| 1 | #ifndef libTrustCache_TypesConfig_h |
|---|---|
| 2 | #define libTrustCache_TypesConfig_h |
| 3 | |
| 4 | #include <sys/cdefs.h> |
| 5 | __BEGIN_DECLS |
| 6 | |
| 7 | #include <TrustCache/Types.h> |
| 8 | |
| 9 | #if XNU_KERNEL_PRIVATE |
| 10 | /* |
| 11 | * The AppleImage4 API definitions are accessed through the 'img4if' indirection |
| 12 | * layer within XNU itself. Kernel extensions can access them directly from the |
| 13 | * AppleImage4 headers. |
| 14 | */ |
| 15 | #include <libkern/img4/interface.h> |
| 16 | #endif |
| 17 | |
| 18 | #if !XNU_KERNEL_PRIVATE |
| 19 | /* |
| 20 | * XNU does not make this header available and uses different availability macros |
| 21 | * than kernel extensions or base user-space applications. |
| 22 | */ |
| 23 | #include <TargetConditionals.h> |
| 24 | #endif |
| 25 | |
| 26 | #pragma mark Chip Environments |
| 27 | |
| 28 | static const img4_chip_t* |
| 29 | chipEnvironmentPersonalized(void) { |
| 30 | return img4_chip_select_personalized_ap(); |
| 31 | } |
| 32 | |
| 33 | static const img4_chip_t* |
| 34 | chipEnvironmentCategorized(void) { |
| 35 | return img4_chip_select_categorized_ap(); |
| 36 | } |
| 37 | |
| 38 | static const img4_chip_t* |
| 39 | chipEnvironmentGlobalFF00(void) { |
| 40 | return IMG4_CHIP_AP_SOFTWARE_FF00; |
| 41 | } |
| 42 | |
| 43 | static const img4_chip_t* |
| 44 | chipEnvironmentGlobalFF01(void) { |
| 45 | return IMG4_CHIP_AP_SOFTWARE_FF01; |
| 46 | } |
| 47 | |
| 48 | static const img4_chip_t* |
| 49 | chipEnvironmentGlobalFF06(void) { |
| 50 | return IMG4_CHIP_AP_SOFTWARE_FF06; |
| 51 | } |
| 52 | |
| 53 | static const img4_chip_t* |
| 54 | chipEnvironmentEphemeralCryptex(void) { |
| 55 | return IMG4_CHIP_AP_SUPPLEMENTAL; |
| 56 | } |
| 57 | |
| 58 | static const img4_chip_t* |
| 59 | chipEnvironmentCryptex1Boot(void) { |
| 60 | #if IMG4_API_VERSION >= 20211126 |
| 61 | return img4_chip_select_cryptex1_boot(); |
| 62 | #else |
| 63 | return NULL; |
| 64 | #endif |
| 65 | } |
| 66 | |
| 67 | static const img4_chip_t* |
| 68 | chipEnvironmentCryptex1PreBoot(void) { |
| 69 | #if IMG4_API_VERSION >= 20211126 |
| 70 | return img4_chip_select_cryptex1_preboot(); |
| 71 | #else |
| 72 | return NULL; |
| 73 | #endif |
| 74 | } |
| 75 | |
| 76 | static const img4_chip_t* |
| 77 | chipEnvironmentCryptex1MobileAsset(void) { |
| 78 | #if IMG4_API_VERSION >= 20211126 |
| 79 | return IMG4_CHIP_CRYPTEX1_ASSET; |
| 80 | #else |
| 81 | return NULL; |
| 82 | #endif |
| 83 | } |
| 84 | |
| 85 | static const img4_chip_t* |
| 86 | chipEnvironmentSafariDownlevel(void) { |
| 87 | #if IMG4_API_VERSION >= 20211126 |
| 88 | return IMG4_CHIP_CRYPTEX1_BOOT_REDUCED; |
| 89 | #else |
| 90 | return NULL; |
| 91 | #endif |
| 92 | } |
| 93 | |
| 94 | static const img4_chip_t* |
| 95 | chipEnvironmentSupplemental(void) { |
| 96 | return IMG4_CHIP_AP_SUPPLEMENTAL; |
| 97 | } |
| 98 | |
| 99 | static const img4_chip_t* |
| 100 | chipEnvironmentCryptex1Generic(void) { |
| 101 | #if IMG4_API_VERSION >= 20221202 |
| 102 | return IMG4_CHIP_CRYPTEX1_GENERIC; |
| 103 | #else |
| 104 | return NULL; |
| 105 | #endif |
| 106 | } |
| 107 | |
| 108 | static const img4_chip_t* |
| 109 | chipEnvironmentCryptex1GenericSupplemental(void) { |
| 110 | #if IMG4_API_VERSION >= 20221202 |
