TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_docs / df106e0241e63adab203e66f54bec7e615c6c2be / . / architecture / globalplatform_api.rst
blob: 1289b2ba3c51ac8c443e7ad7b687f3027c9481ae [file] [log] [blame]
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]1.. _globalplatform_api:
2
3##################
4GlobalPlatform API
5##################
6Introduction
7************
8GlobalPlatform_ works across industries to identify, develop and publish
9specifications which facilitate the secure and interoperable deployment and
10management of multiple embedded applications on secure chip technology. OP-TEE
11has support for GlobalPlatform TEE Client API Specification_ v1.0 (GPD_SPE_007)
Etienne Carrieredf106e02023-06-26 09:54:51 +0200[diff] [blame^]12and TEE Internal Core API Specification v1.3.1 (GPD_SPE_010).
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]13
14
15.. _tee_client_api:
16
17TEE Client API
18**************
19The TEE Client API describes and defines how a client running in a rich
20operating environment (REE) should communicate with the TEE. To identify a
21Trusted Application (TA) to be used, the client provides an UUID_. All TA's
22exposes one or several functions. Those functions corresponds to a so called
23``commandID`` which also is sent by the client.
24
25TEE Contexts
26============
27The TEE Context is used for creating a logical connection between the client and
28the TEE. The context must be initialized before the TEE Session can be created.
29When the client has completed a job running in secure world, it should finalize
30the context and thereby also release resources.
31
32TEE Sessions
33============
34Sessions are used to create logical connections between a client and a specific
35Trusted Application. When the session has been established the client has opened
36up the communication channel towards the specified Trusted Application
37identified by the ``UUID``. At this stage the client and the Trusted Application
38can start to exchange data.
39
40
41TEE Client API example / usage
42==============================
43Below you will find the main functions as defined by GlobalPlatform and are used
44in the communication between the client and the TEE.
45
46.. code-block:: c
47
48 TEEC_Result TEEC_InitializeContext(
49 const char* name,
50 TEEC_Context* context)
51
52 void TEEC_FinalizeContext(
53 TEEC_Context* context)
54
55 TEEC_Result TEEC_OpenSession (
56 TEEC_Context* context,
57 TEEC_Session* session,
58 const TEEC_UUID* destination,
59 uint32_t connectionMethod,
60 const void* connectionData,
61 TEEC_Operation* operation,
62 uint32_t* returnOrigin)
63
64 void TEEC_CloseSession (
65 TEEC_Session* session)
66
67 TEEC_Result TEEC_InvokeCommand(
68 TEEC_Session* session,
69 uint32_t commandID,
70 TEEC_Operation* operation,
71 uint32_t* returnOrigin)
72
73In principle the commands are called in this order:
74
75.. code-block:: c
76
77 TEEC_InitializeContext(...)
78 TEEC_OpenSession(...)
79 TEEC_InvokeCommand(...)
80 TEEC_CloseSession(...)
81 TEEC_FinalizeContext(...)
82
83It is not uncommon that ``TEEC_InvokeCommand(...)`` is called several times in
84a row when the session has been established.
85
86For a complete example, please see chapter **5.2 Example 1: Using the TEE Client
87API** in the GlobalPlatform TEE Client API Specification_ v1.0.
88
89
90.. _tee_internal_core_api:
91
92TEE Internal Core API
93*********************
94The Internal Core API is the API that is exposed to the Trusted Applications
95running in the secure world. The TEE Internal API consists of four major parts:
96
97 1. Trusted Storage API for Data and Keys
98 2. Cryptographic Operations API
99 3. Time API
100 4. Arithmetical API
101
102Examples / usage
103================
104Calling the Internal Core API is done in the same way as described above using
105Client API. The best place to find information how this should be done is in the
Etienne Carrieredf106e02023-06-26 09:54:51 +0200[diff] [blame^]106TEE Internal Core API Specification_ which contains many examples of how
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]107to call the various APIs. One can also have a look at the examples in the
108optee_examples_ git.
109
110
111.. _extensions:
112
113Extensions
114**********
115In addition to what is stated in :ref:`tee_internal_core_api`, there are some
116non-official extensions in OP-TEE.
117
Jerome Forissier6f47b162021-09-20 10:48:22 +0200[diff] [blame]118Trusted Applications should include header file ``tee_internal_api_extensions.h``
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]119to import the definitions of the extensions. For each extension, a configuration
120directive prefixed ``CFG_`` allows one to disable support for the extension when
121building the OP-TEE packages.
