pkcs11: Add TEE Identity based authentication support#236
pkcs11: Add TEE Identity based authentication support#236jforissier merged 6 commits intoOP-TEE:masterfrom
Conversation
etienne-lms
left a comment
etienne-lms
left a comment
There was a problem hiding this comment.
Only minor comments.
For both commits, prefer start log header line with libckteec: and add () to function labels. Also add a description line between header line and S-o-b tag in commit "C_Login: Allow NULL_PTR PIN entry.". i.e.
libckteec: Allow NULL_PTR PIN entry in C_Login()
Allow C_Login() to transport a null PIN reference as when protected
authentication path is used.
Signed-off-by: Vesa Jääskeläinen <[email protected]>
OK |
vesajaaskelainen
force-pushed
the
token-acl
branch
from
a8ab0b4 to
f8cb453
Compare
Updated commit messages. |
vesajaaskelainen
force-pushed
the
token-acl
branch
from
f8cb453 to
bbd669d
Compare
|
@etienne-lms I believe I have addressed all your comments. Also tested (and fixed) PIN == NULL_PTR cases for methods that use PIN as input. |
|
I was thinking about could xtest be used here somehow but seems rather challenging as there is no API to reset the token back to initial state without performing clearing secure storage and reboot 😞. Also switching to different identities and somehow having common identities can be a bit of problem. |
|
Maybe a debug command to reset a token even without the SO credentials? |
If it would have some magic name then perhaps that could enable reset token feature. This magic name would just be something that normally would not be used. What I would like to have is that we can run xtest (and other tests) on to be released TA binaries to verify that everything is still looking good and if automated tests pass then mark release gate for those TA's as tests has passed. Eg. so that the binary would be intact and no need to compile it differently. |
|
Currently xtest lists the slots and picks the last last to run its tests. |
etienne-lms
left a comment
etienne-lms
left a comment
There was a problem hiding this comment.
@ruchi393, does this change look ok to you?
@vesajaaskelainen, LGTM (with checkpatch report addressed) but I wait for OP-TEE/optee_os#4222 before posting my R-b tag.
I think this is a nice feature, thanks for sharing.
| if ((errno == ERANGE) || (tmpconv > (gid_t)-1) || | ||
| (login_gid_env + strlen(login_gid_env) != endp)) { |
There was a problem hiding this comment.
CI/checkpatch issue report:
4e56bdb libckteec: Use environment variables to determine OP-TEE TA login
CHECK: Unnecessary parentheses around 'errno == ERANGE'
#68: FILE: libckteec/src/invoke_ta.c:267:
+ if ((errno == ERANGE) || (tmpconv > (gid_t)-1) ||
+ (login_gid_env + strlen(login_gid_env) != endp)) {
total: 0 errors, 0 warnings, 1 checks, 63 lines checked
I.e.:
if (errno == ERANGE || tmpconv > (gid_t)-1 ||
(login_gid_env + strlen(login_gid_env) != endp)) {
...
}There was a problem hiding this comment.
$ CHECKPATCH=../linux/scripts/checkpatch.pl ../optee_os/scripts/checkpatch.sh 0eaddfc570b557c39148ff2e7faccaba8e07d55a
Checking commit(s):
0eaddfc libckteec: Use environment variables to determine OP-TEE TA login
total: 0 errors, 0 warnings, 110 lines checked
"[PATCH] libckteec: Use environment variables to determine OP-TEE TA" has no obvious style problems and is ready for submission.Where as linux == v5.10-rc1.
Then wondering the difference:
$ cp ../optee_os/scripts/checkpatch.sh scripts/
$ CHECKPATCH=../linux/scripts/checkpatch.pl scripts/checkpatch.sh 0eaddfc570b557c39148ff2e7faccaba8e07d55a
Checking commit(s):
0eaddfc libckteec: Use environment variables to determine OP-TEE TA login
CHECK: Unnecessary parentheses around 'errno == ERANGE'
#121: FILE: libckteec/src/invoke_ta.c:267:
+ if ((errno == ERANGE) || (tmpconv > (gid_t)-1) ||
+ (login_gid_env + strlen(login_gid_env) != endp)) {
total: 0 errors, 0 warnings, 1 checks, 110 lines checked
Shall we copy the checkpatch.sh also to this repo?
vesajaaskelainen
force-pushed
the
token-acl
branch
2 times, most recently
from
bd1f882 to
8e8b284
Compare
vesajaaskelainen
force-pushed
the
token-acl
branch
from
8e8b284 to
20a08f8
Compare
|
Just rebased on top of master. |
etienne-lms
left a comment
etienne-lms
left a comment
There was a problem hiding this comment.
Reviewed-by: Etienne Carriere <[email protected]> with comment on 1st commit.
It would be nice we have something in optee_test/host/xtest/pkcts11_1000.c to test a bit this but it may tricky to test invalid identities.
Add initialization for variables as required by coding convention. Reviewed-by: Etienne Carriere <[email protected]> Signed-off-by: Vesa Jääskeläinen <[email protected]>
C_Initialize() needs to know what kind of OP-TEE TA login is needed. CKTEEC_LOGIN_TYPE is used to specify login type: - "public" -> TEEC_LOGIN_PUBLIC - "user" -> TEEC_LOGIN_USER - "group" -> TEEC_LOGIN_GROUP When login type is "group" then CKTEEC_LOGIN_GID must be numerical group id. Reviewed-by: Etienne Carriere <[email protected]> Signed-off-by: Vesa Jääskeläinen <[email protected]>
Allow C_InitToken() to transport a null PIN reference as when protected authentication path is used. Specified in: PKCS OP-TEE#11 Cryptographic Token Interface Base Specification Version 2.40 Plus Errata 01 C_InitPIN Reviewed-by: Etienne Carriere <[email protected]> Signed-off-by: Vesa Jääskeläinen <[email protected]>
Allow C_Login() to transport a null PIN reference as when protected authentication path is used. Specified in: PKCS OP-TEE#11 Cryptographic Token Interface Base Specification Version 2.40 Plus Errata 01 C_Login Reviewed-by: Etienne Carriere <[email protected]> Signed-off-by: Vesa Jääskeläinen <[email protected]>
Allow C_InitPIN() to transport a null PIN reference as when protected authentication path is used. Specified in: PKCS OP-TEE#11 Cryptographic Token Interface Base Specification Version 2.40 Plus Errata 01 C_InitPIN Reviewed-by: Etienne Carriere <[email protected]> Signed-off-by: Vesa Jääskeläinen <[email protected]>
Allow C_SetPIN() to transport a null PIN reference as when protected authentication path is used. Specified in: PKCS OP-TEE#11 Cryptographic Token Interface Base Specification Version 2.40 Plus Errata 01 C_SetPIN Reviewed-by: Etienne Carriere <[email protected]> Signed-off-by: Vesa Jääskeläinen <[email protected]>
vesajaaskelainen
force-pushed
the
token-acl
branch
from
20a08f8 to
8b96990
Compare
Thanks for the review! Fixed and applied tags. |
I believe we need to improve the testing support for tokens in overall first and then we can try to add tests also for these. This is kinda integration testing not unit testing level problem as we would need to navigate to different identities in a way that people can still run xtest successfully. I would prefer that we do these as separate things. |
3 participants
Please see OP-TEE/optee_os#4222 for testing and usage instructions.
Implements:
OP-TEE/optee_os#3946