[attestation] Rename the client VM attestation API
As agreed in the doc go/pvm-remote-attestation.
Bug: 303807447
Test: m com.android.virt
Test: run ServiceVmClientApp
Change-Id: Ic954aa60d69e42773c04230af9319e660352d6a9
diff --git a/vm_payload/include-restricted/vm_payload_restricted.h b/vm_payload/include-restricted/vm_payload_restricted.h
index 1e0c3cc..ee92366 100644
--- a/vm_payload/include-restricted/vm_payload_restricted.h
+++ b/vm_payload/include-restricted/vm_payload_restricted.h
@@ -56,16 +56,21 @@
size_t AVmPayload_getDiceAttestationCdi(void* _Nullable data, size_t size);
/**
- * Requests a certificate using the provided certificate signing request (CSR).
+ * Requests the remote attestation of the client VM.
*
- * \param csr A pointer to the CSR buffer.
- * \param csr_size The size of the CSR buffer.
+ * The challenge will be included in the certificate chain in the attestation result,
+ * serving as proof of the freshness of the result.
+ *
+ * \param challenge A pointer to the challenge buffer.
+ * \param challenge_size size of the challenge, the maximum supported challenge size is
+ * 64 bytes. An error will be returned if an invalid challenge is
+ * passed.
* \param buffer A pointer to the certificate buffer.
* \param size number of bytes that can be written to the certificate buffer.
*
* \return the total size of the certificate
*/
-size_t AVmPayload_requestCertificate(const void* _Nonnull csr, size_t csr_size,
+size_t AVmPayload_requestAttestation(const void* _Nonnull challenge, size_t challenge_size,
void* _Nullable buffer, size_t size)
__INTRODUCED_IN(__ANDROID_API_V__);
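Review bot: The new `challenge_size` text promises that "An error will be returned if an invalid challenge is passed", but the function returns `size_t`, documented only as "the total size of the certificate", so a caller has no documented way to observe that error. The Rust implementation in vm_payload/src/api.rs in this same commit wraps the request in `unwrap_or_abort`, which suggests a rejected challenge terminates the payload rather than returning. If that is the behaviour, the comment should say so, for example `An invalid challenge (including one longer than 64 bytes) aborts the calling process.` The `\return` line could also state that the value is the full result length and may exceed `size`, which appears to be how the Rust side behaves (it returns `certificate.len()`).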
diff --git a/vm_payload/libvm_payload.map.txt b/vm_payload/libvm_payload.map.txt
index f0d867e..32dd33b 100644
--- a/vm_payload/libvm_payload.map.txt
+++ b/vm_payload/libvm_payload.map.txt
@@ -1,13 +1,13 @@
LIBVM_PAYLOAD {
global:
- AVmPayload_notifyPayloadReady; # systemapi
- AVmPayload_runVsockRpcServer; # systemapi
- AVmPayload_getVmInstanceSecret; # systemapi
- AVmPayload_getDiceAttestationChain; # systemapi
- AVmPayload_getDiceAttestationCdi; # systemapi
- AVmPayload_getApkContentsPath; # systemapi
- AVmPayload_getEncryptedStoragePath; # systemapi
- AVmPayload_requestCertificate; # systemapi introduced=35
+ AVmPayload_notifyPayloadReady; # systemapi introduced=UpsideDownCake
+ AVmPayload_runVsockRpcServer; # systemapi introduced=UpsideDownCake
+ AVmPayload_getVmInstanceSecret; # systemapi introduced=UpsideDownCake
+ AVmPayload_getDiceAttestationChain; # systemapi introduced=UpsideDownCake
+ AVmPayload_getDiceAttestationCdi; # systemapi introduced=UpsideDownCake
+ AVmPayload_getApkContentsPath; # systemapi introduced=UpsideDownCake
+ AVmPayload_getEncryptedStoragePath; # systemapi introduced=UpsideDownCake
+ AVmPayload_requestAttestation; # systemapi introduced=VanillaIceCream
local:
*;
};
diff --git a/vm_payload/src/api.rs b/vm_payload/src/api.rs
index 00d7299..93dbd1c 100644
--- a/vm_payload/src/api.rs
+++ b/vm_payload/src/api.rs
@@ -253,29 +253,31 @@
get_vm_payload_service()?.getDiceAttestationCdi().context("Cannot get attestation CDI")
}
-/// Requests a certificate using the provided certificate signing request (CSR).
-/// Panics on failure.
+/// Requests the remote attestation of the client VM.
+///
+/// The challenge will be included in the certificate chain in the attestation result,
+/// serving as proof of the freshness of the result.
///
/// # Safety
///
/// Behavior is undefined if any of the following conditions are violated:
///
-/// * `csr` must be [valid] for reads of `csr_size` bytes.
+/// * `challenge` must be [valid] for reads of `challenge_size` bytes.
/// * `buffer` must be [valid] for writes of `size` bytes. `buffer` can be null if `size` is 0.
///
/// [valid]: ptr#safety
#[no_mangle]
-pub unsafe extern "C" fn AVmPayload_requestCertificate(
- csr: *const u8,
- csr_size: usize,
+pub unsafe extern "C" fn AVmPayload_requestAttestation(
+ challenge: *const u8,
+ challenge_size: usize,
buffer: *mut u8,
size: usize,
) -> usize {
initialize_logging();
- // SAFETY: See the requirements on `csr` above.
- let csr = unsafe { std::slice::from_raw_parts(csr, csr_size) };
- let certificate = unwrap_or_abort(try_request_certificate(csr));
+ // SAFETY: See the requirements on `challenge` above.
+ let challenge = unsafe { std::slice::from_raw_parts(challenge, challenge_size) };
+ let certificate = unwrap_or_abort(try_request_attestation(challenge));
if size != 0 || buffer.is_null() {
// SAFETY: See the requirements on `buffer` above. The number of bytes copied doesn't exceed
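Review bot: The guard `if size != 0 || buffer.is_null()` on the unchanged line near the end of this hunk enters the copy branch in exactly the case the safety contract treats as having no writable buffer, namely `buffer` null with `size` 0. The copy itself lies outside the hunk, so this is inferred, but if `buffer` is handed to a raw pointer copy there, a null destination reaches it, and a null `buffer` with a non-zero `size` is not filtered out either. The condition presumably wants `if size != 0 && !buffer.is_null() {`. Separately, the rewritten doc comment drops "Panics on failure." while the body still calls `unwrap_or_abort`, so the failure behaviour is now undocumented; consider keeping a line such as `/// Aborts the process on failure.` if that is what the helper does.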
@@ -292,10 +294,10 @@
certificate.len()
}
-fn try_request_certificate(csr: &[u8]) -> Result<Vec<u8>> {
+fn try_request_attestation(challenge: &[u8]) -> Result<Vec<u8>> {
let certificate = get_vm_payload_service()?
- .requestCertificate(csr)
- .context("Failed to request certificate")?;
+ .requestAttestation(challenge)
+ .context("Failed to request attestation")?;
Ok(certificate)
}