author | dkrahn@google.com <dkrahn@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-08-22 10:12:06 +0000 |
---|---|---|
committer | dkrahn@google.com <dkrahn@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-08-22 10:12:06 +0000 |
commit | ce1f9de7437e0a182315313d292bec5f680215fc (patch) | |
tree | 875c5ce1fbd07a244dd4406dac164c5c59e59523 | |
parent | ef28aa5f3f4b3cab6b8881dc86bfa8a77e19f036 (diff) | |
Added a device policy: attestation for protected content.
BUG=chromium:270316
TEST=unit, manual
Review URL: https://chromiumcodereview.appspot.com/23311007
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@218979 0039d316-1c4b-4281-b951-d872f2087c98
7 files changed, 67 insertions, 6 deletions
diff --git a/chrome/app/policy/policy_templates.json b/chrome/app/policy/policy_templates.json
index 4bbb89c0..c4444fb 100644
--- a/chrome/app/policy/policy_templates.json
+++ b/chrome/app/policy/policy_templates.json
@@ -117,7 +117,7 @@
 # persistent IDs for all fields (but not for groups!) are needed. These are
 # specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
 # because doing so would break the deployed wire format!
-# For your editing convenience: highest ID currently used: 238
+# For your editing convenience: highest ID currently used: 239
 #
 # Placeholders:
 # The following placeholder strings are automatically substituted:
@@ -5313,6 +5313,24 @@
 If an extension is not in the list, or the list is not set, the call to the API will fail with an error code.''',
 },
+ {
+ 'name': 'AttestationForContentProtectionEnabled',
+ 'type': 'main',
+ 'schema': { 'type': 'boolean' },
+ 'supported_on': ['chrome_os:31-'],
+ 'features': {
+ 'dynamic_refresh': True,
+ },
+ 'device_only': True,
+ 'example_value': True,
+ 'id': 239,
+ 'caption': '''Enable the use of remote attestation for content protection for the device.''',
+ 'desc': '''Chrome OS devices can use remote attestation (Verified Access) to get a certificate issued by the Chrome OS CA that asserts the device is eligible to play protected content. This process involves sending hardware endorsement information to the Chrome OS CA which uniquely identifies the device.
+
+ If this setting is false, the device will not use remote attestation for content protection and the device may be unable to play protected content.
+
+ If this setting is true, or if it is not set, remote attestation may be used for content protection.''',
+ },
 ],
 },
 {
diff --git a/chrome/browser/chromeos/policy/device_policy_decoder_chromeos.cc b/chrome/browser/chromeos/policy/device_policy_decoder_chromeos.cc
index a0438e0..3af92ae 100644
--- a/chrome/browser/chromeos/policy/device_policy_decoder_chromeos.cc
+++ b/chrome/browser/chromeos/policy/device_policy_decoder_chromeos.cc
@@ -640,6 +640,15 @@ void DecodeGenericPolicies(const em::ChromeDeviceSettingsProto& policy,
 policy.attestation_settings().attestation_enabled()),
 NULL);
 }
+ if (policy.attestation_settings().has_content_protection_enabled()) {
+ policies->Set(
+ key::kAttestationForContentProtectionEnabled,
+ POLICY_LEVEL_MANDATORY,
+ POLICY_SCOPE_MACHINE,
+ Value::CreateBooleanValue(
+ policy.attestation_settings().content_protection_enabled()),
+ NULL);
+ }
 }
 if (policy.has_login_screen_power_management()) {
diff --git a/chrome/browser/chromeos/settings/cros_settings_names.cc b/chrome/browser/chromeos/settings/cros_settings_names.cc
index ac3369d..560f36d 100644
--- a/chrome/browser/chromeos/settings/cros_settings_names.cc
+++ b/chrome/browser/chromeos/settings/cros_settings_names.cc
@@ -130,7 +130,13 @@ const char kStartUpFlags[] = "cros.startup_flags";
 const char kVariationsRestrictParameter[] = "cros.variations_restrict_parameter";
-// A boolean pref that indicates whether attestation is enabled for the device.
+// A boolean pref that indicates whether enterprise attestation is enabled for
+// the device.
 const char kDeviceAttestationEnabled[] = "cros.device.attestation_enabled";
+// A boolean pref that indicates whether attestation for content protection is
+// enabled for the device.
+const char kAttestationForContentProtectionEnabled[] =
+ "cros.device.attestation_for_content_protection_enabled";
+
 } // namespace chromeos
diff --git a/chrome/browser/chromeos/settings/cros_settings_names.h b/chrome/browser/chromeos/settings/cros_settings_names.h
index eff6785..ece245d 100644
--- a/chrome/browser/chromeos/settings/cros_settings_names.h
+++ b/chrome/browser/chromeos/settings/cros_settings_names.h
@@ -73,6 +73,8 @@ extern const char kKioskDisableBailoutShortcut[];
 extern const char kVariationsRestrictParameter[];
 extern const char kDeviceAttestationEnabled[];
+extern const char kAttestationForContentProtectionEnabled[];
+
 } // namespace chromeos
 #endif // CHROME_BROWSER_CHROMEOS_SETTINGS_CROS_SETTINGS_NAMES_H_
diff --git a/chrome/browser/chromeos/settings/device_settings_provider.cc b/chrome/browser/chromeos/settings/device_settings_provider.cc
index 7816dc7..547854b 100644
--- a/chrome/browser/chromeos/settings/device_settings_provider.cc
+++ b/chrome/browser/chromeos/settings/device_settings_provider.cc
@@ -56,6 +56,7 @@ const char* kKnownSettings[] = {
 kAllowRedeemChromeOsRegistrationOffers,
 kAllowedConnectionTypesForUpdate,
 kAppPack,
+ kAttestationForContentProtectionEnabled,
 kDeviceAttestationEnabled,
 kDeviceOwner,
 kIdleLogoutTimeout,
@@ -386,6 +387,15 @@ void DeviceSettingsProvider::SetInPolicy() {
 } else {
 NOTREACHED();
 }
+ } else if (prop == kAttestationForContentProtectionEnabled) {
+ em::AttestationSettingsProto* attestation_settings =
+ device_settings_.mutable_attestation_settings();
+ bool setting_enabled;
+ if (value->GetAsBoolean(&setting_enabled)) {
+ attestation_settings->set_content_protection_enabled(setting_enabled);
+ } else {
+ NOTREACHED();
+ }
 } else {
 // The remaining settings don't support Set(), since they are not
 // intended to be customizable by the user:
@@ -741,6 +751,12 @@ void DeviceSettingsProvider::DecodeGenericPolicies(
 new_values_cache->SetBoolean(
 kDeviceAttestationEnabled,
 policy.attestation_settings().attestation_enabled());
+
+ new_values_cache->SetBoolean(
+ kAttestationForContentProtectionEnabled,
+ !(policy.has_attestation_settings() &&
+ policy.attestation_settings().has_content_protection_enabled() &&
+ policy.attestation_settings().content_protection_enabled()));
 }
 void DeviceSettingsProvider::UpdateValuesCache(
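Review bot: The condition added in the `@@ -741,6 +751,12 @@` hunk of device_settings_provider.cc looks inverted: `!(has_attestation_settings() && has_content_protection_enabled() && content_protection_enabled())` caches `false` only when the policy is explicitly `true`, and caches `true` when it is explicitly `false`. The policy text added in this same commit says `false` must turn remote attestation for content protection off and that an unset policy means allowed, so as written an administrator's opt-out would not take effect and the device could still send its hardware endorsement information to the Chrome OS CA. Negating the last term gives the documented default-on behaviour: `!policy.attestation_settings().content_protection_enabled()));`. The new policy_test_cases.json entry is empty, so nothing visible on this page pins the three cases (unset, true, false); a unit test for each would catch this. The body of DecodeGenericPolicies starts and ends outside the hunk.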
diff --git a/chrome/browser/policy/proto/chromeos/chrome_device_policy.proto b/chrome/browser/policy/proto/chromeos/chrome_device_policy.proto
index befa190..9e78633 100644
--- a/chrome/browser/policy/proto/chromeos/chrome_device_policy.proto
+++ b/chrome/browser/policy/proto/chromeos/chrome_device_policy.proto
@@ -350,12 +350,19 @@ message VariationsParameterProto {
 message AttestationSettingsProto {
 // Attestation involves proving that a cryptographic key is protected by a
 // legitimate Chrome OS TPM and reporting the operating mode of the platform.
- // This setting enables attestation features at a device level. If this is
- // enabled a machine key will be generated and certified by the Chrome OS
- // CA. If this setting is disabled, the device will not communicate with the
- // Chrome OS CA under any circumstances. Even users with attestation settings
+ // This setting enables enterprise attestation features at a device level. If
+ // this is enabled a machine key will be generated and certified by the Chrome
+ // OS CA. If this setting is disabled, even users with attestation settings
 // enabled will not be able to use those features on the device.
 optional bool attestation_enabled = 1;
+
+ // Chrome OS devices can use remote attestation (Verified Access) to get a
+ // certificate issued by the Chrome OS CA that asserts the device is eligible
+ // to play protected content. This process involves sending hardware
+ // endorsement information to the Chrome OS CA which uniquely identifies the
+ // device. This setting allows this feature to be disabled for the device
+ // regardless of any user-specific settings.
+ optional bool content_protection_enabled = 2;
 }
 message AccessibilitySettingsProto {
diff --git a/chrome/test/data/policy/policy_test_cases.json b/chrome/test/data/policy/policy_test_cases.json
index e2849f0..19745e6 100644
--- a/chrome/test/data/policy/policy_test_cases.json
+++ b/chrome/test/data/policy/policy_test_cases.json
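Review bot: The comment on `content_protection_enabled` does not say what an absent field means, and for an `optional bool` the accessor returns false when the field is unset, while the policy description treats "not set" as enabled. A reader who calls `content_protection_enabled()` without first checking `has_content_protection_enabled()` therefore gets the opposite of the documented default. I would add a line such as `// If this field is not set, remote attestation for content protection is allowed.` The rewritten `attestation_enabled` comment also drops the earlier statement that a disabled device never communicates with the Chrome OS CA, so it would help to state which of the two fields now governs each kind of CA traffic.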
@@ -2058,6 +2058,9 @@
 "AttestationEnabledForDevice": {
 },
+ "AttestationForContentProtectionEnabled": {
+ },
+
 "SupervisedUsersEnabled": {
 }, |