1 /*
2  * Copyright (C) 2015-2016 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *		http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <stdint.h>
20 
21 /*
22  * Storage port names
23  *
24  * @STORAGE_CLIENT_NSP_PORT:    Port used by clients that require persistence
25  *                              but DO NOT require rollback detection. Tamper
26  *                              detection is provided by authenticated
27  *                              encryption. Use TDP instead if possible.
28  * @STORAGE_CLIENT_TD_PORT:     Port used by clients that require tamper and
29  *                              rollback detection.
30  * @STORAGE_CLIENT_TDP_PORT:    Port used by clients that require tamper and
31  *                              rollback detection. Data will be preserved
32  *                              during a normal device wipe.
33  * @STORAGE_CLIENT_TDEA_PORT:   Port used by clients that require storage before
34  *                              the non-secure os has booted.
35  * @STORAGE_CLIENT_TP_PORT:     Port used by clients that require tamper proof
36  *                              storage. Note that non-secure code can prevent
37                                 read and write operations from succeeding, but
38                                 it cannot modify on-disk data.
39  * @STORAGE_DISK_PROXY_PORT:    Port used by non-secure proxy server
40  */
41 #define STORAGE_CLIENT_NSP_PORT "com.android.trusty.storage.client.nsp"
42 #define STORAGE_CLIENT_TD_PORT "com.android.trusty.storage.client.td"
43 #define STORAGE_CLIENT_TDP_PORT "com.android.trusty.storage.client.tdp"
44 #define STORAGE_CLIENT_TDEA_PORT "com.android.trusty.storage.client.tdea"
45 #define STORAGE_CLIENT_TP_PORT "com.android.trusty.storage.client.tp"
46 #define STORAGE_DISK_PROXY_PORT "com.android.trusty.storage.proxy"
47 
48 enum storage_cmd {
49     STORAGE_REQ_SHIFT = 1,
50     STORAGE_RESP_BIT = 1,
51 
52     STORAGE_RESP_MSG_ERR = STORAGE_RESP_BIT,
53 
54     STORAGE_FILE_DELETE = 1 << STORAGE_REQ_SHIFT,
55     STORAGE_FILE_OPEN = 2 << STORAGE_REQ_SHIFT,
56     STORAGE_FILE_CLOSE = 3 << STORAGE_REQ_SHIFT,
57     STORAGE_FILE_READ = 4 << STORAGE_REQ_SHIFT,
58     STORAGE_FILE_WRITE = 5 << STORAGE_REQ_SHIFT,
59     STORAGE_FILE_GET_SIZE = 6 << STORAGE_REQ_SHIFT,
60     STORAGE_FILE_SET_SIZE = 7 << STORAGE_REQ_SHIFT,
61 
62     STORAGE_RPMB_SEND = 8 << STORAGE_REQ_SHIFT,
63 
64     /* transaction support */
65     STORAGE_END_TRANSACTION = 9 << STORAGE_REQ_SHIFT,
66 
67     STORAGE_FILE_MOVE = 10 << STORAGE_REQ_SHIFT,
68     STORAGE_FILE_LIST = 11 << STORAGE_REQ_SHIFT,
69     STORAGE_FILE_GET_MAX_SIZE = 12 << STORAGE_REQ_SHIFT,
70 };
71 
72 /**
73  * enum storage_err - error codes for storage protocol
74  * @STORAGE_NO_ERROR:           all OK
75  * @STORAGE_ERR_GENERIC:        unknown error. Can occur when there's an
76  *                              internal server error, e.g. the server runs out
77  *                              of memory or is in a bad state.
78  * @STORAGE_ERR_NOT_VALID:      input not valid. May occur if the arguments
79  *                              passed into the command are not valid, for
80  *                              example if the file handle passed in is not a
81  *                              valid one.
82  * @STORAGE_ERR_UNIMPLEMENTED:  the command passed in is not recognized
83  * @STORAGE_ERR_ACCESS:         the file is not accessible in the requested mode
84  * @STORAGE_ERR_NOT_FOUND:      the file was not found
85  * @STORAGE_ERR_EXIST           the file exists when it shouldn't as in with
86  *                              OPEN_CREATE | OPEN_EXCLUSIVE.
