Revert "[attestation] Validate client VM's Microdroid kernel in service VM"
This reverts commit 73e72268769c51a9dd0f62e85dc3288a9e7202e2.
Reason for revert: Checking if reverting this CL fixes build breakage http://b/315936000
Change-Id: I21c9d089b54d3d40f8b5077646351695850545cc
diff --git a/service_vm/fake_chain/Android.bp b/service_vm/fake_chain/Android.bp
index 2bc7b4e..ebc185d 100644
--- a/service_vm/fake_chain/Android.bp
+++ b/service_vm/fake_chain/Android.bp
@@ -24,7 +24,6 @@
visibility: [
"//packages/modules/Virtualization/rialto:__subpackages__",
],
- prefer_rlib: true,
rustlibs: [
"libcstr",
],
@@ -41,7 +40,6 @@
"libcoset",
"libdiced_open_dice",
"liblog_rust",
- "libmicrodroid_kernel_hashes",
],
}
diff --git a/service_vm/fake_chain/src/client_vm.rs b/service_vm/fake_chain/src/client_vm.rs
index 44ea898..eb8654b 100644
--- a/service_vm/fake_chain/src/client_vm.rs
+++ b/service_vm/fake_chain/src/client_vm.rs
@@ -24,16 +24,21 @@
use coset::CborSerializable;
use cstr::cstr;
use diced_open_dice::{
- hash, retry_bcc_format_config_descriptor, retry_bcc_main_flow, Config, DiceArtifacts,
+ retry_bcc_format_config_descriptor, retry_bcc_main_flow, Config, DiceArtifacts,
DiceConfigValues, DiceError, DiceMode, InputValues, OwnedDiceArtifacts, Result, HASH_SIZE,
HIDDEN_SIZE,
};
use log::error;
-use microdroid_kernel_hashes::{INITRD_DEBUG_HASH, KERNEL_HASH};
type CborResult<T> = result::Result<T, ciborium::value::Error>;
/// All the following data are generated with urandom.
+const CODE_HASH_KERNEL: [u8; HASH_SIZE] = [
+ 0xc8, 0x54, 0x6c, 0xad, 0x9d, 0xe7, 0x25, 0xc7, 0x2b, 0xed, 0x07, 0xe1, 0xe9, 0x1a, 0xb0, 0xd0,
+ 0xa7, 0x7f, 0x43, 0xb9, 0xe4, 0x56, 0x79, 0x0d, 0x7d, 0xd8, 0xc5, 0xdd, 0xad, 0x0d, 0x31, 0x85,
+ 0xaf, 0x94, 0x02, 0xd8, 0x9d, 0x70, 0xab, 0xba, 0xac, 0xc7, 0x12, 0x80, 0xec, 0x7b, 0x9b, 0x65,
+ 0xec, 0x6b, 0xdd, 0x64, 0x94, 0xd0, 0x9a, 0x3a, 0x09, 0xf2, 0x49, 0xdb, 0x60, 0x3c, 0x50, 0x30,
+];
const CODE_HASH_PAYLOAD: [u8; HASH_SIZE] = [
0x08, 0x78, 0xc2, 0x5b, 0xe7, 0xea, 0x3d, 0x62, 0x70, 0x22, 0xd9, 0x1c, 0x4f, 0x3c, 0x2e, 0x2f,
0x0f, 0x97, 0xa4, 0x6f, 0x6d, 0xd5, 0xe6, 0x4a, 0x6d, 0xbe, 0x34, 0x2e, 0x56, 0x04, 0xaf, 0xef,
@@ -106,7 +111,7 @@
// so the authority hash is the same.
