[attestation] Validate vendor module loaded by client VM in RKP VM
This CL adds the following tasks to the RKP VM:
- Parse a client VM DICE chain containing an additional vendor
module entry.
- Validate the code hash in the vendor module DICE entry against
the code hash read from the device tree.
The CL also adds a CTS test that triggers VM attestation from
a VM with a vendor module.
Bug: 330678211
Test: atest MicrodroidTests
Change-Id: Id56c6edd8baa32bae6a8ad7b5bca7b18ce167022
diff --git a/service_vm/requests/src/api.rs b/service_vm/requests/src/api.rs
index 315d2af..9eca20f 100644
--- a/service_vm/requests/src/api.rs
+++ b/service_vm/requests/src/api.rs
@@ -21,22 +21,38 @@
use service_vm_comm::{Request, Response};
/// Processes a request and returns the corresponding response.
-/// This function serves as the entry point for the request processing
-/// module.
-pub fn process_request(request: Request, dice_artifacts: &dyn DiceArtifacts) -> Response {
+/// This function serves as the entry point for the request processing module.
+pub fn process_request(request: Request, context: &RequestContext) -> Response {
match request {
Request::Reverse(v) => Response::Reverse(reverse(v)),
- Request::GenerateEcdsaP256KeyPair => rkp::generate_ecdsa_p256_key_pair(dice_artifacts)
- .map_or_else(Response::Err, Response::GenerateEcdsaP256KeyPair),
+ Request::GenerateEcdsaP256KeyPair => {
+ rkp::generate_ecdsa_p256_key_pair(context.dice_artifacts)
+ .map_or_else(Response::Err, Response::GenerateEcdsaP256KeyPair)
+ }
Request::GenerateCertificateRequest(p) => {
- rkp::generate_certificate_request(p, dice_artifacts)
+ rkp::generate_certificate_request(p, context.dice_artifacts)
.map_or_else(Response::Err, Response::GenerateCertificateRequest)
}
- Request::RequestClientVmAttestation(p) => client_vm::request_attestation(p, dice_artifacts)
- .map_or_else(Response::Err, Response::RequestClientVmAttestation),
+ Request::RequestClientVmAttestation(p) => client_vm::request_attestation(
+ p,
+ context.dice_artifacts,
+ context.vendor_hashtree_root_digest,
+ )
+ .map_or_else(Response::Err, Response::RequestClientVmAttestation),
}
}
+/// The context for the request processing.
+///
+/// This struct contains the reference data used during the request processing.
+pub struct RequestContext<'a> {
+ /// The reference DICE artifacts.
+ pub dice_artifacts: &'a dyn DiceArtifacts,
+
+ /// The reference hash tree root digest of the vendor partition if exists.
+ pub vendor_hashtree_root_digest: Option<&'a [u8]>,
+}
+
fn reverse(payload: Vec<u8>) -> Vec<u8> {
payload.into_iter().rev().collect()
}