TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_docs / f4ae3330a57ebafbafb1fa29fa5b140837a04891 / . / architecture / globalplatform_api.rst
blob: d230fd2f008a34344b0919392feeee045d549f9f [file] [log] [blame]
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]1.. _globalplatform_api:
2
3##################
4GlobalPlatform API
5##################
6Introduction
7************
8GlobalPlatform_ works across industries to identify, develop and publish
9specifications which facilitate the secure and interoperable deployment and
10management of multiple embedded applications on secure chip technology. OP-TEE
11has support for GlobalPlatform TEE Client API Specification_ v1.0 (GPD_SPE_007)
Etienne Carriere17bb9b72023-06-26 10:00:50 +0200[diff] [blame]12plus Errata and Precisions 2.0 (GPD_EPR_028) and TEE Internal Core API
13Specification v1.3.1 (GPD_SPE_010).
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]14
15
16.. _tee_client_api:
17
18TEE Client API
19**************
20The TEE Client API describes and defines how a client running in a rich
21operating environment (REE) should communicate with the TEE. To identify a
22Trusted Application (TA) to be used, the client provides an UUID_. All TA's
23exposes one or several functions. Those functions corresponds to a so called
24``commandID`` which also is sent by the client.
25
26TEE Contexts
27============
28The TEE Context is used for creating a logical connection between the client and
29the TEE. The context must be initialized before the TEE Session can be created.
30When the client has completed a job running in secure world, it should finalize
31the context and thereby also release resources.
32
33TEE Sessions
34============
35Sessions are used to create logical connections between a client and a specific
36Trusted Application. When the session has been established the client has opened
37up the communication channel towards the specified Trusted Application
38identified by the ``UUID``. At this stage the client and the Trusted Application
39can start to exchange data.
40
41
42TEE Client API example / usage
43==============================
44Below you will find the main functions as defined by GlobalPlatform and are used
45in the communication between the client and the TEE.
46
47.. code-block:: c
48
49 TEEC_Result TEEC_InitializeContext(
50 const char* name,
51 TEEC_Context* context)
52
53 void TEEC_FinalizeContext(
54 TEEC_Context* context)
55
56 TEEC_Result TEEC_OpenSession (
57 TEEC_Context* context,
58 TEEC_Session* session,
59 const TEEC_UUID* destination,
60 uint32_t connectionMethod,
61 const void* connectionData,
62 TEEC_Operation* operation,
63 uint32_t* returnOrigin)
64
65 void TEEC_CloseSession (
66 TEEC_Session* session)
67
68 TEEC_Result TEEC_InvokeCommand(
69 TEEC_Session* session,
70 uint32_t commandID,
71 TEEC_Operation* operation,
72 uint32_t* returnOrigin)
73
74In principle the commands are called in this order:
75
76.. code-block:: c
77
78 TEEC_InitializeContext(...)
79 TEEC_OpenSession(...)
80 TEEC_InvokeCommand(...)
81 TEEC_CloseSession(...)
82 TEEC_FinalizeContext(...)
83
84It is not uncommon that ``TEEC_InvokeCommand(...)`` is called several times in
85a row when the session has been established.
86
87For a complete example, please see chapter **5.2 Example 1: Using the TEE Client
88API** in the GlobalPlatform TEE Client API Specification_ v1.0.
89
90
91.. _tee_internal_core_api:
92
93TEE Internal Core API
94*********************
95The Internal Core API is the API that is exposed to the Trusted Applications
96running in the secure world. The TEE Internal API consists of four major parts:
97
98 1. Trusted Storage API for Data and Keys
99 2. Cryptographic Operations API
100 3. Time API
101 4. Arithmetical API
102
103Examples / usage
104================
105Calling the Internal Core API is done in the same way as described above using
106Client API. The best place to find information how this should be done is in the
Etienne Carrieredf106e02023-06-26 09:54:51 +0200[diff] [blame]107TEE Internal Core API Specification_ which contains many examples of how
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]108to call the various APIs. One can also have a look at the examples in the
109optee_examples_ git.
110
111
112.. _extensions:
113
114Extensions
115**********
116In addition to what is stated in :ref:`tee_internal_core_api`, there are some
117non-official extensions in OP-TEE.
