[dice] Move format_condig_descriptor to diced_open_dice
Test: atest diced_utils_test diced_sample_inputs_test \
diced_test diced_vendor_test diced_open_dice_cbor_test \
diced_client_test
Test: m pvmfw_img microdroid_manager
Test: atest microdroid_manager_test vmbase_example.integration_test
Bug: 267575445
Change-Id: Iba7f775c1d1a3070c119da546edad38c2bbf67ac
diff --git a/diced/open_dice/Android.bp b/diced/open_dice/Android.bp
index f4c2155..e581085 100644
--- a/diced/open_dice/Android.bp
+++ b/diced/open_dice/Android.bp
@@ -20,6 +20,7 @@
name: "libdiced_open_dice_nostd",
defaults: ["libdiced_open_dice_defaults"],
rustlibs: [
+ "libopen_dice_bcc_bindgen_nostd",
"libopen_dice_cbor_bindgen_nostd",
],
}
@@ -28,6 +29,7 @@
name: "libdiced_open_dice",
defaults: ["libdiced_open_dice_defaults"],
rustlibs: [
+ "libopen_dice_bcc_bindgen",
"libopen_dice_cbor_bindgen",
// For ZVec
"libkeystore2_crypto_rust",
@@ -35,4 +37,7 @@
features: [
"std",
],
+ whole_static_libs: [
+ "libopen_dice_bcc",
+ ],
}
\ No newline at end of file
diff --git a/diced/open_dice/src/bcc.rs b/diced/open_dice/src/bcc.rs
new file mode 100644
index 0000000..8bda225
--- /dev/null
+++ b/diced/open_dice/src/bcc.rs
@@ -0,0 +1,56 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module mirrors the content in open-dice/include/dice/android/bcc.h
+
+use crate::error::{check_result, Result};
+use open_dice_bcc_bindgen::{
+ BccConfigValues, BccFormatConfigDescriptor, BCC_INPUT_COMPONENT_NAME,
+ BCC_INPUT_COMPONENT_VERSION, BCC_INPUT_RESETTABLE,
+};
+use std::{ffi::CStr, ptr};
+
+/// Formats a configuration descriptor following the BCC's specification.
+/// See https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/ProtectedData.aidl
+pub fn bcc_format_config_descriptor(
+ name: Option<&CStr>,
+ version: Option<u64>,
+ resettable: bool,
+ buffer: &mut [u8],
+) -> Result<usize> {
+ let mut inputs = 0;
+ if name.is_some() {
+ inputs |= BCC_INPUT_COMPONENT_NAME;
+ }
+ if version.is_some() {
+ inputs |= BCC_INPUT_COMPONENT_VERSION;
+ }
+ if resettable {
+ inputs |= BCC_INPUT_RESETTABLE;
+ }
+
+ let values = BccConfigValues {
+ inputs,
+ component_name: name.map_or(ptr::null(), |p| p.as_ptr()),
+ component_version: version.unwrap_or(0),
+ };
+
+ let mut buffer_size = 0;
+ // SAFETY: The function writes to the buffer, within the given bounds, and only reads the
+ // input values. It writes its result to buffer_size.
+ check_result(unsafe {
+ BccFormatConfigDescriptor(&values, buffer.len(), buffer.as_mut_ptr(), &mut buffer_size)
+ })?;
+ Ok(buffer_size)
+}
diff --git a/diced/open_dice/src/dice.rs b/diced/open_dice/src/dice.rs
index 93d9617..a4615d3 100644
--- a/diced/open_dice/src/dice.rs
+++ b/diced/open_dice/src/dice.rs
@@ -15,8 +15,9 @@
//! Structs and functions about the types used in DICE.
