Skip to content

Add new PKCS#11 indestructible attribute feature#404

Open
sahesaha wants to merge 1 commit intoOP-TEE:masterfrom
sahesaha:add-new-pkcs11-Indestructible-attribute
Open

Add new PKCS#11 indestructible attribute feature#404
sahesaha wants to merge 1 commit intoOP-TEE:masterfrom
sahesaha:add-new-pkcs11-Indestructible-attribute

Conversation

@sahesaha
Copy link

@sahesaha sahesaha commented Nov 3, 2025

This change defines attributes needed for Indestructible attribute feature.

@sahesaha sahesaha force-pushed the add-new-pkcs11-Indestructible-attribute branch from 83f89d6 to 72f1d94 Compare November 3, 2025 14:21
@github-actions
Copy link

github-actions bot commented Dec 4, 2025

This pull request has been marked as a stale pull request because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this pull request will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.

@github-actions github-actions bot added the Stale label Dec 4, 2025
@sahesaha
Copy link
Author

sahesaha commented Dec 8, 2025

Commenting to keep alive.

@github-actions github-actions bot removed the Stale label Dec 9, 2025
@github-actions
Copy link

github-actions bot commented Jan 8, 2026

This pull request has been marked as a stale pull request because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this pull request will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.

@github-actions github-actions bot added the Stale label Jan 8, 2026
@jenswi-linaro
Copy link
Contributor

jenswi-linaro commented Jan 8, 2026

Ping @etienne-lms

etienne-lms
etienne-lms reviewed Jan 8, 2026
View reviewed changes
Copy link
Contributor

@etienne-lms etienne-lms left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you refine the commit message: prefix the header line + add a small description in the message body? E.g.:

libckteec: Add PKCS#11 vendor specific indestructible attribute

Add CKA_OPTEE_INDESTRUCTIBLE vendor specific attribute ID
for object that should never be destroyed, even on token re-initialization.

Signed-off-by: ...

libckteec/include/pkcs11.h Outdated
#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x0503
#define CKA_ALLOWED_MECHANISMS (0x0600 | CKF_ARRAY_ATTRIBUTE)
/* Vendor Defined Indestructible Attribute */
#define CKA_INDESTRUCTIBLE 0x80000010
Copy link
Contributor

@etienne-lms etienne-lms Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#define CKA_INDESTRUCTIBLE 0x80000010
#define CKA_INDESTRUCTIBLE (0x0010 | CKA_VENDOR_DEFINED)

Also, since it is an OP-TEE specific attribute, I think it should be renamed CKA_OPTEE_INDESTRUCTIBLE.

libckteec/include/pkcs11_ta.h Outdated
Comment on lines 1140 to 1143
/* Vendor extension: reserved for undefined ID (~0U) */
PKCS11_CKA_UNDEFINED_ID = PKCS11_UNDEFINED_ID,
/* Vendor Defined Indestructible Attribute */
PKCS11_CKA_INDESTRUCTIBLE = 0x80000010,
Copy link
Contributor

@etienne-lms etienne-lms Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For consistency, could you keep the IDs sorted by increasing value:

+	/* Vendor Defined Indestructible Attribute */
+	PKCS11_CKA_OPTEE_INDESTRUCTIBLE		= 0x80000010,
	/* Vendor extension: reserved for undefined ID (~0U) */
	PKCS11_CKA_UNDEFINED_ID			= PKCS11_UNDEFINED_ID,

I think it would be nice to introduce also PKCS11_VENDOR_DEFINED (and also PKCS11_CKA_ARRAY_ATTRIBUTE) macros:

	PKCS11_CKA_OPTEE_INDESTRUCTIBLE		= (PKCS11_CKA_VENDOR_DEFINED |
						   0x0010),

@sahesaha sahesaha force-pushed the add-new-pkcs11-Indestructible-attribute branch from 72f1d94 to 8f1a5cf Compare January 8, 2026 10:49
@sahesaha
Copy link
Author

sahesaha commented Jan 8, 2026

@etienne-lms, addressed and changed the macros accordingly the macro added for this requirement in optee_ta to what you suggested there.

@sahesaha sahesaha force-pushed the add-new-pkcs11-Indestructible-attribute branch from 8f1a5cf to 2234a7a Compare January 8, 2026 12:42
@sahesaha
libckteec: Add PKCS#11 vendor specific indestructible attribute
ba80ea5 
Add CKA_OPTEE_INDESTRUCTIBLE vendor specific attribute ID
for object that should never be destroyed, even on token re-initialization.

Reviewed-by: Neeraj Soni <neersoni@qti.qualcomm.com>
Signed-off-by: Saheli Saha <sahesaha@qti.qualcomm.com>
@sahesaha sahesaha force-pushed the add-new-pkcs11-Indestructible-attribute branch from 2234a7a to ba80ea5 Compare January 8, 2026 12:43
@sahesaha
Copy link
Author

sahesaha commented Jan 8, 2026

@etienne-lms, addressed and changed the macros accordingly the macro added for this requirement in optee_ta to what you suggested there.

etienne-lms
etienne-lms reviewed Jan 8, 2026
View reviewed changes
libckteec/include/pkcs11_ta.h
Comment on lines 1140 to +1143
/* Vendor extension: reserved for undefined ID (~0U) */
PKCS11_CKA_UNDEFINED_ID = PKCS11_UNDEFINED_ID,
/* Vendor Defined Indestructible Attribute */
PKCS11_CKA_OPTEE_INDESTRUCTIBLE = 0x80000001,
Copy link
Contributor

@etienne-lms etienne-lms Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you intend with tabulation, and swap the 2 IDs:

Suggested change
/* Vendor extension: reserved for undefined ID (~0U) */
PKCS11_CKA_UNDEFINED_ID = PKCS11_UNDEFINED_ID,
/* Vendor Defined Indestructible Attribute */
PKCS11_CKA_OPTEE_INDESTRUCTIBLE = 0x80000001,
/* Vendor Defined Indestructible Attribute */
PKCS11_CKA_OPTEE_INDESTRUCTIBLE = 0x80000001,
/* Vendor extension: reserved for undefined ID (~0U) */
PKCS11_CKA_UNDEFINED_ID = PKCS11_UNDEFINED_ID,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@etienne-lms etienne-lms etienne-lms left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sahesaha @jenswi-linaro @etienne-lms