# Copyright 2019 The Fuchsia Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
declare_args() {
# This argument specifies from where the system should obtain the zxcrypt
# master key to the system data partition.
#
# This value will be reified as /boot/config/zxcrypt in both the zircon boot
# image and the zedboot boot image, for consumption by fshost and the paver,
# respectively.
#
# Acceptable values are:
# * "null": the device should use an all-0's master key, as we lack support
# for any secure on-device storage. Because that key is a fixed, publicly
# known value, a volume sealed with it gets no confidentiality from zxcrypt
# against anyone who can read the underlying storage.
# * "tee": the device is required to have a Trusted Execution Environment
# (TEE) which includes the "keysafe" Trusted Application (associated with the
# KMS service). The zxcrypt master key should be derived from a per-device
# key accessible only to trusted apps running in the TEE.
# * "tee-opportunistic": the device will attempt to use keys from the TEE if
# available, but will fall back to using the null key if the key from the TEE
# does not work, or if the TEE is not functional on this device. A TEE
# failure therefore downgrades the volume to the null key instead of stopping.
# NOTE(review): whether that fallback is logged or otherwise surfaced is not
# visible from this file - confirm in fshost and the paver.
# * "tee-transitional": the device will require the use of a key from the TEE
# for new volume creation, but will continue to try both a TEE-sourced key and
# the null key when unsealing volumes. Volumes that were sealed with the null
# key therefore keep unsealing under this mode.
# NOTE(review): whether such volumes are ever re-sealed under the TEE key is
# not visible from this file - confirm.
#
# In the future, we may consider adding support for TPMs, or additional logic
# to explicitly support other fallback behavior.
#
# The default below is "null"; a build for a device with a functional TEE has
# to override it to get a key derived from the per-device TEE key.
zxcrypt_key_source = "null"
}