let authority_hash = service_vm::AUTHORITY_HASH_SERVICE_VM;
let input_values = InputValues::new(
- kernel_code_hash()?,
+ CODE_HASH_KERNEL,
Config::Descriptor(config_descriptor.as_slice()),
authority_hash,
DiceMode::kDiceModeDebug,
@@ -174,8 +179,3 @@
},
]
}
-
-fn kernel_code_hash() -> Result<[u8; HASH_SIZE]> {
- let code_hash = [KERNEL_HASH, INITRD_DEBUG_HASH].concat();
- hash(&code_hash)
-}
diff --git a/service_vm/kernel/Android.bp b/service_vm/kernel/Android.bp
deleted file mode 100644
index 79158e6..0000000
--- a/service_vm/kernel/Android.bp
+++ /dev/null
@@ -1,31 +0,0 @@
-package {
- default_applicable_licenses: ["Android-Apache-2.0"],
-}
-
-python_binary_host {
- name: "extract_microdroid_kernel_hashes",
- srcs: ["extract_microdroid_kernel_hashes.py"],
-}
-
-genrule {
- name: "microdroid_kernel_hashes_rs",
- srcs: [":microdroid_kernel"],
- out: ["lib.rs"],
- tools: [
- "extract_microdroid_kernel_hashes",
- "avbtool",
- ],
- cmd: "$(location extract_microdroid_kernel_hashes) $(location avbtool) $(in) > $(out)",
-}
-
-rust_library_rlib {
- name: "libmicrodroid_kernel_hashes",
- srcs: [":microdroid_kernel_hashes_rs"],
- crate_name: "microdroid_kernel_hashes",
- prefer_rlib: true,
- no_stdlibs: true,
- stdlibs: [
- "libcompiler_builtins.rust_sysroot",
- "libcore.rust_sysroot",
- ],
-}
diff --git a/service_vm/kernel/extract_microdroid_kernel_hashes.py b/service_vm/kernel/extract_microdroid_kernel_hashes.py
deleted file mode 100644
index 538c787..0000000
--- a/service_vm/kernel/extract_microdroid_kernel_hashes.py
+++ /dev/null
@@ -1,62 +0,0 @@
-"""Extracts the following hashes from the AVB footer of Microdroid's kernel:
-
-- kernel hash
-- initrd_normal hash
-- initrd_debug hash
-
-The hashes are written to stdout as a Rust file.
-"""
-#!/usr/bin/env python3
-
-import sys
-import subprocess
-from typing import Dict
-
-PARTITION_NAME_BOOT = 'boot'
-PARTITION_NAME_INITRD_NORMAL = 'initrd_normal'
-PARTITION_NAME_INITRD_DEBUG = 'initrd_debug'
-
-def main(args):
- """Main function."""
- avbtool = args[0]
- kernel_image_path = args[1]
- hashes = collect_hashes(avbtool, kernel_image_path)
- assert hashes.keys() == {PARTITION_NAME_BOOT,
- PARTITION_NAME_INITRD_NORMAL,
- PARTITION_NAME_INITRD_DEBUG}, hashes.keys()
-
- print("//! This file is generated by extract_microdroid_kernel_hashes.py.")
- print("//! It contains the hashes of the kernel and initrds.\n")
- print("#![no_std]\n#![allow(missing_docs)]\n")
-
- print("pub const KERNEL_HASH: &[u8] = &["
- f"{format_hex_string(hashes[PARTITION_NAME_BOOT])}];\n")
- print("pub const INITRD_NORMAL_HASH: &[u8] = &["
- f"{format_hex_string(hashes[PARTITION_NAME_INITRD_NORMAL])}];\n")
- print("pub const INITRD_DEBUG_HASH: &[u8] = &["
- f"{format_hex_string(hashes[PARTITION_NAME_INITRD_DEBUG])}];\n")
-
-def collect_hashes(avbtool: str, kernel_image_path: str) -> Dict[str, str]:
- """Collects the hashes from the AVB footer of the kernel image."""
- hashes = {}
- with subprocess.Popen(
- [avbtool, 'print_partition_digests', '--image', kernel_image_path],
- stdout=subprocess.PIPE, stderr=subprocess.STDOUT) as proc:
- stdout, _ = proc.communicate()
- for line in stdout.decode("utf-8").split("\n"):
- line = line.replace(" ", "").split(":")
- if len(line) == 2:
- partition_name, hash_ = line
- hashes[partition_name] = hash_
- return hashes
-
-def format_hex_string(hex_string: str) -> str:
- """Formats a hex string into a Rust array."""
