Alice Wangc2fec932023-02-23 16:24:02 +00001// Copyright 2023, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15//! Handles the RKP (Remote Key Provisioning) VM and host communication.
16//! The RKP VM will be recognized and attested by the RKP server periodically and
17//! serves as a trusted platform to attest a client VM.
18
Alice Wangf3482602023-09-08 11:51:29 +000019use android_hardware_security_rkp::aidl::android::hardware::security::keymint::MacedPublicKey::MacedPublicKey;
Alice Wang4e3015d2023-10-10 09:35:37 +000020use android_system_virtualizationcommon::aidl::android::system::virtualizationcommon::Certificate::Certificate;
Alice Wanga4486592023-09-05 08:25:59 +000021use anyhow::{bail, Context, Result};
Alice Wangd80e99e2023-09-15 13:26:01 +000022use service_vm_comm::{GenerateCertificateRequestParams, Request, Response};
Alice Wang734801c2023-09-05 11:46:50 +000023use service_vm_manager::ServiceVm;
Alice Wangc2fec932023-02-23 16:24:02 +000024
/// Starts the service VM and asks it to process the given CSR bytes.
///
/// NOTE: this is still a placeholder implementation. The CSR is sent in a
/// `Request::Reverse` message, and the bytes that come back in
/// `Response::Reverse` are wrapped, without any parsing or verification, as
/// the single `Certificate` in the returned vector. Until b/271275206 is
/// resolved, the result should not be relied on as an attestation
/// certificate chain.
///
/// # Errors
///
/// Returns an error if the service VM fails to start, if the request cannot
/// be processed, or if the VM answers with any response variant other than
/// `Response::Reverse`.
pub(crate) fn request_attestation(csr: &[u8]) -> Result<Vec<Certificate>> {
    let mut service_vm = ServiceVm::start()?;

    // TODO(b/271275206): Send the correct request type with client VM's
    // information to be attested.
    let response = service_vm
        .process_request(Request::Reverse(csr.to_vec()))
        .context("Failed to process request")?;

    // TODO(b/271275206): Adjust the response type.
    if let Response::Reverse(encoded) = response {
        // The payload is passed through as-is; nothing here checks that it is
        // a well-formed certificate.
        Ok(vec![Certificate { encodedCertificate: encoded }])
    } else {
        // Fail closed on anything other than the expected variant.
        bail!("Incorrect response type")
    }
}
Alice Wangf3482602023-09-08 11:51:29 +000040
/// Starts the service VM and sends it a `Request::GenerateEcdsaP256KeyPair`.
///
/// The VM's response is returned unchanged: this function does not check
/// which `Response` variant came back, so the caller must match on it and
/// reject anything other than the variant it expects.
///
/// # Errors
///
/// Returns an error if the service VM fails to start or if the request
/// cannot be processed.
pub(crate) fn generate_ecdsa_p256_key_pair() -> Result<Response> {
    // NOTE(review): each helper in this file calls `ServiceVm::start()` on its
    // own; presumably that launches a separate VM instance per request. Confirm.
    ServiceVm::start()?
        .process_request(Request::GenerateEcdsaP256KeyPair)
        .context("Failed to process request")
}
46
/// Starts the service VM and asks it to generate a certificate request for
/// the given MACed public keys and challenge.
///
/// The `macedKey` bytes of every entry in `keys_to_sign` and the `challenge`
/// bytes are copied into a `GenerateCertificateRequestParams` and forwarded
/// as-is. No length or content validation of either input happens in this
/// function (presumably the service VM or the caller enforces any limits;
/// confirm).
///
/// The VM's response is returned unchanged: the `Response` variant is not
/// checked here, so the caller must match on it and reject anything other
/// than the variant it expects.
///
/// # Errors
///
/// Returns an error if the service VM fails to start or if the request
/// cannot be processed.
pub(crate) fn generate_certificate_request(
    keys_to_sign: &[MacedPublicKey],
    challenge: &[u8],
) -> Result<Response> {
    // Build the full request before starting the VM, so the inputs are already
    // owned copies when the VM comes up.
    let request = Request::GenerateCertificateRequest(GenerateCertificateRequestParams {
        keys_to_sign: keys_to_sign.iter().map(|key| key.macedKey.to_vec()).collect(),
        challenge: challenge.to_vec(),
    });

    let mut service_vm = ServiceVm::start()?;
    service_vm.process_request(request).context("Failed to process request")
}