118
Jerome Forissier6f47b162021-09-20 10:48:22 +0200[diff] [blame]119Trusted Applications should include header file ``tee_internal_api_extensions.h``
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]120to import the definitions of the extensions. For each extension, a configuration
121directive prefixed ``CFG_`` allows one to disable support for the extension when
122building the OP-TEE packages.
123
Etienne Carriere5b99ccc2019-03-11 11:57:30 +0100[diff] [blame]124
125.. _extensions_cache_maintenance:
126
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]127Cache Maintenance Support
128=========================
129Following functions have been introduced in order to allow Trusted Applications
130to operate with the data cache:
131
132.. code-block:: c
133
134 TEE_Result TEE_CacheClean(char *buf, size_t len);
135 TEE_Result TEE_CacheFlush(char *buf, size_t len);
136 TEE_Result TEE_CacheInvalidate(char *buf, size_t len);
137
138These functions are available to any Trusted Application defined with the flag
Etienne Carriere5b99ccc2019-03-11 11:57:30 +0100[diff] [blame]139``TA_FLAG_CACHE_MAINTENANCE`` sets on, see :ref:`ta_property_cache_maintenance`.
140When not set, each function returns the error code ``TEE_ERROR_NOT_SUPPORTED``.
141Within these extensions, a Trusted Application is able to operate on the data
142cache, with the following specification:
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]143
144.. list-table::
145 :widths: 10 60
146 :header-rows: 1
147
148 * - Function
149 - Description
150
151 * - ``TEE_CacheClean()``
152 - Write back to memory any dirty data cache lines. The line is marked as
153 not dirty. The valid bit is unchanged.
154
155 * - ``TEE_CacheFlush()``
156 - Purges any valid data cache lines. Any dirty cache lines are first
157 written back to memory, then the cache line is invalidated.
158
159 * - ``TEE_CacheInvalidate()``
160 - Invalidate any valid data cache lines. Any dirty line are not written
161 back to memory.
162
163In the following two cases, the error code ``TEE_ERROR_ACCESS_DENIED`` is
164returned:
165
166 - The memory range has not the write access, that is
167 ``TEE_MEMORY_ACCESS_WRITE`` is not set.
168 - The memory is **not** user space memory.
169
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]170You may disable this extension by setting the following configuration variable
171in ``conf.mk``:
172
173.. code-block:: make
174
175 CFG_CACHE_API := n
176
177
178.. _rsassa_na1:
179
180PKCS#1 v1.5 RSASSA without hash OID
181===================================
182This extension adds identifer``TEE_ALG_RSASSA_PKCS1_V1_5`` to allow signing and
183verifying messages with RSASSA-PKCS1-v1_5, in `RFC 3447`_, without including the
184OID of the hash in the signature. You may disable this extension by setting the
185following configuration variable in ``conf.mk``:
186
187.. code-block:: make
188
189 CFG_CRYPTO_RSASSA_NA1 := n
190
191The TEE Internal Core API was extended with a new algorithm descriptor.
192
193.. list-table::
194 :widths: 10 60
195 :header-rows: 1
196
197 * - Algorithm
198 - Possible Modes
199
200 * - TEE_ALG_RSASSA_PKCS1_V1_5
201 - TEE_MODE_SIGN / TEE_MODE_VERIFY
202
203.. list-table::
204 :widths: 10 60
205 :header-rows: 1
206
207 * - Algorithm
208 - Identifier
209
210 * - TEE_ALG_RSASSA_PKCS1_V1_5
211 - 0xF0000830
212
213
214.. _concat_kdf:
215
216Concat KDF
217==========
218Support for the Concatenation Key Derivation Function (Concat KDF) according to
219`SP 800-56A`_ (*Recommendation for Pair-Wise Key Establishment Schemes Using
220Discrete Logarithm Cryptography*) can be found in OP-TEE. You may disable this
221extension by setting the following configuration variable in ``conf.mk``:
222
223.. code-block:: make
224
225 CFG_CRYPTO_CONCAT_KDF := n
226
227**Implementation notes**
228
229All key and parameter sizes **must** be multiples of 8 bits. That is:
230
231 - Input parameters: the shared secret (``Z``) and ``OtherInfo``.
232 - Output parameter: the derived key (``DerivedKeyingMaterial``).
233
234In addition, the maximum size of the derived key is limited by the size of an
235object of type ``TEE_TYPE_GENERIC_SECRET`` (512 bytes). This implementation does
236**not** enforce any requirement on the content of the ``OtherInfo`` parameter.
