1 #ifndef libTrustCache_TypesConfig_h
2 #define libTrustCache_TypesConfig_h
3
4 #include <sys/cdefs.h>
5 __BEGIN_DECLS
6
7 #include <TrustCache/Types.h>
8
9 #if XNU_KERNEL_PRIVATE
10 /*
11 * The AppleImage4 API definitions are accessed through the 'img4if' indirection
12 * layer within XNU itself. Kernel extensions can access them directly from the
13 * AppleImage4 headers.
14 */
15 #include <libkern/img4/interface.h>
16 #endif
17
18 #if !XNU_KERNEL_PRIVATE
19 /*
20 * XNU does not make this header available and uses different availability macros
21 * than kernel extensions or base user-space applications.
22 */
23 #include <TargetConditionals.h>
24 #endif
25
26 #pragma mark Chip Environments
27
28 static const img4_chip_t*
chipEnvironmentPersonalized(void)29 chipEnvironmentPersonalized(void) {
30 return img4_chip_select_personalized_ap();
31 }
32
33 static const img4_chip_t*
chipEnvironmentCategorized(void)34 chipEnvironmentCategorized(void) {
35 return img4_chip_select_categorized_ap();
36 }
37
38 static const img4_chip_t*
chipEnvironmentGlobalFF00(void)39 chipEnvironmentGlobalFF00(void) {
40 return IMG4_CHIP_AP_SOFTWARE_FF00;
41 }
42
43 static const img4_chip_t*
chipEnvironmentGlobalFF01(void)44 chipEnvironmentGlobalFF01(void) {
45 return IMG4_CHIP_AP_SOFTWARE_FF01;
46 }
47
48 static const img4_chip_t*
chipEnvironmentGlobalFF06(void)49 chipEnvironmentGlobalFF06(void) {
50 return IMG4_CHIP_AP_SOFTWARE_FF06;
51 }
52
53 static const img4_chip_t*
chipEnvironmentEphemeralCryptex(void)54 chipEnvironmentEphemeralCryptex(void) {
55 return IMG4_CHIP_AP_SUPPLEMENTAL;
56 }
57
58 static const img4_chip_t*
chipEnvironmentCryptex1Boot(void)59 chipEnvironmentCryptex1Boot(void) {
60 #if IMG4_API_VERSION >= 20211126
61 return img4_chip_select_cryptex1_boot();
62 #else
63 return NULL;
64 #endif
65 }
66
67 static const img4_chip_t*
chipEnvironmentCryptex1PreBoot(void)68 chipEnvironmentCryptex1PreBoot(void) {
69 #if IMG4_API_VERSION >= 20211126
70 return img4_chip_select_cryptex1_preboot();
71 #else
72 return NULL;
73 #endif
74 }
75
76 static const img4_chip_t*
chipEnvironmentCryptex1MobileAsset(void)77 chipEnvironmentCryptex1MobileAsset(void) {
78 #if IMG4_API_VERSION >= 20211126
79 return IMG4_CHIP_CRYPTEX1_ASSET;
80 #else
81 return NULL;
82 #endif
83 }
84
85 static const img4_chip_t*
chipEnvironmentSafariDownlevel(void)86 chipEnvironmentSafariDownlevel(void) {
87 #if IMG4_API_VERSION >= 20211126
88 return IMG4_CHIP_CRYPTEX1_BOOT_REDUCED;
89 #else
90 return NULL;
91 #endif
92 }
93
94 #pragma mark Nonce Domains
95
96 static const img4_nonce_domain_t*
nonceDomainTrustCache(void)97 nonceDomainTrustCache(void) {
98 return IMG4_NONCE_DOMAIN_TRUST_CACHE;
99 }
100
101 static const img4_nonce_domain_t*
nonceDomainDDI(void)102 nonceDomainDDI(void) {
103 return IMG4_NONCE_DOMAIN_DDI;
104 }
105
106 static const img4_nonce_domain_t*
nonceDomainCryptex(void)107 nonceDomainCryptex(void) {
108 return IMG4_NONCE_DOMAIN_CRYPTEX;
109 }
110
111 static const img4_nonce_domain_t*
nonceDomainEphemeralCryptex(void)112 nonceDomainEphemeralCryptex(void) {
113 return IMG4_NONCE_DOMAIN_EPHEMERAL_CRYPTEX;