//! This module mirrors the content in open-dice/include/dice/dice.h
+pub use open_dice_cbor_bindgen::DiceMode;
use open_dice_cbor_bindgen::{
- DiceConfigType, DiceInputValues, DiceMode, DICE_CDI_SIZE, DICE_HASH_SIZE, DICE_HIDDEN_SIZE,
+ DiceConfigType, DiceInputValues, DICE_CDI_SIZE, DICE_HASH_SIZE, DICE_HIDDEN_SIZE,
DICE_INLINE_CONFIG_SIZE,
};
use std::ptr;
diff --git a/diced/open_dice/src/error.rs b/diced/open_dice/src/error.rs
index 9cf2ae8..7405c51 100644
--- a/diced/open_dice/src/error.rs
+++ b/diced/open_dice/src/error.rs
@@ -29,11 +29,6 @@
BufferTooSmall,
/// Platform error.
PlatformError,
- /// Input string has an interior nul byte.
- /// TODO(b/267575445): Remove this error once we change the param of
- /// `format_config_descriptor to take &CStr.
- #[cfg(feature = "std")]
- CStrNulError,
/// The allocation of a ZVec failed.
#[cfg(feature = "std")]
ZVecError(keystore2_crypto::zvec::Error),
@@ -57,8 +52,6 @@
Self::BufferTooSmall => write!(f, "buffer too small"),
Self::PlatformError => write!(f, "platform error"),
#[cfg(feature = "std")]
- Self::CStrNulError => write!(f, "input string has an interior nul byte"),
- #[cfg(feature = "std")]
Self::ZVecError(e) => write!(f, "ZVec allocation failed {e}"),
}
}
diff --git a/diced/open_dice/src/lib.rs b/diced/open_dice/src/lib.rs
index 4cdd5c9..0723b2d 100644
--- a/diced/open_dice/src/lib.rs
+++ b/diced/open_dice/src/lib.rs
@@ -20,10 +20,17 @@
#[cfg(not(feature = "std"))]
extern crate core as std;
+mod bcc;
mod dice;
mod error;
+#[cfg(feature = "std")]
+mod retry;
+pub use bcc::bcc_format_config_descriptor;
pub use dice::{
- Cdi, Config, Hash, Hidden, InlineConfig, InputValues, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE,
+ Cdi, Config, DiceMode, Hash, Hidden, InlineConfig, InputValues, CDI_SIZE, HASH_SIZE,
+ HIDDEN_SIZE,
};
pub use error::{check_result, DiceError, Result};
+#[cfg(feature = "std")]
+pub use retry::retry_bcc_format_config_descriptor;
diff --git a/diced/open_dice/src/retry.rs b/diced/open_dice/src/retry.rs
new file mode 100644
index 0000000..648fd91
--- /dev/null
+++ b/diced/open_dice/src/retry.rs
@@ -0,0 +1,64 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module implements a retry version for multiple DICE functions that
+//! require preallocated output buffer. As the retry functions require
+//! memory allocation on heap, currently we only expose these functions in
+//! std environment.
+
+use crate::bcc::bcc_format_config_descriptor;
+use crate::error::{DiceError, Result};
+use std::ffi::CStr;
+
+/// Retries the given function with bigger output buffer size.
+fn retry_with_bigger_buffer<F>(mut f: F) -> Result<Vec<u8>>
+where
+ F: FnMut(&mut Vec<u8>) -> Result<usize>,
+{
+ const INITIAL_BUFFER_SIZE: usize = 256;
+ const MAX_BUFFER_SIZE: usize = 64 * 1024 * 1024;
+
+ let mut buffer = vec![0u8; INITIAL_BUFFER_SIZE];
+ while buffer.len() <= MAX_BUFFER_SIZE {
+ match f(&mut buffer) {
+ Err(DiceError::BufferTooSmall) => {
+ let new_size = buffer.len() * 2;
+ buffer.resize(new_size, 0);
+ }
+ Err(e) => return Err(e),
+ Ok(actual_size) => {
+ if actual_size > buffer.len() {
+ panic!(
+ "actual_size larger than buffer size: open-dice function
+ may have written past the end of the buffer."
+ );
+ }
+ buffer.truncate(actual_size);
+ return Ok(buffer);
+ }
+ }
+ }
+ Err(DiceError::PlatformError)
+}
+
+/// Formats a configuration descriptor following the BCC's specification.
