Diced: Add vendor library for DICE HAL implementations.
Bug: 198197213
Test: atest diced_vendor_test
Change-Id: If2bca4584206dc26a49ffd2fea71d7192d2678bf
diff --git a/diced/src/utils.rs b/diced/src/utils.rs
index abb8a7b..3d3db55 100644
--- a/diced/src/utils.rs
+++ b/diced/src/utils.rs
@@ -146,6 +146,17 @@
})
}
+ /// Creates a ResidentArtifacts object from another one implementing the DiceArtifacts
+ /// trait. Like `new` this function can only create artifacts of appropriate size
+ /// because DiceArtifacts returns array references of appropriate size.
+ pub fn new_from<T: DiceArtifacts + ?Sized>(artifacts: &T) -> Result<Self> {
+ Ok(ResidentArtifacts {
+ cdi_attest: artifacts.cdi_attest()[..].try_into()?,
+ cdi_seal: artifacts.cdi_seal()[..].try_into()?,
+ bcc: artifacts.bcc(),
+ })
+ }
+
/// Attempts to clone the artifacts. This operation is fallible due to the fallible
/// nature of ZVec.
pub fn try_clone(&self) -> Result<Self> {
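Review bot: The doc comment on `new_from` explains the size guarantee but not when the function can fail, and since the source trait already returns fixed-size arrays the only remaining failure is the fallible copy into the zeroizing field (the same `ZVec` fallibility `try_clone` documents below). Add an errors section to the doc comment, e.g. `/// # Errors` / `/// Returns an error only if copying the CDI values into zeroizing storage fails;` / `/// the sizes are guaranteed by the DiceArtifacts contract.` This is presumably the intent given `try_clone`'s note on ZVec; confirm against the field types declared outside this hunk. Note also that `bcc()` returns an owned `Vec<u8>`, so the certificate chain is copied rather than borrowed here, which is fine for public data but worth stating so nobody later routes a secret through the same path.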
@@ -200,6 +211,47 @@
}
}
+/// An object that implements this trait provides the typical DICE artifacts.
+/// CDI_ATTEST, CDI_SEAL, and a certificate chain up to the public key that
+/// can be derived from CDI_ATTEST. Implementations should check the length of
+/// the stored CDI_* secrets on creation so that any valid instance returns the
+/// correct secrets in an infallible way.
+pub trait DiceArtifacts {
+ /// Returns CDI_ATTEST.
+ fn cdi_attest(&self) -> &[u8; dice::CDI_SIZE];
+ /// Returns CDI_SEAL.
+ fn cdi_seal(&self) -> &[u8; dice::CDI_SIZE];
+ /// Returns the attestation certificate chain in BCC format.
+ fn bcc(&self) -> Vec<u8>;
+}
+
+/// Implement this trait to provide read and write access to a secure artifact
+/// storage that can be used by the ResidentHal implementation.
+pub trait UpdatableDiceArtifacts {
+ /// With artifacts provides access to the stored artifacts for the duration
+ /// of the function call by means of calling the callback.
+ fn with_artifacts<F, T>(&self, f: F) -> Result<T>
+ where
+ F: FnOnce(&dyn DiceArtifacts) -> Result<T>;
+
+ /// Consumes the object and returns a an updated version of itself.
+ fn update(self, new_artifacts: &impl DiceArtifacts) -> Result<Self>
+ where
+ Self: Sized;
+}
+
+impl DiceArtifacts for ResidentArtifacts {
+ fn cdi_attest(&self) -> &[u8; dice::CDI_SIZE] {
+ self.cdi_attest[..].try_into().unwrap()
+ }
+ fn cdi_seal(&self) -> &[u8; dice::CDI_SIZE] {
+ self.cdi_seal[..].try_into().unwrap()
+ }
+ fn bcc(&self) -> Vec<u8> {
+ self.bcc.clone()
+ }
+}
+
/// This submodule implements a limited set of CBOR generation functionality. Essentially,
/// a cbor header generator and some convenience functions for number and BSTR encoding.
pub mod cbor {
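Review bot: The two `unwrap()` calls in `impl DiceArtifacts for ResidentArtifacts` (the `cdi_attest` and `cdi_seal` bodies) silently rely on the invariant that `new`/`new_from` only build correctly sized secrets, which is exactly the precondition the trait doc asks implementors to enforce; state it at the panic site so a future constructor or `pub` field that breaks it is caught in review, e.g. `self.cdi_attest[..].try_into().expect("ResidentArtifacts CDI_ATTEST is CDI_SIZE bytes by construction")` and the matching line for `cdi_seal`. Separately, `cdi_attest()`/`cdi_seal()` hand out plain `&[u8; CDI_SIZE]` references and `with_artifacts` passes a `&dyn DiceArtifacts` into an arbitrary callback, so the trait doc should warn that the returned CDI_* values are secrets and must only be copied into zeroizing storage (such as the ZVec the file already uses) and never logged or persisted in the clear. The `update` doc has a typo (`a an updated version`), and it would help to note that because `update` consumes `self`, a failing implementation cannot fall back to the previous artifacts unless it returns them inside the error or documents that the caller must re-read storage. `pub mod cbor` starts at the end of the hunk and continues outside it.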