114 }
115
116 static const img4_nonce_domain_t*
nonceDomainPDI(void)117 nonceDomainPDI(void) {
118 return IMG4_NONCE_DOMAIN_PDI;
119 }
120
121 #pragma mark Firmware Flags
122
123 static img4_firmware_flags_t
firmwareFlagsDTRS(void)124 firmwareFlagsDTRS(void) {
125 return IMG4_FIRMWARE_FLAG_RESPECT_AMNM;
126 }
127
128 static img4_firmware_flags_t
firmwareFlagsSplat(void)129 firmwareFlagsSplat(void) {
130 #if XNU_TARGET_OS_OSX && (defined(__arm__) || defined(__arm64__))
131 return IMG4_FIRMWARE_FLAG_SUBSEQUENT_STAGE;
132 #elif defined(TARGET_OS_OSX) && TARGET_OS_OSX && (TARGET_CPU_ARM || TARGET_CPU_ARM64)
133 return IMG4_FIRMWARE_FLAG_SUBSEQUENT_STAGE;
134 #else
135 return IMG4_FIRMWARE_FLAG_INIT;
136 #endif
137 }
138
139 #pragma mark Type Configuration
140
141 typedef struct _TrustCacheTypeConfig {
142 /* Chip environment to use for validation */
143 const img4_chip_t* (*chipEnvironment)(void);
144
145 /* Nonce domain for anti-replay */
146 const img4_nonce_domain_t* (*nonceDomain)(void);
147
148 /* Four CC identifier for this type */
149 img4_4cc_t fourCC;
150
151 /* Firmware flags to add for this configuration */
152 img4_firmware_flags_t (*firmwareFlags)(void);
153
154 /*
155 * Higher level policy imposes restrictions on which process can load
156 * which trust cache. These restrictions are enforced through the use
157 * of the entitlement "com.apple.private.pmap.load-trust-cache". The
158 * value here is the required value of the above entitlement.
159 */
160 const char *entitlementValue;
161 } TrustCacheTypeConfig_t;
162
163 static const TrustCacheTypeConfig_t TCTypeConfig[kTCTypeTotal] = {
164 /* Static trust caches are loaded as raw modules */
165 [kTCTypeStatic] = {
166 .chipEnvironment = NULL,
167 .nonceDomain = NULL,
168 .fourCC = 0,
169 .firmwareFlags = NULL,
170 .entitlementValue = NULL
171 },
172
173 /* Engineering trust caches are loaded as raw modules */
174 [kTCTypeEngineering] = {
175 .chipEnvironment = NULL,
176 .nonceDomain = NULL,
177 .fourCC = 0,
178 .firmwareFlags = NULL,
179 .entitlementValue = NULL
180 },
181
182 /* Legacy trust caches are loaded as raw modules */
183 [kTCTypeLegacy] = {
184 .chipEnvironment = NULL,
185 .nonceDomain = NULL,
186 .fourCC = 0,
187 .firmwareFlags = NULL,
188 .entitlementValue = NULL
189 },
190
191 [kTCTypeDTRS] = {
192 .chipEnvironment = chipEnvironmentPersonalized,
193 .nonceDomain = NULL,
194 .fourCC = 'dtrs',
195 .firmwareFlags = firmwareFlagsDTRS,
196 .entitlementValue = "personalized.engineering-root"
197 },
198
199 [kTCTypeLTRS] = {
200 .chipEnvironment = chipEnvironmentPersonalized,
201 .nonceDomain = nonceDomainTrustCache,
202 .fourCC = 'ltrs',
203 .firmwareFlags = NULL,
204 .entitlementValue = "personalized.trust-cache"
205 },
206
207 [kTCTypePersonalizedDiskImage] = {
208 .chipEnvironment = chipEnvironmentPersonalized,
209 .nonceDomain = nonceDomainPDI,
210 .fourCC = 'ltrs',
211 .firmwareFlags = NULL,
212 .entitlementValue = "personalized.pdi"
213 },
214
215 [kTCTypeDeveloperDiskImage] = {
216 .chipEnvironment = chipEnvironmentCategorized,
217 .nonceDomain = nonceDomainDDI,
218 .fourCC = 'trdv',
