[rkp] Add request/response for ECDSA P256 key pair generation
This CL adds the request and response protocol messages for the ECDSA P-256
key pair generation needed by the IRemotelyProvisionedComponent
implementation.
Bug: 299055662
Test: atest rialto_test
Change-Id: Ib3b8519e3833a6617fc6daa878777b9e0499f751
diff --git a/libs/service_vm_comm/src/lib.rs b/libs/service_vm_comm/src/lib.rs
index ef5e8bb..555d1f0 100644
--- a/libs/service_vm_comm/src/lib.rs
+++ b/libs/service_vm_comm/src/lib.rs
@@ -22,5 +22,5 @@
mod message;
mod vsock;
-pub use message::{Request, Response};
+pub use message::{EcdsaP256KeyPair, Request, Response};
pub use vsock::host_port;
diff --git a/libs/service_vm_comm/src/message.rs b/libs/service_vm_comm/src/message.rs
index ebbefcb..bbb5d8c 100644
--- a/libs/service_vm_comm/src/message.rs
+++ b/libs/service_vm_comm/src/message.rs
@@ -27,6 +27,10 @@
/// Reverse the order of the bytes in the provided byte array.
/// Currently this is only used for testing.
Reverse(Vec<u8>),
+
+ /// Generates a new ECDSA P-256 key pair that can be attested by the remote
+ /// server.
+ GenerateEcdsaP256KeyPair,
}
/// Represents a response to a request sent to the service VM.
@@ -36,4 +40,19 @@
pub enum Response {
/// Reverse the order of the bytes in the provided byte array.
Reverse(Vec<u8>),
+
+ /// Returns the new ECDSA P-256 key pair.
+ GenerateEcdsaP256KeyPair(EcdsaP256KeyPair),
+}
+
+/// Represents an ECDSA P-256 key pair.
+#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
+pub struct EcdsaP256KeyPair {
+ /// Contains a CBOR-encoded public key specified in:
+ ///
+ /// hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/MacedPublicKey.aidl
+ pub maced_public_key: Vec<u8>,
+
+ /// Contains a handle to the private key.
+ pub key_blob: Vec<u8>,
}
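Review bot: `EcdsaP256KeyPair` derives `Debug` while `key_blob` is documented as a handle to the private key, so any `{:?}` formatting of a `Response` (rialto already uses `debug!` logging) would write the blob bytes to the log. Whether the blob is wrapped or encrypted is not stated in this hunk; the field doc should say so, for example `/// Contains a handle to the private key; state here how the blob is protected and who may unwrap it.` Independently of that, a hand-written `Debug` that prints only the blob length keeps key material out of logs without changing the wire format.

```rust
#[derive(Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct EcdsaP256KeyPair {
    // … unchanged: maced_public_key and key_blob fields …
}

impl core::fmt::Debug for EcdsaP256KeyPair {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        f.debug_struct("EcdsaP256KeyPair")
            .field("maced_public_key", &self.maced_public_key)
            // Print only the size so the private key handle never reaches a log.
            .field("key_blob_len", &self.key_blob.len())
            .finish()
    }
}
```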
diff --git a/rialto/src/main.rs b/rialto/src/main.rs
index b34b9de..0ecbe9d 100644
--- a/rialto/src/main.rs
+++ b/rialto/src/main.rs
@@ -135,7 +135,7 @@
debug!("Found socket device: guest cid = {:?}", socket_device.guest_cid());
let mut vsock_stream = VsockStream::new(socket_device, host_addr())?;
- let response = requests::process_request(vsock_stream.read_request()?);
+ let response = requests::process_request(vsock_stream.read_request()?)?;
vsock_stream.write_response(&response)?;
vsock_stream.flush()?;
vsock_stream.shutdown()?;
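Review bot: The new `?` on `requests::process_request(...)` returns before `write_response`, `flush` and `shutdown` run, so a failed request leaves the host with no response on the vsock stream. How the enclosing function's caller handles that error is outside this hunk, but the host side presumably cannot tell a key-generation failure from a transport failure. Consider carrying the failure in the protocol (an error variant on `Response`) and always writing a response, or at least shutting the stream down on the error path. A comment such as `// A processing error aborts the connection without a response; the host must treat EOF as failure.` would document the current behaviour if it is intended.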
diff --git a/rialto/src/requests/api.rs b/rialto/src/requests/api.rs
index 11fdde4..05a386e 100644
--- a/rialto/src/requests/api.rs
+++ b/rialto/src/requests/api.rs
@@ -14,16 +14,23 @@
//! This module contains the main API for the request processing module.
+use super::rkp;
+use crate::error::Result;
use alloc::vec::Vec;
use service_vm_comm::{Request, Response};
/// Processes a request and returns the corresponding response.
/// This function serves as the entry point for the request processing
/// module.
-pub fn process_request(request: Request) -> Response {
- match request {
+pub fn process_request(request: Request) -> Result<Response> {
+ let response = match request {
Request::Reverse(v) => Response::Reverse(reverse(v)),
- }
+ Request::GenerateEcdsaP256KeyPair => {
+ let res = rkp::generate_ecdsa_p256_key_pair()?;
+ Response::GenerateEcdsaP256KeyPair(res)
+ }
+ };
+ Ok(response)
}
fn reverse(payload: Vec<u8>) -> Vec<u8> {
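Review bot: The doc comment on `process_request` still describes an infallible function although the signature now returns `Result<Response>`. The only fallible path visible here is `rkp::generate_ecdsa_p256_key_pair()?`, so an `# Errors` section would make the contract explicit, for example `/// # Errors` followed by `/// Returns an error if the key pair generation fails.` The `match` is exhaustive without a catch-all arm, which is good; keep it that way as more request types are added.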
diff --git a/rialto/src/requests/mod.rs b/rialto/src/requests/mod.rs
index ca22777..2ed568c 100644
--- a/rialto/src/requests/mod.rs
+++ b/rialto/src/requests/mod.rs
@@ -15,5 +15,6 @@
//! This module contains functions for the request processing.
mod api;
+mod rkp;
pub use api::process_request;
diff --git a/rialto/src/requests/rkp.rs b/rialto/src/requests/rkp.rs
new file mode 100644
index 0000000..f1b1b17
--- /dev/null
+++ b/rialto/src/requests/rkp.rs
@@ -0,0 +1,26 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module contains functions related to the attestation of the
+//! service VM via the RKP (Remote Key Provisionning) server.
+
+use crate::error::Result;
+use alloc::vec::Vec;
+use service_vm_comm::EcdsaP256KeyPair;
+
+pub(super) fn generate_ecdsa_p256_key_pair() -> Result<EcdsaP256KeyPair> {
+ // TODO(b/299055662): Generate the key pair.
+ let key_pair = EcdsaP256KeyPair { maced_public_key: Vec::new(), key_blob: Vec::new() };
+ Ok(key_pair)
+}
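Review bot: The stub `generate_ecdsa_p256_key_pair` returns `Ok` with an empty `maced_public_key` and an empty `key_blob`, so a host that issues `Request::GenerateEcdsaP256KeyPair` today receives a well-formed success response that contains no key. Until the TODO is resolved it would be safer to return an error from `crate::error` (its variants are not visible in this diff) so that a placeholder can never be mistaken for a provisioned key further along the RKP flow. The function also has no doc comment; something like `/// Generates an ECDSA P-256 key pair; currently a placeholder that returns empty fields.` would state the present behaviour. The module doc has a typo: "Provisionning" should read "Provisioning".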