git.saurik.com Git - apple/xnu.git/blame_incremental

... / ...

Commit	Line	Data
	1	/*
	2	* Copyright (c) 2015-2018 Apple Inc. All rights reserved.
	3	*
	4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. The rights granted to you under the License
	10	* may not be used to create, or enable the creation or redistribution of,
	11	* unlawful or unlicensed copies of an Apple operating system, or to
	12	* circumvent, violate, or enable the circumvention or violation of, any
	13	* terms of an Apple operating system software license agreement.
	14	*
	15	* Please obtain a copy of the License at
	16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
	17	*
	18	* The Original Code and all software distributed under the License are
	19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	23	* Please see the License for the specific language governing rights and
	24	* limitations under the License.
	25	*
	26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
	27	*/
	28
	29	#include <sys/cprotect.h>
	30	#include <sys/malloc.h>
	31	#include <sys/mount_internal.h>
	32	#include <sys/filio.h>
	33	#include <sys/content_protection.h>
	34	#include <libkern/crypto/sha1.h>
	35	#include <libkern/libkern.h>
	36	//for write protection
	37	#include <vm/vm_kern.h>
	38	#include <vm/vm_map.h>
	39
	40	#define PTR_ADD(type, base, offset) (type)((uintptr_t)(base) + (offset))
	41
	42	// -- struct cpx --
	43
	44	/*
	45	* This structure contains the unwrapped key and is passed to the lower layers.
	46	* It is private so users must use the accessors declared in sys/cprotect.h
	47	* to read/write it.
	48	*/
	49
	50	// cpx_flags defined in cprotect.h
	51	enum {
	52	CPX_SEP_WRAPPEDKEY = 0x01,
	53	CPX_IV_AES_CTX_INITIALIZED = 0x02,
	54	CPX_USE_OFFSET_FOR_IV = 0x04,
	55
	56	// Using AES IV context generated from key
	57	CPX_IV_AES_CTX_VFS = 0x08,
	58	CPX_SYNTHETIC_OFFSET_FOR_IV = 0x10,
	59	CPX_COMPOSITEKEY = 0x20,
	60
	61	//write page protection
	62	CPX_WRITE_PROTECTABLE = 0x40
	63	};
	64
	65	/*
	66	* variable-length CPX structure. See fixed-length variant in cprotect.h
	67	*/
	68	struct cpx {
	69	#if DEBUG
	70	uint32_t cpx_magic1;
	71	#endif
	72	aes_encrypt_ctx *cpx_iv_aes_ctx_ptr;// Pointer to context used for generating the IV
	73	cpx_flags_t cpx_flags;
	74	uint16_t cpx_max_key_len;
	75	uint16_t cpx_key_len;
	76	//fixed length up to here. cpx_cached_key is variable-length
	77	uint8_t cpx_cached_key[];
	78	};
	79
	80	/* Allows us to switch between CPX types */
	81	typedef union cpxunion {
	82	struct cpx cpx_var;
	83	fcpx_t cpx_fixed;
	84	} cpxunion_t;
	85
	86	ZONE_DECLARE(cpx_zone, "cpx",
	87	sizeof(struct fcpx), ZC_ZFREE_CLEARMEM);
	88	ZONE_DECLARE(aes_ctz_zone, "AES ctx",
	89	sizeof(aes_encrypt_ctx), ZC_ZFREE_CLEARMEM \| ZC_NOENCRYPT);
	90
	91	// Note: see struct fcpx defined in sys/cprotect.h
	92
	93	// -- cpx_t accessors --
	94
	95	size_t
	96	cpx_size(size_t key_len)
	97	{
	98	// This should pick up the 'magic' word in DEBUG for free.
	99	size_t size = sizeof(struct cpx) + key_len;
	100
	101	return size;
	102	}
	103
	104	size_t
	105	cpx_sizex(const struct cpx *cpx)
	106	{
	107	return cpx_size(cpx->cpx_max_key_len);
	108	}
	109
	110	cpx_t
	111	cpx_alloc(size_t key_len, bool needs_ctx)
	112	{
	113	cpx_t cpx = NULL;
	114
	115	#if CONFIG_KEYPAGE_WP
	116	/*
	117	* Macs only use 1 key per volume, so force it into its own page.
	118	* This way, we can write-protect as needed.