87  * @STORAGE_ERR_TRANSACT        returned by various operations to indicate that
88  *                              current transaction is in error state. Such
89  *                              state could be only cleared by sending
90  *                              STORAGE_END_TRANSACTION message.
91  * @STORAGE_ERR_SYNC_FAILURE    indicates that the current operation failed to
92  *                              sync to disk. Only returned if
93  *                              STORAGE_MSG_FLAG_PRE_COMMIT or
94  *                              STORAGE_MSG_FLAG_POST_COMMIT was set for the
95  *                              request.
96  * @STORAGE_ERR_NOT_ALLOWED     operation is not allowed in the current state
97  * @STORAGE_ERR_CORRUPTED       requested operation touches a corrupted block
98  *                              and is not allowed
99  * @STORAGE_ERR_FS_REPAIRED     filesystem has been repaired in a way that may
100  *                              affect the requested operation. The requested
101  *                              operation is not allowed without acknowledging
102  *                              the repaired state. Pass
103  *                              STORAGE_MSG_FLAGS_FS_REPAIRED_ACK if a repaired
104  *                              filesystem state is acceptable.
105  */
106 enum storage_err {
107     STORAGE_NO_ERROR = 0,
108     STORAGE_ERR_GENERIC = 1,
109     STORAGE_ERR_NOT_VALID = 2,
110     STORAGE_ERR_UNIMPLEMENTED = 3,
111     STORAGE_ERR_ACCESS = 4,
112     STORAGE_ERR_NOT_FOUND = 5,
113     STORAGE_ERR_EXIST = 6,
114     STORAGE_ERR_TRANSACT = 7,
115     STORAGE_ERR_SYNC_FAILURE = 8,
116     STORAGE_ERR_NOT_ALLOWED = 9,
117     STORAGE_ERR_CORRUPTED = 10,
118     STORAGE_ERR_FS_REPAIRED = 11,
119 };
120 
121 /**
122  * storage_delete_flag - flags for controlling delete semantics
123  */
124 #define STORAGE_FILE_DELETE_MASK (0U)
125 
126 /**
127  * storage_file_move_flag - Flags to control 'move' semantics.
128  * @STORAGE_FILE_MOVE_CREATE:           if the new file name does not exist,
129  *                                      create it.
130  * @STORAGE_FILE_MOVE_CREATE_EXCLUSIVE: causes STORAGE_FILE_MOVE_CREATE to fail
131  *                                      if the new file name already exists.
132  *                                      Only meaningful if used in combination
133  *                                      with STORAGE_FILE_MOVE_CREATE.
134  * @STORAGE_FILE_MOVE_OPEN_FILE:        file is already open.
135  * @STORAGE_FILE_MOVE_MASK:             mask for all move flags supported in
136  *                                      current protocol. All other bits must be
137  *                                      set to 0.
138  */
139 #define STORAGE_FILE_MOVE_CREATE (1U << 0)
140 #define STORAGE_FILE_MOVE_CREATE_EXCLUSIVE (1U << 1)
141 #define STORAGE_FILE_MOVE_OPEN_FILE (1U << 2)
142 #define STORAGE_FILE_MOVE_MASK                                       \
143     (STORAGE_FILE_MOVE_CREATE | STORAGE_FILE_MOVE_CREATE_EXCLUSIVE | \
144      STORAGE_FILE_MOVE_OPEN_FILE)
145 
146 /**
147  * storage_file_flag - Flags to control 'open' semantics.
148  * @STORAGE_FILE_OPEN_CREATE:           if this file does not exist, create it.
149  * @STORAGE_FILE_OPEN_CREATE_EXCLUSIVE: causes STORAGE_FILE_OPEN_CREATE to fail
150  *                                      if the file already exists. Only
151  *                                      meaningful if used in combination with
152  *                                      STORAGE_FILE_OPEN_CREATE.
153  * @STORAGE_FILE_OPEN_TRUNCATE:         if this file already exists, discard
154  *                                      existing content and open it as a new
155  *                                      file. No change in semantics if the file
156  *                                      does not exist.
