Merge "Vts: New dice_policy_builder api with `TargetEntry`." into main am:... (05572dc7) · Commits · e / os / android_hardware_interfaces

security/secretkeeper/aidl/vts/secretkeeper_cli.rs

+14 −12

Original line number	Diff line number	Diff line
		@@ -25,7 +25,7 @@ use authgraph_core::traits::Sha256;
		use clap::{Args, Parser, Subcommand};
		use coset::CborSerializable;
		use dice_policy_builder::{
		policy_for_dice_chain, CertIndex, ConstraintSpec, ConstraintType, MissingAction,
		policy_for_dice_chain, ConstraintSpec, ConstraintType, MissingAction, TargetEntry,
		WILDCARD_FULL_ARRAY,
		};

		@@ -131,33 +131,35 @@ impl SkClient {
		}

		/// Construct a sealing policy on the DICE chain with constraints:
		/// 1. `ExactMatch` on `AUTHORITY_HASH` (non-optional).
		/// 2. `ExactMatch` on `MODE` (non-optional).
		/// 3. `GreaterOrEqual` on `SECURITY_VERSION` (optional).
		/// 1. `ExactMatch` on `AUTHORITY_HASH` (non-optional) on all nodes.
		/// 2. `ExactMatch` on `MODE` (non-optional) on all nodes.
		/// 3. `GreaterOrEqual` on `SECURITY_VERSION` (optional) on all nodes.
		/// 4. The DiceChainEntry corresponding to "AVB" contains SubcomponentDescriptor, for each of those:
		/// a) GreaterOrEqual on SECURITY_VERSION (Required)
		// b) ExactMatch on AUTHORITY_HASH (Required).
		fn sealing_policy(&self) -> Result<Vec<u8>> {
		let dice =
		self.dice_artifacts.explicit_key_dice_chain().context("extract explicit DICE chain")?;

		let constraint_spec = [
		let constraint_spec = vec![
		ConstraintSpec::new(
		ConstraintType::ExactMatch,
		vec![AUTHORITY_HASH],
		MissingAction::Fail,
		CertIndex::All,
		TargetEntry::All,
		),
		ConstraintSpec::new(
		ConstraintType::ExactMatch,
		vec![MODE],
		MissingAction::Fail,
		CertIndex::All,
		TargetEntry::All,
		),
		ConstraintSpec::new(
		ConstraintType::GreaterOrEqual,
		vec![CONFIG_DESC, SECURITY_VERSION],
		MissingAction::Ignore,
		CertIndex::All,
		TargetEntry::All,
		),
		// Constraints on sub components in the second last DiceChainEntry
		ConstraintSpec::new(
		ConstraintType::GreaterOrEqual,
		vec![
		@@ -167,7 +169,7 @@ impl SkClient {
		SUBCOMPONENT_SECURITY_VERSION,
		],
		MissingAction::Fail,
		CertIndex::FromEnd(1),
		TargetEntry::ByName("AVB".to_string()),
		),
		ConstraintSpec::new(
		ConstraintType::ExactMatch,
		@@ -178,10 +180,10 @@ impl SkClient {
		SUBCOMPONENT_AUTHORITY_HASH,
		],
		MissingAction::Fail,
		CertIndex::FromEnd(1),
		TargetEntry::ByName("AVB".to_string()),
		),
		];
		policy_for_dice_chain(dice, &constraint_spec)
		policy_for_dice_chain(dice, constraint_spec)
		.unwrap()
		.to_vec()
		.context("serialize DICE policy")

security/secretkeeper/aidl/vts/secretkeeper_test_client.rs

+9 −10

Original line number	Diff line number	Diff line
		@@ -20,7 +20,7 @@ use authgraph_vts_test as ag_vts;
		use authgraph_boringssl as boring;
		use authgraph_core::key;
		use coset::{CborOrdering, CborSerializable, CoseEncrypt0, CoseKey};
		use dice_policy_builder::{CertIndex, ConstraintSpec, ConstraintType, MissingAction, WILDCARD_FULL_ARRAY, policy_for_dice_chain};
		use dice_policy_builder::{TargetEntry, ConstraintSpec, ConstraintType, MissingAction, WILDCARD_FULL_ARRAY, policy_for_dice_chain};
		use rdroidtest::{ignore_if, rdroidtest};
		use secretkeeper_client::dice::OwnedDiceArtifactsWithExplicitKey;
		use secretkeeper_client::{SkSession, Error as SkClientError};
		@@ -312,30 +312,29 @@ fn assert_result_matches(res: Result<Secret, Error>, want: SecretkeeperError) {
		/// 1. ExactMatch on AUTHORITY_HASH (non-optional).
		/// 2. ExactMatch on MODE (non-optional).
		/// 3. GreaterOrEqual on SECURITY_VERSION (optional).
		/// 4. The second last DiceChainEntry contain SubcomponentDescriptor, for each of those:
		/// 4. The DiceChainEntry corresponding to "AVB" contains SubcomponentDescriptor, for each of those:
		/// a) GreaterOrEqual on SECURITY_VERSION (Required)
		// b) ExactMatch on AUTHORITY_HASH (Required).
		fn sealing_policy(dice: &[u8]) -> Vec<u8> {
		let constraint_spec = [
		let constraint_spec = vec![
		ConstraintSpec::new(
		ConstraintType::ExactMatch,
		vec![AUTHORITY_HASH],
		MissingAction::Fail,
		CertIndex::All,
		TargetEntry::All,
		),
		ConstraintSpec::new(
		ConstraintType::ExactMatch,
		vec![MODE],
		MissingAction::Fail,
		CertIndex::All,
		TargetEntry::All,
		),
		ConstraintSpec::new(
		ConstraintType::GreaterOrEqual,
		vec![CONFIG_DESC, SECURITY_VERSION],
		MissingAction::Ignore,
		CertIndex::All,
		TargetEntry::All,
		),
		// Constraints on sub components in the second last DiceChainEntry
		ConstraintSpec::new(
		ConstraintType::GreaterOrEqual,
		vec![
		@@ -345,7 +344,7 @@ fn sealing_policy(dice: &[u8]) -> Vec<u8> {
		SUBCOMPONENT_SECURITY_VERSION,
		],
		MissingAction::Fail,
		CertIndex::FromEnd(1),
		TargetEntry::ByName("AVB".to_string()),
		),
		ConstraintSpec::new(
		ConstraintType::ExactMatch,
		@@ -356,11 +355,11 @@ fn sealing_policy(dice: &[u8]) -> Vec<u8> {
		SUBCOMPONENT_AUTHORITY_HASH,
		],
		MissingAction::Fail,
		CertIndex::FromEnd(1),
		TargetEntry::ByName("AVB".to_string()),
		),
		];

		policy_for_dice_chain(dice, &constraint_spec).unwrap().to_vec().unwrap()
		policy_for_dice_chain(dice, constraint_spec).unwrap().to_vec().unwrap()
		}

		/// Perform AuthGraph key exchange, returning the session keys and session ID.