- assert len(hex_string) % 2 == 0, \
- "Hex string must have even length: " + hex_string
- return ", ".join(["\n0x" + hex_string[i:i+2] if i % 32 == 0
- else "0x" + hex_string[i:i+2]
- for i in range(0, len(hex_string), 2)])
-
-if __name__ == '__main__':
- main(sys.argv[1:])
diff --git a/service_vm/requests/Android.bp b/service_vm/requests/Android.bp
index 57da012..52b54b4 100644
--- a/service_vm/requests/Android.bp
+++ b/service_vm/requests/Android.bp
@@ -24,7 +24,6 @@
"libder_nostd",
"libdiced_open_dice_nostd",
"liblog_rust_nostd",
- "libmicrodroid_kernel_hashes",
"libserde_nostd",
"libservice_vm_comm_nostd",
"libspki_nostd",
diff --git a/service_vm/requests/src/client_vm.rs b/service_vm/requests/src/client_vm.rs
index 5b4735d..cfdac2d 100644
--- a/service_vm/requests/src/client_vm.rs
+++ b/service_vm/requests/src/client_vm.rs
@@ -16,20 +16,15 @@
//! client VM.
use crate::cert;
-use crate::dice::{
- validate_client_vm_dice_chain_prefix_match, ClientVmDiceChain, DiceChainEntryPayload,
-};
+use crate::dice::{validate_client_vm_dice_chain_prefix_match, ClientVmDiceChain};
use crate::keyblob::decrypt_private_key;
use alloc::vec::Vec;
-use bssl_avf::{rand_bytes, sha256, Digester, EcKey, PKey};
-use cbor_util::value_to_array;
-use ciborium::value::Value;
+use bssl_avf::{rand_bytes, sha256, EcKey, PKey};
use core::result;
-use coset::{AsCborValue, CborSerializable, CoseSign, CoseSign1};
+use coset::{CborSerializable, CoseSign};
use der::{Decode, Encode};
-use diced_open_dice::{DiceArtifacts, HASH_SIZE};
+use diced_open_dice::DiceArtifacts;
use log::error;
-use microdroid_kernel_hashes::{INITRD_DEBUG_HASH, INITRD_NORMAL_HASH, KERNEL_HASH};
use service_vm_comm::{ClientVmAttestationParams, Csr, CsrPayload, RequestProcessingError};
use x509_cert::{certificate::Certificate, name::Name};
@@ -52,22 +47,13 @@
// Validates the prefix of the Client VM DICE chain in the CSR.
let service_vm_dice_chain =
dice_artifacts.bcc().ok_or(RequestProcessingError::MissingDiceChain)?;
- let service_vm_dice_chain =
- value_to_array(Value::from_slice(service_vm_dice_chain)?, "service_vm_dice_chain")?;
let client_vm_dice_chain =
- value_to_array(Value::from_slice(&csr.dice_cert_chain)?, "client_vm_dice_chain")?;
- validate_client_vm_dice_chain_prefix_match(&client_vm_dice_chain, &service_vm_dice_chain)?;
+ validate_client_vm_dice_chain_prefix_match(&csr.dice_cert_chain, service_vm_dice_chain)?;
// Validates the signatures in the Client VM DICE chain and extracts the partially decoded
// DiceChainEntryPayloads.
let client_vm_dice_chain =
ClientVmDiceChain::validate_signatures_and_parse_dice_chain(client_vm_dice_chain)?;
- // The last entry in the service VM DICE chain describes the service VM, which should
- // be signed with the same key as the kernel image.
- let service_vm_entry = service_vm_dice_chain.last().unwrap();
- validate_kernel_authority_hash(client_vm_dice_chain.microdroid_kernel(), service_vm_entry)?;
- validate_kernel_code_hash(&client_vm_dice_chain)?;
-
// AAD is empty as defined in service_vm/comm/client_vm_csr.cddl.
let aad = &[];
@@ -135,60 +121,3 @@
let digest = sha256(message)?;
key.ecdsa_sign(&digest)
}
-
-/// Validates that the authority hash of the Microdroid kernel in the Client VM DICE chain
-/// matches the authority hash of the service VM entry in the service VM DICE chain, because
-/// the Microdroid kernel is signed with the same key as the one used for the service VM.