157  * @STORAGE_FILE_OPEN_MASK:             mask for all open flags supported in
158  *                                      current protocol. All other bits must be
159  *                                      set to 0.
160  */
161 #define STORAGE_FILE_OPEN_CREATE (1U << 0)
162 #define STORAGE_FILE_OPEN_CREATE_EXCLUSIVE (1U << 1)
163 #define STORAGE_FILE_OPEN_TRUNCATE (1U << 2)
164 #define STORAGE_FILE_OPEN_MASK                               \
165     (STORAGE_FILE_OPEN_CREATE | STORAGE_FILE_OPEN_TRUNCATE | \
166      STORAGE_FILE_OPEN_CREATE_EXCLUSIVE)
167 
168 /**
169  * storage_file_list - Flags to control 'list' semantics.
170  * @STORAGE_FILE_LIST_START:            Start listing files.
171  * @STORAGE_FILE_LIST_END:              All files have already been listed.
172  * @STORAGE_FILE_LIST_COMMITTED:        File is committed and not removed by
173  *                                      current transaction.
174  * @STORAGE_FILE_LIST_ADDED:            File will be added by current
175  *                                      transaction.
176  * @STORAGE_FILE_LIST_REMOVED:          File will be removed by current
177  *                                      transaction.
178  * @STORAGE_FILE_LIST_STATE_MASK:       mask for list flags used to indicate
179  *                                      file state.
180  * @STORAGE_FILE_LIST_MASK:             mask for all list flags supported in
181  *                                      current protocol. All other bits must be
182  *                                      set to 0.
183  */
184 enum storage_file_list_flag {
185     STORAGE_FILE_LIST_START = 0,
186     STORAGE_FILE_LIST_END = 1,
187     STORAGE_FILE_LIST_COMMITTED = 2,
188     STORAGE_FILE_LIST_ADDED = 3,
189     STORAGE_FILE_LIST_REMOVED = 4,
190     STORAGE_FILE_LIST_STATE_MASK = 7,
191     STORAGE_FILE_LIST_MASK = STORAGE_FILE_LIST_STATE_MASK,
192 };
193 
194 /**
195  * enum storage_msg_flag - protocol-level flags in struct storage_msg
196  * @STORAGE_MSG_FLAG_BATCH:                 if set, command belongs to a batch
197  *                                          transaction. No response will be sent by
198  *                                          the server until it receives a command
199  *                                          with this flag unset, at which point a
200  *                                          cumulative result for all messages sent
201  *                                          with STORAGE_MSG_FLAG_BATCH will be
202  *                                          sent. This is only supported by the
203  *                                          non-secure disk proxy server.
204  * @STORAGE_MSG_FLAG_PRE_COMMIT:            if set, indicates that server need to
205  *                                          commit pending changes before processing
206  *                                          this message.
207  * @STORAGE_MSG_FLAG_POST_COMMIT:           if set, indicates that server need to
208  *                                          commit pending changes after processing
209  *                                          this message.
210  * @STORAGE_MSG_FLAG_TRANSACT_COMPLETE:     if set, indicates that server need to
211  *                                          commit current transaction after
212  *                                          processing this message. It is an alias
213  *                                          for STORAGE_MSG_FLAG_POST_COMMIT.
214  * @STORAGE_MSG_FLAG_PRE_COMMIT_CHECKPOINT: if set, indicates that server needs
215  *                                          to ensure that there is not a
216  *                                          pending checkpoint for the
217  *                                          underlying userdata filesystem
218  *                                          before processing this message.
219  * @STORAGE_MSG_FLAG_TRANSACT_CHECKPOINT:   if set, update the current
220  *                                          checkpoint to the new state of
221  *                                          files modified by this
222  *                                          transaction. Only valid along with
223  *                                          @STORAGE_MSG_FLAG_TRANSACT_COMPLETE,
224  *                                          and only allowed when provisiong is
225  *                                          allowed by the system state service.
226  * @STORAGE_MSG_FLAG_FS_REPAIRED_ACK:       acknowledge that an error in the
227  *                                          file system may have been repaired,
228  *                                          and therefore rollback may have
229  *                                          occurred. Do not use this flag
230  *                                          unless accessing files where partial
231  *                                          rollback of file system state is
232  *                                          acceptable.
