Remove the ability to query CompOS BCC

We're no longer planning on using this soon.

Also connect to diced on demand rather than at startup, to reduce
startup latency.

Bug: 214233409
Test: atest ComposKeyTestCase
Change-Id: I91bef95beae9f8b268b2d2b12f782b72ffb006d5
diff --git a/compos/src/compsvc.rs b/compos/src/compsvc.rs
index e4cdb40..422f271 100644
--- a/compos/src/compsvc.rs
+++ b/compos/src/compsvc.rs
@@ -62,7 +62,7 @@
         if key.is_empty() {
             Err(new_binder_exception(ExceptionCode::ILLEGAL_STATE, "Key is not initialized"))
         } else {
-            Ok(self.signing_key.new_signer(key))
+            to_binder_result(self.signing_key.new_signer(key))
         }
     }
 }
@@ -118,10 +118,6 @@
             true
         })
     }
-
-    fn getBootCertificateChain(&self) -> BinderResult<Vec<u8>> {
-        to_binder_result(self.signing_key.get_boot_certificate_chain())
-    }
 }
 
 fn get_authfs_service() -> BinderResult<Strong<dyn IAuthFsService>> {
diff --git a/compos/src/dice.rs b/compos/src/dice.rs
index d9bb1db..9f66b5e 100644
--- a/compos/src/dice.rs
+++ b/compos/src/dice.rs
@@ -20,7 +20,6 @@
 use android_security_dice::binder::{wait_for_interface, Strong};
 use anyhow::{Context, Result};
 
-#[derive(Clone)]
 pub struct Dice {
     node: Strong<dyn IDiceNode>,
 }
@@ -32,15 +31,6 @@
         Ok(Self { node: dice_service })
     }
 
-    pub fn get_boot_certificate_chain(&self) -> Result<Vec<u8>> {
-        let input_values = []; // Get our BCC, not a child's
-        let bcc = self
-            .node
-            .getAttestationChain(&input_values)
-            .context("Getting attestation chain failed")?;
-        Ok(bcc.data)
-    }
-
     pub fn get_sealing_cdi(&self) -> Result<Vec<u8>> {
         let input_values = [];
         let bcc_handover = self.node.derive(&input_values).context("Failed to retrieve CDI")?;
diff --git a/compos/src/signing_key.rs b/compos/src/signing_key.rs
index 990f9b0..175a11b 100644
--- a/compos/src/signing_key.rs
+++ b/compos/src/signing_key.rs
@@ -29,16 +29,12 @@
 };
 
 pub struct SigningKey {
-    dice: Dice,
+    _unused: (), // Prevent construction other than by new()
 }
 
 impl SigningKey {
     pub fn new() -> Result<Self> {
-        Ok(Self { dice: Dice::new()? })
-    }
-
-    pub fn get_boot_certificate_chain(&self) -> Result<Vec<u8>> {
-        Dice::new()?.get_boot_certificate_chain()
+        Ok(Self { _unused: () })
     }
 
     pub fn generate(&self) -> Result<CompOsKeyData> {
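Review bot: `SigningKey::new()` can no longer fail but still returns `Result<Self>`, and nothing in the hunk tells a reader that constructing the object no longer proves diced is reachable. The removed `Dice::new()?` was an implicit startup check; after this change a missing or broken diced only shows up on the first `generate()` or `new_signer()` call. If the `Result` return is kept for caller compatibility, a doc comment would make the new contract explicit: `/// Does not connect to diced; generate() and new_signer() connect on demand and report connection failures themselves.` The `impl SigningKey` block continues outside the hunk.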
@@ -47,7 +43,7 @@
             bail!("Failed to generate key pair: {}", key_result.error);
         }
 
-        let encrypted = encrypt_private_key(&self.dice, &key_result.private_key)?;
+        let encrypted = encrypt_private_key(&Dice::new()?, &key_result.private_key)?;
         Ok(CompOsKeyData { publicKey: key_result.public_key, keyBlob: encrypted })
     }
 
@@ -58,7 +54,7 @@
         let mut data = [0u8; 32]; // Size is fairly arbitrary.
         SystemRandom::new().fill(&mut data).context("No random data")?;
 
-        let signature = self.new_signer(key_blob).sign(&data)?;
+        let signature = self.new_signer(key_blob)?.sign(&data)?;
 
         let public_key =
             signature::UnparsedPublicKey::new(&signature::RSA_PKCS1_2048_8192_SHA256, public_key);
@@ -67,8 +63,8 @@
         Ok(())
     }
 
-    pub fn new_signer(&self, key_blob: &[u8]) -> Signer {
-        Signer { key_blob: key_blob.to_owned(), dice: self.dice.clone() }
+    pub fn new_signer(&self, key_blob: &[u8]) -> Result<Signer> {
+        Ok(Signer { key_blob: key_blob.to_owned(), dice: Dice::new()? })
     }
 }
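Review bot: `new_signer` now opens a fresh diced connection for every signer through a bare `Dice::new()?`, so a connection failure reaches the caller with no indication that it happened while creating a signer. Adding context keeps the failure attributable: `Ok(Signer { key_blob: key_blob.to_owned(), dice: Dice::new().context("Connecting to diced for signer failed")? })`. The `encrypt_private_key(&Dice::new()?, …)` line in `generate()` has the same bare call and would benefit from the same treatment. If `Dice::new` blocks until the service is available (the `wait_for_interface` import in dice.rs suggests it may), that wait now happens on each signing request rather than once at startup, which is worth a comment on `new_signer`.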