[attestation] Verify client VM's DICE chain up to pvmfw payload
This CL validates the client VM's DICE chain up to the pvmfw payload
and parses the DICE chain payload to extract the fields
required for attestation.
Test: atest rialto_test
Bug: 278717513
Change-Id: Ia60ed9a65fc5ef4ed5fdb6804403035fa9d7c00e
diff --git a/service_vm/comm/src/csr.rs b/service_vm/comm/src/csr.rs
index 757d080..2a27f90 100644
--- a/service_vm/comm/src/csr.rs
+++ b/service_vm/comm/src/csr.rs
@@ -100,7 +100,8 @@
}
}
-fn try_as_bytes(v: Value, context: &str) -> coset::Result<Vec<u8>> {
+/// Reads the provided value `v` as bytes array.
+pub fn try_as_bytes(v: Value, context: &str) -> coset::Result<Vec<u8>> {
if let Value::Bytes(data) = v {
Ok(data)
} else {
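Review bot: The doc comment added to `try_as_bytes` does not say that the function returns an error when `v` is not a CBOR byte string, nor what `context` is used for, and both matter now that the function is public. I would write `/// Returns the bytes of v if it is a CBOR byte string, and an error that names context otherwise.`; the error branch lies outside this hunk, so the second half should be checked against it. The same applies to `cbor_value_type` in the next hunk, where "Reads the type" would be clearer as `/// Returns a short name for the CBOR type of v, such as "int" or "bstr".`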
@@ -110,7 +111,8 @@
}
}
-fn cbor_value_type(v: &Value) -> &'static str {
+/// Reads the type of the provided value `v`.
+pub fn cbor_value_type(v: &Value) -> &'static str {
match v {
Value::Integer(_) => "int",
Value::Bytes(_) => "bstr",
diff --git a/service_vm/comm/src/lib.rs b/service_vm/comm/src/lib.rs
index bb85a26..c9de540 100644
--- a/service_vm/comm/src/lib.rs
+++ b/service_vm/comm/src/lib.rs
@@ -23,7 +23,7 @@
mod message;
mod vsock;
-pub use csr::{Csr, CsrPayload};
+pub use csr::{cbor_value_type, try_as_bytes, Csr, CsrPayload};
pub use message::{
ClientVmAttestationParams, EcdsaP256KeyPair, GenerateCertificateRequestParams, Request,
RequestProcessingError, Response, ServiceVmRequest,
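Review bot: `cbor_value_type` and `try_as_bytes` are general CBOR helpers, and this `pub use` puts them in the crate's top-level API next to `Csr` and `CsrPayload` even though they are defined in the `csr` module. If other crates need them for DICE chain parsing, a small dedicated public module for the helpers would keep the CSR types and the generic utilities apart. This is a point about layout rather than a defect. The `pub use message::{…}` list continues outside the hunk.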
diff --git a/service_vm/comm/src/message.rs b/service_vm/comm/src/message.rs
index 87c8378..80a9608 100644
--- a/service_vm/comm/src/message.rs
+++ b/service_vm/comm/src/message.rs
@@ -130,6 +130,9 @@
/// An error happened during the DER encoding/decoding.
DerError,
+
+ /// The DICE chain from the client VM is invalid.
+ InvalidDiceChain,
}
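Review bot: `InvalidDiceChain` is a single variant for every way the client VM's DICE chain can be rejected, and its doc comment does not say which checks map to it. The commit message describes both chain validation and payload parsing, so a comment such as `/// The DICE chain from the client VM failed validation or its payload could not be parsed.` would tell callers what to expect; adjust it if parsing failures are reported through a different variant. Because the variant and the `Display` text added in the next hunk carry no cause, the code that returns it (not visible here) should log the specific failing check inside the service VM so that a rejected attestation request can be diagnosed. The enum body begins outside this hunk.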
impl fmt::Display for RequestProcessingError {
@@ -155,6 +158,9 @@
Self::DerError => {
write!(f, "An error happened during the DER encoding/decoding")
}
+ Self::InvalidDiceChain => {
+ write!(f, "The DICE chain from the client VM is invalid")
+ }
}
}
}
diff --git a/service_vm/comm/src/vsock.rs b/service_vm/comm/src/vsock.rs
index aa7166d..7f7cf25 100644
--- a/service_vm/comm/src/vsock.rs
+++ b/service_vm/comm/src/vsock.rs
@@ -18,7 +18,7 @@
const NON_PROTECTED_VM_PORT: u32 = 5680;
/// VM Type.
-#[derive(Clone, Copy, Debug)]
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum VmType {
/// Protected VM.
ProtectedVm,