Rewrite key management & signing
Extend compos_helper to support signing, use it from CompOS.
Expose the public key from the VM. Rename compos_verify_key to
compos_verify and get it to verify the signature against the current
instance's public key.
Also move DICE access to compos_key_main. There's no use having it in
the library - neither the tests nor compos_verify can use it - and it
complicates the build rules.
There's a lot more that can be deleted, but I'll do that in a
follow-up; this is big enough already.
Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I2d71f68a595d5ddadb2e7b16937fa6855f5db0ab
diff --git a/compos/composd/src/odrefresh_task.rs b/compos/composd/src/odrefresh_task.rs
index d1d0e28..9dec1c1 100644
--- a/compos/composd/src/odrefresh_task.rs
+++ b/compos/composd/src/odrefresh_task.rs
@@ -26,7 +26,7 @@
use compos_aidl_interface::aidl::com::android::compos::ICompOsService::{
CompilationMode::CompilationMode, ICompOsService,
};
-use compos_common::odrefresh::ExitCode;
+use compos_common::odrefresh::{ExitCode, ODREFRESH_OUTPUT_ROOT_DIR};
use log::{error, info, warn};
use rustutils::system_properties;
use std::fs::{remove_dir_all, File, OpenOptions};
@@ -36,8 +36,6 @@
use std::sync::{Arc, Mutex};
use std::thread;
-const ART_APEX_DATA: &str = "/data/misc/apexdata/com.android.art";
-
#[derive(Clone)]
pub struct OdrefreshTask {
running_task: Arc<Mutex<Option<RunningTask>>>,
@@ -122,7 +120,7 @@
compilation_mode: CompilationMode,
target_dir_name: &str,
) -> Result<ExitCode> {
- let output_root = Path::new(ART_APEX_DATA);
+ let output_root = Path::new(ODREFRESH_OUTPUT_ROOT_DIR);
// We need to remove the target directory because odrefresh running in compos will create it
// (and can't see the existing one, since authfs doesn't show it existing files in an output
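Review bot: `output_root` now comes from the shared `ODREFRESH_OUTPUT_ROOT_DIR`, but `target_dir_name` is still an unconstrained `&str`. Going by the comment here and the `remove_dir_all` import, it is presumably joined onto this root and deleted recursively. `Path::join` replaces the base when its argument is absolute and does not collapse `..`, so the function should check that the name is a single normal path component before the removal. At minimum, document the requirement on the parameter, for example `// target_dir_name must be a single directory name under ODREFRESH_OUTPUT_ROOT_DIR`. Both call sites in service.rs pass constants from `compos_common::odrefresh`, so this is hardening rather than a live bug. The function body continues outside the hunk, so the removal itself is not visible here.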
diff --git a/compos/composd/src/service.rs b/compos/composd/src/service.rs
index f4121e7..8e5586e 100644
--- a/compos/composd/src/service.rs
+++ b/compos/composd/src/service.rs
@@ -30,6 +30,7 @@
use anyhow::{Context, Result};
use compos_aidl_interface::aidl::com::android::compos::ICompOsService::CompilationMode::CompilationMode;
use compos_common::binder::to_binder_result;
+use compos_common::odrefresh::{PENDING_ARTIFACTS_SUBDIR, TEST_ARTIFACTS_SUBDIR};
use rustutils::{users::AID_ROOT, users::AID_SYSTEM};
use std::sync::Arc;
@@ -72,7 +73,7 @@
// TODO: Try to start the current instance with staged APEXes to see if it works?
let comp_os = self.instance_manager.start_pending_instance().context("Starting CompOS")?;
- let target_dir_name = "compos-pending".to_owned();
+ let target_dir_name = PENDING_ARTIFACTS_SUBDIR.to_owned();
let task = OdrefreshTask::start(
comp_os,
CompilationMode::NORMAL_COMPILE,
@@ -89,7 +90,7 @@
) -> Result<Strong<dyn ICompilationTask>> {
let comp_os = self.instance_manager.start_test_instance().context("Starting CompOS")?;
- let target_dir_name = "test-artifacts".to_owned();
+ let target_dir_name = TEST_ARTIFACTS_SUBDIR.to_owned();
let task = OdrefreshTask::start(
comp_os,
CompilationMode::TEST_COMPILE,