Loading security/secretkeeper/aidl/vts/dice_sample.rs +34 −11 Original line number Diff line number Diff line Loading @@ -18,9 +18,16 @@ //! module duplicates a large chunk of code in libdiced_sample_inputs. We avoid modifying the //! latter for testing purposes because it is installed on device. use ciborium::{de, ser, value::Value}; use crate::{ COMPONENT_NAME, COMPONENT_RESETTABLE, COMPONENT_VERSION, SUBCOMPONENT_AUTHORITY_HASH, SUBCOMPONENT_CODE_HASH, SUBCOMPONENT_DESCRIPTORS, SUBCOMPONENT_NAME, SUBCOMPONENT_SECURITY_VERSION, }; use ciborium::{cbor, de, ser, value::Value}; use core::ffi::CStr; use coset::{iana, Algorithm, AsCborValue, CoseKey, KeyOperation, KeyType, Label}; use coset::{ iana, Algorithm, AsCborValue, CborSerializable, CoseKey, KeyOperation, KeyType, Label, }; use diced_open_dice::{ derive_cdi_private_key_seed, keypair_from_seed, retry_bcc_format_config_descriptor, retry_bcc_main_flow, retry_dice_main_flow, Config, DiceArtifacts, DiceConfigValues, DiceError, Loading Loading @@ -100,7 +107,8 @@ fn ed25519_public_key_to_cbor_value(public_key: &[u8]) -> Value { /// /// The DICE chain is of the following format: /// public key derived from UDS -> ABL certificate -> AVB certificate -> Android certificate /// The `security_version` is included in the Android certificate. /// The `security_version` is included in the Android certificate as well as each subcomponent /// of AVB certificate. pub fn make_explicit_owned_dice(security_version: u64) -> OwnedDiceArtifactsWithExplicitKey { let dice = make_sample_bcc_and_cdis(security_version); OwnedDiceArtifactsWithExplicitKey::from_owned_artifacts(dice).unwrap() Loading Loading @@ -135,16 +143,31 @@ fn make_sample_bcc_and_cdis(security_version: u64) -> OwnedDiceArtifacts { ser::into_writer(&bcc_value, &mut bcc).unwrap(); // Appends AVB certificate to DICE chain. let config_values = DiceConfigValues { component_name: Some(CStr::from_bytes_with_nul(b"AVB\0").unwrap()), component_version: Some(1), resettable: true, ..Default::default() }; let config_descriptor = retry_bcc_format_config_descriptor(&config_values).unwrap(); let config_desc = cbor!({ COMPONENT_NAME => "AVB", COMPONENT_VERSION => 1, COMPONENT_RESETTABLE => null, SUBCOMPONENT_DESCRIPTORS => [ { SUBCOMPONENT_NAME => "sub_1", SUBCOMPONENT_SECURITY_VERSION => security_version, SUBCOMPONENT_CODE_HASH=> b"xoxo", SUBCOMPONENT_AUTHORITY_HASH => b"oxox" }, { SUBCOMPONENT_NAME => "sub_2", SUBCOMPONENT_SECURITY_VERSION => security_version, SUBCOMPONENT_CODE_HASH => b"xoxo", SUBCOMPONENT_AUTHORITY_HASH => b"oxox", } ] }) .unwrap() .to_vec() .unwrap(); let input_values = InputValues::new( CODE_HASH_AVB, Config::Descriptor(config_descriptor.as_slice()), Config::Descriptor(&config_desc), AUTHORITY_HASH_AVB, DiceMode::kDiceModeNormal, HIDDEN_AVB, Loading security/secretkeeper/aidl/vts/lib.rs +12 −0 Original line number Diff line number Diff line Loading @@ -28,7 +28,19 @@ pub const CONFIG_DESC: i64 = -4670548; pub const COMPONENT_NAME: i64 = -70002; /// Map key for component version. pub const COMPONENT_VERSION: i64 = -70003; /// Map key for Resettable. pub const COMPONENT_RESETTABLE: i64 = -70004; /// Map key for security version. pub const SECURITY_VERSION: i64 = -70005; /// Map key for mode. pub const MODE: i64 = -4670551; /// Map key for SubcomponentDescriptor. pub const SUBCOMPONENT_DESCRIPTORS: i64 = -71002; /// Map key for name of subcomponent. pub