122
Etienne Carriere5b99ccc2019-03-11 11:57:30 +0100[diff] [blame]123
124.. _extensions_cache_maintenance:
125
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]126Cache Maintenance Support
127=========================
128Following functions have been introduced in order to allow Trusted Applications
129to operate with the data cache:
130
131.. code-block:: c
132
133 TEE_Result TEE_CacheClean(char *buf, size_t len);
134 TEE_Result TEE_CacheFlush(char *buf, size_t len);
135 TEE_Result TEE_CacheInvalidate(char *buf, size_t len);
136
137These functions are available to any Trusted Application defined with the flag
Etienne Carriere5b99ccc2019-03-11 11:57:30 +0100[diff] [blame]138``TA_FLAG_CACHE_MAINTENANCE`` sets on, see :ref:`ta_property_cache_maintenance`.
139When not set, each function returns the error code ``TEE_ERROR_NOT_SUPPORTED``.
140Within these extensions, a Trusted Application is able to operate on the data
141cache, with the following specification:
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]142
143.. list-table::
144 :widths: 10 60
145 :header-rows: 1
146
147 * - Function
148 - Description
149
150 * - ``TEE_CacheClean()``
151 - Write back to memory any dirty data cache lines. The line is marked as
152 not dirty. The valid bit is unchanged.
153
154 * - ``TEE_CacheFlush()``
155 - Purges any valid data cache lines. Any dirty cache lines are first
156 written back to memory, then the cache line is invalidated.
157
158 * - ``TEE_CacheInvalidate()``
159 - Invalidate any valid data cache lines. Any dirty line are not written
160 back to memory.
161
162In the following two cases, the error code ``TEE_ERROR_ACCESS_DENIED`` is
163returned:
164
165 - The memory range has not the write access, that is
166 ``TEE_MEMORY_ACCESS_WRITE`` is not set.
167 - The memory is **not** user space memory.
168
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]169You may disable this extension by setting the following configuration variable
170in ``conf.mk``:
171
172.. code-block:: make
173
174 CFG_CACHE_API := n
175
176
177.. _rsassa_na1:
178
179PKCS#1 v1.5 RSASSA without hash OID
180===================================
181This extension adds identifer``TEE_ALG_RSASSA_PKCS1_V1_5`` to allow signing and
182verifying messages with RSASSA-PKCS1-v1_5, in `RFC 3447`_, without including the
183OID of the hash in the signature. You may disable this extension by setting the
184following configuration variable in ``conf.mk``:
185
186.. code-block:: make
187
188 CFG_CRYPTO_RSASSA_NA1 := n
189
190The TEE Internal Core API was extended with a new algorithm descriptor.
191
192.. list-table::
193 :widths: 10 60
194 :header-rows: 1
195
196 * - Algorithm
197 - Possible Modes
198
199 * - TEE_ALG_RSASSA_PKCS1_V1_5
200 - TEE_MODE_SIGN / TEE_MODE_VERIFY
201
202.. list-table::
203 :widths: 10 60
204 :header-rows: 1
205
206 * - Algorithm
207 - Identifier
208
209 * - TEE_ALG_RSASSA_PKCS1_V1_5
210 - 0xF0000830
211
212
213.. _concat_kdf:
214
215Concat KDF
216==========
217Support for the Concatenation Key Derivation Function (Concat KDF) according to
218`SP 800-56A`_ (*Recommendation for Pair-Wise Key Establishment Schemes Using
219Discrete Logarithm Cryptography*) can be found in OP-TEE. You may disable this
220extension by setting the following configuration variable in ``conf.mk``:
221
222.. code-block:: make
223
224 CFG_CRYPTO_CONCAT_KDF := n
225
226**Implementation notes**
227
228All key and parameter sizes **must** be multiples of 8 bits. That is:
229
230 - Input parameters: the shared secret (``Z``) and ``OtherInfo``.
231 - Output parameter: the derived key (``DerivedKeyingMaterial``).
232
233In addition, the maximum size of the derived key is limited by the size of an
234object of type ``TEE_TYPE_GENERIC_SECRET`` (512 bytes). This implementation does
235**not** enforce any requirement on the content of the ``OtherInfo`` parameter.