237It is the application's responsibility to make sure this parameter is
238constructed as specified by the NIST specification if compliance is desired.
239
240**API extension**
241
Etienne Carrieredf106e02023-06-26 09:54:51 +0200[diff] [blame]242To support Concat KDF, the :ref:`tee_internal_core_api` v1.3.1 was extended with
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]243new algorithm descriptors, new object types, and new object attributes as
244described below.
245
246**p.95 Add new object type to TEE_PopulateTransientObject**
247
248The following entry shall be added to **Table 5-8**:
249
250.. list-table::
251 :widths: 10 60
252 :header-rows: 1
253
254 * - Object type
255 - Parts
256
257 * - TEE_TYPE_CONCAT_KDF_Z
258 - The ``TEE_ATTR_CONCAT_KDF_Z`` part (input shared secret) must be
259 provided.
260
261**p.121 Add new algorithms for TEE_AllocateOperation**
262
263The following entry shall be added to **Table 6-3**:
264
265.. list-table::
266 :widths: 10 60
267 :header-rows: 1
268
269 * - Algorithm
270 - Possible Modes
271
272 * - TEE_ALG_CONCAT_KDF_SHA1_DERIVE_KEY
273 TEE_ALG_CONCAT_KDF_SHA224_DERIVE_KEY
274 TEE_ALG_CONCAT_KDF_SHA256_DERIVE_KEY
275 TEE_ALG_CONCAT_KDF_SHA384_DERIVE_KEY
276 TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY
277 TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY
278 - TEE_MODE_DERIVE
279
280**p.126 Explain usage of HKDF algorithms in TEE_SetOperationKey**
281
282In the bullet list about operation mode, the following shall be added:
283
284 - For the Concat KDF algorithms, the only supported mode is
285 ``TEE_MODE_DERIVE``.
286
287**p.150 Define TEE_DeriveKey input attributes for new algorithms**
288
289The following sentence shall be deleted:
290
291.. code-block:: none
292
293 The TEE_DeriveKey function can only be used with the algorithm
294 TEE_ALG_DH_DERIVE_SHARED_SECRET.
295
296The following entry shall be added to **Table 6-7**:
297
298.. list-table::
299 :header-rows: 1
300
301 * - Algorithm
302 - Possible operation parameters
303
304 * - TEE_ALG_CONCAT_KDF_SHA1_DERIVE_KEY
305 TEE_ALG_CONCAT_KDF_SHA224_DERIVE_KEY
306 TEE_ALG_CONCAT_KDF_SHA256_DERIVE_KEY
307 TEE_ALG_CONCAT_KDF_SHA384_DERIVE_KEY
308 TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY
309 TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY
310 - TEE_ATTR_CONCAT_KDF_DKM_LENGTH: up to 512 bytes. This parameter is
311 mandatory: TEE_ATTR_CONCAT_KDF_OTHER_INFO
312
313**p.152 Add new algorithm identifiers**
314
315The following entries shall be added to **Table 6-8**:
316
317.. list-table::
318 :header-rows: 1
319
320 * - Algorithm
321 - Identifier
322
323 * - TEE_ALG_CONCAT_KDF_SHA1_DERIVE_KEY
324 - 0x800020C1
325
326 * - TEE_ALG_CONCAT_KDF_SHA224_DERIVE_KEY
327 - 0x800030C1
328
329 * - TEE_ALG_CONCAT_KDF_SHA256_DERIVE_KEY
330 - 0x800040C1
331
332 * - TEE_ALG_CONCAT_KDF_SHA384_DERIVE_KEY
333 - 0x800050C1
334
335 * - TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY
336 - 0x800060C1
337
338**p.154 Define new main algorithm**
339
340In **Table 6-9** in section 6.10.1, a new value shall be added to the value
341column for row bits ``[7:0]``:
342
343.. list-table::
344 :header-rows: 1
345
346 * - Bits
347 - Function
348 - Value
349
350 * - Bits [7:0]
351 - Identifiy the main underlying algorithm itself
352 - ...
