[client-vm] Build client VM CSR and sign the CSR with two keys
This cl builds the CSR that a client VM sends to the RKP VM for
remote attestation and adjusted the API accordingly as discussed
in the doc go/pvm-remote-attestation
The CSR payload is signed with both the CDI_Leaf_Priv of the
client VM's DICE chain and the attestation key. RKP VM should
verify the signature later with the CDI_Leaf_Pub extracted
from the same DICE chain in the CSR and the attestation public
key.
The new unit tests are added to config at cl/577763874.
Bug: 303807447
Test: run ServiceVmClientTestApp
Test: atest libservice_vm_comm.test
Test: atest microdroid_manager_test
Change-Id: Ic2c09e7339d9981edda028e2694fa551c911a274
diff --git a/vm_payload/Android.bp b/vm_payload/Android.bp
index b5322a8..7f2b9df 100644
--- a/vm_payload/Android.bp
+++ b/vm_payload/Android.bp
@@ -19,11 +19,26 @@
"liblazy_static",
"liblibc",
"liblog_rust",
+ "libopenssl",
"librpcbinder_rs",
+ "libvm_payload_status_bindgen",
"libvsock",
],
}
+rust_bindgen {
+ name: "libvm_payload_status_bindgen",
+ wrapper_src: "include/vm_payload.h",
+ crate_name: "vm_payload_status_bindgen",
+ defaults: ["avf_build_flags_rust"],
+ source_stem: "bindings",
+ bindgen_flags: [
+ "--default-enum-style rust",
+ "--allowlist-type=attestation_status_t",
+ ],
+ visibility: [":__subpackages__"],
+}
+
// Rust wrappers round the C API for Rust clients.
// (Yes, this involves going Rust -> C -> Rust.)
rust_bindgen {
@@ -33,6 +48,9 @@
defaults: ["avf_build_flags_rust"],
source_stem: "bindings",
apex_available: ["com.android.compos"],
+ bindgen_flags: [
+ "--default-enum-style rust",
+ ],
visibility: [
"//packages/modules/Virtualization/compos",
"//packages/modules/Virtualization/service_vm/test_apk",
@@ -49,6 +67,7 @@
"libbinder_ndk",
"libbinder_rpc_unstable",
"liblog",
+ "libcrypto",
],
whole_static_libs: ["libvm_payload_impl"],
export_static_lib_headers: ["libvm_payload_impl"],