1// Copyright (c) 2014 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4//
5// The messages in this file comprise the DBus/Proto interface for
6// Cryptohome where there is an AccountIdentifer argument, an
7// AuthorizationRequest (if needed for the call), and the call's
8// parameters as <Call>Request.
9//
10// 'optional' annotations are used heavily in the RPC definition
11// because the RPC endpoints most properly sanity check the contents
12// for application-specific logic, and the more optional-with-default
13// parameters exist, the less data is actually transferred on the wire
14// in "default" situations.
15
16syntax = "proto2";
17
18option optimize_for = LITE_RUNTIME;
19
20package cryptohome;
21
22import "key.proto";
23
24// Error codes do not need to be sequential per-call.
25// Prefixes by Request/Reply type should be used to help
26// callers know if specialized errors apply.
27enum CryptohomeErrorCode {
28  // 0 is the default value of BaseReply::error. It
29  // should never be used.
30  CRYPTOHOME_ERROR_NOT_SET = 0;
31
32  CRYPTOHOME_ERROR_ACCOUNT_NOT_FOUND = 1;
33  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_NOT_FOUND = 2;
34  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_FAILED = 3;
35  CRYPTOHOME_ERROR_NOT_IMPLEMENTED = 4;
36  CRYPTOHOME_ERROR_MOUNT_FATAL = 5;
37  CRYPTOHOME_ERROR_MOUNT_MOUNT_POINT_BUSY = 6;
38  CRYPTOHOME_ERROR_TPM_COMM_ERROR = 7;
39  CRYPTOHOME_ERROR_TPM_DEFEND_LOCK = 8;
40  CRYPTOHOME_ERROR_TPM_NEEDS_REBOOT = 9;
41  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_DENIED = 10;
42  CRYPTOHOME_ERROR_KEY_QUOTA_EXCEEDED = 11;
43  CRYPTOHOME_ERROR_KEY_LABEL_EXISTS = 12;
44  CRYPTOHOME_ERROR_BACKING_STORE_FAILURE = 13;
45  CRYPTOHOME_ERROR_UPDATE_SIGNATURE_INVALID = 14;
46  CRYPTOHOME_ERROR_KEY_NOT_FOUND = 15;
47  CRYPTOHOME_ERROR_LOCKBOX_SIGNATURE_INVALID = 16;
48  CRYPTOHOME_ERROR_LOCKBOX_CANNOT_SIGN = 17;
49  CRYPTOHOME_ERROR_BOOT_ATTRIBUTE_NOT_FOUND = 18;
50  CRYPTOHOME_ERROR_BOOT_ATTRIBUTES_CANNOT_SIGN = 19;
51  CRYPTOHOME_ERROR_TPM_EK_NOT_AVAILABLE = 20;
52  CRYPTOHOME_ERROR_ATTESTATION_NOT_READY = 21;
53  CRYPTOHOME_ERROR_CANNOT_CONNECT_TO_CA = 22;
54  CRYPTOHOME_ERROR_CA_REFUSED_ENROLLMENT = 23;
55  CRYPTOHOME_ERROR_CA_REFUSED_CERTIFICATE = 24;
56  CRYPTOHOME_ERROR_INTERNAL_ATTESTATION_ERROR = 25;
57  CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_INVALID = 26;
58  CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_STORE = 27;
59  CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_REMOVE = 28;
60  CRYPTOHOME_ERROR_MOUNT_OLD_ENCRYPTION = 29;
61  CRYPTOHOME_ERROR_MOUNT_PREVIOUS_MIGRATION_INCOMPLETE = 30;
62  CRYPTOHOME_ERROR_MIGRATE_KEY_FAILED = 31;
63  CRYPTOHOME_ERROR_REMOVE_FAILED = 32;
64}
65
66message AccountIdentifier {
67  // |email| is deprecated. Don't use it.
68  optional string email = 1;
69
70  optional string account_id = 2;
71}
72
73// Parameters for connecting and making requests to a key delegate service.
74// This is currently used for making challenge requests for keys of the
75// |KEY_TYPE_CHALLENGE_RESPONSE| type.
76message KeyDelegate {
77  // D-Bus service name of the key delegate service that exports the key
78  // delegate object.
79  optional string dbus_service_name = 1;
80  // D-Bus object path of the key delegate object that implements the
81  // org.chromium.CryptohomeKeyDelegateInterface interface.
