dice_for_avf_guest.cddl

; DICE Specification for guest VM

; See the Open DICE specification
; https://pigweed.googlesource.com/open-dice/+/HEAD/docs/specification.md,
; and the Android Profile for DICE
; https://pigweed.googlesource.com/open-dice/+/HEAD/docs/android.md.

; This CDDL describes the Configuration Descriptor used for components running in AVF Guest environment
; (VM core components and payload). It extends the `ConfigurationDescriptor` specified at
; https://cs.android.com/android/platform/superproject/main/+/main:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl

; Additionally, we reserve range -71000...-71999 for AVF system specific usage. These are or can be
; used by frameworks & parsers of DICE chains such as local and remote attestation frameworks.
; Vendor must not use these key/values for other purposes, that may compromise the integrity of the system.
; Note that each of the key-value pairs may not be useful for all the boot components and therefore
; are optional. For e.g., SubcomponentDescriptor is only used in Microdroid payload, it may
; not have immediate use for pVM firmware.

; Each components of VM must specify the value corresponding to `Component name`(-70002).
; For provided reference implementations:
;
; 1. "vm_entry" - Guest 'OS'. This is the payload booted by pVM firmware. For e.g, Microdroid, Rialto.
; 2. "Microdroid vendor" - The vendor image, specific to Microdroid.
; 3. "Microdroid Payload" - Payload run by Microdroid Manager.


ConfigDescriptor = {
    -70002 : tstr,                        ; Component name
    (? -71000: tstr //                    ; Path to the payload config file
    ? -71001: PayloadConfig),
    ? -71002: [+ SubcomponentDescriptor], ; The order of these should be kept constant on each boot
                                          ; of the VM instance
    ? -71003: bstr .size 64               ; Instance hash: Unique identifier of the VM instance
}

PayloadConfig = {
    1: tstr                             ; Path to the binary file where payload execution starts
}

; Describes a unit of code (e.g. an APK or an APEX) present inside the VM.
;
; For an APK, the fields are as follows:
; - Component name: The string "apk:" followed by the package name.
; - Security version: The long version code from the APK manifest
;   (https://developer.android.com/reference/android/content/pm/PackageInfo#getLongVersionCode()).
; - Code hash: This is the root hash of a Merkle tree computed over all bytes of the APK, as used
;   in the APK Signature Scheme v4 (https://source.android.com/docs/security/features/apksigning/v4)
;   with empty salt and using SHA-256 as the hash algorithm.
; - Authority hash: The SHA-512 hash of the DER representation of the X.509 certificate for the
;   public key used to sign the APK.
;
; For an APEX, they are as follows:
; - Component name: The string "apex:" followed by the APEX name as specified in the APEX Manifest
;   (see https://source.android.com/docs/core/ota/apex).
; - Security version: The version number from the APEX Manifest.
; - Code hash: The root hash of the apex_payload.img file within the APEX, taken from the first
;   hashtree descriptor in the VBMeta image
;   (see https://android.googlesource.com/platform/external/avb/+/master/README.md).
; - Authority hash: The SHA-512 hash of the public key used to sign the file system image in the
;   APEX (as stored in the apex_pubkey file). The format is as described for AvbRSAPublicKeyHeader
;   in https://cs.android.com/android/platform/superproject/main/+/main:external/avb/libavb/avb_crypto.h.
SubcomponentDescriptor = {
  1: tstr,                              ; Component name
  2: uint,                              ; Security version
  3: bstr,                              ; Code hash
  4: bstr,                              ; Authority hash
}

TODO: Describe how these descriptors are used by AVF components in Android W.