const SUBCOMPONENT_NAME: i64 = 1; /// Map key for Security Version of subcomponent. pub const SUBCOMPONENT_SECURITY_VERSION: i64 = 2; /// Map key for Code hash of subcomponent. pub const SUBCOMPONENT_CODE_HASH: i64 = 3; /// Map key for Authority Hash of subcomponent. pub const SUBCOMPONENT_AUTHORITY_HASH: i64 = 4; security/secretkeeper/aidl/vts/secretkeeper_cli.rs +36 −2 Original line number Diff line number Diff line Loading @@ -24,7 +24,10 @@ use authgraph_boringssl::BoringSha256; use authgraph_core::traits::Sha256; use clap::{Args, Parser, Subcommand}; use coset::CborSerializable; use dice_policy_builder::{ConstraintSpec, ConstraintType, MissingAction, policy_for_dice_chain}; use dice_policy_builder::{ policy_for_dice_chain, CertIndex, ConstraintSpec, ConstraintType, MissingAction, WILDCARD_FULL_ARRAY, }; use secretkeeper_client::{dice::OwnedDiceArtifactsWithExplicitKey, SkSession}; use secretkeeper_comm::data_types::{ Loading @@ -37,6 +40,7 @@ use secretkeeper_comm::data_types::{ }; use secretkeeper_test::{ dice_sample::make_explicit_owned_dice, AUTHORITY_HASH, CONFIG_DESC, MODE, SECURITY_VERSION, SUBCOMPONENT_AUTHORITY_HASH, SUBCOMPONENT_DESCRIPTORS, SUBCOMPONENT_SECURITY_VERSION, }; use std::io::Write; Loading Loading @@ -139,12 +143,42 @@ impl SkClient { ConstraintType::ExactMatch, vec![AUTHORITY_HASH], MissingAction::Fail, CertIndex::All, ), ConstraintSpec::new( ConstraintType::ExactMatch, vec![MODE], MissingAction::Fail, CertIndex::All, ), ConstraintSpec::new(ConstraintType::ExactMatch, vec![MODE], MissingAction::Fail), ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![CONFIG_DESC, SECURITY_VERSION], MissingAction::Ignore, CertIndex::All, ), // Constraints on sub components in the second last DiceChainEntry ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![ CONFIG_DESC, SUBCOMPONENT_DESCRIPTORS, WILDCARD_FULL_ARRAY, SUBCOMPONENT_SECURITY_VERSION, ], MissingAction::Fail, CertIndex::FromEnd(1), ), ConstraintSpec::new( ConstraintType::ExactMatch, vec![ CONFIG_DESC, SUBCOMPONENT_DESCRIPTORS, WILDCARD_FULL_ARRAY, SUBCOMPONENT_AUTHORITY_HASH, ], MissingAction::Fail, CertIndex::FromEnd(1), ), ]; policy_for_dice_chain(dice, &constraint_spec) Loading security/secretkeeper/aidl/vts/secretkeeper_test_client.rs +42 −5 Original line number Diff line number Diff line Loading @@ -20,7 +20,7 @@ use authgraph_vts_test as ag_vts; use authgraph_boringssl as boring; use authgraph_core::key; use coset::{CborSerializable, CoseEncrypt0}; use dice_policy_builder::{ConstraintSpec, ConstraintType, MissingAction, policy_for_dice_chain}; use dice_policy_builder::{CertIndex, ConstraintSpec, ConstraintType, MissingAction, WILDCARD_FULL_ARRAY, policy_for_dice_chain}; use rdroidtest::{ignore_if, rdroidtest}; use secretkeeper_client::dice::OwnedDiceArtifactsWithExplicitKey; use secretkeeper_client::SkSession; Loading @@ -34,13 +34,13 @@ use secretkeeper_comm::data_types::{Id, Secret, SeqNum}; use secretkeeper_comm::data_types::response::Response; use secretkeeper_comm::data_types::packet::{ResponsePacket, ResponseType}; use secretkeeper_test::{ AUTHORITY_HASH, MODE, CONFIG_DESC, SECURITY_VERSION, AUTHORITY_HASH, MODE, CONFIG_DESC, SECURITY_VERSION, SUBCOMPONENT_AUTHORITY_HASH, SUBCOMPONENT_DESCRIPTORS, SUBCOMPONENT_SECURITY_VERSION, dice_sample::make_explicit_owned_dice }; const SECRETKEEPER_SERVICE: &str = "android.hardware.security.secretkeeper.ISecretkeeper"; const