82  optional string dbus_object_path = 2;
83}
84
85message AuthorizationRequest {
86  // |key| must supply at least a |key.secret()|.  If no |key.data()| or
87  // |key.data().label()| is supplied, the |key.secret()| will be tested
88  // against all compatible |key.data().type()| keys, where
89  // KEY_TYPE_PASSWORD is the default type.  If
90  // |key.data().label()| is supplied, then the |key.secret()| will only be
91  // tested against the matching VaultKeyset.
92  optional Key key = 1;
93  // Describes delegate service that should be used for operations with the
94  // |key| key.
95  // Should be set only for keys with the |KEY_TYPE_CHALLENGE_RESPONSE| type.
96  optional KeyDelegate key_delegate = 2;
97}
98
99// These parameters are for inbound data to Cryptohome RPC
100// interfaces.  When calls are added that return data, a
101// <Call>Response should be defined.
102message MountRequest {
103  // Perform an ephemeral mount only.
104  optional bool require_ephemeral = 1 [default=false];
105  // If defined, the account will be created if it does not exist.
106  // Additionally, a failed AuthorizationRequest will be expected as
107  // there will be no existing keys.
108  optional CreateRequest create = 2;
109  // If set to true, and cryptohomed supports the new "dircrypto" encryption,
110  // forces to use the new encryption. That is, makes it an error to mount
111  // an existing home directory encrypted in the old way (ecryptfs).
112  optional bool force_dircrypto_if_available = 3;
113  // If set to true, mounts the existing ecryptfs vault to a temporary location
114  // while setting up a new dircrypto directory.
115  optional bool to_migrate_from_ecryptfs = 4;
116  // Performs a public mount, which is used for a Kiosk session. Credentials are
117  // not needed in the request; they are synthesized by cryptohomed from id.
118  optional bool public_mount = 5;
119  // If set to true, mounts the vault to a temporary location. The mount is not
120  // exposed to the usual locations (/home/user, /home/root).
121  optional bool hidden_mount = 6;
122}
123
124// A BaseReply type is used for all cryptohomed responses. A shared base class
125// is used because all calls will always reply with no-error or an error value.
126// A centralized definition allows for a reusable reply handler for cases where
127// there is no Request-specific reply data.  Any specialized data will live in
128// an extension as per MountReply below:
129//   if (reply.HasExtension(MountReply::reply)) { ... }
130//
131message BaseReply {
132  // If a call was successful, error will not be defined (clear_error()).
133  // If a call failed, it must set an error code (set_error(CODE)).
134  // In either case, call-specific data may be added as an extension.
135  optional CryptohomeErrorCode error = 1;
136
137  extensions 1000 to max;
138  // Next ID to use for extensions: 1011
139}
140
141// The MountRequest call may return more than just success or failure
142// so it embeds itself in a BaseReply as an extension.
143message MountReply {
144  extend BaseReply {
145    optional MountReply reply = 1000;
146  }
147  // |recreated| is set when the cryptohome had to be wiped
148  // because the key or data was an unrecoverable.  It does not imply
149  // failure to Mount nor is it 'true' when a CreateRequest creates
150  // a cryptohome for the first time.
151  optional bool recreated = 1 [default=false];
152  // Returns the filesystem-sanitized username.
153  optional string sanitized_username = 2;
154}
155
156message CreateRequest {
157  repeated Key keys = 1;
158  // Explicitly use the |key| from the AuthorizationRequest.
159  // Setting this value means that the KeyData is filled as it
160  // would be with a Key above or in an AddKeyRequest.
161  optional bool copy_authorization_key = 2 [default=false];
162  // If set to true, always use eCryptfs as the encryption method.
163  optional bool force_ecryptfs = 3 [default=false];
164  // In the future, this will contain account-wide data like
165  // the deletion priority or the IdP's origin.
166}
167
168message AddKeyRequest {
169  optional Key key = 1;
170  optional bool clobber_if_exists = 2 [default=false];
171}
172
173message UpdateKeyRequest {
174  optional Key changes = 1;
175  optional bytes authorization_signature = 2;
176}
177
178message CheckKeyRequest {
179}
180
181message RemoveKeyRequest {
182  // Only key.data().label() is used at present.
183  optional Key key = 1;
184}
185
186message SignBootLockboxRequest {
187  // The data to be signed.
188  optional bytes data = 1;
189}
190
191message SignBootLockboxReply {
192  extend BaseReply {
193    optional SignBootLockboxReply reply = 1001;
194  }
195  optional bytes signature = 1;
196}
197
198message VerifyBootLockboxRequest {
199  // The signed data to be verified.
