Use Lockstore for SQLite database encryption

Cargo.toml

@@ -9,6 +9,8 @@ members = [
   "js/src/rust",
   "netwerk/base/idna_glue",
   "netwerk/test/http3server",
+  "security/lockstore/lockstore_rs",
+  "security/lockstore/lockstore_ffi",
   "security/manager/ssl/abridged_certs",
   "security/manager/ssl/ipcclientcerts",
   "security/manager/ssl/osclientcerts",

dom/cache/Connection.cpp

@@ -245,6 +245,13 @@ Connection::CreateTable(const char* aTable, const char* aSchema) {
   return mBase->CreateTable(aTable, aSchema);
 }
 
+NS_IMETHODIMP
+Connection::AttachDatabase(const char* aPath, const char* aName,
+                           mozIStorageStatementCallback* aCallback,
+                           mozIStoragePendingStatement** _handle) {
+  return mBase->AttachDatabase(aPath, aName, aCallback, _handle);
+}
+
 NS_IMETHODIMP
 Connection::SetGrowthIncrement(int32_t aIncrement,
                                const nsACString& aDatabase) {

ipc/glue/BackgroundParentImpl.cpp

@@ -31,6 +31,7 @@
 #include "mozilla/dom/MIDIPlatformService.h"
 #include "mozilla/dom/MIDIPortParent.h"
 #include "mozilla/dom/MLSTransactionParent.h"
+#include "mozilla/security/lockstore/LockstoreParent.h"
 #include "mozilla/dom/MessagePortParent.h"
 #include "mozilla/dom/PGamepadEventChannelParent.h"
 #include "mozilla/dom/PGamepadTestChannelParent.h"
@@ -1178,6 +1179,52 @@ mozilla::ipc::IPCResult BackgroundParentImpl::RecvHasMIDIDevice(
   return IPC_OK();
 }
 
+// NOTE: Only accessed on the background thread.
+static StaticRefPtr<nsISerialEventTarget> sLockstoreTaskQueue;
+
+class LockstoreTaskQueueShutdownTask final : public nsITargetShutdownTask {
+ public:
+  NS_DECL_THREADSAFE_ISUPPORTS
+
+  void TargetShutdown() override { sLockstoreTaskQueue = nullptr; }
+
+ private:
+  ~LockstoreTaskQueueShutdownTask() = default;
+};
+
+NS_IMPL_ISUPPORTS(LockstoreTaskQueueShutdownTask, nsITargetShutdownTask)
+
+mozilla::ipc::IPCResult BackgroundParentImpl::RecvCreateLockstoreTransaction(
+    Endpoint<mozilla::security::lockstore::PLockstoreParent>&& aEndpoint) {
+  AssertIsInMainProcess();
+  AssertIsOnBackgroundThread();
+
+  if (!aEndpoint.IsValid()) {
+    return IPC_FAIL(this, "invalid endpoint for Lockstore");
+  }
+
+  if (!sLockstoreTaskQueue) {
+    nsCOMPtr<nsISerialEventTarget> taskQueue;
+    MOZ_ALWAYS_SUCCEEDS(NS_CreateBackgroundTaskQueue(
+        "LockstoreTaskQueue", getter_AddRefs(taskQueue)));
+    sLockstoreTaskQueue = taskQueue.forget();
+
+    nsCOMPtr<nsITargetShutdownTask> shutdownTask =
+        new LockstoreTaskQueueShutdownTask();
+    MOZ_ALWAYS_SUCCEEDS(
+        GetCurrentSerialEventTarget()->RegisterShutdownTask(shutdownTask));
+  }
+
+  sLockstoreTaskQueue->Dispatch(NS_NewRunnableFunction(
+      "CreateLockstoreTransactionRunnable",
+      [endpoint = std::move(aEndpoint)]() mutable {
+        RefPtr<mozilla::security::lockstore::PLockstoreParent> result =
+            new mozilla::security::lockstore::LockstoreParent();
+        endpoint.Bind(result);
+      }));
+  return IPC_OK();
+}
+
 // NOTE: Only accessed on the background thread.
 static StaticRefPtr<nsISerialEventTarget> sMLSTaskQueue;
 

ipc/glue/BackgroundParentImpl.h

@@ -297,6 +297,10 @@ class BackgroundParentImpl : public PBackgroundParent {
   mozilla::ipc::IPCResult RecvHasMIDIDevice(
       HasMIDIDeviceResolver&& aResolver) override;
 