353
354 0xC1: Concat KDF
355
356The function column for ``bits[15:12]`` shall also be modified to read:
357
358.. list-table::
359 :header-rows: 1
360
361 * - Bits
362 - Function
363 - Value
364
365 * - Bits [15:12]
366 - Define the message digest for asymmetric signature algorithms or Concat KDF
367 -
368
369**p.155 Add new object type for Concat KDF input shared secret**
370
371The following entry shall be added to **Table 6-10**:
372
373.. list-table::
374 :header-rows: 1
375
376 * - Name
377 - Identifier
378 - Possible sizes
379
380 * - TEE_TYPE_CONCAT_KDF_Z
381 - 0xA10000C1
382 - 8 to 4096 bits (multiple of 8)
383
384**p.156 Add new operation attributes for Concat KDF**
385
386The following entries shall be added to **Table 6-11**:
387
388.. list-table::
389 :header-rows: 1
390
391 * - Name
392 - Value
393 - Protection
394 - Type
395 - Comment
396
397 * - TEE_ATTR_CONCAT_KDF_Z
398 - 0xC00001C1
399 - Protected
400 - Ref
401 - The shared secret (``Z``)
402
403 * - TEE_ATTR_CONCAT_KDF_OTHER_INFO
404 - 0xD00002C1
405 - Public
406 - Ref
407 - ``OtherInfo``
408
409 * - TEE_ATTR_CONCAT_KDF_DKM_LENGTH
410 - 0xF00003C1
411 - Public
412 - Value
413 - The length (in bytes) of the derived keying material to be generated,
414 maximum 512. This is ``KeyDataLen`` / 8.
415
416
417.. _hkdf:
418
419HKDF
420====
421OP-TEE implements the *HMAC-based Extract-and-Expand Key Derivation Function
422(HKDF)* as specified in `RFC 5869`_. This file documents the extensions to the
Etienne Carrieredf106e02023-06-26 09:54:51 +0200[diff] [blame]423:ref:`tee_internal_core_api` v1.3.1 that were implemented to support this
Jerome Forissier6f47b162021-09-20 10:48:22 +0200[diff] [blame]424algorithm.
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]425
Etienne Carrieredf106e02023-06-26 09:54:51 +0200[diff] [blame]426Note that the implementation follows the recommendations of version 1.3.1 of the
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]427specification for adding new algorithms. It should make it compatible with
428future changes to the official specification. You can disable this extension by
429setting the following in ``conf.mk``:
430
431.. code-block:: make
432
433 CFG_CRYPTO_HKDF := n
434
435**p.95 Add new object type to TEE_PopulateTransientObject**
436
437The following entry shall be added to **Table 5-8**:
438
439.. list-table::
440 :header-rows: 1
441
442 * - Object type
443 - Parts
444
445 * - TEE_TYPE_HKDF_IKM
446 - The TEE_ATTR_HKDF_IKM (Input Keying Material) part must be provided.
447
448**p.121 Add new algorithms for TEE_AllocateOperation**
449
450The following entry shall be added to **Table 6-3**:
451
452.. list-table::
453 :header-rows: 1
454
455 * - Algorithm
456 - Possible Modes
457
458 * - TEE_ALG_HKDF_MD5_DERIVE_KEY
459 TEE_ALG_HKDF_SHA1_DERIVE_KEY
460 TEE_ALG_HKDF_SHA224_DERIVE_KEY
461 TEE_ALG_HKDF_SHA256_DERIVE_KEY
462 TEE_ALG_HKDF_SHA384_DERIVE_KEY
463 TEE_ALG_HKDF_SHA512_DERIVE_KEY
464 TEE_ALG_HKDF_SHA512_DERIVE_KEY
465 - TEE_MODE_DERIVE
466
467**p.126 Explain usage of HKDF algorithms in TEE_SetOperationKey**
468
469In the bullet list about operation mode, the following shall be added:
470
471 - For the HKDF algorithms, the only supported mode is TEE_MODE_DERIVE.
