Revert "pVM to use Secretkeeper protected secrets"
Revert submission 2705357-sk_vm
Reason for revert: DroidMonitor-triggered revert due to breakage https://android-build.corp.google.com/builds/quarterdeck?branch=git_aosp-main-with-phones&target=aosp_oriole-trunk_staging-userdebug&lkgb=11221468&lkbb=11221626&fkbb=11221480
Reverted changes: /q/submissionid:2705357-sk_vm
Bug: 316391577
Change-Id: I8ba23154f91edd3bd239b8eb3a1240adbcb452ff
diff --git a/virtualizationmanager/Android.bp b/virtualizationmanager/Android.bp
index 88e9c70..33897b2 100644
--- a/virtualizationmanager/Android.bp
+++ b/virtualizationmanager/Android.bp
@@ -5,11 +5,7 @@
rust_defaults {
name: "virtualizationmanager_defaults",
crate_name: "virtualizationmanager",
- defaults: [
- "avf_build_flags_rust",
- "secretkeeper_use_latest_hal_aidl_rust",
- "authgraph_use_latest_hal_aidl_rust",
- ],
+ defaults: ["avf_build_flags_rust"],
edition: "2021",
// Only build on targets which crosvm builds on.
enabled: false,
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index f7ea21f..7f98fe8 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -52,13 +52,6 @@
use android_system_virtualmachineservice::aidl::android::system::virtualmachineservice::IVirtualMachineService::{
BnVirtualMachineService, IVirtualMachineService,
};
-use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::ISecretkeeper::{BnSecretkeeper, ISecretkeeper};
-use android_hardware_security_authgraph::aidl::android::hardware::security::authgraph::{
- Arc::Arc as AuthgraphArc, IAuthGraphKeyExchange::IAuthGraphKeyExchange,
- IAuthGraphKeyExchange::BnAuthGraphKeyExchange, Identity::Identity, KeInitResult::KeInitResult,
- Key::Key, PubKey::PubKey, SessionIdSignature::SessionIdSignature, SessionInfo::SessionInfo,
- SessionInitiationInfo::SessionInitiationInfo,
-};
use anyhow::{anyhow, bail, Context, Result};
use apkverify::{HashAlgorithm, V4Signature};
use avflog::LogResult;
@@ -109,10 +102,6 @@
const MICRODROID_OS_NAME: &str = "microdroid";
-// TODO(b/291213394): Use 'default' instance for secretkeeper instead of 'nonsecure'
-const SECRETKEEPER_IDENTIFIER: &str =
- "android.hardware.security.secretkeeper.ISecretkeeper/nonsecure";
-
const UNFORMATTED_STORAGE_MAGIC: &str = "UNFORMATTED-STORAGE";
/// Roughly estimated sufficient size for storing vendor public key into DTBO.
@@ -1381,20 +1370,6 @@
}
}
- fn getSecretkeeper(&self) -> binder::Result<Option<Strong<dyn ISecretkeeper>>> {
- let sk = match binder::get_interface(SECRETKEEPER_IDENTIFIER) {
- Ok(sk) => {
- Some(BnSecretkeeper::new_binder(SecretkeeperProxy(sk), BinderFeatures::default()))
- }
- Err(StatusCode::NAME_NOT_FOUND) => None,
- Err(e) => {
- error!("unexpected error while fetching connection to Secretkeeper {:?}", e);
- return Err(e.into());
- }
- };
- Ok(sk)
- }
-
fn requestAttestation(&self, csr: &[u8]) -> binder::Result<Vec<Certificate>> {
GLOBAL_SERVICE.requestAttestation(csr, get_calling_uid() as i32)
}
@@ -1579,59 +1554,3 @@
Ok(())
}
}
-
-struct SecretkeeperProxy(Strong<dyn ISecretkeeper>);
-
-impl Interface for SecretkeeperProxy {}
-
-impl ISecretkeeper for SecretkeeperProxy {
- fn processSecretManagementRequest(&self, req: &[u8]) -> binder::Result<Vec<u8>> {
- // Pass the request to the channel, and read the response.
- self.0.processSecretManagementRequest(req)
- }
-
- fn getAuthGraphKe(&self) -> binder::Result<Strong<dyn IAuthGraphKeyExchange>> {
- let ag = AuthGraphKeyExchangeProxy(self.0.getAuthGraphKe()?);
- Ok(BnAuthGraphKeyExchange::new_binder(ag, BinderFeatures::default()))
- }
-}
-
-struct AuthGraphKeyExchangeProxy(Strong<dyn IAuthGraphKeyExchange>);
-
-impl Interface for AuthGraphKeyExchangeProxy {}
-
-impl IAuthGraphKeyExchange for AuthGraphKeyExchangeProxy {
- fn create(&self) -> binder::Result<SessionInitiationInfo> {
- self.0.create()
- }
-
- fn init(
- &self,
- peer_pub_key: &PubKey,
- peer_id: &Identity,
- peer_nonce: &[u8],
- peer_version: i32,
- ) -> binder::Result<KeInitResult> {
- self.0.init(peer_pub_key, peer_id, peer_nonce, peer_version)
- }
-
- fn finish(
- &self,
- peer_pub_key: &PubKey,
- peer_id: &Identity,
- peer_signature: &SessionIdSignature,
- peer_nonce: &[u8],
- peer_version: i32,
- own_key: &Key,
- ) -> binder::Result<SessionInfo> {
- self.0.finish(peer_pub_key, peer_id, peer_signature, peer_nonce, peer_version, own_key)
- }
-
- fn authenticationComplete(
- &self,
- peer_signature: &SessionIdSignature,
- shared_keys: &[AuthgraphArc; 2],
- ) -> binder::Result<[AuthgraphArc; 2]> {
- self.0.authenticationComplete(peer_signature, shared_keys)
- }
-}