| # Copyright 2019 The Fuchsia Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| declare_args() { |
| # This argument specifies from where the system should obtain the zxcrypt |
| # master key to the system data partition. |
| # |
| # This value be reified as /boot/config/zxcrypt in both the zircon boot image |
| # and the zedboot boot image, for consumption by fshost and the paver, |
| # respectively. |
| # |
| # Acceptable values are: |
| # * "null": the device should use an all-0's master key, as we lack support |
| # for any secure on-device storage. |
| # * "tee": the device is required to have a Trusted Execution Environment |
| # (TEE) which includes the "keysafe" Trusted Application (associated with the |
| # KMS service). The zxcrypt master key should be derived from a per-device |
| # key accessible only to trusted apps running in the TEE. |
| # * "tee-opportunistic": the device will attempt to use keys from the TEE if |
| # available, but will fall back to using the null key if the key from the TEE |
| # does not work, or if the TEE is not functional on this device. |
| # * "tee-transitional": the device will require the use of a key from the TEE |
| # for new volume creation, but will continue to try both a TEE-sourced key and |
| # the null key when unsealing volumes. |
| # |
| # In the future, we may consider adding support for TPMs, or additional logic |
| # to explicitly support other fallback behavior. |
| zxcrypt_key_source = "null" |
| } |