1 // Copyright (c) 2014 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 // 5 // The messages in this file comprise the DBus/Proto interface for 6 // Cryptohome where there is an AccountIdentifer argument, an 7 // AuthorizationRequest (if needed for the call), and the call's 8 // parameters as <Call>Request. 9 // 10 // 'optional' annotations are used heavily in the RPC definition 11 // because the RPC endpoints most properly sanity check the contents 12 // for application-specific logic, and the more optional-with-default 13 // parameters exist, the less data is actually transferred on the wire 14 // in "default" situations. 15 16 syntax = "proto2"; 17 18 option optimize_for = LITE_RUNTIME; 19 20 package cryptohome; 21 22 import "key.proto"; 23 24 // Error codes do not need to be sequential per-call. 25 // Prefixes by Request/Reply type should be used to help 26 // callers know if specialized errors apply. 27 enum CryptohomeErrorCode { 28 // 0 is the default value of BaseReply::error. It 29 // should never be used. 30 CRYPTOHOME_ERROR_NOT_SET = 0; 31 32 CRYPTOHOME_ERROR_ACCOUNT_NOT_FOUND = 1; 33 CRYPTOHOME_ERROR_AUTHORIZATION_KEY_NOT_FOUND = 2; 34 CRYPTOHOME_ERROR_AUTHORIZATION_KEY_FAILED = 3; 35 CRYPTOHOME_ERROR_NOT_IMPLEMENTED = 4; 36 CRYPTOHOME_ERROR_MOUNT_FATAL = 5; 37 CRYPTOHOME_ERROR_MOUNT_MOUNT_POINT_BUSY = 6; 38 CRYPTOHOME_ERROR_TPM_COMM_ERROR = 7; 39 CRYPTOHOME_ERROR_TPM_DEFEND_LOCK = 8; 40 CRYPTOHOME_ERROR_TPM_NEEDS_REBOOT = 9; 41 CRYPTOHOME_ERROR_AUTHORIZATION_KEY_DENIED = 10; 42 CRYPTOHOME_ERROR_KEY_QUOTA_EXCEEDED = 11; 43 CRYPTOHOME_ERROR_KEY_LABEL_EXISTS = 12; 44 CRYPTOHOME_ERROR_BACKING_STORE_FAILURE = 13; 45 CRYPTOHOME_ERROR_UPDATE_SIGNATURE_INVALID = 14; 46 CRYPTOHOME_ERROR_KEY_NOT_FOUND = 15; 47 CRYPTOHOME_ERROR_LOCKBOX_SIGNATURE_INVALID = 16; 48 CRYPTOHOME_ERROR_LOCKBOX_CANNOT_SIGN = 17; 49 CRYPTOHOME_ERROR_BOOT_ATTRIBUTE_NOT_FOUND = 18; 50 CRYPTOHOME_ERROR_BOOT_ATTRIBUTES_CANNOT_SIGN = 19; 51 CRYPTOHOME_ERROR_TPM_EK_NOT_AVAILABLE = 20; 52 CRYPTOHOME_ERROR_ATTESTATION_NOT_READY = 21; 53 CRYPTOHOME_ERROR_CANNOT_CONNECT_TO_CA = 22; 54 CRYPTOHOME_ERROR_CA_REFUSED_ENROLLMENT = 23; 55 CRYPTOHOME_ERROR_CA_REFUSED_CERTIFICATE = 24; 56 CRYPTOHOME_ERROR_INTERNAL_ATTESTATION_ERROR = 25; 57 CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_INVALID = 26; 58 CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_STORE = 27; 59 CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_REMOVE = 28; 60 CRYPTOHOME_ERROR_MOUNT_OLD_ENCRYPTION = 29; 61 CRYPTOHOME_ERROR_MOUNT_PREVIOUS_MIGRATION_INCOMPLETE = 30; 62 } 63 64 message AccountIdentifier { 65 // |email| is deprecated. Don't use it. 66 optional string email = 1; 67 68 optional string account_id = 2; 69 } 70 71 message AuthorizationRequest { 72 // |key| must supply at least a |key.secret()|. If no |key.data()| or 73 // |key.data().label()| is supplied, the |key.secret()| will be tested 74 // against all compatible |key.data().type()| keys, where 75 // KEY_TYPE_PASSWORD is the default type. If 76 // |key.data().label()| is supplied, then the |key.secret()| will only be 77 // tested against the matching VaultKeyset. 78 optional Key key = 1; 79 }; 80 81 // These parameters are for inbound data to Cryptohome RPC 82 // interfaces. When calls are added that return data, a 83 // <Call>Response should be defined. 84 message MountRequest { 85 // Perform an ephemeral mount only. 86 optional bool require_ephemeral = 1 [default=false]; 87 // If defined, the account will be created if it does not exist. 88 // Additionally, a failed AuthorizationRequest will be expected as 89 // there will be no existing keys. 90 optional CreateRequest create = 2; 91 // If set to true, and cryptohomed supports the new "dircrypto" encryption, 92 // forces to use the new encryption. That is, makes it an error to mount 93 // an existing home directory encrypted in the old way (ecryptfs). 