Merge "Move aosp vm attestation tests to avf-presubmit" into main
diff --git a/docs/vm_remote_attestation.md b/docs/vm_remote_attestation.md
index ddb7adf..835dcac 100644
--- a/docs/vm_remote_attestation.md
+++ b/docs/vm_remote_attestation.md
@@ -37,7 +37,17 @@
Additionally, the RKP VM is validated by the pVM Firmware, as part of the
verified boot process.
+During the validation process, the RKP server compares the root public key of the
+DICE chain with the ones registered in the RKP database. Additionally, the server
+examines the presence of the [RKP VM marker][rkpvm-marker] within the DICE
+certificates to determine the origin of the chain, confirming that it indeed
+originates from the RKP VM. For more detailed information about the RKP VM
+DICE chain validation, please refer to the [Remote Provisioning HAL][rkp-hal]
+spec.
+
[open-dice]: https://android.googlesource.com/platform/external/open-dice/+/main/docs/android.md
+[rkpvm-marker]: https://android.googlesource.com/platform/external/open-dice/+/main/docs/android.md#Configuration-descriptor
+[rkp-hal]: https://android.googlesource.com/platform/hardware/interfaces/+/main/security/rkp/README.md
### pVM attestation
diff --git a/rialto/src/main.rs b/rialto/src/main.rs
index 025edff..11e67cb 100644
--- a/rialto/src/main.rs
+++ b/rialto/src/main.rs
@@ -234,4 +234,4 @@
}
main!(main);
-configure_heap!(SIZE_128KB);
+configure_heap!(SIZE_128KB * 2);
diff --git a/service_vm/requests/src/rkp.rs b/service_vm/requests/src/rkp.rs
index 08ee08e..cdbd60e 100644
--- a/service_vm/requests/src/rkp.rs
+++ b/service_vm/requests/src/rkp.rs
@@ -28,7 +28,7 @@
use core::result;
use coset::{iana, AsCborValue, CoseSign1, CoseSign1Builder, HeaderBuilder};
use diced_open_dice::{derive_cdi_leaf_priv, kdf, sign, DiceArtifacts, PrivateKey};
-use log::error;
+use log::{debug, error};
use service_vm_comm::{EcdsaP256KeyPair, GenerateCertificateRequestParams, RequestProcessingError};
use zeroize::Zeroizing;
@@ -78,6 +78,8 @@
let public_key = validate_public_key(&key_to_sign, hmac_key.as_ref())?;
public_keys.push(public_key.to_cbor_value()?);
}
+ debug!("Successfully validated all '{}' public keys.", public_keys.len());
+
// Builds `CsrPayload`.
let csr_payload = cbor!([
Value::Integer(CSR_PAYLOAD_SCHEMA_V3.into()),
@@ -91,6 +93,7 @@
let signed_data_payload =
cbor!([Value::Bytes(params.challenge.to_vec()), Value::Bytes(csr_payload)])?;
let signed_data = build_signed_data(&signed_data_payload, dice_artifacts)?.to_cbor_value()?;
+ debug!("Successfully signed the CSR payload.");
// Builds `AuthenticatedRequest<CsrPayload>`.
// Currently `UdsCerts` is left empty because it is only needed for Samsung devices.
@@ -104,6 +107,7 @@
dice_cert_chain,
signed_data,
])?;
+ debug!("Successfully built the CBOR authenticated request.");
Ok(cbor_util::serialize(&auth_req)?)
}