[apple/xnu.git] / bsd / sys / cprotect.h

/*
 * Copyright (c) 2009-2014 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

#ifndef _SYS_CPROTECT_H_
#define _SYS_CPROTECT_H_

#ifdef KERNEL_PRIVATE

#include <sys/cdefs.h>
#include <sys/param.h>
#include <sys/buf.h>
#include <sys/kdebug.h>
#include <crypto/aes.h>
#include <stdbool.h>
#include <uuid/uuid.h>

__BEGIN_DECLS

#define CP_CODE(code) FSDBG_CODE(DBG_CONTENT_PROT, code)
/*
 * Class DBG_FSYSTEM == 0x03
 * Subclass DBG_CONTENT_PROT == 0xCF
 * These debug codes are of the form 0x03CFzzzz
 */

enum {
	CPDBG_OFFSET_IO = CP_CODE(0),   /* 0x03CF0000 */
};

/* normally the debug events are no-ops */
#define CP_DEBUG(x, a, b, c, d, e) do {} while (0);

/* dev kernels only! */
#if !SECURE_KERNEL

/* KDEBUG events used by content protection subsystem */
#if 0
#undef CP_DEBUG
#define CP_DEBUG KERNEL_DEBUG_CONSTANT
#endif

#endif

#define CP_MAX_WRAPPEDKEYSIZE     128   /* The size of the largest allowed key */

/* lock events from AppleKeyStore */
enum {
	CP_ACTION_LOCKED        = 0,
	CP_ACTION_UNLOCKED      = 1,
};
/*
 * Ideally, cp_key_store_action_t would be an enum, but we cannot fix
 * that until AppleKeyStore is updated.
 */
typedef int cp_key_store_action_t;

/*
 * It was once the case (and it may still be the case) where the lock
 * state got conflated with the possible actions/events that
 * AppleKeyStore can send.  For that reason, the locked states below
 * should numerically match their corresponding actions above.
 */
typedef unsigned char cp_lock_state_t;
enum {
	CP_LOCKED_STATE         = 0,
	CP_UNLOCKED_STATE       = 1,
};

typedef uint32_t cp_key_class_t;
typedef uint32_t cp_key_os_version_t;
typedef uint16_t cp_key_revision_t;
typedef uint64_t cp_crypto_id_t;

typedef struct cprotect *cprotect_t;
typedef struct cpx *cpx_t;

typedef struct cp_key {
	uint8_t len;
	void *key;
} cp_key_t;

/* Interface to AKS kext */
typedef struct {
	void     *key;
	unsigned key_len;
	void     *iv_key;
	unsigned iv_key_len;
	uint32_t flags;
} cp_raw_key_s;

typedef cp_raw_key_s* cp_raw_key_t;

typedef struct {
	void     *key;
	unsigned key_len;
	cp_key_class_t dp_class;
} cp_wrapped_key_s;

typedef cp_wrapped_key_s* cp_wrapped_key_t;

typedef struct {
	union {
		ino64_t                 inode;
		cp_crypto_id_t  crypto_id;
	};
	uint32_t                        volume;
	pid_t                           pid;
	uid_t                           uid;
	cp_key_revision_t       key_revision;
} cp_cred_s;

typedef cp_cred_s* cp_cred_t;

/* The wrappers are invoked on the AKS kext */
typedef int unwrapper_t(cp_cred_t access, const cp_wrapped_key_t wrapped_key_in, cp_raw_key_t key_out);
typedef int rewrapper_t(cp_cred_t access, cp_key_class_t dp_class, const cp_wrapped_key_t wrapped_key_in, cp_wrapped_key_t wrapped_key_out);
typedef int new_key_t(cp_cred_t access, cp_key_class_t dp_class, cp_raw_key_t key_out, cp_wrapped_key_t wrapped_key_out);
typedef int invalidater_t(cp_cred_t access); /* invalidates keys */
typedef int backup_key_t(cp_cred_t access, const cp_wrapped_key_t wrapped_key_in, cp_wrapped_key_t wrapped_key_out);

