| // Copyright 2021 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| include "structures.fbs"; |
| |
| // Our Python generator removes the "_serialized_" namespace when generating |
| // the code, to avoid symbol clash with the code generated by flatc. |
| namespace cryptohome._serialized_; |
| |
| // Defined the attributes that may be used in this schema file. |
| attribute "optional"; |
| attribute "secure"; |
| attribute "serializable"; |
| |
| // Fields in AuthBlockState are all marked optional because they can be read |
| // from objects stored on disk, such as the SerializedVaultKeyset. As a result |
| // cryptohome cannot assume all fields are always populated. However, the |
| // fields should always be defined or the auth block cannot operate. |
| |
| table TpmNotBoundToPcrAuthBlockState (secure) { |
| // Marks if the password is run through scrypt before going to the TPM. |
| scrypt_derived:bool = null (id: 0); |
| // The salt used to bind to the TPM. |
| // Must be set. |
| salt:[ubyte] (id: 1, optional); |
| // Optional, the number of rounds key derivation is called. |
| // This is only used for legacy non-scrypt key derivation. |
| password_rounds:uint = null (id: 2, optional); |
| // The VKK wrapped with the user's password by the tpm. |
| // Must be set. |
| tpm_key:[ubyte] (id: 3, optional); |
| // Optional, served as a TPM identity, useful when checking if the TPM is |
| // the same one sealed the tpm_key. |
| tpm_public_key_hash:[ubyte] (id: 4, optional); |
| } |
| |
| table TpmBoundToPcrAuthBlockState (secure) { |
| // Marks if the password is run through scrypt before going to the TPM. |
| scrypt_derived:bool = null (id: 0); |
| // The salt used to bind to the TPM. |
| salt:[ubyte] (id: 1, optional); |
| // The VKK wrapped with the user's password by the tpm. |
| tpm_key:[ubyte] (id: 2, optional); |
| // Same as tpm_key, but extends the PCR to only allow one user until reboot. |
| extended_tpm_key:[ubyte] (id: 3, optional); |
| // Optional, served as a TPM identity, useful when checking if the TPM is |
| // the same one sealed the tpm_key. |
| tpm_public_key_hash:[ubyte] (id: 4, optional); |
| } |
| |
| table PinWeaverAuthBlockState (secure) { |
| // The label for the credential in the LE hash tree. |
| le_label:ulong = null (id: 0, optional); |
| // The salt used to first scrypt the user input. |
| salt:[ubyte] (id: 1, optional); |
| // The IV used to derive the chaps key. |
| chaps_iv:[ubyte] (id: 2, optional); |
| // The IV used to derive the file encryption key. |
| // TODO(b/204202689): rename fek_iv to vkk_iv. |
| fek_iv:[ubyte] (id: 3, optional); |
| // The reset_salt used to derive the reset_secret. |
| // This will only be used for legacy vk. USS does not use reset_(seed/salt). |
| reset_salt:[ubyte] (id: 4, optional); |
| } |
| |
| // This is a unique AuthBlockState for backwards compatibility. libscrypt puts |
| // the metadata, such as IV and salt, into the header of the encrypted |
| // buffer. Thus this is the only auth block state to pass wrapped secrets. See |
| // the LibScryptCompatAuthBlock header for a full explanation. |
| table LibScryptCompatAuthBlockState (secure) { |
| // The wrapped filesystem keys. |
| // This is for in memory data holding only and will not be serialized. |
| wrapped_keyset:[ubyte] (id: 0, optional); |
| // The wrapped chaps keys. |
| // This is for in memory data holding only and will not be serialized. |
| wrapped_chaps_key:[ubyte] (id: 1, optional); |
| // The wrapped reset seed keys. |
| // This is for in memory data holding only and will not be serialized. |
