keychain/ot/OTStates.h

   1 /*
   2  * Copyright (c) 2018 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 #if OCTAGON
  25
  26 #import <Foundation/Foundation.h>
  27 #import "keychain/ckks/CKKSResultOperation.h"
  28 #import "keychain/ot/OctagonStateMachineHelpers.h"
  29
  30 NS_ASSUME_NONNULL_BEGIN
  31
  32 // Two 'bad states':
  33 //   No iCloud Account (the state machine won't help at all)
  34 //   Untrusted (user interaction is required to resolve)
  35 //   WaitForHSA2 (there's some primary icloud account, but it's not HSA2 (yet))
  36 extern OctagonState* const OctagonStateNoAccount;
  37 extern OctagonState* const OctagonStateUntrusted;
  38 extern OctagonState* const OctagonStateWaitForHSA2;
  39
  40 // Entering this state will mark down that the device is untrusted, then go to OctagonStateUntrusted
  41 extern OctagonState* const OctagonStateBecomeUntrusted;
  42
  43 // WaitForUnlock indicates that Octagon is waiting for the device to unlock before attempting the pended operation
  44 extern OctagonState* const OctagonStateWaitForUnlock;
  45
  46 // 'ready' indicates that this machine believes it is trusted by its peers
  47 // and has no pending things to do.
  48 extern OctagonState* const OctagonStateReady;
  49
  50 // This state runs any final preparation to enter the Ready state
  51 extern OctagonState* const OctagonStateBecomeReady;
  52
  53 // Enter this state if you'd like the state machine to double-check everything
  54 extern OctagonState* const OctagonStateEnsureConsistency;
  55 extern OctagonState* const OctagonStateEnsureOctagonKeysAreConsistent;
  56 extern OctagonState* const OctagonStateEnsureUpdatePreapprovals;
  57
  58 // The boot-up sequence looks as follows:
  59 extern OctagonState* const OctagonStateInitializing;
  60 extern OctagonState* const OctagonStateWaitingForCloudKitAccount;
  61 extern OctagonState* const OctagonStateCloudKitNewlyAvailable;
  62 extern OctagonState* const OctagonStateCheckTrustState;
  63
  64 /*Piggybacking and ProximitySetup as Initiator, Octagon only*/
  65 extern OctagonState* const OctagonStateInitiatorAwaitingVoucher;
  66
  67 extern OctagonState* const OctagonStateInitiatorUpdateDeviceList;
  68 extern OctagonState* const OctagonStateInitiatorJoin;
  69 extern OctagonState* const OctagonStateInitiatorJoinCKKSReset;
  70 extern OctagonState* const OctagonStateInitiatorJoinAfterCKKSReset;
  71
  72 extern OctagonState* const OctagonStateInitiatorVouchWithBottle;
  73 extern OctagonState* const OctagonStateIdentityPrepared;
  74 // OctagonStateIdentityPrepared leads directly to
  75 extern OctagonState* const OctagonStateDeviceListUpdated;
  76
  77 /* used for join with bottle */
  78 extern OctagonState* const OctagonStateInitiatorCreateIdentity;
  79
  80 /* used for join with recovery key */
  81 extern OctagonState* const OctagonStateCreateIdentityForRecoveryKey;
  82
  83 /* used for join with recovery key*/
  84 extern OctagonState* const OctagonStateVouchWithRecoveryKey;
  85
  86 // State flow when performing a full account reset
  87 extern OctagonState* const OctagonStateResetBecomeUntrusted;
  88 extern OctagonState* const OctagonStateResetAndEstablish;
  89 extern OctagonState* const OctagonStateResetAnyMissingTLKCKKSViews;
  90 extern OctagonState* const OctagonStateReEnactDeviceList;
  91 extern OctagonState* const OctagonStateReEnactPrepare;
  92 extern OctagonState* const OctagonStateReEnactReadyToEstablish;
  93 // this last state might loop through:
  94 extern OctagonState* const OctagonStateEstablishCKKSReset;
  95 extern OctagonState* const OctagonStateEstablishAfterCKKSReset;
  96
  97 /* used for trust health checks */
  98 extern OctagonState* const OctagonStateHSA2HealthCheck;
  99 extern OctagonState* const OctagonStateSecurityTrustCheck;
 100 extern OctagonState* const OctagonStateTPHTrustCheck;
 101 extern OctagonState* const OctagonStateCuttlefishTrustCheck;
 102 extern OctagonState* const OctagonStatePostRepairCFU;
 103
 104 // End of account reset state flow
 105
 106 // Part of the signout flow
 107 extern OctagonState* const OctagonStateNoAccountDoReset;
 108 //
 109
 110 // escrow
 111 extern OctagonState* const OctagonStateEscrowTriggerUpdate;
 112
 113 // Enter this state to perform an SOS peer update, and return to ready.
