pvmfw/src/dice.rs

// Copyright 2022, The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//! Support for DICE derivation and BCC generation.

use core::ffi::CStr;

use dice::bcc::format_config_descriptor;
use dice::bcc::Handover;
use dice::hash;
use dice::ConfigType;
use dice::InputValues;

/// Derive the VM-specific secrets and certificate through DICE.
pub fn derive_next_bcc(
    bcc: &Handover,
    next_bcc: &mut [u8],
    code: &[u8],
    debug_mode: bool,
    authority: &[u8],
) -> dice::Result<usize> {
    let code_hash = hash(code)?;
    let auth_hash = hash(authority)?;
    let mode = if debug_mode { dice::Mode::Debug } else { dice::Mode::Normal };
    let component_name = CStr::from_bytes_with_nul(b"vm_entry\0").unwrap();
    let mut config_descriptor_buffer = [0; 128];
    let config_descriptor_size = format_config_descriptor(
        &mut config_descriptor_buffer,
        Some(component_name),
        None,  // component_version
        false, // resettable
    )?;
    let config = &config_descriptor_buffer[..config_descriptor_size];
    let config = ConfigType::Descriptor(config);

    let input_values = InputValues::new(
        &code_hash,
        None, // code_descriptor
        &config,
        Some(&auth_hash),
        None, // auth_descriptor
        mode,
        None, // TODO(b/249723852): Get salt from instance.img (virtio-blk) and/or TRNG.
    );

    bcc.main_flow(&input_values, next_bcc)
}