Key blob protection using AEAD

Add BlobEncryptor, which can be used to write a secret (like our
private key) to an encrypted & authenticated blob and later retrieve
it.

Added the skeleton of code to make use of this, using the sealing CDI
as the input to the key derivation.

Bug: 214233409
Test: atest compsvc_device_tests
Change-Id: Iea7e82405072a31ae5f7ad64a9e894a970913219
diff --git a/compos/src/compsvc.rs b/compos/src/compsvc.rs
index b4af9b5..60e77a7 100644
--- a/compos/src/compsvc.rs
+++ b/compos/src/compsvc.rs
@@ -46,6 +46,7 @@
     let service = CompOsService {
         odrefresh_path: PathBuf::from(ODREFRESH_PATH),
         key_service: CompOsKeyService::new()?,
+        dice: Dice::new()?,
         key_blob: RwLock::new(Vec::new()),
     };
     Ok(BnCompOsService::new_binder(service, BinderFeatures::default()))
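Review bot: `dice: Dice::new()?` in the constructor means any DICE failure now stops the whole service from being created, where before it only failed `get_boot_certificate_chain`, and the bare `?` does not say which of the two fallible initialisers failed. If the file's `Result` is anyhow's (the import is not visible in this hunk), `dice: Dice::new().context("Failed to open DICE")?,` would make the startup error distinguishable from a `CompOsKeyService::new()` failure. Failing closed at startup looks reasonable given the commit message says the sealing CDI will feed the key-blob key derivation, but a one-line comment such as `// No DICE, no sealing key: refuse to start rather than run without blob protection.` would record that it is deliberate. The enclosing function starts outside the hunk.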
@@ -54,6 +55,7 @@
 struct CompOsService {
     odrefresh_path: PathBuf,
     key_service: CompOsKeyService,
+    dice: Dice,
     key_blob: RwLock<Vec<u8>>,
 }
 
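Review bot: The new `dice` field has no comment explaining why the handle is now held for the lifetime of the service instead of being opened per call. Something like `/// DICE handle, opened once at startup; source of the boot certificate chain and of the sealing CDI used to protect the key blob.` would tell the next reader that this field is the root of the blob-encryption key material. The `RwLock` on `key_blob` suggests the struct is reached from several threads, so it is also worth confirming that `Dice` is safe to share that way and that a handle opened at startup stays usable if the backing DICE service restarts; neither is visible from this hunk.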
@@ -68,8 +70,7 @@
     }
 
     fn get_boot_certificate_chain(&self) -> Result<Vec<u8>> {
-        let dice = Dice::new()?;
-        dice.get_boot_certificate_chain()
+        self.dice.get_boot_certificate_chain()
     }
 }