Use the vm_payload library to access DICE values
Migrate from direct use of IDiceNode over binder to calling the payload
support library. The functions exposed by the library are expected to
change so this is just the initial migration.
Bug: 243514248
Test: atest MicrodroidTests
Test: atest ComposHostTestCases
Change-Id: Ifadfab090b61ab3240331d381641f6dc33ad8ee9
diff --git a/compos/compos_key_helper/Android.bp b/compos/compos_key_helper/Android.bp
index a932b40..fdfcfc1 100644
--- a/compos/compos_key_helper/Android.bp
+++ b/compos/compos_key_helper/Android.bp
@@ -24,10 +24,11 @@
defaults: ["compos_key_defaults"],
srcs: ["compos_key_main.cpp"],
- static_libs: ["libcompos_key"],
+ static_libs: [
+ "libcompos_key",
+ "libvm_payload",
+ ],
shared_libs: [
- "android.hardware.security.dice-V1-ndk",
- "android.security.dice-ndk",
"libbinder_ndk",
],
}
diff --git a/compos/compos_key_helper/compos_key_main.cpp b/compos/compos_key_helper/compos_key_main.cpp
index 9ba9f8d..77a9cf9 100644
--- a/compos/compos_key_helper/compos_key_main.cpp
+++ b/compos/compos_key_helper/compos_key_main.cpp
@@ -14,21 +14,15 @@
* limitations under the License.
*/
-#include <aidl/android/security/dice/IDiceNode.h>
#include <android-base/file.h>
#include <android-base/logging.h>
-#include <android/binder_auto_utils.h>
-#include <android/binder_manager.h>
#include <unistd.h>
+#include <vm_payload.h>
#include <string_view>
#include "compos_key.h"
-using aidl::android::hardware::security::dice::Bcc;
-using aidl::android::hardware::security::dice::BccHandover;
-using aidl::android::hardware::security::dice::InputValues;
-using aidl::android::security::dice::IDiceNode;
using android::base::Error;
using android::base::ReadFdToString;
using android::base::Result;
@@ -38,22 +32,15 @@
namespace {
Result<Ed25519KeyPair> deriveKeyFromDice() {
- ndk::SpAIBinder binder{AServiceManager_getService("android.security.dice.IDiceNode")};
- auto dice_node = IDiceNode::fromBinder(binder);
- if (!dice_node) {
- return Error() << "Unable to connect to IDiceNode";
- }
-
- const std::vector<InputValues> empty_input_values;
- BccHandover bcc;
- auto status = dice_node->derive(empty_input_values, &bcc);
- if (!status.isOk()) {
- return Error() << "Derive failed: " << status.getDescription();
+ uint8_t cdi_seal[64];
+ size_t cdi_size = get_dice_sealing_cdi(cdi_seal, sizeof(cdi_seal));
+ if (cdi_size == 0) {
+ return Error() << "Failed to get sealing CDI";
}
// We use the sealing CDI because we want stability - the key needs to be the same
// for any instance of the "same" VM.
- return compos_key::deriveKeyFromSecret(bcc.cdiSeal.data(), bcc.cdiSeal.size());
+ return compos_key::deriveKeyFromSecret(cdi_seal, cdi_size);
}
int write_public_key() {
@@ -70,22 +57,14 @@
}
int write_bcc() {
- ndk::SpAIBinder binder{AServiceManager_getService("android.security.dice.IDiceNode")};
- auto dice_node = IDiceNode::fromBinder(binder);
- if (!dice_node) {
- LOG(ERROR) << "Unable to connect to IDiceNode";
+ uint8_t bcc[2048];
+ size_t bcc_size = get_dice_attestation_chain(bcc, sizeof(bcc));
+ if (bcc_size == 0) {
+ LOG(ERROR) << "Failed to get attestation chain";
return 1;
}
- const std::vector<InputValues> empty_input_values;
- Bcc bcc;
- auto status = dice_node->getAttestationChain(empty_input_values, &bcc);
- if (!status.isOk()) {
- LOG(ERROR) << "GetAttestationChain failed: " << status.getDescription();
- return 1;
- }
-
- if (!WriteFully(STDOUT_FILENO, bcc.data.data(), bcc.data.size())) {
+ if (!WriteFully(STDOUT_FILENO, bcc, bcc_size)) {
PLOG(ERROR) << "Write failed";
return 1;
}
diff --git a/microdroid/vm_payload/Android.bp b/microdroid/vm_payload/Android.bp
index 4f893d6..f7223ab 100644
--- a/microdroid/vm_payload/Android.bp
+++ b/microdroid/vm_payload/Android.bp
@@ -15,4 +15,7 @@
"libbinder_rs",
"liblog_rust",
],
+ apex_available: [
+ "com.android.compos",
+ ],
}
diff --git a/microdroid_manager/aidl/Android.bp b/microdroid_manager/aidl/Android.bp
index 98ce6f5..0aa8662 100644
