Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OP-TEE: Add option for PKCS11 TA (CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS) #789

Merged
merged 1 commit into from
Sep 27, 2024
Merged

OP-TEE: Add option for PKCS11 TA (CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS) #789

merged 1 commit into from
Sep 27, 2024

Conversation

TanelDettenborn
Copy link

Introducing a build time option for OP-TEE's PKCS11 TA: lockPinAfterFailedLoginAttempts. If lockPinAfterFailedLoginAttempts is set to true then PKCS11 TA is build with CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS=y and respectively CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS=n if option is set to false.

Default value is false.

Note: This is a custom feature. It is not part of the OP-TEE's upstream, but I have opened a pull request towards OP-TEE repository. I will updated this pull request if my OP-TEE's pull request receives any comments.

Description of changes

Checklist for things done

  • Summary of the proposed changes in the PR description
  • More detailed description in the commit message(s)
  • Commits are squashed into relevant entities - avoid a lot of minimal dev time commits in the PR
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • PR linked to architecture documentation and requirement(s) (ticket id)
  • Test procedure described (or includes tests). Select one or more:
    • Tested on Lenovo X1 x86_64
    • Tested on Jetson Orin NX or AGX aarch64
    • Tested on Polarfire riscv64
  • Author has run make-checks and it passes
  • All automatic Github Action checks pass - see actions
  • Author has added reviewers and removed PR draft status
  • Change requires full re-installation
  • Change can be updated with nixos-rebuild ... switch
    Note: Need to remove /data/tee-directory

Instructions for Testing

  • List all targets that this applies to: Jetson Orin NX or AGX
  • Is this a new feature
    • List the test steps to verify:
      A complete testing requires two sequence limited and unlimited logins.
      Common for both cases are initilization:
      alias p11="pkcs11-tool-optee --slot-index 0 --label test"
      p11 --init-token --so-pin 1111
      p11 --init-pin --login --so-pin 1111 --new-pin 2222

Limited login attempts
Compile PKCS11 TA with lockPinAfterFailedLoginAttempts = false
!! remove secure storage rm -rf /data/tee !!
p11 --login --pin 1232 --list-object
p11 --init-pin --login --so-pin 1234 --new-pin 2222
--> Both returns CKR_PIN_INCORRECT
p11 --login --pin 2222 --list-object
p11 --init-pin --login --so-pin 1111 --new-pin 2222
--> Both are able to login (operation success)
7x: p11 --login --pin 1232 --list-object
7x: p11 --init-pin --login --so-pin 1234 --new-pin 2222
--> Both PINs are locked: CKR_PIN_LOCKED
p11 --login --pin 2222 --list-object
p11 --init-pin --login --so-pin 1111 --new-pin 2222
--> Both returns CKR_PIN_LOCKED

Unlimited login attempts
Compile PKCS11 TA with lockPinAfterFailedLoginAttempts = true
!! remove secure storage rm -rf /data/tee !!
p11 --login --pin 1232 --list-object
p11 --init-pin --login --so-pin 1234 --new-pin 2222
--> Both returns CKR_PIN_INCORRECT
p11 --login --pin 2222 --list-object
p11 --init-pin --login --so-pin 1111 --new-pin 2222
--> Both are able to login (operation success)
7x: p11 --login --pin 1232 --list-object
7x: p11 --init-pin --login --so-pin 1234 --new-pin 2222
--> Both returns CKR_PIN_INCORRECT
p11 --login --pin 2222 --list-object
p11 --init-pin --login --so-pin 1111 --new-pin 2222
--> Both are able to login (operation success)

  • If it is an improvement how does it impact existing functionality?
    Adds feature into PKCS11 TA and convenience option for fine tuning it.

@brianmcgillion
OP-TEE: Add option for PKCS11 TA (CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED…
d58ebb1 
…_LOGIN_ATTEMPTS)

Note: Commit includes a custom patch for OP-TEE.

Signed-off-by: Tanel Dettenborn <[email protected]>
@brianmcgillion brianmcgillion added the Needs Testing CI Team to pre-verify label Sep 20, 2024
@johannarautanen
Copy link

johannarautanen commented Sep 24, 2024
edited
Loading

Command functionality works:
Limited login attempts-version; after 7 tries PIN was locked.
Unlimited login attempts-version; PIN wasn’t locked after 7 or more tries.

Comfirm from Tanel, that the successfully-note is that: "Using slot with index 0 (0x0)"
p11 --login --pin 2222 --list-object
p11 --init-pin --login --so-pin 1111 --new-pin 2222
--> Both are able to login (operation success)
Screenshot from 2024-09-24 11-35-10

And other thing confirmed: after PIN is locked, need to give the "rm -rf /data/tee" and also reboot the GHAF to be able to try the cases again.

Tried with:
NVIDIA Jetson AGX Orin native, booted Orin AGX from eMMC
Check with commit: d58ebb1
Limited login attempts-version

•  commands works: PIN was locked finally
• automation cases: ok
• launching app: ok

NVIDIA Jetson AGX Orin native, booted Orin AGX from eMMC
build in own machine to get the
Unlimited login attempts-version
• commands work: didn’t lock the PIN
• automation cases: ok
• launching app: ok

NVIDIA Jetson AGX Orin cross compile, booted Orin AGX from eMMC
Check with commit: d58ebb1
Limited login attempts-version

•  commands works: PIN was locked finally
• automation cases: ok
  launching app: ok

NVIDIA Jetson AGX Orin cross compile, booted Orin AGX from eMMC
build in own machine to the get the
Unlimited login attempts-version
• commands work: didn’t lock the PIN
• launching app: ok

NVIDIA Jetson NX Orin native, booted Orin NX from memory stick
Check with commit: d58ebb1
Limited login attempts-version

•  commands works: PIN was locked finally
• launching app: ok

NVIDIA Jetson NX Orin native, booted Orin NX from eMMC
build in own machine to the get the
Unlimited login attempts-version
• commands work: didn’t lock the PIN
• launching app: ok

NVIDIA Jetson NX Orin cross compile, booted Orin NX from memory stick
Check with commit: d58ebb1
Limited login attempts-version
• commands works: PIN was locked finally
launching app: ok

NVIDIA Jetson NX Orin cross compile, booted Orin NX from memory stick
build in own machine to the get the
Unlimited login attempts-version
• commands work: didn’t lock the PIN
• launching app: ok
/

@johannarautanen johannarautanen added Tested on Orin AGX This PR has been tested on NVIDIA Jetson AGX Orin Tested on Orin NX This PR has been tested on NVIDIA Jetson NX Orin Tested on Orin AGX Cross This PR has been tested on NVIDIA Jetson AGX Orin cross-compiled Tested on Orin NX Cross This PR has been tested on NVIDIA Jetson NX Orin cross-compiled and removed Needs Testing CI Team to pre-verify labels Sep 25, 2024
@brianmcgillion brianmcgillion merged commit 3f3766d into tiiuae:main Sep 27, 2024
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brianmcgillion brianmcgillion brianmcgillion approved these changes

Assignees
No one assigned
Labels
Tested on Orin AGX Cross This PR has been tested on NVIDIA Jetson AGX Orin cross-compiled Tested on Orin AGX This PR has been tested on NVIDIA Jetson AGX Orin Tested on Orin NX Cross This PR has been tested on NVIDIA Jetson NX Orin cross-compiled Tested on Orin NX This PR has been tested on NVIDIA Jetson NX Orin
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@TanelDettenborn @johannarautanen @brianmcgillion