| // Copyright 2021 The Chromium OS Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef CRYPTOHOME_AUTH_BLOCK_STATE_H_ |
| #define CRYPTOHOME_AUTH_BLOCK_STATE_H_ |
| |
| #include <absl/types/variant.h> |
| #include <base/optional.h> |
| #include <brillo/secure_blob.h> |
| |
| #include "cryptohome/auth_block_state_generated.h" |
| |
| namespace cryptohome { |
| // TODO(b/199531643): Check the impact of using empty blobs stored in every |
| // AuthBlockState. |
| |
| // Fields in AuthBlockState are all marked optional because they can be read |
| // from objects stored on disk, such as the SerializedVaultKeyset. As a result |
| // cryptohome cannot assume all fields are always populated. However, the |
| // fields should always be defined or the auth block cannot operate. |
| |
| struct TpmNotBoundToPcrAuthBlockState { |
| // Marks if the password is run through scrypt before going to the TPM. |
| bool scrypt_derived = false; |
| // The salt used to bind to the TPM. |
| // Must be set. |
| base::Optional<brillo::SecureBlob> salt; |
| // The number of rounds key derivation is called. |
| base::Optional<uint32_t> password_rounds; |
| // The VKK wrapped with the user's password by the tpm. |
| // Must be set. |
| base::Optional<brillo::SecureBlob> tpm_key; |
| // Optional, served as a TPM identity, useful when checking if the TPM is |
| // the same one sealed the tpm_key. |
| base::Optional<brillo::SecureBlob> tpm_public_key_hash; |
| // The wrapped reset seed to reset LE credentials. |
| // This is for in memory data holding only and will not be serialized. |
| base::Optional<brillo::SecureBlob> wrapped_reset_seed; |
| }; |
| |
| struct TpmBoundToPcrAuthBlockState { |
| // Marks if the password is run through scrypt before going to the TPM. |
| bool scrypt_derived = false; |
| // The salt used to bind to the TPM. |
| base::Optional<brillo::SecureBlob> salt; |
| // The VKK wrapped with the user's password by the tpm. |
| base::Optional<brillo::SecureBlob> tpm_key; |
| // Same as tpm_key, but extends the PCR to only allow one user until reboot. |
| base::Optional<brillo::SecureBlob> extended_tpm_key; |
| // Optional, served as a TPM identity, useful when checking if the TPM is |
| // the same one sealed the tpm_key. |
| base::Optional<brillo::SecureBlob> tpm_public_key_hash; |
| // The wrapped reset seed to reset LE credentials. |
| // This is for in memory data holding only and will not be serialized. |
| base::Optional<brillo::SecureBlob> wrapped_reset_seed; |
| }; |
| |
| struct PinWeaverAuthBlockState { |
| // The label for the credential in the LE hash tree. |
| base::Optional<uint64_t> le_label; |
| // The salt used to first scrypt the user input. |
| base::Optional<brillo::SecureBlob> salt; |
| // The IV used to derive the chaps key. |
| base::Optional<brillo::SecureBlob> chaps_iv; |
| // The IV used to derive the file encryption key. |
| base::Optional<brillo::SecureBlob> fek_iv; |
| }; |
| |
| // This is a unique AuthBlockState for backwards compatibility. libscrypt puts |
| // the metadata, such as IV and salt, into the header of the encrypted |
| // buffer. Thus this is the only auth block state to pass wrapped secrets. See |
| // the LibScryptCompatAuthBlock header for a full explanation. |
| struct LibScryptCompatAuthBlockState { |
| // The wrapped filesystem keys. |
| base::Optional<brillo::SecureBlob> wrapped_keyset; |
| // The wrapped chaps keys. |
| base::Optional<brillo::SecureBlob> wrapped_chaps_key; |
| // The wrapped reset seed keys. |
| // This is for in memory data holding only and will not be serialized. |
| base::Optional<brillo::SecureBlob> wrapped_reset_seed; |
| // The random salt. |
| // TODO(b/198394243): We should remove it because it's not actually used. |
| base::Optional<brillo::SecureBlob> salt; |
| }; |
