Move dice_driver to libs/dice/driver
The dice_driver will be used by the derive_microdroid_vendor_dice_node
binary, hence moving the implementation to libs.
Bug: 287593065
Test: builds
Test: presubmit
Change-Id: If28834f84b24c75738ec6501d25745e20e674547
diff --git a/microdroid_manager/src/dice.rs b/microdroid_manager/src/dice.rs
index a8b88aa..7f65159 100644
--- a/microdroid_manager/src/dice.rs
+++ b/microdroid_manager/src/dice.rs
@@ -12,12 +12,12 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use crate::dice_driver::DiceDriver;
use crate::instance::{ApexData, ApkData};
use crate::{is_debuggable, MicrodroidData};
use anyhow::{bail, Context, Result};
use ciborium::{cbor, Value};
use coset::CborSerializable;
+use dice_driver::DiceDriver;
use diced_open_dice::OwnedDiceArtifacts;
use microdroid_metadata::PayloadMetadata;
use openssl::sha::{sha512, Sha512};
diff --git a/microdroid_manager/src/dice_driver.rs b/microdroid_manager/src/dice_driver.rs
deleted file mode 100644
index 229f3e0..0000000
--- a/microdroid_manager/src/dice_driver.rs
+++ /dev/null
@@ -1,149 +0,0 @@
-// Copyright 2022, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Logic for handling the DICE values and boot operations.
-
-use anyhow::{anyhow, bail, Context, Error, Result};
-use byteorder::{NativeEndian, ReadBytesExt};
-use diced_open_dice::{
- bcc_handover_parse, retry_bcc_main_flow, BccHandover, Config, DiceArtifacts, DiceMode, Hash,
- Hidden, InputValues, OwnedDiceArtifacts,
-};
-use keystore2_crypto::ZVec;
-use libc::{c_void, mmap, munmap, MAP_FAILED, MAP_PRIVATE, PROT_READ};
-use openssl::hkdf::hkdf;
-use openssl::md::Md;
-use std::fs;
-use std::os::unix::io::AsRawFd;
-use std::path::{Path, PathBuf};
-use std::ptr::null_mut;
-use std::slice;
-
-/// Artifacts that are mapped into the process address space from the driver.
-pub enum DiceDriver<'a> {
- Real {
- driver_path: PathBuf,
- mmap_addr: *mut c_void,
- mmap_size: usize,
- bcc_handover: BccHandover<'a>,
- },
- Fake(OwnedDiceArtifacts),
-}
-
-impl DiceDriver<'_> {
- fn dice_artifacts(&self) -> &dyn DiceArtifacts {
- match self {
- Self::Real { bcc_handover, .. } => bcc_handover,
- Self::Fake(owned_dice_artifacts) => owned_dice_artifacts,
- }
- }
-
- pub fn new(driver_path: &Path) -> Result<Self> {
- if driver_path.exists() {
- log::info!("Using DICE values from driver");
- } else if super::is_strict_boot() {
- bail!("Strict boot requires DICE value from driver but none were found");
- } else {
- log::warn!("Using sample DICE values");
- let dice_artifacts = diced_sample_inputs::make_sample_bcc_and_cdis()
- .expect("Failed to create sample dice artifacts.");
- return Ok(Self::Fake(dice_artifacts));
- };
-
- let mut file = fs::File::open(driver_path)
- .map_err(|error| Error::new(error).context("Opening driver"))?;
- let mmap_size =
- file.read_u64::<NativeEndian>()
- .map_err(|error| Error::new(error).context("Reading driver"))? as usize;
- // SAFETY: It's safe to map the driver as the service will only create a single
- // mapping per process.
- let mmap_addr = unsafe {
- let fd = file.as_raw_fd();
- mmap(null_mut(), mmap_size, PROT_READ, MAP_PRIVATE, fd, 0)
- };
- if mmap_addr == MAP_FAILED {
- bail!("Failed to mmap {:?}", driver_path);
- }
- let mmap_buf =
- // SAFETY: The slice is created for the region of memory that was just
- // successfully mapped into the process address space so it will be
- // accessible and not referenced from anywhere else.
- unsafe { slice::from_raw_parts((mmap_addr as *const u8).as_ref().unwrap(), mmap_size) };
- let bcc_handover =
- bcc_handover_parse(mmap_buf).map_err(|_| anyhow!("Failed to parse Bcc Handover"))?;
- Ok(Self::Real {
- driver_path: driver_path.to_path_buf(),
- mmap_addr,
- mmap_size,
- bcc_handover,
- })
- }
-
- /// Derives a sealing key of `key_length` bytes from the DICE sealing CDI.