-fn validate_kernel_authority_hash(
- kernel: &DiceChainEntryPayload,
- service_vm_entry: &Value,
-) -> Result<()> {
- if expected_kernel_authority_hash(service_vm_entry)? == kernel.authority_hash {
- Ok(())
- } else {
- error!("The authority hash of the Microdroid kernel does not match the expected value");
- Err(RequestProcessingError::InvalidDiceChain)
- }
-}
-
-/// Validates that the kernel code hash in the Client VM DICE chain matches the code hashes
-/// embedded during the build time.
-fn validate_kernel_code_hash(dice_chain: &ClientVmDiceChain) -> Result<()> {
- let kernel = dice_chain.microdroid_kernel();
- if expected_kernel_code_hash_normal()? == kernel.code_hash {
- return Ok(());
- }
- if expected_kernel_code_hash_debug()? == kernel.code_hash {
- if dice_chain.all_entries_are_secure() {
- error!("The Microdroid kernel has debug initrd but the DICE chain is secure");
- return Err(RequestProcessingError::InvalidDiceChain);
- }
- return Ok(());
- }
- error!("The kernel code hash in the Client VM DICE chain does not match any expected values");
- Err(RequestProcessingError::InvalidDiceChain)
-}
-
-fn expected_kernel_code_hash_normal() -> bssl_avf::Result<Vec<u8>> {
- let mut code_hash = [0u8; 64];
- code_hash[0..32].copy_from_slice(KERNEL_HASH);
- code_hash[32..].copy_from_slice(INITRD_NORMAL_HASH);
- Digester::sha512().digest(&code_hash)
-}
-
-fn expected_kernel_code_hash_debug() -> bssl_avf::Result<Vec<u8>> {
- let mut code_hash = [0u8; 64];
- code_hash[0..32].copy_from_slice(KERNEL_HASH);
- code_hash[32..].copy_from_slice(INITRD_DEBUG_HASH);
- Digester::sha512().digest(&code_hash)
-}
-
-fn expected_kernel_authority_hash(service_vm_entry: &Value) -> Result<[u8; HASH_SIZE]> {
- let cose_sign1 = CoseSign1::from_cbor_value(service_vm_entry.clone())?;
- let payload = cose_sign1.payload.ok_or_else(|| {
- error!("No payload found in the service VM DICE chain entry");
- RequestProcessingError::InternalError
- })?;
- let service_vm = DiceChainEntryPayload::from_slice(&payload)?;
- Ok(service_vm.authority_hash)
-}
diff --git a/service_vm/requests/src/dice.rs b/service_vm/requests/src/dice.rs
index 8c804da..557b678 100644
--- a/service_vm/requests/src/dice.rs
+++ b/service_vm/requests/src/dice.rs
@@ -126,7 +126,7 @@
Ok(())
}
- pub(crate) fn microdroid_kernel(&self) -> &DiceChainEntryPayload {
+ fn microdroid_kernel(&self) -> &DiceChainEntryPayload {
&self.payloads[self.payloads.len() - 2]
}
@@ -147,11 +147,15 @@
/// Validates that the `client_vm_dice_chain` matches the `service_vm_dice_chain` up to the pvmfw
/// entry.
///
-/// Returns `Ok(())` if the verification succeeds.
+/// Returns a CBOR value array of the client VM's DICE chain if the verification succeeds.
pub(crate) fn validate_client_vm_dice_chain_prefix_match(
- client_vm_dice_chain: &[Value],
- service_vm_dice_chain: &[Value],
-) -> Result<()> {
+ client_vm_dice_chain: &[u8],
+ service_vm_dice_chain: &[u8],
+) -> Result<Vec<Value>> {
+ let client_vm_dice_chain =
+ value_to_array(Value::from_slice(client_vm_dice_chain)?, "client_vm_dice_chain")?;
+ let service_vm_dice_chain =
+ value_to_array(Value::from_slice(service_vm_dice_chain)?, "service_vm_dice_chain")?;
if service_vm_dice_chain.len() < 3 {
// The service VM's DICE chain must contain the root key and at least two other entries
// that describe:
@@ -176,7 +180,7 @@
);
return Err(RequestProcessingError::InvalidDiceChain);
}
- Ok(())
+ Ok(client_vm_dice_chain)
}
#[derive(Debug, Clone)]
@@ -204,8 +208,11 @@
#[allow(dead_code)]
subject_public_key: PublicKey,
mode: DiceMode,
- pub(crate) code_hash: [u8; HASH_SIZE],
- pub(crate) authority_hash: [u8; HASH_SIZE],
+ /// TODO(b/271275206): Verify Microdroid kernel authority and code hashes.