94 optional bool force_dircrypto_if_available = 3; 95 } 96 97 // A BaseReply type is used for all cryptohomed responses. A shared base class 98 // is used because all calls will always reply with no-error or an error value. 99 // A centralized definition allows for a reusable reply handler for cases where 100 // there is no Request-specific reply data. Any specialized data will live in 101 // an extension as per MountReply below: 102 // if (reply.HasExtension(MountReply::reply)) { ... } 103 // 104 message BaseReply { 105 // If a call was successful, error will not be defined (clear_error()). 106 // If a call failed, it must set an error code (set_error(CODE)). 107 // In either case, call-specific data may be added as an extension. 108 optional CryptohomeErrorCode error = 1; 109 110 extensions 1000 to max; 111 } 112 113 // The MountRequest call may return more than just success or failure 114 // so it embeds itself in a BaseReply as an extension. 115 message MountReply { 116 extend BaseReply { 117 optional MountReply reply = 1000; 118 } 119 // |recreated| is set when the cryptohome had to be wiped 120 // because the key or data was an unrecoverable. It does not imply 121 // failure to Mount nor is it 'true' when a CreateRequest creates 122 // a cryptohome for the first time. 123 optional bool recreated = 1 [default=false]; 124 // Returns the filesystem-sanitized username. 125 optional string sanitized_username = 2; 126 }; 127 128 message CreateRequest { 129 repeated Key keys = 1; 130 // Explicitly use the |key| from the AuthorizationRequest. 131 // Setting this value means that the KeyData is filled as it 132 // would be with a Key above or in an AddKeyRequest. 133 optional bool copy_authorization_key = 2 [default=false]; 134 // If set to true, always use eCryptfs as the encryption method. 135 optional bool force_ecryptfs = 3 [default=false]; 136 // In the future, this will contain account-wide data like 137 // the deletion priority or the IdP's origin. 138 } 139 140 message AddKeyRequest { 141 optional Key key = 1; 142 optional bool clobber_if_exists = 2 [default=false]; 143 } 144 145 message UpdateKeyRequest { 146 optional Key changes = 1; 147 optional bytes authorization_signature = 2; 148 } 149 150 message CheckKeyRequest { 151 } 152 153 message RemoveKeyRequest { 154 // Only key.data().label() is used at present. 155 optional Key key = 1; 156 } 157 158 message SignBootLockboxRequest { 159 // The data to be signed. 160 optional bytes data = 1; 161 } 162 163 message SignBootLockboxReply { 164 extend BaseReply { 165 optional SignBootLockboxReply reply = 1001; 166 } 167 optional bytes signature = 1; 168 } 169 170 message VerifyBootLockboxRequest { 171 // The signed data to be verified. 172 optional bytes data = 1; 173 // The signature to be verified. 174 optional bytes signature = 2; 175 } 176 177 message FinalizeBootLockboxRequest { 178 } 179 180 message GetKeyDataRequest { 181 // |key| must supply at least one attribute and all others will be treated as 182 // wildcards. Currently only |key.data().label()| may be supplied. Like 183 // AuthorizationRequest, support can be added for queries by 184 // |key.data().type()| to return all keys of a certain class, testing 185 // |key.secret()|, or |key.data().provider_data()| entries. 186 optional Key key = 1; 187 } 188 189 message GetKeyDataReply { 190 extend BaseReply { 191 optional GetKeyDataReply reply = 1002; 192 } 193 repeated KeyData key_data = 1; 194 } 195 196 message GetBootAttributeRequest { 197 optional string name = 1; 198 } 199 200 message GetBootAttributeReply { 201 extend BaseReply { 202 optional GetBootAttributeReply reply = 1003; 203 } 204 optional bytes value = 1; 205 } 206 207 message SetBootAttributeRequest { 208 optional string name = 1; 209 optional bytes value = 2; 210 } 211 212 message FlushAndSignBootAttributesRequest { 213 } 214 215 message ListKeysRequest { 216 // The default behavior is by label so any extension here should honor that. 217 } 218 219 message ListKeysReply { 220 extend BaseReply { 221 optional ListKeysReply reply = 1004; 222 } 223 repeated string labels = 1; 224 } 225 226 message GetLoginStatusRequest { 227 } 228 229 message GetLoginStatusReply { 230 extend BaseReply { 231 optional GetLoginStatusReply reply = 1005; 232 } 233 optional bool owner_user_exists=1; 234 optional bool boot_lockbox_finalized=2; 235 } 236 237 message GetTpmStatusRequest { 238 } 239 240 message GetTpmStatusReply { 241 extend BaseReply { 242 optional GetTpmStatusReply reply = 1006; 243 } 244 // Whether a TPM is enabled on the system. 