From 2ccea6496efc054c21c5ed397f3caff8d4992957 Mon Sep 17 00:00:00 2001 From: Joe Richey Date: Thu, 2 Mar 2017 10:15:23 -0800 Subject: metadata: introduce protobuf structures This commit adds in the metadata package. The primary purpose of this package is to provide the on-disk metadata structures in the form of protocol buffers. This includes: - Policy metadata structure - Protector metadata structure - Config file structure - All necessary sub-structures (wrapped keys, parameters, etc) This commit also adds in an example usage of the Config structure, which represents the structure of the global config file. All the package does at this point is convert between the Config structure and a JSON representation. Here we introduce govendor, which is described more in the README. This means we will have all of our Go dependencies in the vendor subdirectory. This means we will have no Go source dependencies, only dependencies on the build tools (Go and govendor). The README describes this in detail. Note that we commit the generated files. see: https://blog.golang.org/generate Change-Id: Iaacd46666b5d3e4e865a0f4045dd63ed7e3d6f96 --- Makefile | 21 ++- README.md | 43 +++-- metadata/config.go | 45 ++++++ metadata/config_test.go | 77 +++++++++ metadata/metadata.pb.go | 415 ++++++++++++++++++++++++++++++++++++++++++++++++ metadata/metadata.proto | 95 +++++++++++ 6 files changed, 675 insertions(+), 21 deletions(-) create mode 100644 metadata/config.go create mode 100644 metadata/config_test.go create mode 100644 metadata/metadata.pb.go create mode 100644 metadata/metadata.proto diff --git a/Makefile b/Makefile index b891387..0c38d91 100644 --- a/Makefile +++ b/Makefile @@ -29,10 +29,10 @@ ifdef LDFLAGS GOFLAGS += --ldflags '-extldflags "$(LDFLAGS)"' endif -.PHONY: default all $(NAME) go lint format install clean +.PHONY: default all $(NAME) go update lint format install clean default: $(NAME) -all: format lint go $(NAME) +all: update go format lint $(NAME) $(NAME): @mkdir -p $(BUILD_DIR) @@ -40,18 +40,23 @@ $(NAME): # Makes sure go files build and tests pass go: - go build $(GOFLAGS) ./... - go test $(GOFLAGS) ./... + govendor generate $(GOFLAGS) +local + govendor build $(GOFLAGS) +local + govendor test $(GOFLAGS) +local + +update: + @govendor fetch +external +vendor +missing + @govendor remove +unused lint: - @golint ./... || true - @go vet ./... + @golint $$(go list ./... | grep -v vendor) | grep -v "pb.go" || true + @govendor vet +local format: - go fmt ./... + @govendor fmt +local install: - go install $(GOFLAGS) ./... + govendor install $(GOFLAGS) +local clean: rm -rf $(BUILD_DIR) diff --git a/README.md b/README.md index c1ed4e2..ba31826 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,7 @@ more managed environment and handling more functionality in the background. `fscrypt` has a [design document](https://goo.gl/55cCrI) that discusses many of the higher level design choices that were made. + Specifically, `fscrypt` contains the following functionality: * Telling the time (but this is a stub program) @@ -68,11 +69,15 @@ git clone [REDACTED] $GOPATH/src/fscrypt ``` You will also want