[pvmfw] Use hkdf from libbssl instead of bssl bindgen

With this cl, the size of pvmfw.bin increases from
497792 bytes to 497952 bytes.

Test: m pvmfw_bin
Bug: 301068421
Change-Id: Ia5149d2609a33013bee0aa8856f460d07de27ed4
diff --git a/pvmfw/src/instance.rs b/pvmfw/src/instance.rs
index f2b34da..75bc3d3 100644
--- a/pvmfw/src/instance.rs
+++ b/pvmfw/src/instance.rs
@@ -15,12 +15,12 @@
 //! Support for reading and writing to the instance.img.
 
 use crate::crypto;
-use crate::crypto::hkdf_sh512;
 use crate::crypto::AeadCtx;
 use crate::dice::PartialInputs;
 use crate::gpt;
 use crate::gpt::Partition;
 use crate::gpt::Partitions;
+use bssl_avf::{self, hkdf, Digester};
 use core::fmt;
 use core::mem::size_of;
 use diced_open_dice::DiceMode;
@@ -63,6 +63,8 @@
     UnsupportedEntrySize(usize),
     /// Failed to create VirtIO Block device.
     VirtIOBlkCreationFailed(virtio_drivers::Error),
+    /// An error happened during the interaction with BoringSSL.
+    BoringSslFailed(bssl_avf::Error),
 }
 
 impl fmt::Display for Error {
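Review bot: The doc comment on `BoringSslFailed` does not say which operation failed, and in this diff the only producer is the HKDF call in `get_or_generate_instance_salt`, while AEAD setup and open/seal failures still map to `FailedOpen`/`FailedSeal`. Someone triaging a boot failure from the log could read the variant as covering every BoringSSL use in this file. I would narrow the comment to something like `/// Key derivation through bssl_avf (HKDF) failed.` and word the `Display` arm added in the next hunk the same way, or rename the variant if it is meant to become a catch-all. The enum definition starts above this hunk.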
@@ -95,10 +97,19 @@
             Self::VirtIOBlkCreationFailed(e) => {
                 write!(f, "Failed to create VirtIO Block device: {e}")
             }
+            Self::BoringSslFailed(e) => {
+                write!(f, "An error happened during the interaction with BoringSSL: {e}")
+            }
         }
     }
 }
 
+impl From<bssl_avf::Error> for Error {
+    fn from(e: bssl_avf::Error) -> Self {
+        Self::BoringSslFailed(e)
+    }
+}
+
 pub type Result<T> = core::result::Result<T, Error>;
 
 pub fn get_or_generate_instance_salt(
@@ -111,7 +122,7 @@
     let entry = locate_entry(&mut instance_img)?;
     trace!("Found pvmfw instance.img entry: {entry:?}");
 
-    let key = hkdf_sh512::<32>(secret, /*salt=*/ &[], b"vm-instance");
+    let key = hkdf::<32>(secret, /* salt= */ &[], b"vm-instance", Digester::sha512())?;
     let mut blk = [0; BLK_SIZE];
     match entry {
         PvmfwEntry::Existing { header_index, payload_size } => {
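Review bot: The 32-byte value bound on the added `let key = hkdf::<32>(...)?;` line is the AES-256-GCM key for the instance.img entry, and nothing in the hunk shows whether `hkdf` returns a wrapper that is wiped on drop or a bare array that stays on the stack until overwritten. That is worth confirming against bssl_avf and recording next to the call, for example `// Secret AEAD key derived from `secret`; NOTE(review): confirm hkdf's return type zeroizes on drop.`. Separately, a derivation failure now returns `BoringSslFailed` before the `match`, where it used to surface as `FailedOpen` or `FailedSeal` inside the branch, so any caller that distinguishes those variants (none is visible here) should be checked. The function body starts and ends outside the hunk.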
@@ -124,7 +135,6 @@
 
             let payload = &blk[..payload_size];
             let mut entry = [0; size_of::<EntryBody>()];
-            let key = key.map_err(Error::FailedOpen)?;
             let aead = AeadCtx::new_aes_256_gcm_randnonce(&key).map_err(Error::FailedOpen)?;
             let decrypted = aead.open(&mut entry, payload).map_err(Error::FailedOpen)?;
 
@@ -143,7 +153,6 @@
             let salt = rand::random_array().map_err(Error::FailedSaltGeneration)?;
             let body = EntryBody::new(dice_inputs, &salt);
 
-            let key = key.map_err(Error::FailedSeal)?;
             let aead = AeadCtx::new_aes_256_gcm_randnonce(&key).map_err(Error::FailedSeal)?;
             // We currently only support single-blk entries.
             let plaintext = body.as_bytes();