472
473**p.150 Define TEE_DeriveKey input attributes for new algorithms**
474
475The following sentence shall be deleted:
476
477.. code-block:: none
478
479 The TEE_DeriveKey function can only be used with the algorithm
480 TEE_ALG_DH_DERIVE_SHARED_SECRET
481
482The following entry shall be added to **Table 6-7**:
483
484.. list-table::
485 :header-rows: 1
486
487 * - Algorithm
488 - Possible operation parameters
489
490 * - TEE_ALG_HKDF_MD5_DERIVE_KEY
491 TEE_ALG_HKDF_SHA1_DERIVE_KEY
492 TEE_ALG_HKDF_SHA224_DERIVE_KEY
493 TEE_ALG_HKDF_SHA256_DERIVE_KEY
494 TEE_ALG_HKDF_SHA384_DERIVE_KEY
495 TEE_ALG_HKDF_SHA512_DERIVE_KEY
496 TEE_ALG_HKDF_SHA512_DERIVE_KEY
497 - TEE_ATTR_HKDF_OKM_LENGTH: Number of bytes in the Output Keying Material
498
499 TEE_ATTR_HKDF_SALT (optional) Salt to be used during the extract step
500
501 TEE_ATTR_HKDF_INFO (optional) Info to be used during the expand step
502
503**p.152 Add new algorithm identifiers**
504
505The following entries shall be added to **Table 6-8**:
506
507.. list-table::
508 :header-rows: 1
509
510 * - Algorithm
511 - Identifier
512
513 * - TEE_ALG_HKDF_MD5_DERIVE_KEY
514 - 0x800010C0
515
516 * - TEE_ALG_HKDF_SHA1_DERIVE_KEY
517 - 0x800020C0
518
519 * - TEE_ALG_HKDF_SHA224_DERIVE_KEY
520 - 0x800030C0
521
522 * - TEE_ALG_HKDF_SHA256_DERIVE_KEY
523 - 0x800040C0
524
525 * - TEE_ALG_HKDF_SHA384_DERIVE_KEY
526 - 0x800050C0
527
528 * - TEE_ALG_HKDF_SHA512_DERIVE_KEY
529 - 0x800060C0
530
531## p.154 Define new main algorithm
532
533In **Table 6-9** in section 6.10.1, a new value shall be added to the value column
534for row ``bits [7:0]``:
535
536.. list-table::
537 :header-rows: 1
538
539 * - Bits
540 - Function
541 - Value
542
543 * - Bits [7:0]
544 - Identifiy the main underlying algorithm itself
545 - ...
546
547 0xC0: HKDF
548
549The function column for ``bits[15:12]`` shall also be modified to read:
550
551.. list-table::
552 :header-rows: 1
553
554 * - Bits
555 - Function
556 - Value
557
558 * - Bits [15:12]
559 - Define the message digest for asymmetric signature algorithms or HKDF
560 -
561
562**p.155 Add new object type for HKDF input keying material**
563
564The following entry shall be added to **Table 6-10**:
565
566.. list-table::
567 :header-rows: 1
568
569 * - Name
570 - Identifier
571 - Possible sizes
572
573 * - TEE_TYPE_HKDF_IKM
574 - 0xA10000C0
575 - 8 to 4096 bits (multiple of 8)
576
577**p.156 Add new operation attributes for HKDF salt and info**
578
579The following entries shall be added to **Table 6-11**:
580
581.. list-table::
582 :widths: 40 10 10 10 40
583 :header-rows: 1
584
585 * - Name
586 - Value
587 - Protection
588 - Type
589 - Comment
590
591 * - TEE_ATTR_HKDF_IKM
592 - 0xC00001C0
593 - Protected
594 - Ref
595 -
596
597 * - TEE_ATTR_HKDF_SALT
598 - 0xD00002C0
599 - Public
600 - Ref
601 -
602
603 * - TEE_ATTR_HKDF_INFO
604 - 0xD00003C0
605 - Public
606 - Ref
607 -
608
609 * - TEE_ATTR_HKDF_OKM_LENGTH
610 - 0xF00004C0
611 - Public
612 - Value
613 -
614
615.. _pbkdf2:
616
617PBKDF2
618======
619This document describes the OP-TEE implementation of the key derivation
620function, *PBKDF2* as specified in `RFC 2898`_ section 5.2. This RFC is a
621republication of PKCS #5 v2.0 from RSA Laboratories' Public-Key Cryptography
622Standards (PKCS) series. You may disable this extension by setting the following
623configuration variable in ``conf.mk``:
624
625.. code-block:: make
626
627 CFG_CRYPTO_PBKDF2 := n
628
629**API extension**
630
Etienne Carrieredf106e02023-06-26 09:54:51 +0200[diff] [blame]631To support PBKDF2, the :ref:`tee_internal_core_api` v1.3.1 was extended with a new
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]632algorithm descriptor, new object types, and new object attributes as described
633below.
