Defines the TOS OEM Keystore Service trusted application command IDs available to clients.
| Enumerator |
|---|
| KEYSTORE_SERVICE_PING | Description
Command to ping and check response from OEM Keystore Service.
Checks whether a call reaches the OEM Keystore service successfully, i.e., tests the reachability of the OEM Keystore service.
- Parameters
| [in] | params[0] | NONE |
| [in] | params[1] | NONE |
| [in] | params[2] | NONE |
| [in] | params[3] | NONE |
- Returns
  - TEE_SUCCESS If successful.
  - TEE_ERROR_BAD_PARAMETERS If invalid parameter is passed.
  - TEE_ERROR_BAD_STATE If OEM Keystore service is not initialized.
|
| KEYSTORE_SERVICE_GET_KEY | Description
Command to return a key in plaintext format.
Gets the key material in plaintext format in the caller-provided buffer, corresponding to the requested key entry index and lookup type, after authenticating the access based on the UUID of the requesting TA and the guest virtual machine number.
- Parameters
| [in] | params[0].value.a | Index of the requested key entry. |
| [in] | params[0].value.b | Lookup type to use while searching for key entry. KEYSTORE_LOOKUP_TYPE_ABSOLUTE means treat key entry Index as absolute index from the start of EKS payload. KEYSTORE_LOOKUP_TYPE_RELATIVE means treat key entry Index as index within the set of key entries having same matching caller's TA UUID. |
| [in] | params[1].value.a | Guest Virtual Machine ID. |
| [in] | params[2].memref.buffer | On success, shall contain requested key material. |
| [in,out] | params[2].memref.size | Shall contain size of input buffer and on successful return shall contain size of copied key material. |
- Returns
  - TEE_SUCCESS Success.
  - TEE_ERROR_BAD_PARAMETERS Bad parameters to the function.
  - TEE_ERROR_ACCESS_DENIED Key entry access denied because of permission check failure or internal key retrieval, validation error.
  - TEE_ERROR_SHORT_BUFFER Caller-supplied keyBufferSize is too small.
|
| KEYSTORE_SERVICE_GET_KEY_ATTRIBUTE | Description
Command to return attribute of a key.
Gets key material attribute corresponding to the key entry index and lookup type, after authenticating the access based on UUID of requesting TA and guest virtual machine number.
- Parameters
| [in] | params[0].value.a | Index of the requested key entry. |
| [in] | params[0].value.b | Lookup type to use while searching for key entry. KEYSTORE_LOOKUP_TYPE_ABSOLUTE means treat key entry Index as absolute index from the start of EKS payload. KEYSTORE_LOOKUP_TYPE_RELATIVE means treat key entry Index as index within the set of key entries having same matching caller's TA UUID. |
| [in] | params[1].value.a | Guest Virtual Machine ID. |
| [in] | params[2].value.a | Attribute type requested. KEYSTORE_KEY_ATTRIBUTE_SIZE means that request is for retrieving encrypted key material size. |
| [out] | params[3].value.a | On success, shall contain requested attribute value. |
- Returns
  - TEE_SUCCESS Success.
  - TEE_ERROR_BAD_PARAMETERS Bad parameters to the function.
  - TEE_ERROR_ACCESS_DENIED Key entry access denied because of permission check failure or internal key retrieval, validation error.
|
| KEYSTORE_SERVICE_PKCS11_LOAD_AES_KEY | Description
Command to Load PKCS11 symmetric object into AES Keyslot.
Gets PKCS11 Symmetric object corresponding to the key entry index based on absolute lookup type, after authenticating the access based on guest virtual machine number. Validates the key material of the symmetric object and loads into AES Keyslot.
- Parameters
| [in] | params[0].value.a | Handle of the AES key to be loaded. |
| [in] | params[1].value.a | Mechanism to be used by this keyslot. Type: PKCS11_CK_MECHANISM_TYPE |
| [in] | params[1].value.b | Purpose for loading the key into keyslot. Type: KeyPurpose |
| [out] | params[3].value.a | On success, shall contain requested keyslot handle. |
- Returns
  - TEE_SUCCESS Success.
  - TEE_ERROR_BAD_PARAMETERS Bad parameters to the function.
  - TEE_ERROR_ACCESS_DENIED Key access is denied because of permission check failure or internal key retrieval, validation error.
  - TEE_ERROR_BAD_STATE if CryptoSession is not established.
  - TEE_ERROR_NOT_SUPPORTED if provided mechanism or purpose is not supported by the key.
  - TEE_ERROR_OVERFLOW if no keyslots allocated to guest are free.
|
| KEYSTORE_SERVICE_PKCS11_RELEASE_AES_KEYSLOT | Description
Command to release AES Keyslot when a PKCS11 Symmetric object is loaded into Keyslot using KEYSTORE_SERVICE_PKCS11_LOAD_AES_KEY command.
Checks whether the input keyslot handle is valid and already loaded. Releases the keyslot if so, and returns an error otherwise.
- Parameters
| [in] | params[0].value.a | KeySlot Handle to be released. |
- Returns
  - TEE_SUCCESS Success.
  - TEE_ERROR_BAD_STATE if CryptoSession is not established.
  - TEE_ERROR_BAD_PARAMETERS Bad parameters to the function.
  - TEE_ERROR_ITEM_NOT_FOUND if Keyslot handle is not found.
|
| KEYSTORE_SERVICE_PKCS11_LOOKUP_AES_KEY | Description
Command to look up a PKCS11 Symmetric Object based on object id.
Performs a lookup in the available PKCS11 Symmetric Objects based on the input object id and returns a handle to the object if the request is from a valid guest owner.
- Parameters
| [in] | params[0].memref.buffer | Pointer to object Id buffer. |
| [in] | params[0].memref.size | Size of buffer containing object id. |
| [out] | params[3].value.a | On success, shall contain requested handle to object. |
- Returns
  - TEE_SUCCESS Success.
  - TEE_ERROR_BAD_PARAMETERS Bad parameters to the function.
  - TEE_ERROR_ACCESS_DENIED Key access is denied because of permission check failure or internal key retrieval, validation error.
  - TEE_ERROR_BAD_STATE if CryptoSession is not established.
  - TEE_ERROR_ITEM_NOT_FOUND if object is not found.
|
| KEYSTORE_SERVICE_PKCS11_GET_KEY_OBJ_METADATA | Description
Get PKCS11 object metadata.
Gets PKCS11 object metadata. The PKCS11 object type from the metadata indicates the type of object like a secret key object or a public key object and it must be used to interpret the returned metadata.
- Parameters
| [in] | params[0].value.a | KeyHandle of the key object returned by KEYSTORE_SERVICE_PKCS11_* APIs. |
| [out] | params[1].memref.buffer | Pointer to the metadata struct. |
| [in] | params[1].memref.size | Size of buffer (uint32_t). |
| [in] | params[2] | NONE |
| [in] | params[3] | NONE |
- Returns
  - TEE_SUCCESS Success.
  - TEE_ERROR_BAD_PARAMETERS Bad parameters to the function.
  - TEE_ERROR_ACCESS_DENIED Key access is denied because of permission check failure or internal key retrieval.
|
| KEYSTORE_SERVICE_PKCS11_GENERATE_AES_KEY | Description
Command to generate new PKCS11 Symmetric Key Objects.
This command generates new PKCS11 Symmetric key objects in TZRAM. These keys are ephemeral in nature because they reside in secure memory and are not persistent across system boots. This command generates a new key based on the PKCS11 Symmetric Key template from the non-secure client, which is provided as an input parameter. The following metadata fields of the template are validated before generating the new secret key:
- Key Metadata which includes key type, key purpose and mechanisms, key sensitivity, key extractability.
- Object Type, Structure Version.
- Checks if ObjectId is unique.
- Parameters
| [in] | params[0].memref.buffer | Pointer to Symmetric Key template. |
| [in] | params[0].memref.size | Size of Symmetric Key template. |
| [out] | params[3].value.a | On success, shall contain Key handle to new object. |
- Returns
  - TEE_SUCCESS if Key generation is successful.
  - TEE_ERROR_BAD_PARAMETERS Bad parameters to the function or if template validation fails.
  - TEE_ERROR_BAD_STATE if CryptoSession is not established.
  - TEE_ERROR_GENERIC if Key generation fails.
  - TEE_ERROR_OUT_OF_MEMORY if TZRAM Symmetric key entries are full.
|
| KEYSTORE_SERVICE_PKCS11_DELETE_KEY | Description
Command to delete ephemeral PKCS11 key objects created by key generate commands.
Performs a lookup in the available PKCS11 Objects in TZRAM based on the input key handle and deletes the Key Entry.
- Parameters
| [in] | params[0].value.a | Valid Key handle to delete. Key Handle must be from the prior successful Key generation command. |
- Returns
  - TEE_SUCCESS if Key deletion is successful.
  - TEE_ERROR_BAD_PARAMETERS if Key handle is invalid.
  - TEE_ERROR_ACCESS_DENIED Key access is denied because of permission check failure.
  - TEE_ERROR_ITEM_NOT_FOUND if object is not found.
|
| KEYSTORE_SERVICE_PKCS11_DERIVE_AES_KEY | Description
Command to derive an AES Key based on an existing deriving AES Key.
Finds the deriving key based on the provided key handle and loads it into an AES Keyslot after verifying that the key can be used for key derivation. Derives new key material by computing CMAC on the derivation data using the loaded deriving keyslot. A new key is then derived using the provided Symmetric Key template as input along with the derived key material. The following metadata fields of the template are validated before generating the new secret key:
- Key Metadata which includes key type, key purpose and mechanisms, key sensitivity, key extractability.
- Object Type, Structure Version.
- Checks if ObjectId is unique.
- Parameters
| [in] | params[0].value.a | Handle for the deriving Key |
| [in] | params[1].memref.buffer | Pointer to PKCS symmetric key metadata template structure |
| [in] | params[1].memref.size | Size of symmetric obj metadata |
| [in] | params[2].memref.buffer | Pointer to derivation data buffer |
| [in] | params[2].memref.size | Size of derivation data |
| [out] | params[3].value.a | On success, contains derived keyhandle |
- Returns
  - TEE_SUCCESS Success.
  - TEE_ERROR_BAD_PARAMETERS Bad parameters to the function.
  - TEE_ERROR_ACCESS_DENIED Key access is denied because of permission check failure or internal key retrieval, validation error.
  - TEE_ERROR_BAD_STATE if CryptoSession is not established.
  - TEE_ERROR_ITEM_NOT_FOUND if deriving key is not found.
  - TEE_ERROR_GENERIC if any generic error.
|
| KEYSTORE_SERVICE_PKCS11_UNWRAP_AES_KEY | Description
Command to unwrap an AES key using AES-CCM from an existing AES key.
Unwraps an AES key from another AES key using AES-CCM. The input parameters needed for unwrapping a key are its tag length, nonce, wrapped key material and AAD (Additional Authentication Data). Below are the details:
- TAG Length: This is fixed as 16 and is not provided as input.
- NONCE: Nonce and nonce size are provided as one of the input params. Size of nonce is fixed as 12 bytes.
- WRAPPED KEY: Wrapped data is provided as input via 'encKeyData' field of unwrapped key template.
- TAG: This is also known as MAC and is 16 bytes long. Passed via 'macData' field of unwrapped key template.
- AAD: The entire metadata template excluding IV, Key and MAC Fields is considered as AAD (Additional Authentication Data) and is used for authenticating the key during unwrapping by the Keystore service.
The following metadata fields of the unwrapped key are validated before key unwrapping:
- Key Metadata which includes key type, key purpose and mechanisms, key sensitivity, key extractability.
- Object Type, Structure Version.
- Checks if ObjectId is unique.
NOTE: Fields of Unwrapped key Template should contain Wrapped key metadata, wrapped key material and TAG.
- Parameters
| [in] | params[0].value.a | Handle for the unwrapping key |
| [in] | params[1].memref.buffer | Pointer to nonce buffer. |
| [in] | params[1].memref.size | Size of the nonce buffer. |
| [in] | params[2].memref.buffer | Pointer to PKCS symmetric key metadata template structure |
| [in] | params[2].memref.size | Size of symmetric obj metadata |
| [out] | params[3].value.a | On success, contains unwrapped keyhandle |
- Returns
  - TEE_SUCCESS Success.
  - TEE_ERROR_BAD_PARAMETERS Bad parameters to the function.
  - TEE_ERROR_ACCESS_DENIED Key access is denied because of permission check failure or internal key retrieval.
  - TEE_ERROR_BAD_STATE if CryptoSession is not established.
  - TEE_ERROR_ITEM_NOT_FOUND if unwrapping key is not found.
  - TEE_ERROR_GENERIC if any AAD authentication fails or unwrapping fails.
|
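
The lookup and access-check rules described for KEYSTORE_SERVICE_GET_KEY, as a small C model added here for illustration (it is not the Keystore service's own code). The entry layout, the sample store, the `model_get_key` name and the numeric values of the two lookup types are assumptions, since the page does not give them.

```c
#include <stdint.h>
#include <string.h>

/* GlobalPlatform TEE result codes named in the command descriptions. */
#define TEE_SUCCESS              0x00000000u
#define TEE_ERROR_ACCESS_DENIED  0xFFFF0001u
#define TEE_ERROR_BAD_PARAMETERS 0xFFFF0006u
#define TEE_ERROR_SHORT_BUFFER   0xFFFF0010u

/* Assumed values: the page names the lookup types but not their numbers. */
enum { KEYSTORE_LOOKUP_TYPE_ABSOLUTE = 0, KEYSTORE_LOOKUP_TYPE_RELATIVE = 1 };

/* Hypothetical key entry; the real EKS payload layout is not on the page. */
typedef struct { uint8_t uuid[16]; uint32_t guest; uint8_t key[32]; uint32_t len; } entry_t;

/* Constructed sample store: entries 0 and 2 belong to TA 0xAA.., entry 1 to TA 0xBB.. */
static const entry_t store[] = {
    { {0xAA}, 0, {0x11}, 16 },
    { {0xBB}, 0, {0x22}, 32 },
    { {0xAA}, 1, {0x33}, 32 },
};
#define N_ENTRIES (sizeof store / sizeof store[0])

/* Model of GET_KEY: resolve the index, check caller UUID and guest VM, then copy. */
uint32_t model_get_key(const uint8_t caller[16], uint32_t guest, uint32_t index,
                       uint32_t lookup, uint8_t *buf, uint32_t *size)
{
    const entry_t *e = NULL;
    if (!caller || !buf || !size) return TEE_ERROR_BAD_PARAMETERS;
    if (lookup == KEYSTORE_LOOKUP_TYPE_ABSOLUTE) {
        if (index < N_ENTRIES) e = &store[index];   /* index from start of payload */
    } else if (lookup == KEYSTORE_LOOKUP_TYPE_RELATIVE) {
        /* Count only the entries whose UUID matches the caller. */
        for (uint32_t i = 0, seen = 0; i < N_ENTRIES && !e; i++)
            if (!memcmp(store[i].uuid, caller, 16) && seen++ == index) e = &store[i];
    } else {
        return TEE_ERROR_BAD_PARAMETERS;
    }
    /* Retrieval failure and permission failure both map to ACCESS_DENIED, as on the page. */
    if (!e || memcmp(e->uuid, caller, 16) || e->guest != guest)
        return TEE_ERROR_ACCESS_DENIED;
    if (*size < e->len) return TEE_ERROR_SHORT_BUFFER;
    memcpy(buf, e->key, e->len);
    *size = e->len;   /* in: buffer capacity, out: bytes copied */
    return TEE_SUCCESS;
}
```

In this model, relative index 1 for TA 0xAA resolves to store entry 2, while absolute index 1 points at another TA's entry and is refused.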