tequilaOS/platform_hardware_interfaces
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Vts: New dice_policy_builder api with TargetEntry." into main am: adad97cb79

Browse source 
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/3127995

Change-Id: If79596e0661aad7485ce3dee42f7f5067d94c83b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Shikha Panwar 2024-06-14 08:59:55 +00:00 committed by Automerger Merge Worker
commit 578eae1d52
2 changed files with 23 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
security/secretkeeper/aidl/vts/secretkeeper_cli.rs
View file

@ -25,7 +25,7 @@ use authgraph_core::traits::Sha256;
use clap::{Args, Parser, Subcommand};
use coset::CborSerializable;
use dice_policy_builder::{
policy_for_dice_chain, CertIndex, ConstraintSpec, ConstraintType, MissingAction,
policy_for_dice_chain, ConstraintSpec, ConstraintType, MissingAction, TargetEntry,
WILDCARD_FULL_ARRAY,
};
@ -131,33 +131,35 @@ impl SkClient {
}
/// Construct a sealing policy on the DICE chain with constraints:
/// 1. `ExactMatch` on `AUTHORITY_HASH` (non-optional).
/// 2. `ExactMatch` on `MODE` (non-optional).
/// 3. `GreaterOrEqual` on `SECURITY_VERSION` (optional).
/// 1. `ExactMatch` on `AUTHORITY_HASH` (non-optional) on all nodes.
/// 2. `ExactMatch` on `MODE` (non-optional) on all nodes.
/// 3. `GreaterOrEqual` on `SECURITY_VERSION` (optional) on all nodes.
/// 4. The DiceChainEntry corresponding to "AVB" contains SubcomponentDescriptor, for each of those:
/// a) GreaterOrEqual on SECURITY_VERSION (Required)
// b) ExactMatch on AUTHORITY_HASH (Required).
fn sealing_policy(&self) -> Result<Vec<u8>> {
let dice =
self.dice_artifacts.explicit_key_dice_chain().context("extract explicit DICE chain")?;
let constraint_spec = [
let constraint_spec = vec![
ConstraintSpec::new(
ConstraintType::ExactMatch,
vec![AUTHORITY_HASH],
MissingAction::Fail,
CertIndex::All,
TargetEntry::All,
),
ConstraintSpec::new(
ConstraintType::ExactMatch,
vec![MODE],
MissingAction::Fail,
CertIndex::All,
TargetEntry::All,
),
ConstraintSpec::new(
ConstraintType::GreaterOrEqual,
vec![CONFIG_DESC, SECURITY_VERSION],
MissingAction::Ignore,
CertIndex::All,
TargetEntry::All,
),
// Constraints on sub components in the second last DiceChainEntry
ConstraintSpec::new(
ConstraintType::GreaterOrEqual,
vec![
@ -167,7 +169,7 @@ impl SkClient {
SUBCOMPONENT_SECURITY_VERSION,
],
MissingAction::Fail,
CertIndex::FromEnd(1),
TargetEntry::ByName("AVB".to_string()),
),
ConstraintSpec::new(
ConstraintType::ExactMatch,
@ -178,10 +180,10 @@ impl SkClient {
SUBCOMPONENT_AUTHORITY_HASH,
],
MissingAction::Fail,
CertIndex::FromEnd(1),
TargetEntry::ByName("AVB".to_string()),
),
];
policy_for_dice_chain(dice, &constraint_spec)
policy_for_dice_chain(dice, constraint_spec)
.unwrap()
.to_vec()
.context("serialize DICE policy")

19
security/secretkeeper/aidl/vts/secretkeeper_test_client.rs
View file

@ -20,7 +20,7 @@ use authgraph_vts_test as ag_vts;
use authgraph_boringssl as boring;
use authgraph_core::key;
use coset::{CborOrdering, CborSerializable, CoseEncrypt0, CoseKey};
use dice_policy_builder::{CertIndex, ConstraintSpec, ConstraintType, MissingAction, WILDCARD_FULL_ARRAY, policy_for_dice_chain};
use dice_policy_builder::{TargetEntry, ConstraintSpec, ConstraintType, MissingAction, WILDCARD_FULL_ARRAY, policy_for_dice_chain};
use rdroidtest::{ignore_if, rdroidtest};
use secretkeeper_client::dice::OwnedDiceArtifactsWithExplicitKey;
use secretkeeper_client::{SkSession, Error as SkClientError};
@ -312,30 +312,29 @@ fn assert_result_matches(res: Result<Secret, Error>, want: SecretkeeperError) {
/// 1. ExactMatch on AUTHORITY_HASH (non-optional).
/// 2. ExactMatch on MODE (non-optional).
/// 3. GreaterOrEqual on SECURITY_VERSION (optional).
/// 4. The second last DiceChainEntry contain SubcomponentDescriptor, for each of those:
/// 4. The DiceChainEntry corresponding to "AVB" contains SubcomponentDescriptor, for each of those:
/// a) GreaterOrEqual on SECURITY_VERSION (Required)
// b) ExactMatch on AUTHORITY_HASH (Required).
fn sealing_policy(dice: &[u8]) -> Vec<u8> {
let constraint_spec = [
let constraint_spec = vec![
ConstraintSpec::new(
ConstraintType::ExactMatch,
vec![AUTHORITY_HASH],
MissingAction::Fail,
CertIndex::All,
TargetEntry::All,
),
ConstraintSpec::new(
ConstraintType::ExactMatch,
vec![MODE],
MissingAction::Fail,
CertIndex::All,
TargetEntry::All,
),
ConstraintSpec::new(
ConstraintType::GreaterOrEqual,
vec![CONFIG_DESC, SECURITY_VERSION],
MissingAction::Ignore,
CertIndex::All,
TargetEntry::All,
),
// Constraints on sub components in the second last DiceChainEntry
ConstraintSpec::new(
ConstraintType::GreaterOrEqual,
vec![
@ -345,7 +344,7 @@ fn sealing_policy(dice: &[u8]) -> Vec<u8> {
SUBCOMPONENT_SECURITY_VERSION,
],
MissingAction::Fail,
CertIndex::FromEnd(1),
TargetEntry::ByName("AVB".to_string()),
),
ConstraintSpec::new(
ConstraintType::ExactMatch,
@ -356,11 +355,11 @@ fn sealing_policy(dice: &[u8]) -> Vec<u8> {
SUBCOMPONENT_AUTHORITY_HASH,
],
MissingAction::Fail,
CertIndex::FromEnd(1),
TargetEntry::ByName("AVB".to_string()),
),
];
policy_for_dice_chain(dice, &constraint_spec).unwrap().to_vec().unwrap()
policy_for_dice_chain(dice, constraint_spec).unwrap().to_vec().unwrap()
}
/// Perform AuthGraph key exchange, returning the session keys and session ID.