to add `$GOPATH/bin` to your `$PATH`. +`fscrypt` has the following build dependencies: +* `make` +* A C compiler ('gcc' or 'clang') +* Go + Once this is setup, you can run `make fscrypt` to build the executable in -`build/fscrypt`. The only other build dependencies are `make` and a C compiler. -Pass `"LDFLAGS += -static"` to `make` to get a static executable. If a Go -project contains C code, the go compiler produces a dynamically linked binary by -default. +`build/fscrypt`. Pass `"LDFLAGS += -static"` to `make` to get a static +executable. If a Go project contains C code, the go compiler produces a +dynamically linked binary by default. ## Running and Installing @@ -87,22 +92,34 @@ TODO ## Contributing -If you are making changes to the `fscrypt` component, you will need the -following additional commands: -* `make go` - Checks that all the go files build and tests pass. +If you are making changes to the `fscrypt` component, you will need to have +[govendor](https://github.com/kardianos/govendor) installed, and you will want +to use the following additional commands: +* `make update` - Updates the dependencies in the `vendor/` directory. +* `make go` - Generates, builds, and tests all the Go code. Requires + [protoc (v3.0 or later)](https://github.com/google/protobuf/releases) and + [protoc-gen-go](https://github.com/golang/protobuf). * `make format` - Formats all of the go code. -* `make lint` - Checks the code for style errors, requires - [`golint`](https://github.com/golang/lint) to be installed. -* `make all` - Does the above three commands and builds `fscrypt`. +* `make lint` - Checks the code for style errors. Requires + [`golint`](https://github.com/golang/lint). +* `make all` - Runs the above commands and builds `fscrypt`. + +These commands should be run before submitting any changes. Make sure that `$GOPATH/bin` is in you `$PATH`. All the above dependencies can be installed with: -```bash +``` bash +# Grab the latest version of protoc from github.com/google/protobuf/releases +> curl -L > protoc.zip +> unzip protoc.zip -d protoc +> sudo mv protoc/bin/protoc /usr/local/bin/ +> rm -rf protoc.zip protoc/ +# Grab the go packages in the standard manner +> go get -u github.com/golang/protobuf/protoc-gen-go +> go get -u github.com/kardianos/govendor > go get -u github.com/golang/lint/golint ``` -These commands should be run before submitting any changes. - ## Known Issues None so far! diff --git a/metadata/config.go b/metadata/config.go new file mode 100644 index 0000000..1d73755 --- /dev/null +++ b/metadata/config.go @@ -0,0 +1,45 @@ +/* + * config.go - Parsing for our global config file. The file is simply the JSON + * output of the Config protocol buffer. + * + * Copyright 2017 Google Inc. + * Author: Joe Richey (joerichey@google.