+pub fn retry_bcc_format_config_descriptor(
+ name: Option<&CStr>,
+ version: Option<u64>,
+ resettable: bool,
+) -> Result<Vec<u8>> {
+ retry_with_bigger_buffer(|buffer| {
+ bcc_format_config_descriptor(name, version, resettable, buffer)
+ })
+}
diff --git a/diced/open_dice_cbor/lib.rs b/diced/open_dice_cbor/lib.rs
index feb6eb6..30ab760 100644
--- a/diced/open_dice_cbor/lib.rs
+++ b/diced/open_dice_cbor/lib.rs
@@ -32,8 +32,8 @@
//! ```
pub use diced_open_dice::{
- check_result, Config, DiceError, Hash, Hidden, InputValues, Result, CDI_SIZE, HASH_SIZE,
- HIDDEN_SIZE,
+ check_result, retry_bcc_format_config_descriptor, Config, DiceError, Hash, Hidden, InputValues,
+ Result, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE,
};
use keystore2_crypto::ZVec;
use open_dice_bcc_bindgen::BccMainFlow;
@@ -68,6 +68,8 @@
/// exactly.
/// The function panics if the callback returns `Ok(())` and the size hint is
/// larger than the buffer size.
+/// TODO(b/267575445): Remove this method once we migrate all its callers to
+/// `retry_with_bigger_buffer` in `diced_open_dice`.
fn retry_while_adjusting_output_buffer<F>(mut f: F) -> Result<Vec<u8>>
where
F: FnMut(&mut Vec<u8>, &mut usize) -> Result<()>,
@@ -484,60 +486,6 @@
}
}
-/// This submodule provides additional support for the Boot Certificate Chain (BCC)
-/// specification.
-/// See https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl
-pub mod bcc {
- use super::{check_result, retry_while_adjusting_output_buffer, DiceError, Result};
- use open_dice_bcc_bindgen::{
- BccConfigValues, BccFormatConfigDescriptor, BCC_INPUT_COMPONENT_NAME,
- BCC_INPUT_COMPONENT_VERSION, BCC_INPUT_RESETTABLE,
- };
- use std::ffi::CString;
-
- /// Safe wrapper around BccFormatConfigDescriptor, see open dice documentation for details.
- /// TODO(b/267575445): Make `component_name` take &CStr here.
- pub fn format_config_descriptor(
- component_name: Option<&str>,
- component_version: Option<u64>,
- resettable: bool,
- ) -> Result<Vec<u8>> {
- let component_name = match component_name {
- Some(n) => Some(CString::new(n).map_err(|_| DiceError::CStrNulError)?),
- None => None,
- };
- let input = BccConfigValues {
- inputs: if component_name.is_some() { BCC_INPUT_COMPONENT_NAME } else { 0 }
- | if component_version.is_some() { BCC_INPUT_COMPONENT_VERSION } else { 0 }
- | if resettable { BCC_INPUT_RESETTABLE } else { 0 },
- // SAFETY: The as_ref() in the line below is vital to keep the component_name object
- // alive. Removing as_ref will move the component_name and the pointer will
- // become invalid after this statement.
- component_name: component_name.as_ref().map_or(std::ptr::null(), |s| s.as_ptr()),
- component_version: component_version.unwrap_or(0),
- };
-
- // SAFETY:
- // * The first argument is a pointer to the BccConfigValues input assembled above.
- // It and its indirections must be valid for the duration of the function call.
- // * The second argument and the third argument are the length of and the pointer to the
- // allocated output buffer respectively. The buffer must be at least as long
- // as indicated by the size argument.
- // * The forth argument is a pointer to the actual size returned by the function.
- // * All pointers must be valid for the duration of the function call but not beyond.
