Queries related to PKCS11 based tests #721
Comments
|
Hi @anvisriv,
All pkcs11 test from xtest are expected to pass.
Pkcs11 API functions differ from GP TEE API functions in how to get an output buffer size. With Pkcs11, to query an output buffer size, you can either pass a NULL pointer (in which case you get an CKR_OK status with the size output argument set) or you can pass a too small buffer (in which case you get a CKR_BUFFER_TOO_SMALL status and the size output argument set). pkcs11 xtest test are implemented using Pkcs11 cryptoki API functions. |
|
Hi @etienne-lms
Can you please tell me where the output size is calculated for the ‘NULL buffer case with size as 0’ subtest of PKCS11 Test 1008? |
|
The trick is done in the cryptoki API library. When a NULL ref is passed by caller, the API passes a 0 size non-null memref to the TA and expects Regarding if (sign_ref && sign_len && *sign_len)
io = ckteec_register_shm(sign_ref, *sign_len,
sign ? CKTEEC_SHM_OUT : CKTEEC_SHM_IN);
else
io = ckteec_alloc_shm(0, sign ? CKTEEC_SHM_OUT : CKTEEC_SHM_IN);
if (!io) {
rv = CKR_HOST_MEMORY;
goto bail;
}
rv = ckteec_invoke_ta(sign ? PKCS11_CMD_SIGN_FINAL :
PKCS11_CMD_VERIFY_FINAL, ctrl, NULL, io,
&io_size, NULL, NULL);
if (sign && sign_len && (rv == CKR_OK || rv == CKR_BUFFER_TOO_SMALL))
*sign_len = io_size;
if (rv == CKR_BUFFER_TOO_SMALL && io_size && !sign_ref)
rv = CKR_OK;The same sequence is implemented in other cryptoki API functions, for example |
|
Thanks for the explanation regarding the error codes. Could you also explain how the output_size would be handeled in these cases? |
|
Hi @etienne-lms |
The sequence is:
Does that answer your question? |
Hi @etienne-lms Also, can you please tell which PKCS11 specification(v2.4 or v3.1) does current implementation follow? |
It is part of the GP TEE Internal core API that there are functions that are expected to return
We mainly follow the spec PKCS11 spec v2.4 with some extra support from the spec v3.0, if i'm right. |
|
Hi @etienne-lms Can you please point me in the GP specification where it says it is supposed to return size in these cases? |
|
This is described in section 3.4.4 [outbuf] in TEE Internal Core API specification v1.3.1:
|
Hi @etienne-lms Could you also explain why the size is expected in subtest https://github.com/OP-TEE/optee_test/blob/4.0.0/host/xtest/pkcs11_1000.c#L6001? As per section 3.4.4,
Also,
|
|
Becareful. https://github.com/OP-TEE/optee_test/blob/4.0.0/host/xtest/pkcs11_1000.c#L6001 relies on the PKCS#11 API, not the GP TEE API. PKCS#11 API behave differently: |
|
Hi @etienne-lms Also, could you please help with the flow for the below test case? xtest_pkcs11_test_1018 |
|
The test instruction you point to calls
It the pkcs11 returns |
|
Hi @etienne-lms
|
|
Libmbedtls integrated in OP-TEE is based on mainline mbedtls (https://github.com/Mbed-TLS/mbedtls.git). Its revision tag depends on the OP-TEE release tag. Latest OP-TEE, since tag 4.0.0 is based on mbedtls-3.4.0; OP-TEE tags 3.19.0 to 3.22.0 were based on mbedtls-2.28.1; etc... See the Git history of OP-TEE OS directory lib/libmbedtls for more information. |
|
Hi @etienne-lms
|
|
Hi @etienne-lms |
|
TEE_ALG_RSASSA_PKCS1_V1_5 is also defined in "Table C-1: Normative References for Algorithms" of the GP TEE Internal Core API spec v1.3.1, see page 364.