+  mozilla::ipc::IPCResult RecvCreateLockstoreTransaction(
+      Endpoint<mozilla::security::lockstore::PLockstoreParent>&& aEndpoint)
+      override;
+
   mozilla::ipc::IPCResult RecvCreateMLSTransaction(
       Endpoint<PMLSTransactionParent>&& aEndpoint,
       NotNull<nsIPrincipal*> aPrincipal) override;

ipc/glue/PBackground.ipdl

@@ -38,6 +38,7 @@ include protocol PCameras;
 include protocol PLockManager;
 include protocol PMIDIManager;
 include protocol PMIDIPort;
+include protocol PLockstore;
 include protocol PMLSTransaction;
 include protocol PQuota;
 include protocol PServiceWorker;
@@ -267,6 +268,8 @@ parent:
                        MIDIPortInfo portInfo, bool sysexEnabled);
   async HasMIDIDevice() returns (bool hasDevice);
 
+  async CreateLockstoreTransaction(Endpoint<PLockstoreParent> aEndpoint);
+
   async CreateMLSTransaction(Endpoint<PMLSTransactionParent> aEndpoint, nsIPrincipal aPrincipal);
 
   // This method is used to propagate storage activities from the child actor

modules/libpref/init/StaticPrefList.yaml

@@ -17906,6 +17906,12 @@
   value: false
   mirror: always
 
+# Enable keystore file for enterprise storage encryption.
+- name: security.storage.encryption.sqlite.enabled
+  type: bool
+  value: false
+  mirror: once
+
 - name: security.tls13.aes_128_gcm_sha256
   type: RelaxedAtomicBool
   value: true

security/lockstore/LockstoreChild.cpp

@@ -0,0 +1,14 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim:set ts=2 sw=2 sts=2 et cindent: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "LockstoreChild.h"
+
+namespace mozilla::security::lockstore {
+
+// LockstoreChild is a thin wrapper with no additional implementation needed.
+// The class definition in the header provides all necessary functionality.
+
+}  // namespace mozilla::security::lockstore

security/lockstore/LockstoreChild.h

@@ -0,0 +1,27 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim:set ts=2 sw=2 sts=2 et cindent: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_security_lockstore_LockstoreChild_h
+#define mozilla_security_lockstore_LockstoreChild_h
+
+#include "mozilla/security/lockstore/PLockstore.h"
+#include "mozilla/security/lockstore/PLockstoreChild.h"
+
+namespace mozilla::security::lockstore {
+
+class LockstoreChild final : public PLockstoreChild {
+ public:
+  NS_INLINE_DECL_REFCOUNTING(LockstoreChild, override)
+
+  LockstoreChild() = default;
+
+ protected:
+  ~LockstoreChild() = default;
+};
+
+}  // namespace mozilla::security::lockstore
+
+#endif  // mozilla_security_lockstore_LockstoreChild_h

security/lockstore/LockstoreIPCUtils.h

@@ -0,0 +1,43 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim:set ts=2 sw=2 sts=2 et cindent: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_security_lockstore_LockstoreIPCUtils_h
+#define mozilla_security_lockstore_LockstoreIPCUtils_h
+
+#include "ipc/IPCMessageUtils.h"
+#include "mozilla/security/lockstore/PLockstore.h"
+
+namespace IPC {
+
+template <>
+struct ParamTraits<mozilla::security::lockstore::RawBytes> {
+  typedef mozilla::security::lockstore::RawBytes paramType;
+
+  static void Write(MessageWriter* aWriter, const paramType& aParam) {
+    WriteParam(aWriter, aParam.data());
+  }
+
+  static bool Read(MessageReader* aReader, paramType* aResult) {
+    return ReadParam(aReader, &aResult->data());
+  }
+};
+
+template <>
+struct ParamTraits<mozilla::security::lockstore::StringList> {
+  typedef mozilla::security::lockstore::StringList paramType;
+
+  static void Write(MessageWriter* aWriter, const paramType& aParam) {
+    WriteParam(aWriter, aParam.items());
+  }
+
+  static bool Read(MessageReader* aReader, paramType* aResult) {
+    return ReadParam(aReader, &aResult->items());
+  }
+};
+
+}  // namespace IPC
+
+#endif  // mozilla_security_lockstore_LockstoreIPCUtils_h