Get CompOS talking to diced

Create a module in compsvc to handle using DICE for signing. Initially
we just expose a method for returning our key's attestation
chain.

Add a method to composd, accessed via composd_cmd, to exercise this
functionality for testing purposes.

Bug: 214233409
Test: composd_cmd dice
Change-Id: I65ef19d0126862b800b6539ae1798b1a433085b8
diff --git a/compos/src/dice.rs b/compos/src/dice.rs
new file mode 100644
index 0000000..22a7ee2
--- /dev/null
+++ b/compos/src/dice.rs
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//! Handles the use of DICE as the source of our unique signing key via diced / IDiceNode.
+
+use android_security_dice::aidl::android::security::dice::IDiceNode::IDiceNode;
+use android_security_dice::binder::{wait_for_interface, Strong};
+use anyhow::{Context, Result};
+
+pub struct Dice {
+    node: Strong<dyn IDiceNode>,
+}
+
+impl Dice {
+    pub fn new() -> Result<Self> {
+        let dice_service = wait_for_interface::<dyn IDiceNode>("android.security.dice.IDiceNode")
+            .context("No IDiceNode service")?;
+        Ok(Self { node: dice_service })
+    }
+
+    pub fn get_boot_certificate_chain(&self) -> Result<Vec<u8>> {
+        let input_values = []; // Get our BCC, not a child's
+        let bcc = self
+            .node
+            .getAttestationChain(&input_values)
+            .context("Getting attestation chain failed")?;
+        Ok(bcc.data)
+    }
+}
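Review bot: `Dice`, `Dice::new` and `get_boot_certificate_chain` are public but carry no `///` docs, and the security-relevant contract of `get_boot_certificate_chain` is unstated: it returns `bcc.data` exactly as diced delivered it, with no parsing or validation in this module. I would add `/// Returns our own boot certificate chain as the raw bytes reported by diced; the chain is not validated here, so a verifier must check it against a root it trusts.` above that method. For `new`, something like `/// Connects to the diced IDiceNode service; may block while waiting for the service to be registered.` would warn callers about the wait that `wait_for_interface` implies. That behaviour is inferred from the call name, so it is worth confirming whether compsvc can stall at startup when diced is absent, and whether a bounded lookup would be preferable there.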