	119	*/
	120	size_t cpsize = cpx_size(key_len);
	121
	122	// silence warning for needs_ctx
	123	(void) needs_ctx;
	124
	125	if (cpsize < PAGE_SIZE) {
	126	/*
	127	* Don't use MALLOC to allocate the page-sized structure. Instead,
	128	* use kmem_alloc to bypass KASAN since we are supplying our own
	129	* unilateral write protection on this page. Note that kmem_alloc
	130	* can block.
	131	*/
	132	if (kmem_alloc(kernel_map, (vm_offset_t *)&cpx, PAGE_SIZE, VM_KERN_MEMORY_FILE)) {
	133	/*
	134	* returning NULL at this point (due to failed allocation) would just
	135	* result in a panic. fall back to attempting a normal MALLOC, and don't
	136	* let the cpx get marked PROTECTABLE.
	137	*/
	138	MALLOC(cpx, cpx_t, cpx_size(key_len), M_TEMP, M_WAITOK);
	139	} else {
	140	//mark the page as protectable, since kmem_alloc succeeded.
	141	cpx->cpx_flags \|= CPX_WRITE_PROTECTABLE;
	142	}
	143	} else {
	144	panic("cpx_size too large ! (%lu)", cpsize);
	145	}
	146	#else
	147	/* If key page write protection disabled, just switch to zalloc */
	148
	149	// error out if you try to request a key that's too big
	150	if (key_len > VFS_CP_MAX_CACHEBUFLEN) {
	151	return NULL;
	152	}
	153
	154	// the actual key array is fixed-length, but the amount of usable content can vary, via 'key_len'
	155	cpx = zalloc_flags(cpx_zone, Z_WAITOK \| Z_ZERO);
	156
	157	// if our encryption type needs it, alloc the context
	158	if (needs_ctx) {
	159	cpx_alloc_ctx(cpx);
	160	}
	161
	162	#endif
	163	cpx_init(cpx, key_len);
	164
	165	return cpx;
	166	}
	167
	168	int
	169	cpx_alloc_ctx(cpx_t cpx)
	170	{
	171	#if CONFIG_KEYPAGE_WP
	172	(void) cpx;
	173	#else
	174	if (cpx->cpx_iv_aes_ctx_ptr) {
	175	// already allocated?
	176	return 0;
	177	}
	178
	179	cpx->cpx_iv_aes_ctx_ptr = zalloc_flags(aes_ctz_zone, Z_WAITOK \| Z_ZERO);
	180	#endif // CONFIG_KEYPAGE_WP
	181
	182	return 0;
	183	}
	184
	185	void
	186	cpx_free_ctx(cpx_t cpx)
	187	{
	188	#if CONFIG_KEYPAGE_WP
	189	(void) cpx;
	190	# else
	191	if (cpx->cpx_iv_aes_ctx_ptr) {
	192	zfree(aes_ctz_zone, cpx->cpx_iv_aes_ctx_ptr);
	193	}
	194	#endif // CONFIG_KEYPAGE_WP
	195	}
	196
	197	void
	198	cpx_writeprotect(cpx_t cpx)
	199	{
	200	#if CONFIG_KEYPAGE_WP
	201	void cpxstart = (void)cpx;
	202	void cpxend = (void)((uint8_t*)cpx + PAGE_SIZE);
	203	if (cpx->cpx_flags & CPX_WRITE_PROTECTABLE) {
	204	vm_map_protect(kernel_map, (vm_map_offset_t)cpxstart, (vm_map_offset_t)cpxend, (VM_PROT_READ), FALSE);
	205	}
	206	#else
	207	(void) cpx;
	208	#endif
	209	return;
	210	}
	211
	212	#if DEBUG
	213	static const uint32_t cpx_magic1 = 0x7b787063; // cpx{
	214	static const uint32_t cpx_magic2 = 0x7870637d; // }cpx
	215	#endif
	216
	217	void
	218	cpx_free(cpx_t cpx)
	219	{
	220	#if DEBUG
	221	assert(cpx->cpx_magic1 == cpx_magic1);
	222	assert(PTR_ADD(uint32_t , cpx, cpx_sizex(cpx) - 4) == cpx_magic2);
	223	#endif
	224
	225	#if CONFIG_KEYPAGE_WP
	226	/* unprotect the page before bzeroing */
	227	void cpxstart = (void)cpx;
	228	void cpxend = (void)((uint8_t*)cpx + PAGE_SIZE);
	229	if (cpx->cpx_flags & CPX_WRITE_PROTECTABLE) {
	230	vm_map_protect(kernel_map, (vm_map_offset_t)cpxstart, (vm_map_offset_t)cpxend, (VM_PROT_DEFAULT), FALSE);
	231
	232	//now zero the memory after un-protecting it
	233	bzero(cpx->cpx_cached_key, cpx->cpx_max_key_len);
	234
	235	//If we are here, then we used kmem_alloc to get the page. Must use kmem_free to drop it.