--- a/microdroid_manager/aidl/Android.bp
+++ b/microdroid_manager/aidl/Android.bp
@@ -11,6 +11,7 @@
enabled: true,
apex_available: [
"com.android.virt",
+ "com.android.compos",
],
},
},
diff --git a/tests/testapk/Android.bp b/tests/testapk/Android.bp
index 9e6958c..e1c8124 100644
--- a/tests/testapk/Android.bp
+++ b/tests/testapk/Android.bp
@@ -32,7 +32,6 @@
name: "MicrodroidTestNativeLib",
srcs: ["src/native/testbinary.cpp"],
shared_libs: [
- "android.security.dice-ndk",
"com.android.microdroid.testservice-ndk",
"libbase",
"libbinder_ndk",
diff --git a/tests/testapk/src/native/testbinary.cpp b/tests/testapk/src/native/testbinary.cpp
index fd8e776..d1cfc56 100644
--- a/tests/testapk/src/native/testbinary.cpp
+++ b/tests/testapk/src/native/testbinary.cpp
@@ -13,7 +13,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-#include <aidl/android/security/dice/IDiceNode.h>
#include <aidl/com/android/microdroid/testservice/BnTestService.h>
#include <android-base/file.h>
#include <android-base/properties.h>
@@ -28,15 +27,11 @@
#include <sys/ioctl.h>
#include <sys/system_properties.h>
#include <unistd.h>
+#include <vm_payload.h>
#include <binder_rpc_unstable.hpp>
#include <string>
-#include "vm_payload.h"
-
-using aidl::android::hardware::security::dice::BccHandover;
-using aidl::android::security::dice::IDiceNode;
-
using android::base::ErrnoError;
using android::base::Error;
using android::base::Result;
@@ -79,53 +74,35 @@
}
ndk::ScopedAStatus insecurelyExposeSealingCdi(std::vector<uint8_t>* out) override {
- ndk::SpAIBinder binder(AServiceManager_getService("android.security.dice.IDiceNode"));
- auto service = IDiceNode::fromBinder(binder);
- if (service == nullptr) {
+ uint8_t cdi[64];
+ size_t cdi_size = get_dice_sealing_cdi(cdi, sizeof(cdi));
+ if (cdi_size == 0) {
return ndk::ScopedAStatus::
- fromServiceSpecificErrorWithMessage(0, "Failed to find diced");
+ fromServiceSpecificErrorWithMessage(0, "Failed to get sealing cdi");
}
- BccHandover handover;
- auto deriveStatus = service->derive({}, &handover);
- if (!deriveStatus.isOk()) {
- return ndk::ScopedAStatus::fromServiceSpecificErrorWithMessage(0,
- "Failed call diced");
- }
- *out = {handover.cdiSeal.begin(), handover.cdiSeal.end()};
+ *out = {cdi, cdi + cdi_size};
return ndk::ScopedAStatus::ok();
}
ndk::ScopedAStatus insecurelyExposeAttestationCdi(std::vector<uint8_t>* out) override {
- ndk::SpAIBinder binder(AServiceManager_getService("android.security.dice.IDiceNode"));
- auto service = IDiceNode::fromBinder(binder);
- if (service == nullptr) {
+ uint8_t cdi[64];
+ size_t cdi_size = get_dice_attestation_cdi(cdi, sizeof(cdi));
+ if (cdi_size == 0) {
return ndk::ScopedAStatus::
- fromServiceSpecificErrorWithMessage(0, "Failed to find diced");
+ fromServiceSpecificErrorWithMessage(0, "Failed to get attestation cdi");
}
- BccHandover handover;
- auto deriveStatus = service->derive({}, &handover);
- if (!deriveStatus.isOk()) {
- return ndk::ScopedAStatus::fromServiceSpecificErrorWithMessage(0,
- "Failed call diced");
- }
- *out = {handover.cdiAttest.begin(), handover.cdiAttest.end()};
+ *out = {cdi, cdi + cdi_size};
return ndk::ScopedAStatus::ok();
}
ndk::ScopedAStatus getBcc(std::vector<uint8_t>* out) override {
- ndk::SpAIBinder binder(AServiceManager_getService("android.security.dice.IDiceNode"));
- auto service = IDiceNode::fromBinder(binder);
- if (service == nullptr) {
+ uint8_t bcc[2048];
+ size_t bcc_size = get_dice_attestation_chain(bcc, sizeof(bcc));
+ if (bcc_size == 0) {
return ndk::ScopedAStatus::
- fromServiceSpecificErrorWithMessage(0, "Failed to find diced");
+ fromServiceSpecificErrorWithMessage(0, "Failed to get attestation chain");
}
- BccHandover handover;
- auto deriveStatus = service->derive({}, &handover);
- if (!deriveStatus.isOk()) {
- return ndk::ScopedAStatus::fromServiceSpecificErrorWithMessage(0,
- "Failed call diced");
- }
- *out = {handover.bcc.data.begin(), handover.bcc.data.end()};
+ *out = {bcc, bcc + bcc_size};
return ndk::ScopedAStatus::ok();
}
};