- pub fn get_sealing_key(&self, identifier: &[u8], key_length: usize) -> Result<ZVec> {
- // Deterministically derive a key to use for sealing data, rather than using the CDI
- // directly, so we have the chance to rotate the key if needed. A salt isn't needed as the
- // input key material is already cryptographically strong.
- let mut key = ZVec::new(key_length)?;
- let salt = &[];
- hkdf(&mut key, Md::sha256(), self.dice_artifacts().cdi_seal(), salt, identifier)?;
- Ok(key)
- }
-
- pub fn derive(
- self,
- code_hash: Hash,
- config_desc: &[u8],
- authority_hash: Hash,
- debug: bool,
- hidden: Hidden,
- ) -> Result<OwnedDiceArtifacts> {
- let input_values = InputValues::new(
- code_hash,
- Config::Descriptor(config_desc),
- authority_hash,
- if debug { DiceMode::kDiceModeDebug } else { DiceMode::kDiceModeNormal },
- hidden,
- );
- let current_dice_artifacts = self.dice_artifacts();
- let next_dice_artifacts = retry_bcc_main_flow(
- current_dice_artifacts.cdi_attest(),
- current_dice_artifacts.cdi_seal(),
- current_dice_artifacts.bcc().ok_or_else(|| anyhow!("bcc is none"))?,
- &input_values,
- )
- .context("DICE derive from driver")?;
- if let Self::Real { driver_path, .. } = &self {
- // Writing to the device wipes the artifacts. The string is ignored by the driver but
- // included for documentation.
- fs::write(driver_path, "wipe")
- .map_err(|err| Error::new(err).context("Wiping driver"))?;
- }
- Ok(next_dice_artifacts)
- }
-}
-
-impl Drop for DiceDriver<'_> {
- fn drop(&mut self) {
- if let &mut Self::Real { mmap_addr, mmap_size, .. } = self {
- // SAFETY: All references to the mapped region have the same lifetime as self. Since
- // self is being dropped, so are all the references to the mapped region meaning it's
- // safe to unmap.
- let ret = unsafe { munmap(mmap_addr, mmap_size) };
- if ret != 0 {
- log::warn!("Failed to munmap ({})", ret);
- }
- }
- }
-}
diff --git a/microdroid_manager/src/instance.rs b/microdroid_manager/src/instance.rs
index 7a9f0e0..888c451 100644
--- a/microdroid_manager/src/instance.rs
+++ b/microdroid_manager/src/instance.rs
@@ -33,11 +33,11 @@
//! The payload of a partition is encrypted/signed by a key that is unique to the loader and to the
//! VM as well. Failing to decrypt/authenticate a partition by a loader stops the boot process.
-use crate::dice_driver::DiceDriver;
use crate::ioutil;
use anyhow::{anyhow, bail, Context, Result};
use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt};
+use dice_driver::DiceDriver;
use openssl::symm::{decrypt_aead, encrypt_aead, Cipher};
use serde::{Deserialize, Serialize};
use std::fs::{File, OpenOptions};
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index 0d67632..8d2c629 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -15,7 +15,6 @@
//! Microdroid Manager
mod dice;
-mod dice_driver;
mod instance;
mod ioutil;
mod payload;
@@ -33,12 +32,12 @@
};
use crate::dice::dice_derivation;
-use crate::dice_driver::DiceDriver;
use crate::instance::{InstanceDisk, MicrodroidData};
use crate::verify::verify_payload;
use crate::vm_payload_service::register_vm_payload_service;
use anyhow::{anyhow, bail, ensure, Context, Error, Result};
use binder::Strong;
+use dice_driver::DiceDriver;
use keystore2_crypto::ZVec;
use libc::VMADDR_CID_HOST;
use log::{error, info};
@@ -241,7 +240,8 @@
vm_payload_service_fd: OwnedFd,
) -> Result<i32> {
let metadata = load_metadata().context("Failed to load payload metadata")?;
- let dice = DiceDriver::new(Path::new("/dev/open-dice0")).context("Failed to load DICE")?;
+ let dice = DiceDriver::new(Path::new("/dev/open-dice0"), is_strict_boot())
+ .context("Failed to load DICE")?;
let mut instance = InstanceDisk::new().context("Failed to load instance.img")?;
let saved_data =