245 optional bool enabled = 1; 246 // Whether the TPM has been owned. 247 optional bool owned = 2; 248 // Whether the TPM initialization flow has completed. This includes taking 249 // ownership, preparing attestation data, and finalizing lockbox NVRAM. 250 optional bool initialized = 3; 251 // The TPM owner password. This is only available when (owned && 252 // !initialized) and sometimes not even then. 253 optional string owner_password = 4; 254 // Whether attestation data has been prepared. This includes reading the 255 // endorsement certificate out of NVRAM and generating an identity key. This 256 // does not include any kind of enrollment with a Privacy CA. 257 optional bool attestation_prepared = 7; 258 // Whether the device has enrolled with a Privacy CA. This means the identity 259 // key has been successfully certified. 260 optional bool attestation_enrolled = 8; 261 // The current dictionary attack counter value. 262 optional int32 dictionary_attack_counter = 9; 263 // The current dictionary attack counter threshold. 264 optional int32 dictionary_attack_threshold = 10; 265 // Whether the TPM is in some form of dictionary attack lockout. 266 optional bool dictionary_attack_lockout_in_effect = 11; 267 // The number of seconds remaining in the lockout. 268 optional int32 dictionary_attack_lockout_seconds_remaining = 12; 269 // Whether the install lockbox has been finalized. 270 optional bool install_lockbox_finalized = 13; 271 // Whether the boot lockbox has been finalized. 272 optional bool boot_lockbox_finalized = 14; 273 // Whether the current PCR values show a verified boot. 274 optional bool verified_boot_measured = 15; 275 } 276 277 message GetEndorsementInfoRequest { 278 } 279 280 message GetEndorsementInfoReply { 281 extend BaseReply { 282 optional GetEndorsementInfoReply reply = 1007; 283 } 284 // The endorsement public key (PKCS #1 RSAPublicKey). 285 optional bytes ek_public_key = 1; 286 // The endorsement certificate (X.509). 287 optional bytes ek_certificate = 2; 288 } 289 290 message InitializeCastKeyRequest { 291 } 292 293 // Flags for GetFirmwareManagementParametersReply and 294 // SetFirmwareManagementParametersRequest 295 enum FirmwareManagementParametersFlags { 296 NONE = 0; 297 DEVELOPER_DISABLE_BOOT = 1; 298 DEVELOPER_DISABLE_RECOVERY_INSTALL = 2; 299 DEVELOPER_DISABLE_RECOVERY_ROOTFS = 4; 300 DEVELOPER_ENABLE_USB = 8; 301 DEVELOPER_ENABLE_LEGACY = 16; 302 DEVELOPER_USE_KEY_HASH = 32; 303 DEVELOPER_DISABLE_CASE_CLOSED_DEBUGGING_UNLOCK = 64; 304 } 305 306 message GetFirmwareManagementParametersRequest { 307 } 308 309 message GetFirmwareManagementParametersReply { 310 extend BaseReply { 311 optional GetFirmwareManagementParametersReply reply = 1008; 312 } 313 314 // Flags (zero or more from FirmwareManagementParametersFlags) 315 optional int32 flags = 1; 316 optional bytes developer_key_hash = 2; 317 } 318 319 message SetFirmwareManagementParametersRequest { 320 // Flags (zero or more from FirmwareManagementParametersFlags) 321 optional int32 flags = 1; 322 optional bytes developer_key_hash = 2; 323 } 324 325 message RemoveFirmwareManagementParametersRequest { 326 } 327 328 message GetAccountDiskUsageReply { 329 extend BaseReply { 330 optional GetAccountDiskUsageReply reply = 1009; 331 } 332 // The size of cryptohome in bytes. 333 optional int64 size = 1; 334 } 335
