commit bd51176b023dd2069cb7225c5edfd6910d0d709b
author Ajinkya Chalke <achalke@google.com> Tue Dec 12 11:57:03 2023 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Dec 12 11:57:03 2023 +0000
tree 6a26e85e173c28268223f80f4ef801f0b66ef3a1
parent 73e72268769c51a9dd0f62e85dc3288a9e7202e2

Revert "[attestation] Validate client VM's Microdroid kernel in service VM"

This reverts commit 73e72268769c51a9dd0f62e85dc3288a9e7202e2.

Reason for revert: Checking if reverting this CL fixes build breakage http://b/315936000

Change-Id: I21c9d089b54d3d40f8b5077646351695850545cc

service_vm/requests/src/dice.rs

diff --git a/service_vm/requests/src/dice.rs b/service_vm/requests/src/dice.rs
index 8c804da..557b678 100644
--- a/service_vm/requests/src/dice.rs
+++ b/service_vm/requests/src/dice.rs
@@ -126,7 +126,7 @@
         Ok(())
     }
 
-    pub(crate) fn microdroid_kernel(&self) -> &DiceChainEntryPayload {
+    fn microdroid_kernel(&self) -> &DiceChainEntryPayload {
         &self.payloads[self.payloads.len() - 2]
     }
 
@@ -147,11 +147,15 @@
 /// Validates that the `client_vm_dice_chain` matches the `service_vm_dice_chain` up to the pvmfw
 /// entry.
 ///
-/// Returns `Ok(())` if the verification succeeds.
+/// Returns a CBOR value array of the client VM's DICE chain if the verification succeeds.
 pub(crate) fn validate_client_vm_dice_chain_prefix_match(
-    client_vm_dice_chain: &[Value],
-    service_vm_dice_chain: &[Value],
-) -> Result<()> {
+    client_vm_dice_chain: &[u8],
+    service_vm_dice_chain: &[u8],
+) -> Result<Vec<Value>> {
+    let client_vm_dice_chain =
+        value_to_array(Value::from_slice(client_vm_dice_chain)?, "client_vm_dice_chain")?;
+    let service_vm_dice_chain =
+        value_to_array(Value::from_slice(service_vm_dice_chain)?, "service_vm_dice_chain")?;
     if service_vm_dice_chain.len() < 3 {
         // The service VM's DICE chain must contain the root key and at least two other entries
         // that describe:
@@ -176,7 +180,7 @@
         );
         return Err(RequestProcessingError::InvalidDiceChain);
     }
-    Ok(())
+    Ok(client_vm_dice_chain)
 }
 
 #[derive(Debug, Clone)]
@@ -204,8 +208,11 @@
     #[allow(dead_code)]
     subject_public_key: PublicKey,
     mode: DiceMode,
-    pub(crate) code_hash: [u8; HASH_SIZE],
-    pub(crate) authority_hash: [u8; HASH_SIZE],
+    /// TODO(b/271275206): Verify Microdroid kernel authority and code hashes.
+    #[allow(dead_code)]
+    code_hash: [u8; HASH_SIZE],
+    #[allow(dead_code)]
+    authority_hash: [u8; HASH_SIZE],
     config_descriptor: ConfigDescriptor,
 }
 
@@ -223,42 +230,42 @@
             error!("No payload found in the DICE chain entry");
             RequestProcessingError::InvalidDiceChain
         })?;
-        Self::from_slice(&payload)
-    }
-
-    pub(crate) fn from_slice(data: &[u8]) -> Result<Self> {
-        let entries = value_to_map(Value::from_slice(data)?, "DiceChainEntryPayload")?;
-        let mut builder = PayloadBuilder::default();
-        for (key, value) in entries.into_iter() {
-            let key: i64 = value_to_num(key, "DiceChainEntryPayload key")?;
-            match key {
-                SUBJECT_PUBLIC_KEY => {
-                    let subject_public_key = value_to_bytes(value, "subject_public_key")?;
-                    let subject_public_key =
-                        CoseKey::from_slice(&subject_public_key)?.try_into()?;
-                    builder.subject_public_key(subject_public_key)?;
-                }
-                MODE => builder.mode(to_mode(value)?)?,
-                CODE_HASH => {
-                    let code_hash = value_to_byte_array(value, "DiceChainEntryPayload code_hash")?;
-                    builder.code_hash(code_hash)?;
-                }
-                AUTHORITY_HASH => {
-                    let authority_hash =
-                        value_to_byte_array(value, "DiceChainEntryPayload authority_hash")?;
-                    builder.authority_hash(authority_hash)?;
-                }
-                CONFIG_DESC => {
-                    let config_descriptor = value_to_bytes(value, "config_descriptor")?;
-                    let config_descriptor = ConfigDescriptor::from_slice(&config_descriptor)?;
-                    builder.config_descriptor(config_descriptor)?;
-                }
-                _ => {}
-            }
-        }
-        builder.build()
+        let entries = value_to_map(Value::from_slice(&payload)?, "DiceChainEntryPayload")?;
+        build_payload(entries)
     }
 }
+
+fn build_payload(entries: Vec<(Value, Value)>) -> Result<DiceChainEntryPayload> {
+    let mut builder = PayloadBuilder::default();
+    for (key, value) in entries.into_iter() {
+        let key: i64 = value_to_num(key, "DiceChainEntryPayload key")?;
+        match key {
+            SUBJECT_PUBLIC_KEY => {
+                let subject_public_key = value_to_bytes(value, "subject_public_key")?;
+                let subject_public_key = CoseKey::from_slice(&subject_public_key)?.try_into()?;
+                builder.subject_public_key(subject_public_key)?;
+            }
+            MODE => builder.mode(to_mode(value)?)?,
+            CODE_HASH => {
+                let code_hash = value_to_byte_array(value, "DiceChainEntryPayload code_hash")?;
+                builder.code_hash(code_hash)?;
+            }
+            AUTHORITY_HASH => {
+                let authority_hash =
+                    value_to_byte_array(value, "DiceChainEntryPayload authority_hash")?;
+                builder.authority_hash(authority_hash)?;
+            }
+            CONFIG_DESC => {
+                let config_descriptor = value_to_bytes(value, "config_descriptor")?;
+                let config_descriptor = ConfigDescriptor::from_slice(&config_descriptor)?;
+                builder.config_descriptor(config_descriptor)?;
+            }
+            _ => {}
+        }
+    }
+    builder.build()
+}
+
 /// Represents a partially decoded `ConfigurationDescriptor`.
 ///
 /// The whole `ConfigurationDescriptor` is defined in: