[dice] Add nostd version of libdiced_sample_inputs
This cl adds a version of libdiced_sample_inputs
that is compatible with the nostd environment.
This allows the sample inputs to be used as DICE
chain in the non-protected rialto later for testing
purposes.
Test: atest libdiced_sample_inputs.integration_test \
libdiced_sample_inputs_nostd.integration_test
Bug: 287233786
Change-Id: I6e96e051a8ba0b232521b259d5473520ac767383
diff --git a/diced/TEST_MAPPING b/diced/TEST_MAPPING
index 2f6be00..7628d25 100644
--- a/diced/TEST_MAPPING
+++ b/diced/TEST_MAPPING
@@ -15,5 +15,10 @@
{
"name": "libdiced_sample_inputs.integration_test"
}
+ ],
+ "postsubmit": [
+ {
+ "name": "libdiced_sample_inputs_nostd.integration_test"
+ }
]
}
diff --git a/diced/open_dice/Android.bp b/diced/open_dice/Android.bp
index b87be7f..745b86e 100644
--- a/diced/open_dice/Android.bp
+++ b/diced/open_dice/Android.bp
@@ -17,12 +17,16 @@
"libopen_dice_cbor_bindgen_nostd",
"libzeroize_nostd",
],
+ features: [
+ "alloc",
+ ],
whole_static_libs: [
"libopen_dice_cbor",
"libcrypto_baremetal",
],
visibility: [
"//packages/modules/Virtualization:__subpackages__",
+ "//system/security/diced/sample_inputs",
],
}
@@ -36,6 +40,7 @@
"libzeroize",
],
features: [
+ "alloc",
"std",
],
shared_libs: [
diff --git a/diced/open_dice/src/lib.rs b/diced/open_dice/src/lib.rs
index 6d082b8..83ae07f 100644
--- a/diced/open_dice/src/lib.rs
+++ b/diced/open_dice/src/lib.rs
@@ -17,6 +17,9 @@
#![cfg_attr(not(feature = "std"), no_std)]
+#[cfg(feature = "alloc")]
+extern crate alloc;
+
#[cfg(not(feature = "std"))]
extern crate core as std;
@@ -24,7 +27,7 @@
mod dice;
mod error;
mod ops;
-#[cfg(feature = "std")]
+#[cfg(feature = "alloc")]
mod retry;
pub use bcc::{
@@ -38,7 +41,7 @@
};
pub use error::{DiceError, Result};
pub use ops::{generate_certificate, hash, kdf, keypair_from_seed, sign, verify};
-#[cfg(feature = "std")]
+#[cfg(feature = "alloc")]
pub use retry::{
retry_bcc_format_config_descriptor, retry_bcc_main_flow, retry_dice_main_flow,
retry_generate_certificate, OwnedDiceArtifacts,
diff --git a/diced/open_dice/src/retry.rs b/diced/open_dice/src/retry.rs
index 84ca5f5..a6303bd 100644
--- a/diced/open_dice/src/retry.rs
+++ b/diced/open_dice/src/retry.rs
@@ -23,6 +23,8 @@
};
use crate::error::{DiceError, Result};
use crate::ops::generate_certificate;
+#[cfg(feature = "alloc")]
+use alloc::vec::Vec;
/// Artifacts stores a set of dice artifacts comprising CDI_ATTEST, CDI_SEAL,
/// and the BCC formatted attestation certificate chain.
