Diced: Add dice maintenance implementation
The maintenance interface allows a privileged client to demote diced to
permanently assume the identity of a child.
Test: WIP
Bug: 198197213
Change-Id: I6626d176204564d99f504a2c3b6a75c85e140d80
diff --git a/diced/Android.bp b/diced/Android.bp
index 8de046f..c3ff4a8 100644
--- a/diced/Android.bp
+++ b/diced/Android.bp
@@ -91,9 +91,7 @@
"libdiced_utils",
"libkeystore2_crypto_rust",
"libkeystore2_selinux",
- "libkeystore2_vintf_rust",
"liblibc",
- "liblog_event_list",
"liblog_rust",
"libthiserror",
],
@@ -107,6 +105,7 @@
"libbinder_rs",
"libdiced",
"libdiced_open_dice_cbor",
+ "libdiced_sample_inputs",
"libdiced_utils",
"liblog_rust",
],
diff --git a/diced/src/diced_main.rs b/diced/src/diced_main.rs
index bc6e762..c6a5b68 100644
--- a/diced/src/diced_main.rs
+++ b/diced/src/diced_main.rs
@@ -14,13 +14,13 @@
//! Main entry point for diced, the friendly neighborhood DICE service.
-use diced::dice::CDI_SIZE;
-use diced::DiceNode;
-use diced::ResidentNode;
+use diced::{DiceMaintenance, DiceNode, ResidentNode};
+use std::convert::TryInto;
use std::panic;
use std::sync::Arc;
-static DICE_SERVICE_NAME: &str = "android.security.dice";
+static DICE_NODE_SERVICE_NAME: &str = "android.security.dice.IDiceNode";
+static DICE_MAINTENANCE_SERVICE_NAME: &str = "android.security.dice.IDiceMaintenance";
fn main() {
android_logger::init_once(
@@ -34,17 +34,30 @@
// Saying hi.
log::info!("Diced, your friendly neighborhood DICE service, is starting.");
+ let (cdi_attest, cdi_seal, bcc) = diced_sample_inputs::make_sample_bcc_and_cdis()
+ .expect("Failed to create sample dice artifacts.");
+
let node_impl = Arc::new(
- ResidentNode::new(&[0u8; CDI_SIZE], &[1u8; CDI_SIZE], vec![])
- .expect("Failed to construct a resident node."),
+ ResidentNode::new(
+ cdi_attest[..].try_into().expect("Failed to convert cdi_attest into array ref."),
+ cdi_seal[..].try_into().expect("Failed to convert cdi_seal into array ref."),
+ bcc,
+ )
+ .expect("Failed to construct a resident node."),
);
- let node =
- DiceNode::new_as_binder(node_impl).expect("Failed to create IDiceNode service instance.");
+ let node = DiceNode::new_as_binder(node_impl.clone())
+ .expect("Failed to create IDiceNode service instance.");
- binder::add_service(DICE_SERVICE_NAME, node.as_binder())
+ let maintenance = DiceMaintenance::new_as_binder(node_impl)
+ .expect("Failed to create IDiceMaintenance service instance.");
+
+ binder::add_service(DICE_NODE_SERVICE_NAME, node.as_binder())
.expect("Failed to register IDiceNode Service");
+ binder::add_service(DICE_MAINTENANCE_SERVICE_NAME, maintenance.as_binder())
+ .expect("Failed to register IDiceMaintenance Service");
+
log::info!("Joining thread pool now.");
binder::ProcessState::join_thread_pool();
}
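Review bot: The resident node is now seeded from `diced_sample_inputs::make_sample_bcc_and_cdis()` on lines 50-51, so the daemon's CDI_Attest, CDI_Seal and BCC are well-known values compiled into the binary rather than secrets handed over by the previous DICE stage, and neither the hunk nor the commit description marks this as a placeholder. I would add a comment at the call site, e.g. `// TODO: Replace these sample artifacts with the real CDIs/BCC received from the bootloader; the sample values are public and give no attestation or sealing security.`, so the sample inputs are not shipped unnoticed. Separately, the IDiceNode registration name changes from `android.security.dice` to `android.security.dice.IDiceNode` on line 43, so any existing client looking up the old name will fail; that is worth confirming or stating in the description. `main` begins in the preceding hunk.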
diff --git a/diced/src/lib.rs b/diced/src/lib.rs
index 462d2aa..9ebee28 100644
--- a/diced/src/lib.rs
+++ b/diced/src/lib.rs
@@ -24,7 +24,8 @@
InputValues::InputValues as BinderInputValues, Mode::Mode, Signature::Signature,
};
use android_security_dice::aidl::android::security::dice::{
- IDiceNode::BnDiceNode, IDiceNode::IDiceNode, ResponseCode::ResponseCode,
+ IDiceMaintenance::BnDiceMaintenance, IDiceMaintenance::IDiceMaintenance, IDiceNode::BnDiceNode,
+ IDiceNode::IDiceNode, ResponseCode::ResponseCode,
};
use anyhow::{Context, Result};
use binder::{public_api::Result as BinderResult, BinderFeatures, Strong, ThreadState};
@@ -164,3 +165,37 @@
map_or_log_err(self.demote(input_values), Ok)
}
}
+
+/// Wraps a DiceNodeImpl and implements the IDiceMaintenance AIDL API.
+pub struct DiceMaintenance {
+ node_impl: Arc<dyn DiceNodeImpl + Sync + Send>,
+}
+
+impl DiceMaintenance {
+ /// Constructs an instance of DiceMaintenance, wraps it with a BnDiceMaintenance object and
+ /// returns a strong pointer to the binder. The result can be used to register the service
+ /// with service manager.
+ pub fn new_as_binder(
+ node_impl: Arc<dyn DiceNodeImpl + Sync + Send>,
+ ) -> Result<Strong<dyn IDiceMaintenance>> {
+ let result = BnDiceMaintenance::new_binder(
+ DiceMaintenance { node_impl },
+ BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() },
+ );
+ Ok(result)
+ }
+
+ fn demote_self(&self, input_values: &[BinderInputValues]) -> Result<()> {
+ check_caller_permission(Permission::DemoteSelf)
+ .context("In DiceMaintenance::demote_self:")?;
+ self.node_impl.demote_self(input_values)
+ }
+}
+
+impl binder::Interface for DiceMaintenance {}
+
+impl IDiceMaintenance for DiceMaintenance {
+ fn demoteSelf(&self, input_values: &[BinderInputValues]) -> BinderResult<()> {
+ map_or_log_err(self.demote_self(input_values), Ok)
+ }
+}