236It is the application's responsibility to make sure this parameter is
237constructed as specified by the NIST specification if compliance is desired.
238
239**API extension**
240
Etienne Carrieredf106e02023-06-26 09:54:51 +0200[diff] [blame^]241To support Concat KDF, the :ref:`tee_internal_core_api` v1.3.1 was extended with
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]242new algorithm descriptors, new object types, and new object attributes as
243described below.
244
245**p.95 Add new object type to TEE_PopulateTransientObject**
246
247The following entry shall be added to **Table 5-8**:
248
249.. list-table::
250 :widths: 10 60
251 :header-rows: 1
252
253 * - Object type
254 - Parts
255
256 * - TEE_TYPE_CONCAT_KDF_Z
257 - The ``TEE_ATTR_CONCAT_KDF_Z`` part (input shared secret) must be
258 provided.
259
260**p.121 Add new algorithms for TEE_AllocateOperation**
261
262The following entry shall be added to **Table 6-3**:
263
264.. list-table::
265 :widths: 10 60
266 :header-rows: 1
267
268 * - Algorithm
269 - Possible Modes
270
271 * - TEE_ALG_CONCAT_KDF_SHA1_DERIVE_KEY
272 TEE_ALG_CONCAT_KDF_SHA224_DERIVE_KEY
273 TEE_ALG_CONCAT_KDF_SHA256_DERIVE_KEY
274 TEE_ALG_CONCAT_KDF_SHA384_DERIVE_KEY
275 TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY
276 TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY
277 - TEE_MODE_DERIVE
278
279**p.126 Explain usage of HKDF algorithms in TEE_SetOperationKey**
280
281In the bullet list about operation mode, the following shall be added:
282
283 - For the Concat KDF algorithms, the only supported mode is
284 ``TEE_MODE_DERIVE``.
285
286**p.150 Define TEE_DeriveKey input attributes for new algorithms**
287
288The following sentence shall be deleted:
289
290.. code-block:: none
291
292 The TEE_DeriveKey function can only be used with the algorithm
293 TEE_ALG_DH_DERIVE_SHARED_SECRET.
294
295The following entry shall be added to **Table 6-7**:
296
297.. list-table::
298 :header-rows: 1
299
300 * - Algorithm
301 - Possible operation parameters
302
303 * - TEE_ALG_CONCAT_KDF_SHA1_DERIVE_KEY
304 TEE_ALG_CONCAT_KDF_SHA224_DERIVE_KEY
305 TEE_ALG_CONCAT_KDF_SHA256_DERIVE_KEY
306 TEE_ALG_CONCAT_KDF_SHA384_DERIVE_KEY
307 TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY
308 TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY
309 - TEE_ATTR_CONCAT_KDF_DKM_LENGTH: up to 512 bytes. This parameter is
310 mandatory: TEE_ATTR_CONCAT_KDF_OTHER_INFO
311
312**p.152 Add new algorithm identifiers**
313
314The following entries shall be added to **Table 6-8**:
315
316.. list-table::
317 :header-rows: 1
318
319 * - Algorithm
320 - Identifier
321
322 * - TEE_ALG_CONCAT_KDF_SHA1_DERIVE_KEY
323 - 0x800020C1
324
325 * - TEE_ALG_CONCAT_KDF_SHA224_DERIVE_KEY
326 - 0x800030C1
327
328 * - TEE_ALG_CONCAT_KDF_SHA256_DERIVE_KEY
329 - 0x800040C1
330
331 * - TEE_ALG_CONCAT_KDF_SHA384_DERIVE_KEY
332 - 0x800050C1
333
334 * - TEE_ALG_CONCAT_KDF_SHA512_DERIVE_KEY
335 - 0x800060C1
336
337**p.154 Define new main algorithm**
338
339In **Table 6-9** in section 6.10.1, a new value shall be added to the value
340column for row bits ``[7:0]``:
341
342.. list-table::
343 :header-rows: 1
344
345 * - Bits
346 - Function
347 - Value
348
349 * - Bits [7:0]
350 - Identifiy the main underlying algorithm itself
351 - ...
