OP-TEE: Add option for PKCS11 TA (CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED…

…_LOGIN_ATTEMPTS) Note: Commit includes a custom patch for OP-TEE. Signed-off-by: Tanel Dettenborn <[email protected]>
tiiuae · Sep 17, 2024 · 9f2e9bd · 9f2e9bd
1 parent cfcfe93
commit 9f2e9bd
Show file tree

Hide file tree

Showing 4 changed files with 212 additions and 4 deletions.
diff --git a/REUSE.toml b/REUSE.toml
@@ -126,3 +126,10 @@ SPDX-FileCopyrightText = "Copyright 2019-2021 Microchip Corporation."
 path = [
 	"packages/hart-software-services/0001-Workaround-for-a-compilation-issue.patch",
 ]
+
+[[annotations]]
+SPDX-License-Identifier = "BSD-2-Clause"
+SPDX-FileCopyrightText = "Copyright (c) 2017-2020, Linaro Limited"
+path = [
+	"targets/nvidia-jetson-orin/0001-ta-pkcs11-Build-time-option-for-controlling-pin-lock.patch",
+]
diff --git a/modules/reference/hardware/jetpack/nvidia-jetson-orin/optee.nix b/modules/reference/hardware/jetpack/nvidia-jetson-orin/optee.nix
@@ -43,6 +43,15 @@
         '';
       };
 
+      lockPinAfterFailedLoginAttempts = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = lib.mdDoc ''
+          Locks correspondingly User or SO PIN when reaching maximum
+          failed authentication attemps (continous) limit
+        '';
+      };
+
       heapSize = lib.mkOption {
         type = lib.types.int;
         default = 32768;