| 111 | return IMG4_CHIP_CRYPTEX1_GENERIC_SUPPLEMENTAL; |
| 112 | #else |
| 113 | return NULL; |
| 114 | #endif |
| 115 | } |
| 116 | |
| 117 | #pragma mark Nonce Domains |
| 118 | |
| 119 | static const img4_nonce_domain_t* |
| 120 | nonceDomainTrustCache(void) { |
| 121 | return IMG4_NONCE_DOMAIN_TRUST_CACHE; |
| 122 | } |
| 123 | |
| 124 | static const img4_nonce_domain_t* |
| 125 | nonceDomainDDI(void) { |
| 126 | return IMG4_NONCE_DOMAIN_DDI; |
| 127 | } |
| 128 | |
| 129 | static const img4_nonce_domain_t* |
| 130 | nonceDomainCryptex(void) { |
| 131 | return IMG4_NONCE_DOMAIN_CRYPTEX; |
| 132 | } |
| 133 | |
| 134 | static const img4_nonce_domain_t* |
| 135 | nonceDomainEphemeralCryptex(void) { |
| 136 | return IMG4_NONCE_DOMAIN_EPHEMERAL_CRYPTEX; |
| 137 | } |
| 138 | |
| 139 | static const img4_nonce_domain_t* |
| 140 | nonceDomainPDI(void) { |
| 141 | return IMG4_NONCE_DOMAIN_PDI; |
| 142 | } |
| 143 | |
| 144 | #pragma mark Firmware Flags |
| 145 | |
| 146 | static img4_firmware_flags_t |
| 147 | firmwareFlagsDTRS(void) { |
| 148 | return IMG4_FIRMWARE_FLAG_RESPECT_AMNM; |
| 149 | } |
| 150 | |
| 151 | static img4_firmware_flags_t |
| 152 | firmwareFlagsSplat(void) { |
| 153 | #if XNU_TARGET_OS_OSX && (defined(__arm__) || defined(__arm64__)) |
| 154 | return IMG4_FIRMWARE_FLAG_SUBSEQUENT_STAGE; |
| 155 | #elif defined(TARGET_OS_OSX) && TARGET_OS_OSX && (TARGET_CPU_ARM || TARGET_CPU_ARM64) |
| 156 | return IMG4_FIRMWARE_FLAG_SUBSEQUENT_STAGE; |
| 157 | #else |
| 158 | return IMG4_FIRMWARE_FLAG_INIT; |
| 159 | #endif |
| 160 | } |
| 161 | |
| 162 | #pragma mark Type Configuration |
| 163 | |
| 164 | typedef struct _TrustCacheTypeConfig { |
| 165 | /* Chip environment to use for validation */ |
| 166 | const img4_chip_t* (*chipEnvironment)(void); |
| 167 | |
| 168 | /* Nonce domain for anti-replay */ |
| 169 | const img4_nonce_domain_t* (*nonceDomain)(void); |
| 170 | |
| 171 | /* Four CC identifier for this type */ |
| 172 | img4_4cc_t fourCC; |
| 173 | |
| 174 | /* Firmware flags to add for this configuration */ |
| 175 | img4_firmware_flags_t (*firmwareFlags)(void); |
| 176 | |
| 177 | /* |
| 178 | * Higher level policy imposes restrictions on which process can load |
| 179 | * which trust cache. These restrictions are enforced through the use |
| 180 | * of the entitlement "com.apple.private.pmap.load-trust-cache". The |
| 181 | * value here is the required value of the above entitlement. |
| 182 | */ |
| 183 | const char *entitlementValue; |
| 184 | } TrustCacheTypeConfig_t; |
| 185 | |
| 186 | #pragma GCC diagnostic push |
| 187 | #pragma GCC diagnostic ignored "-Wfour-char-constants" |
| 188 | |
| 189 | static const TrustCacheTypeConfig_t TCTypeConfig[kTCTypeTotal] = { |
| 190 | /* Static trust caches are loaded as raw modules */ |
| 191 | [kTCTypeStatic] = { |
| 192 | .chipEnvironment = NULL, |
| 193 | .nonceDomain = NULL, |
| 194 | .fourCC = 0, |
| 195 | .firmwareFlags = NULL, |
| 196 | .entitlementValue = NULL |
| 197 | }, |
| 198 | |
| 199 | /* Engineering trust caches are loaded as raw modules */ |
| 200 | [kTCTypeEngineering] = { |
| 201 | .chipEnvironment = NULL, |
| 202 | .nonceDomain = NULL, |
| 203 | .fourCC = 0, |
| 204 | .firmwareFlags = NULL, |
