[go: nahoru, domu]
Google Git
Sign in
chromium / chromium / src / 1c50ac95463d73117431bd2ebef3b90adb37e57a^! / . / crypto / chaps_support.h
commit1c50ac95463d73117431bd2ebef3b90adb37e57a[log] [tgz]
authorMichael Ershov <miersh@google.com>Wed Dec 02 21:01:17 2020
committerChromium LUCI CQ <chromium-scoped@luci-project-accounts.iam.gserviceaccount.com>Wed Dec 02 21:01:17 2020
treee27ea42e0fa2879c306aa0452ce91158abefa76b
parent1340989ccd024354fd3aeef5c8ade33125bbbb05 [diff] [blame]
Certificates for Lacros (MVP)

This allows Lacros-Chrome access to the system-wide TPM slot,
the per-user TPM slot, and per-user storage for certificates and
trust settings, for enterprise-managed devices where the logged-in
user is an affiliate of that enterprise.

Rather than Lacros-Chrome directly interacting with the login services,
it requests that Ash-Chrome notify it when the TPM and Cryptohome are
available, receiving the path to the per-user storage and the result
of TPM initialization. Lacros-Chrome can then initialize initialize a
connection to the TPM (via a PKCS#11 module) and initialize storage at
the path provided by Ash-Chrome.

For users that are not affiliated, Chrome today enables access to both
the per-user TPM and per-user storage. However, for Lacros-Chrome, this
is a known issue and not yet supported (crbug.com/1146430). This is
because loading the TPM unconditionally loads both the system and user
slot today, while non-affiliated users should not have access to the
system slot. The per-user storage will be loaded for all users with
this CL.

Similarly, using the system slot on the login screen is not yet
supported, and will be addressed in a follow-up (crbug.com/1146430).

Bug: 1145946
Change-Id: I2edc6e04c2de09f4c8a4d3bdca9c9ba5a9dee3fa
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2435642
Commit-Queue: Michael Ershov <miersh@google.com>
Reviewed-by: David Roger <droger@chromium.org>
Reviewed-by: Roland Bock <rbock@google.com>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Erik Chen <erikchen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#832960}

diff --git a/crypto/chaps_support.h b/crypto/chaps_support.h
new file mode 100644
index 0000000..6b44dcb
--- /dev/null
+++ b/crypto/chaps_support.h

@@ -0,0 +1,22 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CRYPTO_CHAPS_SUPPORT_H_
+#define CRYPTO_CHAPS_SUPPORT_H_
+
+#include <secmodt.h>
+
+#include "crypto/crypto_export.h"
+
+namespace crypto {
+
+// Loads chaps module for this NSS session.
+CRYPTO_EXPORT SECMODModule* LoadChaps();
+
+// Returns true if chaps is the module to which |slot| is attached.
+CRYPTO_EXPORT bool IsSlotProvidedByChaps(PK11SlotInfo* slot);
+
+}  // namespace crypto
+
+#endif  // CRYPTO_CHAPS_SUPPORT_H_