[dice] Add trait DiceArtifacts to access BCC and CDI values
The added DiceArtifacts is implemented for both BccHandover and
OwnedDiceArtifacts. This allows us to access the dice artifacts in
an easy and uniform way.
[u8; CDI_SIZE] is used instead of the alias Cdi to facilitate a
future conversion from Cdi alias to Cdi type so that we can have
more controle over the memory security of CDI. More context in
b/268587826.
Bug: 267575445
Test: atest diced_utils_test diced_sample_inputs_test \
diced_vendor_test diced_open_dice_cbor_test \
libdiced_open_dice_nostd.integration_test \
libdiced_open_dice.integration_test diced_open_dice_cbor_test
Change-Id: Iabb87ad18f2f4a4d46283da045eb21a5776ad4b4
diff --git a/diced/src/hal_node.rs b/diced/src/hal_node.rs
index 7a397ec..04602bd 100644
--- a/diced/src/hal_node.rs
+++ b/diced/src/hal_node.rs
@@ -35,6 +35,7 @@
use anyhow::{Context, Result};
use binder::{BinderFeatures, Result as BinderResult, Strong};
use dice::{ContextImpl, OpenDiceCborContext};
+pub use diced_open_dice::DiceArtifacts;
use diced_open_dice_cbor as dice;
use diced_utils as utils;
use nix::sys::wait::{waitpid, WaitStatus};
@@ -47,7 +48,7 @@
use std::os::unix::io::RawFd;
use std::sync::{Arc, RwLock};
use utils::ResidentArtifacts;
-pub use utils::{DiceArtifacts, UpdatableDiceArtifacts};
+pub use utils::UpdatableDiceArtifacts;
/// PipeReader is a simple wrapper around raw pipe file descriptors.
/// It takes ownership of the file descriptor and closes it on drop. It provides `read_all`, which
@@ -331,7 +332,7 @@
BccHandover::BccHandover, Config::Config as BinderConfig,
InputValues::InputValues as BinderInputValues, Mode::Mode as BinderMode,
};
- use anyhow::{Context, Result};
+ use anyhow::{anyhow, Context, Result};
use diced_open_dice_cbor as dice;
use diced_sample_inputs;
use diced_utils as utils;
@@ -346,11 +347,11 @@
impl From<dice::OwnedDiceArtifacts> for InsecureSerializableArtifacts {
fn from(dice_artifacts: dice::OwnedDiceArtifacts) -> Self {
- Self {
- cdi_attest: dice_artifacts.cdi_values.cdi_attest,
- cdi_seal: dice_artifacts.cdi_values.cdi_seal,
- bcc: dice_artifacts.bcc[..].to_vec(),
- }
+ let mut cdi_attest = [0u8; dice::CDI_SIZE];
+ cdi_attest.copy_from_slice(dice_artifacts.cdi_attest());
+ let mut cdi_seal = [0u8; dice::CDI_SIZE];
+ cdi_seal.copy_from_slice(dice_artifacts.cdi_seal());
+ Self { cdi_attest, cdi_seal, bcc: dice_artifacts.bcc().expect("bcc is none").to_vec() }
}
}
@@ -361,8 +362,8 @@
fn cdi_seal(&self) -> &[u8; dice::CDI_SIZE] {
&self.cdi_seal
}
- fn bcc(&self) -> Vec<u8> {
- self.bcc.clone()
+ fn bcc(&self) -> Option<&[u8]> {
+ Some(&self.bcc)
}
}
@@ -377,7 +378,7 @@
Ok(Self {
cdi_attest: *new_artifacts.cdi_attest(),
cdi_seal: *new_artifacts.cdi_seal(),
- bcc: new_artifacts.bcc(),
+ bcc: new_artifacts.bcc().ok_or_else(|| anyhow!("bcc is none"))?.to_vec(),
})
}
}
@@ -430,7 +431,7 @@
let result = utils::make_bcc_handover(
new_artifacts.cdi_attest(),
new_artifacts.cdi_seal(),
- &new_artifacts.bcc(),
+ new_artifacts.bcc().unwrap(),
)?;
assert_eq!(result, make_derive_test_vector());