X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/39236c6e673c41db228275375ab7fdb0f837b292..743345f9a4b36f7e2f9ba37691e70c50baecb56e:/bsd/sys/cprotect.h?ds=inline diff --git a/bsd/sys/cprotect.h b/bsd/sys/cprotect.h index 9a7c36d77..97cb5a7c1 100644 --- a/bsd/sys/cprotect.h +++ b/bsd/sys/cprotect.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009-2012 Apple Inc. All rights reserved. + * Copyright (c) 2009-2014 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * @@ -29,238 +29,179 @@ #ifndef _SYS_CPROTECT_H_ #define _SYS_CPROTECT_H_ -#ifdef __cplusplus -extern "C" { -#endif - #if KERNEL_PRIVATE #include -#include -#include +#include +#include +#include #include +#include -#define CP_IV_KEYSIZE 20 /* 16x8 = 128, but SHA1 pushes 20 bytes so keep space for that */ -#define CP_MAX_KEYSIZE 32 /* 8x4 = 32, 32x8 = 256 */ -#define CP_MAX_WRAPPEDKEYSIZE 128 /* The size of the largest allowed key */ -#define CP_INITIAL_WRAPPEDKEYSIZE 40 -#define CP_V2_WRAPPEDKEYSIZE 40 /* Size of the wrapped key in a v2 EA */ -#define CP_V4_RESERVEDBYTES 20 /* Number of reserved bytes in EA still present */ +__BEGIN_DECLS -/* lock events from AppleKeyStore */ -#define CP_LOCKED_STATE 0 /* Device is locked */ -#define CP_UNLOCKED_STATE 1 /* Device is unlocked */ +#define CP_CODE(code) FSDBG_CODE(DBG_CONTENT_PROT, code) +/* + * Class DBG_FSYSTEM == 0x03 + * Subclass DBG_CONTENT_PROT == 0xCF + * These debug codes are of the form 0x03CFzzzz + */ -#define CP_MAX_STATE 1 /* uint8_t ; maximum # of states is 255 */ +enum { + CPDBG_OFFSET_IO = CP_CODE(0), /* 0x03CF0000 */ +}; -#define CP_LOCKED_KEYCHAIN 0 -#define CP_UNLOCKED_KEYCHAIN 1 +/* normally the debug events are no-ops */ +#define CP_DEBUG(x,a,b,c,d,e) do {} while (0); -/* For struct cprotect: cp_flags */ -#define CP_NEEDS_KEYS 0x01 /* File needs persistent keys */ -#define CP_KEY_FLUSHED 0x02 /* File's unwrapped key has been purged from memory */ -#define CP_NO_XATTR 0x04 /* Key info has not been saved as EA to the FS */ -#define CP_OFF_IV_ENABLED 0x08 /* Only go down relative IV route if this flag is set */ -#define CP_RELOCATION_INFLIGHT 0x10 /* File with offset IVs is in the process of being relocated. */ -#define CP_SEP_WRAPPEDKEY 0x20 /* Wrapped key delivered from keybag */ +/* dev kernels only! */ +#if !SECURE_KERNEL -/* Content Protection VNOP Operation flags */ -#define CP_READ_ACCESS 0x1 -#define CP_WRITE_ACCESS 0x2 +/* KDEBUG events used by content protection subsystem */ +#if 0 +#undef CP_DEBUG +#define CP_DEBUG KERNEL_DEBUG_CONSTANT +#endif +#endif + +#define CP_MAX_WRAPPEDKEYSIZE 128 /* The size of the largest allowed key */ + +/* lock events from AppleKeyStore */ +enum { + CP_ACTION_LOCKED = 0, + CP_ACTION_UNLOCKED = 1, +}; /* - * Check for this version when deciding to enable features - * For iOS 4, CP_CURRENT_MAJOR_VERS = 2.0 - * For iOS 5, CP_CURRENT_MAJOR_VERS = 4.0 + * Ideally, cp_key_store_action_t would be an enum, but we cannot fix + * that until AppleKeyStore is updated. */ -#define CONTENT_PROTECTION_XATTR_NAME "com.apple.system.cprotect" -#define CP_NEW_MAJOR_VERS 4 -#define CP_PREV_MAJOR_VERS 2 -#define CP_MINOR_VERS 0 +typedef int cp_key_store_action_t; + +/* + * It was once the case (and it may still be the