DICE specification for AVF guest
Consolidate the usage of different keys in Config Descriptor specified
for various components running in AVF guest environment.
Test: N/A
Bug: 291245237
Change-Id: Ic081636ea7e1b8c4767cd18fc5a9ea83b9cc2e6f
diff --git a/microdroid_manager/src/dice.rs b/microdroid_manager/src/dice.rs
index cecf413..7cfeb21 100644
--- a/microdroid_manager/src/dice.rs
+++ b/microdroid_manager/src/dice.rs
@@ -134,8 +134,8 @@
apks.chain(apexes).collect()
}
-// Returns a configuration descriptor of the given payload. See vm_config.cddl for the definition
-// of the format.
+// Returns a configuration descriptor of the given payload. See dice_for_avf_guest.cddl for the
+// definition of the format.
fn format_payload_config_descriptor(
payload: &PayloadMetadata,
subcomponents: Vec<Subcomponent>,
diff --git a/microdroid_manager/src/vm_config.cddl b/microdroid_manager/src/vm_config.cddl
deleted file mode 100644
index 8508e8f..0000000
--- a/microdroid_manager/src/vm_config.cddl
+++ /dev/null
@@ -1,56 +0,0 @@
-; Configuration Descriptor used in the DICE node that describes the payload of a Microdroid virtual
-; machine.
-;
-; See the Open DICE specification
-; https://pigweed.googlesource.com/open-dice/+/HEAD/docs/specification.md,
-; and the Android Profile for DICE
-; https://pigweed.googlesource.com/open-dice/+/HEAD/docs/android.md.
-;
-; CDDL for the normal Configuration Descriptor can be found at
-; https://cs.android.com/android/platform/superproject/main/+/main:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl
-
-; The configuration descriptor node for a Microdroid VM, with extensions to describe the contents
-; of the VM payload.
-; The subcomponents describe the APKs and then the APEXes that are part of the VM. The main APK
-; is first, followed by any extra APKs in the order they are specified in the VM config.
-; The APEXes are listed in the order specified when the VM is created, which is normally alphabetic
-; order by name.
-VmConfigDescriptor = {
- -70002 : "Microdroid payload", ; Component name
- (? -71000: tstr // ; Path to the payload config file
- ? -71001: PayloadConfig),
- ? -71002: [+ SubcomponentDescriptor],
-}
-
-PayloadConfig = {
- 1: tstr ; Path to the binary file where payload execution starts
-}
-
-; Describes a unit of code (e.g. an APK or an APEX) present inside the VM.
-;
-; For an APK, the fields are as follows:
-; - Component name: The string "apk:" followed by the package name.
-; - Security version: The long version code from the APK manifest
-; (https://developer.android.com/reference/android/content/pm/PackageInfo#getLongVersionCode()).
-; - Code hash: This is the root hash of a Merkle tree computed over all bytes of the APK, as used
-; in the APK Signature Scheme v4 (https://source.android.com/docs/security/features/apksigning/v4)
-; with empty salt and using SHA-256 as the hash algorithm.
-; - Authority hash: The SHA-512 hash of the DER representation of the X.509 certificate for the
-; public key used to sign the APK.
-;
-; For an APEX, they are as follows:
-; - Component name: The string "apex:" followed by the APEX name as specified in the APEX Manifest
-; (see https://source.android.com/docs/core/ota/apex).
-; - Security version: The version number from the APEX Manifest.
-; - Code hash: The root hash of the apex_payload.img file within the APEX, taken from the first
-; hashtree descriptor in the VBMeta image
-; (see https://android.googlesource.com/platform/external/avb/+/master/README.md).
-; - Authority hash: The SHA-512 hash of the public key used to sign the file system image in the
-; APEX (as stored in the apex_pubkey file). The format is as described for AvbRSAPublicKeyHeader
-; in https://cs.android.com/android/platform/superproject/main/+/main:external/avb/libavb/avb_crypto.h.
-SubcomponentDescriptor = {
- 1: tstr, ; Component name
- 2: uint, ; Security version
- 3: bstr, ; Code hash
- 4: bstr, ; Authority hash
-}
diff --git a/microdroid_manager/src/vm_secret.rs b/microdroid_manager/src/vm_secret.rs
index ec40b45..693bf76 100644
--- a/microdroid_manager/src/vm_secret.rs
+++ b/microdroid_manager/src/vm_secret.rs
@@ -170,7 +170,7 @@
// rollback protection of pvmfw. Such components may chose to not put SECURITY_VERSION in the
// corresponding DiceChainEntry.
// 4. For each Subcomponent on the last DiceChainEntry (which corresponds to VM payload, See
-// microdroid_manager/src/vm_config.cddl):
+// dice_for_avf_guest.cddl):
// - GreaterOrEqual on SECURITY_VERSION (Required)
// - ExactMatch on AUTHORITY_HASH (Required).
fn sealing_policy(dice: &[u8]) -> Result<Vec<u8>, String> {