/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once

#include <inttypes.h>
#include <stdbool.h>
#include <sys/types.h>

#include "sd-id128.h"

#include "fd-util.h"
#include "time-util.h"

/* Credential names share the length bound of fd names (FDNAME_MAX from fd-util.h); presumably because
 * they travel through the same naming machinery — confirm against credential_name_valid(). */
#define CREDENTIAL_NAME_MAX FDNAME_MAX

/* Put a size limit on the individual credential */
#define CREDENTIAL_SIZE_MAX (1024U*1024U)

/* Refuse to store more than 1M per service, after all this is unswappable memory. Note that for now we put
 * this to the same limit as the per-credential limit, i.e. if the user has n > 1 credentials instead of 1 it
 * won't get them more space. */
#define CREDENTIALS_TOTAL_SIZE_MAX CREDENTIAL_SIZE_MAX

/* Put a size limit on encrypted credentials (which is the same as the unencrypted size plus a spacious 128K of extra
 * space for headers, IVs, exported TPM2 key material and so on). */
#define CREDENTIAL_ENCRYPTED_SIZE_MAX (CREDENTIAL_SIZE_MAX + 128U*1024U)

/* Returns true if 's' is acceptable as a credential name. The precise rules live in the implementation; at
 * minimum the CREDENTIAL_NAME_MAX bound above is expected to be enforced there — verify. Names that end up
 * as path components under the directories below should be gated on this first. */
bool credential_name_valid(const char *s);

/* Where creds have been passed to the local execution context.
 *
 * On success 0 is returned and *ret points at the directory path; the 'const char **' out-parameter
 * suggests the string is not owned by the caller (do not free) — confirm in the implementation. Failures
 * are presumably reported as negative errno-style codes, the usual systemd convention — confirm. */
int get_credentials_dir(const char **ret);
int get_encrypted_credentials_dir(const char **ret);

/* Where creds have been passed to the system */
#define SYSTEM_CREDENTIALS_DIRECTORY "/run/credentials/@system"
#define ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY "/run/credentials/@encrypted"

/* Reads the credential called 'name' into a freshly provided buffer, returned via *ret / *ret_size.
 * Given the 'void **' out-parameter the buffer is presumably heap-allocated and owned by the caller after
 * a successful call — confirm. The per-credential bound CREDENTIAL_SIZE_MAX is expected to apply here;
 * verify in the implementation. Return convention: 0 on success, negative on error (presumably). */
int read_credential(const char *name, void **ret, size_t *ret_size);

/* Flags for get_credential_host_secret(). The names indicate intent; the exact effect of each is defined
 * by the implementation — confirm there:
 *   GENERATE              — presumably create the host secret if it does not exist yet.
 *   WARN_NOT_ENCRYPTED    — presumably emit a warning when the secret's backing store is not encrypted.
 *   FAIL_ON_TEMPORARY_FS  — presumably refuse when the secret would live on a non-persistent file system. */
typedef enum CredentialSecretFlags {
        CREDENTIAL_SECRET_GENERATE = 1 << 0,
        CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED = 1 << 1,
        CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS = 1 << 2,
} CredentialSecretFlags;

/* Returns the host-wide credential secret via *ret / *ret_size (same out-parameter shape as
 * read_credential(), so presumably caller-owned heap memory — confirm). The buffer holds key material:
 * keep its lifetime short and scrub it before freeing (cf. the unswappable-memory remark above); check what
 * the implementation already does in that respect. */
int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *ret_size);

/* The four modes we support: keyed only by on-disk key, only by TPM2 HMAC key, and by the combination of
 * both, as well as one with a fixed zero length key if TPM2 is missing (the latter of course provides no
 * authenticity or confidentiality, but is still useful for integrity protection, and makes things simpler
 * for us to handle).
 *
 * Consequence for consumers: only the first three modes carry a real key. Data under
 * CRED_AES256_GCM_BY_TPM2_ABSENT must be treated as neither confidential nor authenticated, so a caller
 * that needs either property has to check which mode a credential was produced with. */
#define CRED_AES256_GCM_BY_HOST SD_ID128_MAKE(5a,1c,6a,86,df,9d,40,96,b1,d5,a6,5e,08,62,f1,9a)
#define CRED_AES256_GCM_BY_TPM2_HMAC SD_ID128_MAKE(0c,7c,c0,7b,11,76,45,91,9c,4b,0b,ea,08,bc,20,fe)
#define CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC SD_ID128_MAKE(93,a8,94,09,48,74,44,90,90,ca,f2,fc,93,ca,b5,53)
#define CRED_AES256_GCM_BY_TPM2_ABSENT SD_ID128_MAKE(05,84,69,da,f6,f5,43,24,80,05,49,da,0f,8e,a2,fb)

/* Two special IDs to pick a general automatic mode (i.e. tpm2+host if TPM2 exists, only host otherwise) or
 * an initrd-specific automatic mode (i.e. tpm2 if firmware can do it, otherwise fixed zero-length key, and
 * never involve host keys). These IDs will never be stored on disk, but are useful only internally while
 * figuring out what precisely to write to disk. To mark that these aren't a "real" type, we'll prefix them
 * with an underscore. */
#define _CRED_AUTO SD_ID128_MAKE(a2,19,cb,07,85,b2,4c,04,b1,6d,18,ca,b9,d2,ee,01)
#define _CRED_AUTO_INITRD SD_ID128_MAKE(02,dc,8e,de,3a,02,43,ab,a9,ec,54,9c,05,e6,a0,71)

/* Encrypts 'input' (input_size bytes) and returns the encrypted blob via *ret / *ret_size.
 *
 *   with_key       — one of the CRED_AES256_GCM_* mode IDs above, or _CRED_AUTO / _CRED_AUTO_INITRD to let
 *                    the implementation pick a concrete mode.
 *   name           — the credential name; the matching 'validate_name' parameter of
 *                    decrypt_credential_and_warn() suggests it is bound into the blob so that a blob cannot
 *                    be re-used under a different name — confirm in the implementation.
 *   timestamp,
 *   not_after      — creation time and presumably an expiry; 'validate_timestamp' on the decrypt side
 *                    suggests the latter is checked at decrypt time — confirm.
 *   tpm2_device    — TPM2 device to use for the TPM2-keyed modes (NULL semantics defined by the
 *                    implementation — confirm).
 *   tpm2_pcr_mask  — presumably a bit mask of PCR indices the TPM2 key is bound to — confirm.
 *
 * "_and_warn" in the name indicates the function logs on failure itself; what exactly is logged is up to
 * the implementation. Output size is expected to stay within CREDENTIAL_ENCRYPTED_SIZE_MAX — verify. */
int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size);

/* Decrypts an encrypted blob produced by encrypt_credential_and_warn() and returns the plaintext via
 * *ret / *ret_size.
 *
 *   validate_name      — expected credential name; presumably compared against the name embedded in the
 *                        blob, NULL semantics per the implementation — confirm.
 *   validate_timestamp — point in time the blob is validated against (presumably vs. its not_after) — confirm.
 *   tpm2_device        — as for the encrypt side.
 *
 * The plaintext is sensitive by construction; callers own the returned buffer (presumably, see above) and
 * should scrub it when done. */
int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const void *input, size_t input_size, void **ret, size_t *ret_size);