Loading security/secretkeeper/aidl/vts/secretkeeper_cli.rs +14 −12 Original line number Diff line number Diff line Loading @@ -25,7 +25,7 @@ use authgraph_core::traits::Sha256; use clap::{Args, Parser, Subcommand}; use coset::CborSerializable; use dice_policy_builder::{ policy_for_dice_chain, CertIndex, ConstraintSpec, ConstraintType, MissingAction, policy_for_dice_chain, ConstraintSpec, ConstraintType, MissingAction, TargetEntry, WILDCARD_FULL_ARRAY, }; Loading Loading @@ -131,33 +131,35 @@ impl SkClient { } /// Construct a sealing policy on the DICE chain with constraints: /// 1. `ExactMatch` on `AUTHORITY_HASH` (non-optional). /// 2. `ExactMatch` on `MODE` (non-optional). /// 3. `GreaterOrEqual` on `SECURITY_VERSION` (optional). /// 1. `ExactMatch` on `AUTHORITY_HASH` (non-optional) on all nodes. /// 2. `ExactMatch` on `MODE` (non-optional) on all nodes. /// 3. `GreaterOrEqual` on `SECURITY_VERSION` (optional) on all nodes. /// 4. The DiceChainEntry corresponding to "AVB" contains SubcomponentDescriptor, for each of those: /// a) GreaterOrEqual on SECURITY_VERSION (Required) // b) ExactMatch on AUTHORITY_HASH (Required). fn sealing_policy(&self) -> Result<Vec<u8>> { let dice = self.dice_artifacts.explicit_key_dice_chain().context("extract explicit DICE chain")?; let constraint_spec = [ let constraint_spec = vec![ ConstraintSpec::new( ConstraintType::ExactMatch, vec![AUTHORITY_HASH], MissingAction::Fail, CertIndex::All, TargetEntry::All, ), ConstraintSpec::new( ConstraintType::ExactMatch, vec![MODE], MissingAction::Fail, CertIndex::All, TargetEntry::All, ), ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![CONFIG_DESC, SECURITY_VERSION], MissingAction::Ignore, CertIndex::All, TargetEntry::All, ), // Constraints on sub components in the second last DiceChainEntry ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![ Loading @@ -167,7 +169,7 @@ impl SkClient { SUBCOMPONENT_SECURITY_VERSION, ], MissingAction::Fail, CertIndex::FromEnd(1), TargetEntry::ByName("AVB".to_string()), ), ConstraintSpec::new( ConstraintType::ExactMatch, Loading @@ -178,10 +180,10 @@ impl SkClient { SUBCOMPONENT_AUTHORITY_HASH, ], MissingAction::Fail, CertIndex::FromEnd(1), TargetEntry::ByName("AVB".to_string()), ), ]; policy_for_dice_chain(dice, &constraint_spec) policy_for_dice_chain(dice, constraint_spec) .unwrap() .to_vec() .context("serialize DICE policy") Loading security/secretkeeper/aidl/vts/secretkeeper_test_client.rs +9 −10 Original line number Diff line number Diff line Loading @@ -20,7 +20,7 @@ use authgraph_vts_test as ag_vts; use authgraph_boringssl as boring; use authgraph_core::key; use coset::{CborOrdering, CborSerializable, CoseEncrypt0, CoseKey}; use dice_policy_builder::{CertIndex, ConstraintSpec, ConstraintType, MissingAction, WILDCARD_FULL_ARRAY, policy_for_dice_chain}; use dice_policy_builder::{TargetEntry, ConstraintSpec, ConstraintType, MissingAction, WILDCARD_FULL_ARRAY, policy_for_dice_chain}; use rdroidtest::{ignore_if, rdroidtest}; use secretkeeper_client::dice::OwnedDiceArtifactsWithExplicitKey; use secretkeeper_client::{SkSession, Error as SkClientError}; Loading Loading @@ -312,30 +312,29 @@ fn assert_result_matches(res: Result<Secret, Error>, want: SecretkeeperError) { /// 1. ExactMatch on AUTHORITY_HASH (non-optional). /// 2. ExactMatch