352
353 0xC1: Concat KDF
354
355The function column for ``bits[15:12]`` shall also be modified to read:
356
357.. list-table::
358 :header-rows: 1
359
360 * - Bits
361 - Function
362 - Value
363
364 * - Bits [15:12]
365 - Define the message digest for asymmetric signature algorithms or Concat KDF
366 -
367
368**p.155 Add new object type for Concat KDF input shared secret**
369
370The following entry shall be added to **Table 6-10**:
371
372.. list-table::
373 :header-rows: 1
374
375 * - Name
376 - Identifier
377 - Possible sizes
378
379 * - TEE_TYPE_CONCAT_KDF_Z
380 - 0xA10000C1
381 - 8 to 4096 bits (multiple of 8)
382
383**p.156 Add new operation attributes for Concat KDF**
384
385The following entries shall be added to **Table 6-11**:
386
387.. list-table::
388 :header-rows: 1
389
390 * - Name
391 - Value
392 - Protection
393 - Type
394 - Comment
395
396 * - TEE_ATTR_CONCAT_KDF_Z
397 - 0xC00001C1
398 - Protected
399 - Ref
400 - The shared secret (``Z``)
401
402 * - TEE_ATTR_CONCAT_KDF_OTHER_INFO
403 - 0xD00002C1
404 - Public
405 - Ref
406 - ``OtherInfo``
407
408 * - TEE_ATTR_CONCAT_KDF_DKM_LENGTH
409 - 0xF00003C1
410 - Public
411 - Value
412 - The length (in bytes) of the derived keying material to be generated,
413 maximum 512. This is ``KeyDataLen`` / 8.
414
415
416.. _hkdf:
417
418HKDF
419====
420OP-TEE implements the *HMAC-based Extract-and-Expand Key Derivation Function
421(HKDF)* as specified in `RFC 5869`_. This file documents the extensions to the
Etienne Carrieredf106e02023-06-26 09:54:51 +0200[diff] [blame^]422:ref:`tee_internal_core_api` v1.3.1 that were implemented to support this
Jerome Forissier6f47b162021-09-20 10:48:22 +0200[diff] [blame]423algorithm.
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]424
Etienne Carrieredf106e02023-06-26 09:54:51 +0200[diff] [blame^]425Note that the implementation follows the recommendations of version 1.3.1 of the
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]426specification for adding new algorithms. It should make it compatible with
427future changes to the official specification. You can disable this extension by
428setting the following in ``conf.mk``:
429
430.. code-block:: make
431
432 CFG_CRYPTO_HKDF := n
433
434**p.95 Add new object type to TEE_PopulateTransientObject**
435
436The following entry shall be added to **Table 5-8**:
437
438.. list-table::
439 :header-rows: 1
440
441 * - Object type
442 - Parts
443
444 * - TEE_TYPE_HKDF_IKM
445 - The TEE_ATTR_HKDF_IKM (Input Keying Material) part must be provided.
446
447**p.121 Add new algorithms for TEE_AllocateOperation**
448
449The following entry shall be added to **Table 6-3**:
450
451.. list-table::
452 :header-rows: 1
453
454 * - Algorithm
455 - Possible Modes
456
457 * - TEE_ALG_HKDF_MD5_DERIVE_KEY
458 TEE_ALG_HKDF_SHA1_DERIVE_KEY
459 TEE_ALG_HKDF_SHA224_DERIVE_KEY
460 TEE_ALG_HKDF_SHA256_DERIVE_KEY
461 TEE_ALG_HKDF_SHA384_DERIVE_KEY
462 TEE_ALG_HKDF_SHA512_DERIVE_KEY
463 TEE_ALG_HKDF_SHA512_DERIVE_KEY
464 - TEE_MODE_DERIVE
465
466**p.126 Explain usage of HKDF algorithms in TEE_SetOperationKey**
467
468In the bullet list about operation mode, the following shall be added:
469
470 - For the HKDF algorithms, the only supported mode is TEE_MODE_DERIVE.
