github.com/jlmucb/cloudproxy@v0.0.0-20170830161738-b5aa0b619bc4/src/tao/tao.h

github.com/jlmucb/cloudproxy@v0.0.0-20170830161738-b5aa0b619bc4/src/tao/tao.h (about)

     1  //  File: tao.h
     2  //  Author: Tom Roeder <tmroeder@google.com>
     3  //
     4  //  Description: Interface used by hosted programs to access Tao services.
     5  //
     6  //  Copyright (c) 2013, Google Inc.  All rights reserved.
     7  //
     8  // Licensed under the Apache License, Version 2.0 (the "License");
     9  // you may not use this file except in compliance with the License.
    10  // You may obtain a copy of the License at
    11  //
    12  //     http://www.apache.org/licenses/LICENSE-2.0
    13  //
    14  // Unless required by applicable law or agreed to in writing, software
    15  // distributed under the License is distributed on an "AS IS" BASIS,
    16  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    17  // See the License for the specific language governing permissions and
    18  // limitations under the License.
    19  #ifndef TAO_TAO_H_
    20  #define TAO_TAO_H_
    21  
    22  #include <string>
    23  
    24  namespace tao {
    25  using std::string;
    26  
    27  /// Tao is the fundamental Trustworthy Computing interface provided by a host to
    28  /// its hosted programs. Each level of a system can act as a host by exporting
    29  /// the Tao interface and providing Tao services to higher-level hosted
    30  /// programs.
    31  ///
    32  /// In most cases, a hosted program will use a stub Tao that performs RPC over a
    33  /// channel to its host. The details of such RPC depend on the specific
    34  /// implementation of the host: some hosted programs may use pipes to
    35  /// communicate with their host, others may use sockets, etc.
    36  class Tao {
    37   public:
    38    Tao() {}
    39    virtual ~Tao() {}
    40  
    41    /// Serialize Tao parameters for passing across fork/exec or between
    42    /// processes, if possible. Not all Tao implementations must necessarily be
    43    /// serializable.
    44    /// @param params[out] The serialized parameters.
    45    virtual bool SerializeToString(string *params) const { return false; }
    46  
    47    /// Get the Tao principal name assigned to this hosted program. The name
    48    /// encodes the full path from the root Tao, through all intermediary Tao
    49    /// hosts, to this hosted program. The name will be globally unique: different
    50    /// hosted program (for some definition of "different") will be given
    51    /// different Tao names.
    52    /// @param[out] name The full, globally-unique name of this hosted program.
    53    virtual bool GetTaoName(string *name) = 0;
    54  
    55    /// Irreversibly extend the Tao principal name of this hosted program. In
    56    /// effect, the hosted program can drop privileges by taking on the identity
    57    /// of its subprincipal.
    58    /// @param subprin The subprincipal to append to the principal name.
    59    virtual bool ExtendTaoName(const string &subprin) = 0;
    60  
    61    /// Get random bytes.
    62    /// @param size The number of bytes to get.
    63    /// @param[out] bytes The random bytes.
    64    virtual bool GetRandomBytes(size_t size, string *bytes) = 0;
    65  
    66    /// Get a shared random secret, e.g. to be used as a shared secret key.
    67    /// Some levels (i.e. the TPM) do not implement this.
    68    /// @param size The number of bytes to get.
    69    /// @param policy A policy controlling which hosted programs can get this
    70    /// secret. The semantics of this value are host-specific, except
    71    /// all Tao hosts support at least the policies defined below.
    72    /// @param[out] sealed The encrypted data.
    73    virtual bool GetSharedSecret(size_t size, const string &policy,
    74                                 string *bytes) = 0;
    75  
    76    /// Policy for shared secrets. Hosts may implement additional policies.
    77    /// @{
    78  
    79    /// The default shared secret, which corresponds roughly to "a past or future
    80    /// instance of a hosted program having a similar identity as the caller". The
    81    /// definition of "similar" is host-specific. For example, for a Linux OS, it
    82    /// may mean "has the same program binary (and is running on the same Linux OS
    83    /// platform)".
    84    constexpr static auto SharedSecretPolicyDefault = "self";
    85  
    86    /// The most conservative (but non-trivial) shared secret policy supported by
    87    /// the
    88    /// host. For example, a Linux OS may interpret this to mean "the same hosted
    89    /// program instance, including process ID, program hash and argument hash".