CURRENT_VERSION: u64 = 1; // Random bytes (of ID_SIZE/SECRET_SIZE) generated for tests. const ID_EXAMPLE: Id = Id([ 0xF1, 0xB2, 0xED, 0x3B, 0xD1, 0xBD, 0xF0, 0x7D, 0xE1, 0xF0, 0x01, 0xFC, 0x61, 0x71, 0xD3, 0x42, Loading Loading @@ -256,14 +256,51 @@ fn assert_entry_not_found(res: Result<Secret, Error>) { /// 1. ExactMatch on AUTHORITY_HASH (non-optional). /// 2. ExactMatch on MODE (non-optional). /// 3. GreaterOrEqual on SECURITY_VERSION (optional). /// 4. The second last DiceChainEntry contain SubcomponentDescriptor, for each of those: /// a) GreaterOrEqual on SECURITY_VERSION (Required) // b) ExactMatch on AUTHORITY_HASH (Required). fn sealing_policy(dice: &[u8]) -> Vec<u8> { let constraint_spec = [ ConstraintSpec::new(ConstraintType::ExactMatch, vec![AUTHORITY_HASH], MissingAction::Fail), ConstraintSpec::new(ConstraintType::ExactMatch, vec![MODE], MissingAction::Fail), ConstraintSpec::new( ConstraintType::ExactMatch, vec![AUTHORITY_HASH], MissingAction::Fail, CertIndex::All, ), ConstraintSpec::new( ConstraintType::ExactMatch, vec![MODE], MissingAction::Fail, CertIndex::All, ), ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![CONFIG_DESC, SECURITY_VERSION], MissingAction::Ignore, CertIndex::All, ), // Constraints on sub components in the second last DiceChainEntry ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![ CONFIG_DESC, SUBCOMPONENT_DESCRIPTORS, WILDCARD_FULL_ARRAY, SUBCOMPONENT_SECURITY_VERSION, ], MissingAction::Fail, CertIndex::FromEnd(1), ), ConstraintSpec::new( ConstraintType::ExactMatch, vec![ CONFIG_DESC, SUBCOMPONENT_DESCRIPTORS, WILDCARD_FULL_ARRAY, SUBCOMPONENT_AUTHORITY_HASH, ], MissingAction::Fail, CertIndex::FromEnd(1), ), ]; Loading Loading
security/secretkeeper/aidl/vts/dice_sample.rs +34 −11 Original line number Diff line number Diff line Loading @@ -18,9 +18,16 @@ //! module duplicates a large chunk of code in libdiced_sample_inputs. We avoid modifying the //! latter for testing purposes because it is installed on device. use ciborium::{de, ser, value::Value}; use crate::{ COMPONENT_NAME, COMPONENT_RESETTABLE, COMPONENT_VERSION, SUBCOMPONENT_AUTHORITY_HASH, SUBCOMPONENT_CODE_HASH, SUBCOMPONENT_DESCRIPTORS, SUBCOMPONENT_NAME, SUBCOMPONENT_SECURITY_VERSION, }; use ciborium::{cbor, de, ser, value::Value}; use core::ffi::CStr; use coset::{iana, Algorithm, AsCborValue, CoseKey, KeyOperation, KeyType, Label}; use coset::{ iana, Algorithm, AsCborValue, CborSerializable, CoseKey, KeyOperation, KeyType, Label, }; use diced_open_dice::{ derive_cdi_private_key_seed, keypair_from_seed, retry_bcc_format_config_descriptor, retry_bcc_main_flow, retry_dice_main_flow, Config, DiceArtifacts, DiceConfigValues, DiceError, Loading Loading @@ -100,7 +107,8 @@ fn ed25519_public_key_to_cbor_value(public_key: &[u8]) -> Value { /// /// The DICE chain is of the following format: /// public key derived from UDS -> ABL certificate -> AVB certificate -> Android certificate /// The `security_version` is included in the Android certificate. /// The `security_version` is included in the Android certificate as well as each subcomponent /// of AVB certificate. pub fn make_explicit_owned_dice(security_version: u64) -> OwnedDiceArtifactsWithExplicitKey { let dice = make_sample_bcc_and_cdis(security_version); OwnedDiceArtifactsWithExplicitKey::from_owned_artifacts(dice).unwrap() Loading Loading @@ -135,16 +143,31 @@ fn make_sample_bcc_and_cdis(security_version: u64) -> OwnedDiceArtifacts { ser::into_writer(&bcc_value, &mut bcc).unwrap(); // Appends AVB certificate to DICE chain. let config_values = DiceConfigValues { component_name: Some(CStr::from_bytes_with_nul(b"AVB\0").unwrap()), component_version: Some(1), resettable: true, ..Default::default() }; let config_descriptor = retry_bcc_format_config_descriptor(&config_values).unwrap(); let config_desc = cbor!