471
472**p.150 Define TEE_DeriveKey input attributes for new algorithms**
473
474The following sentence shall be deleted:
475
476.. code-block:: none
477
478 The TEE_DeriveKey function can only be used with the algorithm
479 TEE_ALG_DH_DERIVE_SHARED_SECRET
480
481The following entry shall be added to **Table 6-7**:
482
483.. list-table::
484 :header-rows: 1
485
486 * - Algorithm
487 - Possible operation parameters
488
489 * - TEE_ALG_HKDF_MD5_DERIVE_KEY
490 TEE_ALG_HKDF_SHA1_DERIVE_KEY
491 TEE_ALG_HKDF_SHA224_DERIVE_KEY
492 TEE_ALG_HKDF_SHA256_DERIVE_KEY
493 TEE_ALG_HKDF_SHA384_DERIVE_KEY
494 TEE_ALG_HKDF_SHA512_DERIVE_KEY
495 TEE_ALG_HKDF_SHA512_DERIVE_KEY
496 - TEE_ATTR_HKDF_OKM_LENGTH: Number of bytes in the Output Keying Material
497
498 TEE_ATTR_HKDF_SALT (optional) Salt to be used during the extract step
499
500 TEE_ATTR_HKDF_INFO (optional) Info to be used during the expand step
501
502**p.152 Add new algorithm identifiers**
503
504The following entries shall be added to **Table 6-8**:
505
506.. list-table::
507 :header-rows: 1
508
509 * - Algorithm
510 - Identifier
511
512 * - TEE_ALG_HKDF_MD5_DERIVE_KEY
513 - 0x800010C0
514
515 * - TEE_ALG_HKDF_SHA1_DERIVE_KEY
516 - 0x800020C0
517
518 * - TEE_ALG_HKDF_SHA224_DERIVE_KEY
519 - 0x800030C0
520
521 * - TEE_ALG_HKDF_SHA256_DERIVE_KEY
522 - 0x800040C0
523
524 * - TEE_ALG_HKDF_SHA384_DERIVE_KEY
525 - 0x800050C0
526
527 * - TEE_ALG_HKDF_SHA512_DERIVE_KEY
528 - 0x800060C0
529
530## p.154 Define new main algorithm
531
532In **Table 6-9** in section 6.10.1, a new value shall be added to the value column
533for row ``bits [7:0]``:
534
535.. list-table::
536 :header-rows: 1
537
538 * - Bits
539 - Function
540 - Value
541
542 * - Bits [7:0]
543 - Identifiy the main underlying algorithm itself
544 - ...
545
546 0xC0: HKDF
547
548The function column for ``bits[15:12]`` shall also be modified to read:
549
550.. list-table::
551 :header-rows: 1
552
553 * - Bits
554 - Function
555 - Value
556
557 * - Bits [15:12]
558 - Define the message digest for asymmetric signature algorithms or HKDF
559 -
560
561**p.155 Add new object type for HKDF input keying material**
562
563The following entry shall be added to **Table 6-10**:
564
565.. list-table::
566 :header-rows: 1
567
568 * - Name
569 - Identifier
570 - Possible sizes
571
572 * - TEE_TYPE_HKDF_IKM
573 - 0xA10000C0
574 - 8 to 4096 bits (multiple of 8)
575
576**p.156 Add new operation attributes for HKDF salt and info**
577
578The following entries shall be added to **Table 6-11**:
579
580.. list-table::
581 :widths: 40 10 10 10 40
582 :header-rows: 1
583
584 * - Name
585 - Value
586 - Protection
587 - Type
588 - Comment
589
590 * - TEE_ATTR_HKDF_IKM
591 - 0xC00001C0
592 - Protected
593 - Ref
594 -
595
596 * - TEE_ATTR_HKDF_SALT
597 - 0xD00002C0
598 - Public
599 - Ref
600 -
601
602 * - TEE_ATTR_HKDF_INFO
603 - 0xD00003C0
604 - Public
605 - Ref
606 -
607
608 * - TEE_ATTR_HKDF_OKM_LENGTH
609 - 0xF00004C0
610 - Public
611 - Value
612 -
613
614.. _pbkdf2:
615
616PBKDF2
617======
618This document describes the OP-TEE implementation of the key derivation
619function, *PBKDF2* as specified in `RFC 2898`_ section 5.2. This RFC is a
620republication of PKCS #5 v2.0 from RSA Laboratories' Public-Key Cryptography
621Standards (PKCS) series. You may disable this extension by setting the following
622configuration variable in ``conf.mk``:
623
624.. code-block:: make
625
626 CFG_CRYPTO_PBKDF2 := n
627
628**API extension**
629
Etienne Carrieredf106e02023-06-26 09:54:51 +0200[diff] [blame^]630To support PBKDF2, the :ref:`tee_internal_core_api` v1.3.1 was extended with a new
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]631algorithm descriptor, new object types, and new object attributes as described
632below.
