[dice] Migrate from DICE_COSE_KEY_ALG_VALUE to VM_KEY_ALGORITHM
The field DICE_COSE_KEY_ALG_VALUE has been removed with the
support of the multi-alg version of open-dice.
Going forward, VM_KEY_ALGORITHM will be used as the key
algorithm within different components in VMs.
Test: atest MicrodroidHostTests
Bug: 357008987
Change-Id: I273df743cf2f43a35b749c273e720a058bf7724c
diff --git a/libs/dice/open_dice/Android.bp b/libs/dice/open_dice/Android.bp
index d1129fb..b3cb651 100644
--- a/libs/dice/open_dice/Android.bp
+++ b/libs/dice/open_dice/Android.bp
@@ -14,6 +14,7 @@
name: "libdiced_open_dice_nostd",
defaults: ["libdiced_open_dice_defaults"],
rustlibs: [
+ "libcoset_nostd",
"libopen_dice_android_bindgen_nostd",
"libopen_dice_cbor_bindgen_nostd",
"libzeroize_nostd",
@@ -35,6 +36,7 @@
host_supported: true,
vendor_available: true,
rustlibs: [
+ "libcoset",
"libopen_dice_android_bindgen",
"libopen_dice_cbor_bindgen",
"libserde",
@@ -157,7 +159,6 @@
"--allowlist-var=DICE_PUBLIC_KEY_SIZE",
"--allowlist-var=DICE_PRIVATE_KEY_SIZE",
"--allowlist-var=DICE_SIGNATURE_SIZE",
- "--allowlist-var=DICE_COSE_KEY_ALG_VALUE",
],
}
diff --git a/libs/dice/open_dice/src/dice.rs b/libs/dice/open_dice/src/dice.rs
index e330e00..325a2b1 100644
--- a/libs/dice/open_dice/src/dice.rs
+++ b/libs/dice/open_dice/src/dice.rs
@@ -16,6 +16,7 @@
//! This module mirrors the content in open-dice/include/dice/dice.h
use crate::error::{check_result, Result};
+use coset::iana;
pub use open_dice_cbor_bindgen::DiceMode;
use open_dice_cbor_bindgen::{
DiceConfigType, DiceDeriveCdiCertificateId, DiceDeriveCdiPrivateKeySeed, DiceInputValues,
@@ -62,6 +63,37 @@
/// Array type of DICE ID.
pub type DiceId = [u8; ID_SIZE];
+/// Key algorithm used for DICE.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum KeyAlgorithm {
+ /// Ed25519.
+ Ed25519,
+ /// ECDSA using P-256 curve.
+ EcdsaP256,
+ /// ECDSA using P-384 curve.
+ EcdsaP384,
+}
+
+impl From<KeyAlgorithm> for iana::Algorithm {
+ fn from(alg: KeyAlgorithm) -> Self {
+ match alg {
+ KeyAlgorithm::Ed25519 => iana::Algorithm::EdDSA,
+ KeyAlgorithm::EcdsaP256 => iana::Algorithm::ES256,
+ KeyAlgorithm::EcdsaP384 => iana::Algorithm::ES384,
+ }
+ }
+}
+
+/// Key algorithm used within different components in VMs.
+///
+/// This algorithm serves two primary purposes:
+///
+/// * **pvmfw Handover:** In pvmfw, a vendor DICE chain, potentially using various algorithms, is
+/// transitioned to this specific algorithm.
+/// * **Post-Handover Consistency:** In components following pvmfw (e.g., the Microdroid OS), this
+/// algorithm is used consistently for both the authority and subject keys in DICE derivation.
+pub const VM_KEY_ALGORITHM: KeyAlgorithm = KeyAlgorithm::Ed25519;
+
/// A trait for types that represent Dice artifacts, which include:
///
/// - Attestation CDI
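Review bot: `VM_KEY_ALGORITHM` is fixed to `KeyAlgorithm::Ed25519` in Rust, while the constant it replaces came from the C library through bindgen, so nothing visible in this hunk keeps the algorithm advertised in COSE structures in step with the one the linked open-dice ops actually sign and verify with. If the two ever diverge, keys and signatures would be labelled with the wrong algorithm and DICE chain verification would fail or be attempted under the wrong scheme. I would state the invariant on the constant, e.g. `/// Must match the algorithm the linked open-dice ops use for keypair_from_seed/sign/verify; update both together.`, and back it with a test that signs through the library and verifies under `iana::Algorithm::from(VM_KEY_ALGORITHM)`. The `From<KeyAlgorithm>` impl also has no doc comment saying that it yields the COSE algorithm identifier for each variant.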
diff --git a/libs/dice/open_dice/src/lib.rs b/libs/dice/open_dice/src/lib.rs
index 085a2cd..16c2b96 100644
--- a/libs/dice/open_dice/src/lib.rs
+++ b/libs/dice/open_dice/src/lib.rs
@@ -36,14 +36,11 @@
};
pub use dice::{
derive_cdi_certificate_id, derive_cdi_private_key_seed, dice_main_flow, Cdi, CdiValues, Config,
- DiceArtifacts, DiceMode, Hash, Hidden, InlineConfig, InputValues, PrivateKey, PrivateKeySeed,
- PublicKey, Signature, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE, ID_SIZE, PRIVATE_KEY_SEED_SIZE,
+ DiceArtifacts, DiceMode, Hash, Hidden, InlineConfig, InputValues, KeyAlgorithm, PrivateKey,
+ PrivateKeySeed, PublicKey, Signature, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE, ID_SIZE,
+ PRIVATE_KEY_SEED_SIZE, VM_KEY_ALGORITHM,
};
pub use error::{DiceError, Result};
-// Currently, open-dice library only supports a single signing and verification algorithm.
-// The value of DICE_COSE_KEY_ALG_VALUE depends on the algorithm chosen by the underlying C
-// library at build time. Refer to b/342333212 for more information.
-pub use open_dice_cbor_bindgen::DICE_COSE_KEY_ALG_VALUE;
pub use ops::{
derive_cdi_leaf_priv, generate_certificate, hash, kdf, keypair_from_seed, sign, verify,
};