From e585065a4d03fbff08d57e66ff8ca4f8ed0e708b Mon Sep 17 00:00:00 2001 From: Alice Wang Date: Wed, 15 Feb 2023 16:10:36 +0000 Subject: [PATCH] [dice] Adapt dice service and tests to the new DiceArtifacts trait The code needed to be adpated because the public fields the code accessed previously now become private. We need to access them via the trait now. This cl also deletes unused dependence libdiced_open_dice_cbor in the dice service and tests targets. Bug: 267575445 Test: m android.hardware.security.dice-service.non-secure-software Test: atest VtsAidlDiceTargetTest VtsAidlDiceDemoteTargetTest Change-Id: I16e18226c0bce8a90ed764ba598e90e7c1c854ab
---
 security/dice/aidl/default/Android.bp | 1 -
 security/dice/aidl/default/service.rs | 22 ++++++++++++-------
 security/dice/aidl/vts/functional/Android.bp | 4 ++--
 .../aidl/vts/functional/dice_demote_test.rs | 8 +++----
 .../dice/aidl/vts/functional/dice_test.rs | 9 ++++----
 5 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/security/dice/aidl/default/Android.bp b/security/dice/aidl/default/Android.bp
index b67a44aa84..5ff4847702 100644
--- a/security/dice/aidl/default/Android.bp
+++ b/security/dice/aidl/default/Android.bp
@@ -14,7 +14,6 @@ rust_binary {
 vendor: true,
 rustlibs: [
 "android.hardware.security.dice-V1-rust",
- "libdiced_open_dice_cbor",
 "libdiced_sample_inputs",
 "libdiced_vendor",
 "libandroid_logger",
diff --git a/security/dice/aidl/default/service.rs b/security/dice/aidl/default/service.rs
index 0197f2c71c..4363e91ec3 100644
--- a/security/dice/aidl/default/service.rs
+++ b/security/dice/aidl/default/service.rs
@@ -14,7 +14,7 @@
 //! Main entry point for the android.hardware.security.dice service.
-use anyhow::Result;
+use anyhow::{anyhow, Result};
 use diced::{
 dice,
 hal_node::{DiceArtifacts, DiceDevice, ResidentHal, UpdatableDiceArtifacts},
@@ -40,8 +40,8 @@ impl DiceArtifacts for InsecureSerializableArtifacts {
 fn cdi_seal(&self) -> &[u8; dice::CDI_SIZE] {
 &self.cdi_seal
 }
- fn bcc(&self) -> Vec {
- self.bcc.clone()
+ fn bcc(&self) -> Option<&[u8]> {
+ Some(&self.bcc)
 }
 }
@@ -56,7 +56,10 @@ impl UpdatableDiceArtifacts for InsecureSerializableArtifacts {
 Ok(Self {
 cdi_attest: *new_artifacts.cdi_attest(),
 cdi_seal: *new_artifacts.cdi_seal(),
- bcc: new_artifacts.bcc(),
+ bcc: new_artifacts
+ .bcc()
+ .ok_or_else(|| anyhow!("bcc is none"))?
+ .to_vec(),
 })
 }
 }
@@ -77,16 +80,19 @@ fn main() {
 let dice_artifacts =
 make_sample_bcc_and_cdis().expect("Failed to construct sample dice chain.");
-
+ let mut cdi_attest = [0u8; dice::CDI_SIZE];
+ cdi_attest.copy_from_slice(dice_artifacts.cdi_attest());
+ let mut cdi_seal = [0u8; dice::CDI_SIZE];
+ cdi_seal.copy_from_slice(dice_artifacts.cdi_seal());
 let hal_impl = Arc::new(
 unsafe {
 // Safety: ResidentHal cannot be used in multi threaded processes.
 // This service does not start a thread pool. The main thread is the only thread
 // joining the thread pool, thereby keeping the process single threaded.
 ResidentHal::new(InsecureSerializableArtifacts {
- cdi_attest: dice_artifacts.cdi_values.cdi_attest,
- cdi_seal: dice_artifacts.cdi_values.cdi_seal,
- bcc: dice_artifacts.bcc[..].to_vec(),
+ cdi_attest,
+ cdi_seal,
+ bcc: dice_artifacts.bcc().expect("bcc is none").to_vec(),
 })
 }
 .expect("Failed to create ResidentHal implementation."),
diff --git a/security/dice/aidl/vts/functional/Android.bp b/security/dice/aidl/vts/functional/Android.bp
index f5bc949f11..2a85a19ca2 100644
--- a/security/dice/aidl/vts/functional/Android.bp
+++ b/security/dice/aidl/vts/functional/Android.bp
@@ -23,7 +23,7 @@ rust_test {
 "android.hardware.security.dice-V1-rust",
 "libanyhow",
 "libbinder_rs",
- "libdiced_open_dice_cbor",
+ "libdiced_open_dice",
 "libdiced_sample_inputs",
 "libdiced_utils",
 "libkeystore2_vintf_rust",
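Review bot: In `main()` of service.rs (hunk `@@ -77,16 +80,19 @@`), filling zero-initialised arrays with `copy_from_slice` pushes the length check to run time and is inconsistent with the `update` hunk above, which copies the same values with `*new_artifacts.cdi_attest()`. If the accessors on the value returned by `make_sample_bcc_and_cdis()` yield `&[u8; dice::CDI_SIZE]`, as the trait methods shown in this file do (the sample type itself is not visible here), then `let cdi_attest = *dice_artifacts.cdi_attest();` and `let cdi_seal = *dice_artifacts.cdi_seal();` do the same job with the size enforced by the compiler. These locals are also additional plaintext copies of the CDIs that are never wiped; that is tolerable only because this is the non-secure sample service, and a one-line comment such as `// Sample service only: CDIs are copied in the clear and not zeroized.` would discourage reuse of the pattern in a real HAL. The body of `main` continues outside the hunk.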
@@ -46,7 +46,7 @@ rust_test {
 "android.hardware.security.dice-V1-rust",
 "libanyhow",
 "libbinder_rs",
- "libdiced_open_dice_cbor",
+ "libdiced_open_dice",
 "libdiced_sample_inputs",
 "libdiced_utils",
 "libkeystore2_vintf_rust",
diff --git a/security/dice/aidl/vts/functional/dice_demote_test.rs b/security/dice/aidl/vts/functional/dice_demote_test.rs
index 1a17ec7233..49aea6738b 100644
--- a/security/dice/aidl/vts/functional/dice_demote_test.rs
+++ b/security/dice/aidl/vts/functional/dice_demote_test.rs
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
+use diced_open_dice::DiceArtifacts;
 use diced_sample_inputs;
 use diced_utils;
 use std::convert::TryInto;
@@ -44,11 +45,10 @@ fn demote_test() {
 .unwrap();
 let artifacts = artifacts.execute_steps(input_values.iter()).unwrap();
- let (cdi_attest, cdi_seal, bcc) = artifacts.into_tuple();
 let from_former = diced_utils::make_bcc_handover(
- cdi_attest[..].try_into().unwrap(),
- cdi_seal[..].try_into().unwrap(),
- &bcc,
+ artifacts.cdi_attest(),
+ artifacts.cdi_seal(),
+ artifacts.bcc().expect("bcc is none"),
 )
 .unwrap();
 // TODO b/204938506 when we have a parser/verifier, check equivalence rather
diff --git a/security/dice/aidl/vts/functional/dice_test.rs b/security/dice/aidl/vts/functional/dice_test.rs
index 190f187050..fbbdd8192c 100644
--- a/security/dice/aidl/vts/functional/dice_test.rs
+++ b/security/dice/aidl/vts/functional/dice_test.rs
@@ -12,9 +12,9 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
+use diced_open_dice::DiceArtifacts;
 use diced_sample_inputs;
 use diced_utils;
-use std::convert::TryInto;
 mod utils;
 use utils::with_connection;
@@ -44,11 +44,10 @@ fn equivalence_test() {
 .unwrap();
 let artifacts = artifacts.execute_steps(input_values.iter()).unwrap();
- let (cdi_attest, cdi_seal, bcc) = artifacts.into_tuple();
 let from_former = diced_utils::make_bcc_handover(
- cdi_attest[..].try_into().unwrap(),
- cdi_seal[..].try_into().unwrap(),
- &bcc,
+ artifacts.cdi_attest(),
+ artifacts.cdi_seal(),
+ artifacts.bcc().expect("bcc is none"),
 )
 .unwrap();
 // TODO b/204938506 when we have a parser/verifier, check equivalence rather