Home | History | Annotate | Download | only in trunks 
      1 //
      2 // Copyright (C) 2015 The Android Open Source Project
      3 //
      4 // Licensed under the Apache License, Version 2.0 (the "License");
      5 // you may not use this file except in compliance with the License.
      6 // You may obtain a copy of the License at
      7 //
      8 //      http://www.apache.org/licenses/LICENSE-2.0
      9 //
     10 // Unless required by applicable law or agreed to in writing, software
     11 // distributed under the License is distributed on an "AS IS" BASIS,
     12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13 // See the License for the specific language governing permissions and
     14 // limitations under the License.
     15 //
     16 
     17 #ifndef TRUNKS_RESOURCE_MANAGER_H_
     18 #define TRUNKS_RESOURCE_MANAGER_H_
     19 
     20 #include "trunks/command_transceiver.h"
     21 
     22 #include <map>
     23 #include <set>
     24 #include <string>
     25 #include <vector>
     26 
     27 #include <base/location.h>
     28 #include <base/macros.h>
     29 #include <base/time/time.h>
     30 
     31 #include "trunks/tpm_generated.h"
     32 #include "trunks/trunks_factory.h"
     33 
     34 namespace trunks {
     35 
     36 // The ResourceManager class manages access to limited TPM resources.
     37 //
     38 // It is reactive to and synchronous with active TPM commands, it does not
     39 // perform any background processing. It needs to inspect every TPM command and
     40 // reply. It maintains all actual TPM handles and provides its own handles to
     41 // callers. If a command fails because a resource is not available the resource
     42 // manager will perform the necessary evictions and run the command again. If a
     43 // command needs an object that has been evicted, that object will be loaded
     44 // before the command is sent to the TPM.
     45 //
     46 // In terms of interface the ResourceManager is simply a CommandTranceiver but
     47 // with the limitation that all calls are synchronous. The SendCommand method
     48 // is supported but does not return until the callback has been called. Keeping
     49 // ResourceManager synchronous simplifies the code and improves readability.
     50 // This class works well with a BackgroundCommandTransceiver.
     51 class ResourceManager : public CommandTransceiver {
     52  public:
     53   // The given |factory| will be used to create objects so mocks can be easily
     54   // injected. This class retains a reference to the factory; the factory must
     55   // remain valid for the duration of the ResourceManager lifetime. The
     56   // |next_transceiver| will be used to forward commands to the TPM, this class
     57   // does NOT take ownership of the pointer.
     58   ResourceManager(const TrunksFactory& factory,
     59                   CommandTransceiver* next_transceiver);
     60   ~ResourceManager() override;
     61 
     62   void Initialize();
     63 
     64   // CommandTransceiver methods.
     65   void SendCommand(const std::string& command,
     66                    const ResponseCallback& callback) override;
     67 
     68   std::string SendCommandAndWait(const std::string& command) override;
     69 
     70  private:
     71   struct MessageInfo {
     72     bool has_sessions;
     73     TPM_CC code;  // For a response message this is the TPM_RC response code.
     74     std::vector<TPM_HANDLE> handles;
     75     std::vector<TPM_HANDLE> session_handles;
     76     std::vector<bool> session_continued;
     77     std::string parameter_data;
     78   };
     79 
     80   struct HandleInfo {
     81     HandleInfo();
     82     // Initializes info for a loaded handle.
     83     void Init(TPM_HANDLE handle);
     84 
     85     bool is_loaded;
     86     // Valid only if |is_loaded| is true.
     87     TPM_HANDLE tpm_handle;
     88     // Valid only if |is_loaded| is false.
     89     TPMS_CONTEXT context;
     90     // Time when the handle is create.
     91     base::TimeTicks time_of_create;
     92     // Time when the handle was last used.
     93     base::TimeTicks time_of_last_use;
     94   };
     95 
     96   // Chooses an appropriate session for eviction (or flush) which is not one of
     97   // |sessions_to_retain| and assigns it to |session_to_evict|. Returns true on
     98   // success.
     99   bool ChooseSessionToEvict(const std::vector<TPM_HANDLE>& sessions_to_retain,
    100                             TPM_HANDLE* session_to_evict);
    101 
    102   // Cleans up all references to and information about |flushed_handle|.
    103   void CleanupFlushedHandle(TPM_HANDLE flushed_handle);
    104 
    105   // Creates a new virtual object handle. If the handle space is exhausted a
    106   // valid handle is flushed and re-used.
    107   TPM_HANDLE CreateVirtualHandle();
    108 
    109   // Given a session handle, ensures the session is loaded in the TPM.
    110   TPM_RC EnsureSessionIsLoaded(const MessageInfo& command_info,
    111                                TPM_HANDLE session_handle);
    112 
    113   // Evicts all loaded objects except those required by |command_info|. The
    114   // eviction is best effort; any errors will be ignored.
    115   void EvictObjects(const MessageInfo& command_info);
    116 
    117   // Evicts a session other than those required by |command_info|. The eviction
    118   // is best effort; any errors will be ignored.
    119   void EvictSession(const MessageInfo& command_info);
    120 
    121   // Returns a list of handles parsed from a given |buffer|. No more than
    122   // |number_of_handles| will be parsed.
    123   std::vector<TPM_HANDLE> ExtractHandlesFromBuffer(size_t number_of_handles,
    124                                                    std::string* buffer);
    125 
    126   // A context gap may occur when context counters for active sessions drift too
    127   // far apart for the TPM to manage. Basically, the TPM needs to reassign new
    128   // counters to saved sessions. See the TPM Library Specification Part 1
    129   // Section 30.5 Session Context Management for details.
