PKCS#11 – Persistent Client Key Storage Support
The following APIs can operate on the objects in both token (persistent) and session (ephemeral) mode if persistent client key storage within a physical secure SPI-NOR is available.
- C_CopyObject
- C_DestroyObject
- C_SetAttributeValue
- C_GenerateKey
- C_UnwrapKey
- C_WrapKey
- C_DeriveKey
Availability of a functional persistent client key storage can be established by calling C_GetTokenInfo and checking that the field “ulMaxRwSessionCount” is set to 1. A value of 1 means that 1 Read/Write session is possible and therefore secure storage is functional. Conversely, the value CK_UNAVAILABLE_INFORMATION in “ulMaxRwSessionCount” indicates that persistent client key storage is not functional.
The PKCS#11 Library CK_TOKEN_INFO structure contains the following values:
ulMaxRwSessionCount | Maximum number of read/write sessions that can be opened with the token at one time by a single application. | NVIDIA limitation: When client token key storage is supported and set to 1, it means that 1 session is possible and therefore secure storage is functional; otherwise, it will remain as CK_UNAVAILABLE_INFORMATION. |
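The availability check described above, as an added C example (not NVIDIA's code) that refuses to create a token object when secure storage is not functional instead of silently falling back to a session key. The `HAVE_PKCS11_H` macro, the stand-in types, the stubbed `C_GetTokenInfo` and the helper names `probe_key_storage` and `choose_cka_token` are assumptions made so the block builds without the vendor header.

```c
#include <stdio.h>
#ifdef HAVE_PKCS11_H
#include "pkcs11.h"   /* real header: call C_Initialize before probing */
#else
/* Constructed stand-ins so the block builds without the vendor header. */
typedef unsigned long CK_ULONG, CK_RV, CK_SLOT_ID;
typedef unsigned char CK_BBOOL;
#define CK_TRUE 1
#define CK_FALSE 0
#define CKR_OK 0UL
#define CKR_SLOT_ID_INVALID 3UL
#define CK_UNAVAILABLE_INFORMATION (~0UL)
typedef struct { CK_ULONG ulMaxRwSessionCount; } CK_TOKEN_INFO; /* one field only */
/* Constructed stub: slot 0 has working secure storage, slot 1 does not. */
static CK_RV C_GetTokenInfo(CK_SLOT_ID slot, CK_TOKEN_INFO *info) {
    if (slot > 1) return CKR_SLOT_ID_INVALID;
    info->ulMaxRwSessionCount = (slot == 0) ? 1 : CK_UNAVAILABLE_INFORMATION;
    return CKR_OK;
}
#endif

typedef enum { KS_PERSISTENT, KS_SESSION_ONLY, KS_UNKNOWN } key_storage;

/* Map ulMaxRwSessionCount to a storage state, as the page describes. */
static key_storage probe_key_storage(CK_SLOT_ID slot) {
    CK_TOKEN_INFO info;
    if (C_GetTokenInfo(slot, &info) != CKR_OK) return KS_UNKNOWN;
    if (info.ulMaxRwSessionCount == 1) return KS_PERSISTENT;
    if (info.ulMaxRwSessionCount == CK_UNAVAILABLE_INFORMATION) return KS_SESSION_ONLY;
    return KS_UNKNOWN;  /* any other value is not documented on the page */
}

/* Pick the CKA_TOKEN value for a new key. Returns 0 on success, -1 when the
 * caller needs a persistent key but storage is not functional: fail closed
 * rather than silently creating a key that is lost when the session ends. */
static int choose_cka_token(CK_SLOT_ID slot, int need_persistent, CK_BBOOL *token) {
    if (need_persistent && probe_key_storage(slot) != KS_PERSISTENT) return -1;
    *token = need_persistent ? CK_TRUE : CK_FALSE;
    return 0;
}

int main(void) {
    CK_BBOOL t;
    for (CK_SLOT_ID s = 0; s < 3; s++)
        printf("slot %lu: persistent key %s\n", s,
               choose_cka_token(s, 1, &t) == 0 ? "allowed" : "refused");
    return 0;
}
```

The value chosen by `choose_cka_token` is intended for the `CKA_TOKEN` attribute in the template passed to calls such as C_GenerateKey or C_UnwrapKey.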