PKCS#11 - HMAC digest family

Description

Deliverables

This Epic is about implementing support for the HMAC (MD5 and SHA based) mechanisms in PKCS#11, i.e., making it possible to compute plain HMACs using the MD5 and SHA algorithms. The PKCS#11 mechanisms that we intend to implement in this Epic are:

  • CKM_MD5_HMAC

  • CKM_MD5_HMAC_GENERAL

  • CKM_SHA_1_HMAC

  • CKM_SHA_1_HMAC_GENERAL

  • CKM_SHA224_HMAC

  • CKM_SHA224_HMAC_GENERAL

  • CKM_SHA256_HMAC

  • CKM_SHA256_HMAC_GENERAL

  • CKM_SHA384_HMAC

  • CKM_SHA384_HMAC_GENERAL

  • CKM_SHA512_HMAC

  • CKM_SHA512_HMAC_GENERAL

Note that this depends on (PKCS#11 - Signature and MAC functions).

For most mechanisms mentioned here, we need to write code in optee_os, optee_client and optee_test. That is, these functions are called on the client side, but in most cases there is also a 1:1 mapping to a function on the secure side (as a service in a Trusted Application).
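
As a host-side cross-check for the mechanisms listed above (an added example, not code from OP-TEE or from this Epic), the following Python reference model computes the tag a token should return for the plain and the *_HMAC_GENERAL variants. The function names are hypothetical, the demo input is RFC 4231 test case 2, and rejecting a zero tag length is a choice of this model.

```python
import hmac

# PKCS#11 base mechanism -> hashlib digest name.
DIGESTS = {
    "CKM_MD5_HMAC": "md5",
    "CKM_SHA_1_HMAC": "sha1",
    "CKM_SHA224_HMAC": "sha224",
    "CKM_SHA256_HMAC": "sha256",
    "CKM_SHA384_HMAC": "sha384",
    "CKM_SHA512_HMAC": "sha512",
}
GENERAL = "_GENERAL"


def reference_mac(mechanism, key, data, mac_len=None):
    """Tag expected from C_Sign (hypothetical helper, not an OP-TEE API)."""
    general = mechanism.endswith(GENERAL)
    base = mechanism[: -len(GENERAL)] if general else mechanism
    if base not in DIGESTS:
        raise ValueError(f"unsupported mechanism: {mechanism}")
    full = hmac.new(key, data, DIGESTS[base]).digest()
    if not general:
        if mac_len is not None:
            raise ValueError("plain HMAC mechanisms take no length parameter")
        return full
    # *_HMAC_GENERAL: the mechanism parameter (CK_MAC_GENERAL_PARAMS) is the
    # tag length in bytes; the tag is the leading bytes of the full HMAC.
    # Assumption of this model: 0 is rejected, as it authenticates nothing.
    if mac_len is None or not 1 <= mac_len <= len(full):
        raise ValueError(f"tag length must be 1..{len(full)} bytes")
    return full[:mac_len]


def reference_verify(mechanism, key, data, tag, mac_len=None):
    """Constant-time check; a tag of the wrong length never verifies."""
    expected = reference_mac(mechanism, key, data, mac_len)
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    # RFC 4231 test case 2 input.
    key, data = b"Jefe", b"what do ya want for nothing?"
    print(reference_mac("CKM_SHA256_HMAC", key, data).hex())
    short = reference_mac("CKM_SHA256_HMAC_GENERAL", key, data, mac_len=16)
    print(short.hex())
    # A truncated tag must not pass under the full-length mechanism.
    print(reference_verify("CKM_SHA256_HMAC", key, data, short))  # False
```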

Out of Scope

N/A

Risks and Assumptions

Assumptions: it is possible to implement this as a standalone component.

Acceptance Criteria

Criteria

Status

Closeout Notes/Links

Patches upstream implementing PKCS#11 mechanisms for traditional HMACs in OP-TEE (Armv7-A and Armv8-A)

See link to patches below.

Patches upstream enabling tests for the PKCS#11 HMAC support

See link to patches below.

CKM_MD5_HMAC, implemented/upstream

https://github.com/OP-TEE/optee_os/pull/4193
https://github.com/OP-TEE/optee_client/pull/232
https://github.com/OP-TEE/optee_test/pull/461

CKM_SHA_1_HMAC, implemented/upstream

Same as above.

CKM_SHA224_HMAC, implemented/upstream

Same as above.

CKM_SHA256_HMAC, implemented/upstream

Same as above.

CKM_SHA384_HMAC, implemented/upstream

Same as above.

CKM_SHA512_HMAC, implemented/upstream

Same as above.

CKM_MD5_HMAC_GENERAL, implemented/upstream

https://github.com/OP-TEE/optee_os/pull/4746
https://github.com/OP-TEE/optee_client/pull/279
https://github.com/OP-TEE/optee_test/pull/535

CKM_SHA_1_HMAC_GENERAL, implemented/upstream

Same as above.

CKM_SHA224_HMAC_GENERAL, implemented/upstream

Same as above.

CKM_SHA256_HMAC_GENERAL, implemented/upstream

Same as above.

CKM_SHA384_HMAC_GENERAL, implemented/upstream

Same as above.

CKM_SHA512_HMAC_GENERAL, implemented/upstream

Same as above.

Legend:

Done, Not Done, Doesn't apply (note the reason)

Activity

Victor C 
October 2, 2021 at 4:53 PM

All patches merged.

Victor C 
September 2, 2021 at 3:07 PM

27/Jul - 2/Sep

  • Continued to address patch review comments on and off… like it would never end

Victor C 
July 22, 2021 at 2:44 PM
(edited)

22/July

  • Addressing patch review comments

15/July

  • Submitted patches for all 3 optee_* repos

8/July

  • Done and passes xtest after dealing with some edge cases

  • Cleaning up and preparing patches

Victor C 
June 15, 2021 at 11:07 AM

  • Done with optee_os and optee_client parts. Working on optee_test

  • Did code walk through of (de)serialization code with Ruchika

Victor C 
June 10, 2021 at 3:05 PM

  • Coding in optee_os and optee_client for C_Sign/C_Verify with *HMAC_GENERAL mechanism, i.e. non-standard hmac length

  • Idea of truncating hmac length as simple/early as possible in optee_client didn’t pan out

  • Familiarizing with (de)serialization code and struct active_processing - extra_ctx member for storing stateful data between multiple calls to Secure World per session

Done

Time tracking

3d logged

Created September 10, 2019 at 9:08 AM
Updated October 2, 2021 at 4:53 PM
Resolved October 2, 2021 at 4:53 PM