233  */
234 enum storage_msg_flag {
235     STORAGE_MSG_FLAG_BATCH = 0x1,
236     STORAGE_MSG_FLAG_PRE_COMMIT = 0x2,
237     STORAGE_MSG_FLAG_POST_COMMIT = 0x4,
238     STORAGE_MSG_FLAG_TRANSACT_COMPLETE = STORAGE_MSG_FLAG_POST_COMMIT,
239     STORAGE_MSG_FLAG_PRE_COMMIT_CHECKPOINT = 0x8,
240     STORAGE_MSG_FLAG_TRANSACT_CHECKPOINT = 0x10,
241     STORAGE_MSG_FLAG_FS_REPAIRED_ACK = 0x20,
242 };
243 
244 /*
245  * The following declarations are the message-specific contents of
246  * the 'payload' element inside struct storage_msg.
247  */
248 
249 /**
250  * struct storage_file_delete_req - request format for STORAGE_FILE_DELETE
251  * @flags: currently unused, must be set to 0.
252  * @name:  the name of the file
253  */
254 struct storage_file_delete_req {
255     uint32_t flags;
256     char name[0];
257 };
258 
259 /**
260  * struct storage_file_move_req - request format for STORAGE_FILE_OPEN
261  * @flags:          Any of storage_file_move_flag or'ed together.
262  * @handle:         Handle for file to move, if @flags contains
263  *                  STORAGE_FILE_MOVE_OPEN_FILE.
264  * @old_name_len:   Size of old file name in @old_new_name.
265  * @old_new_name:   Old file name followed by new file name. Old file name, must
266  *                  match name of @handle.
267  */
268 struct storage_file_move_req {
269     uint32_t flags;
270     uint32_t handle;
271     uint32_t old_name_len;
272     char old_new_name[0];
273 };
274 
275 /**
276  * struct storage_file_open_req - request format for STORAGE_FILE_OPEN
277  * @flags: any of enum storage_file_flag or'ed together
278  * @name:  the name of the file
279  */
280 struct storage_file_open_req {
281     uint32_t flags;
282     char name[0];
283 };
284 
285 /**
286  * struct storage_file_open_resp - response format for STORAGE_FILE_OPEN
287  * @handle: opaque handle to the opened file. Only present on success.
288  */
289 struct storage_file_open_resp {
290     uint32_t handle;
291 };
292 
293 /**
294  * struct storage_file_close_req - request format for STORAGE_FILE_CLOSE
295  * @handle: the handle for the file to close
296  */
297 struct storage_file_close_req {
298     uint32_t handle;
299 };
300 
301 /**
302  * struct storage_file_get_max_size_req - request format for
303  *                                        STORAGE_FILE_GET_MAX_SIZE
304  * @handle: the handle for the file whose max size is requested
305  */
306 struct storage_file_get_max_size_req {
307     uint32_t handle;
308 };
309 
310 /**
311  * struct storage_file_get_max_size_resp - response format for
312  *                                         STORAGE_FILE_GET_MAX_SIZE
313  * @max_size:   the maximum size of the file
314  */
315 struct storage_file_get_max_size_resp {
316     uint64_t max_size;
317 };
318 
319 /**
320  * struct storage_file_read_req - request format for STORAGE_FILE_READ
321  * @handle: the handle for the file from which to read
322  * @size:   the quantity of bytes to read from the file
323  * @offset: the offset in the file from whence to read
324  */
325 struct storage_file_read_req {
326     uint32_t handle;
327     uint32_t size;
328     uint64_t offset;
329 };
330 
331 /**
332  * struct storage_file_read_resp - response format for STORAGE_FILE_READ
333  * @data: beginning of data retrieved from file
334  *
335  * This struct definition is only safe to use in C since empty structs have
336  * different sizes in C(0) and C++(1) which makes them unsafe to be used
337  * across languages
338  */
339 #ifndef __cplusplus
340 struct storage_file_read_resp {
341     uint8_t data[0];
342 };
343 #endif
344 
345 /**
346  * struct storage_file_write_req - request format for STORAGE_FILE_WRITE
347  * @handle:     the handle for the file to write to
348  * @offset:     the offset in the file from whence to write
349  * @__reserved: unused, must be set to 0.
