_count - Count for opened Pkcs11 read/write sessions
* @db_main - Volatile copy of the persistent main database
*/
struct ck_token {
enum pkcs11_token_state state;
uint32_t session_count;
uint32_t rw_session_count;
/* Copy in RAM of the persistent database */
struct token_persistent_main *db_main;
};
/*
* Structure tracking the PKCS#11 sessions
*
* @link - List of the session belonging to a client
* @client - Client the session belongs to
* @token - Token this session belongs to
* @handle - Identifier of the session published to the client
* @state - R/W SO, R/W user, RO user, R/W public, RO public.
*/
struct pkcs11_session {
TAILQ_ENTRY(pkcs11_session) link;
struct pkcs11_client *client;
struct ck_token *token;
uint32_t handle;
enum pkcs11_session_state state;
};
/* Initialize static token instance(s) from default/persistent database */
TEE_Result pkcs11_init(void);
void pkcs11_deinit(void);
/* Speculation safe lookup of token instance from token identifier */
struct ck_token *get_token(unsigned int token_id);
/* Return token identified from token instance address */
unsigned int get_token_id(struct ck_token *token);
/* Access to persistent database */
struct ck_token *init_persistent_db(unsigned int token_id);
void update_persistent_db(struct ck_token *token);
void close_persistent_db(struct ck_token *token);
enum pkcs11_rc hash_pin(enum pkcs11_user_type user, const uint8_t *pin,
size_t pin_size, uint32_t *salt,
uint8_t hash[TEE_MAX_HASH_SIZE]);
enum pkcs11_rc verify_pin(enum pkcs11_user_type user, const uint8_t *pin,
size_t pin_size, uint32_t salt,
const uint8_t hash[TEE_MAX_HASH_SIZE]);
/*
* Pkcs11 session support
*/
struct pkcs11_client *tee_session2client(void *tee_session);
struct pkcs11_client *register_client(void);
void unregister_client(struct pkcs11_client *client);
struct pkcs11_session *pkcs11_handle2session(uint32_t handle,
struct pkcs11_client *client);
static inline bool pkcs11_session_is_read_write(struct pkcs11_session *session)
{
return session->state == PKCS11_CKS_RW_PUBLIC_SESSION ||
session->state == PKCS11_CKS_RW_USER_FUNCTIONS ||
session->state == PKCS11_CKS_RW_SO_FUNCTIONS;
}
static inline bool pkcs11_session_is_public(struct pkcs11_session *session)
{
return session->state == PKCS11_CKS_RO_PUBLIC_SESSION ||
session->state == PKCS11_CKS_RW_PUBLIC_SESSION;
}
static inline bool pkcs11_session_is_user(struct pkcs11_session *session)
{
return session->state == PKCS11_CKS_RO_USER_FUNCTIONS ||
session->state == PKCS11_CKS_RW_USER_FUNCTIONS;
}
static inline bool pkcs11_session_is_so(struct pkcs11_session *session)
{
return session->state == PKCS11_CKS_RW_SO_FUNCTIONS;
}
static inline
struct ck_token *pkcs11_session2token(struct pkcs11_session *session)
{
return session->token;
}
/* Entry point for the TA commands */
enum pkcs11_rc entry_ck_slot_list(uint32_t ptypes, TEE_Param *params);
enum pkcs11_rc entry_ck_slot_info(uint32_t ptypes, TEE_Param *params);
enum pkcs11_rc entry_ck_token_info(uint32_t ptypes, TEE_Param *params);
enum pkcs11_rc entry_ck_token_mecha_ids(uint32_t ptypes, TEE_Param *params);
enum pkcs11_rc entry_ck_token_mecha_info(uint32_t ptypes, TEE_Param *params);
enum pkcs11_rc entry_ck_open_session(struct pkcs11_client *client,
uint32_t ptypes, TEE_Param *params);
enum pkcs11_rc entry_ck_close_session(struct pkcs11_client *client,
uint32_t ptypes, TEE_Param *params);
enum pkcs11_rc entry_ck_close_all_sessions(struct pkcs11_client *client,
uint32_t ptypes, TEE_Param *params);
enum pkcs11_rc entry_ck_session_info(struct pkcs11_client *client,
uint32_t ptypes, TEE_Param *params);
enum pkcs11_rc entry_ck_token_initialize(uint32_t ptypes, TEE_Param *params);
enum pkcs11_rc entry_ck_init_pin(struct pkcs11_client *client,
uint32_t ptypes, TEE_Param *params);
enum pkcs11_rc entry_ck_set_pin(struct pkcs11_client *client,
uint32_t ptypes, TEE_Param *params);
enum pkcs11_rc entry_ck_login(struct pkcs11_client *client,
uint32_t ptypes, TEE_Param *params);
enum pkcs11_rc entry_ck_logout(struct pkcs11_client *client,
uint32_t ptypes, TEE_Param *params);
#endif /*PKCS11_TA_PKCS11_TOKEN_H*/
|