+ #[allow(dead_code)]
+ code_hash: [u8; HASH_SIZE],
+ #[allow(dead_code)]
+ authority_hash: [u8; HASH_SIZE],
config_descriptor: ConfigDescriptor,
}
@@ -223,42 +230,42 @@
error!("No payload found in the DICE chain entry");
RequestProcessingError::InvalidDiceChain
})?;
- Self::from_slice(&payload)
- }
-
- pub(crate) fn from_slice(data: &[u8]) -> Result<Self> {
- let entries = value_to_map(Value::from_slice(data)?, "DiceChainEntryPayload")?;
- let mut builder = PayloadBuilder::default();
- for (key, value) in entries.into_iter() {
- let key: i64 = value_to_num(key, "DiceChainEntryPayload key")?;
- match key {
- SUBJECT_PUBLIC_KEY => {
- let subject_public_key = value_to_bytes(value, "subject_public_key")?;
- let subject_public_key =
- CoseKey::from_slice(&subject_public_key)?.try_into()?;
- builder.subject_public_key(subject_public_key)?;
- }
- MODE => builder.mode(to_mode(value)?)?,
- CODE_HASH => {
- let code_hash = value_to_byte_array(value, "DiceChainEntryPayload code_hash")?;
- builder.code_hash(code_hash)?;
- }
- AUTHORITY_HASH => {
- let authority_hash =
- value_to_byte_array(value, "DiceChainEntryPayload authority_hash")?;
- builder.authority_hash(authority_hash)?;
- }
- CONFIG_DESC => {
- let config_descriptor = value_to_bytes(value, "config_descriptor")?;
- let config_descriptor = ConfigDescriptor::from_slice(&config_descriptor)?;
- builder.config_descriptor(config_descriptor)?;
- }
- _ => {}
- }
- }
- builder.build()
+ let entries = value_to_map(Value::from_slice(&payload)?, "DiceChainEntryPayload")?;
+ build_payload(entries)
}
}
+
+fn build_payload(entries: Vec<(Value, Value)>) -> Result<DiceChainEntryPayload> {
+ let mut builder = PayloadBuilder::default();
+ for (key, value) in entries.into_iter() {
+ let key: i64 = value_to_num(key, "DiceChainEntryPayload key")?;
+ match key {
+ SUBJECT_PUBLIC_KEY => {
+ let subject_public_key = value_to_bytes(value, "subject_public_key")?;
+ let subject_public_key = CoseKey::from_slice(&subject_public_key)?.try_into()?;
+ builder.subject_public_key(subject_public_key)?;
+ }
+ MODE => builder.mode(to_mode(value)?)?,
+ CODE_HASH => {
+ let code_hash = value_to_byte_array(value, "DiceChainEntryPayload code_hash")?;
+ builder.code_hash(code_hash)?;
+ }
+ AUTHORITY_HASH => {
+ let authority_hash =
+ value_to_byte_array(value, "DiceChainEntryPayload authority_hash")?;
+ builder.authority_hash(authority_hash)?;
+ }
+ CONFIG_DESC => {
+ let config_descriptor = value_to_bytes(value, "config_descriptor")?;
+ let config_descriptor = ConfigDescriptor::from_slice(&config_descriptor)?;
+ builder.config_descriptor(config_descriptor)?;
+ }
+ _ => {}
+ }
+ }
+ builder.build()
+}
+
/// Represents a partially decoded `ConfigurationDescriptor`.
///
/// The whole `ConfigurationDescriptor` is defined in: