• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1// Copyright (c) 2014 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4//
5// The messages in this file comprise the DBus/Proto interface for
6// Cryptohome where there is an AccountIdentifer argument, an
7// AuthorizationRequest (if needed for the call), and the call's
8// parameters as <Call>Request.
9//
10// 'optional' annotations are used heavily in the RPC definition
11// because the RPC endpoints most properly sanity check the contents
12// for application-specific logic, and the more optional-with-default
13// parameters exist, the less data is actually transferred on the wire
14// in "default" situations.
15
16syntax = "proto2";
17
18option optimize_for = LITE_RUNTIME;
19
20package cryptohome;
21
22import "key.proto";
23
24// Error codes do not need to be sequential per-call.
25// Prefixes by Request/Reply type should be used to help
26// callers know if specialized errors apply.
27enum CryptohomeErrorCode {
28  // 0 is the default value of BaseReply::error. It
29  // should never be used.
30  CRYPTOHOME_ERROR_NOT_SET = 0;
31
32  CRYPTOHOME_ERROR_ACCOUNT_NOT_FOUND = 1;
33  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_NOT_FOUND = 2;
34  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_FAILED = 3;
35  CRYPTOHOME_ERROR_NOT_IMPLEMENTED = 4;
36  CRYPTOHOME_ERROR_MOUNT_FATAL = 5;
37  CRYPTOHOME_ERROR_MOUNT_MOUNT_POINT_BUSY = 6;
38  CRYPTOHOME_ERROR_TPM_COMM_ERROR = 7;
39  CRYPTOHOME_ERROR_TPM_DEFEND_LOCK = 8;
40  CRYPTOHOME_ERROR_TPM_NEEDS_REBOOT = 9;
41  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_DENIED = 10;
42  CRYPTOHOME_ERROR_KEY_QUOTA_EXCEEDED = 11;
43  CRYPTOHOME_ERROR_KEY_LABEL_EXISTS = 12;
44  CRYPTOHOME_ERROR_BACKING_STORE_FAILURE = 13;
45  CRYPTOHOME_ERROR_UPDATE_SIGNATURE_INVALID = 14;
46  CRYPTOHOME_ERROR_KEY_NOT_FOUND = 15;
47  CRYPTOHOME_ERROR_LOCKBOX_SIGNATURE_INVALID = 16;
48  CRYPTOHOME_ERROR_LOCKBOX_CANNOT_SIGN = 17;
49  CRYPTOHOME_ERROR_BOOT_ATTRIBUTE_NOT_FOUND = 18;
50  CRYPTOHOME_ERROR_BOOT_ATTRIBUTES_CANNOT_SIGN = 19;
51  CRYPTOHOME_ERROR_TPM_EK_NOT_AVAILABLE = 20;
52  CRYPTOHOME_ERROR_ATTESTATION_NOT_READY = 21;
53  CRYPTOHOME_ERROR_CANNOT_CONNECT_TO_CA = 22;
54  CRYPTOHOME_ERROR_CA_REFUSED_ENROLLMENT = 23;
55  CRYPTOHOME_ERROR_CA_REFUSED_CERTIFICATE = 24;
56  CRYPTOHOME_ERROR_INTERNAL_ATTESTATION_ERROR = 25;
57  CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_INVALID = 26;
58  CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_STORE = 27;
59  CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_REMOVE = 28;
60  CRYPTOHOME_ERROR_MOUNT_OLD_ENCRYPTION = 29;
61  CRYPTOHOME_ERROR_MOUNT_PREVIOUS_MIGRATION_INCOMPLETE = 30;
62}
63
64message AccountIdentifier {
65  // |email| is deprecated. Don't use it.
66  optional string email = 1;
67
68  optional string account_id = 2;
69}
70
71message AuthorizationRequest {
72  // |key| must supply at least a |key.secret()|.  If no |key.data()| or
73  // |key.data().label()| is supplied, the |key.secret()| will be tested
74  // against all compatible |key.data().type()| keys, where
75  // KEY_TYPE_PASSWORD is the default type.  If
76  // |key.data().label()| is supplied, then the |key.secret()| will only be
77  // tested against the matching VaultKeyset.
78  optional Key key = 1;
79};
80
81// These parameters are for inbound data to Cryptohome RPC
82// interfaces.  When calls are added that return data, a
83// <Call>Response should be defined.
