237 lines
8.1 KiB
Protocol Buffer
237 lines
8.1 KiB
Protocol Buffer
//
|
|
// Copyright (C) 2015 The Android Open Source Project
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
//
|
|
|
|
// NOTE: All tpm_manager protobufs are in the same file because the Android
|
|
// build system cannot handle import statements without using Android-specific
|
|
// paths.
|
|
|
|
option optimize_for = LITE_RUNTIME;
|
|
package tpm_manager;
|
|
|
|
enum TpmManagerStatus {
|
|
STATUS_SUCCESS = 0;
|
|
STATUS_DEVICE_ERROR = 1;
|
|
STATUS_NOT_AVAILABLE = 2;
|
|
}
|
|
|
|
// Result codes. For convenience, keep these in sync with Brillo NVRAM HAL
|
|
// values defined in hardware/nvram_defs.h.
|
|
enum NvramResult {
|
|
NVRAM_RESULT_SUCCESS = 0;
|
|
// An unexpected TPM error occurred. More information should be in logs.
|
|
NVRAM_RESULT_DEVICE_ERROR = 1;
|
|
// The caller is not authorized to perform the requested operation. This may
|
|
// be due to a bad authorization value or to system state.
|
|
NVRAM_RESULT_ACCESS_DENIED = 2;
|
|
NVRAM_RESULT_INVALID_PARAMETER = 3;
|
|
NVRAM_RESULT_SPACE_DOES_NOT_EXIST = 4;
|
|
NVRAM_RESULT_SPACE_ALREADY_EXISTS = 5;
|
|
// This may be because a space is locked or because an operation has been
|
|
// explicitly disabled.
|
|
NVRAM_RESULT_OPERATION_DISABLED = 6;
|
|
// Literally, the TPM is out of non-volatile storage.
|
|
NVRAM_RESULT_INSUFFICIENT_SPACE = 7;
|
|
// An error occurred sending the request to the system service.
|
|
NVRAM_RESULT_IPC_ERROR = 100;
|
|
}
|
|
|
|
// More background on these attributes can be found by looking up the TPMA_NV_*
|
|
// constants in the TPM 2.0 specification or the TPM_NV_PER_* constants in the
|
|
// TPM 1.2 specification.
|
|
enum NvramSpaceAttribute {
|
|
// The space can be locked for writing until it is destroyed. Without TPM
|
|
// owner privilege this is always after the TPM is cleared. This typically
|
|
// occurs during device factory reset.
|
|
NVRAM_PERSISTENT_WRITE_LOCK = 0;
|
|
// The space can be locked for writing until the next boot.
|
|
NVRAM_BOOT_WRITE_LOCK = 1;
|
|
// The space can be locked for reading until the next boot.
|
|
NVRAM_BOOT_READ_LOCK = 2;
|
|
// The space requires an authorization value for writing.
|
|
NVRAM_WRITE_AUTHORIZATION = 3;
|
|
// The space requires an authorization value for reading.
|
|
NVRAM_READ_AUTHORIZATION = 4;
|
|
// The space can not be written directly, only extended.
|
|
// E.g. new_value = HASH(old_value + input)
|
|
NVRAM_WRITE_EXTEND = 5;
|
|
// The space is tied to the global lock (bGlobalLock). This global lock is
|
|
// typically locked early in boot. This is defined for inspecting existing
|
|
// spaces, this interface cannot be used to define spaces with this attribute.
|
|
NVRAM_GLOBAL_LOCK = 6;
|
|
// The space is tied to the platform rather than the TPM owner. The 'platform'
|
|
// is whatever executes first after boot. Typically this access is locked
|
|
// early in boot. This is defined for inspecting existing spaces, this
|
|
// interface cannot be used to define spaces with this attribute.
|
|
NVRAM_PLATFORM_WRITE = 7;
|
|
// The space can only be written by the TPM owner. For TPM 2.0 this can be
|
|
// used only for inspecting existing spaces, not for defining new spaces.
|
|
NVRAM_OWNER_WRITE = 8;
|
|
// The space can only be read by the TPM owner. For TPM 2.0 this can be used
|
|
// only for inspecting existing spaces, not for defining new spaces.
|
|
NVRAM_OWNER_READ = 9;
|
|
}
|
|
|
|
enum NvramSpacePolicy {
|
|
// No policy. Authorization values are still enforced. This is the default.
|
|
NVRAM_POLICY_NONE = 0;
|
|
// Bind both read and write access to the current PCR0 value in addition to
|
|
// enforcing any authorization value.
|
|
NVRAM_POLICY_PCR0 = 1;
|
|
}
|
|
|
|
// Tracks the expected policy for a particular NVRAM space.
|
|
message NvramPolicyRecord {
|
|
optional uint32 index = 1;
|
|
optional NvramSpacePolicy policy = 2;
|
|
// This will be true if the NVRAM_READ_AUTHORIZATION attribute was not
|
|
// specified when the space was created.
