1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
11 #include "time-util.h"
13 #define CREDENTIAL_NAME_MAX FDNAME_MAX
15 /* Put a size limit on the individual credential */
16 #define CREDENTIAL_SIZE_MAX (1024U*1024U)
18 /* Refuse to store more than 1M per service, after all this is unswappable memory. Note that for now we put
19 * this to the same limit as the per-credential limit, i.e. if the user has n > 1 credentials instead of 1 it
20 * won't get them more space. */
21 #define CREDENTIALS_TOTAL_SIZE_MAX CREDENTIAL_SIZE_MAX
23 /* Put a size limit on encrypted credentials (which is the same as the unencrypted size plus a spacious 128K of extra
24 * space for headers, IVs, exported TPM2 key material and so on. */
25 #define CREDENTIAL_ENCRYPTED_SIZE_MAX (CREDENTIAL_SIZE_MAX + 128U*1024U)
27 bool credential_name_valid(const char *s
);
28 bool credential_glob_valid(const char *s
);
30 /* Where creds have been passed to the local execution context */
31 int get_credentials_dir(const char **ret
);
32 int get_encrypted_credentials_dir(const char **ret
);
34 int open_credentials_dir(void);
36 /* Where creds have been passed to the system */
37 #define SYSTEM_CREDENTIALS_DIRECTORY "/run/credentials/@system"
38 #define ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY "/run/credentials/@encrypted"
40 int read_credential(const char *name
, void **ret
, size_t *ret_size
); /* use in services! */
41 int read_credential_with_decryption(const char *name
, void **ret
, size_t *ret_size
); /* use in generators + pid1! */
43 int read_credential_strings_many_internal(const char *first_name
, char **first_value
, ...);
45 #define read_credential_strings_many(first_name, first_value, ...) \
46 read_credential_strings_many_internal(first_name, first_value, __VA_ARGS__, NULL)
48 int read_credential_bool(const char *name
);
50 typedef enum CredentialSecretFlags
{
51 CREDENTIAL_SECRET_GENERATE
= 1 << 0,
52 CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED
= 1 << 1,
53 CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS
= 1 << 2,
54 } CredentialSecretFlags
;
56 int get_credential_host_secret(CredentialSecretFlags flags
, struct iovec
*ret
);
58 int get_credential_user_password(const char *username
, char **ret_password
, bool *ret_is_hashed
);
60 typedef enum CredentialFlags
{
61 CREDENTIAL_ALLOW_NULL
= 1 << 0, /* allow decryption of NULL key, even if TPM is around */
62 CREDENTIAL_ANY_SCOPE
= 1 << 1, /* allow decryption of both system and user credentials */
65 /* The four modes we support: keyed only by on-disk key, only by TPM2 HMAC key, and by the combination of
66 * both, as well as one with a fixed zero length key if TPM2 is missing (the latter of course provides no
67 * authenticity or confidentiality, but is still useful for integrity protection, and makes things simpler
68 * for us to handle). */
69 #define CRED_AES256_GCM_BY_HOST SD_ID128_MAKE(5a,1c,6a,86,df,9d,40,96,b1,d5,a6,5e,08,62,f1,9a)
70 #define CRED_AES256_GCM_BY_HOST_SCOPED SD_ID128_MAKE(55,b9,ed,1d,38,59,4d,43,a8,31,9d,2e,bb,33,2a,c6)
71 #define CRED_AES256_GCM_BY_TPM2_HMAC SD_ID128_MAKE(0c,7c,c0,7b,11,76,45,91,9c,4b,0b,ea,08,bc,20,fe)
72 #define CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK SD_ID128_MAKE(fa,f7,eb,93,41,e3,41,2c,a1,a4,36,f9,5a,29,36,2f)
73 #define CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC SD_ID128_MAKE(93,a8,94,09,48,74,44,90,90,ca,f2,fc,93,ca,b5,53)
74 #define CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_SCOPED \
75 SD_ID128_MAKE(ef,4a,c1,36,79,a9,48,0e,a7,db,68,89,7f,9f,16,5d)
76 #define CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK \
77 SD_ID128_MAKE(af,49,50,a8,49,13,4e,b1,a7,38,46,30,4f,f3,0c,05)
78 #define CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK_SCOPED \
79 SD_ID128_MAKE(ad,bc,4c,a3,ef,b6,42,01,ba,88,1b,6f,2e,40,95,ea)
80 #define CRED_AES256_GCM_BY_NULL SD_ID128_MAKE(05,84,69,da,f6,f5,43,24,80,05,49,da,0f,8e,a2,fb)
82 /* Two special IDs to pick a general automatic mode (i.e. tpm2+host if TPM2 exists, only host otherwise) or
83 * an initrd-specific automatic mode (i.e. tpm2 if firmware can do it, otherwise fixed zero-length key, and
84 * never involve host keys). These IDs will never be stored on disk, but are useful only internally while
85 * figuring out what precisely to write to disk. To mark that these aren't a "real" type, we'll prefix them
86 * with an underscore. */
87 #define _CRED_AUTO SD_ID128_MAKE(a2,19,cb,07,85,b2,4c,04,b1,6d,18,ca,b9,d2,ee,01)
88 #define _CRED_AUTO_INITRD SD_ID128_MAKE(02,dc,8e,de,3a,02,43,ab,a9,ec,54,9c,05,e6,a0,71)
89 #define _CRED_AUTO_SCOPED SD_ID128_MAKE(23,88,96,85,6f,74,48,8a,9c,78,6f,6a,b0,e7,3b,6a)
91 int encrypt_credential_and_warn(sd_id128_t with_key
, const char *name
, usec_t timestamp
, usec_t not_after
, const char *tpm2_device
, uint32_t tpm2_hash_pcr_mask
, const char *tpm2_pubkey_path
, uint32_t tpm2_pubkey_pcr_mask
, uid_t uid
, const struct iovec
*input
, CredentialFlags flags
, struct iovec
*ret
);
92 int decrypt_credential_and_warn(const char *validate_name
, usec_t validate_timestamp
, const char *tpm2_device
, const char *tpm2_signature_path
, uid_t uid
, const struct iovec
*input
, CredentialFlags flags
, struct iovec
*ret
);
94 int ipc_encrypt_credential(const char *name
, usec_t timestamp
, usec_t not_after
, uid_t uid
, const struct iovec
*input
, CredentialFlags flags
, struct iovec
*ret
);
95 int ipc_decrypt_credential(const char *validate_name
, usec_t validate_timestamp
, uid_t uid
, const struct iovec
*input
, CredentialFlags flags
, struct iovec
*ret
);
97 typedef struct PickUpCredential
{
98 const char *credential_prefix
;
99 const char *target_dir
;
100 const char *filename_suffix
;
103 int pick_up_credentials(const PickUpCredential
*table
, size_t n_table_entry
);