633
634**p.95 Add new object type to TEE_PopulateTransientObject**
635
636The following entry shall be added to **Table 5-8**:
637
638.. list-table::
639 :header-rows: 1
640
641 * - Object type
642 - Parts
643
644 * - TEE_TYPE_PBKDF2_PASSWORD
645 - The TEE_ATTR_PBKDF2_PASSWORD part must be provided.
646
647**p.121 Add new algorithms for TEE_AllocateOperation**
648
649The following entry shall be added to **Table 6-3**:
650
651.. list-table::
652 :header-rows: 1
653
654 * - Algorithm
655 - Possible Modes
656
657 * - TEE_ALG_PBKDF2_HMAC_SHA1_DERIVE_KEY
658 - TEE_MODE_DERIVE
659
660**p.126 Explain usage of PBKDF2 algorithm in TEE_SetOperationKey**
661
662In the bullet list about operation mode, the following shall be added:
663
664 - For the PBKDF2 algorithm, the only supported mode is TEE_MODE_DERIVE.
665
666**p.150 Define TEE_DeriveKey input attributes for new algorithms**
667
668The following sentence shall be deleted:
669
670.. code-block:: none
671
672 The TEE_DeriveKey function can only be used with the algorithm
673 TEE_ALG_DH_DERIVE_SHARED_SECRET
674
675The following entry shall be added to **Table 6-7**:
676
677.. list-table::
678 :header-rows: 1
679
680 * - Algorithm
681 - Possible operation parameters
682
683 * - TEE_ALG_PBKDF2_HMAC_SHA1_DERIVE_KEY
684 - TEE_ATTR_PBKDF2_DKM_LENGTH: up to 512 bytes. This parameter is
685 mandatory.
686
687 TEE_ATTR_PBKDF2_SALT
688
689 TEE_ATTR_PBKDF2_ITERATION_COUNT: This parameter is mandatory.
690
691**p.152 Add new algorithm identifiers**
692
693The following entries shall be added to **Table 6-8**:
694
695.. list-table::
696 :header-rows: 1
697
698 * - Algorithm
699 - Identifier
700
701 * - TEE_ALG_PBKDF2_HMAC_SHA1_DERIVE_KEY
702 - 0x800020C2
703
704**p.154 Define new main algorithm**
705
706In **Table 6-9** in section 6.10.1, a new value shall be added to the value
707column for row ``bits [7:0]``:
708
709.. list-table::
710 :header-rows: 1
711
712 * - Bits
713 - Function
714 - Value
715
716 * - Bits [7:0]
717 - Identifiy the main underlying algorithm itself
718 - ...
719
720 0xC2: PBKDF2
721
722The function column for ``bits[15:12]`` shall also be modified to read:
723
724.. list-table::
725 :header-rows: 1
726
727 * - Bits
728 - Function
729 - Value
730
731 * - Bits [15:12]
732 - Define the message digest for asymmetric signature algorithms or PBKDF2
733 -
734
735**p.155 Add new object type for PBKDF2 password**
736
737The following entry shall be added to **Table 6-10**:
738
739.. list-table::
740 :header-rows: 1
741
742 * - Name
743 - Identifier
744 - Possible sizes
745
746 * - TEE_TYPE_PBKDF2_PASSWORD
747 - 0xA10000C2
748 - 8 to 4096 bits (multiple of 8)
749
750**p.156 Add new operation attributes for Concat KDF**
751
752The following entries shall be added to **Table 6-11**:
753
754.. list-table::
755 :widths: 40 10 10 10 40
756 :header-rows: 1
757
758 * - Name
759 - Value
760 - Protection
761 - Type
762 - Comment
763
764 * - TEE_ATTR_PBKDF2_PASSWORD
765 - 0xC00001C2
766 - Protected
767 - Ref
768 -
769
770 * - TEE_ATTR_PBKDF2_SALT
771 - 0xD00002C2
772 - Public
773 - Ref
774 -
775
776 * - TEE_ATTR_PBKDF2_ITERATION_COUNT
777 - 0xF00003C2
778 - Public
779 - Value
780 -
781
782 * - TEE_ATTR_PBKDF2_DKM_LENGTH
783 - 0xF00004C2
784 - Public
785 - Value
786 - The length (in bytes) of the derived keying material to be generated,
787 maximum 512.