    130   void FixContextGap(const MessageInfo& command_info);
    131 
    132   // Performs best-effort handling of actionable warnings. The |command_info|
    133   // must correspond with the current command being processed by the resource
    134   // manager. Returns true only if |result| represents an actionable warning and
    135   // it has been handled.
    136   bool FixWarnings(const MessageInfo& command_info, TPM_RC result);
    137 
    138   // Flushes a session other than those required by |command_info|. The flush is
    139   // best effort; any errors will be ignored.
    140   void FlushSession(const MessageInfo& command_info);
    141 
    142   // When a caller saves context, the resource manager retains that context and
    143   // possible trades it for new context data to fix a context gap (see
    144   // FixContextGap). So when the caller wants to load the original context again
    145   // it needs to be swapped with the latest actual context maintained by the
    146   // resource manager. This method finds the correct TPM context for a given
    147   // |external_context| previously returned to the caller. If not found,
    148   // |external_context| is returned.
    149   std::string GetActualContextFromExternalContext(
    150       const std::string& external_context);
    151 
    152   // Returns true iff |handle| is a transient object handle.
    153   bool IsObjectHandle(TPM_HANDLE handle) const;
    154 
    155   // Returns true iff |handle| is a session handle.
    156   bool IsSessionHandle(TPM_HANDLE handle) const;
    157 
    158   // Loads the context for a session or object handle. On success returns
    159   // TPM_RC_SUCCESS and ensures |handle_info| holds a valid handle (and invalid
    160   // context data).
    161   TPM_RC LoadContext(const MessageInfo& command_info, HandleInfo* handle_info);
    162 
    163   // Returns a resource manager error code given a particular |tpm_error| and
    164   // logs the occurrence of the error.
    165   TPM_RC MakeError(TPM_RC tpm_error,
    166                    const ::tracked_objects::Location& location);
    167 
    168   // Parses a |command|, sanity checking its format and extracting
    169   // |message_info| on success. Returns TPM_RC_SUCCESS on success.
    170   TPM_RC ParseCommand(const std::string& command, MessageInfo* message_info);
    171 
    172   // Parses a |response| to a command associated with |command_info|. The
    173   // response is sanity checked and |response_info| is extracted. Returns
    174   // TPM_RC_SUCCESS on success.
    175   TPM_RC ParseResponse(const MessageInfo& command_info,
    176                        const std::string& response,
    177                        MessageInfo* response_info);
    178 
    179   // Performs processing after a successful external ContextSave operation.
    180   // A subsequent call to GetActualContextFromExternalContext will succeed for
    181   // the context.
    182   void ProcessExternalContextSave(const MessageInfo& command_info,
    183                                   const MessageInfo& response_info);
    184 
    185   // Process an external flush context |command|.
    186   std::string ProcessFlushContext(const std::string& command,
    187                                   const MessageInfo& command_info);
    188 
    189   // Given a |virtual_handle| created by this resource manager, finds the
    190   // associated TPM |actual_handle|, restoring the object if necessary. The
    191   // current |command_info| must be provided. If |virtual_handle| is not an
    192   // object handle, then |actual_handle| is set to |virtual_handle|. Returns
    193   // TPM_RC_SUCCESS on success.
    194   TPM_RC ProcessInputHandle(const MessageInfo& command_info,
    195                             TPM_HANDLE virtual_handle,
    196                             TPM_HANDLE* actual_handle);
    197 
    198   // Given a TPM object handle, returns an associated virtual handle, generating
    199   // a new one if necessary.
    200   TPM_HANDLE ProcessOutputHandle(TPM_HANDLE object_handle);
    201 
    202   // Replaces all handles in a given |message| with |new_handles| and returns
    203   // the resulting modified message. The modified message is guaranteed to have
    204   // the same length as the input message.
    205   std::string ReplaceHandles(const std::string& message,
    206                              const std::vector<TPM_HANDLE>& new_handles);
    207 
    208   // Saves the context for a session or object handle. On success returns
    209   // TPM_RC_SUCCESS and ensures |handle_info| holds valid context data.
    210   TPM_RC SaveContext(const MessageInfo& command_info, HandleInfo* handle_info);
    211 
    212   const TrunksFactory& factory_;
    213   CommandTransceiver* next_transceiver_ = nullptr;
    214   TPM_HANDLE next_virtual_handle_ = TRANSIENT_FIRST;
    215 
    216   // A mapping of known virtual handles to corresponding HandleInfo.
    217   std::map<TPM_HANDLE, HandleInfo> virtual_object_handles_;
    218   // A mapping of loaded tpm object handles to the corresponding virtual handle.
    219   std::map<TPM_HANDLE, TPM_HANDLE> tpm_object_handles_;
    220   // A mapping of known session handles to corresponding HandleInfo.
    221   std::map<TPM_HANDLE, HandleInfo> session_handles_;
    222   // A mapping of external context blobs to current context blobs.
    223   std::map<std::string, std::string> external_context_to_actual_;
    224   // A mapping of actual context blobs to external context blobs.
    225   std::map<std::string, std::string> actual_context_to_external_;
    226 
    227   // The set of warnings already handled in the context of a FixWarnings() call.
    228   // Tracking this allows us to avoid re-entrance.
    229   std::set<TPM_RC> warnings_already_seen_;
    230   // Whether a FixWarnings() call is currently executing.
    231   bool fixing_warnings_ = false;
    232 
    233   DISALLOW_COPY_AND_ASSIGN(ResourceManager);
    234 };
    235 
    236 }  // namespace trunks
    237 
    238 #endif  // TRUNKS_RESOURCE_MANAGER_H_
    239