| Alice Wang | 9c40eca | 2023-02-03 13:10:24 +0000 | [diff] [blame] | 1 | // Copyright 2023, The Android Open Source Project |
| 2 | // |
| 3 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | // you may not use this file except in compliance with the License. |
| 5 | // You may obtain a copy of the License at |
| 6 | // |
| 7 | // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | // |
| 9 | // Unless required by applicable law or agreed to in writing, software |
| 10 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | // See the License for the specific language governing permissions and |
| 13 | // limitations under the License. |
| 14 | |
| 15 | //! This module mirrors the content in open-dice/include/dice/android/bcc.h |
| 16 | |
| Alice Wang | f4bd1c6 | 2023-02-08 08:38:44 +0000 | [diff] [blame] | 17 | use crate::dice::{Cdi, CdiValues, InputValues}; |
| Alice Wang | 9c40eca | 2023-02-03 13:10:24 +0000 | [diff] [blame] | 18 | use crate::error::{check_result, Result}; |
| 19 | use open_dice_bcc_bindgen::{ |
| Alice Wang | 9b2c38e | 2023-02-14 08:53:31 +0000 | [diff] [blame^] | 20 | BccConfigValues, BccFormatConfigDescriptor, BccHandoverMainFlow, BccMainFlow, |
| 21 | BCC_INPUT_COMPONENT_NAME, BCC_INPUT_COMPONENT_VERSION, BCC_INPUT_RESETTABLE, |
| Alice Wang | 9c40eca | 2023-02-03 13:10:24 +0000 | [diff] [blame] | 22 | }; |
| 23 | use std::{ffi::CStr, ptr}; |
| 24 | |
| 25 | /// Formats a configuration descriptor following the BCC's specification. |
| 26 | /// See https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/ProtectedData.aidl |
| 27 | pub fn bcc_format_config_descriptor( |
| 28 | name: Option<&CStr>, |
| 29 | version: Option<u64>, |
| 30 | resettable: bool, |
| 31 | buffer: &mut [u8], |
| 32 | ) -> Result<usize> { |
| 33 | let mut inputs = 0; |
| 34 | if name.is_some() { |
| 35 | inputs |= BCC_INPUT_COMPONENT_NAME; |
| 36 | } |
| 37 | if version.is_some() { |
| 38 | inputs |= BCC_INPUT_COMPONENT_VERSION; |
| 39 | } |
| 40 | if resettable { |
| 41 | inputs |= BCC_INPUT_RESETTABLE; |
| 42 | } |
| 43 | |
| 44 | let values = BccConfigValues { |
| 45 | inputs, |
| 46 | component_name: name.map_or(ptr::null(), |p| p.as_ptr()), |
| 47 | component_version: version.unwrap_or(0), |
| 48 | }; |
| 49 | |
| 50 | let mut buffer_size = 0; |
| 51 | // SAFETY: The function writes to the buffer, within the given bounds, and only reads the |
| 52 | // input values. It writes its result to buffer_size. |
| 53 | check_result(unsafe { |
| 54 | BccFormatConfigDescriptor(&values, buffer.len(), buffer.as_mut_ptr(), &mut buffer_size) |
| 55 | })?; |
| 56 | Ok(buffer_size) |
| 57 | } |
| Alice Wang | f4bd1c6 | 2023-02-08 08:38:44 +0000 | [diff] [blame] | 58 | |
| 59 | /// Executes the main BCC flow. |
| 60 | /// |
| 61 | /// Given a full set of input values along with the current BCC and CDI values, |
| 62 | /// computes the next CDI values and matching updated BCC. |
| 63 | pub fn bcc_main_flow( |
| 64 | current_cdi_attest: &Cdi, |
| 65 | current_cdi_seal: &Cdi, |
| 66 | current_bcc: &[u8], |
| 67 | input_values: &InputValues, |
| 68 | next_cdi_values: &mut CdiValues, |
| 69 | next_bcc: &mut [u8], |
| 70 | ) -> Result<usize> { |
| 71 | let mut next_bcc_size = 0; |
| 72 | // SAFETY: `BccMainFlow` only reads the current `bcc` and CDI values and writes |
| 73 | // to `next_bcc` and next CDI values within its bounds. It also reads |
| 74 | // `input_values` as a constant input and doesn't store any pointer. |
| 75 | // The first argument can be null and is not used in the current implementation. |
| 76 | check_result(unsafe { |
| 77 | BccMainFlow( |
| 78 | ptr::null_mut(), // context |
| 79 | current_cdi_attest.as_ptr(), |
| 80 | current_cdi_seal.as_ptr(), |
| 81 | current_bcc.as_ptr(), |
| 82 | current_bcc.len(), |
| 83 | input_values.as_ptr(), |
| 84 | next_bcc.len(), |
| 85 | next_bcc.as_mut_ptr(), |
| 86 | &mut next_bcc_size, |
| 87 | next_cdi_values.cdi_attest.as_mut_ptr(), |
| 88 | next_cdi_values.cdi_seal.as_mut_ptr(), |
| 89 | ) |
| 90 | })?; |
| 91 | Ok(next_bcc_size) |
| 92 | } |
| Alice Wang | 9b2c38e | 2023-02-14 08:53:31 +0000 | [diff] [blame^] | 93 | |
| 94 | /// Executes the main BCC handover flow. |
| 95 | /// |
| 96 | /// A BCC handover combines the BCC and CDIs in a single CBOR object. |
| 97 | /// This function takes the current boot stage's BCC handover bundle and produces a |
| 98 | /// bundle for the next stage. |
| 99 | pub fn bcc_handover_main_flow( |
| 100 | current_bcc_handover: &[u8], |
| 101 | input_values: &InputValues, |
| 102 | next_bcc_handover: &mut [u8], |
| 103 | ) -> Result<usize> { |
| 104 | let mut next_bcc_handover_size = 0; |
| 105 | // SAFETY - The function only reads `current_bcc_handover` and writes to `next_bcc_handover` |
| 106 | // within its bounds, |
| 107 | // It also reads `input_values` as a constant input and doesn't store any pointer. |
| 108 | // The first argument can be null and is not used in the current implementation. |
| 109 | check_result(unsafe { |
| 110 | BccHandoverMainFlow( |
| 111 | ptr::null_mut(), // context |
| 112 | current_bcc_handover.as_ptr(), |
| 113 | current_bcc_handover.len(), |
| 114 | input_values.as_ptr(), |
| 115 | next_bcc_handover.len(), |
| 116 | next_bcc_handover.as_mut_ptr(), |
| 117 | &mut next_bcc_handover_size, |
| 118 | ) |
| 119 | })?; |
| 120 | |
| 121 | Ok(next_bcc_handover_size) |
| 122 | } |