84message MountRequest {
85  // Perform an ephemeral mount only.
86  optional bool require_ephemeral = 1 [default=false];
87  // If defined, the account will be created if it does not exist.
88  // Additionally, a failed AuthorizationRequest will be expected as
89  // there will be no existing keys.
90  optional CreateRequest create = 2;
91  // If set to true, and cryptohomed supports the new "dircrypto" encryption,
92  // forces to use the new encryption. That is, makes it an error to mount
93  // an existing home directory encrypted in the old way (ecryptfs).
94  optional bool force_dircrypto_if_available = 3;
95}
96
97// A BaseReply type is used for all cryptohomed responses. A shared base class
98// is used because all calls will always reply with no-error or an error value.
99// A centralized definition allows for a reusable reply handler for cases where
100// there is no Request-specific reply data.  Any specialized data will live in
101// an extension as per MountReply below:
102//   if (reply.HasExtension(MountReply::reply)) { ... }
103//
104message BaseReply {
105  // If a call was successful, error will not be defined (clear_error()).
106  // If a call failed, it must set an error code (set_error(CODE)).
107  // In either case, call-specific data may be added as an extension.
108  optional CryptohomeErrorCode error = 1;
109
110  extensions 1000 to max;
111}
112
113// The MountRequest call may return more than just success or failure
114// so it embeds itself in a BaseReply as an extension.
115message MountReply {
116  extend BaseReply {
117    optional MountReply reply = 1000;
118  }
119  // |recreated| is set when the cryptohome had to be wiped
120  // because the key or data was an unrecoverable.  It does not imply
121  // failure to Mount nor is it 'true' when a CreateRequest creates
122  // a cryptohome for the first time.
123  optional bool recreated = 1 [default=false];
124  // Returns the filesystem-sanitized username.
125  optional string sanitized_username = 2;
126};
127
128message CreateRequest {
129  repeated Key keys = 1;
130  // Explicitly use the |key| from the AuthorizationRequest.
131  // Setting this value means that the KeyData is filled as it
132  // would be with a Key above or in an AddKeyRequest.
133  optional bool copy_authorization_key = 2 [default=false];
134  // If set to true, always use eCryptfs as the encryption method.
135  optional bool force_ecryptfs = 3 [default=false];
136  // In the future, this will contain account-wide data like
137  // the deletion priority or the IdP's origin.
138}
139
140message AddKeyRequest {
141  optional Key key = 1;
142  optional bool clobber_if_exists = 2 [default=false];
143}
144
145message UpdateKeyRequest {
146  optional Key changes = 1;
147  optional bytes authorization_signature = 2;
148}
149
150message CheckKeyRequest {
151}
152
153message RemoveKeyRequest {
154  // Only key.data().label() is used at present.
155  optional Key key = 1;
156}
157
158message SignBootLockboxRequest {
159  // The data to be signed.
160  optional bytes data = 1;
161}
162
163message SignBootLockboxReply {
164  extend BaseReply {
165    optional SignBootLockboxReply reply = 1001;
166  }
167  optional bytes signature = 1;
168}
169
170message VerifyBootLockboxRequest {
171  // The signed data to be verified.
172  optional bytes data = 1;
173  // The signature to be verified.
174  optional bytes signature = 2;
175}
176
177message FinalizeBootLockboxRequest {
178}
179
180message GetKeyDataRequest {
181  // |key| must supply at least one attribute and all others will be treated as
182  // wildcards.  Currently only |key.data().label()| may be supplied.  Like
183  // AuthorizationRequest, support can be added for queries by
184  // |key.data().type()| to return all keys of a certain class, testing
185  // |key.secret()|, or |key.data().provider_data()| entries.
186  optional Key key = 1;
187}
188
189message GetKeyDataReply {
190  extend BaseReply {
191    optional GetKeyDataReply reply = 1002;
192  }
193  repeated KeyData key_data = 1;
194}
195
196message GetBootAttributeRequest {
197  optional string name = 1;
198}
199
200message GetBootAttributeReply {
201  extend BaseReply {
202    optional GetBootAttributeReply reply = 1003;
203  }
204  optional bytes value = 1;
205}
206
207message SetBootAttributeRequest {
208  optional string name = 1;
209  optional bytes value = 2;
210}
211
212message FlushAndSignBootAttributesRequest {
213}
214
215message ListKeysRequest {
216  // The default behavior is by label so any extension here should honor that.
217}
218
219message ListKeysReply {
220  extend BaseReply {
221    optional ListKeysReply reply = 1004;
222  }
223  repeated string labels = 1;
224}
225
226message GetLoginStatusRequest {
227}
228
229message GetLoginStatusReply {
230  extend BaseReply {
231    optional GetLoginStatusReply reply = 1005;
232  }
233  optional bool owner_user_exists=1;
234  optional bool boot_lockbox_finalized=2;
235}
236
237message GetTpmStatusRequest {
238}
239
240message GetTpmStatusReply {
241  extend BaseReply {
242    optional GetTpmStatusReply reply = 1006;
243  }
244  // Whether a TPM is enabled on the system.
245  optional bool enabled = 1;
246  // Whether the TPM has been owned.
247  optional bool owned = 2;
248  // Whether the TPM initialization flow has completed. This includes taking
249  // ownership, preparing attestation data, and finalizing lockbox NVRAM.
250  optional bool initialized = 3;
251  // The TPM owner password. This is only available when (owned &&
252  // !initialized) and sometimes not even then.
253  optional string owner_password = 4;
254  // Whether attestation data has been prepared. This includes reading the
255  // endorsement certificate out of NVRAM and generating an identity key. This
256  // does not include any kind of enrollment with a Privacy CA.
257  optional bool attestation_prepared = 7;
258  // Whether the device has enrolled with a Privacy CA. This means the identity
259  // key has been successfully certified.
260  optional bool attestation_enrolled = 8;
261  // The current dictionary attack counter value.
262  optional int32 dictionary_attack_counter = 9;
263  // The current dictionary attack counter threshold.
264  optional int32 dictionary_attack_threshold = 10;
265  // Whether the TPM is in some form of dictionary attack lockout.
266  optional bool dictionary_attack_lockout_in_effect = 11;
267  // The number of seconds remaining in the lockout.
268  optional int32 dictionary_attack_lockout_seconds_remaining = 12;
269  // Whether the install lockbox has been finalized.
270  optional bool install_lockbox_finalized = 13;
271  // Whether the boot lockbox has been finalized.
272  optional bool boot_lockbox_finalized = 14;
273  // Whether the current PCR values show a verified boot.
274  optional bool verified_boot_measured = 15;
275}
276
277message GetEndorsementInfoRequest {
278}
279
280message GetEndorsementInfoReply {
281  extend BaseReply {
282    optional GetEndorsementInfoReply reply = 1007;
283  }
284  // The endorsement public key (PKCS #1 RSAPublicKey).
285  optional bytes ek_public_key = 1;
286  // The endorsement certificate (X.509).
287  optional bytes ek_certificate = 2;
288}
289
290message InitializeCastKeyRequest {
291}
292
293// Flags for GetFirmwareManagementParametersReply and
294// SetFirmwareManagementParametersRequest
295enum FirmwareManagementParametersFlags {
296  NONE = 0;
297  DEVELOPER_DISABLE_BOOT = 1;
298  DEVELOPER_DISABLE_RECOVERY_INSTALL = 2;
299  DEVELOPER_DISABLE_RECOVERY_ROOTFS = 4;
300  DEVELOPER_ENABLE_USB = 8;
301  DEVELOPER_ENABLE_LEGACY = 16;
302  DEVELOPER_USE_KEY_HASH = 32;
303  DEVELOPER_DISABLE_CASE_CLOSED_DEBUGGING_UNLOCK = 64;
304}
305
306message GetFirmwareManagementParametersRequest {
307}
308
309message GetFirmwareManagementParametersReply {
310  extend BaseReply {
311    optional GetFirmwareManagementParametersReply reply = 1008;
312  }
313
314  // Flags (zero or more from FirmwareManagementParametersFlags)
315  optional int32 flags = 1;
316  optional bytes developer_key_hash = 2;
317}
318
319message SetFirmwareManagementParametersRequest {
320  // Flags (zero or more from FirmwareManagementParametersFlags)
321  optional int32 flags = 1;
322  optional bytes developer_key_hash = 2;
323}
324
325message RemoveFirmwareManagementParametersRequest {
326}
327
328message GetAccountDiskUsageReply {
329  extend BaseReply {
330    optional GetAccountDiskUsageReply reply = 1009;
331  }
332  // The size of cryptohome in bytes.
333  optional int64 size = 1;
334}
335