case) where the lock + * state got conflated with the possible actions/events that + * AppleKeyStore can send. For that reason, the locked states below + * should numerically match their corresponding actions above. + */ +typedef unsigned char cp_lock_state_t; +enum { + CP_LOCKED_STATE = 0, + CP_UNLOCKED_STATE = 1, +}; + +typedef uint32_t cp_key_class_t; +typedef uint32_t cp_key_os_version_t; +typedef uint16_t cp_key_revision_t; +typedef uint64_t cp_crypto_id_t; typedef struct cprotect *cprotect_t; typedef struct cp_wrap_func *cp_wrap_func_t; -typedef struct cp_global_state *cp_global_state_t; -typedef struct cp_xattr *cp_xattr_t; +typedef struct cpx *cpx_t; -typedef struct cnode * cnode_ptr_t; -//forward declare the struct. -struct hfsmount; +typedef struct cp_key { + uint8_t len; + void *key; +} cp_key_t; -/* Structures passed between HFS and AKS kext */ +/* Interface to AKS kext */ typedef struct { void *key; unsigned key_len; void *iv_key; unsigned iv_key_len; uint32_t flags; -} cp_raw_key_s, *cp_raw_key_t; +} cp_raw_key_s; + +typedef cp_raw_key_s* cp_raw_key_t; typedef struct { void *key; unsigned key_len; - uint32_t dp_class; -} cp_wrapped_key_s, *cp_wrapped_key_t; + cp_key_class_t dp_class; +} cp_wrapped_key_s; + +typedef cp_wrapped_key_s* cp_wrapped_key_t; typedef struct { - ino64_t inode; - uint32_t volume; - pid_t pid; - uid_t uid; -} cp_cred_s, *cp_cred_t; + union { + ino64_t inode; + cp_crypto_id_t crypto_id; + }; + uint32_t volume; + pid_t pid; + uid_t uid; + cp_key_revision_t key_revision; +} cp_cred_s; + +typedef cp_cred_s* cp_cred_t; /* The wrappers are invoked on the AKS kext */ typedef int unwrapper_t(cp_cred_t access, const cp_wrapped_key_t wrapped_key_in, cp_raw_key_t key_out); -typedef int rewrapper_t(cp_cred_t access, uint32_t dp_class, const cp_wrapped_key_t wrapped_key_in, cp_wrapped_key_t wrapped_key_out); -typedef int new_key_t(cp_cred_t access, uint32_t dp_class, cp_raw_key_t key_out, cp_wrapped_key_t wrapped_key_out); +typedef int rewrapper_t(cp_cred_t access, cp_key_class_t dp_class, const cp_wrapped_key_t wrapped_key_in, cp_wrapped_key_t wrapped_key_out); +typedef int new_key_t(cp_cred_t access, cp_key_class_t dp_class, cp_raw_key_t key_out, cp_wrapped_key_t wrapped_key_out); typedef int invalidater_t(cp_cred_t access); /* invalidates keys */ +typedef int backup_key_t(cp_cred_t access, const cp_wrapped_key_t wrapped_key_in, cp_wrapped_key_t wrapped_key_out); - -/* Flags for Interaction between AKS / Kernel */ -#define CP_RAW_KEY_WRAPPEDKEY 0x00000001 - +/* + * Flags for Interaction between AKS / Kernel + * These are twiddled via the input/output structs in the above + * wrapper/unwrapper functions. + */ +#define CP_RAW_KEY_WRAPPEDKEY 0x00000001 /* - * Runtime-only structure containing the content protection status - * for the given file. This is contained within the cnode - * This is passed down to IOStorageFamily via the bufattr struct - * - ****************************************************** - * Some Key calculation information for offset based IV - ****************************************************** - * Kf = original 256 bit per file key - * Kiv = SHA1(Kf), use full Kf, but truncate Kiv to 128 bits - * Kiv can be cached in the cprotect, so