From bff2cae4f80b85d541c265e411220057fbf51e31 Mon Sep 17 00:00:00 2001
From: Andrew Scull <ascull@google.com>
Date: Tue, 4 Oct 2022 16:36:34 +0000
Subject: [PATCH] Generalize RKP CDDL schema beyond CSRs

The certificate signing request (CSR) CDDL schema comprises and
authentication wrapper and an inner payload containing details of the
request. Seperate these two parts more clearly in the schema with a view
to reusing the authentication wrapper for other messages.

The change of Csr to be defined in terms of the AuthenticatedMessage
generic type has no effective change on the schema.

A version field is added to CsrPayload, formerly SignedDataPayload, so
that the AuthenticatedMessage and CsrPayload schemas can evolve
independently.

The cert_type field of DeviceInfo is moved up a level into CsrPayload.
This means DeviceInfo only contains device information and not other
fields related to the CSR.

The payload of AuthenticatedMessage is not self-describing. The expected
schema of the payload will be inferred from context, for example the
server endpoint the message is sent to.

Bug: 250910137
Test: n/a - comments only
Change-Id: I2c981ec8fe63995779ce119168ad3d9b40d5b8c5
---
 security/keymint/RKP_CHANGELOG.md             |  6 +-
 .../hardware/security/keymint/DeviceInfo.aidl |  9 ---
 .../IRemotelyProvisionedComponent.aidl        | 60 +++++++++++--------
 3 files changed, 39 insertions(+), 36 deletions(-)

diff --git a/security/keymint/RKP_CHANGELOG.md b/security/keymint/RKP_CHANGELOG.md
index dfcc9381fa..243fc26525 100644
--- a/security/keymint/RKP_CHANGELOG.md
+++ b/security/keymint/RKP_CHANGELOG.md
@@ -21,13 +21,13 @@ This document provides an exact description of which changes have occurred in th
 ## IRemotelyProvisionedComponent 2 -> 3
 * ProtectedData has been removed.
 * DeviceInfo
-  * `cert_type` has been added, with values corresponding to `widevine` or `keymint`
   * `version` has moved to a top-level field within the CSR generated by the HAL
 * IRemotelyProvisionedComponent
   * The need for an EEK has been removed. There is no longer an encrypted portion of the CSR.
   * Test mode has been removed.
   * The schema for the CSR itself has been significantly simplified, please see
-    IRemotelyProvisionedComponent.aidl for more details.
-    * Notably, the chain of signing, MACing, and encryption operations has been replaced with a single
+    IRemotelyProvisionedComponent.aidl for more details. Notably,
+    * the chain of signing, MACing, and encryption operations has been replaced with a single
       COSE_Sign1 object.
+    * CertificateType has been added to identify the type of certificate being requested.
 
diff --git a/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl b/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl
index 6854851970..f0af619fc0 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl
@@ -49,16 +49,7 @@ parcelable DeviceInfo {
      *         "security_level" : "tee" / "strongbox",
      *         "fused": 1 / 0,  ; 1 if secure boot is enforced for the processor that the IRPC
      *                          ; implementation is contained in. 0 otherwise.
-     *         "cert_type": CertificateType;
      *     }
-     *
-     *     ; A tstr identifying the type of certificate. The set of supported certificate types may
-     *     ; be extended without requiring a version bump of the HAL. Custom certificate types may
-     *     ; be used, but the provisioning server may reject the request for an unknown certificate
-     *     ; type. The currently defined certificate types are:
-     *     ;  - "widevine"
-     *     ;  - "keymint"
-     *     CertificateType = tstr
      */
     byte[] deviceInfo;
 }
diff --git a/security/keymint/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl b/security/keymint/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl
index 3f1f2f7ae3..3b2a8c3f3b 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl
@@ -315,38 +315,50 @@ interface IRemotelyProvisionedComponent {
      *
      * @return the following CBOR Certificate Signing Request (Csr) serialized into a byte array:
      *
-     * Csr = [
-     *    version: 3,              ; The CDDL Schema version.
-     *    UdsCerts,
-     *    DiceCertChain,
-     *    SignedData
-     * ]
+     * Csr = AuthenticatedMessage<CsrPayload>
      *
-     * ; COSE_Sign1 (untagged)
-     * SignedData = [
-     *     protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
-     *     unprotected: {},
-     *     payload: bstr .cbor SignedDataPayload,
-     *     signature: bstr            ; PureEd25519(CDI_Leaf_Priv, bstr .cbor SignedDataSigStruct) /
-     *                                ; ECDSA(CDI_Leaf_Priv, bstr .cbor SignedDataSigStruct)
-     * ]
-     *
-     * ; Sig_structure for SignedData
-     * SignedDataSigStruct = [
-     *     context: "Signature1",
-     *     protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
-     *     external_aad: bstr .size 0,
-     *     payload: bstr .cbor SignedDataPayload
-     * ]
-     *
-     * SignedDataPayload = [               ; CBOR Array defining the payload for SignedData
+     * CsrPayload = [                      ; CBOR Array defining the payload for Csr
+     *     version: 1,                     ; The CsrPayload CDDL Schema version.
+     *     CertificateType,                ; The type of certificate being requested.
      *     DeviceInfo,                     ; Defined in DeviceInfo.aidl
      *     challenge: bstr .size (32..64), ; Provided by the method parameters
      *     KeysToSign,                     ; Provided by the method parameters
      * ]
      *
+     *  ; A tstr identifying the type of certificate. The set of supported certificate types may
+     *  ; be extended without requiring a version bump of the HAL. Custom certificate types may
+     *  ; be used, but the provisioning server may reject the request for an unknown certificate
+     *  ; type. The currently defined certificate types are:
+     *  ;  - "widevine"
+     *  ;  - "keymint"
+     *  CertificateType = tstr
+     *
      * KeysToSign = [ * PublicKey ]   ; Please see MacedPublicKey.aidl for the PublicKey definition.
      *
+     * AuthenticatedMessage<T> = [
+     *    version: 3,              ; The AuthenticatedMessage CDDL Schema version.
+     *    UdsCerts,
+     *    DiceCertChain,
+     *    SignedData<T>,
+     * ]
+     *
+     * ; COSE_Sign1 (untagged)
+     * SignedData<T> = [
+     *     protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
+     *     unprotected: {},
+     *     payload: bstr .cbor T / nil,
+     *     signature: bstr         ; PureEd25519(CDI_Leaf_Priv, bstr .cbor SignedDataSigStruct<T>) /
+     *                             ; ECDSA(CDI_Leaf_Priv, bstr .cbor SignedDataSigStruct<T>)
+     * ]
+     *
+     * ; Sig_structure for SignedData
+     * SignedDataSigStruct<T> = [
+     *     context: "Signature1",
+     *     protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
+     *     external_aad: bstr .size 0,
+     *     payload: bstr .cbor T
+     * ]
+     *
      * ; UdsCerts allows the platform to provide additional certifications for the UDS_Pub. For
      * ; example, this could be provided by the hardware vendor, who certifies all of their chips.
      * ; The SignerName is a free-form string describing who generated the signature. The root