({ COMPONENT_NAME => "AVB", COMPONENT_VERSION => 1, COMPONENT_RESETTABLE => null, SUBCOMPONENT_DESCRIPTORS => [ { SUBCOMPONENT_NAME => "sub_1", SUBCOMPONENT_SECURITY_VERSION => security_version, SUBCOMPONENT_CODE_HASH=> b"xoxo", SUBCOMPONENT_AUTHORITY_HASH => b"oxox" }, { SUBCOMPONENT_NAME => "sub_2", SUBCOMPONENT_SECURITY_VERSION => security_version, SUBCOMPONENT_CODE_HASH => b"xoxo", SUBCOMPONENT_AUTHORITY_HASH => b"oxox", } ] }) .unwrap() .to_vec() .unwrap(); let input_values = InputValues::new( CODE_HASH_AVB, Config::Descriptor(config_descriptor.as_slice()), Config::Descriptor(&config_desc), AUTHORITY_HASH_AVB, DiceMode::kDiceModeNormal, HIDDEN_AVB, Loading
security/secretkeeper/aidl/vts/lib.rs +12 −0 Original line number Diff line number Diff line Loading @@ -28,7 +28,19 @@ pub const CONFIG_DESC: i64 = -4670548; pub const COMPONENT_NAME: i64 = -70002; /// Map key for component version. pub const COMPONENT_VERSION: i64 = -70003; /// Map key for Resettable. pub const COMPONENT_RESETTABLE: i64 = -70004; /// Map key for security version. pub const SECURITY_VERSION: i64 = -70005; /// Map key for mode. pub const MODE: i64 = -4670551; /// Map key for SubcomponentDescriptor. pub const SUBCOMPONENT_DESCRIPTORS: i64 = -71002; /// Map key for name of subcomponent. pub const SUBCOMPONENT_NAME: i64 = 1; /// Map key for Security Version of subcomponent. pub const SUBCOMPONENT_SECURITY_VERSION: i64 = 2; /// Map key for Code hash of subcomponent. pub const SUBCOMPONENT_CODE_HASH: i64 = 3; /// Map key for Authority Hash of subcomponent. pub const SUBCOMPONENT_AUTHORITY_HASH: i64 = 4;
security/secretkeeper/aidl/vts/secretkeeper_cli.rs +36 −2 Original line number Diff line number Diff line Loading @@ -24,7 +24,10 @@ use authgraph_boringssl::BoringSha256; use authgraph_core::traits::Sha256; use clap::{Args, Parser, Subcommand}; use coset::CborSerializable; use dice_policy_builder::{ConstraintSpec, ConstraintType, MissingAction, policy_for_dice_chain}; use dice_policy_builder::{ policy_for_dice_chain, CertIndex, ConstraintSpec, ConstraintType, MissingAction, WILDCARD_FULL_ARRAY, }; use secretkeeper_client::{dice::OwnedDiceArtifactsWithExplicitKey, SkSession}; use secretkeeper_comm::data_types::{ Loading @@ -37,6 +40,7 @@ use secretkeeper_comm::data_types::{ }; use secretkeeper_test::{ dice_sample::make_explicit_owned_dice, AUTHORITY_HASH, CONFIG_DESC, MODE, SECURITY_VERSION, SUBCOMPONENT_AUTHORITY_HASH, SUBCOMPONENT_DESCRIPTORS, SUBCOMPONENT_SECURITY_VERSION, }; use std::io::Write; Loading Loading @@ -139,12 +143,42 @@ impl SkClient { ConstraintType::ExactMatch, vec![AUTHORITY_HASH], MissingAction::Fail, CertIndex::All, ), ConstraintSpec::new( ConstraintType::ExactMatch, vec![MODE], MissingAction::Fail, CertIndex::All, ), ConstraintSpec::new(ConstraintType::ExactMatch, vec![MODE], MissingAction::Fail), ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![CONFIG_DESC, SECURITY_VERSION], MissingAction::Ignore, CertIndex::All, ), // Constraints on sub components in the second last DiceChainEntry ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![ CONFIG_DESC, SUBCOMPONENT_DESCRIPTORS, WILDCARD_FULL_ARRAY, SUBCOMPONENT_SECURITY_VERSION, ], MissingAction::Fail, CertIndex::FromEnd(1), ), ConstraintSpec::new( ConstraintType::ExactMatch, vec![ CONFIG_DESC, SUBCOMPONENT_DESCRIPTORS, WILDCARD_FULL_ARRAY, SUBCOMPONENT_AUTHORITY_HASH, ], MissingAction::Fail, CertIndex::FromEnd(1), ), ]; policy_for_dice_chain(dice, &constraint_spec) Loading