788
789
Aleksandr Anisimova6f9a612021-03-10 20:33:58 +0300[diff] [blame]790.. _loadable_plugins_framework:
791
792Loadable plugins framework
793==========================
794This framework makes the supplicant a bit more flexible in terms of providing
795services. It is possible to design any REE service for the TEE as
796a tee-supplicant plugin. It makes it easy to:
797
798 - add new features to the supplicant that aren't needed in upstream,
799 e.g. Rich OS-specific services
800 - sync an own fork of the supplicant with the upstream version
801
802To create a plugin, developers have to implement the following structure from
803the ``public/tee_plugin_method.h`` file from the optee_client_ git.:
804
805.. code-block:: c
806
807 struct plugin_method {
808 const char *name; /* short friendly name of the plugin */
809 TEEC_UUID uuid;
810 TEEC_Result (*init)(void);
811 TEEC_Result (*invoke)(unsigned int cmd, unsigned int sub_cmd,
812 void *data, size_t in_len, size_t *out_len);
813 };
814
815The plugin framework is based on the RPC - ``OPTEE_MSG_RPC_CMD_PLUGIN``.
816This is a unified interface between TEE and plugins.
817TEE can only access the plugins by its UUID.
818
819After implementing this structure, a plugin has to be compiled as a shared
820object. The objects have to be placed into the directory defined
821by ``CFG_TEE_PLUGIN_LOAD_PATH``. This path can be set in the ``config.mk`` file
822in the optee_client_ git. By default it is set to
823**/usr/lib/tee-supplicant/plugins/**.
824
825The supplicant loads all of the plugins from the directory during the startup
826process using **libdl**. After this, any requests to plugins
827from TEE will be processed in the common RPC handler.
828
829On TEE side users can use any plugin by its UUID from TAs code and from
830the OP-TEE kernel code. The following function has been introduced like
831an extension of the TEE API to allow Trusted Applications to operate with
832plugins:
833
834.. code-block:: c
835
836 /*
837 * tee_invoke_supp_plugin() - invoke a tee-supplicant's plugin
838 * @uuid: uuid of the plugin
839 * @cmd: command for the plugin
840 * @sub_cmd: subcommand for the plugin
841 * @buf: data [to/from] the plugin [in/out]
842 * @len: length of the input buf
843 * @outlen: pointer to length of the output data (if they will be used)
844 *
845 * Return TEE_SUCCESS on success or TEE_ERRROR_* on failure.
846 */
847 TEE_Result tee_invoke_supp_plugin(const TEE_UUID *uuid, uint32_t cmd,
848 uint32_t sub_cmd, void *buf, size_t len,
849 size_t *outlen);
850
851This API calls the ``system-pta``, which uses the RPC to call a plugin.
852See ``OPTEE_RPC_CMD_SUPP_PLUGIN`` in the ``core/include/optee_rpc_cmd.h`` file
853from optee_os_ git. If there is a need to use plugins from the OP-TEE kernel,
854then the following function can be called directly:
855
856.. code-block:: c
857
858 TEE_Result tee_invoke_supp_plugin_rpc(const TEE_UUID *uuid, uint32_t cmd,
859 uint32_t sub_cmd, void *buf, size_t len,
860 size_t *outlen);
861
862.. NOTE::
863 One buffer is used for input data to a plugin and for output data
864 from a plugin. See an example of using this feature in the optee_examples_
865 git.
866
867
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]868.. _GlobalPlatform: https://globalplatform.org
869.. _optee_examples: https://github.com/linaro-swg/optee_examples
Aleksandr Anisimova6f9a612021-03-10 20:33:58 +0300[diff] [blame]870.. _optee_client: https://github.com/OP-TEE/optee_client
871.. _optee_os: https://github.com/OP-TEE/optee_os
Joakim Bech8e5c5b32018-10-25 08:18:32 +0200[diff] [blame]872.. _TZC-400: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0504c/index.html
873.. _RFC 2898: https://www.ietf.org/rfc/rfc2898.txt
874.. _RFC 3447: https://tools.ietf.org/html/rfc3447#section-8.2
875.. _RFC 5869: https://tools.ietf.org/html/rfc5869
876.. _Specification: https://globalplatform.org/specs-library/?filter-committee=tee
877.. _SP 800-56A: http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf
878.. _UUID: https://en.wikipedia.org/wiki/Universally_unique_identifier