// Copyright 2018 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef LIBTPMCRYPTO_TPM_CRYPTO_H_
#define LIBTPMCRYPTO_TPM_CRYPTO_H_
#include <string>
#include <base/macros.h>
#include <brillo/brillo_export.h>
namespace brillo {
// Forward declaration only: this header passes SecureBlob by reference and
// pointer, so it does not need the full definition (keeps the public header
// light for clients that only need the interface).
class SecureBlob;
} // namespace brillo
namespace tpmcrypto {
// Size in bytes of the AES key used for data encryption: 32 bytes = AES-256.
constexpr unsigned int kDefaultAesKeySize{32};

// Size in bytes of the AES-GCM authentication tag: 16 bytes = the full
// 128-bit tag. A truncated tag would weaken the integrity check performed
// during Decrypt(), so the full length is used.
constexpr int kGcmDefaultTagSize{16};

// Size in bytes of the AES-GCM IV (nonce): 12 bytes = 96 bits, the length
// GCM is specified for without an extra hashing step. An IV must never be
// reused under the same key.
constexpr int kGcmDefaultIVSize{12};
// Interface for sealing data to the TPM.
//
// Implementations wrap a TPM-backed AES-GCM scheme: each call to Encrypt()
// has the TPM generate a fresh random key, the payload is encrypted under that
// key, and the key itself is sealed to PCR0 under the TPM's Storage Root Key.
// Decrypt() unseals the key and verifies the GCM tag before returning any
// plaintext. Both operations report failure through their bool result, and
// callers must check it: on a false return the output parameter must not be
// used.
//
// Copying is disabled; implementations are expected to be held by pointer.
class BRILLO_EXPORT TpmCrypto {
 public:
  virtual ~TpmCrypto() = default;

  // Encrypts |data| (any length) and seals the encryption key to the TPM's
  // PCR0, writing the resulting blob to |encrypted_data|.
  //
  // The key is freshly generated by the TPM per call and sealed by the Storage
  // Root Key, so the blob can only be opened by Decrypt() on the same TPM.
  // NOTE(review): because the key is sealed to PCR0, a changed PCR0 value
  // (e.g. after a firmware update) is expected to make Decrypt() fail for
  // previously created blobs — callers should plan for that; confirm against
  // the implementation.
  //
  // Returns true if |encrypted_data| was produced successfully; on false the
  // contents of |encrypted_data| are unspecified.
  virtual bool Encrypt(const brillo::SecureBlob& data,
                       std::string* encrypted_data) = 0;

  // Decrypts a blob previously produced by Encrypt() on this TPM, writing the
  // plaintext to |data|.
  //
  // The sealed key is unsealed via the Storage Root Key and the GCM tag is
  // verified against the ciphertext; a tag mismatch (tampering, truncation, or
  // a blob from a different key) is reported as failure.
  //
  // Returns true only if the data was both decrypted and authenticated; on
  // false, |data| must be treated as untrusted and discarded.
  virtual bool Decrypt(const std::string& encrypted_data,
                       brillo::SecureBlob* data) = 0;

 protected:
  // Non-copyable: an instance represents a handle to TPM state.
  TpmCrypto(const TpmCrypto&) = delete;
  TpmCrypto& operator=(const TpmCrypto&) = delete;

  // Only derived implementations may construct.
  TpmCrypto() = default;
};
} // namespace tpmcrypto
#endif // LIBTPMCRYPTO_TPM_CRYPTO_H_