Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / cf9c24e13e455f0f03385c7e74bdd934002aef12 / . / virtualizationservice / src / rkpvm.rs
blob: 6898921c78036a30b29bfa43da0ff1303b0e9d2c [file] [log] [blame]
Alice Wangc2fec932023-02-23 16:24:02 +0000[diff] [blame]1// Copyright 2023, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15//! Handles the RKP (Remote Key Provisioning) VM and host communication.
16//! The RKP VM will be recognized and attested by the RKP server periodically and
17//! serves as a trusted platform to attest a client VM.
18
Alice Wangf3482602023-09-08 11:51:29 +0000[diff] [blame]19use android_hardware_security_rkp::aidl::android::hardware::security::keymint::MacedPublicKey::MacedPublicKey;
Alice Wanga4486592023-09-05 08:25:59 +0000[diff] [blame]20use anyhow::{bail, Context, Result};
Alice Wangbff017f2023-11-09 14:43:28 +0000[diff] [blame]21use service_vm_comm::{
22 ClientVmAttestationParams, GenerateCertificateRequestParams, Request, Response,
23};
Alice Wang5daec072024-03-15 15:31:17 +0000[diff] [blame]24use service_vm_manager::process_request;
Alice Wangc2fec932023-02-23 16:24:02 +0000[diff] [blame]25
Alice Wangbff017f2023-11-09 14:43:28 +0000[diff] [blame]26pub(crate) fn request_attestation(
Alice Wang20b8ebc2023-11-17 09:54:47 +0000[diff] [blame]27 csr: Vec<u8>,
28 remotely_provisioned_key_blob: Vec<u8>,
29 remotely_provisioned_cert: Vec<u8>,
Alice Wangbff017f2023-11-09 14:43:28 +0000[diff] [blame]30) -> Result<Vec<u8>> {
Alice Wang20b8ebc2023-11-17 09:54:47 +0000[diff] [blame]31 let params =
32 ClientVmAttestationParams { csr, remotely_provisioned_key_blob, remotely_provisioned_cert };
Alice Wangbff017f2023-11-09 14:43:28 +0000[diff] [blame]33 let request = Request::RequestClientVmAttestation(params);
Alice Wang5daec072024-03-15 15:31:17 +0000[diff] [blame]34 match process_request(request).context("Failed to process request")? {
Alice Wangbff017f2023-11-09 14:43:28 +0000[diff] [blame]35 Response::RequestClientVmAttestation(cert) => Ok(cert),
Alice Wang1654e892024-02-21 15:43:57 +0000[diff] [blame]36 other => bail!("Incorrect response type {other:?}"),
Alice Wanga4486592023-09-05 08:25:59 +0000[diff] [blame]37 }
Alice Wangc2fec932023-02-23 16:24:02 +0000[diff] [blame]38}
Alice Wangf3482602023-09-08 11:51:29 +0000[diff] [blame]39
Alice Wangd80e99e2023-09-15 13:26:01 +0000[diff] [blame]40pub(crate) fn generate_ecdsa_p256_key_pair() -> Result<Response> {
Alice Wangf3482602023-09-08 11:51:29 +0000[diff] [blame]41 let request = Request::GenerateEcdsaP256KeyPair;
Alice Wang5daec072024-03-15 15:31:17 +0000[diff] [blame]42 process_request(request).context("Failed to process request")
Alice Wangf3482602023-09-08 11:51:29 +0000[diff] [blame]43}
44
45pub(crate) fn generate_certificate_request(
46 keys_to_sign: &[MacedPublicKey],
47 challenge: &[u8],
Alice Wangd80e99e2023-09-15 13:26:01 +0000[diff] [blame]48) -> Result<Response> {
Alice Wangf3482602023-09-08 11:51:29 +0000[diff] [blame]49 let params = GenerateCertificateRequestParams {
50 keys_to_sign: keys_to_sign.iter().map(|v| v.macedKey.to_vec()).collect(),
51 challenge: challenge.to_vec(),
52 };
53 let request = Request::GenerateCertificateRequest(params);
54
Alice Wang5daec072024-03-15 15:31:17 +0000[diff] [blame]55 process_request(request).context("Failed to process request")
Alice Wangf3482602023-09-08 11:51:29 +0000[diff] [blame]56}