[rkp] Set up the connection between RKP Hal and RKP VM
Make the RKP Hal call into RKP VM for the real implementation.
Test: m virtualizationservice
Bug: 299411175
Change-Id: I3217acea028e4506213b8da94af8b8d86b63d54b
diff --git a/virtualizationservice/src/remote_provisioning.rs b/virtualizationservice/src/remote_provisioning.rs
index 599a614..06f8ad4 100644
--- a/virtualizationservice/src/remote_provisioning.rs
+++ b/virtualizationservice/src/remote_provisioning.rs
@@ -14,17 +14,20 @@
//! IRemotelyProvisionedComponent HAL implementation.
+use crate::rkpvm;
use android_hardware_security_rkp::aidl::android::hardware::security::keymint::{
DeviceInfo::DeviceInfo,
IRemotelyProvisionedComponent::{
- BnRemotelyProvisionedComponent, IRemotelyProvisionedComponent, STATUS_REMOVED,
+ BnRemotelyProvisionedComponent, IRemotelyProvisionedComponent, STATUS_FAILED,
+ STATUS_REMOVED,
},
MacedPublicKey::MacedPublicKey,
ProtectedData::ProtectedData,
RpcHardwareInfo::{RpcHardwareInfo, CURVE_NONE, MIN_SUPPORTED_NUM_KEYS_IN_CSR},
};
+use anyhow::Context;
use avflog::LogResult;
-use binder::{BinderFeatures, ExceptionCode, Interface, Result as BinderResult, Status, Strong};
+use binder::{BinderFeatures, Interface, IntoBinderResult, Result as BinderResult, Status, Strong};
/// Constructs a binder object that implements `IRemotelyProvisionedComponent`.
pub(crate) fn new_binder() -> Strong<dyn IRemotelyProvisionedComponent> {
@@ -53,7 +56,7 @@
fn generateEcdsaP256KeyPair(
&self,
testMode: bool,
- _macedPublicKey: &mut MacedPublicKey,
+ macedPublicKey: &mut MacedPublicKey,
) -> BinderResult<Vec<u8>> {
if testMode {
return Err(Status::new_service_specific_error_str(
@@ -62,8 +65,12 @@
))
.with_log();
}
- // TODO(b/274881098): Implement this.
- Err(Status::new_exception(ExceptionCode::UNSUPPORTED_OPERATION, None)).with_log()
+ let key_pair = rkpvm::generate_ecdsa_p256_key_pair()
+ .context("Failed to generate ECDSA P-256 key pair")
+ .with_log()
+ .or_service_specific_exception(STATUS_FAILED)?;
+ macedPublicKey.macedKey = key_pair.maced_public_key;
+ Ok(key_pair.key_blob)
}
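Review bot: The new tail of generateEcdsaP256KeyPair returns `key_pair.key_blob` to the binder caller without documenting what protects it. The hunk does not show whether the blob is the private key in wrapped form, so the trust boundary is left implicit. I would add a comment above the `Ok(...)` line, for example `// key_blob is opaque to the HAL; RKP VM must only ever return the private key wrapped, never in the clear.`, and confirm that against the rkpvm side. The function starts outside this hunk, so the testMode rejection path is only partly visible here.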
fn generateCertificateRequest(
@@ -84,10 +91,13 @@
fn generateCertificateRequestV2(
&self,
- _keysToSign: &[MacedPublicKey],
- _challenge: &[u8],
+ keysToSign: &[MacedPublicKey],
+ challenge: &[u8],
) -> BinderResult<Vec<u8>> {
- // TODO(b/274881098): Implement this.
- Err(Status::new_exception(ExceptionCode::UNSUPPORTED_OPERATION, None)).with_log()
+ // TODO(b/299259624): Validate the MAC of the keys to certify.
+ rkpvm::generate_certificate_request(keysToSign, challenge)
+ .context("Failed to generate certificate request")
+ .with_log()
+ .or_service_specific_exception(STATUS_FAILED)
}
}
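Review bot: `challenge` and `keysToSign` are forwarded to `rkpvm::generate_certificate_request` with no validation on the host side in generateCertificateRequestV2. As far as I recall the HAL interface caps the challenge at 64 bytes, so an oversized value should be rejected before it crosses into the VM. Something like `if challenge.len() > MAX_CHALLENGE_SIZE { return Err(Status::new_service_specific_error_str(STATUS_FAILED, Some("Challenge is too big"))).with_log(); }` would do, where `MAX_CHALLENGE_SIZE` is a constant this file would need to define. Until the TODO for b/299259624 lands, any caller-supplied MacedPublicKey is certified without its MAC being checked, which is worth stating in the doc comment, not only in the TODO. Every failure is also mapped to `STATUS_FAILED`; once MAC validation exists, that case should surface as `STATUS_INVALID_MAC` so clients can tell a rejected key from an internal error.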