Rewrite key management & signing
Extend compos_helper to support signing, use it from CompOS.
Expose the public key from the VM. Rename compos_verify_key to
compos_verify and get it to verify the signature against the current
instance's public key.
Also move DICE access to compos_key_main. There's no use having it in
the library - neither the tests nor compos_verify can use it - and it
complicates the build rules.
There's a lot more that can be deleted, but I'll do that in a
follow-up; this is big enough already.
Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I2d71f68a595d5ddadb2e7b16937fa6855f5db0ab
diff --git a/compos/verify/Android.bp b/compos/verify/Android.bp
new file mode 100644
index 0000000..d6875d1
--- /dev/null
+++ b/compos/verify/Android.bp
@@ -0,0 +1,23 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+rust_binary {
+ name: "compos_verify",
+ srcs: ["verify.rs"],
+ edition: "2018",
+ rustlibs: [
+ "compos_aidl_interface-rust",
+ "libandroid_logger",
+ "libanyhow",
+ "libbinder_rs",
+ "libclap",
+ "libcompos_common",
+ "libcompos_verify_native_rust",
+ "liblog_rust",
+ ],
+ prefer_rlib: true,
+ apex_available: [
+ "com.android.compos",
+ ],
+}
diff --git a/compos/verify/native/Android.bp b/compos/verify/native/Android.bp
new file mode 100644
index 0000000..969c9f4
--- /dev/null
+++ b/compos/verify/native/Android.bp
@@ -0,0 +1,51 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+rust_library {
+ name: "libcompos_verify_native_rust",
+ crate_name: "compos_verify_native",
+ srcs: ["lib.rs"],
+ rustlibs: [
+ "libanyhow",
+ "libcxx",
+ "liblibc",
+ ],
+ static_libs: [
+ "libcompos_verify_native_cpp",
+ "libcompos_key",
+ ],
+ shared_libs: [
+ "libcrypto",
+ ],
+ apex_available: ["com.android.compos"],
+}
+
+cc_library_static {
+ name: "libcompos_verify_native_cpp",
+ srcs: ["verify_native.cpp"],
+ static_libs: ["libcompos_key"],
+ shared_libs: [
+ "libbase",
+ "libcrypto",
+ ],
+ generated_headers: ["compos_verify_native_header"],
+ generated_sources: ["compos_verify_native_code"],
+ apex_available: ["com.android.compos"],
+}
+
+genrule {
+ name: "compos_verify_native_code",
+ tools: ["cxxbridge"],
+ cmd: "$(location cxxbridge) $(in) >> $(out)",
+ srcs: ["lib.rs"],
+ out: ["verify_native_cxx_generated.cc"],
+}
+
+genrule {
+ name: "compos_verify_native_header",
+ tools: ["cxxbridge"],
+ cmd: "$(location cxxbridge) $(in) --header >> $(out)",
+ srcs: ["lib.rs"],
+ out: ["lib.rs.h"],
+}
diff --git a/compos/verify/native/lib.rs b/compos/verify/native/lib.rs
new file mode 100644
index 0000000..51050da
--- /dev/null
+++ b/compos/verify/native/lib.rs
@@ -0,0 +1,31 @@
+// Copyright 2022, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Native helper for compos_verify to call boringssl.
+
+pub use native::*;
+
+#[cxx::bridge]
+mod native {
+ unsafe extern "C++" {
+ include!("verify_native.h");
+
+ // SAFETY: The C++ implementation manages its own memory, and does not retain or abuse
+ // the references passed to it.
+
+ /// Verify a PureEd25519 signature with the specified public key on the given data,
+ /// returning whether the signature is valid or not.
+ fn verify(public_key: &[u8], signature: &[u8], data: &[u8]) -> bool;
+ }
+}
diff --git a/compos/verify/native/verify_native.cpp b/compos/verify/native/verify_native.cpp
new file mode 100644
index 0000000..2c43d95
--- /dev/null
+++ b/compos/verify/native/verify_native.cpp
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "verify_native.h"
+
+#include <compos_key.h>
+
+using rust::Slice;
+
+bool verify(Slice<const uint8_t> public_key, Slice<const uint8_t> signature,
+ Slice<const uint8_t> data) {
+ compos_key::PublicKey public_key_array;
+ compos_key::Signature signature_array;
+
+ if (public_key.size() != public_key_array.size() ||
+ signature.size() != signature_array.size()) {
+ return false;
+ }
+
+ std::copy(public_key.begin(), public_key.end(), public_key_array.begin());
+ std::copy(signature.begin(), signature.end(), signature_array.begin());
+
+ return compos_key::verify(public_key_array, signature_array, data.data(), data.size());
+}
diff --git a/compos/verify/native/verify_native.h b/compos/verify/native/verify_native.h
new file mode 100644
index 0000000..5f000b6
--- /dev/null
+++ b/compos/verify/native/verify_native.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include "lib.rs.h"
+
+bool verify(rust::Slice<const uint8_t> public_key, rust::Slice<const uint8_t> signature,
+ rust::Slice<const uint8_t> data);
diff --git a/compos/verify/verify.rs b/compos/verify/verify.rs
new file mode 100644
index 0000000..228225d
--- /dev/null
+++ b/compos/verify/verify.rs
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//! A tool to verify a CompOS signature. It starts a CompOS VM as part of this to retrieve the
+//! public key. The tool is intended to be run by odsign during boot.
+
+use anyhow::{bail, Context, Result};
+use compos_aidl_interface::binder::ProcessState;
+use compos_common::compos_client::{VmInstance, VmParameters};
+use compos_common::odrefresh::{
+ CURRENT_ARTIFACTS_SUBDIR, ODREFRESH_OUTPUT_ROOT_DIR, PENDING_ARTIFACTS_SUBDIR,
+ TEST_ARTIFACTS_SUBDIR,
+};
+use compos_common::{
+ COMPOS_DATA_ROOT, IDSIG_FILE, IDSIG_MANIFEST_APK_FILE, INSTANCE_IMAGE_FILE,
+ PENDING_INSTANCE_DIR, TEST_INSTANCE_DIR,
+};
+use log::error;
+use std::fs::File;
+use std::io::Read;
+use std::panic;
+use std::path::Path;
+
+const MAX_FILE_SIZE_BYTES: u64 = 100 * 1024;
+
+fn main() {
+ android_logger::init_once(
+ android_logger::Config::default()
+ .with_tag("compos_verify")
+ .with_min_level(log::Level::Info),
+ );
+
+ // Redirect panic messages to logcat.
+ panic::set_hook(Box::new(|panic_info| {
+ error!("{}", panic_info);
+ }));
+
+ if let Err(e) = try_main() {
+ error!("{:?}", e);
+ std::process::exit(1)
+ }
+}
+
+fn try_main() -> Result<()> {
+ let matches = clap::App::new("compos_verify")
+ .arg(
+ clap::Arg::with_name("instance")
+ .long("instance")
+ .takes_value(true)
+ .required(true)
+ .possible_values(&["pending", "current", "test"]),
+ )
+ .arg(clap::Arg::with_name("debug").long("debug"))
+ .get_matches();
+
+ let debug_mode = matches.is_present("debug");
+ let (instance_dir, artifacts_dir) = match matches.value_of("instance").unwrap() {
+ "pending" => (PENDING_INSTANCE_DIR, PENDING_ARTIFACTS_SUBDIR),
+ "current" => (PENDING_INSTANCE_DIR, CURRENT_ARTIFACTS_SUBDIR),
+ "test" => (TEST_INSTANCE_DIR, TEST_ARTIFACTS_SUBDIR),
+ _ => unreachable!("Unexpected instance name"),
+ };
+
+ let instance_dir = Path::new(COMPOS_DATA_ROOT).join(instance_dir);
+ let artifacts_dir = Path::new(ODREFRESH_OUTPUT_ROOT_DIR).join(artifacts_dir);
+
+ if !instance_dir.is_dir() {
+ bail!("{:?} is not a directory", instance_dir);
+ }
+
+ let instance_image = instance_dir.join(INSTANCE_IMAGE_FILE);
+ let idsig = instance_dir.join(IDSIG_FILE);
+ let idsig_manifest_apk = instance_dir.join(IDSIG_MANIFEST_APK_FILE);
+
+ let instance_image = File::open(instance_image).context("Failed to open instance image")?;
+
+ let info = artifacts_dir.join("compos.info");
+ let signature = artifacts_dir.join("compos.info.signature");
+
+ let info = read_small_file(&info)?;
+ let signature = read_small_file(&signature)?;
+
+ // We need to start the thread pool to be able to receive Binder callbacks
+ ProcessState::start_thread_pool();
+
+ let virtualization_service = VmInstance::connect_to_virtualization_service()?;
+ let vm_instance = VmInstance::start(
+ &*virtualization_service,
+ instance_image,
+ &idsig,
+ &idsig_manifest_apk,
+ &VmParameters { debug_mode, ..Default::default() },
+ )?;
+ let service = vm_instance.get_service()?;
+
+ let public_key = service.getPublicKey().context("Getting public key")?;
+
+ if !compos_verify_native::verify(&public_key, &signature, &info) {
+ bail!("Signature verification failed");
+ }
+
+ Ok(())
+}
+
+fn read_small_file(file: &Path) -> Result<Vec<u8>> {
+ let mut file = File::open(file)?;
+ if file.metadata()?.len() > MAX_FILE_SIZE_BYTES {
+ bail!("File is too big");
+ }
+ let mut data = Vec::new();
+ file.read_to_end(&mut data)?;
+ Ok(data)
+}