Merge "Expand DICE chain in VTS/test to contain arrays" into main am: 36e66b72fe
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2927630 Change-Id: If518c675a69c32c843ae2c1363ce99ea3f25ea53 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
commit
ed58fe2f58
4 changed files with 124 additions and 18 deletions
|
@ -18,9 +18,16 @@
|
|||
//! module duplicates a large chunk of code in libdiced_sample_inputs. We avoid modifying the
|
||||
//! latter for testing purposes because it is installed on device.
|
||||
|
||||
use ciborium::{de, ser, value::Value};
|
||||
use crate::{
|
||||
COMPONENT_NAME, COMPONENT_RESETTABLE, COMPONENT_VERSION, SUBCOMPONENT_AUTHORITY_HASH,
|
||||
SUBCOMPONENT_CODE_HASH, SUBCOMPONENT_DESCRIPTORS, SUBCOMPONENT_NAME,
|
||||
SUBCOMPONENT_SECURITY_VERSION,
|
||||
};
|
||||
use ciborium::{cbor, de, ser, value::Value};
|
||||
use core::ffi::CStr;
|
||||
use coset::{iana, Algorithm, AsCborValue, CoseKey, KeyOperation, KeyType, Label};
|
||||
use coset::{
|
||||
iana, Algorithm, AsCborValue, CborSerializable, CoseKey, KeyOperation, KeyType, Label,
|
||||
};
|
||||
use diced_open_dice::{
|
||||
derive_cdi_private_key_seed, keypair_from_seed, retry_bcc_format_config_descriptor,
|
||||
retry_bcc_main_flow, retry_dice_main_flow, Config, DiceArtifacts, DiceConfigValues, DiceError,
|
||||
|
@ -100,7 +107,8 @@ fn ed25519_public_key_to_cbor_value(public_key: &[u8]) -> Value {
|
|||
///
|
||||
/// The DICE chain is of the following format:
|
||||
/// public key derived from UDS -> ABL certificate -> AVB certificate -> Android certificate
|
||||
/// The `security_version` is included in the Android certificate.
|
||||
/// The `security_version` is included in the Android certificate as well as each subcomponent
|
||||
/// of AVB certificate.
|
||||
pub fn make_explicit_owned_dice(security_version: u64) -> OwnedDiceArtifactsWithExplicitKey {
|
||||
let dice = make_sample_bcc_and_cdis(security_version);
|
||||
OwnedDiceArtifactsWithExplicitKey::from_owned_artifacts(dice).unwrap()
|
||||
|
@ -135,16 +143,31 @@ fn make_sample_bcc_and_cdis(security_version: u64) -> OwnedDiceArtifacts {
|
|||
ser::into_writer(&bcc_value, &mut bcc).unwrap();
|
||||
|
||||
// Appends AVB certificate to DICE chain.
|
||||
let config_values = DiceConfigValues {
|
||||
component_name: Some(CStr::from_bytes_with_nul(b"AVB\0").unwrap()),
|
||||
component_version: Some(1),
|
||||
resettable: true,
|
||||
..Default::default()
|
||||
};
|
||||
let config_descriptor = retry_bcc_format_config_descriptor(&config_values).unwrap();
|
||||
let config_desc = cbor!({
|
||||
COMPONENT_NAME => "AVB",
|
||||
COMPONENT_VERSION => 1,
|
||||
COMPONENT_RESETTABLE => null,
|
||||
SUBCOMPONENT_DESCRIPTORS => [
|
||||
{
|
||||
SUBCOMPONENT_NAME => "sub_1",
|
||||
SUBCOMPONENT_SECURITY_VERSION => security_version,
|
||||
SUBCOMPONENT_CODE_HASH=> b"xoxo",
|
||||
SUBCOMPONENT_AUTHORITY_HASH => b"oxox"
|
||||
},
|
||||
{
|
||||
SUBCOMPONENT_NAME => "sub_2",
|
||||
SUBCOMPONENT_SECURITY_VERSION => security_version,
|
||||
SUBCOMPONENT_CODE_HASH => b"xoxo",
|
||||
SUBCOMPONENT_AUTHORITY_HASH => b"oxox",
|
||||
}
|
||||
]
|
||||
})
|
||||
.unwrap()
|
||||
.to_vec()
|
||||
.unwrap();
|
||||
let input_values = InputValues::new(
|
||||
CODE_HASH_AVB,
|
||||
Config::Descriptor(config_descriptor.as_slice()),
|
||||
Config::Descriptor(&config_desc),
|
||||
AUTHORITY_HASH_AVB,
|
||||
DiceMode::kDiceModeNormal,
|
||||
HIDDEN_AVB,
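Review bot: The hand-built `cbor!` descriptor in the third hunk passes `b"xoxo"` and `b"oxox"` straight to the macro, and if the macro routes a `&[u8; 4]` through serde it is likely to come out as an array of four integers rather than a byte string — worth confirming against the encoded bytes, since the old path obtained the descriptor from `retry_bcc_format_config_descriptor` and the policy builder walks whatever this helper produces; `SUBCOMPONENT_CODE_HASH => Value::Bytes(b"xoxo".to_vec())` would make the intent explicit either way. Two formatting nits in the same map: `SUBCOMPONENT_CODE_HASH=> b"xoxo"` lacks the space before `=>`, and the `sub_1` entry has no trailing comma while `sub_2` does; rustfmt leaves brace-delimited macro bodies alone, so these need fixing by hand. The `make_sample_bcc_and_cdis` body continues outside the hunk.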
|
||||
|
|
|
@ -28,7 +28,19 @@ pub const CONFIG_DESC: i64 = -4670548;
|
|||
pub const COMPONENT_NAME: i64 = -70002;
|
||||
/// Map key for component version.
|
||||
pub const COMPONENT_VERSION: i64 = -70003;
|
||||
/// Map key for Resettable.
|
||||
pub const COMPONENT_RESETTABLE: i64 = -70004;
|
||||
/// Map key for security version.
|
||||
pub const SECURITY_VERSION: i64 = -70005;
|
||||
/// Map key for mode.
|
||||
pub const MODE: i64 = -4670551;
|
||||
/// Map key for SubcomponentDescriptor.
|
||||
pub const SUBCOMPONENT_DESCRIPTORS: i64 = -71002;
|
||||
/// Map key for name of subcomponent.
|
||||
pub const SUBCOMPONENT_NAME: i64 = 1;
|
||||
/// Map key for Security Version of subcomponent.
|
||||
pub const SUBCOMPONENT_SECURITY_VERSION: i64 = 2;
|
||||
/// Map key for Code hash of subcomponent.
|
||||
pub const SUBCOMPONENT_CODE_HASH: i64 = 3;
|
||||
/// Map key for Authority Hash of subcomponent.
|
||||
pub const SUBCOMPONENT_AUTHORITY_HASH: i64 = 4;
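Review bot: The four subcomponent keys (`1`..`4`) are keys inside each entry of the `SUBCOMPONENT_DESCRIPTORS` array, not top-level config-descriptor keys like the negative values above them, and the doc comments do not say so. A short comment before `SUBCOMPONENT_NAME` such as `/// Keys below are used inside each map of the SubcomponentDescriptors array.` would prevent a reader from mixing the two key spaces. The `SUBCOMPONENT_DESCRIPTORS` doc would also read more accurately as `/// Map key for the array of SubcomponentDescriptors.` since the value is the array, not a single descriptor.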
|
||||
|
|
|
@ -24,7 +24,10 @@ use authgraph_boringssl::BoringSha256;
|
|||
use authgraph_core::traits::Sha256;
|
||||
use clap::{Args, Parser, Subcommand};
|
||||
use coset::CborSerializable;
|
||||
use dice_policy_builder::{ConstraintSpec, ConstraintType, MissingAction, policy_for_dice_chain};
|
||||
use dice_policy_builder::{
|
||||
policy_for_dice_chain, CertIndex, ConstraintSpec, ConstraintType, MissingAction,
|
||||
WILDCARD_FULL_ARRAY,
|
||||
};
|
||||
|
||||
use secretkeeper_client::{dice::OwnedDiceArtifactsWithExplicitKey, SkSession};
|
||||
use secretkeeper_comm::data_types::{
|
||||
|
@ -37,6 +40,7 @@ use secretkeeper_comm::data_types::{
|
|||
};
|
||||
use secretkeeper_test::{
|
||||
dice_sample::make_explicit_owned_dice, AUTHORITY_HASH, CONFIG_DESC, MODE, SECURITY_VERSION,
|
||||
SUBCOMPONENT_AUTHORITY_HASH, SUBCOMPONENT_DESCRIPTORS, SUBCOMPONENT_SECURITY_VERSION,
|
||||
};
|
||||
use std::io::Write;
|
||||
|
||||
|
@ -139,12 +143,42 @@ impl SkClient {
|
|||
ConstraintType::ExactMatch,
|
||||
vec![AUTHORITY_HASH],
|
||||
MissingAction::Fail,
|
||||
CertIndex::All,
|
||||
),
|
||||
ConstraintSpec::new(
|
||||
ConstraintType::ExactMatch,
|
||||
vec![MODE],
|
||||
MissingAction::Fail,
|
||||
CertIndex::All,
|
||||
),
|
||||
ConstraintSpec::new(ConstraintType::ExactMatch, vec![MODE], MissingAction::Fail),
|
||||
ConstraintSpec::new(
|
||||
ConstraintType::GreaterOrEqual,
|
||||
vec![CONFIG_DESC, SECURITY_VERSION],
|
||||
MissingAction::Ignore,
|
||||
CertIndex::All,
|
||||
),
|
||||
// Constraints on sub components in the second last DiceChainEntry
|
||||
ConstraintSpec::new(
|
||||
ConstraintType::GreaterOrEqual,
|
||||
vec![
|
||||
CONFIG_DESC,
|
||||
SUBCOMPONENT_DESCRIPTORS,
|
||||
WILDCARD_FULL_ARRAY,
|
||||
SUBCOMPONENT_SECURITY_VERSION,
|
||||
],
|
||||
MissingAction::Fail,
|
||||
CertIndex::FromEnd(1),
|
||||
),
|
||||
ConstraintSpec::new(
|
||||
ConstraintType::ExactMatch,
|
||||
vec![
|
||||
CONFIG_DESC,
|
||||
SUBCOMPONENT_DESCRIPTORS,
|
||||
WILDCARD_FULL_ARRAY,
|
||||
SUBCOMPONENT_AUTHORITY_HASH,
|
||||
],
|
||||
MissingAction::Fail,
|
||||
CertIndex::FromEnd(1),
|
||||
),
|
||||
];
|
||||
policy_for_dice_chain(dice, &constraint_spec)
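Review bot: The five-entry constraint spec added here is byte-for-byte the same list that the VTS test's `sealing_policy` builds in its last hunk, so any future change to the policy (key path, `MissingAction`, `CertIndex`) has to be made twice. Since both files already import from `secretkeeper_test`, a shared helper there returning the `Vec<ConstraintSpec>` (or the policy itself) would keep the client and the test in agreement. The enclosing method of `impl SkClient` starts outside the hunk.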
|
||||
|
|
|
@ -20,7 +20,7 @@ use authgraph_vts_test as ag_vts;
|
|||
use authgraph_boringssl as boring;
|
||||
use authgraph_core::key;
|
||||
use coset::{CborSerializable, CoseEncrypt0};
|
||||
use dice_policy_builder::{ConstraintSpec, ConstraintType, MissingAction, policy_for_dice_chain};
|
||||
use dice_policy_builder::{CertIndex, ConstraintSpec, ConstraintType, MissingAction, WILDCARD_FULL_ARRAY, policy_for_dice_chain};
|
||||
use rdroidtest::{ignore_if, rdroidtest};
|
||||
use secretkeeper_client::dice::OwnedDiceArtifactsWithExplicitKey;
|
||||
use secretkeeper_client::SkSession;
|
||||
|
@ -34,13 +34,13 @@ use secretkeeper_comm::data_types::{Id, Secret, SeqNum};
|
|||
use secretkeeper_comm::data_types::response::Response;
|
||||
use secretkeeper_comm::data_types::packet::{ResponsePacket, ResponseType};
|
||||
use secretkeeper_test::{
|
||||
AUTHORITY_HASH, MODE, CONFIG_DESC, SECURITY_VERSION,
|
||||
AUTHORITY_HASH, MODE, CONFIG_DESC, SECURITY_VERSION, SUBCOMPONENT_AUTHORITY_HASH,
|
||||
SUBCOMPONENT_DESCRIPTORS, SUBCOMPONENT_SECURITY_VERSION,
|
||||
dice_sample::make_explicit_owned_dice
|
||||
};
|
||||
|
||||
const SECRETKEEPER_SERVICE: &str = "android.hardware.security.secretkeeper.ISecretkeeper";
|
||||
const CURRENT_VERSION: u64 = 1;
|
||||
|
||||
// Random bytes (of ID_SIZE/SECRET_SIZE) generated for tests.
|
||||
const ID_EXAMPLE: Id = Id([
|
||||
0xF1, 0xB2, 0xED, 0x3B, 0xD1, 0xBD, 0xF0, 0x7D, 0xE1, 0xF0, 0x01, 0xFC, 0x61, 0x71, 0xD3, 0x42,
|
||||
|
@ -256,14 +256,51 @@ fn assert_entry_not_found(res: Result<Secret, Error>) {
|
|||
/// 1. ExactMatch on AUTHORITY_HASH (non-optional).
|
||||
/// 2. ExactMatch on MODE (non-optional).
|
||||
/// 3. GreaterOrEqual on SECURITY_VERSION (optional).
|
||||
/// 4. The second last DiceChainEntry contain SubcomponentDescriptor, for each of those:
|
||||
/// a) GreaterOrEqual on SECURITY_VERSION (Required)
|
||||
// b) ExactMatch on AUTHORITY_HASH (Required).
|
||||
fn sealing_policy(dice: &[u8]) -> Vec<u8> {
|
||||
let constraint_spec = [
|
||||
ConstraintSpec::new(ConstraintType::ExactMatch, vec![AUTHORITY_HASH], MissingAction::Fail),
|
||||
ConstraintSpec::new(ConstraintType::ExactMatch, vec![MODE], MissingAction::Fail),
|
||||
ConstraintSpec::new(
|
||||
ConstraintType::ExactMatch,
|
||||
vec![AUTHORITY_HASH],
|
||||
MissingAction::Fail,
|
||||
CertIndex::All,
|
||||
),
|
||||
ConstraintSpec::new(
|
||||
ConstraintType::ExactMatch,
|
||||
vec![MODE],
|
||||
MissingAction::Fail,
|
||||
CertIndex::All,
|
||||
),
|
||||
ConstraintSpec::new(
|
||||
ConstraintType::GreaterOrEqual,
|
||||
vec![CONFIG_DESC, SECURITY_VERSION],
|
||||
MissingAction::Ignore,
|
||||
CertIndex::All,
|
||||
),
|
||||
// Constraints on sub components in the second last DiceChainEntry
|
||||
ConstraintSpec::new(
|
||||
ConstraintType::GreaterOrEqual,
|
||||
vec![
|
||||
CONFIG_DESC,
|
||||
SUBCOMPONENT_DESCRIPTORS,
|
||||
WILDCARD_FULL_ARRAY,
|
||||
SUBCOMPONENT_SECURITY_VERSION,
|
||||
],
|
||||
MissingAction::Fail,
|
||||
CertIndex::FromEnd(1),
|
||||
),
|
||||
ConstraintSpec::new(
|
||||
ConstraintType::ExactMatch,
|
||||
vec![
|
||||
CONFIG_DESC,
|
||||
SUBCOMPONENT_DESCRIPTORS,
|
||||
WILDCARD_FULL_ARRAY,
|
||||
SUBCOMPONENT_AUTHORITY_HASH,
|
||||
],
|
||||
MissingAction::Fail,
|
||||
CertIndex::FromEnd(1),
|
||||
),
|
||||
];
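Review bot: The doc comment on `sealing_policy` is broken in this hunk: item `// b) ExactMatch on AUTHORITY_HASH (Required).` uses `//` instead of `///`, so rustdoc drops that line and the list ends at a). It should read `/// b) ExactMatch on AUTHORITY_HASH (Required).`, and the line above it reads better as `/// 4. The second last DiceChainEntry contains SubcomponentDescriptors; for each of those:`. In the first hunk of this file the single-line `use dice_policy_builder::{...}` import is well over 100 columns; the multi-line form used in the client import would match rustfmt output.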
|
||||
|
||||
|
|