PKCS#11 Interface
The Security Services PKCS#11 library is a user-space library, available to DriveOS applications running on the Guest OS, that provides a subset of the PKCS#11 interface as specified by the PKCS#11 v3.00 specification. In addition, some NVIDIA extensions are included.
It exposes interfaces for cryptographic hardware offload using the Security Engine for typical cryptographic operations such as symmetric-key and asymmetric-key cryptography, message authentication code generation, and pseudorandom number generation.
It also exposes interfaces for key management operations, including key generation, key derivation, and access to the dedicated secure key storage solution.
All cryptographic and key management operations are tightly coupled and securely implemented in SoC hardware and the hardware-backed Trusted Execution Environment.
Note
The PKCS#11 interfaces may be used to provision keys used in the FSI, but using those keys in the FSI requires a different interface. For additional information, see “Functional Safety Island (FSI)” in the NVIDIA DriveOS SDK Developer Guide.
Note
Users of the Security Services PKCS#11 library APIs must ensure that each API is used as specified in its API description and that valid input parameters are passed. They must be familiar with the OASIS PKCS#11 standard, including the OASIS standard user guide, for version 3.0, for all relevant APIs and mechanisms; they must also follow the guidance published by NVIDIA in this guide for the PKCS#11 library before using any PKCS#11 API.
- PKCS#11 – Supported Mechanism – Function Table per Token
- PKCS#11 – Supported APIs
- PKCS#11 – Supported Objects
- PKCS#11 – Persistent Object Secure Storage Support
- PKCS#11 – Supported Attributes
  - Create EC and RSA Public Key Attributes Support
  - Create Secret Key Attributes Support
  - Generate Secret Key Attributes Support
  - Generate Public / Private Key Pair Attributes Support
  - Derive Secret Key Attributes Support
  - Unwrap Key Attributes Support with CKM_NVIDIA_AES_GCM_KEY_UNWRAP
  - Unwrap Secret Key Attributes Support with CKM_AES_CBC
  - Unwrap Private Key Attributes Support with CKM_AES_CBC
  - Copy Key Attributes Support
  - Set Attributes Support
  - Get Attributes Support
  - Create Data Object Attributes Support
  - Copy Data Object Attributes Support
  - Set Data Object Attributes Support
  - Get Data Object Attributes Support
  - Key Exclusive Usage Rules
  - Key Usage Immutability
  - CKA_ID
  - CKA_LABEL
  - Attribute Repeated in Template
  - Surplus Attributes in Template
  - Unwrap Template Not Supported
  - Wrap Template Not Supported
  - Unique ID Not Supported
- PKCS#11 – Sample Application
- PKCS#11 – Implementation Details
  - Slots and Tokens
  - Underlying Resource Limitations
  - Multi-Threaded Application
  - Session Type
  - Active Operation Abandonment
  - Operations That Cannot Be Canceled by C_SessionCancel
  - User Type
  - Read-Only User Authentication
  - Read/Write User Authentication
  - Maximum Input Data Size Limits for AES and Digest Operations
  - Encrypt Input Data Length
  - Decrypt Input Data Length
  - Session Object Limit
  - Cryptoki Function Calls
  - Callback Function Not Supported
  - C_GetInterface Usage to Return Pointer to NV_CK_FUNCTION_LIST
  - Find Objects
  - Deriving Additional Key
  - Derivation From Fuse-based Keys
  - CKM_SP800_108_COUNTER_KDF Input Parameters
  - Secret Key Material Protection
  - Limit AES Block Count within AES-CTR Encryption
  - Added Allowed Function Return Values
  - Symmetric Key Block Mode
  - CMAC Message Length
  - Mutually Exclusive KDF Mechanism Support
  - C_Finalize Prior to SC7 Entry
  - C_WrapKey with CKM_AES_CBC Output IV Handling
  - GCM with Zero-Length Data
  - ECDSA and EDDSA Signature Encoding
  - EDDSAph Message Hash Expectations
  - Exclusive extension CMAC Mechanism Support
  - C_Initialize and C_Finalize are per Application not per Thread
  - C_Finalize When No Other Threads Call PKCS#11 APIs
  - C_Finalize is an INIT/DEINIT Phase API
  - Restrict PKCS#11 Mechanisms