diff --git a/diced/sample_inputs/Android.bp b/diced/sample_inputs/Android.bp
index cf6ef5f..e66d436 100644
--- a/diced/sample_inputs/Android.bp
+++ b/diced/sample_inputs/Android.bp
@@ -21,25 +21,61 @@
default_applicable_licenses: ["system_security_license"],
}
-rust_library {
- name: "libdiced_sample_inputs",
+rust_defaults {
+ name: "libdiced_sample_inputs_defaults",
crate_name: "diced_sample_inputs",
srcs: ["src/lib.rs"],
+}
+
+rust_library {
+ name: "libdiced_sample_inputs",
+ defaults: ["libdiced_sample_inputs_defaults"],
+ features: [
+ "std",
+ ],
rustlibs: [
- "libanyhow",
"libciborium",
"libcoset",
"libdiced_open_dice",
+ "liblog_rust",
],
}
+rust_library_rlib {
+ name: "libdiced_sample_inputs_nostd",
+ defaults: ["libdiced_sample_inputs_defaults"],
+ rustlibs: [
+ "libciborium_nostd",
+ "libcoset_nostd",
+ "libdiced_open_dice_nostd",
+ "liblog_rust_nostd",
+ ],
+ visibility: [
+ "//packages/modules/Virtualization:__subpackages__",
+ ],
+}
+
+rust_defaults {
+ name: "libdiced_sample_inputs_test_defaults",
+ crate_name: "diced_sample_inputs_test",
+ srcs: ["tests/*.rs"],
+ test_suites: ["general-tests"],
+}
+
rust_test {
name: "libdiced_sample_inputs.integration_test",
- crate_name: "diced_sample_inputs_test",
- srcs: ["tests/*.rs"],
- test_suites: ["general-tests"],
+ defaults: ["libdiced_sample_inputs_test_defaults"],
rustlibs: [
"libdiced_open_dice",
"libdiced_sample_inputs",
],
}
+
+rust_test {
+ name: "libdiced_sample_inputs_nostd.integration_test",
+ defaults: ["libdiced_sample_inputs_test_defaults"],
+ rustlibs: [
+ "libdiced_open_dice_nostd",
+ "libdiced_sample_inputs_nostd",
+ ],
+}
diff --git a/diced/sample_inputs/src/lib.rs b/diced/sample_inputs/src/lib.rs
index ebbfd29..9d6deca 100644
--- a/diced/sample_inputs/src/lib.rs
+++ b/diced/sample_inputs/src/lib.rs
@@ -17,6 +17,10 @@
//! Provides a set of sample inputs for a DICE chain and CDI values derived
//! from it.
+#![cfg_attr(not(feature = "std"), no_std)]
+
+extern crate alloc;
+
mod sample_inputs;
pub use sample_inputs::make_sample_bcc_and_cdis;
diff --git a/diced/sample_inputs/src/sample_inputs.rs b/diced/sample_inputs/src/sample_inputs.rs
index 6ad15cd..54f551b 100644
--- a/diced/sample_inputs/src/sample_inputs.rs
+++ b/diced/sample_inputs/src/sample_inputs.rs
@@ -15,15 +15,17 @@
//! This module provides a set of sample input values for a DICE chain, a sample UDS,
//! as well as tuple of CDIs and BCC derived thereof.
-use anyhow::{anyhow, Context, Result};
+use alloc::vec;
+use alloc::vec::Vec;
use ciborium::{de, ser, value::Value};
+use core::ffi::CStr;
use coset::{iana, Algorithm, AsCborValue, CoseKey, KeyOperation, KeyType, Label};
use diced_open_dice::{
derive_cdi_private_key_seed, keypair_from_seed, retry_bcc_format_config_descriptor,
- retry_bcc_main_flow, retry_dice_main_flow, Config, DiceArtifacts, DiceConfigValues, DiceMode,
- InputValues, OwnedDiceArtifacts, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE,
+ retry_bcc_main_flow, retry_dice_main_flow, Config, DiceArtifacts, DiceConfigValues, DiceError,
+ DiceMode, InputValues, OwnedDiceArtifacts, Result, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE,
};
-use std::ffi::CStr;
+use log::error;
/// Sample UDS used to perform the root dice flow by `make_sample_bcc_and_cdis`.
const UDS: &[u8; CDI_SIZE] = &[
@@ -88,8 +90,10 @@
],
..Default::default()
};
- key.to_cbor_value()
- .map_err(|e| anyhow!(format!("Failed to serialize the key to CBOR data. Error: {e}")))
+ key.to_cbor_value().map_err(|e| {
+ error!("Failed to serialize the key to CBOR data: {e}");
+ DiceError::InvalidInput
+ })
}
/// Makes a DICE chain (BCC) from the sample input.
