1//
2// Copyright (C) 2015 The Android Open Source Project
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8//      http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15//
16
17#ifndef TPM_MANAGER_SERVER_TPM2_NVRAM_IMPL_H_
18#define TPM_MANAGER_SERVER_TPM2_NVRAM_IMPL_H_
19
20#include "tpm_manager/server/tpm_nvram.h"
21
22#include <memory>
23#include <string>
24
25#include <base/macros.h>
26#include <trunks/trunks_factory.h>
27
28#include "tpm_manager/common/tpm_manager.pb.h"
29#include "tpm_manager/server/local_data_store.h"
30
31namespace tpm_manager {
32
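// A TpmNvram implementation backed by a TPM 2.0 device. All index values are
// the 'index' portion of an NV handle and must fit in 24 bits.
//
// NOTE(review): every method takes the index as a full uint32_t; nothing in
// this header enforces the 24-bit limit. Confirm the implementation rejects
// out-of-range values instead of masking or truncating them, so that two
// different caller-supplied values can never refer to the same NV space.
//
// Authorization values and the owner password are carried as std::string.
// std::string does not clear its buffer when it is destroyed, so copies of
// these secrets can remain in process memory after a call returns; callers
// that hold them for long should clear them explicitly.
class Tpm2NvramImpl : public TpmNvram {
 public:
  // Does not take ownership of arguments. |factory| is stored by reference and
  // |local_data_store| as a raw pointer, so both must outlive this object.
  Tpm2NvramImpl(const trunks::TrunksFactory& factory,
                LocalDataStore* local_data_store);
  ~Tpm2NvramImpl() override = default;

  // TpmNvram methods. The contract of each method is defined by the TpmNvram
  // interface; the notes below cover only what the signatures show.

  // |authorization_value| and |policy| are supplied when the space is defined;
  // see GetPolicyRecord() / SavePolicyRecord() for how policy data is kept.
  NvramResult DefineSpace(uint32_t index,
                          size_t size,
                          const std::vector<NvramSpaceAttribute>& attributes,
                          const std::string& authorization_value,
                          NvramSpacePolicy policy) override;
  // Takes no authorization value from the caller.
  // NOTE(review): presumably authorized with the owner session (see
  // SetupOwnerSession()) -- confirm in the implementation.
  NvramResult DestroySpace(uint32_t index) override;
  NvramResult WriteSpace(uint32_t index,
                         const std::string& data,
                         const std::string& authorization_value) override;
  // |data| is an output parameter.
  // NOTE(review): confirm |data| is left empty or untouched on failure, so a
  // caller that ignores the NvramResult cannot consume stale contents.
  NvramResult ReadSpace(uint32_t index,
                        std::string* data,
                        const std::string& authorization_value) override;
  NvramResult LockSpace(uint32_t index,
                        bool lock_read,
                        bool lock_write,
                        const std::string& authorization_value) override;
  // |index_list| is an output parameter.
  NvramResult ListSpaces(std::vector<uint32_t>* index_list) override;
  // All pointer arguments are output parameters.
  NvramResult GetSpaceInfo(
      uint32_t index,
      size_t* size,
      bool* is_read_locked,
      bool* is_write_locked,
      std::vector<NvramSpaceAttribute>* attributes,
      NvramSpacePolicy* policy) override;

 private:
  // Must be called before using any data members. This may be called multiple
  // times and will be very fast if already initialized. Returns a bool;
  // callers must not touch |trunks_session_| or |trunks_utility_| when it
  // returns false.
  bool Initialize();

  // Gets the TPM owner password. Returns an empty string if not available.
  // NOTE(review): an empty result means "no owner authorization available";
  // callers should fail the operation in that case rather than attempt
  // authorization with an empty password -- confirm at each call site.
  std::string GetOwnerPassword();

  // Configures |trunks_session_| with owner authorization. Returns true on
  // success.
  // NOTE(review): |trunks_session_| is a member shared by all calls; confirm
  // that owner authorization set here is not still in effect for a later
  // operation that should use a weaker or different authorization.
  bool SetupOwnerSession();

  // Configures a new policy |session| for a given |policy_record|,
  // |authorization_value|, and |command_code|. Returns true on success.
  // |session| is supplied by the caller and is not owned by this object.
  bool SetupPolicySession(const NvramPolicyRecord& policy_record,
                          const std::string& authorization_value,
                          trunks::TPM_CC command_code,
                          trunks::PolicySession* session);

  // A helper to add policies to a |session| for a particular |command_code| and
  // |policy_record|. Returns true on success.
  bool AddPoliciesForCommand(const NvramPolicyRecord& policy_record,
                             trunks::TPM_CC command_code,
                             trunks::PolicySession* session);

  // A helper to add an OR policy to |session| based on |policy_record|. Returns
  // true on success.
  bool AddPolicyOR(const NvramPolicyRecord& policy_record,
                   trunks::PolicySession* session);

  // Computes the policy |digest| for a given |policy_record| and fills the
  // policy_digests field in the |policy_record|. |policy_record| is therefore
  // both an input and an output. Returns a bool, presumably true on success
  // like the sibling helpers.
  bool ComputePolicyDigest(NvramPolicyRecord* policy_record,
                           std::string* digest);

  // Gets the policy |record| for the given |index|. Returns true on success.
  // NOTE(review): records are saved through |local_data_store_| (see
  // SavePolicyRecord()), i.e. outside the TPM. Confirm that a missing or
  // modified record can only make authorization fail and can never result in
  // a session with a weaker policy than the one the space was defined with.
  bool GetPolicyRecord(uint32_t index, NvramPolicyRecord* record);

  // Saves a policy |record| in the local_data_store_. Returns a bool; a failed
  // save should be treated as an error by the caller, since later policy
  // sessions are set up from the stored record.
  bool SavePolicyRecord(const NvramPolicyRecord& record);

  // Best effort delete of the policy |record| for |index|. Failures are not
  // reported (void return), so a stale record may remain.
  // NOTE(review): confirm a stale record cannot be picked up when the same
  // index is defined again later.
  void DeletePolicyRecord(uint32_t index);

  // Not owned; must outlive this object.
  const trunks::TrunksFactory& trunks_factory_;
  // Not owned; must outlive this object.
  LocalDataStore* local_data_store_;
  // Guard for Initialize(). Given a default here so the flag is never read
  // with an indeterminate value, whatever the constructor's initializer list
  // does.
  bool initialized_ = false;
  // Owned. Per the Initialize() contract, valid only after Initialize() has
  // succeeded.
  std::unique_ptr<trunks::HmacSession> trunks_session_;
  std::unique_ptr<trunks::TpmUtility> trunks_utility_;

  // Grants the unit test access to the private helpers and members above.
  friend class Tpm2NvramTest;
  DISALLOW_COPY_AND_ASSIGN(Tpm2NvramImpl);
};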
121
122}  // namespace tpm_manager
123
124#endif  // TPM_MANAGER_SERVER_TPM2_NVRAM_IMPL_H_
125