    90    constexpr static auto SharedSecretPolicyConservative = "few";
    91  
    92    /// The most liberal (but non-trivial) sealing policy supported by the host.
    93    /// For example, a Linux OS may interpret this to mean "any hosted program on
    94    /// the
    95    /// same Linux OS".
    96    constexpr static auto SharedSecretPolicyLiberal = "any";
    97  
    98    /// @}
    99  
   100    /// Request the Tao host sign a Statement on behalf of this hosted program.
   101    /// @param message A delegation statement to be signed. This statement is a
   102    /// serialized binary auth statement and can be created using MarshalSpeaksfor
   103    /// in util.h.
   104    /// @param[out] attestation The resulting signed attestation.
   105    virtual bool Attest(const string &message, string *attestation) = 0;
   106  
   107    /// Encrypt data so only certain hosted programs can unseal it.
   108    /// @param data The data to seal.
   109    /// @param policy A policy controlling which hosted programs can seal or
   110    /// unseal the data. The semantics of this value are host-specific, except:
   111    /// all Tao hosts support at least the policies defined below; and the policy
   112    /// must be satisfied both during Seal() and during Unseal().
   113    /// @param[out] sealed The encrypted data.
   114    /// TODO(kwalsh) Add expiration.
   115    virtual bool Seal(const string &data, const string &policy,
   116                      string *sealed) = 0;
   117  
   118    /// Decrypt data that has been sealed by the Seal() operation, but only
   119    /// if the policy specified during the Seal() operation is satisfied.
   120    /// @param sealed The sealed data to decrypt.
   121    /// @param[out] data The decrypted data, if the policy was satisfied.
   122    /// @param[out] policy The sealing policy, if it was satisfied.
   123    /// Note: The returned policy can be used as a limited integrity check, since
   124    /// only a hosted program that itself satisfies the policy could have
   125    /// performed the Seal() operation.
   126    virtual bool Unseal(const string &sealed, string *data, string *policy) = 0;
   127  
   128    // InitCounter initializes the rollback counter.
   129    virtual bool InitCounter(const string& label, int64_t& c) = 0;
   130  
   131    // GetCounter retrieved the rollback counter.
   132    virtual bool GetCounter(const string& label, int64_t* c) = 0;
   133  
   134    // RollbackProtectedSeal does a rollback protected seal.
   135    virtual bool RollbackProtectedSeal(const string& label, const string &data, const string &policy, string *sealed) = 0;
   136  
   137    // RollbackProtectedUnseal does a rollback protected unseal.
   138    virtual bool RollbackProtectedUnseal(const string &sealed, string *data, string *policy) = 0;
   139  
   140    /// Policy for sealing and unsealing. Hosts may implement additional policies.
   141    /// @{
   142  
   143    /// The default sealing policy, which corresponds roughly to "a past or future
   144    /// instance of a hosted program having a similar identity as the caller". The
   145    /// definition of "similar" is host-specific. For example, for a TPM, it may
   146    /// mean "has identical PCR values, for some subset of the PCRs". And for a
   147    /// Linux OS, it may mean "has the same program binary (and is running on the
   148    /// same Linux OS platform)".
   149    constexpr static auto SealPolicyDefault = "self";
   150  
   151    /// The most conservative (but non-trivial) sealing policy supported by the
   152    /// host. For example, a Linux OS may interpret this to mean "the same hosted
   153    /// program instance, including process ID, program hash and argument hash".
   154    constexpr static auto SealPolicyConservative = "few";
   155  
   156    /// The most liberal (but non-trivial) sealing policy supported by the host.
   157    /// For example, a TPM may interpret this to mean "any hosted program on the
   158    /// same platform". And a Linux OS might interpret this to mean "any hosted
   159    /// program on the same Linux OS".
   160    constexpr static auto SealPolicyLiberal = "any";
   161  
   162    /// @}
   163  
   164    /// Get most recent error message, or emptystring if there have been no
   165    /// errors.
   166    virtual string GetRecentErrorMessage() const = 0;
   167  
   168    // Clear the most recent error message and return the previous value, if any.
   169    virtual string ResetRecentErrorMessage() = 0;
   170  
   171    /// A context string for signed attestations.
   172    constexpr static auto AttestationSigningContext =
   173        "tao::Attestation Version 1";
   174  
   175    /// Default timeout for Attestation (= 1 year in seconds).
   176    static const int DefaultAttestationTimeout = 31556926;
   177  };
   178  }  // namespace tao
   179  
   180  #endif  // TAO_TAO_H_