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + +// Package metadata contains all of the on disk structures. +// These structures are definied in meatadata.proto. The package also +// contains functions for reading and writing the Config file to disk +// giving us a config file. +package metadata + +//go:generate protoc --go_out=. metadata.proto +import "github.com/golang/protobuf/jsonpb" + +// WriteConfig outputs the Config data as nicely formatted JSON +func WriteConfig(config *Config) (string, error) { + m := jsonpb.Marshaler{ + EmitDefaults: false, + EnumsAsInts: false, + Indent: "\t", + OrigName: true, + } + return m.MarshalToString(config) +} + +// ReadConfig writes the JSON data into the config structure +func ReadConfig(input string) (*Config, error) { + config := new(Config) + return config, jsonpb.UnmarshalString(input, config) +} diff --git a/metadata/config_test.go b/metadata/config_test.go new file mode 100644 index 0000000..ecdd44f --- /dev/null +++ b/metadata/config_test.go @@ -0,0 +1,77 @@ +/* + * config_test.go - Tests the processing of the config file + * + * Copyright 2017 Google Inc. + * Author: Joe Richey (joerichey@google.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + +package metadata + +import ( + "reflect" + "testing" +) + +var testConfig = &Config{ + Source: SourceType_custom_passphrase, + HashCosts: &HashingCosts{ + Time: 10, + Memory: 1 << 12, + Parallelism: 8, + }, + Compatibility: "", + Options: &EncryptionOptions{ + Padding: 32, + ContentsMode: EncryptionMode_XTS, + FilenamesMode: EncryptionMode_CTS, + }, +} + +var testConfigString = `{ + "source": "custom_passphrase", + "hash_costs": { + "time": "10", + "memory": "4096", + "parallelism": "8" + }, + "options": { + "padding": "32", + "contents_mode": "XTS", + "filenames_mode": "CTS" + } +}` + +// Makes sure that writing a config and reading it back gives the same thing. +func TestWrite(t *testing.T) { + str, err := WriteConfig(testConfig) + if err != nil { + t.Fatal(err) + } + t.Logf("json encoded config:\n%s", str) + if str != testConfigString { + t.Errorf("did not match: %s", testConfigString) + } +} + +func TestRead(t *testing.T) { + cfg, err := ReadConfig(testConfigString) + if err != nil { + t.Fatal(err) + } + t.Logf("decoded config:\n%s", cfg) + if !reflect.DeepEqual(cfg, testConfig) { + t.Errorf("did not match: %s", testConfig) + } +} diff --git a/metadata/metadata.pb.go b/metadata/metadata.pb.go new file mode 100644 index 0000000..68001e9 --- /dev/null +++ b/metadata/metadata.pb.go @@ -0,0 +1,415 @@ +// Code generated by protoc-gen-go. +// source: metadata.proto +// DO NOT EDIT! + +/* +Package metadata is a generated protocol buffer package. + +It is generated from these files: + metadata.proto + +It has these top-level messages: + HashingCosts + WrappedKeyData + ProtectorData + EncryptionOptions + WrappedPolicyKey + PolicyData + Config +*/ +package metadata + +import proto "github.com/golang/protobuf/proto" +import fmt "fmt" +import math "math" + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package + +// Specifies the method in which an outside secret is obtained for a Protector +type SourceType int32 + +const ( + SourceType_none SourceType = 0 + SourceType_pam_passphrase SourceType = 1 + SourceType_custom_passphrase SourceType = 2 + SourceType_raw_key SourceType = 3 +) + +var SourceType_name = map[int32]string{ + 0: "none", + 1: "pam_passphrase", + 2: "custom_passphrase", + 3: "raw_key", +} +var SourceType_value = map[string]int32{ + "none": 0, + "pam_passphrase": 1, + "custom_passphrase": 2, + "raw_key": 3, +} + +func (x SourceType) String() string { + return proto.EnumName(SourceType_name, int32(x)) +} +func (SourceType) EnumDescriptor() ([]byte, []int) { return fileDescriptor0, []int{0} } + +// Type of encryption, should match the declarations of FS_ENCRYPTION_MODE +type EncryptionMode int32 + +const ( + EncryptionMode_default EncryptionMode = 0 + EncryptionMode_XTS EncryptionMode = 1 + EncryptionMode_GCM EncryptionMode = 2 + EncryptionMode_CBC EncryptionMode = 3 + EncryptionMode_CTS EncryptionMode = 4 +) + +var EncryptionMode_name = map[int32]string{ + 0: "default", + 1: "XTS", + 2: "GCM", + 3: "CBC", + 4: "CTS", +} +var EncryptionMode_value = map[string]int32{ + "default": 0, + "XTS": 1, + "GCM": 2, + "CBC": 3, + "CTS": 4, +} + +func (x EncryptionMode) String() string { + return proto.EnumName(EncryptionMode_name, int32(x)) +} +func (EncryptionMode) EnumDescriptor() ([]byte, []int) { return fileDescriptor0, []int{1} } + +// Cost parameters to be used in our hashing functions. +type HashingCosts struct { + Time int64 `protobuf:"varint,2,opt,name=time" json:"time,omitempty"` + Memory int64 `protobuf:"varint,3,opt,name=memory" json:"memory,omitempty"` + Parallelism int64 `protobuf:"varint,4,opt,name=parallelism" json:"parallelism,omitempty"` +} + +func (m *HashingCosts) Reset() { *m = HashingCosts{} } +func (m *HashingCosts) String() string { return proto.CompactTextString(m) } +func (*HashingCosts) ProtoMessage() {} +func (*HashingCosts) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{0} } + +func (m *HashingCosts) GetTime() int64 { + if m != nil { + return m.Time + } + return 0 +} + +func (m *HashingCosts) GetMemory() int64 { + if m != nil { + return m.Memory + } + return 0 +} + +func (m *HashingCosts) GetParallelism() int64 { + if m != nil { + return m.Parallelism + } + return 0 +} + +// This structure is used for our authenticated wrapping/unwrapping of keys. +type WrappedKeyData struct { + IV []byte `protobuf:"bytes,1,opt,name=IV,proto3" json:"IV,omitempty"` + EncryptedKey []byte `protobuf:"bytes,2,opt,name=encrypted_key,json=encryptedKey,proto3" json:"encrypted_key,omitempty"` + Hmac []byte `protobuf:"bytes,3,opt,name=hmac,proto3" json:"hmac,omitempty"` +} + +func (m *WrappedKeyData) Reset() { *m = WrappedKeyData{} } +func (m *WrappedKeyData) String() string { return proto.CompactTextString(m) } +func (*WrappedKeyData) ProtoMessage() {} +func (*WrappedKeyData) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} } + +func (m *WrappedKeyData) GetIV() []byte { + if m != nil { + return m.IV + } + return nil +} + +func (m *WrappedKeyData) GetEncryptedKey() []byte { + if m != nil { + return m.EncryptedKey + } + return nil +} + +func (m *WrappedKeyData) GetHmac() []byte { + if m != nil { + return m.Hmac + } + return nil +} + +// The associated data for each protector +type ProtectorData struct { + ProtectorDescriptor string `protobuf:"bytes,1,opt,name=protector_descriptor,json=protectorDescriptor" json:"protector_descriptor,omitempty"` + Name string `protobuf:"bytes,2,opt,name=name" json:"name,omitempty"` + Source SourceType `protobuf:"varint,3,opt,name=source,enum=metadata.SourceType" json:"source,omitempty"` + // These are only used by some of the protector types + Costs *HashingCosts `protobuf:"bytes,4,opt,name=costs" json:"costs,omitempty"` + Salt []byte `protobuf:"bytes,5,opt,name=salt,proto3" json:"salt,omitempty"` + Uid int64 `protobuf:"varint,6,opt,name=uid" json:"uid,omitempty"` + WrappedKey *WrappedKeyData `protobuf:"bytes,7,opt,name=wrapped_key,json=wrappedKey" json:"wrapped_key,omitempty"` +} + +func (m *ProtectorData) Reset() { *m = ProtectorData{} } +func (m *ProtectorData) String() string { return proto.CompactTextString(m) } +func (*ProtectorData) ProtoMessage() {} +func (*ProtectorData) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{2} } + +func (m *ProtectorData) GetProtectorDescriptor() string { + if m != nil { + return m.ProtectorDescriptor + } + return "" +} + +func (m *ProtectorData) GetName() string { + if m != nil { + return m.Name + } + return "" +} + +func (m *ProtectorData) GetSource() SourceType { + if m != nil { + return m.Source + } + return SourceType_none +} + +func (m *ProtectorData) GetCosts() *HashingCosts { + if m != nil { + return m.Costs + } + return nil +} + +func (m *ProtectorData) GetSalt() []byte { + if m != nil { + return m.Salt + } + return nil +} + +func (m *ProtectorData) GetUid() int64 { + if m != nil { + return m.Uid + } + return 0 +} + +func (m *ProtectorData) GetWrappedKey() *WrappedKeyData { + if m != nil { + return m.WrappedKey + } + return nil +} + +// Encryption policy specifics, should match struct fscrypt_policy +type EncryptionOptions struct { + Padding int64 `protobuf:"varint,1,opt,name=padding" json:"padding,omitempty"` + ContentsMode EncryptionMode `protobuf:"varint,2,opt,name=contents_mode,json=contentsMode,enum=metadata.EncryptionMode" json:"contents_mode,omitempty"` + FilenamesMode EncryptionMode `protobuf:"varint,3,opt,name=filenames_mode,json=filenamesMode,enum=metadata.EncryptionMode" json:"filenames_mode,omitempty"` +} + +func (m *EncryptionOptions) Reset() { *m = EncryptionOptions{} } +func (m *EncryptionOptions) String() string { return proto.CompactTextString(m) } +func (*EncryptionOptions) ProtoMessage() {} +func (*EncryptionOptions) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{3} } + +func (m *EncryptionOptions) GetPadding() int64 { + if m != nil { + return m.Padding + } + return 0 +} + +func (m *EncryptionOptions) GetContentsMode() EncryptionMode { + if m != nil { + return m.ContentsMode + } + return EncryptionMode_default +} + +func (m *EncryptionOptions) GetFilenamesMode() EncryptionMode { + if m != nil { + return m.FilenamesMode + } + return EncryptionMode_default +} + +type WrappedPolicyKey struct { + ProtectorDescriptor string `protobuf:"bytes,1,opt,name=protector_descriptor,json=protectorDescriptor" json:"protector_descriptor,omitempty"` + WrappedKey *WrappedKeyData `protobuf:"bytes,2,opt,name=wrapped_key,json=wrappedKey" json:"wrapped_key,omitempty"` +} + +func (m *WrappedPolicyKey) Reset() { *m = WrappedPolicyKey{} } +func (m *WrappedPolicyKey) String() string { return proto.CompactTextString(m) } +func (*WrappedPolicyKey) ProtoMessage() {} +func (*WrappedPolicyKey) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{4} } + +func (m *WrappedPolicyKey) GetProtectorDescriptor() string { + if m != nil { + return m.ProtectorDescriptor + } + return "" +} + +func (m *WrappedPolicyKey) GetWrappedKey() *WrappedKeyData { + if m != nil { + return m.WrappedKey + } + return nil +} + +// The associated data for each policy +type PolicyData struct { + KeyDescriptor string `protobuf:"bytes,1,opt,name=key_descriptor,json=keyDescriptor" json:"key_descriptor,omitempty"` + Options *EncryptionOptions `protobuf:"bytes,2,opt,name=options" json:"options,omitempty"` + WrappedPolicyKeys []*WrappedPolicyKey `protobuf:"bytes,3,rep,name=wrapped_policy_keys,json=wrappedPolicyKeys" json:"wrapped_policy_keys,omitempty"` +} + +func (m *PolicyData) Reset() { *m = PolicyData{} } +func (m *PolicyData) String() string { return proto.CompactTextString(m) } +func (*PolicyData) ProtoMessage() {} +func (*PolicyData) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{5} } + +func (m *PolicyData) GetKeyDescriptor() string { + if m != nil { + return m.KeyDescriptor + } + return "" +} + +func (m *PolicyData) GetOptions() *EncryptionOptions { + if m != nil { + return m.Options + } + return nil +} + +func (m *PolicyData) GetWrappedPolicyKeys() []*WrappedPolicyKey { + if m != nil { + return m.WrappedPolicyKeys + } + return nil +} + +// Data stored in the config file +type Config struct { + Source SourceType `protobuf:"varint,1,opt,name=source,enum=metadata.SourceType" json:"source,omitempty"` + HashCosts *HashingCosts `protobuf:"bytes,2,opt,name=hash_costs,json=hashCosts" json:"hash_costs,omitempty"` + Compatibility string `protobuf:"bytes,3,opt,name=compatibility" json:"compatibility,omitempty"` + Options *EncryptionOptions `protobuf:"bytes,4,opt,name=options" json:"options,omitempty"` +} + +func (m *Config) Reset() { *m = Config{} } +func (m *Config) String() string { return proto.CompactTextString(m) } +func (*Config) ProtoMessage() {} +func (*Config) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{6} } + +func (m *Config) GetSource() SourceType { + if m != nil { + return m.Source + } + return SourceType_none +} + +func (m *Config) GetHashCosts() *HashingCosts { + if m != nil { + return m.HashCosts + } + return nil +} + +func (m *Config) GetCompatibility() string { + if m != nil { + return m.Compatibility + } + return "" +} + +func (m *Config) GetOptions() *EncryptionOptions { + if m != nil { + return m.Options + } + return nil +} + +func init() { + proto.RegisterType((*HashingCosts)(nil), "metadata.HashingCosts") + proto.RegisterType((*WrappedKeyData)(nil), "metadata.WrappedKeyData") + proto.RegisterType((*ProtectorData)(nil), "metadata.ProtectorData") + proto.RegisterType((*EncryptionOptions)(nil), "metadata.EncryptionOptions") + proto.RegisterType((*WrappedPolicyKey)(nil), "metadata.WrappedPolicyKey") + proto.RegisterType((*PolicyData)(nil), "metadata.PolicyData") + proto.RegisterType((*Config)(nil), "metadata.Config") + proto.RegisterEnum("metadata.SourceType", SourceType_name, SourceType_value) + proto.RegisterEnum("metadata.EncryptionMode", EncryptionMode_name, EncryptionMode_value) +} + +func