| 205 | .entitlementValue = NULL |
| 206 | }, |
| 207 | |
| 208 | /* Legacy trust caches are loaded as raw modules */ |
| 209 | [kTCTypeLegacy] = { |
| 210 | .chipEnvironment = NULL, |
| 211 | .nonceDomain = NULL, |
| 212 | .fourCC = 0, |
| 213 | .firmwareFlags = NULL, |
| 214 | .entitlementValue = NULL |
| 215 | }, |
| 216 | |
| 217 | [kTCTypeDTRS] = { |
| 218 | .chipEnvironment = chipEnvironmentPersonalized, |
| 219 | .nonceDomain = NULL, |
| 220 | .fourCC = 'dtrs', |
| 221 | .firmwareFlags = firmwareFlagsDTRS, |
| 222 | .entitlementValue = "personalized.engineering-root" |
| 223 | }, |
| 224 | |
| 225 | [kTCTypeLTRS] = { |
| 226 | .chipEnvironment = chipEnvironmentPersonalized, |
| 227 | .nonceDomain = nonceDomainTrustCache, |
| 228 | .fourCC = 'ltrs', |
| 229 | .firmwareFlags = NULL, |
| 230 | .entitlementValue = "personalized.trust-cache" |
| 231 | }, |
| 232 | |
| 233 | [kTCTypePersonalizedDiskImage] = { |
| 234 | .chipEnvironment = chipEnvironmentPersonalized, |
| 235 | .nonceDomain = nonceDomainPDI, |
| 236 | .fourCC = 'ltrs', |
| 237 | .firmwareFlags = NULL, |
| 238 | .entitlementValue = "personalized.pdi" |
| 239 | }, |
| 240 | |
| 241 | [kTCTypeDeveloperDiskImage] = { |
| 242 | .chipEnvironment = chipEnvironmentCategorized, |
| 243 | .nonceDomain = nonceDomainDDI, |
| 244 | .fourCC = 'trdv', |
| 245 | .firmwareFlags = NULL, |
| 246 | .entitlementValue = "personalized.ddi" |
| 247 | }, |
| 248 | |
| 249 | [kTCTypeLTRSWithDDINonce] = { |
| 250 | .chipEnvironment = chipEnvironmentPersonalized, |
| 251 | .nonceDomain = nonceDomainDDI, |
| 252 | .fourCC = 'ltrs', |
| 253 | .firmwareFlags = NULL, |
| 254 | .entitlementValue = "personalized.ddi" |
| 255 | }, |
| 256 | |
| 257 | [kTCTypeCryptex] = { |
| 258 | .chipEnvironment = chipEnvironmentPersonalized, |
| 259 | .nonceDomain = nonceDomainCryptex, |
| 260 | .fourCC = 'ltrs', |
| 261 | .firmwareFlags = NULL, |
| 262 | .entitlementValue = "personalized.cryptex-research" |
| 263 | }, |
| 264 | |
| 265 | [kTCTypeEphemeralCryptex] = { |
| 266 | .chipEnvironment = chipEnvironmentEphemeralCryptex, |
| 267 | .nonceDomain = nonceDomainEphemeralCryptex, |
| 268 | .fourCC = 'ltrs', |
| 269 | .firmwareFlags = NULL, |
| 270 | .entitlementValue = "personalized.ephemeral-cryptex" |
| 271 | }, |
| 272 | |
| 273 | [kTCTypeUpdateBrain] = { |
| 274 | .chipEnvironment = chipEnvironmentGlobalFF00, |
| 275 | .nonceDomain = NULL, |
| 276 | .fourCC = 'ltrs', |
| 277 | .firmwareFlags = NULL, |
| 278 | .entitlementValue = "global.ota-update-brain" |
| 279 | }, |
| 280 | |
| 281 | [kTCTypeInstallAssistant] = { |
| 282 | .chipEnvironment = chipEnvironmentGlobalFF01, |
| 283 | .nonceDomain = NULL, |
| 284 | .fourCC = 'ltrs', |
| 285 | .firmwareFlags = NULL, |
| 286 | .entitlementValue = "global.install-assistant" |
| 287 | }, |
| 288 | |
| 289 | [kTCTypeBootabilityBrain] = { |
| 290 | .chipEnvironment = chipEnvironmentGlobalFF06, |
| 291 | .nonceDomain = NULL, |
| 292 | .fourCC = 'trbb', |
| 293 | .firmwareFlags = NULL, |
| 294 | .entitlementValue = "global.bootability-brain" |
| 295 | }, |
| 296 | |
| 297 | [kTCTypeCryptex1BootOS] = { |
| 298 | .chipEnvironment = chipEnvironmentCryptex1Boot, |
| 299 | .nonceDomain = NULL, |
| 300 | .fourCC = 'trcs', |
