xref: /xnu-10002.41.9/libkern/libkern/amfi/amfi.h (revision 699cd48037512bf4380799317ca44ca453c82f57) 
1 /*
2  * Copyright (c) 2020 Apple Inc. All rights reserved.
3  *
4  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5  *
6  * This file contains Original Code and/or Modifications of Original Code
7  * as defined in and that are subject to the Apple Public Source License
8  * Version 2.0 (the 'License'). You may not use this file except in
9  * compliance with the License. The rights granted to you under the License
10  * may not be used to create, or enable the creation or redistribution of,
11  * unlawful or unlicensed copies of an Apple operating system, or to
12  * circumvent, violate, or enable the circumvention or violation of, any
13  * terms of an Apple operating system software license agreement.
14  *
15  * Please obtain a copy of the License at
16  * http://www.opensource.apple.com/apsl/ and read it before using this file.
17  *
18  * The Original Code and all software distributed under the License are
19  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23  * Please see the License for the specific language governing rights and
24  * limitations under the License.
25  *
26  * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27  */
28 
29 #ifndef __AMFI_H
30 #define __AMFI_H
31 
32 #include <os/base.h>
33 #include <sys/cdefs.h>
34 #include <kern/cs_blobs.h>
35 
36 #define KERN_AMFI_INTERFACE_VERSION 6
37 #define KERN_AMFI_SUPPORTS_DATA_ALLOC 2
38 
39 #pragma mark Forward Declarations
40 struct proc;
41 struct cs_blob;
42 
43 #pragma mark Type Defines
44 typedef struct proc* proc_t;
45 
46 #if XNU_KERNEL_PRIVATE
47 #define CORE_ENTITLEMENTS_I_KNOW_WHAT_IM_DOING
48 #include <CoreEntitlements/CoreEntitlementsPriv.h>
49 #endif
50 
51 typedef void (*amfi_OSEntitlements_invalidate)(void* osentitlements);
52 typedef void* (*amfi_OSEntitlements_asDict)(void* osentitlements);
53 typedef CEError_t (*amfi_OSEntitlements_query)(void* osentitlements, uint8_t cdhash[CS_CDHASH_LEN], CEQuery_t query, size_t queryLength);
54 typedef bool (*amfi_OSEntitlements_get_transmuted_blob)(void* osentitlements, const CS_GenericBlob **blob);
55 typedef bool (*amfi_OSEntitlements_get_xml_blob)(void* osentitlements, CS_GenericBlob **blob);
56 typedef bool (*amfi_get_legacy_profile_exemptions)(const uint8_t **profile, size_t *profileLength);
57 typedef bool (*amfi_get_udid)(const uint8_t **udid, size_t *udidLength);
58 typedef void* (*amfi_query_context_to_object)(CEQueryContext_t ctx);
59 
60 #pragma mark OSEntitlements
61 
62 #define KERN_AMFI_SUPPORTS_OSENTITLEMENTS_API 1
63 #define OSENTITLEMENTS_INTERFACE_VERSION 1u
64 
65 typedef kern_return_t (*OSEntitlements_adjustContextWithMonitor)(
66 	void* os_entitlements,
67 	const CEQueryContext_t ce_ctx,
68 	const void *monitor_sig_obj,
69 	const char *identity,
70 	const uint32_t code_signing_flags
71 	);
72 
73 typedef kern_return_t (*OSEntitlements_adjustContextWithoutMonitor)(
74 	void* os_entitlements,
75 	struct cs_blob *code_signing_blob
76 	);
77 
78 typedef kern_return_t (*OSEntitlements_queryEntitlementBoolean)(