init() { proto.RegisterFile("metadata.proto", fileDescriptor0) } + +var fileDescriptor0 = []byte{ + // 629 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x94, 0x51, 0x6f, 0xd3, 0x30, + 0x10, 0xc7, 0x97, 0xa4, 0x6b, 0xd7, 0x6b, 0x1b, 0x65, 0xde, 0x98, 0x22, 0x78, 0xa9, 0x0a, 0x48, + 0xd3, 0x34, 0x4d, 0x62, 0x68, 0x0f, 0x3c, 0x20, 0x04, 0x1d, 0x82, 0x31, 0x0d, 0x26, 0x6f, 0x1a, + 0x20, 0x21, 0x55, 0x5e, 0xe2, 0xad, 0x56, 0x93, 0xd8, 0xb2, 0x5d, 0x55, 0x79, 0xe3, 0x3b, 0xf0, + 0x39, 0x78, 0xe5, 0x43, 0xf0, 0xa9, 0x90, 0x9d, 0x34, 0x4d, 0x37, 0x04, 0x83, 0x97, 0xe8, 0xee, + 0x7c, 0xb9, 0xff, 0xdd, 0xcf, 0x27, 0x83, 0x9f, 0x52, 0x4d, 0x62, 0xa2, 0xc9, 0x9e, 0x90, 0x5c, + 0x73, 0xb4, 0x36, 0xf7, 0x07, 0x5f, 0xa0, 0xfb, 0x96, 0xa8, 0x31, 0xcb, 0xae, 0x87, 0x5c, 0x69, + 0x85, 0x10, 0x34, 0x34, 0x4b, 0x69, 0xe8, 0xf6, 0x9d, 0x6d, 0x0f, 0x5b, 0x1b, 0x6d, 0x41, 0x33, + 0xa5, 0x29, 0x97, 0x79, 0xe8, 0xd9, 0x68, 0xe9, 0xa1, 0x3e, 0x74, 0x04, 0x91, 0x24, 0x49, 0x68, + 0xc2, 0x54, 0x1a, 0x36, 0xec, 0x61, 0x3d, 0x34, 0xf8, 0x0c, 0xfe, 0x47, 0x49, 0x84, 0xa0, 0xf1, + 0x31, 0xcd, 0x0f, 0x89, 0x26, 0xc8, 0x07, 0xf7, 0xe8, 0x22, 0x74, 0xfa, 0xce, 0x76, 0x17, 0xbb, + 0x47, 0x17, 0xe8, 0x21, 0xf4, 0x68, 0x16, 0xc9, 0x5c, 0x68, 0x1a, 0x8f, 0x26, 0x34, 0xb7, 0xc2, + 0x5d, 0xdc, 0xad, 0x82, 0xc7, 0x34, 0x37, 0x4d, 0x8d, 0x53, 0x12, 0x59, 0xf9, 0x2e, 0xb6, 0xf6, + 0xe0, 0x9b, 0x0b, 0xbd, 0x53, 0xc9, 0x35, 0x8d, 0x34, 0x97, 0xb6, 0xf4, 0x13, 0xd8, 0x14, 0xf3, + 0xc0, 0x28, 0xa6, 0x2a, 0x92, 0x4c, 0x68, 0x2e, 0xad, 0x58, 0x1b, 0x6f, 0x54, 0x67, 0x87, 0xd5, + 0x91, 0x29, 0x9c, 0x91, 0x72, 0xda, 0x36, 0xb6, 0x36, 0xda, 0x85, 0xa6, 0xe2, 0x53, 0x19, 0x51, + 0x2b, 0xe7, 0xef, 0x6f, 0xee, 0x55, 0xf0, 0xce, 0x6c, 0xfc, 0x3c, 0x17, 0x14, 0x97, 0x39, 0x68, + 0x17, 0x56, 0x23, 0x03, 0xce, 0x4e, 0xdf, 0xd9, 0xdf, 0x5a, 0x24, 0xd7, 0xb1, 0xe2, 0x22, 0xc9, + 0xe8, 0x29, 0x92, 0xe8, 0x70, 0xb5, 0x18, 0xc4, 0xd8, 0x28, 0x00, 0x6f, 0xca, 0xe2, 0xb0, 0x69, + 0xe9, 0x19, 0x13, 0x3d, 0x83, 0xce, 0xac, 0xa0, 0x66, 0x89, 0xb4, 0x6c, 0xe5, 0x70, 0x51, 0x79, + 0x19, 0x29, 0x86, 0x59, 0xe5, 0x0f, 0xbe, 0x3b, 0xb0, 0xfe, 0xba, 0x40, 0xc7, 0x78, 0xf6, 0xc1, + 0x7e, 0x15, 0x0a, 0xa1, 0x25, 0x48, 0x1c, 0xb3, 0xec, 0xda, 0xc2, 0xf0, 0xf0, 0xdc, 0x45, 0xcf, + 0xa1, 0x17, 0xf1, 0x4c, 0xd3, 0x4c, 0xab, 0x51, 0xca, 0xe3, 0x82, 0x84, 0x5f, 0x17, 0x5b, 0x54, + 0x3b, 0xe1, 0x31, 0xc5, 0xdd, 0x79, 0xba, 0xf1, 0xd0, 0x0b, 0xf0, 0xaf, 0x58, 0x42, 0x0d, 0xb7, + 0xf2, 0x7f, 0xef, 0x2f, 0xff, 0xf7, 0xaa, 0x7c, 0xe3, 0x0e, 0xbe, 0x3a, 0x10, 0x94, 0xe3, 0x9c, + 0xf2, 0x84, 0x45, 0xb9, 0xb9, 0xee, 0xff, 0xb8, 0xc8, 0x1b, 0xc8, 0xdc, 0x7f, 0x40, 0xf6, 0xc3, + 0x01, 0x28, 0xb4, 0xed, 0x16, 0x3d, 0x06, 0x7f, 0x42, 0xf3, 0xdb, 0xb2, 0xbd, 0x09, 0xcd, 0x6b, + 0x82, 0x07, 0xd0, 0xe2, 0x05, 0xdd, 0x52, 0xec, 0xc1, 0xef, 0x46, 0x2e, 0x2f, 0x00, 0xcf, 0x73, + 0xd1, 0x3b, 0xd8, 0x98, 0xf7, 0x29, 0xac, 0xa6, 0x69, 0x57, 0x85, 0x5e, 0xdf, 0xdb, 0xee, 0xec, + 0xdf, 0xbf, 0xd5, 0x6f, 0xc5, 0x04, 0xaf, 0xcf, 0x6e, 0x44, 0xd4, 