| 301 | .firmwareFlags = firmwareFlagsSplat, |
| 302 | .entitlementValue = "cryptex1.boot.os" |
| 303 | }, |
| 304 | |
| 305 | [kTCTypeCryptex1BootApp] = { |
| 306 | .chipEnvironment = chipEnvironmentCryptex1Boot, |
| 307 | .nonceDomain = NULL, |
| 308 | .fourCC = 'trca', |
| 309 | .firmwareFlags = firmwareFlagsSplat, |
| 310 | .entitlementValue = "cryptex1.boot.app" |
| 311 | }, |
| 312 | |
| 313 | [kTCTypeCryptex1PreBootApp] = { |
| 314 | .chipEnvironment = chipEnvironmentCryptex1PreBoot, |
| 315 | .nonceDomain = NULL, |
| 316 | .fourCC = 'trca', |
| 317 | .firmwareFlags = firmwareFlagsSplat, |
| 318 | .entitlementValue = "cryptex1.preboot.app" |
| 319 | }, |
| 320 | |
| 321 | [kTCTypeGlobalDiskImage] = { |
| 322 | .chipEnvironment = chipEnvironmentGlobalFF00, |
| 323 | .nonceDomain = NULL, |
| 324 | .fourCC = 'ltrs', |
| 325 | .firmwareFlags = NULL, |
| 326 | .entitlementValue = "global.pdi" |
| 327 | }, |
| 328 | |
| 329 | [kTCTypeMobileAssetBrain] = { |
| 330 | .chipEnvironment = chipEnvironmentCryptex1MobileAsset, |
| 331 | .nonceDomain = NULL, |
| 332 | .fourCC = 'trab', |
| 333 | .firmwareFlags = NULL, |
| 334 | .entitlementValue = "personalized.mobile-asset-brain" |
| 335 | }, |
| 336 | |
| 337 | [kTCTypeSafariDownlevel] = { |
| 338 | .chipEnvironment = chipEnvironmentSafariDownlevel, |
| 339 | .nonceDomain = NULL, |
| 340 | .fourCC = 'trca', |
| 341 | .firmwareFlags = NULL, |
| 342 | .entitlementValue = "cryptex1.safari-downlevel" |
| 343 | }, |
| 344 | |
| 345 | [kTCTypeCryptex1PreBootOS] = { |
| 346 | .chipEnvironment = chipEnvironmentCryptex1PreBoot, |
| 347 | .nonceDomain = NULL, |
| 348 | .fourCC = 'trcs', |
| 349 | .firmwareFlags = firmwareFlagsSplat, |
| 350 | .entitlementValue = "cryptex1.preboot.os" |
| 351 | }, |
| 352 | |
| 353 | [kTCTypeSupplementalPersistent] = { |
| 354 | .chipEnvironment = chipEnvironmentSupplemental, |
| 355 | .nonceDomain = nonceDomainDDI, |
| 356 | .fourCC = 'ltrs', |
| 357 | .firmwareFlags = NULL, |
| 358 | .entitlementValue = "personalized.supplemental-persistent" |
| 359 | }, |
| 360 | |
| 361 | [kTCTypeSupplementalEphemeral] = { |
| 362 | .chipEnvironment = chipEnvironmentSupplemental, |
| 363 | .nonceDomain = nonceDomainPDI, |
| 364 | .fourCC = 'ltrs', |
| 365 | .firmwareFlags = NULL, |
| 366 | .entitlementValue = "personalized.supplemental-ephemeral" |
| 367 | }, |
| 368 | |
| 369 | [kTCTypeCryptex1Generic] = { |
| 370 | .chipEnvironment = chipEnvironmentCryptex1Generic, |
| 371 | .nonceDomain = NULL, |
| 372 | .fourCC = 'gtcd', |
| 373 | .firmwareFlags = NULL, |
| 374 | .entitlementValue = "cryptex1.generic" |
| 375 | }, |
| 376 | |
| 377 | [kTCTypeCryptex1GenericSupplemental] = { |
| 378 | .chipEnvironment = chipEnvironmentCryptex1GenericSupplemental, |
| 379 | .nonceDomain = NULL, |
| 380 | .fourCC = 'gtcd', |
| 381 | .firmwareFlags = NULL, |
| 382 | .entitlementValue = "cryptex1.generic.supplemental" |
| 383 | } |
| 384 | }; |
| 385 | |
| 386 | #pragma GCC diagnostic pop |
| 387 | |
| 388 | __END_DECLS |
| 389 | #endif /* libTrustCache_TypesConfig_h */ |
| 390 |
Generated while processing xnu/bsd/kern/code_signing/ppl.c
Generated on 2024-Jun-06 from project xnu revision 10063.121.3
Powered by 
Code Browser 2.1
Generator usage only permitted with license.