/*
 * Flags for Interaction between AKS / Kernel
 * These are twiddled via the input/output structs in the above
 * wrapper/unwrapper functions.
 */
#define CP_RAW_KEY_WRAPPEDKEY   0x00000001

/*
 * Function prototypes for kexts to interface with our internal cprotect
 * fields;  cpx provides opacity and allows us to modify behavior internally
 * without requiring kext changes.
 */
cpx_t cpx_alloc(size_t key_size);
void cpx_init(cpx_t, size_t key_len);
void cpx_free(cpx_t);
void cpx_writeprotect(cpx_t cpx);
__attribute__((const)) size_t cpx_size(size_t key_size);
__attribute__((pure)) bool cpx_is_sep_wrapped_key(const struct cpx *);
void cpx_set_is_sep_wrapped_key(struct cpx *, bool);
__attribute__((pure)) bool cpx_is_composite_key(const struct cpx *);
void cpx_set_is_composite_key(struct cpx *, bool);
__attribute__((pure)) bool cpx_use_offset_for_iv(const struct cpx *);
void cpx_set_use_offset_for_iv(struct cpx *, bool);
__attribute__((pure)) bool cpx_synthetic_offset_for_iv(const struct cpx *);
void cpx_set_synthetic_offset_for_iv(struct cpx *, bool);
__attribute__((pure)) uint16_t cpx_key_len(const struct cpx *);
void cpx_set_key_len(struct cpx *, uint16_t key_len);
__attribute__((pure)) void *cpx_key(const struct cpx *);
aes_encrypt_ctx *cpx_iv_aes_ctx(struct cpx *);
void cpx_flush(cpx_t cpx);
bool cpx_can_copy(const struct cpx *src, const struct cpx *dst);
void cpx_copy(const struct cpx *src, cpx_t dst);
uint16_t cpx_max_key_len(const struct cpx *cpx);
bool cpx_has_key(const struct cpx *cpx);
size_t cpx_sizex(const struct cpx *cpx);
void cpx_set_aes_iv_key(struct cpx *cpx, void *iv_key);

int cp_key_store_action(cp_key_store_action_t);
int cp_key_store_action_for_volume(uuid_t volume_uuid, cp_key_store_action_t action);
cp_key_os_version_t cp_os_version(void);
// Should be cp_key_class_t but HFS has a conflicting definition
int cp_is_valid_class(int isdir, int32_t protectionclass);

