service,cryptohome: wire up lockbox to dbus

service.cc

 // Copyright (c) 2009 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "service.h"
 
 #include <stdio.h>
 #include <stdlib.h>
 
 #include <base/file_util.h>
 #include <base/logging.h>
 #include <base/string_util.h>
 #include <base/time.h>
 #include <chromeos/dbus/dbus.h>
+#include <string>
+#include <vector>
 
 #include "cryptohome/marshal.glibmarshal.h"
 #include "cryptohome_event_source.h"
 #include "interface.h"
 #include "crypto.h"
+#include "lockbox.h"
 #include "mount.h"
 #include "secure_blob.h"
 #include "tpm.h"
 #include "username_passkey.h"
 #include "vault_keyset.pb.h"
 
 // Forcibly namespace the dbus-bindings generated server bindings instead of
 // modifying the files afterward.
 namespace cryptohome {  // NOLINT
 namespace gobject {  // NOLINT
@@ skipping 49 matching lines @@
       system_salt_(),
       default_mount_(new cryptohome::Mount()),
       mount_(default_mount_.get()),
       default_tpm_init_(new TpmInit()),
       tpm_init_(default_tpm_init_.get()),
       initialize_tpm_(true),
       mount_thread_(kMountThreadName),
       async_complete_signal_(-1),
       tpm_init_signal_(-1),
       event_source_(),
-      auto_cleanup_period_(kAutoCleanupPeriodMS) {
+      auto_cleanup_period_(kAutoCleanupPeriodMS),
+      default_lockbox_(new cryptohome::Lockbox()),
+      lockbox_(default_lockbox_.get()) {
 }
 
 Service::~Service() {
   if (loop_)
     g_main_loop_unref(loop_);
   if (cryptohome_)
     g_object_unref(cryptohome_);
   if (mount_thread_.IsRunning()) {
     mount_thread_.Stop();
   }
 }
 
 bool Service::Initialize() {
   bool result = true;
 
   mount_->Init();
+  // If the TPM is unowned or doesn't exist, it's safe for
+  // this function to be called again. However, it shouldn't
+  // be called across multiple threads in parallel.

[gauravsh, 2011/04/11 04:03:20]

Is this comment for InitializeLockBox()? If so, can you add the comment in the
header definition too.

[Will Drewry, 2011/04/13 16:04:59]

The part that is relevant (thread safety) is in the header for both
InstallAttributes and Lockbox.

+  InitializeLockbox();
+
   Tpm* tpm = const_cast<Tpm*>(mount_->get_crypto()->get_tpm());
-  if (tpm && initialize_tpm_) {
+   if (tpm && initialize_tpm_) {
     tpm_init_->set_tpm(tpm);
     tpm_init_->Init(this);
     if (!SeedUrandom()) {
       LOG(ERROR) << "FAILED TO SEED /dev/urandom AT START";
     }
   }
-
   // Install the type-info for the service with dbus.
   dbus_g_object_type_install_info(gobject::cryptohome_get_type(),
                                   &gobject::dbus_glib_cryptohome_object_info);
   if (!Reset()) {
     result = false;
   }
 
   async_complete_signal_ = g_signal_new("async_call_status",
                                         gobject::cryptohome_get_type(),
                                         G_SIGNAL_RUN_LAST,
@@ skipping 24 matching lines @@
 
   // Start scheduling periodic cleanup events.  Note, that the first
   // event will be called by Chrome explicitly from the login screen.
   mount_thread_.message_loop()->PostDelayedTask(
       FROM_HERE, NewRunnableMethod(this, &Service::AutoCleanupCallback),
       auto_cleanup_period_);
 
   return result;
 }
 
+void Service::InitializeLockbox() {

[gauravsh, 2011/04/11 04:03:20]

Should this return true or false? Otherwise the caller will never know if the
initialization succeeded?

[Will Drewry, 2011/04/13 16:04:59]

The caller doesn't matter as much unless we want cryptohome to do the freaking
out.  We haven't yet decided if cryptohomed, session_manager, or CHrome should
freak out if the InstallAttributes are broken.  THat said, they fail such that
they look empty so it's "safe" to just hang out.

+  Tpm* tpm = const_cast<Tpm*>(mount_->get_crypto()->get_tpm());
+  // Don't call this until the TPM is owned.
+  if (tpm && !tpm->IsOwned())
+    return;
+  // tpm will be NULL if the system lacks one.
+  lockbox_->Init(tpm,
+                 Lockbox::kDefaultNvramIndex,
+                 Lockbox::kDefaultPath);
+}
+
 bool Service::SeedUrandom() {
   SecureBlob random;
   if (!tpm_init_->GetRandomData(kDefaultRandomSeedLength, &random)) {
     LOG(ERROR) << "Could not get random data from the TPM";
     return false;
   }
   size_t written = file_util::WriteFile(FilePath(kDefaultEntropySource),
       static_cast<const char*>(random.const_data()), random.size());
   if (written != random.size()) {
     LOG(ERROR) << "Error writing data to /dev/urandom";
@@ skipping 30 matching lines @@
 
