Remove the ability to query CompOS BCC
We're no longer planning on using this soon.
Also connect to diced on demand rather than at startup, to reduce
startup latency.
Bug: 214233409
Test: atest ComposKeyTestCase
Change-Id: I91bef95beae9f8b268b2d2b12f782b72ffb006d5
diff --git a/compos/aidl/com/android/compos/ICompOsService.aidl b/compos/aidl/com/android/compos/ICompOsService.aidl
index 39e9d61..cead5d0 100644
--- a/compos/aidl/com/android/compos/ICompOsService.aidl
+++ b/compos/aidl/com/android/compos/ICompOsService.aidl
@@ -66,9 +66,4 @@
* @return whether the inputs are valid and correspond to each other.
*/
boolean verifySigningKey(in byte[] keyBlob, in byte[] publicKey);
-
- /**
- * Returns the DICE BCC for this instance of CompOS, allowing signatures to be verified.
- */
- byte[] getBootCertificateChain();
}
diff --git a/compos/composd/aidl/android/system/composd/IIsolatedCompilationService.aidl b/compos/composd/aidl/android/system/composd/IIsolatedCompilationService.aidl
index 0b5eec1..8156265 100644
--- a/compos/composd/aidl/android/system/composd/IIsolatedCompilationService.aidl
+++ b/compos/composd/aidl/android/system/composd/IIsolatedCompilationService.aidl
@@ -42,10 +42,4 @@
* a reference to the ICompilationTask until compilation completes or is cancelled.
*/
ICompilationTask startTestCompile(ICompilationTaskCallback callback);
-
- /**
- * For testing.
- * TODO(b/214233409): Remove
- */
- byte[] getBcc();
}
diff --git a/compos/composd/src/service.rs b/compos/composd/src/service.rs
index cb52037..6cdcd85 100644
--- a/compos/composd/src/service.rs
+++ b/compos/composd/src/service.rs
@@ -61,12 +61,6 @@
check_permissions()?;
to_binder_result(self.do_start_test_compile(callback))
}
-
- // TODO(b/214233409): Remove
- fn getBcc(&self) -> binder::Result<Vec<u8>> {
- check_permissions()?;
- to_binder_result(self.do_get_bcc())
- }
}
impl IsolatedCompilationService {
@@ -94,11 +88,6 @@
Ok(BnCompilationTask::new_binder(task, BinderFeatures::default()))
}
-
- fn do_get_bcc(&self) -> Result<Vec<u8>> {
- let comp_os = self.instance_manager.start_test_instance().context("Starting CompOS")?;
- comp_os.get_service().getBootCertificateChain().context("getBcc")
- }
}
fn check_permissions() -> binder::Result<()> {
diff --git a/compos/composd_cmd/composd_cmd.rs b/compos/composd_cmd/composd_cmd.rs
index 9b41104..546c4af 100644
--- a/compos/composd_cmd/composd_cmd.rs
+++ b/compos/composd_cmd/composd_cmd.rs
@@ -29,8 +29,6 @@
};
use anyhow::{bail, Context, Result};
use compos_common::timeouts::timeouts;
-use std::fs::File;
-use std::io::Write;
use std::sync::{Arc, Condvar, Mutex};
use std::time::Duration;
@@ -40,7 +38,7 @@
.index(1)
.takes_value(true)
.required(true)
- .possible_values(&["staged-apex-compile", "test-compile", "dice"]),
+ .possible_values(&["staged-apex-compile", "test-compile"]),
);
let args = app.get_matches();
let command = args.value_of("command").unwrap();
@@ -50,7 +48,6 @@
match command {
"staged-apex-compile" => run_staged_apex_compile()?,
"test-compile" => run_test_compile()?,
- "dice" => write_dice()?,
_ => panic!("Unexpected command {}", command),
}
@@ -115,16 +112,6 @@
run_async_compilation(|service, callback| service.startTestCompile(callback))
}
-fn write_dice() -> Result<()> {
- let service = wait_for_interface::<dyn IIsolatedCompilationService>("android.system.composd")
- .context("Failed to connect to composd service")?;
-
- let bcc = service.getBcc()?;
- let mut file =
- File::create("/data/misc/apexdata/com.android.compos/bcc").context("Creating bcc file")?;
- file.write_all(&bcc).context("Writing bcc")
-}
-
fn run_async_compilation<F>(start_compile_fn: F) -> Result<()>
where
F: FnOnce(
diff --git a/compos/src/compsvc.rs b/compos/src/compsvc.rs
index e4cdb40..422f271 100644
--- a/compos/src/compsvc.rs
+++ b/compos/src/compsvc.rs
@@ -62,7 +62,7 @@
if key.is_empty() {
Err(new_binder_exception(ExceptionCode::ILLEGAL_STATE, "Key is not initialized"))
} else {
- Ok(self.signing_key.new_signer(key))
+ to_binder_result(self.signing_key.new_signer(key))
}
}
}
@@ -118,10 +118,6 @@
true
})
}
-
- fn getBootCertificateChain(&self) -> BinderResult<Vec<u8>> {
- to_binder_result(self.signing_key.get_boot_certificate_chain())
- }
}
fn get_authfs_service() -> BinderResult<Strong<dyn IAuthFsService>> {
diff --git a/compos/src/dice.rs b/compos/src/dice.rs
index d9bb1db..9f66b5e 100644
--- a/compos/src/dice.rs
+++ b/compos/src/dice.rs
@@ -20,7 +20,6 @@
use android_security_dice::binder::{wait_for_interface, Strong};
use anyhow::{Context, Result};
-#[derive(Clone)]
pub struct Dice {
node: Strong<dyn IDiceNode>,
}
@@ -32,15 +31,6 @@
Ok(Self { node: dice_service })
}
- pub fn get_boot_certificate_chain(&self) -> Result<Vec<u8>> {
- let input_values = []; // Get our BCC, not a child's
- let bcc = self
- .node
- .getAttestationChain(&input_values)
- .context("Getting attestation chain failed")?;
- Ok(bcc.data)
- }
-
pub fn get_sealing_cdi(&self) -> Result<Vec<u8>> {
let input_values = [];
let bcc_handover = self.node.derive(&input_values).context("Failed to retrieve CDI")?;
diff --git a/compos/src/signing_key.rs b/compos/src/signing_key.rs
index 990f9b0..175a11b 100644
--- a/compos/src/signing_key.rs
+++ b/compos/src/signing_key.rs
@@ -29,16 +29,12 @@
};
pub struct SigningKey {
- dice: Dice,
+ _unused: (), // Prevent construction other than by new()
}
impl SigningKey {
pub fn new() -> Result<Self> {
- Ok(Self { dice: Dice::new()? })
- }
-
- pub fn get_boot_certificate_chain(&self) -> Result<Vec<u8>> {
- Dice::new()?.get_boot_certificate_chain()
+ Ok(Self { _unused: () })
}
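Review bot: `SigningKey::new` can no longer fail — it only builds `Self { _unused: () }` — yet it keeps the `Result<Self>` signature; that is reasonable for existing `?` callers but deserves a comment such as `// Infallible now that the diced connection is made on demand; Result kept for API compatibility`. The comment on the `_unused` field is also slightly off: a private field blocks struct-literal construction outside this module, not elsewhere inside it, and the conventional name for such a field is `_private`; `_private: (), // private field: outside this module only new() can construct a SigningKey` states the guarantee precisely.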
pub fn generate(&self) -> Result<CompOsKeyData> {
@@ -47,7 +43,7 @@
bail!("Failed to generate key pair: {}", key_result.error);
}
- let encrypted = encrypt_private_key(&self.dice, &key_result.private_key)?;
+ let encrypted = encrypt_private_key(&Dice::new()?, &key_result.private_key)?;
Ok(CompOsKeyData { publicKey: key_result.public_key, keyBlob: encrypted })
}
@@ -58,7 +54,7 @@
let mut data = [0u8; 32]; // Size is fairly arbitrary.
SystemRandom::new().fill(&mut data).context("No random data")?;
- let signature = self.new_signer(key_blob).sign(&data)?;
+ let signature = self.new_signer(key_blob)?.sign(&data)?;
let public_key =
signature::UnparsedPublicKey::new(&signature::RSA_PKCS1_2048_8192_SHA256, public_key);
@@ -67,8 +63,8 @@
Ok(())
}
- pub fn new_signer(&self, key_blob: &[u8]) -> Signer {
- Signer { key_blob: key_blob.to_owned(), dice: self.dice.clone() }
+ pub fn new_signer(&self, key_blob: &[u8]) -> Result<Signer> {
+ Ok(Signer { key_blob: key_blob.to_owned(), dice: Dice::new()? })
}
}