1 //
2 // Copyright (C) 2015 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #ifndef TPM_MANAGER_SERVER_TPM2_NVRAM_IMPL_H_
18 #define TPM_MANAGER_SERVER_TPM2_NVRAM_IMPL_H_
19 
20 #include "tpm_manager/server/tpm_nvram.h"
21 
22 #include <memory>
23 #include <string>
24 
25 #include <base/macros.h>
26 #include <trunks/trunks_factory.h>
27 
28 #include "tpm_manager/common/tpm_manager.pb.h"
29 #include "tpm_manager/server/local_data_store.h"
30 
31 namespace tpm_manager {
32 
33 // A TpmNvram implementation backed by a TPM 2.0 device. All index values are
34 // the 'index' portion of an NV handle and must fit in 24 bits.
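class Tpm2NvramImpl : public TpmNvram {
 public:
  // Does not take ownership of arguments. |factory| is stored as a reference
  // and |local_data_store| as a raw pointer, so both must outlive this object.
  Tpm2NvramImpl(const trunks::TrunksFactory& factory,
                LocalDataStore* local_data_store);
  ~Tpm2NvramImpl() override = default;

  // TpmNvram methods. The contract of each override is declared on the
  // TpmNvram interface (tpm_manager/server/tpm_nvram.h), which is not
  // restated here.
  //
  // |index| is the 'index' portion of an NV handle and must fit in 24 bits.
  // NOTE(review): the range check is not visible in this header; confirm the
  // implementation rejects larger values rather than truncating them.
  //
  // |authorization_value| is secret material passed as a std::string, which
  // does not clear its buffer on destruction. NOTE(review): callers should
  // keep such strings short-lived and avoid logging them; confirm how the
  // implementation handles copies.
  //
  // Output parameters are raw pointers. NOTE(review): whether null is accepted
  // is not stated here; verify against the implementation before passing
  // nullptr.
  NvramResult DefineSpace(uint32_t index,
                          size_t size,
                          const std::vector<NvramSpaceAttribute>& attributes,
                          const std::string& authorization_value,
                          NvramSpacePolicy policy) override;
  NvramResult DestroySpace(uint32_t index) override;
  NvramResult WriteSpace(uint32_t index,
                         const std::string& data,
                         const std::string& authorization_value) override;
  NvramResult ReadSpace(uint32_t index,
                        std::string* data,
                        const std::string& authorization_value) override;
  NvramResult LockSpace(uint32_t index,
                        bool lock_read,
                        bool lock_write,
                        const std::string& authorization_value) override;
  NvramResult ListSpaces(std::vector<uint32_t>* index_list) override;
  NvramResult GetSpaceInfo(
      uint32_t index,
      size_t* size,
      bool* is_read_locked,
      bool* is_write_locked,
      std::vector<NvramSpaceAttribute>* attributes,
      NvramSpacePolicy* policy) override;

 private:
  // Must be called before using any data members. This may be called multiple
  // times and will be very fast if already initialized.
  bool Initialize();

  // Gets the TPM owner password. Returns an empty string if not available.
  // The password is returned by value, so every call creates another copy of
  // the secret in memory. Callers should treat an empty result as "owner
  // authorization unavailable" and keep the returned string short-lived.
  std::string GetOwnerPassword();

  // Configures |trunks_session_| with owner authorization. Returns true on
  // success.
  bool SetupOwnerSession();

  // Configures a new policy |session| for a given |policy_record|,
  // |authorization_value|, and |command_code|. Returns true on success.
  // |session| is not owned by this call.
  bool SetupPolicySession(const NvramPolicyRecord& policy_record,
                          const std::string& authorization_value,
                          trunks::TPM_CC command_code,
                          trunks::PolicySession* session);

  // A helper to add policies to a |session| for a particular |command_code| and
  // |policy_record|. Returns true on success.
  bool AddPoliciesForCommand(const NvramPolicyRecord& policy_record,
                             trunks::TPM_CC command_code,
                             trunks::PolicySession* session);

  // A helper to add an OR policy to |session| based on |policy_record|. Returns
  // true on success.
  bool AddPolicyOR(const NvramPolicyRecord& policy_record,
                   trunks::PolicySession* session);

  // Computes the policy |digest| for a given |policy_record| and fills the
  // policy_digests field in the |policy_record|. Presumably returns true on
  // success, like the other helpers; confirm against the implementation.
  bool ComputePolicyDigest(NvramPolicyRecord* policy_record,
                           std::string* digest);

  // Gets the policy |record| for the given |index|. Returns true on success.
  bool GetPolicyRecord(uint32_t index, NvramPolicyRecord* record);

  // Saves a policy |record| in the local_data_store_. Presumably returns true
  // on success; confirm against the implementation.
  // NOTE(review): the record is kept in the local data store, outside the TPM.
  // Confirm that a modified or missing record can only make a policy session
  // fail, and can never weaken the authorization the TPM itself enforces.
  bool SavePolicyRecord(const NvramPolicyRecord& record);

  // Best effort delete of the policy |record| for |index|. Failures are not
  // reported (void return), so a stale record may remain after a failed
  // delete. NOTE(review): confirm that re-defining the same index replaces any
  // stale record.
  void DeletePolicyRecord(uint32_t index);

  // Not owned; must outlive this object.
  const trunks::TrunksFactory& trunks_factory_;
  // Not owned; must outlive this object.
  LocalDataStore* local_data_store_ = nullptr;
  // Default-initialized here so that Initialize() never reads an
  // indeterminate value, regardless of how the constructor is written.
  bool initialized_ = false;
  std::unique_ptr<trunks::HmacSession> trunks_session_;
  std::unique_ptr<trunks::TpmUtility> trunks_utility_;

  friend class Tpm2NvramTest;
  DISALLOW_COPY_AND_ASSIGN(Tpm2NvramImpl);
};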
121 
122 }  // namespace tpm_manager
123 
124 #endif  // TPM_MANAGER_SERVER_TPM2_NVRAM_IMPL_H_
125