350  * @data:       beginning of the data to be written
351  */
352 struct storage_file_write_req {
353     uint64_t offset;
354     uint32_t handle;
355     uint32_t __reserved;
356     uint8_t data[0];
357 };
358 
359 /**
360  * struct storage_file_list_req - request format for STORAGE_FILE_LIST
361  * @max_count:  Max number of files to return, or 0 for no limit.
362  * @flags:      STORAGE_FILE_LIST_START or a copy of @flags last returned in
363  *              storage_file_list_resp.
364  * @name:       File name last returned in storage_file_list_resp, or empty
365  *              if @flags is STORAGE_FILE_LIST_START.
366  */
367 struct storage_file_list_req {
368     uint8_t max_count;
369     uint8_t flags;
370     char name[0];
371 };
372 
373 /**
374  * struct storage_file_list_resp - response format for STORAGE_FILE_LIST
375  * @flags:      Any of the flags in storage_file_list_flag.
376  * @name:       File name (0 terminated).
377  *
378  * If @max_count in storage_file_list_req was not set to 1, then multiple
379  * storage_file_list_resp instances may be returned in a single response
380  * message.
381  */
382 struct storage_file_list_resp {
383     uint8_t flags;
384     char name[0];
385 };
386 
387 /**
388  * struct storage_file_get_size_req - request format for STORAGE_FILE_GET_SIZE
389  * @handle: handle for which the size is requested
390  */
391 struct storage_file_get_size_req {
392     uint32_t handle;
393 };
394 
395 /**
396  * struct storage_file_get_size_resp - response format for STORAGE_FILE_GET_SIZE
397  * @size:   the size of the file
398  */
399 struct storage_file_get_size_resp {
400     uint64_t size;
401 };
402 
403 /**
404  * struct storage_file_set_size_req - request format for STORAGE_FILE_SET_SIZE
405  * @handle: the file handle
406  * @size:   the desired size of the file
407  */
408 struct storage_file_set_size_req {
409     uint64_t size;
410     uint32_t handle;
411 };
412 
413 /**
414  * struct storage_rpmb_send_req - request format for STORAGE_RPMB_SEND
415  * @reliable_write_size:        size in bytes of reliable write region
416  * @write_size:                 size in bytes of write region
417  * @read_size:                  number of bytes to read for a read request
418  * @__reserved:                 unused, must be set to 0
419  * @payload:                    start of reliable write region, followed by
420  *                              write region.
421  *
422  * Only used in proxy<->server interface.
423  */
424 struct storage_rpmb_send_req {
425     uint32_t reliable_write_size;
426     uint32_t write_size;
427     uint32_t read_size;
428     uint32_t __reserved;
429     uint8_t payload[0];
430 };
431 
432 /**
433  * struct storage_rpmb_send_resp: response type for STORAGE_RPMB_SEND
434  * @data: the data frames frames retrieved from the MMC.
435  *
436  * This struct definition is only safe to use in C since empty structs have
437  * different sizes in C(0) and C++(1) which makes them unsafe to be used
438  * across languages
439  */
440 #ifndef __cplusplus
441 struct storage_rpmb_send_resp {
442     uint8_t data[0];
443 };
444 #endif
445 
446 /**
447  * struct storage_msg - generic req/resp format for all storage commands
448  * @cmd:        one of enum storage_cmd
449  * @op_id:      client chosen operation identifier for an instance
450  *              of a command or atomic grouping of commands (transaction).
451  * @flags:      one or many of enum storage_msg_flag or'ed together.
452  * @size:       total size of the message including this header
453  * @result:     one of enum storage_err
454  * @__reserved: unused, must be set to 0.
455  * @payload:    beginning of command specific message format
456  */
457 struct storage_msg {
458     uint32_t cmd;
459     uint32_t op_id;
460     uint32_t flags;
461     uint32_t size;
462     int32_t result;
463     uint32_t __reserved;
464     uint8_t payload[0];
465 };
466