634
635**p.95 Add new object type to TEE_PopulateTransientObject**
636
637The following entry shall be added to **Table 5-8**:
638
639.. list-table::
640 :header-rows: 1
641
642 * - Object type
643 - Parts
644
645 * - TEE_TYPE_PBKDF2_PASSWORD
646 - The TEE_ATTR_PBKDF2_PASSWORD part must be provided.
647
648**p.121 Add new algorithms for TEE_AllocateOperation**
649
650The following entry shall be added to **Table 6-3**:
651
652.. list-table::
653 :header-rows: 1
654
655 * - Algorithm
656 - Possible Modes
657
658 * - TEE_ALG_PBKDF2_HMAC_SHA1_DERIVE_KEY
659 - TEE_MODE_DERIVE
660
661**p.126 Explain usage of PBKDF2 algorithm in TEE_SetOperationKey**
662
663In the bullet list about operation mode, the following shall be added:
664
665 - For the PBKDF2 algorithm, the only supported mode is TEE_MODE_DERIVE.
666
667**p.150 Define TEE_DeriveKey input attributes for new algorithms**
668
669The following sentence shall be deleted:
670
671.. code-block:: none
672
673 The TEE_DeriveKey function can only be used with the algorithm
674 TEE_ALG_DH_DERIVE_SHARED_SECRET
675
676The following entry shall be added to **Table 6-7**:
677
678.. list-table::
679 :header-rows: 1
680
681 * - Algorithm
682 - Possible operation parameters
683
684 * - TEE_ALG_PBKDF2_HMAC_SHA1_DERIVE_KEY
685 - TEE_ATTR_PBKDF2_DKM_LENGTH: up to 512 bytes. This parameter is
686 mandatory.
687
688 TEE_ATTR_PBKDF2_SALT
689
690 TEE_ATTR_PBKDF2_ITERATION_COUNT: This parameter is mandatory.
691
692**p.152 Add new algorithm identifiers**
693
694The following entries shall be added to **Table 6-8**:
695
696.. list-table::
697 :header-rows: 1
698
699 * - Algorithm
700 - Identifier
701
702 * - TEE_ALG_PBKDF2_HMAC_SHA1_DERIVE_KEY
703 - 0x800020C2
704
705**p.154 Define new main algorithm**
706
707In **Table 6-9** in section 6.10.1, a new value shall be added to the value
708column for row ``bits [7:0]``:
709
710.. list-table::
711 :header-rows: 1
712
713 * - Bits
714 - Function
715 - Value
716
717 * - Bits [7:0]
718 - Identifiy the main underlying algorithm itself
719 - ...
720
721 0xC2: PBKDF2
722
723The function column for ``bits[15:12]`` shall also be modified to read:
724
725.. list-table::
726 :header-rows: 1
727
728 * - Bits
729 - Function
730 - Value
731
732 * - Bits [15:12]
733 - Define the message digest for asymmetric signature algorithms or PBKDF2
734 -
735
736**p.155 Add new object type for PBKDF2 password**
737
738The following entry shall be added to **Table 6-10**:
739
740.. list-table::
741 :header-rows: 1
742
743 * - Name
744 - Identifier
745 - Possible sizes
746
747 * - TEE_TYPE_PBKDF2_PASSWORD
748 - 0xA10000C2
749 - 8 to 4096 bits (multiple of 8)
750
751**p.156 Add new operation attributes for Concat KDF**
752
753The following entries shall be added to **Table 6-11**:
754
755.. list-table::
756 :widths: 40 10 10 10 40
757 :header-rows: 1
758
759 * - Name
760 - Value
761 - Protection
762 - Type
763 - Comment
764
765 * - TEE_ATTR_PBKDF2_PASSWORD
766 - 0xC00001C2
767 - Protected
768 - Ref
769 -
770
771 * - TEE_ATTR_PBKDF2_SALT
772 - 0xD00002C2
773 - Public
774 - Ref
775 -
776
777 * - TEE_ATTR_PBKDF2_ITERATION_COUNT
778 - 0xF00003C2
779 - Public
780 - Value
781 -
782
783 * - TEE_ATTR_PBKDF2_DKM_LENGTH
784 - 0xF00004C2
785 - Public
786 - Value
787 - The length (in bytes) of the derived keying material to be generated,
788 maximum 512.