it only has to be calculated once for the file init - * - * IVb = Encrypt(Kiv, offset) - * + * Function prototypes for kexts to interface with our internal cprotect + * fields; cpx provides opacity and allows us to modify behavior internally + * without requiring kext changes. */ -struct cprotect { - uint32_t cp_flags; - uint32_t cp_pclass; - aes_encrypt_ctx cp_cache_iv_ctx; - uint32_t cp_cache_key_len; - uint8_t cp_cache_key[CP_MAX_KEYSIZE]; - uint32_t cp_persistent_key_len; - void* cp_backing_cnode; - uint8_t cp_persistent_key[]; -}; - +cpx_t cpx_alloc(size_t key_size); +void cpx_init(cpx_t, size_t key_len); +void cpx_free(cpx_t); +__attribute__((const)) size_t cpx_size(size_t key_size); +__attribute__((pure)) bool cpx_is_sep_wrapped_key(const struct cpx *); +void cpx_set_is_sep_wrapped_key(struct cpx *, bool); +__attribute__((pure)) bool cpx_use_offset_for_iv(const struct cpx *); +void cpx_set_use_offset_for_iv(struct cpx *, bool); +__attribute__((pure)) bool cpx_synthetic_offset_for_iv(const struct cpx *); +void cpx_set_synthetic_offset_for_iv(struct cpx *, bool); +__attribute__((pure)) uint16_t cpx_key_len(const struct cpx *); +void cpx_set_key_len(struct cpx *, uint16_t key_len); +__attribute__((pure)) void *cpx_key(const struct cpx *); +aes_encrypt_ctx *cpx_iv_aes_ctx(struct cpx *); +void cpx_flush(cpx_t cpx); +bool cpx_can_copy(const struct cpx *src, const struct cpx *dst); +void cpx_copy(const struct cpx *src, cpx_t dst); +uint16_t cpx_max_key_len(const struct cpx *cpx); +bool cpx_has_key(const struct cpx *cpx); +size_t cpx_sizex(const struct cpx *cpx); +void cpx_set_aes_iv_key(struct cpx *cpx, void *iv_key); + +/* Structure to store pointers for AKS functions */ struct cp_wrap_func { new_key_t *new_key; unwrapper_t *unwrapper; rewrapper_t *rewrapper; invalidater_t *invalidater; + backup_key_t *backup_key; }; -struct cp_global_state { - uint8_t wrap_functions_set; - uint8_t lock_state; - u_int16_t reserved; -}; - -/* - * On-disk structure written as the per-file EA payload - * All on-disk multi-byte fields for the CP XATTR must be stored - * little-endian on-disk. This means they must be endian swapped to - * L.E on getxattr() and converted to LE on setxattr(). - * - * This structure is a fixed length and is tightly packed. - * 56 bytes total. - */ -struct cp_xattr_v2 { - u_int16_t xattr_major_version; - u_int16_t xattr_minor_version; - u_int32_t flags; - u_int32_t persistent_class; - u_int32_t key_size; - uint8_t persistent_key[CP_V2_WRAPPEDKEYSIZE]; -} __attribute__((aligned(2), packed)); - - -/* - * V4 Content Protection EA On-Disk Layout. - * - * This structure must be tightly packed, but the *size can vary* - * depending on the length of the key. At MOST, the key length will be - * CP_MAX_WRAPPEDKEYSIZE, but the length is defined by the key_size field. - * - * Either way, the packing must be applied to ensure that the key data is - * retrievable in the right location relative to the start of the struct. - * - * Fully packed, this structure can range from : - * MIN: 36 bytes (no key -- used with directories) - * MAX: 164 bytes (with 128 byte key) - * - * During runtime we always allocate with the full 128 byte key, but only - * use as much of the key buffer as