1 | /* |
2 | * Copyright (c) 2009-2023 Apple Inc. All rights reserved. |
3 | * |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
5 | * |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License |
8 | * Version 2.0 (the 'License'). You may not use this file except in |
9 | * compliance with the License. The rights granted to you under the License |
10 | * may not be used to create, or enable the creation or redistribution of, |
11 | * unlawful or unlicensed copies of an Apple operating system, or to |
12 | * circumvent, violate, or enable the circumvention or violation of, any |
13 | * terms of an Apple operating system software license agreement. |
14 | * |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
17 | * |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and |
24 | * limitations under the License. |
25 | * |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
27 | */ |
28 | |
29 | #ifndef _SYS_CPROTECT_H_ |
30 | #define _SYS_CPROTECT_H_ |
31 | |
32 | #ifdef KERNEL_PRIVATE |
33 | |
34 | #include <sys/cdefs.h> |
35 | #include <sys/param.h> |
36 | #include <sys/buf.h> |
37 | #include <sys/kdebug.h> |
38 | #include <crypto/aes.h> |
39 | #include <stdbool.h> |
40 | #include <uuid/uuid.h> |
41 | #include <libkern/crypto/sha1.h> |
42 | |
43 | __BEGIN_DECLS |
44 | |
45 | #define CP_CODE(code) FSDBG_CODE(DBG_CONTENT_PROT, code) |
46 | /* |
47 | * Class DBG_FSYSTEM == 0x03 |
48 | * Subclass DBG_CONTENT_PROT == 0xCF |
49 | * These debug codes are of the form 0x03CFzzzz |
50 | */ |
51 | |
52 | enum { |
53 | CPDBG_OFFSET_IO = CP_CODE(0), /* 0x03CF0000 */ |
54 | }; |
55 | |
56 | /* normally the debug events are no-ops */ |
57 | #define CP_DEBUG(x, a, b, c, d, e) do {} while (0); |
58 | |
59 | /* dev kernels only! */ |
60 | #if !SECURE_KERNEL |
61 | |
62 | /* KDEBUG events used by content protection subsystem */ |
63 | #if 0 |
64 | #undef CP_DEBUG |
65 | #define CP_DEBUG KERNEL_DEBUG_CONSTANT |
66 | #endif |
67 | |
68 | #endif |
69 | |
70 | #define CP_MAX_WRAPPEDKEYSIZE 128 /* The size of the largest allowed key */ |
71 | #define VFS_CP_MAX_CACHEBUFLEN 64 /* Maximum size of the cached key */ |
72 | |
73 | /* lock events from AppleKeyStore */ |
74 | enum { |
75 | CP_ACTION_LOCKED = 0, |
76 | CP_ACTION_UNLOCKED = 1, |
77 | CP_ACTION_EP_INVALIDATED = 2, |
78 | CP_ACTION_CX_EXPIRED = 3, |
79 | }; |
80 | /* |
81 | * Ideally, cp_key_store_action_t would be an enum, but we cannot fix |
82 | * that until AppleKeyStore is updated. |
83 | */ |
84 | typedef int cp_key_store_action_t; |
85 | |
86 | /* |
87 | * It was once the case (and it may still be the case) where the lock |
88 | * state got conflated with the possible actions/events that |
89 | * AppleKeyStore can send. For that reason, the locked states below |
90 | * should numerically match their corresponding actions above. |
91 | */ |
92 | typedef unsigned char cp_lock_state_t; |
93 | enum { |
94 | CP_LOCKED_STATE = 0, |
95 | CP_UNLOCKED_STATE = 1, |
96 | }; |
97 | |
98 | typedef unsigned char cp_ep_state_t; |
99 | enum { |
100 | CP_EP_INVALIDATED = 0, |
101 | }; |
102 | |
103 | typedef unsigned char cp_cx_state_t; |
104 | enum { |
105 | CP_CX_EXPIRED = 0, |
106 | }; |
107 | |
108 | typedef uint32_t cp_key_class_t; |
109 | typedef uint32_t cp_key_os_version_t; |
110 | typedef uint16_t cp_key_revision_t; |
111 | typedef uint64_t cp_crypto_id_t; |
112 | |
113 | typedef struct cprotect *cprotect_t; |
114 | typedef struct cpx *cpx_t; |
115 | |
116 | #ifdef BSD_KERNEL_PRIVATE |
117 | /* Not for consumption outside of XNU */ |
118 | typedef uint32_t cpx_flags_t; |
119 | /* |
120 | * This is a CPX structure with a fixed-length key buffer. We need this defined in a header |
121 | * so that we can use this structure to allocate the memory for the zone(s) properly. |
122 | */ |
123 | typedef struct fcpx { |
124 | #ifdef DEBUG |
125 | uint32_t cpx_magic1; |
126 | #endif // DEBUG |
127 | aes_encrypt_ctx *cpx_iv_aes_ctx_ptr;// Context used for generating the IV |
128 | cpx_flags_t cpx_flags; |
129 | uint16_t cpx_max_key_len; |
130 | uint16_t cpx_key_len; |
131 | uint8_t cpx_cached_key[VFS_CP_MAX_CACHEBUFLEN]; |