 void Service::NotifyEvent(CryptohomeEventBase* event) {
   if (!strcmp(event->GetEventName(), kMountTaskResultEventType)) {
     MountTaskResult* result = static_cast<MountTaskResult*>(event);
     g_signal_emit(cryptohome_, async_complete_signal_, 0, result->sequence_id(),
                   result->return_status(), result->return_code());
   } else if (!strcmp(event->GetEventName(), kTpmInitStatusEventType)) {
     TpmInitStatus* result = static_cast<TpmInitStatus*>(event);
     g_signal_emit(cryptohome_, tpm_init_signal_, 0, tpm_init_->IsTpmReady(),
                   tpm_init_->IsTpmEnabled(), result->get_took_ownership());
+    // TODO(wad) should we package up a Lockbox status here too?
   }
 }
 
 void Service::InitializeTpmComplete(bool status, bool took_ownership) {
   if (took_ownership) {
     MountTaskResult ignored_result;
     base::WaitableEvent event(true, false);
     MountTaskResetTpmContext* mount_task =
         new MountTaskResetTpmContext(NULL, mount_);
     mount_task->set_result(&ignored_result);
     mount_task->set_complete_event(&event);
     mount_thread_.message_loop()->PostTask(FROM_HERE, mount_task);
     event.Wait();
+    // Initialize the install-time locked attributes since we
+    // can't do it prior to ownership.
+    InitializeLockbox();
   }
   // The event source will free this object
   TpmInitStatus* tpm_init_status = new TpmInitStatus();
   tpm_init_status->set_status(status);
   tpm_init_status->set_took_ownership(took_ownership);
   event_source_.AddEvent(tpm_init_status);
 }
 
 gboolean Service::CheckKey(gchar *userid,
                            gchar *key,
@@ skipping 328 matching lines @@
     tpm_init_->StartInitializeTpm();
   }
   return TRUE;
 }
 
 gboolean Service::TpmClearStoredPassword(GError** error) {
   tpm_init_->ClearStoredTpmPassword();
   return TRUE;
 }
 
+gboolean Service::LockboxGet(gchar* name,
+                             GArray** OUT_value,
+                             gboolean* OUT_successful,
+                             GError** error) {
+  chromeos::Blob value;
+  *OUT_successful = lockbox_->Get(name, &value);
+  *OUT_value = g_array_new(false, false, sizeof(char));
+  if (*OUT_successful)
+    g_array_append_vals(*OUT_value, &value.front(), value.size());
+  return TRUE;
+}
+
+gboolean Service::LockboxSet(gchar* name,
+                             GArray* value,
+                             gboolean* OUT_successful,
+                             GError** error) {
+  // Convert from GArray to vector
+  chromeos::Blob value_blob;
+  value_blob.assign(value->data, value->data + value->len);
+  *OUT_successful = lockbox_->Set(name, value_blob);
+  return TRUE;
+}
+
+gboolean Service::LockboxLock(gboolean* OUT_locked, GError** error) {
+  *OUT_locked = lockbox_->Lock();
+  return TRUE;
+}
+
+gboolean Service::LockboxCount(gint* OUT_count, GError** error) {
+  // TODO(wad) for all of these functions return error on uninit.
+  // Follow the CHROMEOS_LOGIN_ERROR quark example in chromeos/dbus/
+  *OUT_count = lockbox_->Count();
+  return TRUE;
+}
+
+gboolean Service::LockboxIsReady(gboolean* OUT_ready, GError** error) {
+  // Initialization is handled automatically when possible and async
+  // notification implies readiness.  This allows other code to poll.
+  *OUT_ready = (lockbox_->initialized() == true);
+  return TRUE;
+}
+
+gboolean Service::LockboxIsLocked(gboolean* OUT_locked, GError** error) {
+  *OUT_locked = (lockbox_->locked() == true);
+  return TRUE;
+}
+
+gboolean Service::LockboxIsSecure(gboolean* OUT_secure, GError** error) {
+  *OUT_secure = (lockbox_->secure() == true);
+  return TRUE;
+}
+
+gboolean Service::LockboxIsTampered(gboolean* OUT_tampered, GError** error) {
+  *OUT_tampered = (lockbox_->tampered() == true);
+  return TRUE;
+}
+
+gboolean Service::LockboxIsLegacy(gboolean* OUT_legacy, GError** error) {
+  *OUT_legacy = (lockbox_->legacy() == true);
+  return TRUE;
+}
+
 gboolean Service::GetStatusString(gchar** OUT_status, GError** error) {
   Tpm::TpmStatusInfo tpm_status;
   mount_->get_crypto()->EnsureTpm(false);
   Tpm* tpm = const_cast<Tpm*>(mount_->get_crypto()->get_tpm());
 
   if (tpm) {
     tpm->GetStatus(true, &tpm_status);
   } else {
     Tpm::GetSingleton()->GetStatus(true, &tpm_status);
   }
@@ skipping 40 matching lines @@
           " (UTC)\n",
           ((serialized.flags() &
             cryptohome::SerializedVaultKeyset::TPM_WRAPPED) ? "1" : "0"),
           ((serialized.flags() &
             cryptohome::SerializedVaultKeyset::SCRYPT_WRAPPED) ? "1" : "0"),
           exploded.month, exploded.day_of_month, exploded.year,
           exploded.hour, exploded.minute, exploded.second);
 