- retry_while_adjusting_output_buffer(|config_descriptor, actual_size| {
- check_result(unsafe {
- BccFormatConfigDescriptor(
- &input as *const BccConfigValues,
- config_descriptor.len(),
- config_descriptor.as_mut_ptr(),
- actual_size as *mut _,
- )
- })
- })
- }
-}
-
#[cfg(test)]
mod test {
use super::*;
diff --git a/diced/src/diced_client_test.rs b/diced/src/diced_client_test.rs
index f579a4e..054b2d1 100644
--- a/diced/src/diced_client_test.rs
+++ b/diced/src/diced_client_test.rs
@@ -22,6 +22,7 @@
use diced_open_dice_cbor as dice;
use nix::libc::uid_t;
use std::convert::TryInto;
+use std::ffi::CString;
static DICE_NODE_SERVICE_NAME: &str = "android.security.dice.IDiceNode";
static DICE_MAINTENANCE_SERVICE_NAME: &str = "android.security.dice.IDiceMaintenance";
@@ -106,10 +107,11 @@
}
fn client_input_values(uid: uid_t) -> BinderInputValues {
+ let desc = CString::new(format!("{}", uid)).unwrap();
BinderInputValues {
codeHash: [0; dice::HASH_SIZE],
config: BinderConfig {
- desc: dice::bcc::format_config_descriptor(Some(&format!("{}", uid)), None, true)
+ desc: dice::retry_bcc_format_config_descriptor(Some(desc.as_c_str()), None, true)
.unwrap(),
},
authorityHash: [0; dice::HASH_SIZE],
diff --git a/diced/src/hal_node.rs b/diced/src/hal_node.rs
index d2e8b0c..453b12e 100644
--- a/diced/src/hal_node.rs
+++ b/diced/src/hal_node.rs
@@ -333,6 +333,7 @@
use diced_open_dice_cbor as dice;
use diced_sample_inputs;
use diced_utils as utils;
+ use std::ffi::CStr;
#[derive(Debug, Serialize, Deserialize, Clone)]
struct InsecureSerializableArtifacts {
@@ -371,7 +372,7 @@
fn make_input_values(
code: &str,
- config_name: &str,
+ config_name: &CStr,
authority: &str,
) -> Result<BinderInputValues> {
let mut dice_ctx = dice::OpenDiceCborContext::new();
@@ -382,7 +383,7 @@
.as_slice()
.try_into()?,
config: BinderConfig {
- desc: dice::bcc::format_config_descriptor(Some(config_name), None, true)
+ desc: dice::retry_bcc_format_config_descriptor(Some(config_name), None, true)
.context("In make_input_values: Failed to format config descriptor.")?,
},
authorityHash: dice_ctx
@@ -405,9 +406,21 @@
ResidentArtifacts::new(cdi_attest[..].try_into()?, cdi_seal[..].try_into()?, &bcc)?;
let input_values = &[
- make_input_values("component 1 code", "component 1", "component 1 authority")?,
- make_input_values("component 2 code", "component 2", "component 2 authority")?,
- make_input_values("component 3 code", "component 3", "component 3 authority")?,
+ make_input_values(
+ "component 1 code",
+ CStr::from_bytes_with_nul(b"component 1\0").unwrap(),
+ "component 1 authority",
+ )?,
+ make_input_values(
+ "component 2 code",
+ CStr::from_bytes_with_nul(b"component 2\0").unwrap(),
+ "component 2 authority",
+ )?,
+ make_input_values(
+ "component 3 code",
+ CStr::from_bytes_with_nul(b"component 3\0").unwrap(),
+ "component 3 authority",
+ )?,
];
let new_artifacts = artifacts.execute_steps(input_values)?;
@@ -441,9 +454,21 @@
let bcc_handover = hal_impl
.derive(&[
- make_input_values("component 1 code", "component 1", "component 1 authority")?,
- make_input_values("component 2 code", "component 2", "component 2 authority")?,
- make_input_values("component 3 code", "component 3", "component 3 authority")?,
+ make_input_values(
+ "component 1 code",
+ CStr::from_bytes_with_nul(b"component 1\0").unwrap(),
+ "component 1 authority",
+ )?,
+ make_input_values(
+ "component 2 code",
+ CStr::from_bytes_with_nul(b"component 2\0").unwrap(),
+ "component 2 authority",
+ )?,
+ make_input_values(
+ "component 3 code",
+ CStr::from_bytes_with_nul(b"component 3\0").unwrap(),
+ "component 3 authority",
+ )?,
])
.expect("Failed to derive artifacts.");
@@ -470,15 +495,23 @@
hal_impl
.demote(&[
- make_input_values("component 1 code", "component 1", "component 1 authority")?,
- make_input_values("component 2 code", "component 2", "component 2 authority")?,
+ make_input_values(
+ "component 1 code",
+ CStr::from_bytes_with_nul(b"component 1\0").unwrap(),
+ "component 1 authority",
+ )?,
+ make_input_values(
+ "component 2 code",
+ CStr::from_bytes_with_nul(b"component 2\0").unwrap(),
+ "component 2 authority",
+ )?,
])
.expect("Failed to demote implementation.");
let bcc_handover = hal_impl
.derive(&[make_input_values(
"component 3 code",
- "component 3",
+ CStr::from_bytes_with_nul(b"component 3\0").unwrap(),
"component 3 authority",
)?])
