Merge "[dice] Move DiceSign/Verify nostd/std versions to diced_open_dice"
diff --git a/diced/open_dice/src/bcc.rs b/diced/open_dice/src/bcc.rs
index e3a96fe..3e48215 100644
--- a/diced/open_dice/src/bcc.rs
+++ b/diced/open_dice/src/bcc.rs
@@ -17,8 +17,8 @@
use crate::dice::{Cdi, CdiValues, InputValues};
use crate::error::{check_result, Result};
use open_dice_bcc_bindgen::{
- BccConfigValues, BccFormatConfigDescriptor, BccMainFlow, BCC_INPUT_COMPONENT_NAME,
- BCC_INPUT_COMPONENT_VERSION, BCC_INPUT_RESETTABLE,
+ BccConfigValues, BccFormatConfigDescriptor, BccHandoverMainFlow, BccMainFlow,
+ BCC_INPUT_COMPONENT_NAME, BCC_INPUT_COMPONENT_VERSION, BCC_INPUT_RESETTABLE,
};
use std::{ffi::CStr, ptr};
@@ -90,3 +90,33 @@
})?;
Ok(next_bcc_size)
}
+
+/// Executes the main BCC handover flow.
+///
+/// A BCC handover combines the BCC and CDIs in a single CBOR object.
+/// This function takes the current boot stage's BCC handover bundle and produces a
+/// bundle for the next stage.
+pub fn bcc_handover_main_flow(
+ current_bcc_handover: &[u8],
+ input_values: &InputValues,
+ next_bcc_handover: &mut [u8],
+) -> Result<usize> {
+ let mut next_bcc_handover_size = 0;
+ // SAFETY - The function only reads `current_bcc_handover` and writes to `next_bcc_handover`
+ // within its bounds,
+ // It also reads `input_values` as a constant input and doesn't store any pointer.
+ // The first argument can be null and is not used in the current implementation.
+ check_result(unsafe {
+ BccHandoverMainFlow(
+ ptr::null_mut(), // context
+ current_bcc_handover.as_ptr(),
+ current_bcc_handover.len(),
+ input_values.as_ptr(),
+ next_bcc_handover.len(),
+ next_bcc_handover.as_mut_ptr(),
+ &mut next_bcc_handover_size,
+ )
+ })?;
+
+ Ok(next_bcc_handover_size)
+}
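Review bot: The doc comment on `bcc_handover_main_flow` does not say what the returned `usize` is or when the call fails, and callers need both to slice `next_bcc_handover` correctly. I would add `/// Returns the number of bytes written to next_bcc_handover.` and an `# Errors` section covering an output buffer that is too small, which presumably surfaces through `check_result`. Because the handover bundle carries the CDIs, the docs should also state that both buffers hold secret material and that clearing them after use is the caller's responsibility. The safety comment would read more conventionally as `// SAFETY:` and has a stray comma after "within its bounds".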
diff --git a/diced/open_dice/src/lib.rs b/diced/open_dice/src/lib.rs
index 7e08956..b2a944a 100644
--- a/diced/open_dice/src/lib.rs
+++ b/diced/open_dice/src/lib.rs
@@ -27,7 +27,7 @@
#[cfg(feature = "std")]
mod retry;
-pub use bcc::{bcc_format_config_descriptor, bcc_main_flow};
+pub use bcc::{bcc_format_config_descriptor, bcc_handover_main_flow, bcc_main_flow};
pub use dice::{
derive_cdi_certificate_id, derive_cdi_private_key_seed, dice_main_flow, Cdi, CdiValues, Config,
DiceMode, Hash, Hidden, InlineConfig, InputValues, PrivateKeySeed, CDI_SIZE, HASH_SIZE,
diff --git a/identity/CredentialStore.cpp b/identity/CredentialStore.cpp
index fea4df9..e2b3cf4 100644
--- a/identity/CredentialStore.cpp
+++ b/identity/CredentialStore.cpp
@@ -47,7 +47,7 @@
bool useRkpd() {
return android::base::GetBoolProperty("remote_provisioning.enable_rkpd",
- /*default_value=*/false);
+ /*default_value=*/true);
}
} // namespace
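Review bot: The property name `remote_provisioning.enable_rkpd` and its default are now hard-coded in two places with nothing tying them together: here in `useRkpd()` and in `use_rkpd()` in keystore2/src/attestation_key_utils.rs. If one default is changed later without the other, credstore and keystore2 would disagree on which provisioning path to use. A short comment above the call, such as `// Keep in sync with use_rkpd() in keystore2/src/attestation_key_utils.rs.`, would help. It is also worth recording in that comment that a device which never sets the property is now opted in.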
diff --git a/keystore2/src/attestation_key_utils.rs b/keystore2/src/attestation_key_utils.rs
index d31fa82..8c4cdea 100644
--- a/keystore2/src/attestation_key_utils.rs
+++ b/keystore2/src/attestation_key_utils.rs
@@ -54,11 +54,9 @@
}
fn use_rkpd() -> bool {
- let mutable_property = "persist.device_config.remote_key_provisioning_native.enable_rkpd";
- let fixed_property = "remote_provisioning.enable_rkpd";
- let default_value = false;
- system_properties::read_bool(mutable_property, default_value).unwrap_or(default_value)
- || system_properties::read_bool(fixed_property, default_value).unwrap_or(default_value)
+ let property = "remote_provisioning.enable_rkpd";
+ let default_value = true;
+ system_properties::read_bool(property, default_value).unwrap_or(default_value)
}
/// This function loads and, optionally, assigns the caller's remote provisioned
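Review bot: `unwrap_or(default_value)` in `use_rkpd()` now turns a failed property read into `true`, whereas before this change the same failure yielded `false`. The error is discarded either way. Logging it before falling back would make an unexpected provisioning path diagnosable, e.g. `.unwrap_or_else(|e| { log::warn!("Failed to read {property}: {e:?}"); default_value })`, assuming the `log` macros are in scope in this file. Dropping the `persist.device_config...` property also removes the remotely adjustable switch, so a one-line comment stating why the default is `true` and that only the fixed property is consulted would help the next reader.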