Merge "[dice] Add nostd version of libdiced_sample_inputs" into main
commit
63207be169
7 changed files with 107 additions and 25 deletions
|
@ -15,5 +15,10 @@
|
||||||
{
|
{
|
||||||
"name": "libdiced_sample_inputs.integration_test"
|
"name": "libdiced_sample_inputs.integration_test"
|
||||||
}
|
}
|
||||||
|
],
|
||||||
|
"postsubmit": [
|
||||||
|
{
|
||||||
|
"name": "libdiced_sample_inputs_nostd.integration_test"
|
||||||
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
|
@ -17,12 +17,16 @@ rust_library_rlib {
|
||||||
"libopen_dice_cbor_bindgen_nostd",
|
"libopen_dice_cbor_bindgen_nostd",
|
||||||
"libzeroize_nostd",
|
"libzeroize_nostd",
|
||||||
],
|
],
|
||||||
|
features: [
|
||||||
|
"alloc",
|
||||||
|
],
|
||||||
whole_static_libs: [
|
whole_static_libs: [
|
||||||
"libopen_dice_cbor",
|
"libopen_dice_cbor",
|
||||||
"libcrypto_baremetal",
|
"libcrypto_baremetal",
|
||||||
],
|
],
|
||||||
visibility: [
|
visibility: [
|
||||||
"//packages/modules/Virtualization:__subpackages__",
|
"//packages/modules/Virtualization:__subpackages__",
|
||||||
|
"//system/security/diced/sample_inputs",
|
||||||
],
|
],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -36,6 +40,7 @@ rust_library {
|
||||||
"libzeroize",
|
"libzeroize",
|
||||||
],
|
],
|
||||||
features: [
|
features: [
|
||||||
|
"alloc",
|
||||||
"std",
|
"std",
|
||||||
],
|
],
|
||||||
shared_libs: [
|
shared_libs: [
|
||||||
|
|
|
@ -17,6 +17,9 @@
|
||||||
|
|
||||||
#![cfg_attr(not(feature = "std"), no_std)]
|
#![cfg_attr(not(feature = "std"), no_std)]
|
||||||
|
|
||||||
|
#[cfg(feature = "alloc")]
|
||||||
|
extern crate alloc;
|
||||||
|
|
||||||
#[cfg(not(feature = "std"))]
|
#[cfg(not(feature = "std"))]
|
||||||
extern crate core as std;
|
extern crate core as std;
|
||||||
|
|
||||||
|
@ -24,7 +27,7 @@ mod bcc;
|
||||||
mod dice;
|
mod dice;
|
||||||
mod error;
|
mod error;
|
||||||
mod ops;
|
mod ops;
|
||||||
#[cfg(feature = "std")]
|
#[cfg(feature = "alloc")]
|
||||||
mod retry;
|
mod retry;
|
||||||
|
|
||||||
pub use bcc::{
|
pub use bcc::{
|
||||||
|
@ -38,7 +41,7 @@ pub use dice::{
|
||||||
};
|
};
|
||||||
pub use error::{DiceError, Result};
|
pub use error::{DiceError, Result};
|
||||||
pub use ops::{generate_certificate, hash, kdf, keypair_from_seed, sign, verify};
|
pub use ops::{generate_certificate, hash, kdf, keypair_from_seed, sign, verify};
|
||||||
#[cfg(feature = "std")]
|
#[cfg(feature = "alloc")]
|
||||||
pub use retry::{
|
pub use retry::{
|
||||||
retry_bcc_format_config_descriptor, retry_bcc_main_flow, retry_dice_main_flow,
|
retry_bcc_format_config_descriptor, retry_bcc_main_flow, retry_dice_main_flow,
|
||||||
retry_generate_certificate, OwnedDiceArtifacts,
|
retry_generate_certificate, OwnedDiceArtifacts,
|
||||||
|
|
|
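Review bot: Gating `mod retry` and the `pub use retry::{...}` re-exports on `alloc` alone means a build that enables `std` without `alloc` silently loses the `retry_*` functions and `OwnedDiceArtifacts`, where `std` used to be sufficient. The Android.bp change in this commit adds `"alloc"` next to `"std"`, so the in-tree build is unaffected, but nothing in lib.rs states the dependency. Either gate both sites with `#[cfg(any(feature = "std", feature = "alloc"))]` or add a comment above the attribute such as `// "std" builds must also enable "alloc"; retry uses alloc::vec::Vec.`. retry.rs guards its `alloc::vec::Vec` import with the same feature, so the `any(...)` form looks workable, though most of retry.rs is outside the visible hunk.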
@ -23,6 +23,8 @@ use crate::dice::{
|
||||||
};
|
};
|
||||||
use crate::error::{DiceError, Result};
|
use crate::error::{DiceError, Result};
|
||||||
use crate::ops::generate_certificate;
|
use crate::ops::generate_certificate;
|
||||||
|
#[cfg(feature = "alloc")]
|
||||||
|
use alloc::vec::Vec;
|
||||||
|
|
||||||
/// Artifacts stores a set of dice artifacts comprising CDI_ATTEST, CDI_SEAL,
|
/// Artifacts stores a set of dice artifacts comprising CDI_ATTEST, CDI_SEAL,
|
||||||
/// and the BCC formatted attestation certificate chain.
|
/// and the BCC formatted attestation certificate chain.
|
||||||
|
|
|
@ -21,25 +21,61 @@ package {
|
||||||
default_applicable_licenses: ["system_security_license"],
|
default_applicable_licenses: ["system_security_license"],
|
||||||
}
|
}
|
||||||
|
|
||||||
rust_library {
|
rust_defaults {
|
||||||
name: "libdiced_sample_inputs",
|
name: "libdiced_sample_inputs_defaults",
|
||||||
crate_name: "diced_sample_inputs",
|
crate_name: "diced_sample_inputs",
|
||||||
srcs: ["src/lib.rs"],
|
srcs: ["src/lib.rs"],
|
||||||
|
}
|
||||||
|
|
||||||
|
rust_library {
|
||||||
|
name: "libdiced_sample_inputs",
|
||||||
|
defaults: ["libdiced_sample_inputs_defaults"],
|
||||||
|
features: [
|
||||||
|
"std",
|
||||||
|
],
|
||||||
rustlibs: [
|
rustlibs: [
|
||||||
"libanyhow",
|
|
||||||
"libciborium",
|
"libciborium",
|
||||||
"libcoset",
|
"libcoset",
|
||||||
"libdiced_open_dice",
|
"libdiced_open_dice",
|
||||||
|
"liblog_rust",
|
||||||
],
|
],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
rust_library_rlib {
|
||||||
|
name: "libdiced_sample_inputs_nostd",
|
||||||
|
defaults: ["libdiced_sample_inputs_defaults"],
|
||||||
|
rustlibs: [
|
||||||
|
"libciborium_nostd",
|
||||||
|
"libcoset_nostd",
|
||||||
|
"libdiced_open_dice_nostd",
|
||||||
|
"liblog_rust_nostd",
|
||||||
|
],
|
||||||
|
visibility: [
|
||||||
|
"//packages/modules/Virtualization:__subpackages__",
|
||||||
|
],
|
||||||
|
}
|
||||||
|
|
||||||
|
rust_defaults {
|
||||||
|
name: "libdiced_sample_inputs_test_defaults",
|
||||||
|
crate_name: "diced_sample_inputs_test",
|
||||||
|
srcs: ["tests/*.rs"],
|
||||||
|
test_suites: ["general-tests"],
|
||||||
|
}
|
||||||
|
|
||||||
rust_test {
|
rust_test {
|
||||||
name: "libdiced_sample_inputs.integration_test",
|
name: "libdiced_sample_inputs.integration_test",
|
||||||
crate_name: "diced_sample_inputs_test",
|
defaults: ["libdiced_sample_inputs_test_defaults"],
|
||||||
srcs: ["tests/*.rs"],
|
|
||||||
test_suites: ["general-tests"],
|
|
||||||
rustlibs: [
|
rustlibs: [
|
||||||
"libdiced_open_dice",
|
"libdiced_open_dice",
|
||||||
"libdiced_sample_inputs",
|
"libdiced_sample_inputs",
|
||||||
],
|
],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
rust_test {
|
||||||
|
name: "libdiced_sample_inputs_nostd.integration_test",
|
||||||
|
defaults: ["libdiced_sample_inputs_test_defaults"],
|
||||||
|
rustlibs: [
|
||||||
|
"libdiced_open_dice_nostd",
|
||||||
|
"libdiced_sample_inputs_nostd",
|
||||||
|
],
|
||||||
|
}
|
||||||
|
|
|
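Review bot: `libdiced_sample_inputs_nostd` makes the sample DICE chain linkable into bare-metal targets under `//packages/modules/Virtualization:__subpackages__`, and the module carries no comment saying it is test-only. The crate derives its CDIs and BCC from a `UDS` constant compiled into the source, so anything built against it gets attestation and sealing secrets that are identical on every device. I would add a comment above the `rust_library_rlib` block, for example `// Test and debug only: CDIs and BCC come from a fixed sample UDS; never link into production images.`, and narrow `visibility` to the specific packages that need it if that list is known. The std variant `libdiced_sample_inputs` shows no `visibility` in this hunk; whether a package-level default restricts it is not visible here.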
@ -17,6 +17,10 @@
|
||||||
//! Provides a set of sample inputs for a DICE chain and CDI values derived
|
//! Provides a set of sample inputs for a DICE chain and CDI values derived
|
||||||
//! from it.
|
//! from it.
|
||||||
|
|
||||||
|
#![cfg_attr(not(feature = "std"), no_std)]
|
||||||
|
|
||||||
|
extern crate alloc;
|
||||||
|
|
||||||
mod sample_inputs;
|
mod sample_inputs;
|
||||||
|
|
||||||
pub use sample_inputs::make_sample_bcc_and_cdis;
|
pub use sample_inputs::make_sample_bcc_and_cdis;
|
||||||
|
|
|
@ -15,15 +15,17 @@
|
||||||
//! This module provides a set of sample input values for a DICE chain, a sample UDS,
|
//! This module provides a set of sample input values for a DICE chain, a sample UDS,
|
||||||
//! as well as tuple of CDIs and BCC derived thereof.
|
//! as well as tuple of CDIs and BCC derived thereof.
|
||||||
|
|
||||||
use anyhow::{anyhow, Context, Result};
|
use alloc::vec;
|
||||||
|
use alloc::vec::Vec;
|
||||||
use ciborium::{de, ser, value::Value};
|
use ciborium::{de, ser, value::Value};
|
||||||
|
use core::ffi::CStr;
|
||||||
use coset::{iana, Algorithm, AsCborValue, CoseKey, KeyOperation, KeyType, Label};
|
use coset::{iana, Algorithm, AsCborValue, CoseKey, KeyOperation, KeyType, Label};
|
||||||
use diced_open_dice::{
|
use diced_open_dice::{
|
||||||
derive_cdi_private_key_seed, keypair_from_seed, retry_bcc_format_config_descriptor,
|
derive_cdi_private_key_seed, keypair_from_seed, retry_bcc_format_config_descriptor,
|
||||||
retry_bcc_main_flow, retry_dice_main_flow, Config, DiceArtifacts, DiceConfigValues, DiceMode,
|
retry_bcc_main_flow, retry_dice_main_flow, Config, DiceArtifacts, DiceConfigValues, DiceError,
|
||||||
InputValues, OwnedDiceArtifacts, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE,
|
DiceMode, InputValues, OwnedDiceArtifacts, Result, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE,
|
||||||
};
|
};
|
||||||
use std::ffi::CStr;
|
use log::error;
|
||||||
|
|
||||||
/// Sample UDS used to perform the root dice flow by `make_sample_bcc_and_cdis`.
|
/// Sample UDS used to perform the root dice flow by `make_sample_bcc_and_cdis`.
|
||||||
const UDS: &[u8; CDI_SIZE] = &[
|
const UDS: &[u8; CDI_SIZE] = &[
|
||||||
|
@ -88,8 +90,10 @@ fn ed25519_public_key_to_cbor_value(public_key: &[u8]) -> Result<Value> {
|
||||||
],
|
],
|
||||||
..Default::default()
|
..Default::default()
|
||||||
};
|
};
|
||||||
key.to_cbor_value()
|
key.to_cbor_value().map_err(|e| {
|
||||||
.map_err(|e| anyhow!(format!("Failed to serialize the key to CBOR data. Error: {e}")))
|
error!("Failed to serialize the key to CBOR data: {e}");
|
||||||
|
DiceError::InvalidInput
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Makes a DICE chain (BCC) from the sample input.
|
/// Makes a DICE chain (BCC) from the sample input.
|
||||||
|
@ -97,12 +101,16 @@ fn ed25519_public_key_to_cbor_value(public_key: &[u8]) -> Result<Value> {
|
||||||
/// The DICE chain is of the following format:
|
/// The DICE chain is of the following format:
|
||||||
/// public key derived from UDS -> ABL certificate -> AVB certificate -> Android certificate
|
/// public key derived from UDS -> ABL certificate -> AVB certificate -> Android certificate
|
||||||
pub fn make_sample_bcc_and_cdis() -> Result<OwnedDiceArtifacts> {
|
pub fn make_sample_bcc_and_cdis() -> Result<OwnedDiceArtifacts> {
|
||||||
let private_key_seed = derive_cdi_private_key_seed(UDS)
|
let private_key_seed = derive_cdi_private_key_seed(UDS).map_err(|e| {
|
||||||
.context("In make_sample_bcc_and_cdis: Trying to derive private key seed.")?;
|
error!("In make_sample_bcc_and_cdis: Trying to derive private key seed. Error: {e}");
|
||||||
|
e
|
||||||
|
})?;
|
||||||
|
|
||||||
// Gets the root public key in DICE chain (BCC).
|
// Gets the root public key in DICE chain (BCC).
|
||||||
let (public_key, _) = keypair_from_seed(private_key_seed.as_array())
|
let (public_key, _) = keypair_from_seed(private_key_seed.as_array()).map_err(|e| {
|
||||||
.context("In make_sample_bcc_and_cids: Failed to generate key pair.")?;
|
error!("In make_sample_bcc_and_cids: Failed to generate key pair. Error: {e}");
|
||||||
|
e
|
||||||
|
})?;
|
||||||
let ed25519_public_key_value = ed25519_public_key_to_cbor_value(&public_key)?;
|
let ed25519_public_key_value = ed25519_public_key_to_cbor_value(&public_key)?;
|
||||||
|
|
||||||
// Gets the ABL certificate to as the root certificate of DICE chain.
|
// Gets the ABL certificate to as the root certificate of DICE chain.
|
||||||
|
@ -120,14 +128,22 @@ pub fn make_sample_bcc_and_cdis() -> Result<OwnedDiceArtifacts> {
|
||||||
DiceMode::kDiceModeNormal,
|
DiceMode::kDiceModeNormal,
|
||||||
HIDDEN_ABL,
|
HIDDEN_ABL,
|
||||||
);
|
);
|
||||||
let (cdi_values, cert) = retry_dice_main_flow(UDS, UDS, &input_values)
|
let (cdi_values, cert) = retry_dice_main_flow(UDS, UDS, &input_values).map_err(|e| {
|
||||||
.context("In make_sample_bcc_and_cdis: Trying to run first main flow.")?;
|
error!("In make_sample_bcc_and_cdis: Trying to run first main flow. Error: {e}");
|
||||||
|
e
|
||||||
|
})?;
|
||||||
let bcc_value = Value::Array(vec![
|
let bcc_value = Value::Array(vec![
|
||||||
ed25519_public_key_value,
|
ed25519_public_key_value,
|
||||||
de::from_reader(&cert[..]).context("Deserialize root DICE certificate failed")?,
|
de::from_reader(&cert[..]).map_err(|e| {
|
||||||
|
error!("Deserialize root DICE certificate failed: {e}");
|
||||||
|
DiceError::InvalidInput
|
||||||
|
})?,
|
||||||
]);
|
]);
|
||||||
let mut bcc: Vec<u8> = vec![];
|
let mut bcc: Vec<u8> = vec![];
|
||||||
ser::into_writer(&bcc_value, &mut bcc)?;
|
ser::into_writer(&bcc_value, &mut bcc).map_err(|e| {
|
||||||
|
error!("Serialize BCC failed: {e}");
|
||||||
|
DiceError::InvalidInput
|
||||||
|
})?;
|
||||||
|
|
||||||
// Appends AVB certificate to DICE chain.
|
// Appends AVB certificate to DICE chain.
|
||||||
let config_values = DiceConfigValues {
|
let config_values = DiceConfigValues {
|
||||||
|
@ -146,7 +162,12 @@ pub fn make_sample_bcc_and_cdis() -> Result<OwnedDiceArtifacts> {
|
||||||
);
|
);
|
||||||
let dice_artifacts =
|
let dice_artifacts =
|
||||||
retry_bcc_main_flow(&cdi_values.cdi_attest, &cdi_values.cdi_seal, &bcc, &input_values)
|
retry_bcc_main_flow(&cdi_values.cdi_attest, &cdi_values.cdi_seal, &bcc, &input_values)
|
||||||
.context("In make_sample_bcc_and_cdis: Trying to run first bcc main flow.")?;
|
.map_err(|e| {
|
||||||
|
error!(
|
||||||
|
"In make_sample_bcc_and_cdis: Trying to run first bcc main flow. Error: {e}"
|
||||||
|
);
|
||||||
|
e
|
||||||
|
})?;
|
||||||
|
|
||||||
// Appends Android certificate to DICE chain.
|
// Appends Android certificate to DICE chain.
|
||||||
let config_values = DiceConfigValues {
|
let config_values = DiceConfigValues {
|
||||||
|
@ -166,8 +187,14 @@ pub fn make_sample_bcc_and_cdis() -> Result<OwnedDiceArtifacts> {
|
||||||
retry_bcc_main_flow(
|
retry_bcc_main_flow(
|
||||||
dice_artifacts.cdi_attest(),
|
dice_artifacts.cdi_attest(),
|
||||||
dice_artifacts.cdi_seal(),
|
dice_artifacts.cdi_seal(),
|
||||||
dice_artifacts.bcc().ok_or_else(|| anyhow!("bcc is none"))?,
|
dice_artifacts.bcc().ok_or_else(|| {
|
||||||
|
error!("bcc is none");
|
||||||
|
DiceError::InvalidInput
|
||||||
|
})?,
|
||||||
&input_values,
|
&input_values,
|
||||||
)
|
)
|
||||||
.context("In make_sample_bcc_and_cdis: Trying to run second bcc main flow.")
|
.map_err(|e| {
|
||||||
|
error!("In make_sample_bcc_and_cdis: Trying to run second bcc main flow. Error: {e}");
|
||||||
|
e
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
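Review bot: The failures from `key.to_cbor_value()`, `de::from_reader(&cert[..])`, `ser::into_writer(&bcc_value, &mut bcc)` and the `bcc is none` case are all collapsed to `DiceError::InvalidInput`, so the caller can no longer tell which step failed and the cause survives only in `error!` output. In the no_std build that output depends on the embedding binary installing a `log` backend, which is not visible here; without one the diagnostics are dropped entirely. `make_sample_bcc_and_cdis` takes no arguments, so `InvalidInput` is also a misleading code for these internal steps; if `DiceError` has a variant for internal failures it would fit better, otherwise a comment at each site such as `// No richer DiceError variant available; details are in the log.` would help. The carried-over typo `make_sample_bcc_and_cids` in the key-pair message makes that log line harder to grep for. The function spans several hunks and its body is only partly visible.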