 114 extern OctagonState* const OctagonStateUpdateSOSPreapprovals;
 115
 116 extern OctagonState* const OctagonStateError;
 117 extern OctagonState* const OctagonStateDisabled;
 118
 119 extern OctagonState* const OctagonStateAttemptSOSUpgrade;
 120 extern OctagonState* const OctagonStateSOSUpgradeCKKSReset;
 121 extern OctagonState* const OctagonStateSOSUpgradeAfterCKKSReset;
 122
 123 extern OctagonState* const OctagonStateDetermineiCloudAccountState;
 124
 125 // CKKS sometimes needs an assist. These states are supposed to handle those cases
 126 extern OctagonState* const OctagonStateAssistCKKSTLKUpload;
 127
 128 // Call out to otpaird (KCPairing via IDS), then proceed to BecomeUntrusted
 129 extern OctagonState* const OctagonStateStartCompanionPairing;
 130
 131 // Untrusted cuttlefish notification.
 132 extern OctagonState* const OctagonStateUntrustedUpdated;
 133
 134 // Cuttlefish notifiation while ready.
 135 extern OctagonState* const OctagonStateReadyUpdated;
 136
 137 extern OctagonState* const OctagonStateUnimplemented;
 138
 139 NSDictionary<OctagonState*, NSNumber*>* OctagonStateMap(void);
 140 NSDictionary<NSNumber*, OctagonState*>* OctagonStateInverseMap(void);
 141
 142 // Unfortunately, this set contains the 'wait for hsa2' state, which means that many
 143 // of our state machine RPCs will work in the SA case.
 144 // <rdar://problem/54094162> Octagon: ensure Octagon operations can't occur on SA accounts
 145 NSSet<OctagonState*>* OctagonInAccountStates(void);
 146 NSSet<OctagonState *>* OctagonHealthSourceStates(void);
 147
 148 ////// State machine flags
 149 extern OctagonFlag* const OctagonFlagEgoPeerPreapproved;
 150
 151 extern OctagonFlag* const OctagonFlagCKKSRequestsTLKUpload;
 152
 153 // We've received a change notification from cuttlefish; we should probably see what's new
 154 extern OctagonFlag* const OctagonFlagCuttlefishNotification;
 155
 156 extern OctagonFlag* const OctagonFlagFetchAuthKitMachineIDList;
 157
 158 extern OctagonFlag* const OctagonFlagAccountIsAvailable;
 159
 160 extern OctagonFlag* const OctagonFlagAttemptSOSUpgrade;
 161 extern OctagonFlag* const OctagonFlagUnlocked;
 162
 163 extern OctagonFlag* const OctagonFlagAttemptSOSUpdatePreapprovals;
 164
 165 extern OctagonFlag* const OctagonFlagPerformHealthCheck;
 166
 167 extern OctagonFlag* const OctagonFlagEscrowRequestInformCloudServicesOperation;
 168
 169
 170 NS_ASSUME_NONNULL_END
 171
 172 #endif // OCTAGON