79 	const void *os_entitlements,
80 	const char *entitlement_name
81 	);
82 
83 typedef kern_return_t (*OSEntitlements_queryEntitlementBooleanWithProc)(
84 	const proc_t proc,
85 	const char *entitlement_name
86 	);
87 
88 typedef kern_return_t (*OSEntitlements_queryEntitlementString)(
89 	const void *os_entitlements,
90 	const char *entitlement_name,
91 	const char *entitlement_value
92 	);
93 
94 typedef kern_return_t (*OSEntitlements_queryEntitlementStringWithProc)(
95 	const proc_t proc,
96 	const char *entitlement_name,
97 	const char *entitlement_value
98 	);
99 
100 typedef kern_return_t (*OSEntitlements_copyEntitlementAsOSObject)(
101 	const void *os_entitlements,
102 	const char *entitlement_name,
103 	void **entitlement_object
104 	);
105 
106 typedef kern_return_t (*OSEntitlements_copyEntitlementAsOSObjectWithProc)(
107 	const proc_t proc,
108 	const char *entitlement_name,
109 	void **entitlement_object
110 	);
111 
112 typedef struct _OSEntitlementsInterface {
113 	uint32_t version;
114 	OSEntitlements_adjustContextWithMonitor adjustContextWithMonitor;
115 	OSEntitlements_adjustContextWithoutMonitor adjustContextWithoutMonitor;
116 	OSEntitlements_queryEntitlementBoolean queryEntitlementBoolean;
117 	OSEntitlements_queryEntitlementBooleanWithProc queryEntitlementBooleanWithProc;
118 	OSEntitlements_queryEntitlementString queryEntitlementString;
119 	OSEntitlements_queryEntitlementStringWithProc queryEntitlementStringWithProc;
120 	OSEntitlements_copyEntitlementAsOSObject copyEntitlementAsOSObject;
121 	OSEntitlements_copyEntitlementAsOSObjectWithProc copyEntitlementAsOSObjectWithProc;
122 } OSEntitlementsInterface_t;
123 
124 #pragma mark libTrustCache
125 
126 #include <TrustCache/API.h>
127 #define KERN_AMFI_SUPPORTS_TRUST_CACHE_API 1
128 #define TRUST_CACHE_INTERFACE_VERSION 3u
129 
130 typedef TCReturn_t (*constructInvalid_t)(
131 	TrustCache_t *trustCache,
132 	const uint8_t *moduleAddr,
133 	size_t moduleSize
134 	);
135 
136 typedef TCReturn_t (*checkRuntimeForUUID_t)(
137 	const TrustCacheRuntime_t *runtime,
138 	const uint8_t checkUUID[kUUIDSize],
139 	const TrustCache_t **trustCacheRet
140 	);
141 
142 typedef TCReturn_t (*loadModule_t)(
143 	TrustCacheRuntime_t *runtime,
144 	const TCType_t type,
145 	TrustCache_t *trustCache,
146 	const uintptr_t dataAddr,
147 	const size_t dataSize
148 	);
149 
150 typedef TCReturn_t (*load_t)(
151 	TrustCacheRuntime_t *runtime,
152 	TCType_t type,
153 	TrustCache_t *trustCache,
154 	const uintptr_t payloadAddr,
155 	const size_t payloadSize,
156 	const uintptr_t manifestAddr,
157 	const size_t manifestSize
158 	);
159 
160 typedef TCReturn_t (*extractModule_t)(
161 	TrustCache_t *trustCache,
162 	const uint8_t *dataAddr,
163 	size_t dataSize
164 	);
165 
166 typedef TCReturn_t (*query_t)(
167 	const TrustCacheRuntime_t *runtime,
168 	TCQueryType_t queryType,
169 	const uint8_t CDHash[kTCEntryHashSize],
170 	TrustCacheQueryToken_t *queryToken
171 	);
172 
173 typedef TCReturn_t (*getModule_t)(
174 	const TrustCache_t *trustCache,
175 	const uint8_t **moduleAddrRet,
176 	size_t *moduleSizeRet
177 	);
178 
