Google Git
Sign in
chromium / chromiumos / platform / tpm_init / refs/tags/0.9.112.2 / . / tpm.h
blob: d209bbec5db2e2f431958069ff6886f965585ea1 [file] [log] [blame]
// Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Tpm - class for handling init TPM initialization for Chrome OS
#include <base/lock.h>
#include <base/logging.h>
#include <base/scoped_ptr.h>
#include <chromeos/utility.h>
#include <trousers/tss.h>
#include <trousers/trousers.h>
#include "crypto.h"
#include "platform.h"
#include "secure_blob.h"
#include "tpm_status.pb.h"
#ifndef TPM_INIT_TPM_H_
#define TPM_INIT_TPM_H_
namespace tpm_init {
class Tpm {
public:
// Default constructor
Tpm();
virtual ~Tpm();
// Initializes the Tpm instance
//
// Parameters
virtual bool Init();
// Returns the number of simultaneously-loaded RSA keys that this TPM supports
int GetMaxRsaKeyCount();
// Returns the owner password if this instance was used to take ownership.
// This will only occur when the TPM is unowned, which will be on OOBE
//
// Parameters
// owner_password (OUT) - The random owner password used
bool GetOwnerPassword(chromeos::Blob* owner_password);
// Clears the owner password from storage
void ClearStoredOwnerPassword();
// Returns whether or not the TPM is enabled. This method call returns a
// cached result because querying the TPM directly will block if ownership is
// currently being taken (such as on a separate thread).
bool IsEnabled() const { return !is_disabled_; }
// Returns whether or not the TPM is owned. This method call returns a cached
// result because querying the TPM directly will block if ownership is
// currently being taken (such as on a separate thread).
bool IsOwned() const { return is_owned_; }
// Returns whether or not the SRK is available
bool IsSrkAvailable() const { return is_srk_available_; }
// Returns whether or not the TPM is being owned
bool IsBeingOwned() const { return is_being_owned_; }
// Runs the TPM initialization sequence. This may take a long time due to the
// call to Tspi_TPM_TakeOwnership.
bool InitializeTpm(bool* OUT_took_ownership);
// Gets random bytes from the TPM
//
// Parameters
// length - The number of bytes to get
// data (OUT) - The random data from the TPM
bool GetRandomData(size_t length, chromeos::Blob* data);
private:
// Tries to connect to the TPM
virtual TSS_HCONTEXT Connect();
// Disconnects from the TPM
virtual void Disconnect(TSS_HCONTEXT context_handle);
// Gets a handle to the SRK
bool LoadSrk(TSS_HCONTEXT context_handle, TSS_HKEY* srk_handle,
TSS_RESULT* result);
// Loads the contents of the file specified into a blob
bool LoadFileBytes(const FilePath& path, chromeos::Blob* blob);
// Stores the TPM owner password to the TpmStatus object
bool StoreOwnerPassword(const chromeos::Blob& owner_password,
TpmStatus* tpm_status);
// Retrieves the TPM owner password
bool LoadOwnerPassword(const TpmStatus& tpm_status,
chromeos::Blob* owner_password);
// Loads the TpmStatus object
bool LoadTpmStatus(TpmStatus* serialized);
// Saves the TpmStatus object
bool StoreTpmStatus(const TpmStatus& serialized);
// Attempts to connect to tcsd
//
// Parameters
// context_handle (OUT) - The context handle to the session on success
bool OpenAndConnectTpm(TSS_HCONTEXT* context_handle);
// Returns the maximum simultaneously-loaded RSA key count for the TPM
// specified by the context handle
//
// Parameters
// context_handle - The context handle for the TPM session
int GetMaxRsaKeyCountForContext(TSS_HCONTEXT context_handle);
// Returns whether or not the TPM is disabled by checking a flag in the TPM's
// entry in /sys/class/misc
bool IsDisabledCheckViaSysfs();
// Returns whether or not the TPM is owned by checking a flag in the TPM's
// entry in /sys/class/misc
bool IsOwnedCheckViaSysfs();
// Returns whether or not the TPM is enabled and owned using a call to
// Tspi_TPM_GetCapability
//
// Parameters