You mean the pkcs11 TA should have panicked for that test? We need to cross check this. |
|
Hi @etienne-lms
The TEE_ALG_RSASSA_PKCS1_V1_5 is used in combination with SHA, but unlike TEE_ALG_RSAES_PKCS1_V1_5, there is no standalone symbol defined for it. Could you please verify once more if this symbol is specific to OPTEE? |
|
My bad, I was to quick grepping into the spec document. |
|
Hi @etienne-lms For ECDSA usecase, TA is determining TEE algorithm based on the key size of ECDSA(here) while the GP specification v1.3 in section B.3 Deprecated Algorithm Identifiers Page 352 says:
Can you please confirm what is the right expectation? Adding one more query. |
|
Hi @etienne-lms did you get a chance to check? |
|
Hi @etienne-lms In bget there is Assuming all the BGET configurations are disabled. In the above call flow i didn't find where the poolset's freelist is getting modified to return otherwise from bget. Can you please guide and clarify the understanding? |
|
Hi @etienne-lms Adding one more question to the list :)
But, in case of test 1026, the test client is only setting first 5 attributes for unwrapping key. Will it not cause any issue in TEE_PopulateTransientObject in case of Unwrap usecase? |
|
Sorry, I've not looked at your request. I'll try to find a bit of time.... |
|
Hi @etienne-lms |
|
Hi @etienne-lms Did you got a chance to check? |
|
Hi @anvisriv, sorry for my late feedback. /Regarding comment #721 (comment):
These API functions are described in the PKCS#11 spec (e.g. https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/os/pkcs11-base-v3.0-os.html#_Toc29976646 for /Regarding comment #721 (comment):
Unless I missed something, the pkcs11 TA does consider this constriaint: see https://github.com/OP-TEE/optee_os/blob/4.2.0/ta/pkcs11/src/processing_rsa.c#L562-L593. /Regarding comment #721 (comment) on bget: I'm not shure to understand your question. Do you face issues with bget allocator integration? It's been used since a while in OP-TEE core and TAs. /Regarding comment #721 (comment) on ECDSA and PKCS#11 key wrapping with RSA:
This is still an open point. A pull request was created last summer but stalled before reaching a clean conclusion, see OP-TEE/optee_os#6230. I think the issue is still pending and deserves investigation.
Pkcs11 TA implementation embeds MbedTLS library and supports key wrapping. There is nothing to configure, but ensure the TA heap is sized enough ( |
|
Hi @etienne-lms
Even in the absence of exponent1, exponent2, and coefficient, the count will continue to increment, potentially leading to complications when invoking TEE_PopulateTransientObject. Can you please reverify on your end? Also, thanks for other references. |
|
Hi @anvisriv, I took the liberty of creating a P-R for the RSA attributes in the pkcs11 TA. Please see OP-TEE/optee_os#6815. |
|
Hi @etienne-lms |
This change ensures that
I guess it is feasible. Proposals are welcome. |
Maybe the statistics PTA could be used to query the TA heap size before and after the test ? |
Hi @etienne-lms, the count will increase regardless of whether the value is NULL or not NULL, as there is no condition to stop the execution or treat it as an error. Furthermore, the code should handle these three scenarios:
How about we consider redefining malloc, calloc, free, and realloc using macro to track memory allocation in libckteec? This approach may require changes in most of the source code of the library.
Sure, will have a look at it for detecting memory leak in TA. |
Would you be ok to post comments in OP-TEE/optee_os#6815 and discuss the fix on that P-R? I think the P-R is okay:
I guess using Valgrind could help. Instrumenting allocation from libckteec looks also a good solution. Feel free to propose change if you have some ideas. |
|
Hi @etienne-lms
Sure.
Are there any steps available for using Valgrind on PKCS11 TA/lib or any other OPTEE TA/lib? Is ECDHE key derivation supported in PKCS11 lib? I didn't find any test case but see that it is present in TA. Can you please confirm? |
libckteec is a Linux userland library. It should be quite easy I guess to use Valgrind on this library.
True, ECDH is supported but there are no test available in xtest. |
|
Hi @etienne-lms
If not, is there any plan to support above features in upcoming releases? |
|
Hi @etienne-lms any update? |
|
Hi @anvisriv
If Multiclient & Multithreading means concurrently executing PKCS#11 services, then no, it is not supported: the pkcs11 TA processes requests 1 by 1, sequentially. See discussion thread OP-TEE/optee_os#6900.
CKM_ECDH1_DERIVE is implemented (currently only supports KDF type CKD_NULL), but sorry, I see it lacks test cases in optee_test. |
|
Hi @etienne-lms |
The value was initially set to 3 to default have at least a token for platforms needs and a token for test purpose that would not mess up with the token used for some real use case in the default configuration. OP-TEE test uses the last token ID for pkcs11 non-regression tests. 3 is quite empiric. It could have been 2.
I guess this is the right forum for question on the PKCS#11 TA. My apologies if I missed some of your questions. Please resend them as a comment post in this Issue or using a dedicate Issue entry. |
|
Hi, Regarding Multithreading support, can you address this from reentrancy point of view? |
|
TAs are not reentrant, applies to the pkcs11 TA. |
|
Hi @etienne-lms
|
|
Hi @anvisriv,
There are several areas where the PKCS#11 spec allows vendor to define IDs that are not interoperable: object classes, HW capabilities, key types and object attributes. They allow client applications to use vendor specific token features assuming the client application knows it interacts with a compliant vendor token. In OP-TEE pkcs11 TA, we currently use only 1 vendor attribute ID, for EC private keys to store the curve point. This is driven by a requirement in the GP TEE API spec. However, OP-TEE pkcs11 TA does not expose this attribute to the client so it remains inside the pkcs11 TA and is not expected have interoperability impacts with standard PKCS#11 clients.
