Refactor BCC handover

Move the generation of the next BCC handover into InputValues. That
gives us cleaner management of the config descriptor buffer and
simplifies the calling code.

(The old version would also require explicit lifetime markers now, not
that that's too big a deal.)

Bug: 280617929
Test: Start a Microdroid pVM
Change-Id: Ie46fa4344b5b0c58d8f8fc33be7433c20212905a
diff --git a/pvmfw/src/dice.rs b/pvmfw/src/dice.rs
index e588acb..4e303ac 100644
--- a/pvmfw/src/dice.rs
+++ b/pvmfw/src/dice.rs
@@ -22,7 +22,8 @@
 use core::slice;
 
 use diced_open_dice::{
-    bcc_format_config_descriptor, hash, Config, DiceMode, Hash, InputValues, HIDDEN_SIZE,
+    bcc_format_config_descriptor, bcc_handover_main_flow, hash, Config, DiceMode, Hash,
+    InputValues, HIDDEN_SIZE,
 };
 use pvmfw_avb::{DebugLevel, Digest, VerifiedBootData};
 
@@ -57,26 +58,30 @@
         Ok(Self { code_hash, auth_hash, mode })
     }
 
-    pub fn into_input_values(
+    pub fn write_next_bcc(
         self,
+        current_bcc_handover: &[u8],
         salt: &[u8; HIDDEN_SIZE],
-        config_descriptor_buffer: &mut [u8],
-    ) -> diced_open_dice::Result<InputValues> {
+        next_bcc: &mut [u8],
+    ) -> diced_open_dice::Result<()> {
+        let mut config_descriptor_buffer = [0; 128];
         let config_descriptor_size = bcc_format_config_descriptor(
             Some(cstr!("vm_entry")),
             None,  // component_version
             false, // resettable
-            config_descriptor_buffer,
+            &mut config_descriptor_buffer,
         )?;
         let config = &config_descriptor_buffer[..config_descriptor_size];
 
-        Ok(InputValues::new(
+        let dice_inputs = InputValues::new(
             self.code_hash,
             Config::Descriptor(config),
             self.auth_hash,
             self.mode,
             *salt,
-        ))
+        );
+        let _ = bcc_handover_main_flow(current_bcc_handover, &dice_inputs, next_bcc)?;
+        Ok(())
     }
 }
 
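Review bot: `write_next_bcc` is a new public method with no doc comment, and its contract is not obvious from the signature: it extends whatever `current_bcc_handover` it is given, while the caller in main.rs depends on passing the truncated handover so that a UDS-rooted chain never reaches the payload. I would add a `///` block stating that it derives the next-stage handover from `current_bcc_handover` and these inputs into `next_bcc`, that choosing (and truncating) the input handover and flushing `next_bcc` remain the caller's job, and that errors from descriptor formatting and from the main flow are both returned unchanged. The `128` in `let mut config_descriptor_buffer = [0; 128];` would read better as a named constant with a comment on why that bound is enough for the `vm_entry` descriptor. The value dropped by `let _ = bcc_handover_main_flow(...)?;` deserves a short comment saying what it is (presumably the number of bytes written) and why it is not needed. The surrounding `impl` begins above this hunk.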
diff --git a/pvmfw/src/main.rs b/pvmfw/src/main.rs
index 21521da..3c0acc7 100644
--- a/pvmfw/src/main.rs
+++ b/pvmfw/src/main.rs
@@ -48,7 +48,7 @@
 use crate::virtio::pci;
 use alloc::boxed::Box;
 use core::ops::Range;
-use diced_open_dice::{bcc_handover_main_flow, bcc_handover_parse, DiceArtifacts};
+use diced_open_dice::{bcc_handover_parse, DiceArtifacts};
 use fdtpci::{PciError, PciInfo};
 use libfdt::Fdt;
 use log::{debug, error, info, trace, warn};
@@ -124,13 +124,6 @@
         })?;
     trace!("Got salt from instance.img: {salt:x?}");
 
-    let mut config_descriptor_buffer = [0; 128];
-    let dice_inputs =
-        dice_inputs.into_input_values(&salt, &mut config_descriptor_buffer).map_err(|e| {
-            error!("Failed to generate DICE inputs: {e:?}");
-            RebootReason::InternalError
-        })?;
-
     // It is possible that the DICE chain we were given is rooted in the UDS. We do not want to give
     // such a chain to the payload, or even the associated CDIs. So remove the entire chain we
     // were given and taint the CDIs. Note that the resulting CDIs are still deterministically
@@ -141,11 +134,12 @@
         RebootReason::InternalError
     })?;
 
-    let _ = bcc_handover_main_flow(truncated_bcc_handover.as_slice(), &dice_inputs, next_bcc)
-        .map_err(|e| {
+    dice_inputs.write_next_bcc(truncated_bcc_handover.as_slice(), &salt, next_bcc).map_err(
+        |e| {
             error!("Failed to derive next-stage DICE secrets: {e:?}");
             RebootReason::SecretDerivationError
-        })?;
+        },
+    )?;
     flush(next_bcc);
 
     let strict_boot = true;
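Review bot: Every failure of `write_next_bcc` is now reported as `RebootReason::SecretDerivationError` with "Failed to derive next-stage DICE secrets", including a failure of `bcc_format_config_descriptor`, which the removed call site mapped to `RebootReason::InternalError` with "Failed to generate DICE inputs". If that distinction is used when triaging pVM boot failures, the two error sources should stay distinguishable, for example by having `write_next_bcc` return an error that tells the formatting step from the derivation step; if merging them is intended, a comment at this call such as `// Also covers config descriptor formatting failures.` would record it. The enclosing function starts and ends outside this hunk.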