// context_handle - The context handle for the TPM session
// enabled (OUT) - Whether the TPM is enabled
// owned (OUT) - Whether the TPM is owned
void IsEnabledOwnedCheckViaContext(TSS_HCONTEXT context_handle,
bool* enabled, bool* owned);
// Attempts to create the endorsement key in the TPM
//
// Parameters
// context_handle - The context handle for the TPM session
bool CreateEndorsementKey(TSS_HCONTEXT context_handle);
// Delegates ownership authority
//
// Parameters
// context_handle - The context handle for the TPM session
bool DelegateTpmOwnership(TSS_HCONTEXT context_handle, TSS_HTPM tpm_handle,
SecureBlob* delegation_blob);
// Checks to see if the endorsement key is available by attempting to get its
// public key
//
// Parameters
// context_handle - The context handle for the TPM session
bool IsEndorsementKeyAvailable(TSS_HCONTEXT context_handle);
// Creates a random owner password
//
// Parameters
// password (OUT) - the generated password
void CreateOwnerPassword(SecureBlob* password);
// Attempts to take ownership of the TPM
//
// Parameters
// context_handle - The context handle for the TPM session
// max_timeout_tries - The maximum number of attempts to make if the call
// times out, which it may occasionally do
bool TakeOwnership(TSS_HCONTEXT context_handle, int max_timeout_tries,
const SecureBlob& owner_password);
// Zeros the SRK password (sets it to an empty string)
//
// Parameters
// context_handle - The context handle for the TPM session
// owner_password - The owner password for the TPM
bool ZeroSrkPassword(TSS_HCONTEXT context_handle,
const SecureBlob& owner_password);
// Removes usage restrictions on the SRK
//
// Parameters
// context_handle - The context handle for the TPM session
// owner_password - The owner password for the TPM
bool UnrestrictSrk(TSS_HCONTEXT context_handle,
const SecureBlob& owner_password);
// Changes the owner password
//
// Parameters
// context_handle - The context handle for the TPM session
// previous_owner_password - The previous owner password for the TPM
// owner_password - The owner password for the TPM
bool ChangeOwnerPassword(TSS_HCONTEXT context_handle,
const SecureBlob& previous_owner_password,
const SecureBlob& owner_password);
// Gets a handle to the TPM from the specified context
//
// Parameters
// context_handle - The context handle for the TPM session
// tpm_handle (OUT) - The handle for the TPM on success
bool GetTpm(TSS_HCONTEXT context_handle, TSS_HTPM* tpm_handle);
// Gets a handle to the TPM from the specified context with the given owner
// password
//
// Parameters
// context_handle - The context handle for the TPM session
// owner_password - The owner password to use when getting the handle
// tpm_handle (OUT) - The handle for the TPM on success
bool GetTpmWithAuth(TSS_HCONTEXT context_handle,
const SecureBlob& owner_password,
TSS_HTPM* tpm_handle);
// Test the TPM auth by calling Tspi_TPM_GetStatus
//
// Parameters
// tpm_handle = The TPM handle
bool TestTpmAuth(TSS_HTPM tpm_handle);
// The default Crypto instance to use (for generating the random owner
// password)
scoped_ptr<Crypto> default_crypto_;
// The actual Crypto instance to use
Crypto* crypto_;
// The default Platform instance to use
scoped_ptr<Platform> default_platform_;
// The actual Platform instance to use
Platform* platform_;
// If TPM ownership is taken, owner_password_ contains the password used
SecureBlob owner_password_;
// Used to provide thread-safe access to owner_password_, as it is set in the
// initialization background thread.
Lock password_sync_lock_;
// Indicates if the TPM is disabled
bool is_disabled_;
// Indicates if the TPM is owned
bool is_owned_;
// Indicates if the SRK is available
bool is_srk_available_;
// Indicates if the TPM is being owned
bool is_being_owned_;
DISALLOW_COPY_AND_ASSIGN(Tpm);
};
} // namespace tpm_init
#endif // TPM_INIT_TPM_H_