Validate DICE chain based on context

The DICE chain in ProtectedData objects is evaluated against the
specification from v1 and v2 of the HAL, whereas the chain in
AuthenticatedMessage objects is evaluated against the specification
from v3.

There are only small differences, with v3 aligning to the standards where
there was previously more leniency.

Fix: 262599829
Test: TH
Change-Id: Ied14362b5530485eb6c2302a0ae0f21da9cdb33f
Andrew Scull
2023-03-13 16:46:49 +00:00
parent 86d2173992
commit a601d07478


@@ -290,11 +290,12 @@ bytevec getProdEekChain(int32_t supportedEekCurve) {
return chain.encode();
}
ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc) {
ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc,
hwtrust::DiceChain::Kind kind) {
auto encodedBcc = bcc->encode();
auto chain = hwtrust::DiceChain::verify(encodedBcc);
auto chain = hwtrust::DiceChain::Verify(encodedBcc, kind);
if (!chain.ok()) return chain.error().message();
auto keys = chain->cose_public_keys();
auto keys = chain->CosePublicKeys();
if (!keys.ok()) return keys.error().message();
std::vector<BccEntryData> result;
for (auto& key : *keys) {
@@ -569,7 +570,7 @@ ErrMsgOr<std::vector<BccEntryData>> verifyProtectedData(
}
// BCC is [ pubkey, + BccEntry]
auto bccContents = validateBcc(bcc->asArray());
auto bccContents = validateBcc(bcc->asArray(), hwtrust::DiceChain::Kind::kProtectedData);
if (!bccContents) {
return bccContents.message() + "\n" + prettyPrint(bcc.get());
}
@@ -859,8 +860,8 @@ ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t
return "AuthenticatedRequest SignedData must be an Array.";
}
// DICE chain is [ pubkey, + DiceChainEntry ]. Its format is the same as BCC from RKP v1-2.
auto diceContents = validateBcc(diceCertChain);
// DICE chain is [ pubkey, + DiceChainEntry ].
auto diceContents = validateBcc(diceCertChain, hwtrust::DiceChain::Kind::kAuthenticatedMessage);
if (!diceContents) {
return diceContents.message() + "\n" + prettyPrint(diceCertChain);
}
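Review bot: The new `kind` parameter of validateBcc (first hunk) decides how strictly the chain is verified, but nothing in the code says so; only the commit message explains that kProtectedData means the more lenient v1/v2 rules and kAuthenticatedMessage the v3 rules. I would state that on the function, e.g. `// kind selects the spec the chain is verified against: kProtectedData = HAL v1/v2 (more lenient), kAuthenticatedMessage = HAL v3.`, so a later caller does not copy the lenient kind onto a v3 message. The third hunk also drops the remark that the DICE chain format matches the v1-2 BCC without saying what now differs, so the shortened comment could note that v3 chains are checked against the stricter rules. validateBcc's body continues past the end of the first hunk, and its declaration is not visible here.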