commit 9e15e5e01e3dd8cfff5833fabae4ebde241def09
author Shikha Panwar <shikhapanwar@google.com> Thu Jan 25 11:16:28 2024 +0000
committer Shikha Panwar <shikhapanwar@google.com> Thu Feb 01 13:15:36 2024 +0000
tree e08d53bbfedcb08409d22cd95c1062f6627bb0d6
parent 9eab79b8c9d714496de74533ca9408929b238250

Expand DICE chain in VTS/test to contain arrays

Include a list of subcomponents in AVB DiceChainEntry in the sample DICE
chain and include constraints on that in the sealing_policy.

Bug: 291238565
Test: VTS#secret_management_policy_gate
Change-Id: Id36ddf137bacf99c273b61c3136691426f2d5b34

security/secretkeeper/aidl/vts/secretkeeper_cli.rs

diff --git a/security/secretkeeper/aidl/vts/secretkeeper_cli.rs b/security/secretkeeper/aidl/vts/secretkeeper_cli.rs
index 0c13811..d02bfe6 100644
--- a/security/secretkeeper/aidl/vts/secretkeeper_cli.rs
+++ b/security/secretkeeper/aidl/vts/secretkeeper_cli.rs
@@ -24,7 +24,10 @@
 use authgraph_core::traits::Sha256;
 use clap::{Args, Parser, Subcommand};
 use coset::CborSerializable;
-use dice_policy_builder::{ConstraintSpec, ConstraintType, MissingAction, policy_for_dice_chain};
+use dice_policy_builder::{
+    policy_for_dice_chain, CertIndex, ConstraintSpec, ConstraintType, MissingAction,
+    WILDCARD_FULL_ARRAY,
+};
 
 use secretkeeper_client::{dice::OwnedDiceArtifactsWithExplicitKey, SkSession};
 use secretkeeper_comm::data_types::{
@@ -37,6 +40,7 @@
 };
 use secretkeeper_test::{
     dice_sample::make_explicit_owned_dice, AUTHORITY_HASH, CONFIG_DESC, MODE, SECURITY_VERSION,
+    SUBCOMPONENT_AUTHORITY_HASH, SUBCOMPONENT_DESCRIPTORS, SUBCOMPONENT_SECURITY_VERSION,
 };
 use std::io::Write;
 
@@ -139,12 +143,42 @@
                 ConstraintType::ExactMatch,
                 vec![AUTHORITY_HASH],
                 MissingAction::Fail,
+                CertIndex::All,
             ),
-            ConstraintSpec::new(ConstraintType::ExactMatch, vec![MODE], MissingAction::Fail),
+            ConstraintSpec::new(
+                ConstraintType::ExactMatch,
+                vec![MODE],
+                MissingAction::Fail,
+                CertIndex::All,
+            ),
             ConstraintSpec::new(
                 ConstraintType::GreaterOrEqual,
                 vec![CONFIG_DESC, SECURITY_VERSION],
                 MissingAction::Ignore,
+                CertIndex::All,
+            ),
+            // Constraints on sub components in the second last DiceChainEntry
+            ConstraintSpec::new(
+                ConstraintType::GreaterOrEqual,
+                vec![
+                    CONFIG_DESC,
+                    SUBCOMPONENT_DESCRIPTORS,
+                    WILDCARD_FULL_ARRAY,
+                    SUBCOMPONENT_SECURITY_VERSION,
+                ],
+                MissingAction::Fail,
+                CertIndex::FromEnd(1),
+            ),
+            ConstraintSpec::new(
+                ConstraintType::ExactMatch,
+                vec![
+                    CONFIG_DESC,
+                    SUBCOMPONENT_DESCRIPTORS,
+                    WILDCARD_FULL_ARRAY,
+                    SUBCOMPONENT_AUTHORITY_HASH,
+                ],
+                MissingAction::Fail,
+                CertIndex::FromEnd(1),
             ),
         ];
         policy_for_dice_chain(dice, &constraint_spec)