[attestation] Rename the client VM attestation API
As agreed in the doc go/pvm-remote-attestation.
Bug: 303807447
Test: m com.android.virt
Test: run ServiceVmClientApp
Change-Id: Ic954aa60d69e42773c04230af9319e660352d6a9
diff --git a/microdroid_manager/aidl/android/system/virtualization/payload/IVmPayloadService.aidl b/microdroid_manager/aidl/android/system/virtualization/payload/IVmPayloadService.aidl
index 50d437f..b9a7a64 100644
--- a/microdroid_manager/aidl/android/system/virtualization/payload/IVmPayloadService.aidl
+++ b/microdroid_manager/aidl/android/system/virtualization/payload/IVmPayloadService.aidl
@@ -69,11 +69,13 @@
byte[] getDiceAttestationCdi();
/**
- * Requests a certificate using the provided certificate signing request (CSR).
+ * Requests the remote attestation of the client VM.
*
- * TODO(b/271275206): Define the format of the CSR properly.
- * @param csr the certificate signing request.
+ * The challenge will be included in the certificate chain in the attestation result,
+ * serving as proof of the freshness of the result.
+ *
+ * @param challenge the maximum supported challenge size is 64 bytes.
* @return the X.509 encoded certificate.
*/
- byte[] requestCertificate(in byte[] csr);
+ byte[] requestAttestation(in byte[] challenge);
}
diff --git a/microdroid_manager/src/vm_payload_service.rs b/microdroid_manager/src/vm_payload_service.rs
index c611b11..5b5fb9e 100644
--- a/microdroid_manager/src/vm_payload_service.rs
+++ b/microdroid_manager/src/vm_payload_service.rs
@@ -66,9 +66,9 @@
Ok(self.secret.dice().cdi_attest().to_vec())
}
- fn requestCertificate(&self, csr: &[u8]) -> binder::Result<Vec<u8>> {
+ fn requestAttestation(&self, challenge: &[u8]) -> binder::Result<Vec<u8>> {
self.check_restricted_apis_allowed()?;
- self.virtual_machine_service.requestCertificate(csr)
+ self.virtual_machine_service.requestAttestation(challenge)
}
}
diff --git a/service_vm/client_apk/src/main.rs b/service_vm/client_apk/src/main.rs
index 08d4168..bd48dc3 100644
--- a/service_vm/client_apk/src/main.rs
+++ b/service_vm/client_apk/src/main.rs
@@ -17,7 +17,7 @@
use anyhow::Result;
use log::{error, info};
use std::{ffi::c_void, panic};
-use vm_payload_bindgen::AVmPayload_requestCertificate;
+use vm_payload_bindgen::AVmPayload_requestAttestation;
/// Entry point of the Service VM client.
#[allow(non_snake_case)]
@@ -40,25 +40,35 @@
fn try_main() -> Result<()> {
info!("Welcome to Service VM Client!");
- let csr = b"Hello from Service VM";
- info!("Sending: {:?}", csr);
- let certificate = request_certificate(csr);
+ // The data below is only a placeholder generated randomly with urandom
+ let challenge = &[
+ 0x6c, 0xad, 0x52, 0x50, 0x15, 0xe7, 0xf4, 0x1d, 0xa5, 0x60, 0x7e, 0xd2, 0x7d, 0xf1, 0x51,
+ 0x67, 0xc3, 0x3e, 0x73, 0x9b, 0x30, 0xbd, 0x04, 0x20, 0x2e, 0xde, 0x3b, 0x1d, 0xc8, 0x07,
+ 0x11, 0x7b,
+ ];
+ info!("Sending challenge: {:?}", challenge);
+ let certificate = request_attestation(challenge);
info!("Certificate: {:?}", certificate);
Ok(())
}
-fn request_certificate(csr: &[u8]) -> Vec<u8> {
+fn request_attestation(challenge: &[u8]) -> Vec<u8> {
// SAFETY: It is safe as we only request the size of the certificate in this call.
let certificate_size = unsafe {
- AVmPayload_requestCertificate(csr.as_ptr() as *const c_void, csr.len(), [].as_mut_ptr(), 0)
+ AVmPayload_requestAttestation(
+ challenge.as_ptr() as *const c_void,
+ challenge.len(),
+ [].as_mut_ptr(),
+ 0,
+ )
};
let mut certificate = vec![0u8; certificate_size];
// SAFETY: It is safe as we only write the data into the given buffer within the buffer
// size in this call.
