1// Copyright (c) 2014 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4// 5// The messages in this file comprise the DBus/Proto interface for 6// Cryptohome where there is an AccountIdentifer argument, an 7// AuthorizationRequest (if needed for the call), and the call's 8// parameters as <Call>Request. 9// 10// 'optional' annotations are used heavily in the RPC definition 11// because the RPC endpoints most properly sanity check the contents 12// for application-specific logic, and the more optional-with-default 13// parameters exist, the less data is actually transferred on the wire 14// in "default" situations. 15 16syntax = "proto2"; 17 18option optimize_for = LITE_RUNTIME; 19 20package cryptohome; 21 22import "key.proto"; 23 24// Error codes do not need to be sequential per-call. 25// Prefixes by Request/Reply type should be used to help 26// callers know if specialized errors apply. 27enum CryptohomeErrorCode { 28 // 0 is the default value of BaseReply::error. It 29 // should never be used. 30 CRYPTOHOME_ERROR_NOT_SET = 0; 31 32 CRYPTOHOME_ERROR_ACCOUNT_NOT_FOUND = 1; 33 CRYPTOHOME_ERROR_AUTHORIZATION_KEY_NOT_FOUND = 2; 34 CRYPTOHOME_ERROR_AUTHORIZATION_KEY_FAILED = 3; 35 CRYPTOHOME_ERROR_NOT_IMPLEMENTED = 4; 36 CRYPTOHOME_ERROR_MOUNT_FATAL = 5; 37 CRYPTOHOME_ERROR_MOUNT_MOUNT_POINT_BUSY = 6; 38 CRYPTOHOME_ERROR_TPM_COMM_ERROR = 7; 39 CRYPTOHOME_ERROR_TPM_DEFEND_LOCK = 8; 40 CRYPTOHOME_ERROR_TPM_NEEDS_REBOOT = 9; 41 CRYPTOHOME_ERROR_AUTHORIZATION_KEY_DENIED = 10; 42 CRYPTOHOME_ERROR_KEY_QUOTA_EXCEEDED = 11; 43 CRYPTOHOME_ERROR_KEY_LABEL_EXISTS = 12; 44 CRYPTOHOME_ERROR_BACKING_STORE_FAILURE = 13; 45 CRYPTOHOME_ERROR_UPDATE_SIGNATURE_INVALID = 14; 46 CRYPTOHOME_ERROR_KEY_NOT_FOUND = 15; 47 CRYPTOHOME_ERROR_LOCKBOX_SIGNATURE_INVALID = 16; 48 CRYPTOHOME_ERROR_LOCKBOX_CANNOT_SIGN = 17; 49 CRYPTOHOME_ERROR_BOOT_ATTRIBUTE_NOT_FOUND = 18; 50 CRYPTOHOME_ERROR_BOOT_ATTRIBUTES_CANNOT_SIGN = 19; 51 CRYPTOHOME_ERROR_TPM_EK_NOT_AVAILABLE = 20; 52 CRYPTOHOME_ERROR_ATTESTATION_NOT_READY = 21; 53 CRYPTOHOME_ERROR_CANNOT_CONNECT_TO_CA = 22; 54 CRYPTOHOME_ERROR_CA_REFUSED_ENROLLMENT = 23; 55 CRYPTOHOME_ERROR_CA_REFUSED_CERTIFICATE = 24; 56 CRYPTOHOME_ERROR_INTERNAL_ATTESTATION_ERROR = 25; 57 CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_INVALID = 26; 58 CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_STORE = 27; 59 CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_REMOVE = 28; 60 CRYPTOHOME_ERROR_MOUNT_OLD_ENCRYPTION = 29; 61 CRYPTOHOME_ERROR_MOUNT_PREVIOUS_MIGRATION_INCOMPLETE = 30; 62 CRYPTOHOME_ERROR_MIGRATE_KEY_FAILED = 31; 63 CRYPTOHOME_ERROR_REMOVE_FAILED = 32; 64} 65 66message AccountIdentifier { 67 // |email| is deprecated. Don't use it. 68 optional string email = 1; 69 70 optional string account_id = 2; 71} 72 73// Parameters for connecting and making requests to a key delegate service. 74// This is currently used for making challenge requests for keys of the 75// |KEY_TYPE_CHALLENGE_RESPONSE| type. 76message KeyDelegate { 77 // D-Bus service name of the key delegate service that exports the key 78 // delegate object. 79 optional string dbus_service_name = 1; 80 // D-Bus object path of the key delegate object that implements the 81 // org.chromium.CryptohomeKeyDelegateInterface interface. 82 optional string dbus_object_path = 2; 83} 84 85message AuthorizationRequest { 86 // |key| must supply at least a |key.secret()|. If no |key.data()| or 87 // |key.data().label()| is supplied, the |key.secret()| will be tested 88 // against all compatible |key.data().type()| keys, where 89 // KEY_TYPE_PASSWORD is the default type. If 90 // |key.data().label()| is supplied, then the |key.secret()| will only be 91 // tested against the matching VaultKeyset. 92 optional Key key = 1; 93 // Describes delegate service that should be used for operations with the 94 // |key| key. 95 // Should be set only for keys with the |KEY_TYPE_CHALLENGE_RESPONSE| type. 96 optional KeyDelegate key_delegate = 2; 97} 98 99// These parameters are for inbound data to Cryptohome RPC 100// interfaces. When calls are added that return data, a 101// <Call>Response should be defined. 