.expect("Failed to derive artifacts.");
diff --git a/diced/src/lib.rs b/diced/src/lib.rs
index 50e0e96..9e70ace 100644
--- a/diced/src/lib.rs
+++ b/diced/src/lib.rs
@@ -36,6 +36,7 @@
use keystore2_selinux as selinux;
use libc::uid_t;
use permission::Permission;
+use std::ffi::CString;
use std::sync::Arc;
/// A DiceNode backend implementation.
@@ -97,11 +98,12 @@
}
fn client_input_values(uid: uid_t) -> Result<BinderInputValues> {
+ let desc = CString::new(format!("{}", uid)).unwrap();
Ok(BinderInputValues {
codeHash: [0; dice::HASH_SIZE],
config: BinderConfig {
- desc: dice::bcc::format_config_descriptor(Some(&format!("{}", uid)), None, false)
- .context("In client_input_values: failed to format config descriptor")?,
+ desc: dice::retry_bcc_format_config_descriptor(Some(desc.as_c_str()), None, true)
+ .unwrap(),
},
authorityHash: [0; dice::HASH_SIZE],
authorityDescriptor: None,
diff --git a/diced/src/sample_inputs.rs b/diced/src/sample_inputs.rs
index 0553327..3f36119 100644
--- a/diced/src/sample_inputs.rs
+++ b/diced/src/sample_inputs.rs
@@ -24,6 +24,7 @@
use diced_utils::{cbor, to_dice_input_values};
use keystore2_crypto::ZVec;
use std::convert::TryInto;
+use std::ffi::CStr;
use std::io::Write;
/// Sample UDS used to perform the root dice flow by `make_sample_bcc_and_cdis`.
@@ -122,7 +123,7 @@
fn make_input_values(
code_hash: dice::Hash,
authority_hash: dice::Hash,
- config_name: &str,
+ config_name: &CStr,
config_version: u64,
config_resettable: bool,
mode: Mode,
@@ -131,7 +132,7 @@
Ok(BinderInputValues {
codeHash: code_hash,
config: BinderConfig {
- desc: dice::bcc::format_config_descriptor(
+ desc: dice::retry_bcc_format_config_descriptor(
Some(config_name),
Some(config_version),
config_resettable,
@@ -201,9 +202,9 @@
make_input_values(
CODE_HASH1,
AUTHORITY_HASH1,
- "ABL", // config name
- 1, // config version
- true, // resettable
+ CStr::from_bytes_with_nul(b"ABL\0").unwrap(), // config name
+ 1, // config version
+ true, // resettable
Mode::NORMAL,
HIDDEN1,
)
@@ -211,9 +212,9 @@
make_input_values(
CODE_HASH2,
AUTHORITY_HASH2,
- "AVB", // config name
- 1, // config version
- true, // resettable
+ CStr::from_bytes_with_nul(b"AVB\0").unwrap(), // config name
+ 1, // config version
+ true, // resettable
Mode::NORMAL,
HIDDEN2,
)
@@ -221,9 +222,9 @@
make_input_values(
[0; dice::HASH_SIZE], // code hash
AUTHORITY_HASH3,
- "Android", // config name
- 12, // config version
- true, // resettable
+ CStr::from_bytes_with_nul(b"Android\0").unwrap(), // config name
+ 12, // config version
+ true, // resettable
Mode::NORMAL,
[0; dice::HIDDEN_SIZE], // hidden,
)