Secure key services: step1: TA basics and API #2342
Conversation
SKS aims at providing PKCS#11 compliant services through a trusted application operating as a secure service provider. This is the first step. It defines the trusted application, its entry points and an initial API. The TA API is defined in sks_ta.h and should be exported to the client. This commit introduces the first command: SKS_CMD_PING, used to check TA availability and later retrieve design version information. Signed-off-by: Etienne Carriere <[email protected]>
|
checkpatch is complaining on many stuff... I will push a new proposal that matches checkpatch directives. |
The TA API currently defines invocation commands to support the
Cryptoki functions for slot/token/session management
This change defines the TA commands but not yet the IDs used for
identifying cryptography operations and object attributes. This
will come in a next patch.
The TA API involves several byte serialization of invocation parameters.
Some commands expect several data (i.e 32bit handles) to be stored
one next to the other in the input parameter buffer reference. I.e:
SKS_CMD_DESTROY_OBJECT - Destroy an object
param#0: input-memref : [uint32_t session_handle]
[uint32_t object_handle]
Other commands get arguments in serialized buffer provided as a binary
blob as argument. For example SKS_CMD_CK_INIT_PIN where the arguments
are a 32bit handle followed by a 32bit size info followed by a PIN
value of size the 2nd 32bit size info argument:
SKS_CMD_CK_INIT_PIN - Initialiaze PKCS#11 token PIN
param#0: input-memref : [uint32_t session_handle]
[uint32_t pin_len]
[uint8_t pin[pin_len]]
Last, some data parameters relate to more complex structure. These
are stored serialized staring with a header that allows to find the
object full byte size. For example, object are defined by a list of
attributes, each defined by an ID, a value size and the attribute value
data. Such list of sized defined attributes are binary blobs used in
serialized command parameters. Importing a raw clear object uses:
SKS_CMD_IMPORT_OBJECT - Open Read/Write Session
param#0: input-memref : [uint32_t session_handle]
[struct sks_object_head attribs + its data]
Signed-off-by: Etienne Carriere <[email protected]>
Signed-off-by: Etienne Carriere <[email protected]>
Another type of serialized data used by SKS are the cryptography processing parameters. When initiating a cryptography operation, some initialization parameters may be needed as an IV in a symmetric AES CBC ciphering. Structure of such parameter is very specific to cryptography processing used hence each the serialized format used in the TA API must be defined per processing algorithm. Signed-off-by: Etienne Carriere <[email protected]>
Signed-off-by: Etienne Carriere <[email protected]>
For the SKS to provide client a meaningful retrun code, the GPD TEE command invocation return code is forced to TEE_SUCCESS and client is expected to read to effective SKS return code (which can notify a success or a failure) from the SK TA API. The first memref argument is used to store this SKS statuc info when defined as an input/output memref by the client. In such case, the output memref is a 32bit buffer that stores the SKS return code. Signed-off-by: Etienne Carriere <[email protected]>
|
New serie that complies with checkpatch (needed to squash the commits to get a clean CI status) |
| }; | ||
|
|
||
| /* flags */ | ||
| #define SKS_PROC_HW BIT(0UL) |
There was a problem hiding this comment.
Would be nice to have a common prefix with the struct name. Such as
struct sks_ckm_info {
...
};
#define SKS_CKM_ENCRYPT ...
There was a problem hiding this comment.
fixed. UL useless removed.
thanks.
| * by the caller. These data can be a object handle, a ciphered stream, etc. | ||
| * | ||
| * - Parameter #3 is not used. | ||
| */ |
There was a problem hiding this comment.
I don't think this whole comment adds much. Assuming the parameters for each command are properly described, things should be clear enough.
There was a problem hiding this comment.
Ok, this may be confusing.
It is a generic description that applies to all commands.