     } while(false);
   }
+  int lockbox_size = lockbox_->Count();
+  std::string lockbox_data("Lockbox Contents:\n");
+  if (lockbox_->Count()) {
+    std::string name;
+    chromeos::Blob value;
+    for (int pair = 0; pair < lockbox_size; ++pair) {
+      lockbox_data += StringPrintf(

[gauravsh, 2011/04/11 04:03:20]

is using += as efficient as using append()? (not that efficiency may matter that
much here).

[Will Drewry, 2011/04/13 16:04:59]

No idea.  Done.

[gauravsh, 2011/04/14 07:39:52]

Yeah, it seems either append or += is ok. What's not ok is using +. That creates
temp copies and is a waste of energy.

+        "  Index...........................: %d\n", pair);
+      if (lockbox_->GetNameByIndex(pair, &name) &&
+          lockbox_->GetValueByIndex(pair, &value)) {
+        std::string value_str(reinterpret_cast<const char*>(&value[0]),
+                              value.size());
+        lockbox_data += StringPrintf(
+          "  Name............................: %s\n"
+          "  Value...........................: %s\n",
+          name.c_str(),
+          value_str.c_str());
+      }
+    }
+  }
 
   *OUT_status = g_strdup_printf(
       "TPM Status:\n"
       "  Enabled.........................: %s\n"
       "  Owned...........................: %s\n"
       "  Being Owned.....................: %s\n"
       "  Can Connect.....................: %s\n"
       "  Can Load SRK....................: %s\n"
       "  Can Load SRK Public.............: %s\n"
       "  Has Cryptohome Key..............: %s\n"
       "  Can Encrypt.....................: %s\n"
       "  Can Decrypt.....................: %s\n"
       "  Instance Context................: %s\n"
       "  Instance Key Handle.............: %s\n"
       "  Last Error......................: %08x\n"
       "%s"
       "Mount Status:\n"
-      "  Vault Is Mounted................: %s\n",
+      "  Vault Is Mounted................: %s\n"
+      "Lockbox Status:\n"
+      "  Initialized.....................: %s\n"
+      "  Secure..........................: %s\n"
+      "  Legacy..........................: %s\n"
+      "  Locked..........................: %s\n"
+      "  Tampered........................: %s\n"
+      "  Entries.........................: %d\n"
+      "%s",
       (tpm_status.Enabled ? "1" : "0"),
       (tpm_status.Owned ? "1" : "0"),
       (tpm_status.BeingOwned ? "1" : "0"),
       (tpm_status.CanConnect ? "1" : "0"),
       (tpm_status.CanLoadSrk ? "1" : "0"),
       (tpm_status.CanLoadSrkPublicKey ? "1" : "0"),
       (tpm_status.HasCryptohomeKey ? "1" : "0"),
       (tpm_status.CanEncrypt ? "1" : "0"),
       (tpm_status.CanDecrypt ? "1" : "0"),
       (tpm_status.ThisInstanceHasContext ? "1" : "0"),
       (tpm_status.ThisInstanceHasKeyHandle ? "1" : "0"),
       tpm_status.LastTpmError,
       user_data.c_str(),
-      (mount_->IsCryptohomeMounted() ? "1" : "0"));
+      (mount_->IsCryptohomeMounted() ? "1" : "0"),
+      (lockbox_->initialized() ? "1" : "0"),
+      (lockbox_->secure() ? "1" : "0"),
+      (lockbox_->legacy() ? "1" : "0"),
+      (lockbox_->locked() ? "1" : "0"),
+      (lockbox_->tampered() ? "1" : "0"),
+      lockbox_size,
+      lockbox_data.c_str());
   return TRUE;
 }
 
 // Called on Mount thread.
 void Service::AutoCleanupCallback() {
   mount_->DoAutomaticFreeDiskSpaceControl();
 
   // Schedule our next call. If the thread is terminating, we would
   // not be called.
   mount_thread_.message_loop()->PostDelayedTask(
       FROM_HERE, NewRunnableMethod(this, &Service::AutoCleanupCallback),
       auto_cleanup_period_);
 }
 
 }  // namespace cryptohome
 
 // We do not want AutoCleanupCallback() to refer the class and make it
 // wait for its execution.  If Mount thread terminates, it will delete
 // our pending task or wait for it to finish.
 DISABLE_RUNNABLE_METHOD_REFCOUNT(cryptohome::Service);