OP-TEE pkcs11 TA relies on GP TEE Internal Core API spec for persistent storage and crypto operations (and a bit more). However, the GP TEE spec we're based on does not provide some operations needed for few PKCS#11 features while mbedTLS lib does and is available to OP-TEE TAs since a while. Therefore, we use mbedtls for some operations, see
This feature allows to replace the PKCS#11 client login/authentication (supervisor and user) based on PIN with an client authentication based on Linux OS user ID or group ID (managed by Linux ACL). When |
|
Hi @etienne-lms Q1. Will token object persist in scenario described below?
Q2. When a TEE_PANIC occurs due to a specific scenario in TZ, is there a method for the client to identify the root cause? (say if TEE_PANIC happens if heap memory runs out) Q3. Are there any restrictions on mechanisms or interfaces for key objects created through hardware tokens? Additionally, which attribute distinguishes objects created from hardware versus software solutions? Is it possible to have CKA_HW_FEATURE_TYPE used for key objects making it CKH_VENDOR_DEFINED? |
Can you please elaborate on what was the delta because of which there was a requirement to use libmbedtls? |
Fix RSA key attributes function load_tee_rsa_key_attrs() that badly checks that the 5 extended RSA attributes are found in the key object. Link: OP-TEE/optee_test#721 (comment) Link: OP-TEE/optee_test#721 (comment) Fixes: 0442c95 ("ta: pkcs11: Add support for RSA signing & verification") Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Vesa Jääskeläinen <[email protected]>
Fix RSA key attributes function load_tee_rsa_key_attrs() that badly checks that the 5 extended RSA attributes are found in the key object. Link: OP-TEE/optee_test#721 (comment) Link: OP-TEE/optee_test#721 (comment) Fixes: 0442c95 ("ta: pkcs11: Add support for RSA signing & verification") Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Vesa Jääskeläinen <[email protected]>
|
Hi @etienne-lms |
|
Hi @anvisrv, sorry for that late answer.
The current pkcs11 TA implementation is made so that object handle at step 5. indeed refers to the initial persistent object. But that is an implementation side effect and implementation can change (for example if the client closes all its sessions towards the pkcs11 TA token). I strongly suggest your client rather relies on the PKCS#11 specification: at step 5, it is safer to find the object (
In case of a TA panic, the client only gets a "TEE_ERROR_TARGET_DEAD" code. In case of a core panic, system will likely hang AFAICT. In both case, only OP-TEE core trace messages can give you some hints of what could have happened.
The PKCS#11 spec puts no restrictions on that but allows tokens (hardware or software ones) to have specific restrictions.
We could introduce a vendor specific attribute to object in the pkcs11 TA but I would not recommend that in the generic pkcs11 TA since such attribute you be meaningful only for specif vendor client applications.
Regarding Regarding EC private key import, the issue is GP TEE API require a private key object to also relate to a public key but that API does while the PKCS#11 API allows a client to import only a private key. Because the GP TEE API does not allow to generate a public key from a private key, we use MbedTLS API to generate an EC point as an object attribute of the PKCS11 object that is not exposed to client and only remains in the TA for internal use. |
|
Hi @etienne-lms |
That is right. The PKCS#11 specification allows token to have objects not destroyed when the token is initialized. Such are vendor specific. I think we can introduce a vendor specific object boolean attribute ID for objects that are to be always persistent. It should be clear however who is responsible for loading such objects: I think at least only SO or maybe USER should be allowed to create such object. |
|
Hi @etienne-lms, |
|
Sure, you are free to create a pull request for any contribution you would like to be discussed. |
|
Hi @etienne-lms, I have noticed that for many PKCS11 mechanisms, test cases have been added to the "optee_test" repository. For instance, test cases for CKM_AES_GCM can be found here: optee_test/host/xtest/pkcs11_1000.c Line 9567 in 695231e However, I observed that test cases for CKM_ECDH1_DERIVE have not been included in the "optee_test" repository. Instead, PKCS11-tool was used for testing this mechanism. Could you please clarify why CKM_ECDH1_DERIVE related test cases were not added to "optee_test" and is there any plan to include these test cases in the future? Additionally, is there any future plan to integrate pkcs11-tool to "optee test" repository? Thanks in advance. |
Indeed, it would be better we have a xtest test case for CKM_ECDH1_DERIVE. I'll try to if I find time. Contributions are welcome.
No and I don't think it would add much value. One can pick the pkcs11-tool source tree and build it if needed. If your are using Buildroot, you only have to enable Using Yocto, using the opensc layer and adding |
Hi Team
If repos (optee_test,optee_client,optee_os)with tag 4.0.0 is used then,
The text was updated successfully, but these errors were encountered: