keychain/ot/OTStates.h

   1 /*
   2  * Copyright (c) 2018 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 #if OCTAGON
  25
  26 #import <Foundation/Foundation.h>
  27 #import "keychain/ckks/CKKSResultOperation.h"
  28 #import "keychain/ot/OctagonStateMachineHelpers.h"
  29
  30 NS_ASSUME_NONNULL_BEGIN
  31
  32 // Two 'bad states':
  33 //   No iCloud Account (the state machine won't help at all)
  34 //   Untrusted (user interaction is required to resolve)
  35 //   WaitForHSA2 (there's some primary icloud account, but it's not HSA2 (yet))
  36 //   WaitForCDP (there's some HSA2 primary icloud account, but it's not CDP-enabled (yet)
  37 extern OctagonState* const OctagonStateNoAccount;
  38 extern OctagonState* const OctagonStateUntrusted;
  39 extern OctagonState* const OctagonStateWaitForHSA2;
  40 extern OctagonState* const OctagonStateWaitForCDP;
  41
  42 // Entering this state will mark down that the device is untrusted, then go to OctagonStateUntrusted
  43 extern OctagonState* const OctagonStateBecomeUntrusted;
  44
  45 // WaitForUnlock indicates that Octagon is waiting for the device to unlock before attempting the pended operation
  46 extern OctagonState* const OctagonStateWaitForUnlock;
  47
  48 // Similar to the above, but we can't even be sure there's an account until the device unlocks for the first time.
  49 extern OctagonState* const OctagonStateWaitForClassCUnlock;
  50
  51 // 'ready' indicates that this machine believes it is trusted by its peers
  52 // and has no pending things to do.
  53 extern OctagonState* const OctagonStateReady;
  54
  55 // This state runs any final preparation to enter the Ready state
  56 extern OctagonState* const OctagonStateBecomeReady;
  57
  58 // BecomeReady might go here, if it's not actually ready
  59 extern OctagonState* const OctagonStateRefetchCKKSPolicy;
  60
  61 // Used in RPCs to set CKKS sync status
  62 extern OctagonState* const OctagonStateEnableUserControllableViews;
  63 extern OctagonState* const OctagonStateDisableUserControllableViews;
  64 extern OctagonState* const OctagonStateSetUserControllableViewsToPeerConsensus;
  65
  66 // Enter this state if you'd like the state machine to double-check everything
  67 extern OctagonState* const OctagonStateEnsureConsistency;
  68 extern OctagonState* const OctagonStateEnsureOctagonKeysAreConsistent;
  69 extern OctagonState* const OctagonStateEnsureUpdatePreapprovals;
  70
  71 // The boot-up sequence looks as follows:
  72 extern OctagonState* const OctagonStateInitializing;
  73 extern OctagonState* const OctagonStateWaitingForCloudKitAccount;
  74 extern OctagonState* const OctagonStateCloudKitNewlyAvailable;
  75 extern OctagonState* const OctagonStateDetermineCDPState;
  76 extern OctagonState* const OctagonStateCheckTrustState;
  77
  78 /*Piggybacking and ProximitySetup as Initiator, Octagon only*/
  79 extern OctagonState* const OctagonStateInitiatorAwaitingVoucher;
  80
  81 extern OctagonState* const OctagonStateInitiatorSetCDPBit;
  82 extern OctagonState* const OctagonStateInitiatorUpdateDeviceList;
  83 extern OctagonState* const OctagonStateInitiatorJoin;
  84 extern OctagonState* const OctagonStateInitiatorJoinCKKSReset;
  85 extern OctagonState* const OctagonStateInitiatorJoinAfterCKKSReset;
  86
  87 extern OctagonState* const OctagonStateBottleJoinVouchWithBottle;
  88 extern OctagonState* const OctagonStateIdentityPrepared;
  89 // OctagonStateIdentityPrepared leads directly to
  90 extern OctagonState* const OctagonStateDeviceListUpdated;
  91
  92 /* used for join with bottle */
  93 extern OctagonState* const OctagonStateBottleJoinCreateIdentity;
  94 extern OctagonState* const OctagonStateBottlePreloadOctagonKeysInSOS;
  95
  96 /* used for join with recovery key */
  97 extern OctagonState* const OctagonStateCreateIdentityForRecoveryKey;
  98
  99 /* used for join with recovery key*/
 100 extern OctagonState* const OctagonStateVouchWithRecoveryKey;
 101
 102 // State flow when performing a full account reset
 103 extern OctagonState* const OctagonStateResetBecomeUntrusted;
 104 extern OctagonState* const OctagonStateResetAndEstablish;
 105 extern OctagonState* const OctagonStateResetAnyMissingTLKCKKSViews;
 106 extern OctagonState* const OctagonStateEstablishEnableCDPBit;
 107 extern OctagonState* const OctagonStateReEnactDeviceList;
 108 extern OctagonState* const OctagonStateReEnactPrepare;
 109 extern OctagonState* const OctagonStateReEnactReadyToEstablish;
 110 // this last state might loop through:
 111 extern OctagonState* const OctagonStateEstablishCKKSReset;
 112 extern OctagonState* const OctagonStateEstablishAfterCKKSReset;
 113
 114 /* used for trust health checks */
 115 extern OctagonState* const OctagonStateHSA2HealthCheck;
 116 extern OctagonState* const OctagonStateCDPHealthCheck;
 117 extern OctagonState* const OctagonStateSecurityTrustCheck;
 118 extern OctagonState* const OctagonStateTPHTrustCheck;
 119 extern OctagonState* const OctagonStateCuttlefishTrustCheck;
 120 extern OctagonState* const OctagonStatePostRepairCFU;
 121 extern OctagonState* const OctagonStateHealthCheckReset;
 122
 123 // End of account reset state flow
 124
 125 //Leave Clique
 126 extern OctagonState* const OctagonStateHealthCheckLeaveClique;
 127
 128 // Part of the signout flow
 129 extern OctagonState* const OctagonStateNoAccountDoReset;
 130 //
 131
 132 // escrow
 133 extern OctagonState* const OctagonStateEscrowTriggerUpdate;
 134
 135 // Enter this state to perform an SOS peer update, and return to ready.
 136 extern OctagonState* const OctagonStateUpdateSOSPreapprovals;
 137
 138 extern OctagonState* const OctagonStateError;
 139 extern OctagonState* const OctagonStateDisabled;
 140
 141 extern OctagonState* const OctagonStateAttemptSOSUpgradeDetermineCDPState;
 142 extern OctagonState* const OctagonStateAttemptSOSUpgrade;
 143 extern OctagonState* const OctagonStateSOSUpgradeCKKSReset;
 144 extern OctagonState* const OctagonStateSOSUpgradeAfterCKKSReset;
 145
 146 extern OctagonState* const OctagonStateDetermineiCloudAccountState;
 147
 148 // CKKS sometimes needs an assist. These states are supposed to handle those cases
 149 extern OctagonState* const OctagonStateAssistCKKSTLKUpload;
 150 extern OctagonState* const OctagonStateAssistCKKSTLKUploadCKKSReset;
 151 extern OctagonState* const OctagonStateAssistCKKSTLKUploadAfterCKKSReset;
 152
 153 // Call out to otpaird (KCPairing via IDS), then proceed to BecomeUntrusted
 154 extern OctagonState* const OctagonStateStartCompanionPairing;
 155
 156 // Cuttlefish notification while waiting for CDP
 157 extern OctagonState* const OctagonStateWaitForCDPUpdated;
 158
 159 // Untrusted cuttlefish notification.
 160 extern OctagonState* const OctagonStateUntrustedUpdated;
 161
 162 // Cuttlefish notifiation while ready.
 163 extern OctagonState* const OctagonStateReadyUpdated;
 164
 165 extern OctagonState* const OctagonStateUnimplemented;
 166
 167 NSDictionary<OctagonState*, NSNumber*>* OctagonStateMap(void);
 168 NSDictionary<NSNumber*, OctagonState*>* OctagonStateInverseMap(void);
 169
 170 // Unfortunately, this set contains the 'wait for hsa2' state, which means that many
 171 // of our state machine RPCs will work in the SA case.
 172 // <rdar://problem/54094162> Octagon: ensure Octagon operations can't occur on SA accounts
 173 NSSet<OctagonState*>* OctagonInAccountStates(void);
 174 NSSet<OctagonState *>* OctagonHealthSourceStates(void);
 175 NSSet<OctagonFlag *>* AllOctagonFlags(void);
 176
 177 ////// State machine flags
 178 extern OctagonFlag* const OctagonFlagIDMSLevelChanged;
 179
 180 extern OctagonFlag* const OctagonFlagEgoPeerPreapproved;
 181
 182 extern OctagonFlag* const OctagonFlagCKKSRequestsTLKUpload;
 183 extern OctagonFlag* const OctagonFlagCKKSRequestsPolicyCheck;
 184
 185 // Set by Octagon when the CKKS view set has changed. Indicates a need to re-tell CKKS if it's trusted or not.
 186 extern OctagonFlag* const OctagonFlagCKKSViewSetChanged;
 187
 188 // We've received a change notification from cuttlefish; we should probably see what's new
 189 extern OctagonFlag* const OctagonFlagCuttlefishNotification NS_SWIFT_NAME(OctagonFlagCuttlefishNotification);
 190
 191
 192 extern OctagonFlag* const OctagonFlagFetchAuthKitMachineIDList;
 193
 194 extern OctagonFlag* const OctagonFlagAccountIsAvailable;
 195 extern OctagonFlag* const OctagonFlagCDPEnabled;
 196
 197 extern OctagonFlag* const OctagonFlagAttemptSOSUpgrade;
 198 extern OctagonFlag* const OctagonFlagUnlocked;
 199
 200 extern OctagonFlag* const OctagonFlagAttemptSOSUpdatePreapprovals;
 201 extern OctagonFlag* const OctagonFlagAttemptSOSConsistency;
 202
 203 extern OctagonFlag* const OctagonFlagEscrowRequestInformCloudServicesOperation;
 204 extern OctagonFlag* const OctagonFlagWarmEscrowRecordCache;
 205
 206 extern OctagonFlag* const OctagonFlagAttemptBottleTLKExtraction;
 207 extern OctagonFlag* const OctagonFlagAttemptRecoveryKeyTLKExtraction;
 208
 209 extern OctagonFlag* const OctagonFlagAttemptUserControllableViewStatusUpgrade;
 210
 211
 212 NS_ASSUME_NONNULL_END
 213
 214 #endif // OCTAGON