OP-TEE: Add option for PKCS11 TA (CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS) #789
Introducing a build-time option for OP-TEE's PKCS11 TA: lockPinAfterFailedLoginAttempts. If lockPinAfterFailedLoginAttempts is set to true, then the PKCS11 TA is built with CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS=y, and respectively with CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS=n if the option is set to false.
Default value is false.
Note: This is a custom feature. It is not part of OP-TEE upstream, but I have opened a pull request towards the OP-TEE repository. I will update this pull request if my OP-TEE pull request receives any comments.
Description of changes
Checklist for things done
x86_64
aarch64
riscv64
make-checks and it passes
nixos-rebuild ... switch
Note: Need to remove /data/tee-directory
Instructions for Testing
Complete testing requires two sequences: limited and unlimited logins.
Common to both cases is initialization:
alias p11="pkcs11-tool-optee --slot-index 0 --label test"
p11 --init-token --so-pin 1111
p11 --init-pin --login --so-pin 1111 --new-pin 2222
Limited login attempts
Compile PKCS11 TA with
lockPinAfterFailedLoginAttempts = false
!! remove secure storage
rm -rf /data/tee
!!
p11 --login --pin 1232 --list-object
p11 --init-pin --login --so-pin 1234 --new-pin 2222
--> Both return
CKR_PIN_INCORRECT
p11 --login --pin 2222 --list-object
p11 --init-pin --login --so-pin 1111 --new-pin 2222
--> Both are able to login (operation success)
7x:
p11 --login --pin 1232 --list-object
7x:
p11 --init-pin --login --so-pin 1234 --new-pin 2222
--> Both PINs are locked:
CKR_PIN_LOCKED
p11 --login --pin 2222 --list-object
p11 --init-pin --login --so-pin 1111 --new-pin 2222
--> Both return
CKR_PIN_LOCKED
Unlimited login attempts
Compile PKCS11 TA with
lockPinAfterFailedLoginAttempts = true
!! remove secure storage
rm -rf /data/tee
!!
p11 --login --pin 1232 --list-object
p11 --init-pin --login --so-pin 1234 --new-pin 2222
--> Both return
CKR_PIN_INCORRECT
p11 --login --pin 2222 --list-object
p11 --init-pin --login --so-pin 1111 --new-pin 2222
--> Both are able to login (operation success)
7x:
p11 --login --pin 1232 --list-object
7x:
p11 --init-pin --login --so-pin 1234 --new-pin 2222
--> Both return
CKR_PIN_INCORRECT
p11 --login --pin 2222 --list-object
p11 --init-pin --login --so-pin 1111 --new-pin 2222
--> Both are able to login (operation success)
Adds feature into PKCS11 TA and convenience option for fine tuning it.
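
The test sequence from the instructions above, wrapped in a POSIX shell function that checks every return value (an added example, not part of the pull request). It assumes pkcs11-tool-optee prints the CKR_* name on failure; p11_result, user_login, so_login, expect and check_lockout are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the pull request. P11 is the command prefix; the
# default mirrors the p11 alias in the test instructions.
P11="${P11:-pkcs11-tool-optee --slot-index 0 --label test}"

# Print OK, CKR_PIN_INCORRECT, CKR_PIN_LOCKED or UNKNOWN for one command.
# Assumption: on failure the tool prints the CKR_* name of the return value.
p11_result() {
    out=$($P11 "$@" 2>&1) && st=0 || st=$?
    case $out in
        *CKR_PIN_LOCKED*)    echo CKR_PIN_LOCKED ;;
        *CKR_PIN_INCORRECT*) echo CKR_PIN_INCORRECT ;;
        *) if [ "$st" -eq 0 ]; then echo OK; else echo UNKNOWN; fi ;;
    esac
}

user_login() { p11_result --login --pin "$1" --list-object; }
so_login()   { p11_result --init-pin --login --so-pin "$1" --new-pin 2222; }

# expect WANT GOT LABEL: record a failure when GOT differs from WANT.
expect() {
    [ "$1" = "$2" ] && return 0
    echo "FAIL: $3: want $1, got $2" >&2
    fail=1
}

# check_lockout locked|unlocked: the argument is the state the correct PINs
# should be in after 7 wrong attempts. Assumes secure storage was cleared.
check_lockout() {
    case $1 in
        locked)   want=CKR_PIN_LOCKED ;;
        unlocked) want=OK ;;
        *) echo "usage: check_lockout locked|unlocked" >&2; return 2 ;;
    esac
    fail=0
    expect OK "$(p11_result --init-token --so-pin 1111)" "init token"
    expect OK "$(so_login 1111)" "init user PIN"
    expect CKR_PIN_INCORRECT "$(user_login 1232)" "wrong user PIN"
    expect CKR_PIN_INCORRECT "$(so_login 1234)" "wrong SO PIN"
    expect OK "$(user_login 2222)" "correct user PIN"
    expect OK "$(so_login 1111)" "correct SO PIN"
    for i in 1 2 3 4 5 6 7; do user_login 1232 >/dev/null; done
    for i in 1 2 3 4 5 6 7; do so_login 1234 >/dev/null; done
    expect "$want" "$(user_login 2222)" "user PIN after 7 failures"
    expect "$want" "$(so_login 1111)" "SO PIN after 7 failures"
    return "$fail"
}
```

Source the file on the target and call `check_lockout locked` or `check_lockout unlocked`, depending on which behaviour the build under test should show; a non-zero return means at least one step differed from the expected result.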