102message MountRequest { 103 // Perform an ephemeral mount only. 104 optional bool require_ephemeral = 1 [default=false]; 105 // If defined, the account will be created if it does not exist. 106 // Additionally, a failed AuthorizationRequest will be expected as 107 // there will be no existing keys. 108 optional CreateRequest create = 2; 109 // If set to true, and cryptohomed supports the new "dircrypto" encryption, 110 // forces to use the new encryption. That is, makes it an error to mount 111 // an existing home directory encrypted in the old way (ecryptfs). 112 optional bool force_dircrypto_if_available = 3; 113 // If set to true, mounts the existing ecryptfs vault to a temporary location 114 // while setting up a new dircrypto directory. 115 optional bool to_migrate_from_ecryptfs = 4; 116 // Performs a public mount, which is used for a Kiosk session. Credentials are 117 // not needed in the request; they are synthesized by cryptohomed from id. 118 optional bool public_mount = 5; 119 // If set to true, mounts the vault to a temporary location. The mount is not 120 // exposed to the usual locations (/home/user, /home/root). 121 optional bool hidden_mount = 6; 122} 123 124// A BaseReply type is used for all cryptohomed responses. A shared base class 125// is used because all calls will always reply with no-error or an error value. 126// A centralized definition allows for a reusable reply handler for cases where 127// there is no Request-specific reply data. Any specialized data will live in 128// an extension as per MountReply below: 129// if (reply.HasExtension(MountReply::reply)) { ... } 130// 131message BaseReply { 132 // If a call was successful, error will not be defined (clear_error()). 133 // If a call failed, it must set an error code (set_error(CODE)). 134 // In either case, call-specific data may be added as an extension. 135 optional CryptohomeErrorCode error = 1; 136 137 extensions 1000 to max; 138 // Next ID to use for extensions: 1011 139} 140 141// The MountRequest call may return more than just success or failure 142// so it embeds itself in a BaseReply as an extension. 143message MountReply { 144 extend BaseReply { 145 optional MountReply reply = 1000; 146 } 147 // |recreated| is set when the cryptohome had to be wiped 148 // because the key or data was an unrecoverable. It does not imply 149 // failure to Mount nor is it 'true' when a CreateRequest creates 150 // a cryptohome for the first time. 151 optional bool recreated = 1 [default=false]; 152 // Returns the filesystem-sanitized username. 153 optional string sanitized_username = 2; 154} 155 156message CreateRequest { 157 repeated Key keys = 1; 158 // Explicitly use the |key| from the AuthorizationRequest. 159 // Setting this value means that the KeyData is filled as it 160 // would be with a Key above or in an AddKeyRequest. 161 optional bool copy_authorization_key = 2 [default=false]; 162 // If set to true, always use eCryptfs as the encryption method. 163 optional bool force_ecryptfs = 3 [default=false]; 164 // In the future, this will contain account-wide data like 165 // the deletion priority or the IdP's origin. 166} 167 168message AddKeyRequest { 169 optional Key key = 1; 170 optional bool clobber_if_exists = 2 [default=false]; 171} 172 173message UpdateKeyRequest { 174 optional Key changes = 1; 175 optional bytes authorization_signature = 2; 176} 177 178message CheckKeyRequest { 179} 180 181message RemoveKeyRequest { 182 // Only key.data().label() is used at present. 183 optional Key key = 1; 184} 185 186message SignBootLockboxRequest { 187 // The data to be signed. 188 optional bytes data = 1; 189} 190 191message SignBootLockboxReply { 192 extend BaseReply { 193 optional SignBootLockboxReply reply = 1001; 194 } 195 optional bytes signature = 1; 196} 197 198message VerifyBootLockboxRequest { 199 // The signed data to be verified. 200 optional bytes data = 1; 201 // The signature to be verified. 