Merge "[attestation] Add the first version of DeviceInfo" into main am: 30908a5bf5
Original change: https://android-review.googlesource.com/c/platform/packages/modules/Virtualization/+/2955007
Change-Id: Ia2fddc7669bdbe32d7c49d6862f0ef70fe38a4c6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/rialto/Android.bp b/rialto/Android.bp
index c102c89..d7aac35 100644
--- a/rialto/Android.bp
+++ b/rialto/Android.bp
@@ -133,11 +133,11 @@
"libandroid_logger",
"libanyhow",
"libbssl_avf_nostd",
- "libciborium",
"libclient_vm_csr",
"libcoset",
"liblibc",
"liblog_rust",
+ "libhwtrust",
"libservice_vm_comm",
"libservice_vm_fake_chain",
"libservice_vm_manager",
diff --git a/rialto/tests/test.rs b/rialto/tests/test.rs
index 1302bcd..8899875 100644
--- a/rialto/tests/test.rs
+++ b/rialto/tests/test.rs
@@ -23,9 +23,9 @@
};
use anyhow::{bail, Context, Result};
use bssl_avf::{sha256, EcKey, PKey};
-use ciborium::value::Value;
use client_vm_csr::generate_attestation_key_and_csr;
use coset::{CborSerializable, CoseMac0, CoseSign};
+use hwtrust::{rkp, session::Session};
use log::info;
use service_vm_comm::{
ClientVmAttestationParams, Csr, CsrPayload, EcdsaP256KeyPair, GenerateCertificateRequestParams,
@@ -37,7 +37,6 @@
use service_vm_manager::ServiceVm;
use std::fs;
use std::fs::File;
-use std::io;
use std::panic;
use std::path::PathBuf;
use std::str::FromStr;
@@ -272,16 +271,8 @@
Ok(())
}
-/// TODO(b/300625792): Check the CSR with libhwtrust once the CSR is complete.
fn check_csr(csr: Vec<u8>) -> Result<()> {
- let mut reader = io::Cursor::new(csr);
- let csr: Value = ciborium::from_reader(&mut reader)?;
- match csr {
- Value::Array(arr) => {
- assert_eq!(4, arr.len());
- }
- _ => bail!("Incorrect CSR format: {csr:?}"),
- }
+ let _csr = rkp::Csr::from_cbor(&Session::default(), &csr[..]).context("Failed to parse CSR")?;
Ok(())
}
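Review bot: `check_csr` binds the parsed value to `_csr` and drops it, so the test only proves that the bytes parse under `Session::default()`; nothing about the content (the device-info map, the public keys that were requested) is asserted. Whether `rkp::Csr::from_cbor` with a default session also verifies the DICE chain and the signatures is not visible in this hunk, so the test's actual coverage should be stated. With the TODO removed the function has no doc comment; I would add one such as `/// Parses the CSR with libhwtrust; succeeds only if it decodes as an RKP CSR. Field values are not checked here.` and follow up with assertions on the parsed fields.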
diff --git a/service_vm/requests/src/rkp.rs b/service_vm/requests/src/rkp.rs
index 9901a92..569ab01 100644
--- a/service_vm/requests/src/rkp.rs
+++ b/service_vm/requests/src/rkp.rs
@@ -76,13 +76,10 @@
public_keys.push(public_key.to_cbor_value()?);
}
// Builds `CsrPayload`.
- // TODO(b/299256925): The device information is currently empty as we do not
- // have sufficient details to include.
- let device_info = Value::Map(Vec::new());
let csr_payload = cbor!([
Value::Integer(CSR_PAYLOAD_SCHEMA_V3.into()),
Value::Text(String::from(CERTIFICATE_TYPE)),
- device_info,
+ device_info(),
Value::Array(public_keys),
])?;
let csr_payload = cbor_util::serialize(&csr_payload)?;
@@ -107,6 +104,22 @@
Ok(cbor_util::serialize(&auth_req)?)
}
+/// Generates the device info required by the RKP server as a temporary placeholder.
+/// More details in b/301592917.
+fn device_info() -> Value {
+ cbor!({"brand" => "aosp-avf",
+ "manufacturer" => "aosp-avf",
+ "product" => "avf",
+ "model" => "avf",
+ "device" => "avf",
+ "vbmeta_digest" => Value::Bytes(vec![0u8; 0]),
+ "system_patch_level" => 202402,
+ "boot_patch_level" => 20240202,
+ "vendor_patch_level" => 20240202,
+ "fused" => 1})
+ .unwrap()
+}
+
fn derive_hmac_key(dice_artifacts: &dyn DiceArtifacts) -> Result<Zeroizing<[u8; HMAC_KEY_LENGTH]>> {
let mut key = Zeroizing::new([0u8; HMAC_KEY_LENGTH]);
kdf(dice_artifacts.cdi_seal(), &HMAC_KEY_SALT, HMAC_KEY_INFO, key.as_mut()).map_err(|e| {
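Review bot: `device_info()` sends constants for fields the RKP server may read as security state: `"fused" => 1`, an empty `vbmeta_digest`, and patch levels frozen at `202402`/`20240202`. Every CSR therefore makes the same claims whatever the VM's real boot state or patch level is, and the dates will go stale. The doc comment says "temporary placeholder" but not which fields are unmeasured; I would add `// NOTE: fused, vbmeta_digest and the *_patch_level values are constants, not measured; do not base policy on them until b/301592917 is resolved.` Separately, `.unwrap()` turns a `cbor!` failure into a panic on the request path; the call site in the previous hunk already applies `?` to a `cbor!` result, so returning that result and calling `device_info()?` would presumably propagate the error instead. The trailing context (`derive_hmac_key`) continues outside the hunk.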