security/secretkeeper/aidl/vts/secretkeeper_test_client.rs +42 −5 Original line number Diff line number Diff line Loading @@ -20,7 +20,7 @@ use authgraph_vts_test as ag_vts; use authgraph_boringssl as boring; use authgraph_core::key; use coset::{CborSerializable, CoseEncrypt0}; use dice_policy_builder::{ConstraintSpec, ConstraintType, MissingAction, policy_for_dice_chain}; use dice_policy_builder::{CertIndex, ConstraintSpec, ConstraintType, MissingAction, WILDCARD_FULL_ARRAY, policy_for_dice_chain}; use rdroidtest::{ignore_if, rdroidtest}; use secretkeeper_client::dice::OwnedDiceArtifactsWithExplicitKey; use secretkeeper_client::SkSession; Loading @@ -34,13 +34,13 @@ use secretkeeper_comm::data_types::{Id, Secret, SeqNum}; use secretkeeper_comm::data_types::response::Response; use secretkeeper_comm::data_types::packet::{ResponsePacket, ResponseType}; use secretkeeper_test::{ AUTHORITY_HASH, MODE, CONFIG_DESC, SECURITY_VERSION, AUTHORITY_HASH, MODE, CONFIG_DESC, SECURITY_VERSION, SUBCOMPONENT_AUTHORITY_HASH, SUBCOMPONENT_DESCRIPTORS, SUBCOMPONENT_SECURITY_VERSION, dice_sample::make_explicit_owned_dice }; const SECRETKEEPER_SERVICE: &str = "android.hardware.security.secretkeeper.ISecretkeeper"; const CURRENT_VERSION: u64 = 1; // Random bytes (of ID_SIZE/SECRET_SIZE) generated for tests. const ID_EXAMPLE: Id = Id([ 0xF1, 0xB2, 0xED, 0x3B, 0xD1, 0xBD, 0xF0, 0x7D, 0xE1, 0xF0, 0x01, 0xFC, 0x61, 0x71, 0xD3, 0x42, Loading Loading @@ -256,14 +256,51 @@ fn assert_entry_not_found(res: Result<Secret, Error>) { /// 1. ExactMatch on AUTHORITY_HASH (non-optional). /// 2. ExactMatch on MODE (non-optional). /// 3. GreaterOrEqual on SECURITY_VERSION (optional). /// 4. The second last DiceChainEntry contain SubcomponentDescriptor, for each of those: /// a) GreaterOrEqual on SECURITY_VERSION (Required) // b) ExactMatch on AUTHORITY_HASH (Required). fn sealing_policy(dice: &[u8]) -> Vec<u8> { let constraint_spec = [ ConstraintSpec::new(ConstraintType::ExactMatch, vec![AUTHORITY_HASH], MissingAction::Fail), ConstraintSpec::new(ConstraintType::ExactMatch, vec![MODE], MissingAction::Fail), ConstraintSpec::new( ConstraintType::ExactMatch, vec![AUTHORITY_HASH], MissingAction::Fail, CertIndex::All, ), ConstraintSpec::new( ConstraintType::ExactMatch, vec![MODE], MissingAction::Fail, CertIndex::All, ), ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![CONFIG_DESC, SECURITY_VERSION], MissingAction::Ignore, CertIndex::All, ), // Constraints on sub components in the second last DiceChainEntry ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![ CONFIG_DESC, SUBCOMPONENT_DESCRIPTORS, WILDCARD_FULL_ARRAY, SUBCOMPONENT_SECURITY_VERSION, ], MissingAction::Fail, CertIndex::FromEnd(1), ), ConstraintSpec::new( ConstraintType::ExactMatch, vec![ CONFIG_DESC, SUBCOMPONENT_DESCRIPTORS, WILDCARD_FULL_ARRAY, SUBCOMPONENT_AUTHORITY_HASH, ], MissingAction::Fail, CertIndex::FromEnd(1), ), ]; Loading
