TAP layer
The primary layer for NanoTAP is the TAP layer, which resides in the ${MSS_SRC_PKG}/src/crypto/tap folder. The TAP layer is a thin layer of code that provides a set of APIs for application developers to use while being mostly agnostic to the details of an underlying security module. This layer includes a generic set of interfaces or APIs through which applications can communicate with an SMP and is the only layer exposed to the end user.
The south side of TAP includes the interface between NanoTAP and NanoSMP. NanoTAP translates the information provided by the user to the SMP in a manner that is transparent to the end user.
By having two interfaces, applications interface with the various security modules consistently through TAP APIs and the TAP layer ensures that the calls are routed to the appropriate SMP underneath. An SMP may be implemented to interface with a module that is local to the host device and/or to a module that exists on a remote host. The TAP layer is agnostic to a module being local or remote. However, the module is expected to let the TAP layer know (during module initialization) if it supports remote connections. The capabilities required for an SMP to interface with a remote host are described further in this document.
The naming convention that TAP follows is:
Secure element (SE): Refers to a particular type of security module (e.g., TPM2) and its supporting code. It is also referred to as a Security Module Plugin (SMP).
MODULE: Refers to a specific instance of a secure element.
The NanoTAP source code resides in the ${MSS_SRC_PKG}/src/tap directory and contains the modules described in this section.
Code layout
This table lists the files inside the TAP layer:
File | Client/Server | Description |
|---|---|---|
| Client | Defines the NanoTAP APIs, which is the set of functions common to all security modules. |
| Both | Contains definitions, types, and structures needed by TAP and SMP modules. |
| Client | Defines the client-facing TAP definitions, types, and structures. |
| Both | Contains functions common to NanoTAP client and server modules. |
| Both | Contains utility functions common to NanoTAP client and server modules. |
| Both | Contains definitions, types, and structures needed for NanoTAP client-server communication. |
| Both | Contains serialization definitions and functions for structures defined in |
| Both | Contains shadow structure definitions for structures defined in |
| Client | The client-side communication library. It is only included in the client-server build. |
| Both | Code needed to parse out configuration files. In a client-server build, this is needed by the server. In a local-only build, this is used by the TAP client. |
| Server | The NanoTAP server code which runs as a service on the device containing a security module and must not be included in a client-side build. |
| Server | Contains the information needed to establish a connection. This includes the port on which the server listens, as well as SSL certificate and key file paths. There can be only one server configuration file. |
| Client Only needed for a client-server build | Contains the TAP client SSL information needed to establish an SSL connection via mutual authentication with a TAP server. This must be present if mutual authentication is required by the TAP server. |
In addition, all SMPs must provide their own configuration files, or another method for an administrator to provide configuration information. This is left to SMP writers to implement as they prefer. The only TAP requirement is that the SMP provides the information TAP needs when it is requested.
The TAP client provides outward facing high-level APIs, which applications and tools must call, either directly or through the Crypto Interface APIs. These APIs encapsulate functionality common to the various supported security modules, as detailed in the table above, including functions for:
Discovery of providers and modules
TAP context management
Cryptographic operations
Key creation
Sign and verify
Encrypt and decrypt
Obtaining and seeding random numbers
Trusted data
Secure storage
Attestation
Key storage
All SMPs must gracefully handle unsupported commands (for example, by returning an ERR_CMD_NOT_SUPPORTED error).
TAP server
All server code resides here. It includes code to spawn connection threads and handle server and module-specific commands. All communication to the underlying security modules begins here in client-server TAP builds.
The following files make up the primary TAP server:
taps.h/ctap_remote.htap_serialize.h/ctap_serialize_remote.h/c
Each SMP must provide a command dispatcher. All SMP requirements are detailed in the NanoSMP documentation.