Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 68e76934 authored by Andrew Scull's avatar Andrew Scull Committed by Automerger Merge Worker
Browse files

Merge "Select the DICE validation rules based on the VSR" into main am: b484308d 

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2678076



Change-Id: I4694e2508d1381537a25e663382563e24221af7c
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 6375a4ce b484308d

security/keymint/support/remote_prov_utils.cpp

+20 −1
Original line number Original line Diff line number Diff line
@@ -962,6 +962,20 @@ ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequestSignedPayload( 
    return signedRequest->value();

    return signedRequest->value();

}

}





ErrMsgOr<hwtrust::DiceChain::Kind> getDiceChainKind() {

    int vendor_api_level = ::android::base::GetIntProperty("ro.vendor.api_level", -1);

    switch (vendor_api_level) {

        case __ANDROID_API_T__:

            return hwtrust::DiceChain::Kind::kVsr13;

        case __ANDROID_API_U__:

            return hwtrust::DiceChain::Kind::kVsr14;

        case __ANDROID_API_V__:

            return hwtrust::DiceChain::Kind::kVsr15;

        default:

            return "Unsupported vendor API level: " + std::to_string(vendor_api_level);

    }

}



ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t>& request,

ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t>& request,

                                                       const std::vector<uint8_t>& challenge) {

                                                       const std::vector<uint8_t>& challenge) {

    auto [parsedRequest, _, csrErrMsg] = cppbor::parse(request);

    auto [parsedRequest, _, csrErrMsg] = cppbor::parse(request);
@@ -996,7 +1010,12 @@ ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t 
    }

    }





    // DICE chain is [ pubkey, + DiceChainEntry ].

    // DICE chain is [ pubkey, + DiceChainEntry ].

    auto diceContents = validateBcc(diceCertChain, hwtrust::DiceChain::Kind::kVsr14);

    auto diceChainKind = getDiceChainKind();

    if (!diceChainKind) {

        return diceChainKind.message();

    }



    auto diceContents = validateBcc(diceCertChain, *diceChainKind);

    if (!diceContents) {

    if (!diceContents) {

        return diceContents.message() + "\n" + prettyPrint(diceCertChain);

        return diceContents.message() + "\n" + prettyPrint(diceCertChain);

    }

    }

security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl

+2 −1
Original line number Original line Diff line number Diff line
@@ -90,6 +90,7 @@ DiceCertChain = [ 
DiceChainEntryPayload = {                    ; CWT [RFC8392]

DiceChainEntryPayload = {                    ; CWT [RFC8392]

    1 : tstr,                                ; Issuer

    1 : tstr,                                ; Issuer

    2 : tstr,                                ; Subject

    2 : tstr,                                ; Subject

    -4670554 : "android.15",                 ; Profile Name

    -4670552 : bstr .cbor PubKeyEd25519 /

    -4670552 : bstr .cbor PubKeyEd25519 /

            bstr .cbor PubKeyECDSA256 /

            bstr .cbor PubKeyECDSA256 /

            bstr .cbor PubKeyECDSA384,       ; Subject Public Key

            bstr .cbor PubKeyECDSA384,       ; Subject Public Key