keychain/ot/OTStates.h

   1 /*
   2  * Copyright (c) 2018 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 #if OCTAGON
  25
  26 #import <Foundation/Foundation.h>
  27 #import "keychain/ckks/CKKSResultOperation.h"
  28 #import "keychain/ot/OctagonStateMachineHelpers.h"
  29
  30 NS_ASSUME_NONNULL_BEGIN
  31
  32 // Two 'bad states':
  33 //   No iCloud Account (the state machine won't help at all)
  34 //   Untrusted (user interaction is required to resolve)
  35 //   WaitForHSA2 (there's some primary icloud account, but it's not HSA2 (yet))
  36 extern OctagonState* const OctagonStateNoAccount;
  37 extern OctagonState* const OctagonStateUntrusted;
  38 extern OctagonState* const OctagonStateWaitForHSA2;
  39
  40 // Entering this state will mark down that the device is untrusted, then go to OctagonStateUntrusted
  41 extern OctagonState* const OctagonStateBecomeUntrusted;
  42
  43 // WaitForUnlock indicates that Octagon is waiting for the device to unlock before attempting the pended operation
  44 extern OctagonState* const OctagonStateWaitForUnlock;
  45
  46 // 'ready' indicates that this machine believes it is trusted by its peers
  47 // and has no pending things to do.
  48 extern OctagonState* const OctagonStateReady;
  49
  50 // This state runs any final preparation to enter the Ready state
  51 extern OctagonState* const OctagonStateBecomeReady;
  52
  53 // Enter this state if you'd like the state machine to double-check everything
  54 extern OctagonState* const OctagonStateEnsureConsistency;
  55 extern OctagonState* const OctagonStateEnsureOctagonKeysAreConsistent;
  56 extern OctagonState* const OctagonStateEnsureUpdatePreapprovals;
  57
  58 // The boot-up sequence looks as follows:
  59 extern OctagonState* const OctagonStateInitializing;
  60 extern OctagonState* const OctagonStateWaitingForCloudKitAccount;
  61 extern OctagonState* const OctagonStateCloudKitNewlyAvailable;
  62 extern OctagonState* const OctagonStateCheckTrustState;
  63
  64 /*Piggybacking and ProximitySetup as Initiator, Octagon only*/
  65 extern OctagonState* const OctagonStateInitiatorAwaitingVoucher;
  66
  67 extern OctagonState* const OctagonStateInitiatorUpdateDeviceList;
  68 extern OctagonState* const OctagonStateInitiatorJoin;
  69 extern OctagonState* const OctagonStateInitiatorJoinCKKSReset;
  70 extern OctagonState* const OctagonStateInitiatorJoinAfterCKKSReset;
  71
  72 extern OctagonState* const OctagonStateInitiatorVouchWithBottle;
  73 extern OctagonState* const OctagonStateIdentityPrepared;
  74 // OctagonStateIdentityPrepared leads directly to
  75 extern OctagonState* const OctagonStateDeviceListUpdated;
  76
  77 /* used for join with bottle */
  78 extern OctagonState* const OctagonStateInitiatorCreateIdentity;
  79
  80 /* used for join with recovery key */
  81 extern OctagonState* const OctagonStateCreateIdentityForRecoveryKey;
  82
  83 /* used for join with recovery key*/
  84 extern OctagonState* const OctagonStateVouchWithRecoveryKey;
  85
  86 // State flow when performing a full account reset
  87 extern OctagonState* const OctagonStateResetBecomeUntrusted;
  88 extern OctagonState* const OctagonStateResetAndEstablish;
  89 extern OctagonState* const OctagonStateResetAnyMissingTLKCKKSViews;
  90 extern OctagonState* const OctagonStateReEnactDeviceList;
  91 extern OctagonState* const OctagonStateReEnactPrepare;
  92 extern OctagonState* const OctagonStateReEnactReadyToEstablish;
  93 // this last state might loop through:
  94 extern OctagonState* const OctagonStateEstablishCKKSReset;
  95 extern OctagonState* const OctagonStateEstablishAfterCKKSReset;
  96
  97 /* used for trust health checks */
  98 extern OctagonState* const OctagonStateHSA2HealthCheck;
  99 extern OctagonState* const OctagonStateSecurityTrustCheck;
 100 extern OctagonState* const OctagonStateTPHTrustCheck;
 101 extern OctagonState* const OctagonStateCuttlefishTrustCheck;
 102 extern OctagonState* const OctagonStatePostRepairCFU;
 103 extern OctagonState* const OctagonStateHealthCheckReset;
 104
 105 // End of account reset state flow
 106
 107 // Part of the signout flow
 108 extern OctagonState* const OctagonStateNoAccountDoReset;
 109 //
 110
 111 // escrow
 112 extern OctagonState* const OctagonStateEscrowTriggerUpdate;
 113
 114 // Enter this state to perform an SOS peer update, and return to ready.
 115 extern OctagonState* const OctagonStateUpdateSOSPreapprovals;
 116
 117 extern OctagonState* const OctagonStateError;
 118 extern OctagonState* const OctagonStateDisabled;
 119
 120 extern OctagonState* const OctagonStateAttemptSOSUpgrade;
 121 extern OctagonState* const OctagonStateSOSUpgradeCKKSReset;
 122 extern OctagonState* const OctagonStateSOSUpgradeAfterCKKSReset;
 123
 124 extern OctagonState* const OctagonStateDetermineiCloudAccountState;
 125
 126 // CKKS sometimes needs an assist. These states are supposed to handle those cases
 127 extern OctagonState* const OctagonStateAssistCKKSTLKUpload;
 128 extern OctagonState* const OctagonStateAssistCKKSTLKUploadCKKSReset;
 129 extern OctagonState* const OctagonStateAssistCKKSTLKUploadAfterCKKSReset;
 130
 131 // Call out to otpaird (KCPairing via IDS), then proceed to BecomeUntrusted
 132 extern OctagonState* const OctagonStateStartCompanionPairing;
 133
 134 // Untrusted cuttlefish notification.
 135 extern OctagonState* const OctagonStateUntrustedUpdated;
 136
 137 // Cuttlefish notifiation while ready.
 138 extern OctagonState* const OctagonStateReadyUpdated;
 139
 140 extern OctagonState* const OctagonStateUnimplemented;
 141
 142 NSDictionary<OctagonState*, NSNumber*>* OctagonStateMap(void);
 143 NSDictionary<NSNumber*, OctagonState*>* OctagonStateInverseMap(void);
 144
 145 // Unfortunately, this set contains the 'wait for hsa2' state, which means that many
 146 // of our state machine RPCs will work in the SA case.
 147 // <rdar://problem/54094162> Octagon: ensure Octagon operations can't occur on SA accounts
 148 NSSet<OctagonState*>* OctagonInAccountStates(void);
 149 NSSet<OctagonState *>* OctagonHealthSourceStates(void);
 150 NSSet<OctagonFlag *>* AllOctagonFlags(void);
 151
 152 ////// State machine flags
 153 extern OctagonFlag* const OctagonFlagIDMSLevelChanged;
 154
 155 extern OctagonFlag* const OctagonFlagEgoPeerPreapproved;
 156
 157 extern OctagonFlag* const OctagonFlagCKKSRequestsTLKUpload;
 158
 159 // We've received a change notification from cuttlefish; we should probably see what's new
 160 extern OctagonFlag* const OctagonFlagCuttlefishNotification NS_SWIFT_NAME(OctagonFlagCuttlefishNotification);
 161
 162
 163 extern OctagonFlag* const OctagonFlagFetchAuthKitMachineIDList;
 164
 165 extern OctagonFlag* const OctagonFlagAccountIsAvailable;
 166
 167 extern OctagonFlag* const OctagonFlagAttemptSOSUpgrade;
 168 extern OctagonFlag* const OctagonFlagUnlocked;
 169
 170 extern OctagonFlag* const OctagonFlagAttemptSOSUpdatePreapprovals;
 171 extern OctagonFlag* const OctagonFlagAttemptSOSConsistency;
 172
 173 extern OctagonFlag* const OctagonFlagEscrowRequestInformCloudServicesOperation;
 174
 175
 176 NS_ASSUME_NONNULL_END
 177
 178 #endif // OCTAGON