Get CompOS talking to diced
Create a module in compsvc to handle using DICE for signing. Initially
we just expose a method for returning our key's attestation
chain.
Add a method to composd, accessed via composd_cmd, to exercise this
functionality for testing purposes.
Bug: 214233409
Test: composd_cmd dice
Change-Id: I65ef19d0126862b800b6539ae1798b1a433085b8
diff --git a/compos/src/compsvc.rs b/compos/src/compsvc.rs
index 5a2c3ca..28bf5d9 100644
--- a/compos/src/compsvc.rs
+++ b/compos/src/compsvc.rs
@@ -28,6 +28,7 @@
use crate::compilation::{compile_cmd, odrefresh, CompilerOutput, OdrefreshContext};
use crate::compos_key_service::{CompOsKeyService, Signer};
+use crate::dice::Dice;
use crate::fsverity;
use authfs_aidl_interface::aidl::com::android::virt::fs::IAuthFsService::IAuthFsService;
use compos_aidl_interface::aidl::com::android::compos::{
@@ -79,6 +80,11 @@
Ok(self.key_service.new_signer(key))
}
}
+
+ fn get_boot_certificate_chain(&self) -> Result<Vec<u8>> {
+ let dice = Dice::new()?;
+ dice.get_boot_certificate_chain()
+ }
}
impl Interface for CompOsService {}
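Review bot: `Dice::new()` runs on every `get_boot_certificate_chain` request, and in `dice.rs` it goes through `wait_for_interface`, so a request made while diced is absent or not yet registered would block the serving thread, with no timeout visible in this patch. Consider resolving the node once and keeping it on the service, for example a `dice: Dice` field initialised where the service is constructed, so a missing diced is reported at startup rather than as a hung call. The enclosing `impl` block starts outside the hunk, so whether the constructor can return an error is not visible here.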
@@ -164,6 +170,10 @@
true
})
}
+
+ fn getBootCertificateChain(&self) -> BinderResult<Vec<u8>> {
+ to_binder_result(self.get_boot_certificate_chain())
+ }
}
fn get_authfs_service() -> BinderResult<Strong<dyn IAuthFsService>> {
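Review bot: `getBootCertificateChain` hands the chain to whichever client holds this binder, and nothing in the hunk records that the commit message intends it for testing. The chain is public-key material rather than a secret, but it presumably identifies this VM instance, so a comment such as `// Test-only for now: returns the public DICE chain, never CDI or key material.` would document the intended boundary. `to_binder_result` is defined outside the hunk; it is worth confirming that it does not forward the full anyhow context string to the caller.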
diff --git a/compos/src/compsvc_main.rs b/compos/src/compsvc_main.rs
index 9347905..b4e3128 100644
--- a/compos/src/compsvc_main.rs
+++ b/compos/src/compsvc_main.rs
@@ -20,6 +20,7 @@
mod compilation;
mod compos_key_service;
mod compsvc;
+mod dice;
mod fsverity;
use android_system_virtualmachineservice::{
diff --git a/compos/src/dice.rs b/compos/src/dice.rs
new file mode 100644
index 0000000..22a7ee2
--- /dev/null
+++ b/compos/src/dice.rs
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//! Handles the use of DICE as the source of our unique signing key via diced / IDiceNode.
+
+use android_security_dice::aidl::android::security::dice::IDiceNode::IDiceNode;
+use android_security_dice::binder::{wait_for_interface, Strong};
+use anyhow::{Context, Result};
+
+pub struct Dice {
+ node: Strong<dyn IDiceNode>,
+}
+
+impl Dice {
+ pub fn new() -> Result<Self> {
+ let dice_service = wait_for_interface::<dyn IDiceNode>("android.security.dice.IDiceNode")
+ .context("No IDiceNode service")?;
+ Ok(Self { node: dice_service })
+ }
+
+ pub fn get_boot_certificate_chain(&self) -> Result<Vec<u8>> {
+ let input_values = []; // Get our BCC, not a child's
+ let bcc = self
+ .node
+ .getAttestationChain(&input_values)
+ .context("Getting attestation chain failed")?;
+ Ok(bcc.data)
+ }
+}
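Review bot: `get_boot_certificate_chain` returns `bcc.data` without checking that diced actually produced a chain, so an empty vector would be passed on as if it were a valid attestation chain. Adding `anyhow::ensure!(!bcc.data.is_empty(), "diced returned an empty attestation chain");` before the `Ok` makes that failure explicit. The public `Dice` struct and both methods also have no `///` docs; one line each would help callers, stating that `new` blocks until the IDiceNode service is registered and that the returned bytes are this component's own chain rather than a child's. Consumers still have to verify the chain against a trusted root, since this module only fetches it.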