// Copyright 2022, The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
| 14 | |
//! Support for DICE derivation and BCC generation.
| 16 | |
| 17 | use core::ffi::CStr; |
Alice Wang | 1f0add0 | 2023-01-23 16:22:53 +0000 | [diff] [blame] | 18 | use core::mem::size_of; |
Pierre-Clément Tosi | 4f4f5eb | 2022-12-08 14:31:42 +0000 | [diff] [blame] | 19 | use dice::bcc::Handover; |
Alice Wang | 5aeed33 | 2023-02-02 09:42:21 +0000 | [diff] [blame] | 20 | use dice::Config; |
Alice Wang | 3122613 | 2023-01-31 12:44:39 +0000 | [diff] [blame] | 21 | use dice::DiceMode; |
Pierre-Clément Tosi | 4f4f5eb | 2022-12-08 14:31:42 +0000 | [diff] [blame] | 22 | use dice::InputValues; |
Alice Wang | cb9d2f9 | 2023-02-06 10:29:00 +0000 | [diff] [blame^] | 23 | use diced_open_dice::{bcc_format_config_descriptor, hash, HIDDEN_SIZE}; |
Alice Wang | 1f0add0 | 2023-01-23 16:22:53 +0000 | [diff] [blame] | 24 | use pvmfw_avb::{DebugLevel, Digest, VerifiedBootData}; |
| 25 | |
/// Translates the verified-boot debug level into the DICE mode input value.
///
/// `DebugLevel::None` becomes `kDiceModeNormal` and `DebugLevel::Full` becomes
/// `kDiceModeDebug`. The result is passed to `InputValues::new` by
/// `derive_next_bcc`, so a debuggable payload is measured with a different
/// mode than a non-debuggable one.
fn to_dice_mode(debug_level: DebugLevel) -> DiceMode {
    // Deliberately no wildcard arm: a new `DebugLevel` variant must fail to
    // compile here instead of silently inheriting one of the existing modes.
    let mode = match debug_level {
        DebugLevel::Full => DiceMode::kDiceModeDebug,
        DebugLevel::None => DiceMode::kDiceModeNormal,
    };
    mode
}
| 32 | |
/// Computes the DICE code hash from the verified boot digests.
///
/// The hashed message is always two `Digest`-sized slots long: the kernel
/// digest followed by the initrd digest, with the second slot left as zero
/// bytes when `initrd_digest` is `None`.
///
/// # Errors
///
/// Propagates whatever error `hash` returns.
fn to_dice_hash(verified_boot_data: &VerifiedBootData) -> dice::Result<dice::Hash> {
    const DIGEST_LEN: usize = size_of::<Digest>();

    let mut digests = [0u8; DIGEST_LEN * 2];
    let (kernel_slot, initrd_slot) = digests.split_at_mut(DIGEST_LEN);

    // `copy_from_slice` panics on a length mismatch; presumably both fields are
    // `Digest`-typed so the lengths always agree (confirm against pvmfw_avb).
    kernel_slot.copy_from_slice(&verified_boot_data.kernel_digest);

    // NOTE(review): a missing initrd and an initrd whose digest is all zero
    // bytes yield the same code hash. Presumably acceptable because `Digest` is
    // a cryptographic hash output; confirm.
    if let Some(initrd_digest) = verified_boot_data.initrd_digest.as_ref() {
        initrd_slot.copy_from_slice(initrd_digest);
    }

    hash(&digests)
}
Pierre-Clément Tosi | 4f4f5eb | 2022-12-08 14:31:42 +0000 | [diff] [blame] | 41 | |
/// Derive the VM-specific secrets and certificate through DICE.
///
/// Builds the DICE input values for the next stage and runs the handover's
/// main flow with them, writing the result into `next_bcc`:
///
/// * code hash: hash over the kernel and initrd digests in `verified_boot_data`
/// * config: a descriptor naming the component `vm_entry`, with no component
///   version and `resettable` set to `false`
/// * authority hash: hash of `authority`
/// * mode: derived from `verified_boot_data.debug_level`
/// * hidden: all zero bytes for now (see the TODO in the body)
///
/// Returns the value produced by `Handover::main_flow`; presumably the number
/// of bytes written to `next_bcc` (confirm against the `dice` crate).
///
/// # Errors
///
/// Propagates errors from hashing, from formatting the config descriptor and
/// from the DICE main flow.
pub fn derive_next_bcc(
    bcc: &Handover,
    next_bcc: &mut [u8],
    verified_boot_data: &VerifiedBootData,
    authority: &[u8],
) -> dice::Result<usize> {
    const COMPONENT_NAME: &[u8] = b"vm_entry\0";
    const CONFIG_DESCRIPTOR_CAPACITY: usize = 128;

    // Measurements of what is being launched and of who vouches for it.
    let code_hash = to_dice_hash(verified_boot_data)?;
    let auth_hash = hash(authority)?;
    let mode = to_dice_mode(verified_boot_data.debug_level);

    // The literal ends with its only NUL byte, so the conversion cannot fail.
    let component_name = CStr::from_bytes_with_nul(COMPONENT_NAME).unwrap();

    // Format the descriptor into a fixed-size stack buffer and keep only the
    // bytes that were written. Presumably the formatter reports an error rather
    // than a size above the buffer capacity; otherwise the slice would panic.
    let mut config_descriptor_buffer = [0; CONFIG_DESCRIPTOR_CAPACITY];
    let config_descriptor_size = bcc_format_config_descriptor(
        Some(component_name),
        None,  // component_version
        false, // resettable
        &mut config_descriptor_buffer,
    )?;
    let config = Config::Descriptor(&config_descriptor_buffer[..config_descriptor_size]);

    // TODO(b/249723852): Get salt from instance.img (virtio-blk) and/or TRNG.
    // Until then the hidden input is constant, so the derivation depends only
    // on the code hash, config, authority hash and mode.
    let hidden = [0u8; HIDDEN_SIZE];

    let input_values = InputValues::new(code_hash, config, auth_hash, mode, hidden);

    bcc.main_flow(&input_values, next_bcc)
}