diff --git a/targets/nvidia-jetson-orin/0001-ta-pkcs11-Build-time-option-for-controlling-pin-lock.patch b/targets/nvidia-jetson-orin/0001-ta-pkcs11-Build-time-option-for-controlling-pin-lock.patch
@@ -0,0 +1,186 @@
+From 18c1ea534dba4a75848fdeea3c55de00ca11c397 Mon Sep 17 00:00:00 2001
+From: Tanel Dettenborn <[email protected]>
+Date: Sat, 14 Sep 2024 16:45:46 +0300
+Subject: [PATCH] ta: pkcs11: Build time option for controlling pin locking
+ Adding a build time option for disabling or enabling pin locking after failed
+ authentication attempts. Option controls both, User and SO, pins. Default is
+ 'y'.
+
+Option is called:
+ CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS
+
+NOTE: Patch is backported!
+
+Signed-off-by: Tanel Dettenborn <[email protected]>
+---
+ optee/optee_os/ta/pkcs11/src/pkcs11_token.c | 102 +++++++++++---------
+ optee/optee_os/ta/pkcs11/sub.mk             |   4 +
+ 2 files changed, 60 insertions(+), 46 deletions(-)
+
+diff --git a/optee/optee_os/ta/pkcs11/src/pkcs11_token.c b/optee/optee_os/ta/pkcs11/src/pkcs11_token.c
+index 25ba77827..9882d1cf2 100644
+--- a/optee/optee_os/ta/pkcs11/src/pkcs11_token.c
++++ b/optee/optee_os/ta/pkcs11/src/pkcs11_token.c
+@@ -884,16 +884,18 @@ enum pkcs11_rc entry_ck_token_initialize(uint32_t ptypes, TEE_Param *params)
+ 		if (rc != PKCS11_CKR_PIN_INCORRECT)
+ 			return rc;
+
+-		token->db_main->flags |= PKCS11_CKFT_SO_PIN_COUNT_LOW;
+-		token->db_main->so_pin_count++;
++		if (IS_ENABLED(CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS)) {
++			token->db_main->flags |= PKCS11_CKFT_SO_PIN_COUNT_LOW;
++			token->db_main->so_pin_count++;
+
+-		pin_count = token->db_main->so_pin_count;
+-		if (pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX - 1)
+-			token->db_main->flags |= PKCS11_CKFT_SO_PIN_FINAL_TRY;
+-		if (pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX)
+-			token->db_main->flags |= PKCS11_CKFT_SO_PIN_LOCKED;
++			pin_count = token->db_main->so_pin_count;
++			if (pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX - 1)
++				token->db_main->flags |= PKCS11_CKFT_SO_PIN_FINAL_TRY;
++			if (pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX)
++				token->db_main->flags |= PKCS11_CKFT_SO_PIN_LOCKED;
+
+-		update_persistent_db(token);
++			update_persistent_db(token);
++		}
+
+ 		return PKCS11_CKR_PIN_INCORRECT;
+ 	}
+@@ -1140,35 +1142,39 @@ static enum pkcs11_rc check_so_pin(struct pkcs11_session *session,
+ 		if (rc != PKCS11_CKR_PIN_INCORRECT)
+ 			return rc;
+
+-		token->db_main->flags |= PKCS11_CKFT_SO_PIN_COUNT_LOW;
+-		token->db_main->so_pin_count++;
++		if (IS_ENABLED(CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS)) {
++			token->db_main->flags |= PKCS11_CKFT_SO_PIN_COUNT_LOW;
++			token->db_main->so_pin_count++;
+
+-		pin_count = token->db_main->so_pin_count;
+-		if (pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX - 1)
+-			token->db_main->flags |= PKCS11_CKFT_SO_PIN_FINAL_TRY;
+-		if (pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX)
+-			token->db_main->flags |= PKCS11_CKFT_SO_PIN_LOCKED;
++			pin_count = token->db_main->so_pin_count;
++			if (pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX - 1)
++				token->db_main->flags |= PKCS11_CKFT_SO_PIN_FINAL_TRY;
++			if (pin_count == PKCS11_TOKEN_SO_PIN_COUNT_MAX)
++				token->db_main->flags |= PKCS11_CKFT_SO_PIN_LOCKED;
+
+-		update_persistent_db(token);
++			update_persistent_db(token);
+
+-		if (token->db_main->flags & PKCS11_CKFT_SO_PIN_LOCKED)
+-			return PKCS11_CKR_PIN_LOCKED;
++			if (token->db_main->flags & PKCS11_CKFT_SO_PIN_LOCKED)
++				return PKCS11_CKR_PIN_LOCKED;
++		}
+
+ 		return PKCS11_CKR_PIN_INCORRECT;
+ 	}
+
+-	if (token->db_main->so_pin_count) {
+-		token->db_main->so_pin_count = 0;
++	if (IS_ENABLED(CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS)) {
++		if (token->db_main->so_pin_count) {
++			token->db_main->so_pin_count = 0;
+
+-		update_persistent_db(token);
+-	}
++			update_persistent_db(token);
++		}
+
+-	if (token->db_main->flags & (PKCS11_CKFT_SO_PIN_COUNT_LOW |
+-				     PKCS11_CKFT_SO_PIN_FINAL_TRY)) {
+-		token->db_main->flags &= ~(PKCS11_CKFT_SO_PIN_COUNT_LOW |
+-					   PKCS11_CKFT_SO_PIN_FINAL_TRY);
++		if (token->db_main->flags & (PKCS11_CKFT_SO_PIN_COUNT_LOW |
++									 PKCS11_CKFT_SO_PIN_FINAL_TRY)) {
++			token->db_main->flags &= ~(PKCS11_CKFT_SO_PIN_COUNT_LOW |
++									   PKCS11_CKFT_SO_PIN_FINAL_TRY);
+
+-		update_persistent_db(token);
++			update_persistent_db(token);
++		}
+ 	}
+
+ 	return PKCS11_CKR_OK;
+@@ -1199,35 +1205,39 @@ static enum pkcs11_rc check_user_pin(struct pkcs11_session *session,
+ 		if (rc != PKCS11_CKR_PIN_INCORRECT)
+ 			return rc;
+
+-		token->db_main->flags |= PKCS11_CKFT_USER_PIN_COUNT_LOW;
+-		token->db_main->user_pin_count++;
++		if (IS_ENABLED(CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS)) {
++			token->db_main->flags |= PKCS11_CKFT_USER_PIN_COUNT_LOW;
++			token->db_main->user_pin_count++;
+
+-		pin_count = token->db_main->user_pin_count;
+-		if (pin_count == PKCS11_TOKEN_USER_PIN_COUNT_MAX - 1)
+-			token->db_main->flags |= PKCS11_CKFT_USER_PIN_FINAL_TRY;
+-		if (pin_count == PKCS11_TOKEN_USER_PIN_COUNT_MAX)
+-			token->db_main->flags |= PKCS11_CKFT_USER_PIN_LOCKED;
++			pin_count = token->db_main->user_pin_count;
++			if (pin_count == PKCS11_TOKEN_USER_PIN_COUNT_MAX - 1)
++				token->db_main->flags |= PKCS11_CKFT_USER_PIN_FINAL_TRY;
++			if (pin_count == PKCS11_TOKEN_USER_PIN_COUNT_MAX)
++				token->db_main->flags |= PKCS11_CKFT_USER_PIN_LOCKED;
+
+-		update_persistent_db(token);
++			update_persistent_db(token);
+
+-		if (token->db_main->flags & PKCS11_CKFT_USER_PIN_LOCKED)
+-			return PKCS11_CKR_PIN_LOCKED;
++			if (token->db_main->flags & PKCS11_CKFT_USER_PIN_LOCKED)
++				return PKCS11_CKR_PIN_LOCKED;
++		}
+
+ 		return PKCS11_CKR_PIN_INCORRECT;
+ 	}
+
+-	if (token->db_main->user_pin_count) {
+-		token->db_main->user_pin_count = 0;
++	if (IS_ENABLED(CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS)) {
++		if (token->db_main->user_pin_count) {
++			token->db_main->user_pin_count = 0;
+
+-		update_persistent_db(token);
+-	}
++			update_persistent_db(token);
++		}
+
+-	if (token->db_main->flags & (PKCS11_CKFT_USER_PIN_COUNT_LOW |
+-				     PKCS11_CKFT_USER_PIN_FINAL_TRY)) {
+-		token->db_main->flags &= ~(PKCS11_CKFT_USER_PIN_COUNT_LOW |
+-					   PKCS11_CKFT_USER_PIN_FINAL_TRY);
++		if (token->db_main->flags & (PKCS11_CKFT_USER_PIN_COUNT_LOW |
++									 PKCS11_CKFT_USER_PIN_FINAL_TRY)) {
++			token->db_main->flags &= ~(PKCS11_CKFT_USER_PIN_COUNT_LOW |
++									   PKCS11_CKFT_USER_PIN_FINAL_TRY);
+
+-		update_persistent_db(token);
++			update_persistent_db(token);
++		}
+ 	}
+
+ 	return PKCS11_CKR_OK;
+diff --git a/optee/optee_os/ta/pkcs11/sub.mk b/optee/optee_os/ta/pkcs11/sub.mk
+index 30dd13cb5..c9c401879 100644
+--- a/optee/optee_os/ta/pkcs11/sub.mk
++++ b/optee/optee_os/ta/pkcs11/sub.mk
+@@ -10,6 +10,10 @@ CFG_PKCS11_TA_HEAP_SIZE ?= (32 * 1024)
+ # Defines the number of PKCS11 token implemented by the PKCS11 TA
+ CFG_PKCS11_TA_TOKEN_COUNT ?= 3
+
++# Locks correspondingly User or SO PIN when reaching maximum
++# failed authentication attemps (continous) limit
++CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS ?= y
++
+ global-incdirs-y += include
+ global-incdirs-y += src
+ subdirs-y += src
+-- 
+2.42.2
+
diff --git a/targets/nvidia-jetson-orin/optee.nix b/targets/nvidia-jetson-orin/optee.nix
@@ -16,10 +16,13 @@ _:
     inherit (pkgs.nvidia-jetpack) l4tVersion opteeClient;
     inherit (config.hardware.nvidia-jetpack.devicePkgs) taDevKit;
 
