blob: 372ee15f8444525ce85dc9cf9398df3723fae7c5 [file] [log] [blame]
; DICE Specification for guest VM
; See the Open DICE specification
; https://pigweed.googlesource.com/open-dice/+/HEAD/docs/specification.md,
; and the Android Profile for DICE
; https://pigweed.googlesource.com/open-dice/+/HEAD/docs/android.md.
; This CDDL describes the Configuration Descriptor used for components running in AVF Guest environment
; (VM core components and payload). It extends the `ConfigurationDescriptor` specified at
; https://cs.android.com/android/platform/superproject/main/+/main:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl
; Additionally, we reserve range -71000...-71999 for AVF system specific usage. These are or can be
; used by frameworks & parsers of DICE chains such as local and remote attestation frameworks.
; Vendor must not use these key/values for other purposes, that may compromise the integrity of the system.
; Note that each of the key-value pairs may not be useful for all the boot components and therefore
; are optional. For e.g., SubcomponentDescriptor is only used in Microdroid payload, it may
; not have immediate use for pVM firmware.
; Each components of VM must specify the value corresponding to `Component name`(-70002).
; For provided reference implementations:
;
; 1. "vm_entry" - Guest 'OS'. This is the payload booted by pVM firmware. For e.g, Microdroid, Rialto.
; 2. "Microdroid vendor" - The vendor image, specific to Microdroid.
; 3. "Microdroid Payload" - Payload run by Microdroid Manager.
ConfigDescriptor = {
-70002 : tstr, ; Component name
(? -71000: tstr // ; Path to the payload config file
? -71001: PayloadConfig),
? -71002: [+ SubcomponentDescriptor], ; The order of these should be kept constant on each boot
; of the VM instance
? -71003: bstr .size 64 ; Instance hash: Unique identifier of the VM instance
}
PayloadConfig = {
1: tstr ; Path to the binary file where payload execution starts
}
; Describes a unit of code (e.g. an APK or an APEX) present inside the VM.
;
; For an APK, the fields are as follows:
; - Component name: The string "apk:" followed by the package name.
; - Security version: The long version code from the APK manifest
; (https://developer.android.com/reference/android/content/pm/PackageInfo#getLongVersionCode()).
; - Code hash: This is the root hash of a Merkle tree computed over all bytes of the APK, as used
; in the APK Signature Scheme v4 (https://source.android.com/docs/security/features/apksigning/v4)
; with empty salt and using SHA-256 as the hash algorithm.
; - Authority hash: The SHA-512 hash of the DER representation of the X.509 certificate for the
; public key used to sign the APK.
;
; For an APEX, they are as follows:
; - Component name: The string "apex:" followed by the APEX name as specified in the APEX Manifest
; (see https://source.android.com/docs/core/ota/apex).
; - Security version: The version number from the APEX Manifest.
; - Code hash: The root hash of the apex_payload.img file within the APEX, taken from the first
; hashtree descriptor in the VBMeta image
; (see https://android.googlesource.com/platform/external/avb/+/master/README.md).
; - Authority hash: The SHA-512 hash of the public key used to sign the file system image in the
; APEX (as stored in the apex_pubkey file). The format is as described for AvbRSAPublicKeyHeader
; in https://cs.android.com/android/platform/superproject/main/+/main:external/avb/libavb/avb_crypto.h.
SubcomponentDescriptor = {
1: tstr, ; Component name
2: uint, ; Security version
3: bstr, ; Code hash
4: bstr, ; Authority hash
}
TODO: Describe how these descriptors are used by AVF components in Android W.