| wrapped_reset_seed:[ubyte] (id: 2, optional); |
| // The random salt. |
| // TODO(b/198394243): We should remove it because it's not actually used. |
| salt:[ubyte] (id: 3, optional); |
| } |
| |
| table ChallengeCredentialAuthBlockState (secure) { |
| scrypt_state:LibScryptCompatAuthBlockState (id: 0); |
| keyset_challenge_info:cryptohome.structure._serialized_.SignatureChallengeInfo (id: 1, optional); |
| } |
| |
| table DoubleWrappedCompatAuthBlockState (secure) { |
| scrypt_state:LibScryptCompatAuthBlockState (id: 0); |
| tpm_state:TpmNotBoundToPcrAuthBlockState (id: 1); |
| } |
| |
| table CryptohomeRecoveryAuthBlockState (secure) { |
| // HSM Payload is created at onboarding and contains all the data that are |
| // persisted on a chromebook and will be eventually used for recovery, |
| // serialized to CBOR. |
| hsm_payload:[ubyte] (id: 0); |
| // Secret share of the destination (encrypted with TPM). |
| encrypted_destination_share:[ubyte] (id: 1); |
| // Secret share of the destination sealed to TPM1.2 with binding to extended PCR). |
| extended_pcr_bound_destination_share:[ubyte] (id: 2); |
| // Channel keys that will be used for secure communication during recovery. |
| // Private key is encrypted with TPM. |
| channel_pub_key:[ubyte] (id: 3); |
| encrypted_channel_priv_key:[ubyte] (id: 4); |
| // RSA private key is used only on TMP 1.2 devices. |
| encrypted_rsa_priv_key:[ubyte] (id: 5); |
| } |
| |
| table TpmEccAuthBlockState (secure) { |
| // The salt used to derive the user input with scrypt. |
| salt:[ubyte] (id: 0, optional); |
| // The IV to decrypt EVK. |
| vkk_iv:[ubyte] (id: 1, optional); |
| // The number of rounds the auth value generating process is called. |
| auth_value_rounds:uint = null (id: 2, optional); |
| // HVKKM: Hardware Vault Keyset Key Material. |
| // SVKKM: Software Vault Keyset Key Material. |
| // We would use HVKKM and SVKKM to derive the VKK. |
| // The HVKKM are encrypted with the user's password, TPM, and binds to empty |
| // current user state. |
| sealed_hvkkm:[ubyte] (id: 3, optional); |
| // Same as |sealed_hvkkm|, but extends the current user state to the specific |
| // user. |
| extended_sealed_hvkkm:[ubyte] (id: 4, optional); |
| // A check if this is the same TPM that wrapped the credential. |
| tpm_public_key_hash:[ubyte] (id: 5, optional); |
| // The wrapped reset seed to reset LE credentials. |
| wrapped_reset_seed:[ubyte] (id: 6, optional); |
| } |
| |
| // This would be used for the ScryptAuthBlock that would generate vkk directly. |
| table ScryptAuthBlockState (secure) { |
| // The random salt used when deriving the scrypt key. |
| salt:[ubyte] (id: 0, optional); |
| // The work factor passed to scrypt. |
| work_factor:int = null (id: 1, optional); |
| // The block size passed to scrypt. |
| block_size:uint = null (id: 2, optional); |
| // The parallel factor passed to scrypt. |
| parallel_factor:uint = null (id: 3, optional); |
| } |
| |
| union AuthBlockStateUnion (secure) { |
| TpmBoundToPcrAuthBlockState, |
| TpmNotBoundToPcrAuthBlockState, |
| PinWeaverAuthBlockState, |
| LibScryptCompatAuthBlockState, |
| ChallengeCredentialAuthBlockState, |
| DoubleWrappedCompatAuthBlockState, |
| CryptohomeRecoveryAuthBlockState, |
| TpmEccAuthBlockState, |
| ScryptAuthBlockState, |
| } |
| |
| table RevocationState (secure) { |
| // The label for the credential in the LE hash tree. |
| le_label:ulong = null (id: 0, optional); |
| } |
| |
| table AuthBlockState (serializable, secure) { |
| state:AuthBlockStateUnion (id:1); |
| revocation_state:RevocationState (id: 2, optional); |
| } |
| |
| root_type AuthBlockState; |