200  optional bytes data = 1;
201  // The signature to be verified.
202  optional bytes signature = 2;
203}
204
205message FinalizeBootLockboxRequest {
206}
207
208message GetKeyDataRequest {
209  // |key| must supply at least one attribute and all others will be treated as
210  // wildcards.  Currently only |key.data().label()| may be supplied.  Like
211  // AuthorizationRequest, support can be added for queries by
212  // |key.data().type()| to return all keys of a certain class, testing
213  // |key.secret()|, or |key.data().provider_data()| entries.
214  optional Key key = 1;
215}
216
217message GetKeyDataReply {
218  extend BaseReply {
219    optional GetKeyDataReply reply = 1002;
220  }
221  repeated KeyData key_data = 1;
222}
223
224message GetBootAttributeRequest {
225  optional string name = 1;
226}
227
228message GetBootAttributeReply {
229  extend BaseReply {
230    optional GetBootAttributeReply reply = 1003;
231  }
232  optional bytes value = 1;
233}
234
235message SetBootAttributeRequest {
236  optional string name = 1;
237  optional bytes value = 2;
238}
239
240message FlushAndSignBootAttributesRequest {
241}
242
243message ListKeysRequest {
244  // The default behavior is by label so any extension here should honor that.
245}
246
247message ListKeysReply {
248  extend BaseReply {
249    optional ListKeysReply reply = 1004;
250  }
251  repeated string labels = 1;
252}
253
254message GetLoginStatusRequest {
255}
256
257message GetLoginStatusReply {
258  extend BaseReply {
259    optional GetLoginStatusReply reply = 1005;
260  }
261  optional bool owner_user_exists=1;
262  optional bool boot_lockbox_finalized=2;
263}
264
265message GetTpmStatusRequest {
266}
267
268message GetTpmStatusReply {
269  extend BaseReply {
270    optional GetTpmStatusReply reply = 1006;
271  }
272
273  message Identity {
274    // The identity features.
275    optional int32 features = 1;
276  }
277
278  message IdentityCertificate {
279    // The identity that is enrolled.
280    optional int32 identity = 1;
281    // The Privacy CA that the identity is enrolled with.
282    optional int32 aca = 2;
283  }
284
285  // Whether a TPM is enabled on the system.
286  optional bool enabled = 1;
287  // Whether the TPM has been owned.
288  optional bool owned = 2;
289  // Whether the TPM initialization flow has completed. This includes taking
290  // ownership, preparing attestation data, and finalizing lockbox NVRAM.
291  optional bool initialized = 3;
292  // The TPM owner password. This is only available when (owned &&
293  // !initialized) and sometimes not even then.
294  optional string owner_password = 4;
295  // Whether attestation data has been prepared. This includes reading the
296  // endorsement certificate out of NVRAM and generating an identity key. This
297  // does not include any kind of enrollment with a Privacy CA.
298  optional bool attestation_prepared = 7;
299  // Whether the device has enrolled with a Privacy CA. This means the identity
300  // key has been successfully certified.
301  optional bool attestation_enrolled = 8;
302  // The current dictionary attack counter value.
303  optional int32 dictionary_attack_counter = 9;
304  // The current dictionary attack counter threshold.
305  optional int32 dictionary_attack_threshold = 10;
306  // Whether the TPM is in some form of dictionary attack lockout.
307  optional bool dictionary_attack_lockout_in_effect = 11;
308  // The number of seconds remaining in the lockout.
309  optional int32 dictionary_attack_lockout_seconds_remaining = 12;
310  // Whether the install lockbox has been finalized.
311  optional bool install_lockbox_finalized = 13;
312  // Whether the boot lockbox has been finalized.
313  optional bool boot_lockbox_finalized = 14;
314  // Whether the current PCR values show a verified boot.
315  optional bool verified_boot_measured = 15;
316  // List of identities and their identity features.
317  repeated Identity identities = 16;
318  // List of identity certificates.
319  map<int32, IdentityCertificate> identity_certificates = 17;
320}
321
322message GetEndorsementInfoRequest {
323}
324
325message GetEndorsementInfoReply {
326  extend BaseReply {
327    optional GetEndorsementInfoReply reply = 1007;
328  }
329  // The endorsement public key (PKCS #1 RSAPublicKey).
330  optional bytes ek_public_key = 1;
331  // The endorsement certificate (X.509).
