blob: cdfc387119f742c98726257774fb3ca819ae3ec8 [file] [log] [blame]
Alan Stokes71cc11e2022-01-17 10:39:05 +00001/*
2 * Copyright 2022 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Alan Stokesc33d2922022-01-18 14:17:00 +000017//! Handles the use of DICE (via diced / IDiceNode) for accessing our VM's unique secret.
Alan Stokes71cc11e2022-01-17 10:39:05 +000018
19use android_security_dice::aidl::android::security::dice::IDiceNode::IDiceNode;
20use android_security_dice::binder::{wait_for_interface, Strong};
21use anyhow::{Context, Result};
22
23pub struct Dice {
24 node: Strong<dyn IDiceNode>,
25}
26
27impl Dice {
28 pub fn new() -> Result<Self> {
29 let dice_service = wait_for_interface::<dyn IDiceNode>("android.security.dice.IDiceNode")
30 .context("No IDiceNode service")?;
31 Ok(Self { node: dice_service })
32 }
33
34 pub fn get_boot_certificate_chain(&self) -> Result<Vec<u8>> {
35 let input_values = []; // Get our BCC, not a child's
36 let bcc = self
37 .node
38 .getAttestationChain(&input_values)
39 .context("Getting attestation chain failed")?;
40 Ok(bcc.data)
41 }
Alan Stokesc33d2922022-01-18 14:17:00 +000042
43 pub fn get_sealing_cdi(&self) -> Result<Vec<u8>> {
44 let input_values = [];
45 let bcc_handover = self.node.derive(&input_values).context("Failed to retrieve CDI")?;
46 Ok(bcc_handover.cdiSeal.to_vec())
47 }
Alan Stokes71cc11e2022-01-17 10:39:05 +000048}