// // Copyright (C) 2015 The Android Open Source Project // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // // NOTE: All tpm_manager protobufs are in the same file because the Android // build system cannot handle import statements without using Android-specific // paths. option optimize_for = LITE_RUNTIME; package tpm_manager; enum TpmManagerStatus { STATUS_SUCCESS = 0; STATUS_DEVICE_ERROR = 1; STATUS_NOT_AVAILABLE = 2; } // Result codes. For convenience, keep these in sync with Brillo NVRAM HAL // values defined in hardware/nvram_defs.h. enum NvramResult { NVRAM_RESULT_SUCCESS = 0; // An unexpected TPM error occurred. More information should be in logs. NVRAM_RESULT_DEVICE_ERROR = 1; // The caller is not authorized to perform the requested operation. This may // be due to a bad authorization value or to system state. NVRAM_RESULT_ACCESS_DENIED = 2; NVRAM_RESULT_INVALID_PARAMETER = 3; NVRAM_RESULT_SPACE_DOES_NOT_EXIST = 4; NVRAM_RESULT_SPACE_ALREADY_EXISTS = 5; // This may be because a space is locked or because an operation has been // explicitly disabled. NVRAM_RESULT_OPERATION_DISABLED = 6; // Literally, the TPM is out of non-volatile storage. NVRAM_RESULT_INSUFFICIENT_SPACE = 7; // An error occurred sending the request to the system service. NVRAM_RESULT_IPC_ERROR = 100; } // More background on these attributes can be found by looking up the TPMA_NV_* // constants in the TPM 2.0 specification or the TPM_NV_PER_* constants in the // TPM 1.2 specification. enum NvramSpaceAttribute { // The space can be locked for writing until it is destroyed. Without TPM // owner privilege this is always after the TPM is cleared. This typically // occurs during device factory reset. NVRAM_PERSISTENT_WRITE_LOCK = 0; // The space can be locked for writing until the next boot. NVRAM_BOOT_WRITE_LOCK = 1; // The space can be locked for reading until the next boot. NVRAM_BOOT_READ_LOCK = 2; // The space requires an authorization value for writing. NVRAM_WRITE_AUTHORIZATION = 3; // The space requires an authorization value for reading. NVRAM_READ_AUTHORIZATION = 4; // The space can not be written directly, only extended. // E.g. new_value = HASH(old_value + input) NVRAM_WRITE_EXTEND = 5; // The space is tied to the global lock (bGlobalLock). This global lock is // typically locked early in boot. This is defined for inspecting existing // spaces, this interface cannot be used to define spaces with this attribute. NVRAM_GLOBAL_LOCK = 6; // The space is tied to the platform rather than the TPM owner. The 'platform' // is whatever executes first after boot. Typically this access is locked // early in boot. This is defined for inspecting existing spaces, this // interface cannot be used to define spaces with this attribute. NVRAM_PLATFORM_WRITE = 7; // The space can only be written by the TPM owner. For TPM 2.0 this can be // used only for inspecting existing spaces, not for defining new spaces. NVRAM_OWNER_WRITE = 8; // The space can only be read by the TPM owner. For TPM 2.0 this can be used // only for inspecting existing spaces, not for defining new spaces. NVRAM_OWNER_READ = 9; } enum NvramSpacePolicy { // No policy. Authorization values are still enforced. This is the default. NVRAM_POLICY_NONE = 0; // Bind both read and write access to the current PCR0 value in addition to // enforcing any authorization value. NVRAM_POLICY_PCR0 = 1; } // Tracks the expected policy for a particular NVRAM space. message NvramPolicyRecord { optional uint32 index = 1; optional NvramSpacePolicy policy = 2; // This will be true if the NVRAM_READ_AUTHORIZATION attribute was not // specified when the space was created. optional bool world_read_allowed = 3; // This will be true if the NVRAM_WRITE_AUTHORIZATION attribute was not // specified when the space was created. optional bool world_write_allowed = 4; repeated bytes policy_digests = 5; } // The format of persistent local TPM management data stored on the device. // When TPM ownership is taken, this protobuf is populated with the passwords // used to take ownership, and with a list of clients who have a dependency on // the owner password (like Attestation, InstallAttributes and BootLockbox). // when all the clients have the owner password injected, this protobuf is // cleared of all passwords. message LocalData { optional bytes owner_password = 2; repeated string owner_dependency = 3; optional bytes endorsement_password = 4; optional bytes lockout_password = 5; repeated NvramPolicyRecord nvram_policy = 6; } //////////////////////////////////////////////////////////////////////////////// // A series of request and reply messages for the NVRAM interface methods. //////////////////////////////////////////////////////////////////////////////// message DefineSpaceRequest { optional uint32 index = 1; optional uint32 size = 2; repeated NvramSpaceAttribute attributes = 3; optional bytes authorization_value = 4; optional NvramSpacePolicy policy = 5; } message DefineSpaceReply { optional NvramResult result = 1; } message DestroySpaceRequest { optional uint32 index = 1; } message DestroySpaceReply { optional NvramResult result = 1; } message WriteSpaceRequest { optional uint32 index = 1; optional bytes data = 2; optional bytes authorization_value = 3; optional bool use_owner_authorization = 4; } message WriteSpaceReply { optional NvramResult result = 1; } message ReadSpaceRequest { optional uint32 index = 1; optional bytes authorization_value = 2; optional bool use_owner_authorization = 3; } message ReadSpaceReply { optional NvramResult result = 1; optional bytes data = 2; } message LockSpaceRequest { optional uint32 index = 1; optional bool lock_read = 2; optional bool lock_write = 3; optional bytes authorization_value = 4; optional bool use_owner_authorization = 5; } message LockSpaceReply { optional NvramResult result = 1; } message ListSpacesRequest { } message ListSpacesReply { optional NvramResult result = 1; repeated uint32 index_list = 2; } message GetSpaceInfoRequest { optional uint32 index = 1; } message GetSpaceInfoReply { optional NvramResult result = 1; optional uint32 size = 2; optional bool is_read_locked = 3; optional bool is_write_locked = 4; repeated NvramSpaceAttribute attributes = 5; optional NvramSpacePolicy policy = 6; } //////////////////////////////////////////////////////////////////////////////// // A series of request and reply messages for the ownership interface methods. //////////////////////////////////////////////////////////////////////////////// message GetTpmStatusRequest { } message GetTpmStatusReply { optional TpmManagerStatus status = 1; // Whether a TPM is enabled on the system. optional bool enabled = 2; // Whether the TPM has been owned. optional bool owned = 3; // Local TPM management data (including the owner password if available). optional LocalData local_data = 4; // The current dictionary attack counter value. optional uint32 dictionary_attack_counter = 5; // The current dictionary attack counter threshold. optional uint32 dictionary_attack_threshold = 6; // Whether the TPM is in some form of dictionary attack lockout. optional bool dictionary_attack_lockout_in_effect = 7; // The number of seconds remaining in the lockout. optional uint32 dictionary_attack_lockout_seconds_remaining = 8; } message TakeOwnershipRequest { } message TakeOwnershipReply { optional TpmManagerStatus status = 1; } message RemoveOwnerDependencyRequest { optional bytes owner_dependency = 1; } message RemoveOwnerDependencyReply { optional TpmManagerStatus status = 1; }