	236	kmem_free(kernel_map, (vm_offset_t)cpx, PAGE_SIZE);
	237	return;
	238	}
	239	#else
	240	// free the context if it wasn't already freed
	241	cpx_free_ctx(cpx);
	242	zfree(cpx_zone, cpx);
	243	return;
	244	#endif
	245	}
	246
	247	void
	248	cpx_init(cpx_t cpx, size_t key_len)
	249	{
	250	#if DEBUG
	251	cpx->cpx_magic1 = cpx_magic1;
	252	PTR_ADD(uint32_t , cpx, cpx_size(key_len) - 4) = cpx_magic2;
	253	#endif
	254	cpx->cpx_flags = 0;
	255	cpx->cpx_key_len = 0;
	256	assert(key_len <= UINT16_MAX);
	257	cpx->cpx_max_key_len = (uint16_t)key_len;
	258	}
	259
	260	bool
	261	cpx_is_sep_wrapped_key(const struct cpx *cpx)
	262	{
	263	return ISSET(cpx->cpx_flags, CPX_SEP_WRAPPEDKEY);
	264	}
	265
	266	void
	267	cpx_set_is_sep_wrapped_key(struct cpx *cpx, bool v)
	268	{
	269	if (v) {
	270	SET(cpx->cpx_flags, CPX_SEP_WRAPPEDKEY);
	271	} else {
	272	CLR(cpx->cpx_flags, CPX_SEP_WRAPPEDKEY);
	273	}
	274	}
	275
	276	bool
	277	cpx_is_composite_key(const struct cpx *cpx)
	278	{
	279	return ISSET(cpx->cpx_flags, CPX_COMPOSITEKEY);
	280	}
	281
	282	void
	283	cpx_set_is_composite_key(struct cpx *cpx, bool v)
	284	{
	285	if (v) {
	286	SET(cpx->cpx_flags, CPX_COMPOSITEKEY);
	287	} else {
	288	CLR(cpx->cpx_flags, CPX_COMPOSITEKEY);
	289	}
	290	}
	291
	292	bool
	293	cpx_use_offset_for_iv(const struct cpx *cpx)
	294	{
	295	return ISSET(cpx->cpx_flags, CPX_USE_OFFSET_FOR_IV);
	296	}
	297
	298	void
	299	cpx_set_use_offset_for_iv(struct cpx *cpx, bool v)
	300	{
	301	if (v) {
	302	SET(cpx->cpx_flags, CPX_USE_OFFSET_FOR_IV);
	303	} else {
	304	CLR(cpx->cpx_flags, CPX_USE_OFFSET_FOR_IV);
	305	}
	306	}
	307
	308	bool
	309	cpx_synthetic_offset_for_iv(const struct cpx *cpx)
	310	{
	311	return ISSET(cpx->cpx_flags, CPX_SYNTHETIC_OFFSET_FOR_IV);
	312	}
	313
	314	void
	315	cpx_set_synthetic_offset_for_iv(struct cpx *cpx, bool v)
	316	{
	317	if (v) {
	318	SET(cpx->cpx_flags, CPX_SYNTHETIC_OFFSET_FOR_IV);
	319	} else {
	320	CLR(cpx->cpx_flags, CPX_SYNTHETIC_OFFSET_FOR_IV);
	321	}
	322	}
	323
	324	uint16_t
	325	cpx_max_key_len(const struct cpx *cpx)
	326	{
	327	return cpx->cpx_max_key_len;
	328	}
	329
	330	uint16_t
	331	cpx_key_len(const struct cpx *cpx)
	332	{
	333	return cpx->cpx_key_len;
	334	}
	335
	336	void
	337	cpx_set_key_len(struct cpx *cpx, uint16_t key_len)
	338	{
	339	cpx->cpx_key_len = key_len;
	340
	341	if (ISSET(cpx->cpx_flags, CPX_IV_AES_CTX_VFS)) {
	342	/*
	343	* We assume that if the key length is being modified, the key
	344	* has changed. As a result, un-set any bits related to the
	345	* AES context, if needed. They should be re-generated
	346	* on-demand.
	347	*/
	348	CLR(cpx->cpx_flags, CPX_IV_AES_CTX_INITIALIZED \| CPX_IV_AES_CTX_VFS);
	349	}
	350	}
	351
	352	bool
	353	cpx_has_key(const struct cpx *cpx)
	354	{
	355	return cpx->cpx_key_len > 0;
	356	}
	357
	358	#pragma clang diagnostic push
	359	#pragma clang diagnostic ignored "-Wcast-qual"
	360	void *
	361	cpx_key(const struct cpx *cpx)
	362	{
	363	return (void *)cpx->cpx_cached_key;
	364	}
	365	#pragma clang diagnostic pop
	366
	367	void
	368	cpx_set_aes_iv_key(struct cpx cpx, void iv_key)
	369	{
	370	if (cpx->cpx_iv_aes_ctx_ptr) {
	371	aes_encrypt_key128(iv_key, cpx->cpx_iv_aes_ctx_ptr);
	372	SET(cpx->cpx_flags, CPX_IV_AES_CTX_INITIALIZED \| CPX_USE_OFFSET_FOR_IV);
	373	CLR(cpx->cpx_flags, CPX_IV_AES_CTX_VFS);
	374	}
	375	}
	376
	377	aes_encrypt_ctx *
	378	cpx_iv_aes_ctx(struct cpx *cpx)
	379	{
	380	if (ISSET(cpx->cpx_flags, CPX_IV_AES_CTX_INITIALIZED)) {
	381	return cpx->cpx_iv_aes_ctx_ptr;
	382	}
	383
	384	SHA1_CTX sha1ctxt;
	385	uint8_t digest[SHA_DIGEST_LENGTH]; /* Kiv */
	386
	387	/* First init the cp_cache_iv_key[] */
	388	SHA1Init(&sha1ctxt);
	389
	390	/*
	391	* We can only use this when the keys are generated in the AP; As a result
	392	* we only use the first 32 bytes of key length in the cache key
	393	*/
	394	SHA1Update(&sha1ctxt, cpx->cpx_cached_key, cpx->cpx_key_len);
	395	SHA1Final(digest, &sha1ctxt);
	396
	397	cpx_set_aes_iv_key(cpx, digest);
	398	SET(cpx->cpx_flags, CPX_IV_AES_CTX_VFS);
	399
	400	return cpx->cpx_iv_aes_ctx_ptr;
	401	}
	402
	403	void
	404	cpx_flush(cpx_t cpx)
	405	{
	406	bzero(cpx->cpx_cached_key, cpx->cpx_max_key_len);
	407	if (cpx->cpx_iv_aes_ctx_ptr) {
	408	bzero(cpx->cpx_iv_aes_ctx_ptr, sizeof(aes_encrypt_ctx));
	409	}
	410	cpx->cpx_flags = 0;
	411	cpx->cpx_key_len = 0;
	412	}
	413
	414	bool
	415	cpx_can_copy(const struct cpx src, const struct cpx dst)
	416	{
	417	return src->cpx_key_len <= dst->cpx_max_key_len;
	418	}
	419
	420	void
	421	cpx_copy(const struct cpx *src, cpx_t dst)
	422	{
	423	uint16_t key_len = cpx_key_len(src);
	424	cpx_set_key_len(dst, key_len);
	425	memcpy(cpx_key(dst), cpx_key(src), key_len);
	426	dst->cpx_flags = src->cpx_flags;
	427	if (ISSET(dst->cpx_flags, CPX_IV_AES_CTX_INITIALIZED)) {
	428	(dst->cpx_iv_aes_ctx_ptr) = (src->cpx_iv_aes_ctx_ptr); // deep copy
	429	}
	430	}
	431
	432	typedef struct {
	433	cp_lock_state_t state;
	434	int valid_uuid;
	435	uuid_t volume_uuid;
	436	} cp_lock_vfs_callback_arg;
	437
	438	static int
	439	cp_lock_vfs_callback(mount_t mp, void *arg)
	440	{
	441	cp_lock_vfs_callback_arg callback_arg = (cp_lock_vfs_callback_arg )arg;
	442
	443	if (callback_arg->valid_uuid) {
	444	struct vfs_attr va;
	445	VFSATTR_INIT(&va);
	446	VFSATTR_WANTED(&va, f_uuid);
	447
	448	if (vfs_getattr(mp, &va, vfs_context_current())) {
	449	return 0;
	450	}
	451
	452	if (!VFSATTR_IS_SUPPORTED(&va, f_uuid)) {
	453	return 0;
	454	}
	455
	456	if (memcmp(va.f_uuid, callback_arg->volume_uuid, sizeof(uuid_t))) {
	457	return 0;
	458	}
	459	}
	460
