1/*
2 * Copyright (c) 2009-2023 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29#ifndef _SYS_CPROTECT_H_
30#define _SYS_CPROTECT_H_
31
32#ifdef KERNEL_PRIVATE
33
34#include <sys/cdefs.h>
35#include <sys/param.h>
36#include <sys/buf.h>
37#include <sys/kdebug.h>
38#include <crypto/aes.h>
39#include <stdbool.h>
40#include <uuid/uuid.h>
41#include <libkern/crypto/sha1.h>
42
43__BEGIN_DECLS
44
45#define CP_CODE(code) FSDBG_CODE(DBG_CONTENT_PROT, code)
46/*
47 * Class DBG_FSYSTEM == 0x03
48 * Subclass DBG_CONTENT_PROT == 0xCF
49 * These debug codes are of the form 0x03CFzzzz
50 */
51
52enum {
53 CPDBG_OFFSET_IO = CP_CODE(0), /* 0x03CF0000 */
54};
55
56/* normally the debug events are no-ops */
57#define CP_DEBUG(x, a, b, c, d, e) do {} while (0);
58
59/* dev kernels only! */
60#if !SECURE_KERNEL
61
62/* KDEBUG events used by content protection subsystem */
63#if 0
64#undef CP_DEBUG
65#define CP_DEBUG KERNEL_DEBUG_CONSTANT
66#endif
67
68#endif
69
70#define CP_MAX_WRAPPEDKEYSIZE 128 /* The size of the largest allowed key */
71#define VFS_CP_MAX_CACHEBUFLEN 64 /* Maximum size of the cached key */
72
73/* lock events from AppleKeyStore */
74enum {
75 CP_ACTION_LOCKED = 0,
76 CP_ACTION_UNLOCKED = 1,
77 CP_ACTION_EP_INVALIDATED = 2,
78 CP_ACTION_CX_EXPIRED = 3,
79};
80/*
81 * Ideally, cp_key_store_action_t would be an enum, but we cannot fix
82 * that until AppleKeyStore is updated.
83 */
84typedef int cp_key_store_action_t;
85
86/*
87 * It was once the case (and it may still be the case) where the lock
88 * state got conflated with the possible actions/events that
89 * AppleKeyStore can send. For that reason, the locked states below
90 * should numerically match their corresponding actions above.
91 */
92typedef unsigned char cp_lock_state_t;
93enum {
94 CP_LOCKED_STATE = 0,
95 CP_UNLOCKED_STATE = 1,
96};
97
98typedef unsigned char cp_ep_state_t;
99enum {
100 CP_EP_INVALIDATED = 0,
101};
102
103typedef unsigned char cp_cx_state_t;
104enum {
105 CP_CX_EXPIRED = 0,
106};
107
108typedef uint32_t cp_key_class_t;
109typedef uint32_t cp_key_os_version_t;
110typedef uint16_t cp_key_revision_t;
111typedef uint64_t cp_crypto_id_t;
112
113typedef struct cprotect *cprotect_t;
114typedef struct cpx *cpx_t;
115
116#ifdef BSD_KERNEL_PRIVATE
117/* Not for consumption outside of XNU */
118typedef uint32_t cpx_flags_t;
119/*
120 * This is a CPX structure with a fixed-length key buffer. We need this defined in a header
121 * so that we can use this structure to allocate the memory for the zone(s) properly.