202 optional bytes signature = 2; 203} 204 205message FinalizeBootLockboxRequest { 206} 207 208message GetKeyDataRequest { 209 // |key| must supply at least one attribute and all others will be treated as 210 // wildcards. Currently only |key.data().label()| may be supplied. Like 211 // AuthorizationRequest, support can be added for queries by 212 // |key.data().type()| to return all keys of a certain class, testing 213 // |key.secret()|, or |key.data().provider_data()| entries. 214 optional Key key = 1; 215} 216 217message GetKeyDataReply { 218 extend BaseReply { 219 optional GetKeyDataReply reply = 1002; 220 } 221 repeated KeyData key_data = 1; 222} 223 224message GetBootAttributeRequest { 225 optional string name = 1; 226} 227 228message GetBootAttributeReply { 229 extend BaseReply { 230 optional GetBootAttributeReply reply = 1003; 231 } 232 optional bytes value = 1; 233} 234 235message SetBootAttributeRequest { 236 optional string name = 1; 237 optional bytes value = 2; 238} 239 240message FlushAndSignBootAttributesRequest { 241} 242 243message ListKeysRequest { 244 // The default behavior is by label so any extension here should honor that. 245} 246 247message ListKeysReply { 248 extend BaseReply { 249 optional ListKeysReply reply = 1004; 250 } 251 repeated string labels = 1; 252} 253 254message GetLoginStatusRequest { 255} 256 257message GetLoginStatusReply { 258 extend BaseReply { 259 optional GetLoginStatusReply reply = 1005; 260 } 261 optional bool owner_user_exists=1; 262 optional bool boot_lockbox_finalized=2; 263} 264 265message GetTpmStatusRequest { 266} 267 268message GetTpmStatusReply { 269 extend BaseReply { 270 optional GetTpmStatusReply reply = 1006; 271 } 272 273 message Identity { 274 // The identity features. 275 optional int32 features = 1; 276 } 277 278 message IdentityCertificate { 279 // The identity that is enrolled. 280 optional int32 identity = 1; 281 // The Privacy CA that the identity is enrolled with. 282 optional int32 aca = 2; 283 } 284 285 // Whether a TPM is enabled on the system. 286 optional bool enabled = 1; 287 // Whether the TPM has been owned. 288 optional bool owned = 2; 289 // Whether the TPM initialization flow has completed. This includes taking 290 // ownership, preparing attestation data, and finalizing lockbox NVRAM. 291 optional bool initialized = 3; 292 // The TPM owner password. This is only available when (owned && 293 // !initialized) and sometimes not even then. 294 optional string owner_password = 4; 295 // Whether attestation data has been prepared. This includes reading the 296 // endorsement certificate out of NVRAM and generating an identity key. This 297 // does not include any kind of enrollment with a Privacy CA. 298 optional bool attestation_prepared = 7; 299 // Whether the device has enrolled with a Privacy CA. This means the identity 300 // key has been successfully certified. 301 optional bool attestation_enrolled = 8; 302 // The current dictionary attack counter value. 303 optional int32 dictionary_attack_counter = 9; 304 // The current dictionary attack counter threshold. 305 optional int32 dictionary_attack_threshold = 10; 306 // Whether the TPM is in some form of dictionary attack lockout. 307 optional bool dictionary_attack_lockout_in_effect = 11; 308 // The number of seconds remaining in the lockout. 309 optional int32 dictionary_attack_lockout_seconds_remaining = 12; 310 // Whether the install lockbox has been finalized. 311 optional bool install_lockbox_finalized = 13; 312 // Whether the boot lockbox has been finalized. 313 optional bool boot_lockbox_finalized = 14; 314 // Whether the current PCR values show a verified boot. 315 optional bool verified_boot_measured = 15; 316 // List of identities and their identity features. 317 repeated Identity identities = 16; 318 // List of identity certificates. 319 map<int32, IdentityCertificate> identity_certificates = 17; 320} 321 322message GetEndorsementInfoRequest { 323} 324 325message GetEndorsementInfoReply { 326 extend BaseReply { 327 optional GetEndorsementInfoReply reply = 1007; 328 } 329 // The endorsement public key (PKCS #1 RSAPublicKey). 