219 .firmwareFlags = NULL,
220 .entitlementValue = "personalized.ddi"
221 },
222
223 [kTCTypeLTRSWithDDINonce] = {
224 .chipEnvironment = chipEnvironmentPersonalized,
225 .nonceDomain = nonceDomainDDI,
226 .fourCC = 'ltrs',
227 .firmwareFlags = NULL,
228 .entitlementValue = "personalized.ddi"
229 },
230
231 [kTCTypeCryptex] = {
232 .chipEnvironment = chipEnvironmentPersonalized,
233 .nonceDomain = nonceDomainCryptex,
234 .fourCC = 'ltrs',
235 .firmwareFlags = NULL,
236 .entitlementValue = "personalized.cryptex-research"
237 },
238
239 [kTCTypeEphemeralCryptex] = {
240 .chipEnvironment = chipEnvironmentEphemeralCryptex,
241 .nonceDomain = nonceDomainEphemeralCryptex,
242 .fourCC = 'ltrs',
243 .firmwareFlags = NULL,
244 .entitlementValue = "personalized.ephemeral-cryptex"
245 },
246
247 [kTCTypeUpdateBrain] = {
248 .chipEnvironment = chipEnvironmentGlobalFF00,
249 .nonceDomain = NULL,
250 .fourCC = 'ltrs',
251 .firmwareFlags = NULL,
252 .entitlementValue = "global.ota-update-brain"
253 },
254
255 [kTCTypeInstallAssistant] = {
256 .chipEnvironment = chipEnvironmentGlobalFF01,
257 .nonceDomain = NULL,
258 .fourCC = 'ltrs',
259 .firmwareFlags = NULL,
260 .entitlementValue = "global.install-assistant"
261 },
262
263 [kTCTypeBootabilityBrain] = {
264 .chipEnvironment = chipEnvironmentGlobalFF06,
265 .nonceDomain = NULL,
266 .fourCC = 'trbb',
267 .firmwareFlags = NULL,
268 .entitlementValue = "global.bootability-brain"
269 },
270
271 [kTCTypeCryptex1BootOS] = {
272 .chipEnvironment = chipEnvironmentCryptex1Boot,
273 .nonceDomain = NULL,
274 .fourCC = 'trcs',
275 .firmwareFlags = firmwareFlagsSplat,
276 .entitlementValue = "cryptex1.boot.os"
277 },
278
279 [kTCTypeCryptex1BootApp] = {
280 .chipEnvironment = chipEnvironmentCryptex1Boot,
281 .nonceDomain = NULL,
282 .fourCC = 'trca',
283 .firmwareFlags = firmwareFlagsSplat,
284 .entitlementValue = "cryptex1.boot.app"
285 },
286
287 [kTCTypeCryptex1PreBootApp] = {
288 .chipEnvironment = chipEnvironmentCryptex1PreBoot,
289 .nonceDomain = NULL,
290 .fourCC = 'trca',
291 .firmwareFlags = firmwareFlagsSplat,
292 .entitlementValue = "cryptex1.preboot.app"
293 },
294
295 [kTCTypeGlobalDiskImage] = {
296 .chipEnvironment = chipEnvironmentGlobalFF00,
297 .nonceDomain = NULL,
298 .fourCC = 'ltrs',
299 .firmwareFlags = NULL,
300 .entitlementValue = "global.pdi"
301 },
302
303 [kTCTypeMobileAssetBrain] = {
304 .chipEnvironment = chipEnvironmentCryptex1MobileAsset,
305 .nonceDomain = NULL,
306 .fourCC = 'trab',
307 .firmwareFlags = NULL,
308 .entitlementValue = "personalized.mobile-asset-brain"
309 },
310
311 [kTCTypeSafariDownlevel] = {
312 .chipEnvironment = chipEnvironmentSafariDownlevel,
313 .nonceDomain = NULL,
314 .fourCC = 'trca',
315 .firmwareFlags = NULL,
316 .entitlementValue = "cryptex1.safari-downlevel"
317 },
318
319 [kTCTypeCryptex1PreBootOS] = {
320 .chipEnvironment = chipEnvironmentCryptex1PreBoot,
321 .nonceDomain = NULL,
322 .fourCC = 'trcs',
323 .firmwareFlags = firmwareFlagsSplat,
324 .entitlementValue = "cryptex1.preboot.os"
325 }
326 };
327
328 __END_DECLS
329 #endif /* libTrustCache_TypesConfig_h */
330