122 */
123typedef struct fcpx {
124#ifdef DEBUG
125 uint32_t cpx_magic1;
126#endif // DEBUG
127 aes_encrypt_ctx *cpx_iv_aes_ctx_ptr;// Context used for generating the IV
128 cpx_flags_t cpx_flags;
129 uint16_t cpx_max_key_len;
130 uint16_t cpx_key_len;
131 uint8_t cpx_cached_key[VFS_CP_MAX_CACHEBUFLEN];
132 //Fixed length all the way through
133} fcpx_t;
134
135#endif // BSD_KERNEL_PRIVATE
136
137typedef struct cp_key {
138 uint8_t len;
139 void *key;
140} cp_key_t;
141
142/* Interface to AKS kext */
143typedef struct {
144 void *key;
145 unsigned key_len;
146 void *iv_key;
147 unsigned iv_key_len;
148 uint32_t flags;
149} cp_raw_key_s;
150
151typedef cp_raw_key_s* cp_raw_key_t;
152
153typedef struct {
154 void *key;
155 unsigned key_len;
156 cp_key_class_t dp_class;
157} cp_wrapped_key_s;
158
159typedef cp_wrapped_key_s* cp_wrapped_key_t;
160
161typedef struct {
162 union {
163 ino64_t inode;
164 cp_crypto_id_t crypto_id;
165 };
166 uint32_t volume;
167 pid_t pid;
168 uid_t uid;
169 cp_key_revision_t key_revision;
170} cp_cred_s;
171
172typedef cp_cred_s* cp_cred_t;
173
174/* The wrappers are invoked on the AKS kext */
175typedef int unwrapper_t(cp_cred_t access, const cp_wrapped_key_t wrapped_key_in, cp_raw_key_t key_out);
176typedef int rewrapper_t(cp_cred_t access, cp_key_class_t dp_class, const cp_wrapped_key_t wrapped_key_in, cp_wrapped_key_t wrapped_key_out);
177typedef int new_key_t(cp_cred_t access, cp_key_class_t dp_class, cp_raw_key_t key_out, cp_wrapped_key_t wrapped_key_out);
178typedef int invalidater_t(cp_cred_t access); /* invalidates keys */
179typedef int backup_key_t(cp_cred_t access, const cp_wrapped_key_t wrapped_key_in, cp_wrapped_key_t wrapped_key_out);
180
181/*
182 * Flags for Interaction between AKS / Kernel
183 * These are twiddled via the input/output structs in the above
184 * wrapper/unwrapper functions.
185 */
186#define CP_RAW_KEY_WRAPPEDKEY 0x00000001
187
188/*
189 * Function prototypes for kexts to interface with our internal cprotect
190 * fields; cpx provides opacity and allows us to modify behavior internally
191 * without requiring kext changes.
192 */
193cpx_t cpx_alloc(size_t key_size, bool needs_ctx);
194int cpx_alloc_ctx(cpx_t cpx);
195void cpx_free_ctx(cpx_t cpx);
196void cpx_init(cpx_t, size_t key_len);
197void cpx_init_ctx_ptr(cpx_t cpx);
198void cpx_free(cpx_t);
199void cpx_writeprotect(cpx_t cpx);
200__attribute__((const)) size_t cpx_size(size_t key_len);
201__attribute__((pure)) bool cpx_is_sep_wrapped_key(const struct cpx *);
202void cpx_set_is_sep_wrapped_key(struct cpx *, bool);
203__attribute__((pure)) bool cpx_is_composite_key(const struct cpx *);
204void cpx_set_is_composite_key(struct cpx *, bool);
205__attribute__((pure)) bool cpx_use_offset_for_iv(const struct cpx *);
206void cpx_set_use_offset_for_iv(struct cpx *, bool);
207__attribute__((pure)) bool cpx_synthetic_offset_for_iv(const struct cpx *);
208void cpx_set_synthetic_offset_for_iv(struct cpx *, bool);
209__attribute__((pure)) uint16_t cpx_key_len(const struct cpx *);
210void cpx_set_key_len(struct cpx *, uint16_t key_len);
211__attribute__((pure)) void *cpx_key(const struct cpx *);
212aes_encrypt_ctx *cpx_iv_aes_ctx(struct cpx *);
213void cpx_flush(cpx_t cpx);
214bool cpx_can_copy(const struct cpx *src, const struct cpx *dst);
215void cpx_copy(const struct cpx *src, cpx_t dst);
216uint16_t cpx_max_key_len(const struct cpx *cpx);
217bool cpx_has_key(const struct cpx *cpx);
218size_t cpx_sizex(const struct cpx *cpx);
219void cpx_set_aes_iv_key(struct cpx *cpx, void *iv_key);
220
221int cp_key_store_action(cp_key_store_action_t);
222int cp_key_store_action_for_volume(uuid_t volume_uuid, cp_key_store_action_t action);
223cp_key_os_version_t cp_os_version(void);
224// Should be cp_key_class_t but HFS has a conflicting definition
225int cp_is_valid_class(int isdir, int32_t protectionclass);
226
227__END_DECLS
228
229#endif /* KERNEL_PRIVATE */
230#endif /* !_SYS_CPROTECT_H_ */
231