	461	VFS_IOCTL(mp, FIODEVICELOCKED, (void *)(uintptr_t)callback_arg->state, 0, vfs_context_kernel());
	462	return 0;
	463	}
	464
	465	int
	466	cp_key_store_action(cp_key_store_action_t action)
	467	{
	468	cp_lock_vfs_callback_arg callback_arg;
	469
	470	switch (action) {
	471	case CP_ACTION_LOCKED:
	472	case CP_ACTION_UNLOCKED:
	473	callback_arg.state = (action == CP_ACTION_LOCKED ? CP_LOCKED_STATE : CP_UNLOCKED_STATE);
	474	memset(callback_arg.volume_uuid, 0, sizeof(uuid_t));
	475	callback_arg.valid_uuid = 0;
	476	return vfs_iterate(0, cp_lock_vfs_callback, (void *)&callback_arg);
	477	default:
	478	return -1;
	479	}
	480	}
	481
	482	int
	483	cp_key_store_action_for_volume(uuid_t volume_uuid, cp_key_store_action_t action)
	484	{
	485	cp_lock_vfs_callback_arg callback_arg;
	486
	487	switch (action) {
	488	case CP_ACTION_LOCKED:
	489	case CP_ACTION_UNLOCKED:
	490	callback_arg.state = (action == CP_ACTION_LOCKED ? CP_LOCKED_STATE : CP_UNLOCKED_STATE);
	491	memcpy(callback_arg.volume_uuid, volume_uuid, sizeof(uuid_t));
	492	callback_arg.valid_uuid = 1;
	493	return vfs_iterate(0, cp_lock_vfs_callback, (void *)&callback_arg);
	494	default:
	495	return -1;
	496	}
	497	}
	498
	499	int
	500	cp_is_valid_class(int isdir, int32_t protectionclass)
	501	{
	502	/*
	503	* The valid protection classes are from 0 -> N
	504	* We use a signed argument to detect unassigned values from
	505	* directory entry creation time in HFS.
	506	*/
	507	if (isdir) {
	508	/* Directories are not allowed to have F, but they can have "NONE" */
	509	return (protectionclass >= PROTECTION_CLASS_DIR_NONE) &&
	510	(protectionclass <= PROTECTION_CLASS_D);
	511	} else {
	512	return (protectionclass >= PROTECTION_CLASS_A) &&
	513	(protectionclass <= PROTECTION_CLASS_F);
	514	}
	515	}
	516
	517	/*
	518	* Parses versions of the form 12A316, i.e. <major><minor><revision> and
	519	* returns a uint32_t in the form 0xaabbcccc where aa = <major>,
	520	* bb = <ASCII char>, cccc = <revision>.
	521	*/
	522	static cp_key_os_version_t
	523	parse_os_version(const char *vers)
	524	{
	525	const char *p = vers;
	526
	527	int a = 0;
	528	while (p >= '0' && p <= '9') {
	529	a = a * 10 + *p - '0';
	530	++p;
	531	}
	532
	533	if (!a) {
	534	return 0;
	535	}
	536
	537	int b = *p++;
	538	if (!b) {
	539	return 0;
	540	}
	541
	542	int c = 0;
	543	while (p >= '0' && p <= '9') {
	544	c = c * 10 + *p - '0';
	545	++p;
	546	}
	547
	548	if (!c) {
	549	return 0;
	550	}
	551
	552	return (a & 0xff) << 24 \| b << 16 \| (c & 0xffff);
	553	}
	554
	555	cp_key_os_version_t
	556	cp_os_version(void)
	557	{
	558	static cp_key_os_version_t cp_os_version;
	559
	560	if (cp_os_version) {
	561	return cp_os_version;
	562	}
	563
	564	if (!osversion[0]) {
	565	return 0;
	566	}
	567
	568	cp_os_version = parse_os_version(osversion);
	569	if (!cp_os_version) {
	570	printf("cp_os_version: unable to parse osversion `%s'\n", osversion);
	571	cp_os_version = 1;
	572	}
	573
	574	return cp_os_version;
	575	}