Key blob protection using AEAD

Add BlobEncryptor, which can be used to write a secret (like our
private key) to an encrypted & authenticated blob and later retrieve
it.

Added the skeleton of code to make use of this, using the sealing CDI
as the input to the key derivation.

Bug: 214233409
Test: atest compsvc_device_tests
Change-Id: Iea7e82405072a31ae5f7ad64a9e894a970913219
diff --git a/compos/src/dice.rs b/compos/src/dice.rs
index 22a7ee2..cdfc387 100644
--- a/compos/src/dice.rs
+++ b/compos/src/dice.rs
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-//! Handles the use of DICE as the source of our unique signing key via diced / IDiceNode.
+//! Handles the use of DICE (via diced / IDiceNode) for accessing our VM's unique secret.
 
 use android_security_dice::aidl::android::security::dice::IDiceNode::IDiceNode;
 use android_security_dice::binder::{wait_for_interface, Strong};
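Review bot: The reworded module doc comment now mentions only "accessing our VM's unique secret", but the same file still returns the attestation chain (the "Getting attestation chain failed" context in the next hunk). Consider wording the `//!` line so it covers both uses, for example by naming the attestation chain and the sealing CDI explicitly.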
@@ -39,4 +39,10 @@
             .context("Getting attestation chain failed")?;
         Ok(bcc.data)
     }
+
+    pub fn get_sealing_cdi(&self) -> Result<Vec<u8>> {
+        let input_values = [];
+        let bcc_handover = self.node.derive(&input_values).context("Failed to retrieve CDI")?;
+        Ok(bcc_handover.cdiSeal.to_vec())
+    }
 }
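Review bot: `get_sealing_cdi` hands the sealing CDI back as a plain `Vec<u8>` made with `cdiSeal.to_vec()`, so the secret is copied and neither the copy nor the original in `bcc_handover` is wiped when dropped. Since the commit message says this value feeds the key derivation, consider returning it in a zeroize-on-drop wrapper (such as `Zeroizing<Vec<u8>>` from the `zeroize` crate) so it does not linger in freed memory. The new `pub fn` also has no doc comment; a `///` line stating that the return value is secret and must not be logged or persisted, plus a short comment on why `input_values` is empty, would help callers.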