Home | History | Annotate | Download | only in cryptohome 
      1 // Copyright (c) 2014 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 //
      5 // The messages in this file comprise the DBus/Proto interface for
      6 // Cryptohome where there is an AccountIdentifer argument, an
      7 // AuthorizationRequest (if needed for the call), and the call's
      8 // parameters as <Call>Request.
      9 //
     10 // 'optional' annotations are used heavily in the RPC definition
     11 // because the RPC endpoints most properly sanity check the contents
     12 // for application-specific logic, and the more optional-with-default
     13 // parameters exist, the less data is actually transferred on the wire
     14 // in "default" situations.
     15 
     16 syntax = "proto2";
     17 
     18 option optimize_for = LITE_RUNTIME;
     19 
     20 package cryptohome;
     21 
     22 import "key.proto";
     23 
     24 // Error codes do not need to be sequential per-call.
     25 // Prefixes by Request/Reply type should be used to help
     26 // callers know if specialized errors apply.
     27 enum CryptohomeErrorCode {
     28   // 0 is the default value of BaseReply::error. It
     29   // should never be used.
     30   CRYPTOHOME_ERROR_NOT_SET = 0;
     31 
     32   CRYPTOHOME_ERROR_ACCOUNT_NOT_FOUND = 1;
     33   CRYPTOHOME_ERROR_AUTHORIZATION_KEY_NOT_FOUND = 2;
     34   CRYPTOHOME_ERROR_AUTHORIZATION_KEY_FAILED = 3;
     35   CRYPTOHOME_ERROR_NOT_IMPLEMENTED = 4;
     36   CRYPTOHOME_ERROR_MOUNT_FATAL = 5;
     37   CRYPTOHOME_ERROR_MOUNT_MOUNT_POINT_BUSY = 6;
     38   CRYPTOHOME_ERROR_TPM_COMM_ERROR = 7;
     39   CRYPTOHOME_ERROR_TPM_DEFEND_LOCK = 8;
     40   CRYPTOHOME_ERROR_TPM_NEEDS_REBOOT = 9;
     41   CRYPTOHOME_ERROR_AUTHORIZATION_KEY_DENIED = 10;
     42   CRYPTOHOME_ERROR_KEY_QUOTA_EXCEEDED = 11;
     43   CRYPTOHOME_ERROR_KEY_LABEL_EXISTS = 12;
     44   CRYPTOHOME_ERROR_BACKING_STORE_FAILURE = 13;
     45   CRYPTOHOME_ERROR_UPDATE_SIGNATURE_INVALID = 14;
     46   CRYPTOHOME_ERROR_KEY_NOT_FOUND = 15;
     47   CRYPTOHOME_ERROR_LOCKBOX_SIGNATURE_INVALID = 16;
     48   CRYPTOHOME_ERROR_LOCKBOX_CANNOT_SIGN = 17;
     49   CRYPTOHOME_ERROR_BOOT_ATTRIBUTE_NOT_FOUND = 18;
     50   CRYPTOHOME_ERROR_BOOT_ATTRIBUTES_CANNOT_SIGN = 19;
     51   CRYPTOHOME_ERROR_TPM_EK_NOT_AVAILABLE = 20;
     52   CRYPTOHOME_ERROR_ATTESTATION_NOT_READY = 21;
     53   CRYPTOHOME_ERROR_CANNOT_CONNECT_TO_CA = 22;
     54   CRYPTOHOME_ERROR_CA_REFUSED_ENROLLMENT = 23;
     55   CRYPTOHOME_ERROR_CA_REFUSED_CERTIFICATE = 24;
     56   CRYPTOHOME_ERROR_INTERNAL_ATTESTATION_ERROR = 25;
     57   CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_INVALID = 26;
     58   CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_STORE = 27;
     59   CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_REMOVE = 28;
     60   CRYPTOHOME_ERROR_MOUNT_OLD_ENCRYPTION = 29;
     61   CRYPTOHOME_ERROR_MOUNT_PREVIOUS_MIGRATION_INCOMPLETE = 30;
     62 }
     63 
     64 message AccountIdentifier {
     65   // |email| is deprecated. Don't use it.
     66   optional string email = 1;
     67 
     68   optional string account_id = 2;
     69 }
     70 
     71 message AuthorizationRequest {
     72   // |key| must supply at least a |key.secret()|.  If no |key.data()| or
     73   // |key.data().label()| is supplied, the |key.secret()| will be tested
     74   // against all compatible |key.data().type()| keys, where
     75   // KEY_TYPE_PASSWORD is the default type.  If
     76   // |key.data().label()| is supplied, then the |key.secret()| will only be
     77   // tested against the matching VaultKeyset.
     78   optional Key key = 1;
     79 };
     80 
     81 // These parameters are for inbound data to Cryptohome RPC
     82 // interfaces.  When calls are added that return data, a
     83 // <Call>Response should be defined.
     84 message MountRequest {
     85   // Perform an ephemeral mount only.
     86   optional bool require_ephemeral = 1 [default=false];
     87   // If defined, the account will be created if it does not exist.
     88   // Additionally, a failed AuthorizationRequest will be expected as
     89   // there will be no existing keys.
     90   optional CreateRequest create = 2;
     91   // If set to true, and cryptohomed supports the new "dircrypto" encryption,
     92   // forces to use the new encryption. That is, makes it an error to mount
     93   // an existing home directory encrypted in the old way (ecryptfs).
     94   optional bool force_dircrypto_if_available = 3;
     95   // If set to true, mounts the existing ecryptfs vault to a temporary location
     96   // while setting up a new dircrypto directory.
     97   optional bool to_migrate_from_ecryptfs = 4;
     98   // Performs a public mount, which is used for a Kiosk session. Credentials are
     99   // not needed in the request; they are synthesized by cryptohomed from id.
    100   optional bool public_mount = 5;
    101   // If set to true, mounts the vault to a temporary location. The mount is not
    102   // exposed to the usual locations (/home/user, /home/root).
    103   optional bool hidden_mount = 6;
    104 }
    105 
    106 // A BaseReply type is used for all cryptohomed responses. A shared base class
    107 // is used because all calls will always reply with no-error or an error value.
    108 // A centralized definition allows for a reusable reply handler for cases where
    109 // there is no Request-specific reply data.  Any specialized data will live in
    110 // an extension as per MountReply below:
    111 //   if (reply.HasExtension(MountReply::reply)) { ... }
    112 //
    113 message BaseReply {
    114   // If a call was successful, error will not be defined (clear_error()).
    115   // If a call failed, it must set an error code (set_error(CODE)).
    116   // In either case, call-specific data may be added as an extension.
    117   optional CryptohomeErrorCode error = 1;
    118 
    119   extensions 1000 to max;
    120   // Next ID to use for extensions: 1011
    121 }
    122 
    123 // The MountRequest call may return more than just success or failure
    124 // so it embeds itself in a BaseReply as an extension.
    125 message MountReply {
    126   extend BaseReply {
    127     optional MountReply reply = 1000;
    128   }
    129   // |recreated| is set when the cryptohome had to be wiped
    130   // because the key or data was an unrecoverable.  It does not imply
    131   // failure to Mount nor is it 'true' when a CreateRequest creates
    132   // a cryptohome for the first time.
    133   optional bool recreated = 1 [default=false];
    134   // Returns the filesystem-sanitized username.
    135   optional string sanitized_username = 2;
    136 };
    137 
    138 message CreateRequest {
    139   repeated Key keys = 1;
    140   // Explicitly use the |key| from the AuthorizationRequest.
    141   // Setting this value means that the KeyData is filled as it
    142   // would be with a Key above or in an AddKeyRequest.
    143   optional bool copy_authorization_key = 2 [default=false];
    144   // If set to true, always use eCryptfs as the encryption method.
    145   optional bool force_ecryptfs = 3 [default=false];
    146   // In the future, this will contain account-wide data like
    147   // the deletion priority or the IdP's origin.
    148 }
    149 
    150 message AddKeyRequest {
    151   optional Key key = 1;
    152   optional bool clobber_if_exists = 2 [default=false];
    153 }
    154 
    155 message UpdateKeyRequest {
    156   optional Key changes = 1;
    157   optional bytes authorization_signature = 2;
    158 }
    159 
    160 message CheckKeyRequest {
    161 }
    162 
    163 message RemoveKeyRequest {
    164   // Only key.data().label() is used at present.
    165   optional Key key = 1;
    166 }
    167 
    168 message SignBootLockboxRequest {
    169   // The data to be signed.
    170   optional bytes data = 1;
    171 }
    172 
    173 message SignBootLockboxReply {
    174   extend BaseReply {
    175     optional SignBootLockboxReply reply = 1001;
    176   }
    177   optional bytes signature = 1;
    178 }
    179 
    180 message VerifyBootLockboxRequest {
    181   // The signed data to be verified.
    182   optional bytes data = 1;
    183   // The signature to be verified.
    184   optional bytes signature = 2;
    185 }
    186 
    187 message FinalizeBootLockboxRequest {
    188 }
    189 
    190 message GetKeyDataRequest {
    191   // |key| must supply at least one attribute and all others will be treated as
    192   // wildcards.  Currently only |key.data().label()| may be supplied.  Like
    193   // AuthorizationRequest, support can be added for queries by
    194   // |key.data().type()| to return all keys of a certain class, testing
    195   // |key.secret()|, or |key.data().provider_data()| entries.
    196   optional Key key = 1;
    197 }
    198 
    199 message GetKeyDataReply {
    200   extend BaseReply {
    201     optional GetKeyDataReply reply = 1002;
    202   }
    203   repeated KeyData key_data = 1;
    204 }
    205 
    206 message GetBootAttributeRequest {
    207   optional string name = 1;
    208 }
    209 
    210 message GetBootAttributeReply {
    211   extend BaseReply {
    212     optional GetBootAttributeReply reply = 1003;
    213   }
    214   optional bytes value = 1;
    215 }
    216 
    217 message SetBootAttributeRequest {
    218   optional string name = 1;
    219   optional bytes value = 2;
    220 }
    221 
    222 message FlushAndSignBootAttributesRequest {
    223 }
    224 
    225 message ListKeysRequest {
    226   // The default behavior is by label so any extension here should honor that.
    227 }
    228 
    229 message ListKeysReply {
    230   extend BaseReply {
    231     optional ListKeysReply reply = 1004;
    232   }
    233   repeated string labels = 1;
    234 }
    235 
    236 message GetLoginStatusRequest {
    237 }
    238 
    239 message GetLoginStatusReply {
    240   extend BaseReply {
    241     optional GetLoginStatusReply reply = 1005;
    242   }
    243   optional bool owner_user_exists=1;
    244   optional bool boot_lockbox_finalized=2;
    245 }
    246 
    247 message GetTpmStatusRequest {
    248 }
    249 
    250 message GetTpmStatusReply {
    251   extend BaseReply {
    252     optional GetTpmStatusReply reply = 1006;
    253   }
    254   // Whether a TPM is enabled on the system.
    255   optional bool enabled = 1;
    256   // Whether the TPM has been owned.
    257   optional bool owned = 2;
    258   // Whether the TPM initialization flow has completed. This includes taking
    259   // ownership, preparing attestation data, and finalizing lockbox NVRAM.
    260   optional bool initialized = 3;
    261   // The TPM owner password. This is only available when (owned &&
    262   // !initialized) and sometimes not even then.
    263   optional string owner_password = 4;
    264   // Whether attestation data has been prepared. This includes reading the
    265   // endorsement certificate out of NVRAM and generating an identity key. This
    266   // does not include any kind of enrollment with a Privacy CA.
    267   optional bool attestation_prepared = 7;
    268   // Whether the device has enrolled with a Privacy CA. This means the identity
    269   // key has been successfully certified.
    270   optional bool attestation_enrolled = 8;
    271   // The current dictionary attack counter value.
    272   optional int32 dictionary_attack_counter = 9;
    273   // The current dictionary attack counter threshold.
    274   optional int32 dictionary_attack_threshold = 10;
    275   // Whether the TPM is in some form of dictionary attack lockout.
    276   optional bool dictionary_attack_lockout_in_effect = 11;
    277   // The number of seconds remaining in the lockout.
    278   optional int32 dictionary_attack_lockout_seconds_remaining = 12;
    279   // Whether the install lockbox has been finalized.
    280   optional bool install_lockbox_finalized = 13;
    281   // Whether the boot lockbox has been finalized.
    282   optional bool boot_lockbox_finalized = 14;
    283   // Whether the current PCR values show a verified boot.
    284   optional bool verified_boot_measured = 15;
    285 }
    286 
    287 message GetEndorsementInfoRequest {
    288 }
    289 
    290 message GetEndorsementInfoReply {
    291   extend BaseReply {
    292     optional GetEndorsementInfoReply reply = 1007;
    293   }
    294   // The endorsement public key (PKCS #1 RSAPublicKey).
    295   optional bytes ek_public_key = 1;
    296   // The endorsement certificate (X.509).
    297   optional bytes ek_certificate = 2;
    298 }
    299 
    300 message InitializeCastKeyRequest {
    301 }
    302 
    303 // Flags for GetFirmwareManagementParametersReply and
    304 // SetFirmwareManagementParametersRequest
    305 enum FirmwareManagementParametersFlags {
    306   NONE = 0;
    307   DEVELOPER_DISABLE_BOOT = 1;
    308   DEVELOPER_DISABLE_RECOVERY_INSTALL = 2;
    309   DEVELOPER_DISABLE_RECOVERY_ROOTFS = 4;
    310   DEVELOPER_ENABLE_USB = 8;
    311   DEVELOPER_ENABLE_LEGACY = 16;
    312   DEVELOPER_USE_KEY_HASH = 32;
    313   DEVELOPER_DISABLE_CASE_CLOSED_DEBUGGING_UNLOCK = 64;
    314 }
    315 
    316 message GetFirmwareManagementParametersRequest {
    317 }
    318 
    319 message GetFirmwareManagementParametersReply {
    320   extend BaseReply {
    321     optional GetFirmwareManagementParametersReply reply = 1008;
    322   }
    323 
    324   // Flags (zero or more from FirmwareManagementParametersFlags)
    325   optional int32 flags = 1;
    326   optional bytes developer_key_hash = 2;
    327 }
    328 
    329 message SetFirmwareManagementParametersRequest {
    330   // Flags (zero or more from FirmwareManagementParametersFlags)
    331   optional int32 flags = 1;
    332   optional bytes developer_key_hash = 2;
    333 }
    334 
    335 message RemoveFirmwareManagementParametersRequest {
    336 }
    337 
    338 message GetAccountDiskUsageReply {
    339   extend BaseReply {
    340     optional GetAccountDiskUsageReply reply = 1009;
    341   }
    342   // The size of cryptohome in bytes.
    343   optional int64 size = 1;
    344 }
    345 
    346 // Request parameters for MigrateToDircryptoEx.
    347 // TODO(pmarko): Update comment when MigrateToDircryptoEx gets renamed to
    348 // MigrateToDircrypto: crbug.com/758837.
    349 message MigrateToDircryptoRequest {
    350   // Next ID to use: 2
    351 
    352   // If true, only a few paths (specified in cryptohomed) that are necessary for
    353   // a working profile will be migrated. Most user data will be wiped.
    354   optional bool minimal_migration = 1;
    355 }
    356 
    357 // Request parameters for challenge requests for keys of the
    358 // |KEY_TYPE_CHALLENGE_RESPONSE| type.
    359 message KeyChallengeRequest {
    360   // An opaque identifier of the request. Should be used for sending the
    361   // response back.
    362   optional int64 request_id = 1;
    363   // Specifies challenge types.
    364   enum ChallengeType {
    365     // Challenge is a request of a cryptographic signature of the specified data
    366     // using the specified key.
    367     CHALLENGE_TYPE_SIGNATURE = 1;
    368   }
    369   // Type of the requested challenge.
    370   optional ChallengeType challenge_type = 2;
    371   // Is set when |challenge_type| is |CHALLENGE_TYPE_SIGNATURE|. Contains the
    372   // challenge request data.
    373   optional SignatureKeyChallengeRequestData signature_request_data = 3;
    374 }
    375 
    376 // Request data for challenge requests of the |CHALLENGE_TYPE_SIGNATURE| request
    377 // type.
    378 message SignatureKeyChallengeRequestData {
    379   // The blob of data for which the signature is asked.
    380   optional bytes data_to_sign = 1;
    381   // Specifies the key which is asked to sign the data. Contains the DER-encoded
    382   // blob of the X.509 Subject Public Key Info.
    383   optional bytes public_key_spki_der = 2;
    384   // Specifies the signature algorithm that has to be used.
    385   optional ChallengeSignatureAlgorithm signature_algorithm = 3;
    386 }
    387 
    388 // Response for challenge requests.
    389 message KeyChallengeResponse {
    390   // The request identifier. Should be taken from the |request_id| field of the
    391   // KeyChallengeRequest message.
    392   optional int64 request_id = 1;
    393   // Is set for responses to challenge requests of the
    394   // |CHALLENGE_TYPE_SIGNATURE| challenge type. Contains the challenge
    395   // response data.
    396   optional SignatureKeyChallengeResponseData signature_response_data = 2;
    397 }
    398 
    399 // Response data for challenge requests of the |CHALLENGE_TYPE_SIGNATURE|
    400 // challenge type.
    401 message SignatureKeyChallengeResponseData {
    402   // The signature blob of the requested data.
    403   optional bytes signature = 1;
    404 }
    405 
    406 // Request a GetSupportedKeyPoliciesReply from cryptohome.
    407 message GetSupportedKeyPoliciesRequest {
    408 }
    409 
    410 // Response that informs the caller which KeyPolicy features are supported.
    411 message GetSupportedKeyPoliciesReply {
    412   // Next ID to use: 2
    413 
    414   extend BaseReply {
    415     optional GetSupportedKeyPoliciesReply reply = 1010;
    416   }
    417 
    418   // Does it support low entropy credentials.
    419   optional bool low_entropy_credentials = 1;
    420 }
    421