OP-TEE: Add option for PKCS11 TA (CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS) #789

Open
wants to merge 1 commit into
base: main

TanelDettenborn

Introducing a build-time option for OP-TEE's PKCS11 TA: lockPinAfterFailedLoginAttempts. If lockPinAfterFailedLoginAttempts is set to true then PKCS11 TA is built with CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS=y and respectively CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS=n if the option is set to false.

Default value is false.

Note: This is a custom feature. It is not part of OP-TEE's upstream, but I have opened a pull request towards the OP-TEE repository. I will update this pull request if my OP-TEE pull request receives any comments.

Description of changes

Checklist for things done

  • Summary of the proposed changes in the PR description
  • More detailed description in the commit message(s)
  • Commits are squashed into relevant entities - avoid a lot of minimal dev time commits in the PR
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • PR linked to architecture documentation and requirement(s) (ticket id)
  • Test procedure described (or includes tests). Select one or more:
    • Tested on Lenovo X1 x86_64
    • Tested on Jetson Orin NX or AGX aarch64
    • Tested on Polarfire riscv64
  • Author has run make-checks and it passes
  • All automatic Github Action checks pass - see actions
  • Author has added reviewers and removed PR draft status
  • Change requires full re-installation
  • Change can be updated with nixos-rebuild ... switch
    Note: Need to remove /data/tee-directory

Instructions for Testing

  • List all targets that this applies to: Jetson Orin NX or AGX
  • Is this a new feature
    • List the test steps to verify:
      Complete testing requires two sequences: limited and unlimited logins.
      Common to both cases is the initialization:
      alias p11="pkcs11-tool-optee --slot-index 0 --label test"
      p11 --init-token --so-pin 1111
      p11 --init-pin --login --so-pin 1111 --new-pin 2222

Limited login attempts
Compile PKCS11 TA with lockPinAfterFailedLoginAttempts = false
!! remove secure storage rm -rf /data/tee !!
p11 --login --pin 1232 --list-object
p11 --init-pin --login --so-pin 1234 --new-pin 2222
--> Both return CKR_PIN_INCORRECT
p11 --login --pin 2222 --list-object
p11 --init-pin --login --so-pin 1111 --new-pin 2222
--> Both are able to login (operation success)
7x: p11 --login --pin 1232 --list-object
7x: p11 --init-pin --login --so-pin 1234 --new-pin 2222
--> Both PINs are locked: CKR_PIN_LOCKED
p11 --login --pin 2222 --list-object
p11 --init-pin --login --so-pin 1111 --new-pin 2222
--> Both return CKR_PIN_LOCKED

Unlimited login attempts
Compile PKCS11 TA with lockPinAfterFailedLoginAttempts = true
!! remove secure storage rm -rf /data/tee !!
p11 --login --pin 1232 --list-object
p11 --init-pin --login --so-pin 1234 --new-pin 2222
--> Both return CKR_PIN_INCORRECT
p11 --login --pin 2222 --list-object
p11 --init-pin --login --so-pin 1111 --new-pin 2222
--> Both are able to login (operation success)
7x: p11 --login --pin 1232 --list-object
7x: p11 --init-pin --login --so-pin 1234 --new-pin 2222
--> Both return CKR_PIN_INCORRECT
p11 --login --pin 2222 --list-object
p11 --init-pin --login --so-pin 1111 --new-pin 2222
--> Both are able to login (operation success)

  • If it is an improvement how does it impact existing functionality?
    Adds a feature to PKCS11 TA and a convenience option for fine-tuning it.

…_LOGIN_ATTEMPTS)

Note: Commit includes a custom patch for OP-TEE.

Signed-off-by: Tanel Dettenborn <tanel@ssrc.tii.ae>
brianmcgillion added the Needs Testing CI Team to pre-verify label Sep 20, 2024
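
The test sequence from the PR description, scripted as an added example (not part of the PR or of the Ghaf or OP-TEE code). It assumes the tool prints the PKCS#11 return-code name on failure; the script name `lockout_check.sh` and the function names are hypothetical, and the behaviour expected from the build under test (`locked` or `unlimited`) is passed in as an argument.

```shell
#!/bin/sh
# Added example, not part of the PR. Assumption: on failure the tool prints the
# PKCS#11 return-code name (CKR_PIN_INCORRECT / CKR_PIN_LOCKED) in its output.
P11_TOOL="${P11_TOOL:-pkcs11-tool-optee}"   # command name taken from the PR text

# attempt ROLE PIN -> prints OK, CKR_PIN_INCORRECT, CKR_PIN_LOCKED or OTHER.
# ROLE is "user" or "so"; the two command lines are the ones used in the PR.
attempt() {
    if [ "$1" = so ]; then
        set -- --init-pin --login --so-pin "$2" --new-pin 2222
    else
        set -- --login --pin "$2" --list-object
    fi
    out=$($P11_TOOL --slot-index 0 --label test "$@" 2>&1) && rc=0 || rc=$?
    case $out in
        *CKR_PIN_LOCKED*)    echo CKR_PIN_LOCKED ;;
        *CKR_PIN_INCORRECT*) echo CKR_PIN_INCORRECT ;;
        *) if [ "$rc" -eq 0 ]; then echo OK; else echo OTHER; fi ;;
    esac
}

# check_role ROLE GOOD_PIN BAD_PIN EXPECT, with EXPECT = locked | unlimited.
# Returns 0 when the token behaves as EXPECT says after seven bad attempts.
check_role() {
    [ "$(attempt "$1" "$3")" = CKR_PIN_INCORRECT ] || return 1  # one bad try
    [ "$(attempt "$1" "$2")" = OK ] || return 1                 # good PIN works
    i=0
    while [ "$i" -lt 7 ]; do                                    # 7x, as in the PR
        last=$(attempt "$1" "$3")
        i=$((i + 1))
    done
    final=$(attempt "$1" "$2")                                  # good PIN again
    if [ "$4" = locked ]; then
        [ "$final" = CKR_PIN_LOCKED ]
    else
        [ "$last" = CKR_PIN_INCORRECT ] && [ "$final" = OK ]
    fi
}

# On the target, after the PR's initialisation steps:
#   sh lockout_check.sh run locked      (or: run unlimited)
if [ "${1:-}" = run ]; then
    if check_role user 2222 1232 "$2" && check_role so 1111 1234 "$2"; then
        echo PASS
    else
        echo FAIL; exit 1
    fi
fi
```

A `locked` run leaves both PINs locked, so the secure storage has to be removed and the token re-initialised before the next run, as the PR's steps note.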