// Copyright 2019 The Fuchsia Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef ZXCRYPT_FDIO_VOLUME_H_
#define ZXCRYPT_FDIO_VOLUME_H_

#include <lib/fdio/fdio.h>
#include <lib/fdio/cpp/caller.h>
#include <lib/zx/channel.h>

#include <memory>

#include <fbl/function.h>
#include <fbl/string.h>
#include <fbl/unique_fd.h>
#include <fbl/vector.h>

#include "src/security/fcrypto/secret.h"
#include "src/security/zxcrypt/volume.h"

namespace zxcrypt {

// Describes what activity we are performing: creating a new volume from
// scratch, or unsealing an existing volume.  Different activities may prefer
// different key sources for migration reasons.
enum Activity {
  Create,
  Unseal,
};

enum KeySourcePolicy {
  // Always uses a key of all zeroes.
  NullSource,

  // Always uses a key from the TEE; fail if not available
  TeeRequiredSource,

  // Always uses a key from the TEE for new volumes;
  // allows fallback to null key for unsealing volumes
  TeeTransitionalSource,

  // Attempts to use a key from the TEE for new volumes and unlocking, but
  // falls back to null key if TEE key fails
  TeeOpportunisticSource,

  // someday: TpmSource variants?
};

enum KeySource {
  kNullSource,
  kTeeSource,
};

// Computes the ordered list of key sources that should be used in the context
// under the policy |ksp|.
fbl::Vector<KeySource> ComputeEffectiveCreatePolicy(KeySourcePolicy ksp);
fbl::Vector<KeySource> ComputeEffectiveUnsealPolicy(KeySourcePolicy ksp);

// Calls |callback| on a key provided by each key source in
// |ordered_key_sources| until either the callback returns ZX_OK or the callback
// has returned some error on all key sources in |ordered_key_sources|.
zx_status_t TryWithKeysFrom(
    const fbl::Vector<KeySource>& ordered_key_sources, Activity activity,
    fbl::Function<zx_status_t(std::unique_ptr<uint8_t[]>, size_t)> callback);

// |zxcrypt::FdioVolumeManager| represents a channel to an instance of a bound
// zxcrypt device (named "zxcrypt" in the device tree).
class __EXPORT FdioVolumeManager {
 public:
  explicit FdioVolumeManager(zx::channel&& chan);

  // Request that the volume provided by the manager represented by |chan| be
  // unsealed with the given key material/slot.  If successful, the driver
  // will create a child device named |unsealed| which exposes a block interface.
  zx_status_t Unseal(const uint8_t* key, size_t key_len, uint8_t slot);

  // Request that the volume provided by the manager represented by |chan| be
  // unsealed with an product-defined device key associated with the specified
  // slot.  The caller must have access to /boot/config/zxcrypt in its
  // namespace to use this function.  If successful, the driver will create a
  // child device named |unsealed| which exposes a block interface.
  zx_status_t UnsealWithDeviceKey(uint8_t slot);

  // Request that the volume provided by the manager represented by |chan| be
  // sealed.  After calling this method, it is an error to make any further
  // calls with this FdioVolumeManager.
  zx_status_t Seal();

  // Request that the volume provided by the manager represented by |chan| be
  // shredded, permanently rendering the device unable to be |Unseal|ed again in
  // the future.  This renders all data on the volume permanently inaccessible
  // once it is sealed.
  zx_status_t Shred();

 private:
  // The underlying zxcrypt device, accessed over FDIO
  zx::channel chan_;
};

// |zxcrypt::FdioVolume| is a zxcrypt volume which does IO via a file
// descriptor.  It can be used on the host to prepare zxcrypt images, and
// is often more convenient for testing.
class __EXPORT FdioVolume final : public Volume {
 public:
  explicit FdioVolume(fbl::unique_fd&& block_dev_fd, fbl::unique_fd&& devfs_root_fd);

  // Creates a new zxcrypt volume associated with the given file descriptor,
  // |block_dev_fd|, which must live in the device tree rooted at
  // |devfs_root_fd|, and returns it via |out|, if provided.  This will format
  // the block device as zxcrypt using the given |key|, which will be
  // associated with key slot 0.  This method takes ownership of
  // |block_dev_fd| and |devfs_root_fd|.  Note that |key| is not strengthened
  // and MUST have cryptographic key length of at least 128 bits.
  static zx_status_t Create(fbl::unique_fd block_dev_fd, fbl::unique_fd devfs_root_fd,
                            const crypto::Secret& key, std::unique_ptr<FdioVolume>* out = nullptr);

