Closed sahilnxp closed 2 months ago
etienne-lms
commented
2 months ago Hi Sahil, I think it is perfectly fine to add in the pkcs11 TA new mechanisms introduced in the v3.0 of the spec. We already did that for some EC Edwards curve (key gen + EDDSA), see 03e07432b68f9d78dbad4b9a8af50705948e7893.
sahilnxp
commented
2 months ago Thanks @etienne-lms for this reference. Is there any plan to implement HKDF in PKCS#11 implementation in near future?
etienne-lms
commented
2 months ago None that I'm aware of. Contributions are more than welcome of course.
sahilnxp
commented
2 months ago Thanks @etienne-lms for the information. Yes, we are planning to work on this, may be will have something to post here in coming months.
sahilnxp
commented
2 months ago Hi @etienne-lms
We are actually trying to offload the HKDF operations in TLS1.3 to OP-TEE. In TLS1.3, I checked that there are multiple calls to HKDF-extract and HKDF-expand-label Reference: https://tls13.xargs.org/#server-handshake-keys-calc
But in OP-TEE when we call TEE_DeriveKey() for HKDF algorithm which lands into tee_cryp_hkdf , It will call the HKDF-extract and HKDF-expand both in one call.
I am little confused about this; do we need to expose the calls hkdf_expand() and hkdf_extract() so that these can be called directly ? and if we expose these under which TEE* API it will be called ?
If you have any idea about this, please let me know.
Thanks Sahil
etienne-lms
commented
2 months ago Indeed the GP TEE API does not permit 2 distinctive steps for HKDF Expand-Label and Extract operations.
The PCKS#11 allows to request both operations in a signle call. In this very case, using the GP TEE API could allow the TA to leverage OP-TEE's platform HW assistance (and possibly protection, if any).
If the PKCS#11 client requires only 1 of both operation, I think the pkcs11 could use mbedTLS that, I think, provides the required APIs. An alternative could be (IIUC) to have the TA to perform Extract and Expend-Label operation using GP TEE API HMAC operations.
sahilnxp
commented
2 months ago The PCKS#11 allows to request both operations in a signle call. In this very case, using the GP TEE API could allow the TA to leverage OP-TEE's platform HW assistance (and possibly protection, if any).
Yes, in normal cases of HKDF TEE_DeriveKey() will work fine with HKDF because it needs to perform 2 operations HKDF extract and HKDF expand
If the PKCS#11 client requires only of both o,peration, I think the pkcs11 could use mbedTLS that, I think, provides the required APIs. An alternativte could be (IIUC) to have the TA to perform Extract and Expend-Label operation using GP TEE API HMAC operations.
Can you please give me any reference where mbedtls used directly?
etienne-lms
commented
2 months ago I would rather be in favor of using GP TEE crypto API
You can find the 2 operations as implemented in OP-TEE code in tee_cryp_hkdf.c. These rely on crypto_mac_init()/crypto_mac_update()/crypto_mac_final(). The TA can call them using TEE_MACInit()/TEE_MACUpdate()/TEE_MACComputeFinal().
sahilnxp
commented
2 months ago Yeah, got your point. Thanks a lot @etienne-lms
Hi,
We are working on offloading the HKDF functions to OP-TEE via PKCS#11 implementation, but looks like we don't have the CKM_HKDF_DERIVE mechanism defined in https://github.com/OP-TEE/optee_client/blob/master/libckteec/include/pkcs11.h
After some digging found out that HKDF mechanism is added in PKCS#11 3.0 spec, and OP-TEE is conforming to PKCS#11 2.40 spec. So, is there any plan to upgrade the libckteec to PKCS#11 3.0 spec in near future or is there any way by which we can accommodate HKDF mechanism in current libckteec implementation which is conforming to PKCS#11 2.4 spec?
Regards, Sahil Malhotra
cc: @kshitizvars