on MODE (non-optional). /// 3. GreaterOrEqual on SECURITY_VERSION (optional). /// 4. The second last DiceChainEntry contain SubcomponentDescriptor, for each of those: /// 4. The DiceChainEntry corresponding to "AVB" contains SubcomponentDescriptor, for each of those: /// a) GreaterOrEqual on SECURITY_VERSION (Required) // b) ExactMatch on AUTHORITY_HASH (Required). fn sealing_policy(dice: &[u8]) -> Vec<u8> { let constraint_spec = [ let constraint_spec = vec![ ConstraintSpec::new( ConstraintType::ExactMatch, vec![AUTHORITY_HASH], MissingAction::Fail, CertIndex::All, TargetEntry::All, ), ConstraintSpec::new( ConstraintType::ExactMatch, vec![MODE], MissingAction::Fail, CertIndex::All, TargetEntry::All, ), ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![CONFIG_DESC, SECURITY_VERSION], MissingAction::Ignore, CertIndex::All, TargetEntry::All, ), // Constraints on sub components in the second last DiceChainEntry ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![ Loading @@ -345,7 +344,7 @@ fn sealing_policy(dice: &[u8]) -> Vec<u8> { SUBCOMPONENT_SECURITY_VERSION, ], MissingAction::Fail, CertIndex::FromEnd(1), TargetEntry::ByName("AVB".to_string()), ), ConstraintSpec::new( ConstraintType::ExactMatch, Loading @@ -356,11 +355,11 @@ fn sealing_policy(dice: &[u8]) -> Vec<u8> { SUBCOMPONENT_AUTHORITY_HASH, ], MissingAction::Fail, CertIndex::FromEnd(1), TargetEntry::ByName("AVB".to_string()), ), ]; policy_for_dice_chain(dice, &constraint_spec).unwrap().to_vec().unwrap() policy_for_dice_chain(dice, constraint_spec).unwrap().to_vec().unwrap() } /// Perform AuthGraph key exchange, returning the session keys and session ID. Loading Loading
security/secretkeeper/aidl/vts/secretkeeper_cli.rs +14 −12 Original line number Diff line number Diff line Loading @@ -25,7 +25,7 @@ use authgraph_core::traits::Sha256; use clap::{Args, Parser, Subcommand}; use coset::CborSerializable; use dice_policy_builder::{ policy_for_dice_chain, CertIndex, ConstraintSpec, ConstraintType, MissingAction, policy_for_dice_chain, ConstraintSpec, ConstraintType, MissingAction, TargetEntry, WILDCARD_FULL_ARRAY, }; Loading Loading @@ -131,33 +131,35 @@ impl SkClient { } /// Construct a sealing policy on the DICE chain with constraints: /// 1. `ExactMatch` on `AUTHORITY_HASH` (non-optional). /// 2. `ExactMatch` on `MODE` (non-optional). /// 3. `GreaterOrEqual` on `SECURITY_VERSION` (optional). /// 1. `ExactMatch` on `AUTHORITY_HASH` (non-optional) on all nodes. /// 2. `ExactMatch` on `MODE` (non-optional) on all nodes. /// 3. `GreaterOrEqual` on `SECURITY_VERSION` (optional) on all nodes. /// 4. The DiceChainEntry corresponding to "AVB" contains SubcomponentDescriptor, for each of those: /// a) GreaterOrEqual on SECURITY_VERSION (Required) // b) ExactMatch on AUTHORITY_HASH (Required). fn sealing_policy(&self) -> Result<Vec<u8>> { let dice = self.dice_artifacts.explicit_key_dice_chain().context("extract explicit DICE chain")?; let constraint_spec = [ let constraint_spec = vec![ ConstraintSpec::new( ConstraintType::ExactMatch, vec![AUTHORITY_HASH], MissingAction::Fail, CertIndex::All, TargetEntry::All, ), ConstraintSpec::new( ConstraintType::ExactMatch, vec![MODE], MissingAction::Fail, CertIndex::All, TargetEntry::All, ), ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![CONFIG_DESC, SECURITY_VERSION], MissingAction::Ignore, CertIndex::All, TargetEntry::All, ), // Constraints on sub components in the second last DiceChainEntry ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![ Loading @@ -167,7 +169,7 @@ impl SkClient { SUBCOMPONENT_SECURITY_VERSION, ], MissingAction::Fail, CertIndex::FromEnd(1), TargetEntry::ByName("AVB".to_string()), ), ConstraintSpec::new( ConstraintType::ExactMatch, Loading @@ -178,10 +180,10 @@ impl SkClient { SUBCOMPONENT_AUTHORITY_HASH, ], MissingAction::Fail, CertIndex::FromEnd(1), TargetEntry::ByName("AVB".to_string()), ), ]; policy_for_dice_chain(dice, &constraint_spec) policy_for_dice_chain(dice, constraint_spec) .unwrap() .to_vec() .context("serialize DICE policy") Loading
security/secretkeeper/aidl/vts/secretkeeper_test_client.rs +9 −10 Original line number Diff line number Diff line Loading @@ -20,7 +20,7 @@ use authgraph_vts_test as ag_vts; use authgraph_boringssl as boring; use authgraph_core::key; use coset::{CborOrdering, CborSerializable, CoseEncrypt0, CoseKey}; use dice_policy_builder::{CertIndex, ConstraintSpec, ConstraintType, MissingAction, WILDCARD_FULL_ARRAY, policy_for_dice_chain}; use dice_policy_builder::{TargetEntry, ConstraintSpec, ConstraintType, MissingAction, WILDCARD_FULL_ARRAY, policy_for_dice_chain}; use rdroidtest::{ignore_if, rdroidtest}; use secretkeeper_client::dice::OwnedDiceArtifactsWithExplicitKey; use secretkeeper_client::{SkSession, Error as SkClientError}; Loading Loading @@ -312,30 +312,29 @@ fn assert_result_matches(res: Result<Secret, Error>, want: SecretkeeperError) { /// 1. ExactMatch on AUTHORITY_HASH (non-optional). /// 2. ExactMatch on MODE (non-optional). /// 3. GreaterOrEqual on SECURITY_VERSION (optional). /// 4. The second last DiceChainEntry contain SubcomponentDescriptor, for each of those: /// 4. The DiceChainEntry corresponding to "AVB" contains SubcomponentDescriptor, for each of those: /// a) GreaterOrEqual on SECURITY_VERSION (Required) // b) ExactMatch on AUTHORITY_HASH (Required). fn sealing_policy(dice: &[u8]) -> Vec<u8> { let constraint_spec = [ let constraint_spec = vec![ ConstraintSpec::new( ConstraintType::ExactMatch, vec![AUTHORITY_HASH], MissingAction::Fail, CertIndex::All, TargetEntry::All, ), ConstraintSpec::new( ConstraintType::ExactMatch, vec![MODE], MissingAction::Fail, CertIndex::All, TargetEntry::All, ), ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![CONFIG_DESC, SECURITY_VERSION], MissingAction::Ignore, CertIndex::All, TargetEntry::All, ), // Constraints on sub components in the second last DiceChainEntry ConstraintSpec::new( ConstraintType::GreaterOrEqual, vec![ Loading @@ -345,7 +344,7 @@ fn sealing_policy(dice: &[u8]) -> Vec<u8> { SUBCOMPONENT_SECURITY_VERSION, ], MissingAction::Fail, CertIndex::FromEnd(1), TargetEntry::ByName("AVB".to_string()), ), ConstraintSpec::new( ConstraintType::ExactMatch, Loading @@ -356,11 +355,11 @@ fn sealing_policy(dice: &[u8]) -> Vec<u8> { SUBCOMPONENT_AUTHORITY_HASH, ], MissingAction::Fail, CertIndex::FromEnd(1), TargetEntry::ByName("AVB".to_string()), ), ]; policy_for_dice_chain(dice, &constraint_spec).unwrap().to_vec().unwrap() policy_for_dice_chain(dice, constraint_spec).unwrap().to_vec().unwrap() } /// Perform AuthGraph key exchange, returning the session keys and session ID. Loading