It is not included yet. One shall build the TA as a standard TA, pointing to optee_os/ta_services/secure_key_services/Makefile
Directory ta/ is current storing TA build resources, not service TAs code. |
Well, I don't feel good carrying code that cannot be built by the CI loop. It should not bee too hard to build the TA based on some CFG_ flag. |
Clean makefile. Refine description of TA commands ABI. Remove the TODO comments. Signed-off-by: Etienne Carriere <[email protected]>
Remove unclear comments. Update invocation command ABI info. Rename the SKS IDs that relate to a cryptoki ID: the SKS macro is labeled SKS_CKx_xxxxxx for a cryptoki ID CKx_xxxx. Signed-off-by: Etienne Carriere <[email protected]>
Use SKS_CKO_xxx, SKS_CKK_xxx as macro name. Signed-off-by: Etienne Carriere <[email protected]>
Update to SKS_CKM_xxx for mechanism IDs. Signed-off-by: Etienne Carriere <[email protected]>
|
comments expected addressed.
|
I understand. OP-TEE/build#261 will insure the TA is built and tested on
There is even a request to allow a |
|
I still think that if the source is in optee_os, the TA has to be built in optee_os. |
|
That's true, but things get tricky when bulding optee_os outside buildroot and building filesystem content from buildroot. With the service TAs, optee_os now should be built in both environment. Yet, I am ok to plan to have I think one should still be able to build the service TAs from their optee_os sources using a specifc external TA devkit file tree. |
Can't buildroot fetch the pre-built TAs from the external optee_os directory?
I can take care of this. My idea is to add a new target: I agree that we could later support building in one step without specifying the clumsy TA file.
It's OK, external stuff can always point to files in optee_os. |
|
The problem of building the TA is been addressed in one way in https://github.com/jenswi-linaro/optee_os/tree/keymaster |
|
@jenswi-linaro Ha! That's more or less what I had in mind, except for the fact that I don't like the recursive make invocation very much. But it is certainly acceptable if it simplifies things (re-using the TA dev kit stuff would be a good reason). |
| * | ||
| * The TA instance may represent several PKCS#11 slots and associated tokens. | ||
| * This command relates the PKCS#11 API function C_GetSlotList and return the | ||
| * valid IDs recognized by the trsuted application. |
| /* | ||
| * SKS_CMD_SIGN_FINAL - Initialize a signature computation processing | ||
| * SKS_CMD_VERIFY_FINAL - Initialize a signature verification processing | ||
| * |
There was a problem hiding this comment.
s/Initialize/Finalize in description for both Sign and Verify
| #define SKS_CMD_GET_ATTRIBUTE_VALUE 0x00000021 | ||
|
|
||
| /* | ||
| * SKS_CMD_SET_ATTRIBUTE_VALUE - Set the value for object attrbiute(s) |
| * | ||
| * The TA instance may represent several PKCS#11 slots and associated tokens. | ||
| * This command relates the PKCS#11 API function C_GetSlotList and return the | ||
| * valid IDs recognized by the trsuted application. |
| }; | ||
|
|
||
| /* flags */ | ||
| #define SKS_PROC_HW BIT(0UL) |
There was a problem hiding this comment.
fixed. UL useless removed.
thanks.
Signed-off-by: Etienne Carriere <[email protected]>
Signed-off-by: Etienne Carriere <[email protected]>
Signed-off-by: Etienne Carriere <[email protected]>
s/blobs/attrs/g in struct sks_object_head. Signed-off-by: Etienne Carriere <[email protected]>
|
Can we status on directory path? optee_os/ta_services/ or optee_os/ta/ ? |
I'm fine with either one of them. Pick the one that you like and if can't/don't want to make up your mind, then why not just stick with the ta_services, I think that is what we proposed initially. |
|
Superseded by #2732. |
Propose a service trusted application in optee_os to propose Pkcs#11 services.
This P-R introduces the trusted application implementation basics (entry point, build scripts, ...) and the TA API description through an exported header file.
The TA API designed is documented in the SKS TA API shared doc.
This change is related to P-Rs: