[attestation] Build the certificate output for attestation

This cl builds the certificate output for the client VM in
pVM remote attestation. The certificate includes the subject
public key extracted from the CSR of the client VM and is
signed by the remotely provisioned key obtained from RKPD.

However, certain fields such as VM information in the
extension are currently absent and will be incorporated in
future changes.

Bug: 311359366
Bug: 309441500
Test: atest rialto_test
Change-Id: Ie9acf72b6158f371c70fa303932aa2b6bf9cfab4
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index d1f7291..3ac1e60 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -196,10 +196,14 @@
             ))
             .with_log();
         }
-        let certificate = request_attestation(csr, &attestation_key.keyBlob)
-            .context("Failed to request attestation")
-            .with_log()
-            .or_service_specific_exception(-1)?;
+        let certificate = request_attestation(
+            csr.to_vec(),
+            attestation_key.keyBlob,
+            certificate_chain[0].encodedCertificate.clone(),
+        )
+        .context("Failed to request attestation")
+        .with_log()
+        .or_service_specific_exception(-1)?;
         certificate_chain.insert(0, Certificate { encodedCertificate: certificate });
 
         Ok(certificate_chain)
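Review bot: `certificate_chain[0]` in the new `request_attestation(...)` call will panic if the chain is empty, and nothing visible in this hunk checks that it is non-empty (the guard that closes just above may or may not cover it, since the enclosing function starts outside the hunk). A panic here would take down the service thread instead of returning the service-specific error that the rest of the path uses. Consider taking the leaf with `certificate_chain.first().context("Certificate chain from RKPD is empty").with_log().or_service_specific_exception(-1)?` and cloning its `encodedCertificate`, assuming the same helper traits apply to `Option` as they do on the lines below. It would also help to add a short comment that element 0 is expected to be the certificate for `attestation_key.keyBlob`, because the new client VM certificate is issued under it.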
diff --git a/virtualizationservice/src/rkpvm.rs b/virtualizationservice/src/rkpvm.rs
index 5087120..79e09b0 100644
--- a/virtualizationservice/src/rkpvm.rs
+++ b/virtualizationservice/src/rkpvm.rs
@@ -24,15 +24,14 @@
 use service_vm_manager::ServiceVm;
 
 pub(crate) fn request_attestation(
-    csr: &[u8],
-    remotely_provisioned_keyblob: &[u8],
+    csr: Vec<u8>,
+    remotely_provisioned_key_blob: Vec<u8>,
+    remotely_provisioned_cert: Vec<u8>,
 ) -> Result<Vec<u8>> {
     let mut vm = ServiceVm::start()?;
 
-    let params = ClientVmAttestationParams {
-        csr: csr.to_vec(),
-        remotely_provisioned_key_blob: remotely_provisioned_keyblob.to_vec(),
-    };
+    let params =
+        ClientVmAttestationParams { csr, remotely_provisioned_key_blob, remotely_provisioned_cert };
     let request = Request::RequestClientVmAttestation(params);
     match vm.process_request(request).context("Failed to process request")? {
         Response::RequestClientVmAttestation(cert) => Ok(cert),
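Review bot: `request_attestation` now takes three owned byte buffers with no doc comment, and nothing on the signature says that `remotely_provisioned_cert` must be the certificate belonging to the key in `remotely_provisioned_key_blob`. A mismatched pair would presumably yield a client certificate that does not chain to the RKP root, and whether the service VM checks the pairing is not visible from here. I would add a doc comment such as `/// Requests a certificate for the client VM's CSR from the service VM. `remotely_provisioned_cert` must be the certificate for the key in `remotely_provisioned_key_blob`; it becomes the issuer of the returned certificate.` and confirm the issuer claim against the service VM side. The `match` on the response continues past the end of this hunk.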