@@ -97,12 +101,16 @@
/// The DICE chain is of the following format:
/// public key derived from UDS -> ABL certificate -> AVB certificate -> Android certificate
pub fn make_sample_bcc_and_cdis() -> Result<OwnedDiceArtifacts> {
- let private_key_seed = derive_cdi_private_key_seed(UDS)
- .context("In make_sample_bcc_and_cdis: Trying to derive private key seed.")?;
+ let private_key_seed = derive_cdi_private_key_seed(UDS).map_err(|e| {
+ error!("In make_sample_bcc_and_cdis: Trying to derive private key seed. Error: {e}");
+ e
+ })?;
// Gets the root public key in DICE chain (BCC).
- let (public_key, _) = keypair_from_seed(private_key_seed.as_array())
- .context("In make_sample_bcc_and_cids: Failed to generate key pair.")?;
+ let (public_key, _) = keypair_from_seed(private_key_seed.as_array()).map_err(|e| {
+ error!("In make_sample_bcc_and_cids: Failed to generate key pair. Error: {e}");
+ e
+ })?;
let ed25519_public_key_value = ed25519_public_key_to_cbor_value(&public_key)?;
// Gets the ABL certificate to as the root certificate of DICE chain.
@@ -120,14 +128,22 @@
DiceMode::kDiceModeNormal,
HIDDEN_ABL,
);
- let (cdi_values, cert) = retry_dice_main_flow(UDS, UDS, &input_values)
- .context("In make_sample_bcc_and_cdis: Trying to run first main flow.")?;
+ let (cdi_values, cert) = retry_dice_main_flow(UDS, UDS, &input_values).map_err(|e| {
+ error!("In make_sample_bcc_and_cdis: Trying to run first main flow. Error: {e}");
+ e
+ })?;
let bcc_value = Value::Array(vec![
ed25519_public_key_value,
- de::from_reader(&cert[..]).context("Deserialize root DICE certificate failed")?,
+ de::from_reader(&cert[..]).map_err(|e| {
+ error!("Deserialize root DICE certificate failed: {e}");
+ DiceError::InvalidInput
+ })?,
]);
let mut bcc: Vec<u8> = vec![];
- ser::into_writer(&bcc_value, &mut bcc)?;
+ ser::into_writer(&bcc_value, &mut bcc).map_err(|e| {
+ error!("Serialize BCC failed: {e}");
+ DiceError::InvalidInput
+ })?;
// Appends AVB certificate to DICE chain.
let config_values = DiceConfigValues {
@@ -146,7 +162,12 @@
);
let dice_artifacts =
retry_bcc_main_flow(&cdi_values.cdi_attest, &cdi_values.cdi_seal, &bcc, &input_values)
- .context("In make_sample_bcc_and_cdis: Trying to run first bcc main flow.")?;
+ .map_err(|e| {
+ error!(
+ "In make_sample_bcc_and_cdis: Trying to run first bcc main flow. Error: {e}"
+ );
+ e
+ })?;
// Appends Android certificate to DICE chain.
let config_values = DiceConfigValues {
@@ -166,8 +187,14 @@
retry_bcc_main_flow(
dice_artifacts.cdi_attest(),
dice_artifacts.cdi_seal(),
- dice_artifacts.bcc().ok_or_else(|| anyhow!("bcc is none"))?,
+ dice_artifacts.bcc().ok_or_else(|| {
+ error!("bcc is none");
+ DiceError::InvalidInput
+ })?,
&input_values,
)
- .context("In make_sample_bcc_and_cdis: Trying to run second bcc main flow.")
+ .map_err(|e| {
+ error!("In make_sample_bcc_and_cdis: Trying to run second bcc main flow. Error: {e}");
+ e
+ })
}