| |
| struct ChallengeCredentialAuthBlockState { |
| struct LibScryptCompatAuthBlockState scrypt_state; |
| }; |
| |
| struct DoubleWrappedCompatAuthBlockState { |
| struct LibScryptCompatAuthBlockState scrypt_state; |
| struct TpmNotBoundToPcrAuthBlockState tpm_state; |
| }; |
| |
| struct CryptohomeRecoveryAuthBlockState { |
| // Contains encrypted mediator share and data required for decryption. |
| struct EncryptedMediatorShare { |
| // The integrity tag of the data generated during encryption of the |
| // mediator share. |
| base::Optional<brillo::SecureBlob> tag; |
| // The initialization vector generated during encryption of the mediator |
| // share. |
| base::Optional<brillo::SecureBlob> iv; |
| // Ephemeral key created during encryption of the mediator share. |
| base::Optional<brillo::SecureBlob> ephemeral_pub_key; |
| // Encrypted mediator share. |
| base::Optional<brillo::SecureBlob> encrypted_data; |
| }; |
| // Secret share of the mediator encrypted to the mediator public key. |
| base::Optional<EncryptedMediatorShare> encrypted_mediator_share; |
| // HSM Payload is created at onboarding and contains all the data that are |
| // persisted on a chromebook and will be eventually used for recovery, |
| // serialized to CBOR. |
| base::Optional<brillo::SecureBlob> hsm_payload; |
| // The salt used to first scrypt the user input. |
| base::Optional<brillo::SecureBlob> salt; |
| // Secret share of the destination (plaintext). |
| // TODO(b/184924489): store encrypted destination share. |
| base::Optional<brillo::SecureBlob> plaintext_destination_share; |
| // Channel keys that will be used for secure communication during recovery. |
| // TODO(b/196192089): store encrypted keys. |
| base::Optional<brillo::SecureBlob> channel_pub_key; |
| base::Optional<brillo::SecureBlob> channel_priv_key; |
| }; |
| |
| struct TpmEccAuthBlockState { |
| // The salt used to derive the user input with scrypt. |
| base::Optional<brillo::SecureBlob> salt; |
| // The IV to decrypt EVK. |
| base::Optional<brillo::SecureBlob> vkk_iv; |
| // The number of rounds the auth value generating process is called. |
| base::Optional<uint32_t> auth_value_rounds; |
| // HVKKM: Hardware Vault Keyset Key Material. |
| // SVKKM: Software Vault Keyset Key Material. |
| // We would use HVKKM and SVKKM to derive the VKK. |
| // The HVKKM are encrypted with the user's password, TPM, and binds to empty |
| // current user state. |
| base::Optional<brillo::SecureBlob> sealed_hvkkm; |
| // Same as |sealed_hvkkm|, but extends the current user state to the specific |
| // user. |
| base::Optional<brillo::SecureBlob> extended_sealed_hvkkm; |
| // A check if this is the same TPM that wrapped the credential. |
| base::Optional<brillo::SecureBlob> tpm_public_key_hash; |
| // The wrapped reset seed to reset LE credentials. |
| base::Optional<brillo::SecureBlob> wrapped_reset_seed; |
| }; |
| |
| struct AuthBlockState { |
| // Returns an Flatbuffer offset which can be added to other Flatbuffers |
| // tables. Returns a zero offset for errors since AuthBlockState |
| // shall never be an empty table. Zero offset can be checked by IsNull(). |
| flatbuffers::Offset<SerializedAuthBlockState> SerializeToOffset( |
| flatbuffers::FlatBufferBuilder* builder) const; |
| |
| // Returns an AuthBlockState Flatbuffer serialized to a SecureBlob. |
| base::Optional<brillo::SecureBlob> Serialize() const; |
| |
| absl::variant<TpmNotBoundToPcrAuthBlockState, |
| TpmBoundToPcrAuthBlockState, |
| PinWeaverAuthBlockState, |
| LibScryptCompatAuthBlockState, |
| ChallengeCredentialAuthBlockState, |
| DoubleWrappedCompatAuthBlockState, |
| CryptohomeRecoveryAuthBlockState, |
| TpmEccAuthBlockState> |
| state; |
| }; |
| |
| } // namespace cryptohome |
| |
| #endif // CRYPTOHOME_AUTH_BLOCK_STATE_H_ |