__END_DECLS

#endif /* KERNEL_PRIVATE */
#endif /* !_SYS_CPROTECT_H_ */
Commit	Line	Data
d1ecb069	1	/*
fe8ab488	2	* Copyright (c) 2009-2014 Apple Inc. All rights reserved.
d1ecb069 A	3	*
d1ecb069 A	4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
39236c6e	5	*
d1ecb069 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. The rights granted to you under the License
	10	* may not be used to create, or enable the creation or redistribution of,
	11	* unlawful or unlicensed copies of an Apple operating system, or to
	12	* circumvent, violate, or enable the circumvention or violation of, any
	13	* terms of an Apple operating system software license agreement.
39236c6e	14	*
d1ecb069 A	15	* Please obtain a copy of the License at
d1ecb069 A	16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
39236c6e	17	*
d1ecb069 A	18	* The Original Code and all software distributed under the License are
	19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	23	* Please see the License for the specific language governing rights and
	24	* limitations under the License.
39236c6e	25	*
d1ecb069 A	26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
	27	*/
	28
	29	#ifndef _SYS_CPROTECT_H_
0a7de745	30	#define _SYS_CPROTECT_H_
d1ecb069	31
813fb2f6	32	#ifdef KERNEL_PRIVATE
d1ecb069 A	33
d1ecb069 A	34	#include <sys/cdefs.h>
3e170ce0 A	35	#include <sys/param.h>
	36	#include <sys/buf.h>
	37	#include <sys/kdebug.h>
316670eb	38	#include <crypto/aes.h>
3e170ce0	39	#include <stdbool.h>
813fb2f6	40	#include <uuid/uuid.h>
d1ecb069	41
3e170ce0	42	__BEGIN_DECLS
fe8ab488 A	43
fe8ab488 A	44	#define CP_CODE(code) FSDBG_CODE(DBG_CONTENT_PROT, code)
0a7de745	45	/*
fe8ab488 A	46	* Class DBG_FSYSTEM == 0x03
	47	* Subclass DBG_CONTENT_PROT == 0xCF
	48	* These debug codes are of the form 0x03CFzzzz
	49	*/
	50
	51	enum {
0a7de745	52	CPDBG_OFFSET_IO = CP_CODE(0), /* 0x03CF0000 */
fe8ab488 A	53	};
	54
	55	/* normally the debug events are no-ops */
0a7de745	56	#define CP_DEBUG(x, a, b, c, d, e) do {} while (0);
fe8ab488 A	57
fe8ab488 A	58	/* dev kernels only! */
0a7de745	59	#if !SECURE_KERNEL
fe8ab488 A	60
	61	/* KDEBUG events used by content protection subsystem */
	62	#if 0
	63	#undef CP_DEBUG
	64	#define CP_DEBUG KERNEL_DEBUG_CONSTANT
	65	#endif
	66
	67	#endif
	68
0a7de745	69	#define CP_MAX_WRAPPEDKEYSIZE 128 /* The size of the largest allowed key */
d1ecb069	70
6d2010ae	71	/* lock events from AppleKeyStore */
39037602	72	enum {
0a7de745 A	73	CP_ACTION_LOCKED = 0,
0a7de745 A	74	CP_ACTION_UNLOCKED = 1,
39037602 A	75	};
	76	/*
	77	* Ideally, cp_key_store_action_t would be an enum, but we cannot fix
	78	* that until AppleKeyStore is updated.
	79	*/
	80	typedef int cp_key_store_action_t;
d1ecb069	81
39037602 A	82	/*
	83	* It was once the case (and it may still be the case) where the lock
	84	* state got conflated with the possible actions/events that
	85	* AppleKeyStore can send. For that reason, the locked states below
	86	* should numerically match their corresponding actions above.
	87	*/
	88	typedef unsigned char cp_lock_state_t;
	89	enum {
0a7de745 A	90	CP_LOCKED_STATE = 0,
0a7de745 A	91	CP_UNLOCKED_STATE = 1,
39037602 A	92	};
	93
	94	typedef uint32_t cp_key_class_t;
	95	typedef uint32_t cp_key_os_version_t;
	96	typedef uint16_t cp_key_revision_t;
	97	typedef uint64_t cp_crypto_id_t;
d1ecb069	98
d1ecb069	99	typedef struct cprotect *cprotect_t;
3e170ce0	100	typedef struct cpx *cpx_t;
d1ecb069	101
39037602 A	102	typedef struct cp_key {
	103	uint8_t len;
	104	void *key;
	105	} cp_key_t;
	106
	107	/* Interface to AKS kext */
39236c6e A	108	typedef struct {
	109	void *key;
	110	unsigned key_len;
	111	void *iv_key;
	112	unsigned iv_key_len;
	113	uint32_t flags;
fe8ab488 A	114	} cp_raw_key_s;
	115
	116	typedef cp_raw_key_s* cp_raw_key_t;
