PKCS #11 Support in OP-TEE
Cryptoki Introduction
In cryptography, PKCS #11 is one of the Public-Key Cryptography Standards and refers to the programming interface used to create and manipulate cryptographic tokens, where the secret is a cryptographic key.
The PKCS #11 standard defines a platform-independent API for interacting with cryptographic tokens, such as hardware security modules (HSM) and smart cards. The API is officially named Cryptoki (derived from “cryptographic token interface” and pronounced as “crypto-key”). However, PKCS #11 is often used interchangeably to refer to the API and the standard that defines it.
This API specifies the most commonly used cryptographic object types (RSA keys, X.509 certificates, DES/Triple DES keys, etc.) and all the functions needed to create, generate, modify, delete, and use these objects.
The primary goal of PKCS #11 is to allow applications to securely and consistently use the features of cryptographic tokens. This enables developers to focus on their application’s functionality without worrying about the intricacies of token-specific interfaces.
Some key features of PKCS #11 include token management, key management, encryption, and decryption.
Token Management
The ability to manage and configure cryptographic tokens, such as loading or unloading keys.
Key Management
The ability to create, store, and retrieve encryption keys.
Encryption and Decryption
The ability to perform various types of encryption and decryption operations.
For more details about PKCS #11, refer to PKCS #11 Cryptographic Token Interface Base Specification Version 2.40.
Cryptoki Implementation in OP-TEE
The Cryptoki-specific implementation in OP-TEE is located in the libckteec directory of optee_client and complies with the PKCS #11 Cryptographic Token Interface Base Specification Version 2.40. The source code is located in the src subdirectory. To build your own PKCS #11 application, include the header files from the include subdirectory.
This diagram shows the relationships among the components:
Note
The Jetson Orin series doesn’t have S-EL2 support, so Hafnium (S-EL2) in the preceding diagram applies only to the Jetson AGX Thor series.
You can visit PKCS #11 Driver to learn how to integrate PKCS #11 in Linux user land with OP-TEE.
PKCS #11 TA
The PKCS #11 TA is the trusted application that supports PKCS #11 in OP-TEE. It serves as the backend for libteec, with its specific implementation located in the ta/pkcs directory of optee_os. This is a user TA, implemented and maintained by OP-TEE. The source code is located in the src subdirectory. To call the PKCS #11 TA, you need to include the header files in the include subdirectory.
PKCS #11 Sample CA
For a working example of Cryptoki in action, refer to the PKCS #11 Sample Application located in the app/samples/pkcs11-sample directory. This application primarily demonstrates the usage of C_GenerateKey to generate keys and C_WrapKey to wrap keys and unwrap keys from the wrapped key object.