-    opteeSource = pkgs.fetchgit {
-      url = "https://nv-tegra.nvidia.com/r/tegra/optee-src/nv-optee";
-      rev = "jetson_${l4tVersion}";
-      sha256 = "sha256-jJOMig2+9FlKA9gJUCH/dva7ZtAq1typZSNGKyM7tlg=";
+    opteeSource = pkgs.applyPatches {
+      src = pkgs.fetchgit {
+        url = "https://nv-tegra.nvidia.com/r/tegra/optee-src/nv-optee";
+        rev = "jetson_${l4tVersion}";
+        sha256 = "sha256-jJOMig2+9FlKA9gJUCH/dva7ZtAq1typZSNGKyM7tlg=";
+      };
+      patches = [ ./0001-ta-pkcs11-Build-time-option-for-controlling-pin-lock.patch ];
     };
 
     opteeXtest = stdenv.mkDerivation {
@@ -59,6 +62,9 @@ _:
         "CFG_PKCS11_TA_AUTH_TEE_IDENTITY=${
           if config.ghaf.hardware.nvidia.orin.optee.pkcs11.authTeeIdentity then "y" else "n"
         }"
+        "CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS=${
+          if config.ghaf.hardware.nvidia.orin.optee.pkcs11.lockPinAfterFailedLoginAttempts then "y" else "n"
+        }"
         "CFG_PKCS11_TA_ALLOW_DIGEST_KEY=y"
         "OPTEE_CLIENT_EXPORT=${opteeClient}"
         "O=$(PWD)/out"