179 typedef TCReturn_t (*getUUID_t)(
180 	const TrustCache_t *trustCache,
181 	uint8_t returnUUID[kUUIDSize]
182 	);
183 
184 typedef TCReturn_t (*getCapabilities_t)(
185 	const TrustCache_t *trustCache,
186 	TCCapabilities_t *capabilities
187 	);
188 
189 typedef TCReturn_t (*queryGetTCType_t)(
190 	const TrustCacheQueryToken_t *queryToken,
191 	TCType_t *typeRet
192 	);
193 
194 typedef TCReturn_t (*queryGetCapabilities_t)(
195 	const TrustCacheQueryToken_t *queryToken,
196 	TCCapabilities_t *capabilities
197 	);
198 
199 typedef TCReturn_t (*queryGetHashType_t)(
200 	const TrustCacheQueryToken_t *queryToken,
201 	uint8_t *hashTypeRet
202 	);
203 
204 typedef TCReturn_t (*queryGetFlags_t)(
205 	const TrustCacheQueryToken_t *queryToken,
206 	uint64_t *flagsRet
207 	);
208 
209 typedef TCReturn_t (*queryGetConstraintCategory_t)(
210 	const TrustCacheQueryToken_t *queryToken,
211 	uint8_t *constraintCategoryRet
212 	);
213 
214 typedef struct _TrustCacheInterface {
215 	uint32_t version;
216 	loadModule_t loadModule;
217 	load_t load;
218 	query_t query;
219 	getCapabilities_t getCapabilities;
220 	queryGetTCType_t queryGetTCType;
221 	queryGetCapabilities_t queryGetCapabilities;
222 	queryGetHashType_t queryGetHashType;
223 	queryGetFlags_t queryGetFlags;
224 	queryGetConstraintCategory_t queryGetConstraintCategory;
225 
226 	/* Available since interface version 3 */
227 	constructInvalid_t constructInvalid;
228 	checkRuntimeForUUID_t checkRuntimeForUUID;
229 	extractModule_t extractModule;
230 	getModule_t getModule;
231 	getUUID_t getUUID;
232 } TrustCacheInterface_t;
233 
234 #pragma mark Main AMFI Structure
235 
236 typedef struct _amfi {
237 	amfi_OSEntitlements_invalidate OSEntitlements_invalidate;
238 	amfi_OSEntitlements_asDict OSEntitlements_asdict;
239 	amfi_OSEntitlements_query OSEntitlements_query;
240 	amfi_OSEntitlements_get_transmuted_blob OSEntitlements_get_transmuted;
241 	amfi_OSEntitlements_get_xml_blob OSEntitlements_get_xml;
242 	coreentitlements_t CoreEntitlements;
243 	amfi_get_legacy_profile_exemptions get_legacy_profile_exemptions;
244 	amfi_get_udid get_udid;
245 	amfi_query_context_to_object query_context_to_object;
246 
247 #if KERN_AMFI_SUPPORTS_TRUST_CACHE_API
248 	/* Interface to interact with libTrustCache */
249 	TrustCacheInterface_t TrustCache;
250 #endif
251 
252 #if KERN_AMFI_SUPPORTS_OSENTITLEMENTS_API
253 	/* Interface to interact with OSEntitlements */
254 	OSEntitlementsInterface_t OSEntitlements;
255 #endif
256 } amfi_t;
257 
258 __BEGIN_DECLS
259 
260 /*!
261  * @const amfi
262  * The AMFI interface that was registered.
263  */
264 extern const amfi_t * amfi;
265 
266 /*!
267  * @function amfi_interface_register
268  * Registers the AMFI kext interface for use within the kernel proper.
269  *
270  * @param mfi
271  * The interface to register.
272  *
273  * @discussion
274  * This routine may only be called once and must be called before late-const has
275  * been applied to kernel memory.
276  */
277 OS_EXPORT OS_NONNULL1
278 void
279 amfi_interface_register(const amfi_t *mfi);
280 
281 __END_DECLS
282 
283 #endif // __AMFI_H
284