| // Copyright 2018 The Chromium OS Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef LIBTPMCRYPTO_TPM_CRYPTO_H_ |
| #define LIBTPMCRYPTO_TPM_CRYPTO_H_ |
| |
| #include <string> |
| |
| #include <base/macros.h> |
| #include <brillo/brillo_export.h> |
| |
// Forward declaration only: the interface below takes SecureBlob by reference
// and by pointer, so the full libbrillo header is not needed here.
namespace brillo { class SecureBlob; }  // namespace brillo
| |
| namespace tpmcrypto { |
| |
// Default AES key length in bytes (a 256-bit key).
constexpr unsigned int kDefaultAesKeySize{256 / 8};

// Default AES-GCM authentication tag length in bytes (a 128-bit tag).
constexpr int kGcmDefaultTagSize{128 / 8};

// Default AES-GCM IV length in bytes (a 96-bit IV).
constexpr int kGcmDefaultIVSize{96 / 8};
| |
// Abstract interface for encrypting data under a key that only the TPM can
// release. Concrete implementations talk to the TPM; this header only fixes
// the contract.
class BRILLO_EXPORT TpmCrypto {
 public:
  virtual ~TpmCrypto() = default;

  // Encrypts |data| (any length) and writes the resulting blob to
  // |encrypted_data|. For each call the TPM generates a fresh random key,
  // that key encrypts |data|, and the key itself is then sealed to PCR0 by
  // the TPM's Storage Root Key, so it is expected to be unsealable only
  // while PCR0 still holds the value it had at sealing time.
  // |encrypted_data| is a plain std::string that is not scrubbed on
  // destruction; it carries ciphertext only, never plaintext.
  // Returns true when the blob was created; on false the contents of
  // |encrypted_data| are unspecified and must not be used.
  virtual bool Encrypt(const brillo::SecureBlob& data,
                       std::string* encrypted_data) = 0;

  // Inverse of Encrypt(): unseals the wrapped key through the Storage Root
  // Key and uses it to decrypt the content into |data|. The GCM tag produced
  // at encryption time is checked as part of decryption, so a blob whose tag
  // does not verify yields false. Returns true only when the data is both
  // decrypted and authenticated; callers must not consume |data| on false.
  virtual bool Decrypt(const std::string& encrypted_data,
                       brillo::SecureBlob* data) = 0;

 protected:
  TpmCrypto() = default;
  // Non-copyable: instances are handled only through this interface.
  TpmCrypto(const TpmCrypto&) = delete;
  TpmCrypto& operator=(const TpmCrypto&) = delete;
};
| |
| } // namespace tpmcrypto |
| |
| #endif // LIBTPMCRYPTO_TPM_CRYPTO_H_ |