789
790
Aleksandr Anisimova6f9a612021-03-10 20:33:58 +0300[diff] [blame]791.. _loadable_plugins_framework:
792
793Loadable plugins framework
794==========================
795This framework makes the supplicant a bit more flexible in terms of providing
796services. It is possible to design any REE service for the TEE as
797a tee-supplicant plugin. It makes it easy to:
798
799 - add new features to the supplicant that aren't needed in upstream,
800 e.g. Rich OS-specific services
801 - sync an own fork of the supplicant with the upstream version
802
803To create a plugin, developers have to implement the following structure from
804the ``public/tee_plugin_method.h`` file from the optee_client_ git.:
805
806.. code-block:: c
807
808 struct plugin_method {
809 const char *name; /* short friendly name of the plugin */
810 TEEC_UUID uuid;
811 TEEC_Result (*init)(void);
812 TEEC_Result (*invoke)(unsigned int cmd, unsigned int sub_cmd,
813 void *data, size_t in_len, size_t *out_len);
814 };
815
816The plugin framework is based on the RPC - ``OPTEE_MSG_RPC_CMD_PLUGIN``.
817This is a unified interface between TEE and plugins.
818TEE can only access the plugins by its UUID.
819
820After implementing this structure, a plugin has to be compiled as a shared
821object. The objects have to be placed into the directory defined
822by ``CFG_TEE_PLUGIN_LOAD_PATH``. This path can be set in the ``config.mk`` file
823in the optee_client_ git. By default it is set to
824**/usr/lib/tee-supplicant/plugins/**.
825
826The supplicant loads all of the plugins from the directory during the startup
827process using **libdl**. After this, any requests to plugins
828from TEE will be processed in the common RPC handler.
829
830On TEE side users can use any plugin by its UUID from TAs code and from
831the OP-TEE kernel code. The following function has been introduced like
832an extension of the TEE API to allow Trusted Applications to operate with
833plugins:
834
835.. code-block:: c
836
837 /*
838 * tee_invoke_supp_plugin() - invoke a tee-supplicant's plugin
839 * @uuid: uuid of the plugin
840 * @cmd: command for the plugin
841 * @sub_cmd: subcommand for the plugin
842 * @buf: data [to/from] the plugin [in/out]
843 * @len: length of the input buf
844 * @outlen: pointer to length of the output data (if they will be used)
845 *
846 * Return TEE_SUCCESS on success or TEE_ERRROR_* on failure.
847 */
848 TEE_Result tee_invoke_supp_plugin(const TEE_UUID *uuid, uint32_t cmd,
849 uint32_t sub_cmd, void *buf, size_t len,
850 size_t *outlen);
851
852This API calls the ``system-pta``, which uses the RPC to call a plugin.
853See ``OPTEE_RPC_CMD_SUPP_PLUGIN`` in the ``core/include/optee_rpc_cmd.h`` file
854from optee_os_ git. If there is a need to use plugins from the OP-TEE kernel,
855then the following function can be called directly:
856
857.. code-block:: c
858
859 TEE_Result tee_invoke_supp_plugin_rpc(const TEE_UUID *uuid, uint32_t cmd,
860 uint32_t sub_cmd, void *buf, size_t len,
861 size_t *outlen);
862
863.. NOTE::
864 One buffer is used for input data to a plugin and for output data
865 from a plugin. See an example of using this feature in the optee_examples_
866 git.
867
868
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]869.. _GlobalPlatform: https://globalplatform.org
870.. _optee_examples: https://github.com/linaro-swg/optee_examples
Aleksandr Anisimova6f9a612021-03-10 20:33:58 +0300[diff] [blame]871.. _optee_client: https://github.com/OP-TEE/optee_client
872.. _optee_os: https://github.com/OP-TEE/optee_os
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]873.. _TZC-400: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0504c/index.html
874.. _RFC 2898: https://www.ietf.org/rfc/rfc2898.txt
875.. _RFC 3447: https://tools.ietf.org/html/rfc3447#section-8.2
876.. _RFC 5869: https://tools.ietf.org/html/rfc5869
877.. _Specification: https://globalplatform.org/specs-library/?filter-committee=tee
878.. _SP 800-56A: http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf
879.. _UUID: https://en.wikipedia.org/wiki/Universally_unique_identifier