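// Copyright 2014 The ChromiumOS Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef TRUNKS_AUTHORIZATION_DELEGATE_H_
#define TRUNKS_AUTHORIZATION_DELEGATE_H_

#include <cstdint>  // uint8_t, used by kContinueSession below.
#include <string>

namespace trunks {

// Single-octet flag value.
// NOTE(review): presumably the continueSession bit of the TPM 2.0 session
// attributes octet; this header does not say, so confirm against the callers.
inline constexpr uint8_t kContinueSession = 1;

// AuthorizationDelegate is an interface passed to TPM commands. The delegate
// takes care of providing the authorization data for commands and verifying
// authorization data for responses. It also handles parameter encryption for
// commands and parameter decryption for responses.
//
// Every method reports failure only through its bool return value. A caller
// that ignores a false return goes on to use authorization data, parameters
// or a nonce that the delegate did not vouch for, so each result must be
// checked before the corresponding output is used.
//
// Instances are not copyable: the copy constructor and copy assignment
// operator are deleted.
class AuthorizationDelegate {
 public:
  AuthorizationDelegate() = default;
  AuthorizationDelegate(const AuthorizationDelegate&) = delete;
  AuthorizationDelegate& operator=(const AuthorizationDelegate&) = delete;
  // Virtual so that an implementation can be destroyed through a pointer to
  // this interface.
  virtual ~AuthorizationDelegate() = default;

  // Provides authorization data for a command which has a cpHash value of
  // |command_hash|. The availability of encryption for the command is
  // indicated by |is_*_parameter_encryption_possible|. On success,
  // |authorization| is populated with the exact octets for the Authorization
  // Area of the command. Returns true on success.
  //
  // This interface does not specify the contents of |authorization| when the
  // call returns false; callers should discard it in that case.
  virtual bool GetCommandAuthorization(
      const std::string& command_hash,
      bool is_command_parameter_encryption_possible,
      bool is_response_parameter_encryption_possible,
      std::string* authorization) = 0;

  // Checks authorization data for a response which has a rpHash value of
  // |response_hash|. The exact octets from the Authorization Area of the
  // response are given in |authorization|. Returns true iff the authorization
  // is valid.
  //
  // A false return means the response was not authenticated; callers should
  // treat the response contents as untrusted and fail the command.
  virtual bool CheckResponseAuthorization(const std::string& response_hash,
                                          const std::string& authorization) = 0;

  // Encrypts |parameter| if encryption is enabled. Returns true on success.
  // |parameter| is both the input and the output of the call.
  // NOTE(review): presumably |parameter| is left unchanged and true is
  // returned when encryption is not enabled; confirm against implementations.
  virtual bool EncryptCommandParameter(std::string* parameter) = 0;

  // Decrypts |parameter| if encryption is enabled. Returns true on success.
  // |parameter| is both the input and the output of the call.
  // NOTE(review): this header does not state the required ordering relative
  // to CheckResponseAuthorization; confirm that callers verify the response
  // authorization before acting on the decrypted data.
  virtual bool DecryptResponseParameter(std::string* parameter) = 0;

  // Returns the current TPM-generated nonce that is associated with the
  // authorization session. Returns true on success; the nonce is written to
  // |nonce|.
  virtual bool GetTpmNonce(std::string* nonce) = 0;
};

}  // namespace trunks

#endif  // TRUNKS_AUTHORIZATION_DELEGATE_H_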