// Copyright 2018 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Interface used by "mount-encrypted" to interface with the TPM.

#ifndef CRYPTOHOME_MOUNT_ENCRYPTED_TPM_H_
#define CRYPTOHOME_MOUNT_ENCRYPTED_TPM_H_

#include <stdint.h>

#include <map>
#include <memory>
#include <vector>

#include <base/files/file_path.h>
#include <base/macros.h>

#include <vboot/tlcl.h>

#include <brillo/secure_blob.h>

#include "cryptohome/mount_encrypted/mount_encrypted.h"

const uint32_t kLockboxSizeV1 = 0x2c;
const uint32_t kLockboxSizeV2 = 0x45;

#if USE_TPM2
const uint32_t kLockboxIndex = 0x800004;
const uint32_t kEncStatefulIndex = 0x800005;
const uint32_t kEncStatefulSize = 40;
#else
const uint32_t kLockboxIndex = 0x20000004;
const uint32_t kEncStatefulIndex = 0x20000005;
const uint32_t kEncStatefulSize = 72;
#endif

const uint32_t kPCRBootMode = 0;

// Secret used for owner authorization. This is used for taking ownership and in
// TPM commands that require owner authorization. Currently, only the TPM 1.2
// implementation uses owner authorization for some of its operations. The
// constants are nullptr and zero, respectively, for TPM 2.0.
extern const uint8_t* kOwnerSecret;
extern const size_t kOwnerSecretSize;

// Path constants. Note that these don't carry the / root prefix because the
// actual path gets constructed relative to a rootdir (which is a temporary
// directory in tests, the actual root directory for production).
namespace paths {
const char kFirmwareUpdateRequest[] =
    "mnt/stateful_partition/unencrypted/preserve/tpm_firmware_update_request";
const char kFirmwareDir[] = "lib/firmware/tpm";
const char kFirmwareUpdateLocator[] = "usr/sbin/tpm-firmware-locate-update";

namespace cryptohome {
const char kTpmOwned[] = "mnt/stateful_partition/.tpm_owned";
const char kTpmStatus[] = "mnt/stateful_partition/.tpm_status";
const char kShallInitialize[] = "home/.shadow/.can_attempt_ownership";
const char kAttestationDatabase[] =
    "mnt/stateful_partition/unencrypted/preserve/attestation.epb";
}  // namespace cryptohome
}  // namespace paths

class Tpm;

class NvramSpace {
 public:
  NvramSpace(Tpm* tpm, uint32_t index);

  enum class Status {
    kUnknown,   // Not accessed yet.
    kAbsent,    // Not defined.
    kValid,     // Present and read was successful.
    kTpmError,  // Error accessing the space.
  };

  Status status() const { return status_; }
  bool is_valid() const { return status() == Status::kValid; }
  const brillo::SecureBlob& contents() const { return contents_; }

  // Resets the space so that it appears invalid. Doesn't update the TPM.
  void Reset();

  // Retrieves the space attributes.
  result_code GetAttributes(uint32_t* attributes);

  // Attempts to read the NVRAM space.
  result_code Read(uint32_t size);

  // Writes to the NVRAM space.
  result_code Write(const brillo::SecureBlob& contents);

  // Sets the read lock on the space.
  result_code ReadLock();

  // Sets write lock on the space.
  result_code WriteLock();

  // Attempt to define the space with the given attributes and size.
  result_code Define(uint32_t attributes,
                     uint32_t size,
                     uint32_t pcr_selection);

  // Check whether the space is bound to the specified PCR selection.
  result_code CheckPCRBinding(uint32_t pcr_selection, bool* match);

 private:
  // Reads space definition parameters from the TPM.
  result_code GetSpaceInfo();

  // Get the binding policy for the current PCR values of the given PCR
  // selection.
  result_code GetPCRBindingPolicy(uint32_t pcr_selection,
                                  std::vector<uint8_t>* policy);

  Tpm* tpm_;
  uint32_t index_;

  // Cached copy of NVRAM space attributes.
  uint32_t attributes_;

  // Cached copy of the auth policy.
  std::vector<uint8_t> auth_policy_;

  // Cached copy of the data as read from the space.
  brillo::SecureBlob contents_;

  // Cached indicator reflecting the status of the space in the TPM.
  Status status_ = Status::kUnknown;
};

// Encapsulates high-level TPM state and the motions needed to open and close
// the TPM library.
class Tpm {
 public:
  Tpm();
  ~Tpm();

  bool available() const { return available_; }
  bool is_tpm2() const { return is_tpm2_; }

  result_code IsOwned(bool* owned);

  result_code GetRandomBytes(uint8_t* buffer, int wanted);

  // Returns the PCR value for PCR |index|, possibly from the cache.
  result_code ReadPCR(uint32_t index, std::vector<uint8_t>* value);

  // Returns TPM version info.
  bool GetVersionInfo(uint32_t* vendor,
                      uint64_t* firmware_version,
                      std::vector<uint8_t>* vendor_specific);