39236c6e A	117
	118	typedef struct {
	119	void *key;
	120	unsigned key_len;
39037602	121	cp_key_class_t dp_class;
fe8ab488 A	122	} cp_wrapped_key_s;
	123
	124	typedef cp_wrapped_key_s* cp_wrapped_key_t;
39236c6e A	125
39236c6e A	126	typedef struct {
39037602	127	union {
0a7de745 A	128	ino64_t inode;
0a7de745 A	129	cp_crypto_id_t crypto_id;
39037602	130	};
0a7de745 A	131	uint32_t volume;
	132	pid_t pid;
	133	uid_t uid;
	134	cp_key_revision_t key_revision;
fe8ab488 A	135	} cp_cred_s;
	136
	137	typedef cp_cred_s* cp_cred_t;
d1ecb069	138
39236c6e A	139	/* The wrappers are invoked on the AKS kext */
39236c6e A	140	typedef int unwrapper_t(cp_cred_t access, const cp_wrapped_key_t wrapped_key_in, cp_raw_key_t key_out);
39037602 A	141	typedef int rewrapper_t(cp_cred_t access, cp_key_class_t dp_class, const cp_wrapped_key_t wrapped_key_in, cp_wrapped_key_t wrapped_key_out);
39037602 A	142	typedef int new_key_t(cp_cred_t access, cp_key_class_t dp_class, cp_raw_key_t key_out, cp_wrapped_key_t wrapped_key_out);
39236c6e	143	typedef int invalidater_t(cp_cred_t access); /* invalidates keys */
fe8ab488	144	typedef int backup_key_t(cp_cred_t access, const cp_wrapped_key_t wrapped_key_in, cp_wrapped_key_t wrapped_key_out);
39236c6e	145
0a7de745 A	146	/*
0a7de745 A	147	* Flags for Interaction between AKS / Kernel
fe8ab488 A	148	* These are twiddled via the input/output structs in the above
	149	* wrapper/unwrapper functions.
	150	*/
0a7de745	151	#define CP_RAW_KEY_WRAPPEDKEY 0x00000001
fe8ab488	152
39236c6e	153	/*
3e170ce0 A	154	* Function prototypes for kexts to interface with our internal cprotect
	155	* fields; cpx provides opacity and allows us to modify behavior internally
	156	* without requiring kext changes.
6d2010ae	157	*/
3e170ce0	158	cpx_t cpx_alloc(size_t key_size);
39037602	159	void cpx_init(cpx_t, size_t key_len);
3e170ce0	160	void cpx_free(cpx_t);
a39ff7e2	161	void cpx_writeprotect(cpx_t cpx);
3e170ce0 A	162	__attribute__((const)) size_t cpx_size(size_t key_size);
	163	__attribute__((pure)) bool cpx_is_sep_wrapped_key(const struct cpx *);
	164	void cpx_set_is_sep_wrapped_key(struct cpx *, bool);
813fb2f6 A	165	__attribute__((pure)) bool cpx_is_composite_key(const struct cpx *);
813fb2f6 A	166	void cpx_set_is_composite_key(struct cpx *, bool);
3e170ce0 A	167	__attribute__((pure)) bool cpx_use_offset_for_iv(const struct cpx *);
3e170ce0 A	168	void cpx_set_use_offset_for_iv(struct cpx *, bool);
39037602 A	169	__attribute__((pure)) bool cpx_synthetic_offset_for_iv(const struct cpx *);
39037602 A	170	void cpx_set_synthetic_offset_for_iv(struct cpx *, bool);
3e170ce0 A	171	__attribute__((pure)) uint16_t cpx_key_len(const struct cpx *);
	172	void cpx_set_key_len(struct cpx *, uint16_t key_len);
	173	__attribute__((pure)) void cpx_key(const struct cpx );
	174	aes_encrypt_ctx cpx_iv_aes_ctx(struct cpx );
39037602 A	175	void cpx_flush(cpx_t cpx);
	176	bool cpx_can_copy(const struct cpx src, const struct cpx dst);
	177	void cpx_copy(const struct cpx *src, cpx_t dst);
	178	uint16_t cpx_max_key_len(const struct cpx *cpx);
	179	bool cpx_has_key(const struct cpx *cpx);
	180	size_t cpx_sizex(const struct cpx *cpx);
	181	void cpx_set_aes_iv_key(struct cpx cpx, void iv_key);
d1ecb069	182
39037602	183	int cp_key_store_action(cp_key_store_action_t);
813fb2f6	184	int cp_key_store_action_for_volume(uuid_t volume_uuid, cp_key_store_action_t action);
39037602 A	185	cp_key_os_version_t cp_os_version(void);
39037602 A	186	// Should be cp_key_class_t but HFS has a conflicting definition
0a7de745	187	int cp_is_valid_class(int isdir, int32_t protectionclass);
d1ecb069	188
3e170ce0	189	__END_DECLS
d1ecb069	190
3e170ce0	191	#endif /* KERNEL_PRIVATE */
d1ecb069	192	#endif /* !_SYS_CPROTECT_H_ */