unsafe {
- AVmPayload_requestCertificate(
- csr.as_ptr() as *const c_void,
- csr.len(),
+ AVmPayload_requestAttestation(
+ challenge.as_ptr() as *const c_void,
+ challenge.len(),
certificate.as_mut_ptr() as *mut c_void,
certificate.len(),
);
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index 5283ffe..da7dffe 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -1245,8 +1245,8 @@
}
}
- fn requestCertificate(&self, csr: &[u8]) -> binder::Result<Vec<u8>> {
- GLOBAL_SERVICE.requestCertificate(csr)
+ fn requestAttestation(&self, csr: &[u8]) -> binder::Result<Vec<u8>> {
+ GLOBAL_SERVICE.requestAttestation(csr)
}
}
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice_internal/IVirtualizationServiceInternal.aidl b/virtualizationservice/aidl/android/system/virtualizationservice_internal/IVirtualizationServiceInternal.aidl
index 172dc59..099a2c0 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice_internal/IVirtualizationServiceInternal.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice_internal/IVirtualizationServiceInternal.aidl
@@ -56,12 +56,13 @@
VirtualMachineDebugInfo[] debugListVms();
/**
- * Requests a certificate using the provided certificate signing request (CSR).
+ * Requests a certificate chain for the provided certificate signing request (CSR).
*
- * @param csr the certificate signing request.
- * @return the X.509 encoded certificate.
+ * @param csr The certificate signing request.
+ * @return A sequence of DER-encoded X.509 certificates that make up the attestation
+ * key's certificate chain. The attestation key is provided in the CSR.
*/
- byte[] requestCertificate(in byte[] csr);
+ byte[] requestAttestation(in byte[] csr);
/**
* Get a list of assignable devices.
diff --git a/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl b/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl
index 7b90714..87d3056 100644
--- a/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl
+++ b/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl
@@ -46,10 +46,11 @@
void notifyError(ErrorCode errorCode, in String message);
/**
- * Requests a certificate using the provided certificate signing request (CSR).
+ * Requests a certificate chain for the provided certificate signing request (CSR).
*
- * @param csr the certificate signing request.
- * @return the X.509 encoded certificate.
+ * @param csr The certificate signing request.
+ * @return A sequence of DER-encoded X.509 certificates that make up the attestation
+ * key's certificate chain. The attestation key is provided in the CSR.
*/
- byte[] requestCertificate(in byte[] csr);
+ byte[] requestAttestation(in byte[] csr);
}
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index a19ecd2..4daa0cf 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -16,7 +16,7 @@
use crate::{get_calling_pid, get_calling_uid};
use crate::atom::{forward_vm_booted_atom, forward_vm_creation_atom, forward_vm_exited_atom};
-use crate::rkpvm::request_certificate;
+use crate::rkpvm::request_attestation;
use android_os_permissions_aidl::aidl::android::os::IPermissionController;
use android_system_virtualizationservice::{
aidl::android::system::virtualizationservice::AssignableDevice::AssignableDevice,
@@ -158,19 +158,20 @@
Ok(cids)
}
- fn requestCertificate(&self, csr: &[u8]) -> binder::Result<Vec<u8>> {
+ fn requestAttestation(&self, csr: &[u8]) -> binder::Result<Vec<u8>> {
check_manage_access()?;
- info!("Received csr. Getting certificate...");
+ info!("Received csr. Requestting attestation...");
if cfg!(remote_attestation) {
- request_certificate(csr)
- .context("Failed to get certificate")
+ request_attestation(csr)
+ .context("Failed to request attestation")
.with_log()
.or_service_specific_exception(-1)
} else {
Err(Status::new_exception_str(
ExceptionCode::UNSUPPORTED_OPERATION,
Some(
- "requestCertificate is not supported with the remote_attestation feature disabled",
+ "requestAttestation is not supported with the remote_attestation feature \
+ disabled",
),
))
.with_log()
diff --git a/virtualizationservice/src/rkpvm.rs b/virtualizationservice/src/rkpvm.rs
index d6e87eb..443b280 100644
--- a/virtualizationservice/src/rkpvm.rs
+++ b/virtualizationservice/src/rkpvm.rs
@@ -21,7 +21,7 @@
use service_vm_comm::{GenerateCertificateRequestParams, Request, Response};
use service_vm_manager::ServiceVm;
-pub(crate) fn request_certificate(csr: &[u8]) -> Result<Vec<u8>> {
+pub(crate) fn request_attestation(csr: &[u8]) -> Result<Vec<u8>> {
let mut vm = ServiceVm::start()?;
// TODO(b/271275206): Send the correct request type with client VM's
diff --git a/vm_payload/include-restricted/vm_payload_restricted.h b/vm_payload/include-restricted/vm_payload_restricted.h
index 1e0c3cc..ee92366 100644
--- a/vm_payload/include-restricted/vm_payload_restricted.h
+++ b/vm_payload/include-restricted/vm_payload_restricted.h
@@ -56,16 +56,21 @@
size_t AVmPayload_getDiceAttestationCdi(void* _Nullable data, size_t size);
/**
- * Requests a certificate using the provided certificate signing request (CSR).
+ * Requests the remote attestation of the client VM.
*
- * \param csr A pointer to the CSR buffer.
- * \param csr_size The size of the CSR buffer.
+ * The challenge will be included in the certificate chain in the attestation result,
+ * serving as proof of the freshness of the result.
+ *
+ * \param challenge A pointer to the challenge buffer.
+ * \param challenge_size size of the challenge, the maximum supported challenge size is
+ * 64 bytes. An error will be returned if an invalid challenge is
+ * passed.
* \param buffer A pointer to the certificate buffer.
* \param size number of bytes that can be written to the certificate buffer.
*
* \return the total size of the certificate
*/
-size_t AVmPayload_requestCertificate(const void* _Nonnull csr, size_t csr_size,
+size_t AVmPayload_requestAttestation(const void* _Nonnull challenge, size_t challenge_size,
void* _Nullable buffer, size_t size)
__INTRODUCED_IN(__ANDROID_API_V__);
diff --git a/vm_payload/libvm_payload.map.txt b/vm_payload/libvm_payload.map.txt
index f0d867e..32dd33b 100644
--- a/vm_payload/libvm_payload.map.txt
+++ b/vm_payload/libvm_payload.map.txt
@@ -1,13 +1,13 @@
LIBVM_PAYLOAD {
global:
- AVmPayload_notifyPayloadReady; # systemapi
- AVmPayload_runVsockRpcServer; # systemapi
- AVmPayload_getVmInstanceSecret; # systemapi
- AVmPayload_getDiceAttestationChain; # systemapi
- AVmPayload_getDiceAttestationCdi; # systemapi
- AVmPayload_getApkContentsPath; # systemapi
- AVmPayload_getEncryptedStoragePath; # systemapi
- AVmPayload_requestCertificate; # systemapi introduced=35
+ AVmPayload_notifyPayloadReady; # systemapi introduced=UpsideDownCake
+ AVmPayload_runVsockRpcServer; # systemapi introduced=UpsideDownCake
+ AVmPayload_getVmInstanceSecret; # systemapi introduced=UpsideDownCake
+ AVmPayload_getDiceAttestationChain; # systemapi introduced=UpsideDownCake
+ AVmPayload_getDiceAttestationCdi; # systemapi introduced=UpsideDownCake
+ AVmPayload_getApkContentsPath; # systemapi introduced=UpsideDownCake
+ AVmPayload_getEncryptedStoragePath; # systemapi introduced=UpsideDownCake
+ AVmPayload_requestAttestation; # systemapi introduced=VanillaIceCream
local:
*;
};
diff --git a/vm_payload/src/api.rs b/vm_payload/src/api.rs
index 00d7299..93dbd1c 100644
--- a/vm_payload/src/api.rs
+++ b/vm_payload/src/api.rs
@@ -253,29 +253,31 @@
get_vm_payload_service()?.getDiceAttestationCdi().context("Cannot get attestation CDI")
}
-/// Requests a certificate using the provided certificate signing request (CSR).
-/// Panics on failure.
+/// Requests the remote attestation of the client VM.
+///
+/// The challenge will be included in the certificate chain in the attestation result,
+/// serving as proof of the freshness of the result.
///
/// # Safety
///
/// Behavior is undefined if any of the following conditions are violated:
///
-/// * `csr` must be [valid] for reads of `csr_size` bytes.
+/// * `challenge` must be [valid] for reads of `challenge_size` bytes.
/// * `buffer` must be [valid] for writes of `size` bytes. `buffer` can be null if `size` is 0.
///
/// [valid]: ptr#safety
#[no_mangle]
-pub unsafe extern "C" fn AVmPayload_requestCertificate(
- csr: *const u8,
- csr_size: usize,
+pub unsafe extern "C" fn AVmPayload_requestAttestation(
+ challenge: *const u8,
+ challenge_size: usize,
buffer: *mut u8,
size: usize,
) -> usize {
initialize_logging();
- // SAFETY: See the requirements on `csr` above.
- let csr = unsafe { std::slice::from_raw_parts(csr, csr_size) };
- let certificate = unwrap_or_abort(try_request_certificate(csr));
+ // SAFETY: See the requirements on `challenge` above.
+ let challenge = unsafe { std::slice::from_raw_parts(challenge, challenge_size) };
+ let certificate = unwrap_or_abort(try_request_attestation(challenge));
if size != 0 || buffer.is_null() {
// SAFETY: See the requirements on `buffer` above. The number of bytes copied doesn't exceed
@@ -292,10 +294,10 @@
certificate.len()
}
-fn try_request_certificate(csr: &[u8]) -> Result<Vec<u8>> {
+fn try_request_attestation(challenge: &[u8]) -> Result<Vec<u8>> {
let certificate = get_vm_payload_service()?
- .requestCertificate(csr)
- .context("Failed to request certificate")?;
+ .requestAttestation(challenge)
+ .context("Failed to request attestation")?;
Ok(certificate)
}