Better API for creating a DICE config descriptor
Instead of listing all the possible parameters, put them in a struct
(as the C API does).
This means callers only have to list the ones they use, and a new
parameter doesn't require all clients to change.
Bug: 291241882
Test: atest -p in diced
Change-Id: I7c4925385e30ba9fcec0dc188747a23d7df614d7
diff --git a/diced/open_dice/src/bcc.rs b/diced/open_dice/src/bcc.rs
index 543cb57..199e1a9 100644
--- a/diced/open_dice/src/bcc.rs
+++ b/diced/open_dice/src/bcc.rs
@@ -20,34 +20,47 @@
DiceAndroidConfigValues, DiceAndroidFormatConfigDescriptor, DiceAndroidHandoverMainFlow,
DiceAndroidHandoverParse, DiceAndroidMainFlow, DICE_ANDROID_CONFIG_COMPONENT_NAME,
DICE_ANDROID_CONFIG_COMPONENT_VERSION, DICE_ANDROID_CONFIG_RESETTABLE,
+ DICE_ANDROID_CONFIG_SECURITY_VERSION,
};
use std::{ffi::CStr, ptr};
+/// Contains the input values used to construct the Android Profile for DICE
+/// configuration descriptor.
+#[derive(Default, Debug)]
+pub struct DiceConfigValues<'a> {
+ /// Name of the component.
+ pub component_name: Option<&'a CStr>,
+ /// Version of the component.
+ pub component_version: Option<u64>,
+ /// Whether the key changes on factory reset.
+ pub resettable: bool,
+ /// Monotonically increasing version of the component.
+ pub security_version: Option<u64>,
+}
+
/// Formats a configuration descriptor following the Android Profile for DICE specification.
-/// See https://pigweed.googlesource.com/open-dice/+/refs/heads/main/docs/android.md
-pub fn bcc_format_config_descriptor(
- name: Option<&CStr>,
- version: Option<u64>,
- resettable: bool,
- buffer: &mut [u8],
-) -> Result<usize> {
+/// See https://pigweed.googlesource.com/open-dice/+/refs/heads/main/docs/android.md.
+pub fn bcc_format_config_descriptor(values: &DiceConfigValues, buffer: &mut [u8]) -> Result<usize> {
let mut configs = 0;
- if name.is_some() {
+
+ let component_name = values.component_name.map_or(ptr::null(), |name| {
configs |= DICE_ANDROID_CONFIG_COMPONENT_NAME;
- }
- if version.is_some() {
+ name.as_ptr()
+ });
+ let component_version = values.component_version.map_or(0, |version| {
configs |= DICE_ANDROID_CONFIG_COMPONENT_VERSION;
- }
- if resettable {
+ version
+ });
+ if values.resettable {
configs |= DICE_ANDROID_CONFIG_RESETTABLE;
}
+ let security_version = values.security_version.map_or(0, |version| {
+ configs |= DICE_ANDROID_CONFIG_SECURITY_VERSION;
+ version
+ });
- let values = DiceAndroidConfigValues {
- configs,
- component_name: name.map_or(ptr::null(), |p| p.as_ptr()),
- component_version: version.unwrap_or(0),
- security_version: 0,
- };
+ let values =
+ DiceAndroidConfigValues { configs, component_name, component_version, security_version };
let mut buffer_size = 0;
check_result(
diff --git a/diced/open_dice/src/lib.rs b/diced/open_dice/src/lib.rs
index 4a85a1e..6d082b8 100644
--- a/diced/open_dice/src/lib.rs
+++ b/diced/open_dice/src/lib.rs
@@ -29,7 +29,7 @@
pub use bcc::{
bcc_format_config_descriptor, bcc_handover_main_flow, bcc_handover_parse, bcc_main_flow,
- BccHandover,
+ BccHandover, DiceConfigValues,
};
pub use dice::{
derive_cdi_certificate_id, derive_cdi_private_key_seed, dice_main_flow, Cdi, CdiValues, Config,
diff --git a/diced/open_dice/src/retry.rs b/diced/open_dice/src/retry.rs
index 3db4781..84ca5f5 100644
--- a/diced/open_dice/src/retry.rs
+++ b/diced/open_dice/src/retry.rs
@@ -17,13 +17,12 @@
//! memory allocation on heap, currently we only expose these functions in
//! std environment.
-use crate::bcc::{bcc_format_config_descriptor, bcc_main_flow};
+use crate::bcc::{bcc_format_config_descriptor, bcc_main_flow, DiceConfigValues};
use crate::dice::{
dice_main_flow, Cdi, CdiValues, DiceArtifacts, InputValues, CDI_SIZE, PRIVATE_KEY_SEED_SIZE,
};
use crate::error::{DiceError, Result};
use crate::ops::generate_certificate;
-use std::ffi::CStr;
/// Artifacts stores a set of dice artifacts comprising CDI_ATTEST, CDI_SEAL,
/// and the BCC formatted attestation certificate chain.
@@ -69,14 +68,8 @@
}
/// Formats a configuration descriptor following the BCC's specification.
-pub fn retry_bcc_format_config_descriptor(
- name: Option<&CStr>,
- version: Option<u64>,
- resettable: bool,
-) -> Result<Vec<u8>> {
- retry_with_measured_buffer(|buffer| {
- bcc_format_config_descriptor(name, version, resettable, buffer)
- })
+pub fn retry_bcc_format_config_descriptor(values: &DiceConfigValues) -> Result<Vec<u8>> {
+ retry_with_measured_buffer(|buffer| bcc_format_config_descriptor(values, buffer))
}
/// Executes the main BCC flow.