[dice] Pass DICE data to process_request API in service VM
Bug: 287233786
Test: atest rialto_test
Change-Id: I673195a0fd42d8518d5dc4ab28f4112e6f688aea
diff --git a/rialto/Android.bp b/rialto/Android.bp
index 1df18f6..05775c2 100644
--- a/rialto/Android.bp
+++ b/rialto/Android.bp
@@ -12,6 +12,7 @@
"libciborium_io_nostd",
"libciborium_nostd",
"libdiced_open_dice_nostd",
+ "libdiced_sample_inputs_nostd",
"libhyp",
"libfdtpci",
"liblibfdt",
diff --git a/rialto/src/main.rs b/rialto/src/main.rs
index 7b5cf81..8b73130 100644
--- a/rialto/src/main.rs
+++ b/rialto/src/main.rs
@@ -28,10 +28,11 @@
use crate::communication::VsockStream;
use crate::error::{Error, Result};
use crate::fdt::read_dice_range_from;
+use alloc::boxed::Box;
use ciborium_io::Write;
use core::num::NonZeroUsize;
use core::slice;
-use diced_open_dice::bcc_handover_parse;
+use diced_open_dice::{bcc_handover_parse, DiceArtifacts};
use fdtpci::PciInfo;
use hyp::{get_mem_sharer, get_mmio_guard};
use libfdt::FdtError;
@@ -133,7 +134,7 @@
e
})?;
}
- let _bcc_handover = match vm_type() {
+ let bcc_handover: Box<dyn DiceArtifacts> = match vm_type() {
VmType::ProtectedVm => {
let dice_range = read_dice_range_from(fdt)?;
info!("DICE range: {dice_range:#x?}");
@@ -150,12 +151,13 @@
let dice_start = dice_range.start as *const u8;
// SAFETY: There's no memory overlap and the region is mapped as read-only data.
let bcc_handover = unsafe { slice::from_raw_parts(dice_start, dice_range.len()) };
- let bcc_handover = bcc_handover_parse(bcc_handover)?;
- Some(bcc_handover)
+ Box::new(bcc_handover_parse(bcc_handover)?)
}
- // Currently, no DICE data is retrieved for non-protected VMs, as these VMs are solely
- // intended for debugging purposes.
- VmType::NonProtectedVm => None,
+ // Currently, a sample DICE data is used for non-protected VMs, as these VMs only run
+ // in tests at the moment.
+ // If we intend to run non-protected rialto in production, we should retrieve real
+ // DICE chain data instead.
+ VmType::NonProtectedVm => Box::new(diced_sample_inputs::make_sample_bcc_and_cdis()?),
};
let pci_info = PciInfo::from_fdt(fdt)?;
@@ -167,9 +169,8 @@
debug!("Found socket device: guest cid = {:?}", socket_device.guest_cid());
let mut vsock_stream = VsockStream::new(socket_device, host_addr())?;
- // TODO(b/287233786): Pass the bcc_handover to process_request.
while let ServiceVmRequest::Process(req) = vsock_stream.read_request()? {
- let response = requests::process_request(req)?;
+ let response = requests::process_request(req, bcc_handover.as_ref())?;
vsock_stream.write_response(&response)?;
vsock_stream.flush()?;
}
diff --git a/rialto/src/requests/api.rs b/rialto/src/requests/api.rs
index 5ea0106..59a7aed 100644
--- a/rialto/src/requests/api.rs
+++ b/rialto/src/requests/api.rs
@@ -17,18 +17,21 @@
use super::rkp;
use crate::error::Result;
use alloc::vec::Vec;
+use diced_open_dice::DiceArtifacts;
use service_vm_comm::{Request, Response};
/// Processes a request and returns the corresponding response.
/// This function serves as the entry point for the request processing
/// module.
-pub fn process_request(request: Request) -> Result<Response> {
+pub fn process_request(request: Request, dice_artifacts: &dyn DiceArtifacts) -> Result<Response> {
let response = match request {
Request::Reverse(v) => Response::Reverse(reverse(v)),
- Request::GenerateEcdsaP256KeyPair => rkp::generate_ecdsa_p256_key_pair()
+ Request::GenerateEcdsaP256KeyPair => rkp::generate_ecdsa_p256_key_pair(dice_artifacts)
.map_or_else(Response::Err, Response::GenerateEcdsaP256KeyPair),
- Request::GenerateCertificateRequest(p) => rkp::generate_certificate_request(p)
- .map_or_else(Response::Err, Response::GenerateCertificateRequest),
+ Request::GenerateCertificateRequest(p) => {
+ rkp::generate_certificate_request(p, dice_artifacts)
+ .map_or_else(Response::Err, Response::GenerateCertificateRequest)
+ }
};
Ok(response)
}
diff --git a/rialto/src/requests/rkp.rs b/rialto/src/requests/rkp.rs
index d74bb43..a73b9f4 100644
--- a/rialto/src/requests/rkp.rs
+++ b/rialto/src/requests/rkp.rs
@@ -17,11 +17,14 @@
use alloc::vec::Vec;
use core::result;
+use diced_open_dice::DiceArtifacts;
use service_vm_comm::{EcdsaP256KeyPair, GenerateCertificateRequestParams, RequestProcessingError};
type Result<T> = result::Result<T, RequestProcessingError>;
-pub(super) fn generate_ecdsa_p256_key_pair() -> Result<EcdsaP256KeyPair> {
+pub(super) fn generate_ecdsa_p256_key_pair(
+ _dice_artifacts: &dyn DiceArtifacts,
+) -> Result<EcdsaP256KeyPair> {
// TODO(b/299055662): Generate the key pair.
let key_pair = EcdsaP256KeyPair { maced_public_key: Vec::new(), key_blob: Vec::new() };
Ok(key_pair)
@@ -29,6 +32,7 @@
pub(super) fn generate_certificate_request(
_params: GenerateCertificateRequestParams,
+ _dice_artifacts: &dyn DiceArtifacts,
) -> Result<Vec<u8>> {
// TODO(b/299256925): Generate the certificate request
Ok(Vec::new())