0xe0, 0xa7, 0x03, 0xcd, 0x21, + 0xcf, 0xae, 0xd8, 0x75, 0x6d, 0x67, 0x9d, 0x3b, 0xec, 0xec, 0x01, 0xc0, 0x98, 0xa8, 0xf1, 0xa8, + 0x58, 0x5c, 0xf7, 0x8f, 0x8b, 0xdb, 0x36, 0x99, 0xc5, 0xd3, 0xf0, 0xc8, 0xec, 0x4a, 0x2a, 0x88, + 0x66, 0x97, 0x2c, 0x61, 0xba, 0x78, 0x0d, 0xda, 0x78, 0x39, 0x58, 0x07, 0xd3, 0xb8, 0x3b, 0x98, + 0x9d, 0xf7, 0x00, 0x8b, 0x4e, 0xd1, 0x1a, 0x34, 0x32, 0x9e, 0xd1, 0x60, 0x05, 0x21, 0xf0, 0x05, + 0x49, 0x47, 0x82, 0x28, 0x25, 0xc6, 0x92, 0x28, 0x1a, 0x38, 0xe8, 0x1e, 0xac, 0x47, 0x53, 0xa5, + 0xf9, 0x52, 0xd8, 0x45, 0x1d, 0x68, 0x49, 0x32, 0x33, 0x40, 0x03, 0x6f, 0xe7, 0x25, 0xf8, 0xcb, + 0x9b, 0x67, 0x8e, 0x63, 0x7a, 0x45, 0xa6, 0x89, 0x0e, 0x56, 0x50, 0x0b, 0xbc, 0x4f, 0xe7, 0x67, + 0x81, 0x63, 0x8c, 0x37, 0xc3, 0x93, 0xc0, 0x35, 0xc6, 0xf0, 0xd5, 0x30, 0xf0, 0xac, 0x71, 0x7e, + 0x16, 0x34, 0x2e, 0x9b, 0xf6, 0xad, 0x7c, 0xfa, 0x2b, 0x00, 0x00, 0xff, 0xff, 0x53, 0xcd, 0x67, + 0x08, 0x3d, 0x05, 0x00, 0x00, +} diff --git a/metadata/metadata.proto b/metadata/metadata.proto new file mode 100644 index 0000000..b967407 --- /dev/null +++ b/metadata/metadata.proto @@ -0,0 +1,95 @@ +/* + * metadata.proto - File which contains all of the metadata structures which we + * write to metadata files. Must be compiled with protoc to use the library. + * Compilation can be invoked with go generate. + * + * Copyright 2017 Google Inc. + * Author: Joe Richey (joerichey@google.com) + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + +syntax = "proto3"; +package metadata; + +// Cost parameters to be used in our hashing functions. +message HashingCosts { + int64 time = 2; + int64 memory = 3; + int64 parallelism = 4; +} + +// This structure is used for our authenticated wrapping/unwrapping of keys. +message WrappedKeyData { + bytes IV = 1; + bytes encrypted_key = 2; + bytes hmac = 3; +} + +// Specifies the method in which an outside secret is obtained for a Protector +enum SourceType { + none = 0; + pam_passphrase = 1; + custom_passphrase = 2; + raw_key = 3; +} + +// The associated data for each protector +message ProtectorData { + string protector_descriptor = 1; + string name = 2; + SourceType source = 3; + + // These are only used by some of the protector types + HashingCosts costs = 4; + bytes salt = 5; + int64 uid = 6; + + WrappedKeyData wrapped_key = 7; +} + +// Type of encryption, should match the declarations of FS_ENCRYPTION_MODE +enum EncryptionMode { + default = 0; + XTS = 1; + GCM = 2; + CBC = 3; + CTS = 4; +} + +// Encryption policy specifics, should match struct fscrypt_policy +message EncryptionOptions { + int64 padding = 1; + EncryptionMode contents_mode = 2; + EncryptionMode filenames_mode = 3; +} + +message WrappedPolicyKey { + string protector_descriptor = 1; + WrappedKeyData wrapped_key = 2; +} + +// The associated data for each policy +message PolicyData { + string key_descriptor = 1; + EncryptionOptions options = 2; + repeated WrappedPolicyKey wrapped_policy_keys = 3; +} + +// Data stored in the config file +message Config { + SourceType source = 1; + HashingCosts hash_costs = 2; + string compatibility = 3; + EncryptionOptions options = 4; +} -- cgit v1.2.3