  // Returns Infineon-specific field upgrade status.
  bool GetIFXFieldUpgradeInfo(TPM_IFX_FIELDUPGRADEINFO* field_upgrade_info);

  // Returns the initialized lockbox NVRAM space.
  NvramSpace* GetLockboxSpace();

  // Get the initialized encrypted stateful space.
  NvramSpace* GetEncStatefulSpace();

  // Take TPM ownership using an all-zeros password.
  result_code TakeOwnership();

  // Set a flag in the TPM to indicate that the system key has been
  // re-initialized after the last TPM clear. The TPM automatically clears the
  // flag as a side effect of the TPM clear operation.
  result_code SetSystemKeyInitializedFlag();

  // Check the system key initialized flag.
  result_code HasSystemKeyInitializedFlag(bool* flag_value);

 private:
  bool available_ = false;
  bool is_tpm2_ = false;

  bool ownership_checked_ = false;
  bool owned_ = false;

#if !USE_TPM2
  bool initialized_flag_checked_ = false;
  bool initialized_flag_ = false;
#endif  // !USE_TPM2

  std::map<uint32_t, std::vector<uint8_t>> pcr_values_;

  std::unique_ptr<NvramSpace> lockbox_space_;
  std::unique_ptr<NvramSpace> encstateful_space_;

  DISALLOW_COPY_AND_ASSIGN(Tpm);
};

// The interface used by the key handling logic to access the system key. The
// system key is used to wrap the actual data encryption key.
//
// System keys must have these properties:
//  1. The system key can only be accessed in the current boot mode, i.e.
//     switching to developer mode blocks access or destroys the system key.
//  2. A fresh system key must be generated after clearing the TPM. This can be
//     achieved either by arranging a TPM clear to drop the key or by detecting
//     a TPM clear an generating a fresh key.
//  3. The key should ideally not be accessible for reading after early boot.
//  4. Because mounting the encrypted stateful file system is on the critical
//     boot path, loading the system key must be reasonably fast.
//  5. Fresh keys can be generated with reasonable cost. Costly operations such
//     as taking TPM ownership after each TPM clear to set up fresh NVRAM spaces
//     do not fly performance-wise. The file system encryption key logic has a
//     fallback path to dump its key without protection by a system key until
//     the latter becomes available, but that's a risk that should ideally be
//     avoided.
class SystemKeyLoader {
 public:
  virtual ~SystemKeyLoader() = default;

  // Create a system key loader suitable for the system.
  static std::unique_ptr<SystemKeyLoader> Create(Tpm* tpm,
                                                 const base::FilePath& rootdir);

  // Load the encryption key from TPM NVRAM. Returns true if successful and
  // fills in key, false if the key is not available or there is an error.
  virtual result_code Load(brillo::SecureBlob* key) = 0;

  // Generate a fresh system key but do not store it in NVRAM yet.
  virtual brillo::SecureBlob Generate() = 0;

  // Persist a previously generated system key in NVRAM. This may not be
  // possible in case the TPM is not in a state where the NVRAM spaces can be
  // manipulated.
  virtual result_code Persist() = 0;

  // Lock the system key to prevent further manipulation.
  virtual void Lock() = 0;

  // Set up the TPM to allow generation of a system key. This is an expensive
  // operation that can take dozens of seconds depending on hardware so this
  // can't be used routinely.
  virtual result_code SetupTpm() = 0;

  // Checks whether the system is eligible for encryption key preservation. If
  // so, sets up a new system key to wrap the existing encryption key. On
  // success, |previous_key| and |fresh_key| will be filled in. Returns false if
  // the system is not eligible or there is an error.
  virtual result_code GenerateForPreservation(
      brillo::SecureBlob* previous_key, brillo::SecureBlob* fresh_key) = 0;

  // Checks whether the lockbox space contents are considered valid.
  virtual result_code CheckLockbox(bool* valid) = 0;

  // Whether the lockbox salt is used as the system key.
  virtual bool UsingLockboxKey() = 0;
};

// A SystemKeyLoader implementation backed by a fixed system key supplied at
// construction time.
class FixedSystemKeyLoader : public SystemKeyLoader {
 public:
  explicit FixedSystemKeyLoader(const brillo::SecureBlob& key) : key_(key) {}
  virtual ~FixedSystemKeyLoader() = default;

  result_code Load(brillo::SecureBlob* key) override {
    *key = key_;
    return RESULT_SUCCESS;
  }
  brillo::SecureBlob Generate() override { return brillo::SecureBlob(); }
  result_code Persist() override { return RESULT_FAIL_FATAL; }
  void Lock() override {}
  result_code SetupTpm() override { return RESULT_FAIL_FATAL; }
  result_code GenerateForPreservation(brillo::SecureBlob* previous_key,
                                      brillo::SecureBlob* fresh_key) override {
    return RESULT_FAIL_FATAL;
  }
  result_code CheckLockbox(bool* valid) override { return RESULT_FAIL_FATAL; }
  bool UsingLockboxKey() override { return false; }

 private:
  brillo::SecureBlob key_;
};

#endif  // CRYPTOHOME_MOUNT_ENCRYPTED_TPM_H_