[rkp] Report request processing error from service VM to host
This cl moves the request processing error from the service VM
to the communication protocol library so that the service VM can
send the error to the host.
This change is necessary to enable the service VM to send back
RKP service specific error later.
Bug: 299256925
Test: atest rialto_test
Change-Id: I2cd718d8606880188866e954ac7c4eb8bb732bb4
diff --git a/virtualizationservice/src/remote_provisioning.rs b/virtualizationservice/src/remote_provisioning.rs
index 1c8d1e6..a9a07a5 100644
--- a/virtualizationservice/src/remote_provisioning.rs
+++ b/virtualizationservice/src/remote_provisioning.rs
@@ -19,7 +19,7 @@
DeviceInfo::DeviceInfo,
IRemotelyProvisionedComponent::{
BnRemotelyProvisionedComponent, IRemotelyProvisionedComponent, STATUS_FAILED,
- STATUS_REMOVED,
+ STATUS_INVALID_MAC, STATUS_REMOVED,
},
MacedPublicKey::MacedPublicKey,
ProtectedData::ProtectedData,
@@ -28,6 +28,7 @@
use anyhow::Context;
use avflog::LogResult;
use binder::{BinderFeatures, Interface, IntoBinderResult, Result as BinderResult, Status, Strong};
+use service_vm_comm::{RequestProcessingError, Response};
/// Constructs a binder object that implements `IRemotelyProvisionedComponent`.
pub(crate) fn new_binder() -> Strong<dyn IRemotelyProvisionedComponent> {
@@ -65,12 +66,18 @@
))
.with_log();
}
- let key_pair = rkpvm::generate_ecdsa_p256_key_pair()
+ let res = rkpvm::generate_ecdsa_p256_key_pair()
.context("Failed to generate ECDSA P-256 key pair")
.with_log()
.or_service_specific_exception(STATUS_FAILED)?;
- macedPublicKey.macedKey = key_pair.maced_public_key;
- Ok(key_pair.key_blob)
+ match res {
+ Response::GenerateEcdsaP256KeyPair(key_pair) => {
+ macedPublicKey.macedKey = key_pair.maced_public_key;
+ Ok(key_pair.key_blob)
+ }
+ _ => Err(to_service_specific_error(res)),
+ }
+ .with_log()
}
fn generateCertificateRequest(
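Review bot: The dispatch `match res { Response::GenerateEcdsaP256KeyPair(key_pair) => …, _ => Err(to_service_specific_error(res)) }` followed by `.with_log()` is duplicated almost verbatim in generateCertificateRequest below, differing only in the expected variant. A single private helper that takes the `Response` and an extractor for the expected variant, and does the `to_service_specific_error` fallback plus logging in one place, would keep the two call sites from drifting as more request types are added. generateEcdsaP256KeyPair's body starts outside this hunk.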
@@ -104,10 +111,32 @@
return Err(Status::new_service_specific_error_str(STATUS_FAILED, Some(message)))
.with_log();
}
- // TODO(b/299259624): Validate the MAC of the keys to certify.
- rkpvm::generate_certificate_request(keysToSign, challenge)
+ let res = rkpvm::generate_certificate_request(keysToSign, challenge)
.context("Failed to generate certificate request")
.with_log()
- .or_service_specific_exception(STATUS_FAILED)
+ .or_service_specific_exception(STATUS_FAILED)?;
+ match res {
+ Response::GenerateCertificateRequest(res) => Ok(res),
+ _ => Err(to_service_specific_error(res)),
+ }
+ .with_log()
+ }
+}
+
+fn to_service_specific_error(response: Response) -> Status {
+ match response {
+ Response::Err(e) => match e {
+ RequestProcessingError::InvalidMac => {
+ Status::new_service_specific_error_str(STATUS_INVALID_MAC, Some(format!("{e}")))
+ }
+ _ => Status::new_service_specific_error_str(
+ STATUS_FAILED,
+ Some(format!("Failed to process request: {e}.")),
+ ),
+ },
+ other => Status::new_service_specific_error_str(
+ STATUS_FAILED,
+ Some(format!("Incorrect response type: {other:?}")),
+ ),
}
}
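Review bot: The `other` arm of to_service_specific_error formats the entire unexpected `Response` with `{other:?}` into the status message, which is returned to the binder client and, through `.with_log()`, written to the log; if the mismatched variant carries a payload (presumably a key blob and MACed key for `GenerateEcdsaP256KeyPair`, or a CSR), that payload ends up in an error string. Report only the variant name there, e.g. `Some(format!("Incorrect response type: {}", variant_name(&other)))` with a small `match`-based name helper, and keep `{other:?}` out of client-visible messages. The dropped `TODO(b/299259624)` comment suggests MAC validation of keysToSign now happens in the service VM; a line such as `// MAC validation of keysToSign is performed by the service VM and surfaces as RequestProcessingError::InvalidMac.` above the `rkpvm::generate_certificate_request` call would record that so the next reader does not re-add host-side validation. generateCertificateRequest's signature and the start of its body are outside this hunk.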
diff --git a/virtualizationservice/src/rkpvm.rs b/virtualizationservice/src/rkpvm.rs
index 80953b5..d6e87eb 100644
--- a/virtualizationservice/src/rkpvm.rs
+++ b/virtualizationservice/src/rkpvm.rs
@@ -18,7 +18,7 @@
use android_hardware_security_rkp::aidl::android::hardware::security::keymint::MacedPublicKey::MacedPublicKey;
use anyhow::{bail, Context, Result};
-use service_vm_comm::{EcdsaP256KeyPair, GenerateCertificateRequestParams, Request, Response};
+use service_vm_comm::{GenerateCertificateRequestParams, Request, Response};
use service_vm_manager::ServiceVm;
pub(crate) fn request_certificate(csr: &[u8]) -> Result<Vec<u8>> {
@@ -33,19 +33,16 @@
}
}
-pub(crate) fn generate_ecdsa_p256_key_pair() -> Result<EcdsaP256KeyPair> {
+pub(crate) fn generate_ecdsa_p256_key_pair() -> Result<Response> {
let mut vm = ServiceVm::start()?;
let request = Request::GenerateEcdsaP256KeyPair;
- match vm.process_request(request).context("Failed to process request")? {
- Response::GenerateEcdsaP256KeyPair(key_pair) => Ok(key_pair),
- _ => bail!("Incorrect response type"),
- }
+ vm.process_request(request).context("Failed to process request")
}
pub(crate) fn generate_certificate_request(
keys_to_sign: &[MacedPublicKey],
challenge: &[u8],
-) -> Result<Vec<u8>> {
+) -> Result<Response> {
let params = GenerateCertificateRequestParams {
keys_to_sign: keys_to_sign.iter().map(|v| v.macedKey.to_vec()).collect(),
challenge: challenge.to_vec(),
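Review bot: Both `bail!("Incorrect response type")` calls are removed, here and in the following hunk, but `use anyhow::{bail, Context, Result};` in the first hunk is kept; unless request_certificate (its body lies outside these hunks) still uses `bail!`, the import is now unused and will warn or fail a `-D warnings` build. The two functions also now return `Ok(Response::Err(..))` for a failed request, which the `Result<Response>` signature does not convey; a doc comment on each, such as `/// Returns the service VM's raw response; callers must match on the variant, since a request-processing failure is returned as \`Ok(Response::Err(..))\`.`, would make that contract explicit.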
@@ -53,8 +50,5 @@
let request = Request::GenerateCertificateRequest(params);
let mut vm = ServiceVm::start()?;
- match vm.process_request(request).context("Failed to process request")? {
- Response::GenerateCertificateRequest(csr) => Ok(csr),
- _ => bail!("Incorrect response type"),
- }
+ vm.process_request(request).context("Failed to process request")
}