| // Copyright 2021 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| syntax = "proto2"; |
| |
| package cryptohome; |
| |
// These fields are all marked optional because these protobufs are built from
// objects stored on disk, such as the SerializedVaultKeyset, so cryptohome
// cannot assume a protobuf is always well-formed. However, the fields should
// always be present; if any is missing, the auth block cannot operate.
// Per-auth-block state persisted alongside a user's keyset. Exactly which
// nested state is populated is selected by the |auth_block_state| oneof.
// Every field is `optional` because the data comes from disk; a consumer must
// check presence (has_*) before relying on a value rather than trusting the
// proto2 default.
message AuthBlockState {
  // State for a TPM-wrapped VKK that is not bound to a PCR value.
  message TpmNotBoundToPcrAuthBlockState {
    // Marks if the password is run through scrypt before going to the TPM.
    // If absent, the proto2 default is false; callers should treat absence
    // as a missing field rather than as "not derived".
    optional bool scrypt_derived = 1;
    // The VKK wrapped with the user's password by the TPM.
    optional bytes tpm_key = 2;
    // Hash of the wrapping TPM's public key, recorded so a consumer can check
    // whether the TPM now present is the same one that wrapped the credential.
    optional bytes tpm_public_key_hash = 3;
  }
  // State for a TPM-wrapped VKK that is additionally bound to a PCR.
  message TpmBoundToPcrAuthBlockState {
    // Marks if the password is run through scrypt before going to the TPM.
    // If absent, the proto2 default is false; callers should treat absence
    // as a missing field rather than as "not derived".
    optional bool scrypt_derived = 1;
    // The VKK encrypted with the user's password and TPM.
    optional bytes tpm_key = 2;
    // Same as tpm_key, but extends the PCR to only allow one user until reboot.
    optional bytes extended_tpm_key = 3;
    // Hash of the wrapping TPM's public key, recorded so a consumer can check
    // whether the TPM now present is the same one that wrapped the credential.
    optional bytes tpm_public_key_hash = 4;
  }
  // State for a credential protected by the low-entropy (LE) credential
  // manager (PinWeaver).
  message PinWeaverAuthBlockState {
    // The label for the credential in the LE hash tree.
    // NOTE(review): this is the only field and it uses number 5; numbers 1-4
    // are not declared `reserved` here, so confirm no earlier revision used
    // them before assigning them to new fields.
    optional uint64 le_label = 5;
  }
  // Placeholder state for the libscrypt-compatible auth block; it currently
  // carries no fields.
  message LibScryptCompatAuthBlockState {}
  // Placeholder state for the challenge-credential auth block; it currently
  // carries no fields.
  message ChallengeCredentialAuthBlockState {}

  // Which auth block produced this state. At most one member is set; setting
  // one clears the others, so consumers should dispatch on the oneof case.
  oneof auth_block_state {
    TpmNotBoundToPcrAuthBlockState tpm_not_bound_to_pcr_state = 1;
    TpmBoundToPcrAuthBlockState tpm_bound_to_pcr_state = 2;
    PinWeaverAuthBlockState pin_weaver_state = 3;
    LibScryptCompatAuthBlockState libscrypt_compat_state = 4;
    ChallengeCredentialAuthBlockState challenge_credential_state = 5;
  }
}