[RFC] libsks for Pkcs#11 services through OP-TEE SKS TA #138
f9f08af to 7d55242
a bit more review
LGTM in general, possible errors in the function parameters can still be weeded out when the functions are actually implemented.
Minor question but to be clarified asap if possible: since removing the SKS meaningless acronym, I'm looking for a nice name for the client library. Not too small, not too long, to address a cryptoki integration in a GTD TEE env (as OP-TEE is).
7d55242 to 41cb553
Refer to OP-TEE/optee_test#281 (comment) for running the basic test.
I'd prefer
let's go for
Comments for the commit "libckteec: Introduce PKCS#11 API (2.40-e01) header"
Comments for the commit "libckteec: fully stubbed cryptoki API"
Comment for the commit "libckteec: local utilities":
There's no ASSERT defined in this commit, please update the commit message.
For the commit "libckteec: implement C_GetFunctionList()":
Acked-by: Jens Wiklander <[email protected]>
Comment for "libckteec: introduce minimal PKCS11 TA API"
Comment for the commit "libckteec: helpers for Cryptoki/PKCS11 TA IDs conversion"
Comment for the commit "libckteec: debug helpers for PKCS#11 IDs as strings"
Comments for commit "libckteec: generic invocation of the PKCS11 TA"
Comments for "libckteec: sanity on APIs regarding library initialization"
Hello,
41cb553 to e249062
For commit "libckteec: local utilities" + fixup:
For commit "libckteec: generic invocation of the PKCS11 TA":
For commit "libckteec: sanity on APIs regarding library initialization":
Added late fixup on top of the series for an issue reported by Travis.
Please rebase on master to include checkpatch in the review.
19c1b4c to d09cef6
Update for checkpatch compliance. I squashed all fixups related to checkpatch complaints in "libckteec: Introduce PKCS#11 API (2.40-e01) header …". I see there are still failures. Most I'll fix. But there are some I don't understand what is wrong with:
I'm fine with ignoring the
Let me know when you're done with the current updates and I'll go through it once more.
d09cef6 to 72df84b
I am done with the updates.
Looks good to me.
Library ckteec will implement the PKCS#11 API using the PKCS11 trusted application executing in OP-TEE as backend token. Implement pkcs11.h header file that partially covers the PKCS#11 specification. Resources initially planned to be supported are defined. The header will need to be updated with remaining PKCS#11 definition when related support will be implemented. Signed-off-by: Etienne Carriere <[email protected]> Acked-by: Jens Wiklander <[email protected]>
Define the few platform macros expected by the cryptolib header files. Initial source file: the API functions from pkcs11_api.c. Builds from Makefile or from CMake. Signed-off-by: Etienne Carriere <[email protected]> Acked-by: Jens Wiklander <[email protected]>
Define ARRAY_SIZE() helper macros for library internal purposes. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
C_GetFunctionList() returns the list of the functions supported by the PKCS#11 implementation. Signed-off-by: Etienne Carriere <[email protected]> Acked-by: Jens Wiklander <[email protected]>
Introduce the PKCS11 TA API (pkcs11_ta.h) with only 1 command defined and the PKCS11 return code values. Command PKCS11_CMD_PING is used when initializing the library to check PKCS11 TA availability and compatibility (version info). Signed-off-by: Etienne Carriere <[email protected]> Acked-by: Jens Wiklander <[email protected]>
The PKCS11 TA uses IDs that mostly relate to defined PKCS#11 IDs but with different numerical value. These helpers convert PKCS#11 IDs into/from PKCS11 TA IDs. This change introduces conversion from GPD TEE Client error codes into CryptoKi return values. Signed-off-by: Etienne Carriere <[email protected]> Acked-by: Jens Wiklander <[email protected]>
Library opens a single TEE session against the PKCS11 TA regardless of the PKCS#11 token reached in the TA. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
PKCS#11 specifies library must be initialized prior to being used but for 2 API functions, C_Initialize() and C_GetFunctionList(). Library initialization first invokes the PKCS11 TA and checks its availability and version information. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
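The initialization gate and the TEE-to-Cryptoki return-code conversion described in the commit messages above, as an added sketch that is not code from this pull request. All `demo_*` names, the stubbed ping result and the choice of mapping are assumptions; the numeric values are those of the PKCS#11 2.40 and GPD TEE Client API specifications.

```c
#include <stdbool.h>
#include <stdint.h>

typedef unsigned long CK_RV;
/* Return values as numbered in the PKCS#11 2.40 specification */
#define CKR_OK                           0x000UL
#define CKR_ARGUMENTS_BAD                0x007UL
#define CKR_DEVICE_ERROR                 0x030UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL
/* Result codes as numbered in the GPD TEE Client API */
#define TEEC_SUCCESS              0x00000000u
#define TEEC_ERROR_BAD_PARAMETERS 0xFFFF0006u

static bool lib_inited;                   /* hypothetical library state */
uint32_t demo_ping_result = TEEC_SUCCESS; /* constructed stand-in for the TA's ping reply */

/* Assumed mapping: an unrecognised TEE error fails closed as a device error. */
CK_RV demo_teec2ck_rv(uint32_t res)
{
	switch (res) {
	case TEEC_SUCCESS:              return CKR_OK;
	case TEEC_ERROR_BAD_PARAMETERS: return CKR_ARGUMENTS_BAD;
	default:                        return CKR_DEVICE_ERROR;
	}
}

/* The library becomes usable only if the TA answered the ping. */
CK_RV demo_initialize(void)
{
	if (lib_inited)
		return CKR_CRYPTOKI_ALREADY_INITIALIZED;
	CK_RV rv = demo_teec2ck_rv(demo_ping_result);
	lib_inited = (rv == CKR_OK);
	return rv;
}

/* Stand-in for every API function that is not exempt from the gate. */
CK_RV demo_gated_call(void) { return lib_inited ? CKR_OK : CKR_CRYPTOKI_NOT_INITIALIZED; }

/* Exempt like C_GetFunctionList(): answers before initialization. */
CK_RV demo_get_function_list(const void **list)
{
	static CK_RV (*const tbl[])(void) = { demo_initialize, demo_gated_call };
	return list ? (*list = tbl, CKR_OK) : CKR_ARGUMENTS_BAD;
}

int main(void) { return demo_gated_call() == CKR_CRYPTOKI_NOT_INITIALIZED ? 0 : 1; }
```

A failed ping leaves the library uninitialized, so a later gated call still returns `CKR_CRYPTOKI_NOT_INITIALIZED` rather than reaching a TA that did not respond.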
2b6dd77 to 67f24d6
squashed. tags applied.
FYI, I've noticed that this PR breaks the
$ cd build && make -j`nproc` optee-client-common
make -C /home/jbech/devel/optee_projects/qemu/build/../optee_client CROSS_COMPILE="/usr/bin/ccache /home/jbech/devel/optee_projects/qemu/build/../toolchains/aarch32/bin/arm-linux-gnueabihf-
" CFG_TEE_BENCHMARK=n CFG_TA_TEST_PATH=y
make[1]: Entering directory '/home/jbech/devel/optee_projects/qemu/optee_client'
Building libteec.so
Building libckteec.so
CC src/ck_helpers.c
CC src/pkcs11_api.c
CC src/invoke_ta.c
CC src/tee_client_api.c
CC src/teec_trace.c
LINK /home/jbech/devel/optee_projects/qemu/optee_client/libckteec/../out/libckteec/libckteec.so.0.1.0
AR /home/jbech/devel/optee_projects/qemu/optee_client/libckteec/../out/libckteec/libckteec.a
/home/jbech/devel/optee_projects/reference/toolchains/aarch32/bin/../lib/gcc/arm-linux-gnueabihf/8.3.0/../../../../arm-linux-gnueabihf/bin/ld: cannot find -lteec
collect2: error: ld returned 1 exit status
Makefile:47: recipe for target '/home/jbech/devel/optee_projects/qemu/optee_client/libckteec/../out/libckteec/libckteec.so.0.1.0' failed
make[2]: *** [/home/jbech/devel/optee_projects/qemu/optee_client/libckteec/../out/libckteec/libckteec.so.0.1.0] Error 1
Makefile:40: recipe for target 'build-libckteec' failed
make[1]: *** [build-libckteec] Error 2
make[1]: *** Waiting for unfinished jobs....
AR /home/jbech/devel/optee_projects/qemu/optee_client/libteec/../out/libteec/libteec.a
LINK /home/jbech/devel/optee_projects/qemu/optee_client/libteec/../out/libteec/libteec.so.1.0.0
make[1]: Leaving directory '/home/jbech/devel/optee_projects/qemu/optee_client'
common.mk:413: recipe for target 'optee-client-common' failed
make: *** [optee-client-common] Error 2
@jbech-linaro I've noticed that too, does not happen every time. Now I have double checked, it's just a missing dependency. I'll create a PR.
This change introduces an implementation of the Pkcs#11 Cryptoki library that interfaces with a specific trusted application on the secure side provided by the optee_os source tree.
This P-R implements the basics for the client library. The effective implementation of the services will come later. However this P-R still introduces a first TA command for this initial P-R to at least invoke the SKS TA to check it is available when library is initialized.
This P-R does not introduce the full TA API itself that is being reviewed through (edited: OP-TEE/optee_os#2732). The client library will integrate the released TA API once it is approved and merged in optee_os mainline.
This P-R replaces #121.
edited, url of TA API P-R and below
#139 proposes the first commits of this RFC.