Overview of Elective Module Managers

Elective services extend CSSM. They define their own application programming interfaces and service provider interfaces. For example, key recovery can be an elective service. Some applications will use key recovery services (by explicit invocation) and other applications will not use it. Audit logs can be an elective service. Applications wishing to maintain a log can do so, other applications will not use that facility. CSSM's elective module management facilities provide a set of mechanisms that support runtime inclusion of new APIs and their corresponding SPIs. Standardization of the new APIs and SPIs is in addition to the current CDSA standards. The additions can be standardized as an enhancement to CDSA or as an independent standard that is adopted and used within CDSA. The elective module management mechanisms allow CDSA implementations to easily and quickly incorporate these new standards. CSSM does not have a priori knowledge of the elective APIs, but applications have complete knowledge of the new APIs in order to explicitly invoke the services provided through those APIs.

Built-In Policies and Application Exemptions

• Are successfully authenticated by CSSM

• Carry implied authorization for the requested exemptions

Credentials are said to carry implied authorization if they can be verified based on points of trust specified by the authorizing entity.

An elective module managers can define trust points in addition to CSSM's trust points by including application authentication keys in the module manager's description contained in its signed manifest credentials. CSSM can use these public keys as additional trust points for authenticating applications requesting exemptions. When an exemption has been granted, it is the responsibility of the elective module manager to not enforce the built-in check corresponding to the granted exemption.

To define new categories of exemption, the elective module manager defines a new, unique CSSM_EXEMPTION_MASK flag. This bitmask represents the set of exemptions requested by an application. Applications can change their exemption status multiple times during execution. Each request for exemption requires a separate authentication check .

Transparent, Dynamic Attach

Applications are aware of instances of add-in modules, not the module managers that control access to those modules. Before requesting services from an add-in service provider (via APIs defined by a module manager), the application invokes CSSM_attach to obtain an instance of the add-in service provider. Steps to Attach an Add-In Module and load its EMM shows the sequence of processing steps. If the module is of an elective category of service, then CSSM transparently attaches the module manager for that category of service (if that manager is not currently loaded). The module manager must perform the CSSM-defined bilateral authentication protocol. This protocol is used to ensure CSSM-wide integrity when any component is dynamically added to the CSSM runtime environment. (This protocol is described in more detail in a later section of this specification.) Once the manager is loaded, the APIs defined by that module are available to the application.

The dynamic nature of the elective module manager is transparent to the add-in module also. This is important. It means that an add-in module vendor need not modify their module implementation to work with an elective module manager versus a basic module manager.

There is at most one module manager for each category of service loaded in CSSM at any given time. When an elective module manager is dynamically added to serve an application, that module manager is a peer of all other module managers and can cooperate with other managers as appropriate.

Elective module management defines a set of mechanisms that support runtime inclusion of new APIs and their corresponding SPIs. Standardization of the new APIs and SPIs is in addition to the current CDSA standards. The additions can be standardized as an enhancement to CDSA or as an independent standard that is adopted and used within CDSA. The elective module management mechanisms allow CDSA implementations to easily and quickly incorporate these new standards. CSSM does not have a priori knowledge of the elective APIs, but applications have complete knowledge of the new APIs in order to explicitly invoke the services provided through those APIs. The elective module manager is responsible for checking instance compatibility with the CSSM that loaded the manager. Compatibility can be based on a combination of the CSSM's GUID, CSSM's Interface GUID, and CSSM's major and minor version number. CSSM APIs can be invoked to obtain these values. These values also represent the instance level of the basic module managers that are always present in the CSSM. In rare cases, elective module managers may have dependencies on each other. In this case compatibility between elective module managers is the responsibility of the elective module managers. These checks must be performed in a manner that does not depend on the order in which the caller attaches depend services that are supported by elective module managers. Compatibility checks among dependent, elective module managers can be checked using the event notification interface for communication among module managers. When an attached application detaches from an add-in service module, CSSM will also unload the associated module manager if it is not in use by another thread, process, or application.

Registering Module Managers

State Sharing Among Module Managers

When two or more module managers share state, each manager must be able to:

• Inform the other module managers of its presence in the system

• Request notification of certain states or activities taking place in the domain of another module manager

• Gather event information from other module managers

• Inform the other module managers of its imminent removal from the system

The other module managers must be able to:

• Change their behavior based on the presence or non-presence of other module managers in the system

• Accept and honor requests from other module managers for ongoing state and activity information

• Issue event notifications to other module managers when events of interest occur

When module managers share state information they must implement conditional logic to interact with each other. Two module managers can share state information by several different mechanisms:

• Invoking known, internal, module manager interfaces

• Using operating system supported state-sharing mechanisms, such as shared memory, RPC, event notification, and general interrupts

• Using a CSSM-supported event notification service

The first two mechanisms depend on platform services outside of CDSA. Module managers that share state information can use all of these mechanisms.

CSSM-supported event notifications require that all module managers implement and register with CSSM an event notification entry point. Module managers issue notifications by invoking a CSSM function, specifying:

• The source manager

• The destination manager

• The event type

• Notification ID (optional)

• Data Values (optional)

CSSM delivers the notification to the destination module manager by invoking the manager's notification entry point.

Typical event types include:

• Module manager loaded

• Module manager unloaded

• Selected Service Request

• Reply

Module managers that share state information are not required to use the CSSM event notification mechanism. These types of events, requests, and notifications can be shared using the other platform dependent mechanisms. CSSM provides this simple mechanism specifically for situations where other platform services are not readily available.