Use the vm_payload library to access DICE values
Migrate from direct use of IDiceNode over binder to calling the payload
support library. The functions exposed by the library are expected to
change, so this is just the initial migration.
Bug: 243514248
Test: atest MicrodroidTests
Test: atest ComposHostTestCases
Change-Id: Ifadfab090b61ab3240331d381641f6dc33ad8ee9
diff --git a/compos/compos_key_helper/Android.bp b/compos/compos_key_helper/Android.bp
index a932b40..fdfcfc1 100644
--- a/compos/compos_key_helper/Android.bp
+++ b/compos/compos_key_helper/Android.bp
@@ -24,10 +24,11 @@
defaults: ["compos_key_defaults"],
srcs: ["compos_key_main.cpp"],
- static_libs: ["libcompos_key"],
+ static_libs: [
+ "libcompos_key",
+ "libvm_payload",
+ ],
shared_libs: [
- "android.hardware.security.dice-V1-ndk",
- "android.security.dice-ndk",
"libbinder_ndk",
],
}
diff --git a/compos/compos_key_helper/compos_key_main.cpp b/compos/compos_key_helper/compos_key_main.cpp
index 9ba9f8d..77a9cf9 100644
--- a/compos/compos_key_helper/compos_key_main.cpp
+++ b/compos/compos_key_helper/compos_key_main.cpp
@@ -14,21 +14,15 @@
* limitations under the License.
*/
-#include <aidl/android/security/dice/IDiceNode.h>
#include <android-base/file.h>
#include <android-base/logging.h>
-#include <android/binder_auto_utils.h>
-#include <android/binder_manager.h>
#include <unistd.h>
+#include <vm_payload.h>
#include <string_view>
#include "compos_key.h"
-using aidl::android::hardware::security::dice::Bcc;
-using aidl::android::hardware::security::dice::BccHandover;
-using aidl::android::hardware::security::dice::InputValues;
-using aidl::android::security::dice::IDiceNode;
using android::base::Error;
using android::base::ReadFdToString;
using android::base::Result;
@@ -38,22 +32,15 @@
namespace {
Result<Ed25519KeyPair> deriveKeyFromDice() {
- ndk::SpAIBinder binder{AServiceManager_getService("android.security.dice.IDiceNode")};
- auto dice_node = IDiceNode::fromBinder(binder);
- if (!dice_node) {
- return Error() << "Unable to connect to IDiceNode";
- }
-
- const std::vector<InputValues> empty_input_values;
- BccHandover bcc;
- auto status = dice_node->derive(empty_input_values, &bcc);
- if (!status.isOk()) {
- return Error() << "Derive failed: " << status.getDescription();
+ uint8_t cdi_seal[64];
+ size_t cdi_size = get_dice_sealing_cdi(cdi_seal, sizeof(cdi_seal));
+ if (cdi_size == 0) {
+ return Error() << "Failed to get sealing CDI";
}
// We use the sealing CDI because we want stability - the key needs to be the same
// for any instance of the "same" VM.
- return compos_key::deriveKeyFromSecret(bcc.cdiSeal.data(), bcc.cdiSeal.size());
+ return compos_key::deriveKeyFromSecret(cdi_seal, cdi_size);
}
int write_public_key() {
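Review bot: `cdi_size` is only compared with 0 before it reaches `compos_key::deriveKeyFromSecret(cdi_seal, cdi_size)`, and nothing visible here says whether `get_dice_sealing_cdi()` returns the bytes written or the size it needed. If it can return more than 64, the derivation would read past `cdi_seal`; a cheap guard is `if (cdi_size == 0 || cdi_size > sizeof(cdi_seal)) {`. The same applies to `bcc_size` before `WriteFully(STDOUT_FILENO, bcc, bcc_size)` in `write_bcc`. Separately, `cdi_seal` holds the sealing secret and is left on the stack when the function returns, so it would be worth wiping it after the key is derived, using a clear the compiler cannot optimise away, with a short comment saying why.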
@@ -70,22 +57,14 @@
}
int write_bcc() {
- ndk::SpAIBinder binder{AServiceManager_getService("android.security.dice.IDiceNode")};
- auto dice_node = IDiceNode::fromBinder(binder);
- if (!dice_node) {
- LOG(ERROR) << "Unable to connect to IDiceNode";
+ uint8_t bcc[2048];
+ size_t bcc_size = get_dice_attestation_chain(bcc, sizeof(bcc));
+ if (bcc_size == 0) {
+ LOG(ERROR) << "Failed to get attestation chain";
return 1;
}
- const std::vector<InputValues> empty_input_values;
- Bcc bcc;
- auto status = dice_node->getAttestationChain(empty_input_values, &bcc);
- if (!status.isOk()) {
- LOG(ERROR) << "GetAttestationChain failed: " << status.getDescription();
- return 1;
- }
-
- if (!WriteFully(STDOUT_FILENO, bcc.data.data(), bcc.data.size())) {
+ if (!WriteFully(STDOUT_FILENO, bcc, bcc_size)) {
PLOG(ERROR) << "Write failed";
return 1;
}
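Review bot: The `uint8_t bcc[2048];` buffer in `write_bcc` puts an undocumented fixed cap on the attestation chain, whose size presumably grows with the number of DICE layers. If `get_dice_attestation_chain()` returns 0 when the chain does not fit, that case is logged only as "Failed to get attestation chain", which is indistinguishable from the chain being unavailable. I would name the limit and explain it, e.g. `constexpr size_t kMaxBccSize = 2048;  // upper bound on the chain size we accept; revisit if more layers are added`, and mention the limit in the error message. The body of `write_bcc` continues past the end of this hunk.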