330 optional bytes ek_public_key = 1; 331 // The endorsement certificate (X.509). 332 optional bytes ek_certificate = 2; 333} 334 335message InitializeCastKeyRequest { 336} 337 338// Flags for GetFirmwareManagementParametersReply and 339// SetFirmwareManagementParametersRequest 340enum FirmwareManagementParametersFlags { 341 NONE = 0; 342 DEVELOPER_DISABLE_BOOT = 1; 343 DEVELOPER_DISABLE_RECOVERY_INSTALL = 2; 344 DEVELOPER_DISABLE_RECOVERY_ROOTFS = 4; 345 DEVELOPER_ENABLE_USB = 8; 346 DEVELOPER_ENABLE_LEGACY = 16; 347 DEVELOPER_USE_KEY_HASH = 32; 348 DEVELOPER_DISABLE_CASE_CLOSED_DEBUGGING_UNLOCK = 64; 349} 350 351message GetFirmwareManagementParametersRequest { 352} 353 354message GetFirmwareManagementParametersReply { 355 extend BaseReply { 356 optional GetFirmwareManagementParametersReply reply = 1008; 357 } 358 359 // Flags (zero or more from FirmwareManagementParametersFlags) 360 optional int32 flags = 1; 361 optional bytes developer_key_hash = 2; 362} 363 364message SetFirmwareManagementParametersRequest { 365 // Flags (zero or more from FirmwareManagementParametersFlags) 366 optional int32 flags = 1; 367 optional bytes developer_key_hash = 2; 368} 369 370message RemoveFirmwareManagementParametersRequest { 371} 372 373message GetAccountDiskUsageReply { 374 extend BaseReply { 375 optional GetAccountDiskUsageReply reply = 1009; 376 } 377 // The size of cryptohome in bytes. 378 optional int64 size = 1; 379} 380 381// Request parameters for MigrateToDircrypto. 382message MigrateToDircryptoRequest { 383 // Next ID to use: 2 384 385 // If true, only a few paths (specified in cryptohomed) that are necessary for 386 // a working profile will be migrated. Most user data will be wiped. 387 optional bool minimal_migration = 1; 388} 389 390// Request parameters for challenge requests for keys of the 391// |KEY_TYPE_CHALLENGE_RESPONSE| type. 392message KeyChallengeRequest { 393 // Specifies challenge types. 394 enum ChallengeType { 395 // Challenge is a request of a cryptographic signature of the specified data 396 // using the specified key. 397 CHALLENGE_TYPE_SIGNATURE = 1; 398 } 399 // Type of the requested challenge. 400 optional ChallengeType challenge_type = 1; 401 // Is set when |challenge_type| is |CHALLENGE_TYPE_SIGNATURE|. Contains the 402 // challenge request data. 403 optional SignatureKeyChallengeRequestData signature_request_data = 2; 404} 405 406// Request data for challenge requests of the |CHALLENGE_TYPE_SIGNATURE| request 407// type. 408message SignatureKeyChallengeRequestData { 409 // The blob of data for which the signature is asked. 410 optional bytes data_to_sign = 1; 411 // Specifies the key which is asked to sign the data. Contains the DER-encoded 412 // blob of the X.509 Subject Public Key Info. 413 optional bytes public_key_spki_der = 2; 414 // Specifies the signature algorithm that has to be used. 415 optional ChallengeSignatureAlgorithm signature_algorithm = 3; 416} 417 418// Response for challenge requests. 419message KeyChallengeResponse { 420 // Is set for responses to challenge requests of the 421 // |CHALLENGE_TYPE_SIGNATURE| challenge type. Contains the challenge response 422 // data. 423 optional SignatureKeyChallengeResponseData signature_response_data = 1; 424} 425 426// Response data for challenge requests of the |CHALLENGE_TYPE_SIGNATURE| 427// challenge type. 428message SignatureKeyChallengeResponseData { 429 // The signature blob of the requested data. 430 optional bytes signature = 1; 431} 432 433// Request a GetSupportedKeyPoliciesReply from cryptohome. 434message GetSupportedKeyPoliciesRequest { 435} 436 437// Response that informs the caller which KeyPolicy features are supported. 438message GetSupportedKeyPoliciesReply { 439 // Next ID to use: 2 440 441 extend BaseReply { 442 optional GetSupportedKeyPoliciesReply reply = 1010; 443 } 444 445 // Does it support low entropy credentials. 446 optional bool low_entropy_credentials = 1; 447} 448 449message MigrateKeyRequest { 450 optional bytes secret = 1; 451} 452 453// Mount the guest user partition. 454message MountGuestRequest { 455} 456