Merge "[dice] Adapt dice service and tests to the new DiceArtifacts trait"

2023-02-17 15:54:04 +00:00 · 2023-02-17 15:54:04 +00:00 · 249640be0a
commit 249640be0a
parent 86d2173992 e585065a4d
5 changed files with 24 additions and 20 deletions
--- a/security/dice/aidl/default/Android.bp
+++ b/security/dice/aidl/default/Android.bp
@ -14,7 +14,6 @@ rust_binary {
    vendor: true,
    rustlibs: [
        "android.hardware.security.dice-V1-rust",
-        "libdiced_open_dice_cbor",
        "libdiced_sample_inputs",
        "libdiced_vendor",
        "libandroid_logger",
--- a/security/dice/aidl/default/service.rs
+++ b/security/dice/aidl/default/service.rs
@ -14,7 +14,7 @@

 //! Main entry point for the android.hardware.security.dice service.

-use anyhow::Result;
+use anyhow::{anyhow, Result};
 use diced::{
    dice,
    hal_node::{DiceArtifacts, DiceDevice, ResidentHal, UpdatableDiceArtifacts},
@ -40,8 +40,8 @@ impl DiceArtifacts for InsecureSerializableArtifacts {
    fn cdi_seal(&self) -> &[u8; dice::CDI_SIZE] {
        &self.cdi_seal
    }
-    fn bcc(&self) -> Vec<u8> {
-        self.bcc.clone()
+    fn bcc(&self) -> Option<&[u8]> {
+        Some(&self.bcc)
    }
 }

@ -56,7 +56,10 @@ impl UpdatableDiceArtifacts for InsecureSerializableArtifacts {
        Ok(Self {
            cdi_attest: *new_artifacts.cdi_attest(),
            cdi_seal: *new_artifacts.cdi_seal(),
-            bcc: new_artifacts.bcc(),
+            bcc: new_artifacts
+                .bcc()
+                .ok_or_else(|| anyhow!("bcc is none"))?
+                .to_vec(),
        })
    }
 }
@ -77,16 +80,19 @@ fn main() {

    let dice_artifacts =
        make_sample_bcc_and_cdis().expect("Failed to construct sample dice chain.");
-
+    let mut cdi_attest = [0u8; dice::CDI_SIZE];
+    cdi_attest.copy_from_slice(dice_artifacts.cdi_attest());
+    let mut cdi_seal = [0u8; dice::CDI_SIZE];
+    cdi_seal.copy_from_slice(dice_artifacts.cdi_seal());
    let hal_impl = Arc::new(
        unsafe {
            // Safety: ResidentHal cannot be used in multi threaded processes.
            // This service does not start a thread pool. The main thread is the only thread
            // joining the thread pool, thereby keeping the process single threaded.
            ResidentHal::new(InsecureSerializableArtifacts {
-                cdi_attest: dice_artifacts.cdi_values.cdi_attest,
-                cdi_seal: dice_artifacts.cdi_values.cdi_seal,
-                bcc: dice_artifacts.bcc[..].to_vec(),
+                cdi_attest,
+                cdi_seal,
+                bcc: dice_artifacts.bcc().expect("bcc is none").to_vec(),
            })
        }
        .expect("Failed to create ResidentHal implementation."),
--- a/security/dice/aidl/vts/functional/Android.bp
+++ b/security/dice/aidl/vts/functional/Android.bp
@ -23,7 +23,7 @@ rust_test {
        "android.hardware.security.dice-V1-rust",
        "libanyhow",
        "libbinder_rs",
-        "libdiced_open_dice_cbor",
+        "libdiced_open_dice",
        "libdiced_sample_inputs",
        "libdiced_utils",
        "libkeystore2_vintf_rust",
@ -46,7 +46,7 @@ rust_test {
        "android.hardware.security.dice-V1-rust",
        "libanyhow",
        "libbinder_rs",
-        "libdiced_open_dice_cbor",
+        "libdiced_open_dice",
        "libdiced_sample_inputs",
        "libdiced_utils",
        "libkeystore2_vintf_rust",
--- a/security/dice/aidl/vts/functional/dice_demote_test.rs
+++ b/security/dice/aidl/vts/functional/dice_demote_test.rs
@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

+use diced_open_dice::DiceArtifacts;
 use diced_sample_inputs;
 use diced_utils;
 use std::convert::TryInto;
@ -44,11 +45,10 @@ fn demote_test() {
        .unwrap();

        let artifacts = artifacts.execute_steps(input_values.iter()).unwrap();
-        let (cdi_attest, cdi_seal, bcc) = artifacts.into_tuple();
        let from_former = diced_utils::make_bcc_handover(
-            cdi_attest[..].try_into().unwrap(),
-            cdi_seal[..].try_into().unwrap(),
-            &bcc,
+            artifacts.cdi_attest(),
+            artifacts.cdi_seal(),
+            artifacts.bcc().expect("bcc is none"),
        )
        .unwrap();
        // TODO b/204938506 when we have a parser/verifier, check equivalence rather
--- a/security/dice/aidl/vts/functional/dice_test.rs
+++ b/security/dice/aidl/vts/functional/dice_test.rs
@ -12,9 +12,9 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

+use diced_open_dice::DiceArtifacts;
 use diced_sample_inputs;
 use diced_utils;
-use std::convert::TryInto;

 mod utils;
 use utils::with_connection;
@ -44,11 +44,10 @@ fn equivalence_test() {
        .unwrap();

        let artifacts = artifacts.execute_steps(input_values.iter()).unwrap();
-        let (cdi_attest, cdi_seal, bcc) = artifacts.into_tuple();
        let from_former = diced_utils::make_bcc_handover(
-            cdi_attest[..].try_into().unwrap(),
-            cdi_seal[..].try_into().unwrap(),
-            &bcc,
+            artifacts.cdi_attest(),
+            artifacts.cdi_seal(),
+            artifacts.bcc().expect("bcc is none"),
        )
        .unwrap();
        // TODO b/204938506 when we have a parser/verifier, check equivalence rather