332  optional bytes ek_certificate = 2;
333}
334
335message InitializeCastKeyRequest {
336}
337
338// Flags for GetFirmwareManagementParametersReply and
339// SetFirmwareManagementParametersRequest
340enum FirmwareManagementParametersFlags {
341  NONE = 0;
342  DEVELOPER_DISABLE_BOOT = 1;
343  DEVELOPER_DISABLE_RECOVERY_INSTALL = 2;
344  DEVELOPER_DISABLE_RECOVERY_ROOTFS = 4;
345  DEVELOPER_ENABLE_USB = 8;
346  DEVELOPER_ENABLE_LEGACY = 16;
347  DEVELOPER_USE_KEY_HASH = 32;
348  DEVELOPER_DISABLE_CASE_CLOSED_DEBUGGING_UNLOCK = 64;
349}
350
351message GetFirmwareManagementParametersRequest {
352}
353
354message GetFirmwareManagementParametersReply {
355  extend BaseReply {
356    optional GetFirmwareManagementParametersReply reply = 1008;
357  }
358
359  // Flags (zero or more from FirmwareManagementParametersFlags)
360  optional int32 flags = 1;
361  optional bytes developer_key_hash = 2;
362}
363
364message SetFirmwareManagementParametersRequest {
365  // Flags (zero or more from FirmwareManagementParametersFlags)
366  optional int32 flags = 1;
367  optional bytes developer_key_hash = 2;
368}
369
370message RemoveFirmwareManagementParametersRequest {
371}
372
373message GetAccountDiskUsageReply {
374  extend BaseReply {
375    optional GetAccountDiskUsageReply reply = 1009;
376  }
377  // The size of cryptohome in bytes.
378  optional int64 size = 1;
379}
380
381// Request parameters for MigrateToDircrypto.
382message MigrateToDircryptoRequest {
383  // Next ID to use: 2
384
385  // If true, only a few paths (specified in cryptohomed) that are necessary for
386  // a working profile will be migrated. Most user data will be wiped.
387  optional bool minimal_migration = 1;
388}
389
390// Request parameters for challenge requests for keys of the
391// |KEY_TYPE_CHALLENGE_RESPONSE| type.
392message KeyChallengeRequest {
393  // Specifies challenge types.
394  enum ChallengeType {
395    // Challenge is a request of a cryptographic signature of the specified data
396    // using the specified key.
397    CHALLENGE_TYPE_SIGNATURE = 1;
398  }
399  // Type of the requested challenge.
400  optional ChallengeType challenge_type = 1;
401  // Is set when |challenge_type| is |CHALLENGE_TYPE_SIGNATURE|. Contains the
402  // challenge request data.
403  optional SignatureKeyChallengeRequestData signature_request_data = 2;
404}
405
406// Request data for challenge requests of the |CHALLENGE_TYPE_SIGNATURE| request
407// type.
408message SignatureKeyChallengeRequestData {
409  // The blob of data for which the signature is asked.
410  optional bytes data_to_sign = 1;
411  // Specifies the key which is asked to sign the data. Contains the DER-encoded
412  // blob of the X.509 Subject Public Key Info.
413  optional bytes public_key_spki_der = 2;
414  // Specifies the signature algorithm that has to be used.
415  optional ChallengeSignatureAlgorithm signature_algorithm = 3;
416}
417
418// Response for challenge requests.
419message KeyChallengeResponse {
420  // Is set for responses to challenge requests of the
421  // |CHALLENGE_TYPE_SIGNATURE| challenge type. Contains the challenge response
422  // data.
423  optional SignatureKeyChallengeResponseData signature_response_data = 1;
424}
425
426// Response data for challenge requests of the |CHALLENGE_TYPE_SIGNATURE|
427// challenge type.
428message SignatureKeyChallengeResponseData {
429  // The signature blob of the requested data.
430  optional bytes signature = 1;
431}
432
433// Request a GetSupportedKeyPoliciesReply from cryptohome.
434message GetSupportedKeyPoliciesRequest {
435}
436
437// Response that informs the caller which KeyPolicy features are supported.
438message GetSupportedKeyPoliciesReply {
439  // Next ID to use: 2
440
441  extend BaseReply {
442    optional GetSupportedKeyPoliciesReply reply = 1010;
443  }
444
445  // Does it support low entropy credentials.
446  optional bool low_entropy_credentials = 1;
447}
448
449message MigrateKeyRequest {
450  optional bytes secret = 1;
451}
452
453// Mount the guest user partition.
454message MountGuestRequest {
455}
456