|
|
optional bool world_read_allowed = 3;
|
|
// This will be true if the NVRAM_WRITE_AUTHORIZATION attribute was not
|
|
// specified when the space was created.
|
|
optional bool world_write_allowed = 4;
|
|
repeated bytes policy_digests = 5;
|
|
}
|
|
|
|
// The format of persistent local TPM management data stored on the device.
|
|
// When TPM ownership is taken, this protobuf is populated with the passwords
|
|
// used to take ownership, and with a list of clients who have a dependency on
|
|
// the owner password (like Attestation, InstallAttributes and BootLockbox).
|
|
// when all the clients have the owner password injected, this protobuf is
|
|
// cleared of all passwords.
|
|
message LocalData {
|
|
optional bytes owner_password = 2;
|
|
repeated string owner_dependency = 3;
|
|
optional bytes endorsement_password = 4;
|
|
optional bytes lockout_password = 5;
|
|
repeated NvramPolicyRecord nvram_policy = 6;
|
|
}
|
|
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
// A series of request and reply messages for the NVRAM interface methods.
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
message DefineSpaceRequest {
|
|
optional uint32 index = 1;
|
|
optional uint32 size = 2;
|
|
repeated NvramSpaceAttribute attributes = 3;
|
|
optional bytes authorization_value = 4;
|
|
optional NvramSpacePolicy policy = 5;
|
|
}
|
|
|
|
message DefineSpaceReply {
|
|
optional NvramResult result = 1;
|
|
}
|
|
|
|
message DestroySpaceRequest {
|
|
optional uint32 index = 1;
|
|
}
|
|
|
|
message DestroySpaceReply {
|
|
optional NvramResult result = 1;
|
|
}
|
|
|
|
message WriteSpaceRequest {
|
|
optional uint32 index = 1;
|
|
optional bytes data = 2;
|
|
optional bytes authorization_value = 3;
|
|
optional bool use_owner_authorization = 4;
|
|
}
|
|
|
|
message WriteSpaceReply {
|
|
optional NvramResult result = 1;
|
|
}
|
|
|
|
message ReadSpaceRequest {
|
|
optional uint32 index = 1;
|
|
optional bytes authorization_value = 2;
|
|
optional bool use_owner_authorization = 3;
|
|
}
|
|
|
|
message ReadSpaceReply {
|
|
optional NvramResult result = 1;
|
|
optional bytes data = 2;
|
|
}
|
|
|
|
message LockSpaceRequest {
|
|
optional uint32 index = 1;
|
|
optional bool lock_read = 2;
|
|
optional bool lock_write = 3;
|
|
optional bytes authorization_value = 4;
|
|
optional bool use_owner_authorization = 5;
|
|
}
|
|
|
|
message LockSpaceReply {
|
|
optional NvramResult result = 1;
|
|
}
|
|
|
|
message ListSpacesRequest {
|
|
}
|
|
|
|
message ListSpacesReply {
|
|
optional NvramResult result = 1;
|
|
repeated uint32 index_list = 2;
|
|
}
|
|
|
|
message GetSpaceInfoRequest {
|
|
optional uint32 index = 1;
|
|
}
|
|
|
|
message GetSpaceInfoReply {
|
|
optional NvramResult result = 1;
|
|
optional uint32 size = 2;
|
|
optional bool is_read_locked = 3;
|
|
optional bool is_write_locked = 4;
|
|
repeated NvramSpaceAttribute attributes = 5;
|
|
optional NvramSpacePolicy policy = 6;
|
|
}
|
|
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
// A series of request and reply messages for the ownership interface methods.
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
message GetTpmStatusRequest {
|
|
}
|
|
|
|
message GetTpmStatusReply {
|
|
optional TpmManagerStatus status = 1;
|
|
// Whether a TPM is enabled on the system.
|
|
optional bool enabled = 2;
|
|
// Whether the TPM has been owned.
|
|
optional bool owned = 3;
|
|
// Local TPM management data (including the owner password if available).
|
|
optional LocalData local_data = 4;
|
|
// The current dictionary attack counter value.
|
|
optional uint32 dictionary_attack_counter = 5;
|
|
// The current dictionary attack counter threshold.
|
|
optional uint32 dictionary_attack_threshold = 6;
|
|
// Whether the TPM is in some form of dictionary attack lockout.
|
|
optional bool dictionary_attack_lockout_in_effect = 7;
|
|
// The number of seconds remaining in the lockout.
|
|
optional uint32 dictionary_attack_lockout_seconds_remaining = 8;
|
|
}
|
|
|
|
message TakeOwnershipRequest {
|
|
}
|
|
|
|
message TakeOwnershipReply {
|
|
optional TpmManagerStatus status = 1;
|
|
}
|
|
|
|
message RemoveOwnerDependencyRequest {
|
|
optional bytes owner_dependency = 1;
|
|
}
|
|
|
|
message RemoveOwnerDependencyReply {
|
|
optional TpmManagerStatus status = 1;
|
|
}
|