132 | //Fixed length all the way through |
133 | } fcpx_t; |
134 | |
135 | #endif // BSD_KERNEL_PRIVATE |
136 | |
137 | typedef struct cp_key { |
138 | uint8_t len; |
139 | void *key; |
140 | } cp_key_t; |
141 | |
142 | /* Interface to AKS kext */ |
143 | typedef struct { |
144 | void *key; |
145 | unsigned key_len; |
146 | void *iv_key; |
147 | unsigned iv_key_len; |
148 | uint32_t flags; |
149 | } cp_raw_key_s; |
150 | |
151 | typedef cp_raw_key_s* cp_raw_key_t; |
152 | |
153 | typedef struct { |
154 | void *key; |
155 | unsigned key_len; |
156 | cp_key_class_t dp_class; |
157 | } cp_wrapped_key_s; |
158 | |
159 | typedef cp_wrapped_key_s* cp_wrapped_key_t; |
160 | |
161 | typedef struct { |
162 | union { |
163 | ino64_t inode; |
164 | cp_crypto_id_t crypto_id; |
165 | }; |
166 | uint32_t volume; |
167 | pid_t pid; |
168 | uid_t uid; |
169 | cp_key_revision_t key_revision; |
170 | } cp_cred_s; |
171 | |
172 | typedef cp_cred_s* cp_cred_t; |
173 | |
174 | /* The wrappers are invoked on the AKS kext */ |
175 | typedef int unwrapper_t(cp_cred_t access, const cp_wrapped_key_t wrapped_key_in, cp_raw_key_t key_out); |
176 | typedef int rewrapper_t(cp_cred_t access, cp_key_class_t dp_class, const cp_wrapped_key_t wrapped_key_in, cp_wrapped_key_t wrapped_key_out); |
177 | typedef int new_key_t(cp_cred_t access, cp_key_class_t dp_class, cp_raw_key_t key_out, cp_wrapped_key_t wrapped_key_out); |
178 | typedef int invalidater_t(cp_cred_t access); /* invalidates keys */ |
179 | typedef int backup_key_t(cp_cred_t access, const cp_wrapped_key_t wrapped_key_in, cp_wrapped_key_t wrapped_key_out); |
180 | |
181 | /* |
182 | * Flags for Interaction between AKS / Kernel |
183 | * These are twiddled via the input/output structs in the above |
184 | * wrapper/unwrapper functions. |
185 | */ |
186 | #define CP_RAW_KEY_WRAPPEDKEY 0x00000001 |
187 | |
188 | /* |
189 | * Function prototypes for kexts to interface with our internal cprotect |
190 | * fields; cpx provides opacity and allows us to modify behavior internally |
191 | * without requiring kext changes. |
192 | */ |
193 | cpx_t cpx_alloc(size_t key_size, bool needs_ctx); |
194 | int cpx_alloc_ctx(cpx_t cpx); |
195 | void cpx_free_ctx(cpx_t cpx); |
196 | void cpx_init(cpx_t, size_t key_len); |
197 | void cpx_init_ctx_ptr(cpx_t cpx); |
198 | void cpx_free(cpx_t); |
199 | void cpx_writeprotect(cpx_t cpx); |
200 | __attribute__((const)) size_t cpx_size(size_t key_len); |
201 | __attribute__((pure)) bool cpx_is_sep_wrapped_key(const struct cpx *); |
202 | void cpx_set_is_sep_wrapped_key(struct cpx *, bool); |
203 | __attribute__((pure)) bool cpx_is_composite_key(const struct cpx *); |
204 | void cpx_set_is_composite_key(struct cpx *, bool); |
205 | __attribute__((pure)) bool cpx_use_offset_for_iv(const struct cpx *); |
206 | void cpx_set_use_offset_for_iv(struct cpx *, bool); |
207 | __attribute__((pure)) bool cpx_synthetic_offset_for_iv(const struct cpx *); |
208 | void cpx_set_synthetic_offset_for_iv(struct cpx *, bool); |
209 | __attribute__((pure)) uint16_t cpx_key_len(const struct cpx *); |
210 | void cpx_set_key_len(struct cpx *, uint16_t key_len); |
211 | __attribute__((pure)) void *cpx_key(const struct cpx *); |
212 | aes_encrypt_ctx *cpx_iv_aes_ctx(struct cpx *); |
213 | void cpx_flush(cpx_t cpx); |
214 | bool cpx_can_copy(const struct cpx *src, const struct cpx *dst); |
215 | void cpx_copy(const struct cpx *src, cpx_t dst); |
216 | uint16_t cpx_max_key_len(const struct cpx *cpx); |
217 | bool cpx_has_key(const struct cpx *cpx); |
218 | size_t cpx_sizex(const struct cpx *cpx); |
219 | void cpx_set_aes_iv_key(struct cpx *cpx, void *iv_key); |
220 | |
221 | int cp_key_store_action(cp_key_store_action_t); |
222 | int cp_key_store_action_for_volume(uuid_t volume_uuid, cp_key_store_action_t action); |
223 | cp_key_os_version_t cp_os_version(void); |
224 | // Should be cp_key_class_t but HFS has a conflicting definition |
225 | int cp_is_valid_class(int isdir, int32_t protectionclass); |
226 | |
227 | __END_DECLS |
228 | |
229 | #endif /* KERNEL_PRIVATE */ |
230 | #endif /* !_SYS_CPROTECT_H_ */ |
231 | |