needed. It must be tightly packed, though. - */ - -struct cp_xattr_v4 { - u_int16_t xattr_major_version; - u_int16_t xattr_minor_version; - u_int32_t flags; - u_int32_t persistent_class; - u_int32_t key_size; - /* CP V4 Reserved Bytes == 20 */ - u_int8_t reserved[CP_V4_RESERVEDBYTES]; - /* All above fields are fixed regardless of key length (36 bytes) */ - /* Max Wrapped Size == 128 */ - uint8_t persistent_key[CP_MAX_WRAPPEDKEYSIZE]; -} __attribute__((aligned(2), packed)); - - -/* - * The Root Directory's EA (fileid 1) is special; it defines information about - * what capabilities the filesystem is using. - * - * The data is still stored little endian. - * - * Note that this structure is tightly packed: 28 bytes total. - */ - struct cp_root_xattr { - u_int16_t major_version; - u_int16_t minor_version; - u_int64_t flags; - u_int8_t reserved[16]; -} __attribute__((aligned(2), packed)); - - -/* - * Functions to check the status of a CP and to query - * the containing filesystem to see if it is supported. - */ -int cp_vnode_getclass(vnode_t, int *); -int cp_vnode_setclass(vnode_t, uint32_t); -int cp_vnode_transcode(vnode_t); - -int cp_key_store_action(int); +int cp_key_store_action(cp_key_store_action_t); int cp_register_wraps(cp_wrap_func_t); - -int cp_entry_init(cnode_ptr_t, struct mount *); -int cp_entry_gentempkeys(struct cprotect **entry_ptr, struct hfsmount *hfsmp); -int cp_needs_tempkeys (struct hfsmount *hfsmp, int* needs); -void cp_entry_destroy(struct cprotect *entry_ptr); -void cp_replace_entry (struct cnode *cp, struct cprotect *newentry); -cnode_ptr_t cp_get_protected_cnode(vnode_t); -int cp_handle_vnop(vnode_t, int, int); -int cp_fs_protected (mount_t); -int cp_getrootxattr (struct hfsmount *hfsmp, struct cp_root_xattr *outxattr); -int cp_setrootxattr (struct hfsmount *hfsmp, struct cp_root_xattr *newxattr); -int cp_setxattr(struct cnode *cp, struct cprotect *entry, struct hfsmount *hfsmp, uint32_t fileid, int options); -int cp_generate_keys (struct hfsmount *hfsmp, struct cnode *cp, int targetclass, struct cprotect **newentry); -int cp_setup_newentry (struct hfsmount *hfsmp, struct cnode *dcp, int32_t suppliedclass, - mode_t cmode, struct cprotect **tmpentry); -int cp_handle_relocate (cnode_ptr_t cp, struct hfsmount *hfsmp); -int cp_handle_open(struct vnode *vp, int mode); -int cp_get_root_major_vers (struct vnode *vp, uint32_t *level); -int cp_get_default_level (struct vnode *vp, uint32_t *level); +int cp_rewrap_key(cp_cred_t access, cp_key_class_t dp_class, + const cp_wrapped_key_t wrapped_key_in, + cp_wrapped_key_t wrapped_key_out); +int cp_new_key(cp_cred_t access, cp_key_class_t dp_class, cp_raw_key_t key_out, + cp_wrapped_key_t wrapped_key_out); +int cp_unwrap_key(cp_cred_t access, const cp_wrapped_key_t wrapped_key_in, + cp_raw_key_t key_out); +int cp_get_backup_key(cp_cred_t access, const cp_wrapped_key_t wrapped_key_in, + cp_wrapped_key_t wrapped_key_out); +cp_key_os_version_t cp_os_version(void); +// Should be cp_key_class_t but HFS has a conflicting definition int cp_is_valid_class (int isdir, int32_t protectionclass); -#endif /* KERNEL_PRIVATE */ - -#ifdef __cplusplus -}; -#endif +__END_DECLS +#endif /* KERNEL_PRIVATE */ #endif /* !_SYS_CPROTECT_H_ */