  // Does the same as |Create| but with the key provided by a product-defined
  // source.  The caller must have access to /boot/config/zxcrypt in its
  // namespace to use this function.
  static zx_status_t CreateWithDeviceKey(fbl::unique_fd&& block_dev_fd,
                                         fbl::unique_fd&& devfs_root_fd,
                                         std::unique_ptr<FdioVolume>* out);

  // Opens a zxcrypt volume on the block device described by |block_dev_fd|
  // (from the device tree rooted at |devfs_root_fd|) using the |key|
  // corresponding to given key |slot|.  The |block_dev_fd| parameter means
  // this method can be used from libzxcrypt. This method takes ownership of
  // |block_dev_fd| and |devfs_root_fd|.  Note that |key| is not strengthened
  // and MUST have cryptographic key length of at least 128 bits.
  static zx_status_t Unlock(fbl::unique_fd block_dev_fd, fbl::unique_fd devfs_root_fd,
                            const crypto::Secret& key, key_slot_t slot,
                            std::unique_ptr<FdioVolume>* out);

  // Opens a zxcrypt volume on the block device described by |block_dev_fd|
  // (from the device tree rooted at |devfs_root_fd|) using a key from a
  // product-defined source with the specified |slot|.  The caller must have
  // access to /boot/config/zxcrypt in their namespace to use this function.
  // This method takes ownership of |block_dev_fd| and |devfs_root_fd|.
  static zx_status_t UnlockWithDeviceKey(fbl::unique_fd block_dev_fd, fbl::unique_fd devfs_root_fd,
                                         key_slot_t slot, std::unique_ptr<FdioVolume>* out);

  // Returns a new volume object corresponding to the block device given by
  // |block_dev_fd| (which must live in the device tree hosted by
  // |devfs_root_fd|) and populated with the block and FVM information.
  static zx_status_t Init(fbl::unique_fd block_dev_fd, fbl::unique_fd devfs_root_fd,
                          std::unique_ptr<FdioVolume>* out = nullptr);

  // Opens a zxcrypt volume on the block device described by |fd| using the |key| corresponding to
  // given key |slot|.
  zx_status_t Unlock(const crypto::Secret& key, key_slot_t slot);

  // Attempts to open the zxcrypt driver device associated with the underlying
  // block device described by |fd|, binding the driver if necessary,
  // and returning a channel to the zxcrypt device node.
  zx_status_t OpenManager(const zx::duration& timeout, zx_handle_t* out);

  // Opens the block device exposed atop this volume and returns a file
  // descriptor to it via |out|, or fails if the volume isn't available within
  // |timeout|.
  zx_status_t Open(const zx::duration& timeout, fbl::unique_fd* out);

  // Adds a given |key| to the given key |slot|.  This key can then be used to |Open| the
  // zxcrypt device.  This method can only be called if the volume belongs to libzxcrypt.
  zx_status_t Enroll(const crypto::Secret& key, key_slot_t slot);

  // Removes the root key in the given key |slot|.  This key can no longer be used to |Open| the
  // zxcrypt device.  This method can only be called if the volume belongs to libzxcrypt.
  zx_status_t Revoke(key_slot_t slot);

 private:
  friend class testing::TestDevice;

  // Retrieves the block and FVM information and adjusts it
  zx_status_t Init();

  zx_status_t GetBlockInfo(BlockInfo* out);
  zx_status_t GetFvmSliceSize(uint64_t* out);
  zx_status_t DoBlockFvmVsliceQuery(uint64_t vslice_start, SliceRegion ranges[MAX_SLICE_REGIONS],
                                    uint64_t* slice_count);
  zx_status_t DoBlockFvmExtend(uint64_t start_slice, uint64_t slice_count);

  // Reads a block from the current offset on the underlying device.
  zx_status_t Read();

  // Writes a block to the current offset on the underlying device.
  zx_status_t Write();

  // OpenManager, but using a pre-created fdio_t.
  zx_status_t OpenManagerWithCaller(fdio_cpp::UnownedFdioCaller& caller, const zx::duration& timeout,
                                    zx_handle_t* out);

  // Returns the topological path of the underlying block device, relative to
  // |devfs_root_fd|
  zx_status_t RelativeTopologicalPath(fdio_cpp::UnownedFdioCaller& caller, fbl::String* out);

  // The underlying block device, accessed over FDIO
  fbl::unique_fd block_dev_fd_;

  // The root of the device tree, needed to openat() related devices via
  // constructing relative topological paths.
  fbl::unique_fd devfs_root_fd_;
};

}  // namespace zxcrypt

#endif  // ZXCRYPT_FDIO_VOLUME_H_