Microdroid: Map a dm-crypt dev on (virtio-blk)disk
1. microdroid_manager, on seeing a (named) block device dedicated for
storage, will run encryptedstore binary.
2. The key derived for the encryption will be derived from the dice
using the CDIs of *payload* as hashes.
3. encryptedstore binary will create the dm-crypt device using the
libdm_rust library.
Note: The salt used for the key is deterministic but I randomly got from
/dev/urandom. This ensures the key & payload secret are different.
Test: Run bin/vm run-app using --storage & --storage-size flag
Test: Write into the crypt device & check persistence by running another
VM with same instance image.
Bug: 241541860
Change-Id: I11d00343a040935dd90a232fe7c5ab4e06b6d145
diff --git a/microdroid_manager/src/dice.rs b/microdroid_manager/src/dice.rs
index 3881db3..499835f 100644
--- a/microdroid_manager/src/dice.rs
+++ b/microdroid_manager/src/dice.rs
@@ -38,6 +38,16 @@
pub bcc: Vec<u8>,
}
+impl DiceContext {
+ pub fn get_sealing_key(&self, salt: &[u8], identifier: &[u8], keysize: u32) -> Result<ZVec> {
+ // Deterministically derive a key to use for sealing data based on salt. Use different salt
+ // for different keys.
+ let mut key = ZVec::new(keysize as usize)?;
+ hkdf(&mut key, Md::sha256(), &self.cdi_seal, salt, identifier)?;
+ Ok(key)
+ }
+}
+
/// Artifacts that are mapped into the process address space from the driver.
pub enum DiceDriver<'a> {
Real {