commit d530f7e39bc4d2563080ad3fa4626662853ba36f
author Shikha Panwar <shikhapanwar@google.com> Thu Jun 13 08:25:02 2024 +0000
committer Shikha Panwar <shikhapanwar@google.com> Thu Jun 13 14:55:51 2024 +0000
tree 9f0c7e8a05bbd07a1e0c283e6b1eed7487671e74
parent c63722a30c26046d71a25141b9eb2531d6b7a06e

Vts: New dice_policy_builder api with `TargetEntry`.

The policy building library changes in aosp/3125493, accordingly change
the function call. This does not change the behaviour or test coverage
of VTS.

Test: atest VtsSecretkeeperTargetTest
Bug: 291245237
Change-Id: I21a7b0abe5bf186893ec9a68bb080b41778d3313

security/secretkeeper/aidl/vts/secretkeeper_cli.rs

diff --git a/security/secretkeeper/aidl/vts/secretkeeper_cli.rs b/security/secretkeeper/aidl/vts/secretkeeper_cli.rs
index 377ed37..9fbfb45 100644
--- a/security/secretkeeper/aidl/vts/secretkeeper_cli.rs
+++ b/security/secretkeeper/aidl/vts/secretkeeper_cli.rs
@@ -25,7 +25,7 @@
 use clap::{Args, Parser, Subcommand};
 use coset::CborSerializable;
 use dice_policy_builder::{
-    policy_for_dice_chain, CertIndex, ConstraintSpec, ConstraintType, MissingAction,
+    policy_for_dice_chain, ConstraintSpec, ConstraintType, MissingAction, TargetEntry,
     WILDCARD_FULL_ARRAY,
 };
 
@@ -131,33 +131,35 @@
     }
 
     /// Construct a sealing policy on the DICE chain with constraints:
-    /// 1. `ExactMatch` on `AUTHORITY_HASH` (non-optional).
-    /// 2. `ExactMatch` on `MODE` (non-optional).
-    /// 3. `GreaterOrEqual` on `SECURITY_VERSION` (optional).
+    /// 1. `ExactMatch` on `AUTHORITY_HASH` (non-optional) on all nodes.
+    /// 2. `ExactMatch` on `MODE` (non-optional) on all nodes.
+    /// 3. `GreaterOrEqual` on `SECURITY_VERSION` (optional) on all nodes.
+    /// 4. The  DiceChainEntry corresponding to "AVB" contains SubcomponentDescriptor, for each of those:
+    ///     a) GreaterOrEqual on SECURITY_VERSION (Required)
+    //      b) ExactMatch on AUTHORITY_HASH (Required).
     fn sealing_policy(&self) -> Result<Vec<u8>> {
         let dice =
             self.dice_artifacts.explicit_key_dice_chain().context("extract explicit DICE chain")?;
 
-        let constraint_spec = [
+        let constraint_spec = vec![
             ConstraintSpec::new(
                 ConstraintType::ExactMatch,
                 vec![AUTHORITY_HASH],
                 MissingAction::Fail,
-                CertIndex::All,
+                TargetEntry::All,
             ),
             ConstraintSpec::new(
                 ConstraintType::ExactMatch,
                 vec![MODE],
                 MissingAction::Fail,
-                CertIndex::All,
+                TargetEntry::All,
             ),
             ConstraintSpec::new(
                 ConstraintType::GreaterOrEqual,
                 vec![CONFIG_DESC, SECURITY_VERSION],
                 MissingAction::Ignore,
-                CertIndex::All,
+                TargetEntry::All,
             ),
-            // Constraints on sub components in the second last DiceChainEntry
             ConstraintSpec::new(
                 ConstraintType::GreaterOrEqual,
                 vec![
@@ -167,7 +169,7 @@
                     SUBCOMPONENT_SECURITY_VERSION,
                 ],
                 MissingAction::Fail,
-                CertIndex::FromEnd(1),
+                TargetEntry::ByName("AVB".to_string()),
             ),
             ConstraintSpec::new(
                 ConstraintType::ExactMatch,
@@ -178,10 +180,10 @@
                     SUBCOMPONENT_AUTHORITY_HASH,
                 ],
                 MissingAction::Fail,
-                CertIndex::FromEnd(1),
+                TargetEntry::ByName("AVB".to_string()),
             ),
         ];
-        policy_for_dice_chain(dice, &constraint_spec)
+        policy_for_dice_chain(dice, constraint_spec)
             .unwrap()
             .to_vec()
             .context("serialize DICE policy")