| ; DICE Specification for guest VM |
| |
| ; See the Open DICE specification |
| ; https://pigweed.googlesource.com/open-dice/+/HEAD/docs/specification.md, |
| ; and the Android Profile for DICE |
| ; https://pigweed.googlesource.com/open-dice/+/HEAD/docs/android.md. |
| |
| ; This CDDL describes the Configuration Descriptor used for components running in AVF Guest environment |
| ; (VM core components and payload). It extends the `ConfigurationDescriptor` specified at |
| ; https://cs.android.com/android/platform/superproject/main/+/main:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl |
| |
| ; Additionally, we reserve range -71000...-71999 for AVF system specific usage. These are or can be |
| ; used by frameworks & parsers of DICE chains such as local and remote attestation frameworks. |
| ; Vendor must not use these key/values for other purposes, that may compromise the integrity of the system. |
| ; Note that each of the key-value pairs may not be useful for all the boot components and therefore |
| ; are optional. For e.g., SubcomponentDescriptor is only used in Microdroid payload, it may |
| ; not have immediate use for pVM firmware. |
| |
| ; Each components of VM must specify the value corresponding to `Component name`(-70002). |
| ; For provided reference implementations: |
| ; |
| ; 1. "vm_entry" - Guest 'OS'. This is the payload booted by pVM firmware. For e.g, Microdroid, Rialto. |
| ; 2. "Microdroid vendor" - The vendor image, specific to Microdroid. |
| ; 3. "Microdroid Payload" - Payload run by Microdroid Manager. |
| |
| |
| ConfigDescriptor = { |
| -70002 : tstr, ; Component name |
| (? -71000: tstr // ; Path to the payload config file |
| ? -71001: PayloadConfig), |
| ? -71002: [+ SubcomponentDescriptor], ; The order of these should be kept constant on each boot |
| ; of the VM instance |
| ? -71003: bstr .size 64 ; Instance hash: Unique identifier of the VM instance |
| } |
| |
| PayloadConfig = { |
| 1: tstr ; Path to the binary file where payload execution starts |
| } |
| |
| ; Describes a unit of code (e.g. an APK or an APEX) present inside the VM. |
| ; |
| ; For an APK, the fields are as follows: |
| ; - Component name: The string "apk:" followed by the package name. |
| ; - Security version: The long version code from the APK manifest |
| ; (https://developer.android.com/reference/android/content/pm/PackageInfo#getLongVersionCode()). |
| ; - Code hash: This is the root hash of a Merkle tree computed over all bytes of the APK, as used |
| ; in the APK Signature Scheme v4 (https://source.android.com/docs/security/features/apksigning/v4) |
| ; with empty salt and using SHA-256 as the hash algorithm. |
| ; - Authority hash: The SHA-512 hash of the DER representation of the X.509 certificate for the |
| ; public key used to sign the APK. |
| ; |
| ; For an APEX, they are as follows: |
| ; - Component name: The string "apex:" followed by the APEX name as specified in the APEX Manifest |
| ; (see https://source.android.com/docs/core/ota/apex). |
| ; - Security version: The version number from the APEX Manifest. |
| ; - Code hash: The root hash of the apex_payload.img file within the APEX, taken from the first |
| ; hashtree descriptor in the VBMeta image |
| ; (see https://android.googlesource.com/platform/external/avb/+/master/README.md). |
| ; - Authority hash: The SHA-512 hash of the public key used to sign the file system image in the |
| ; APEX (as stored in the apex_pubkey file). The format is as described for AvbRSAPublicKeyHeader |
| ; in https://cs.android.com/android/platform/superproject/main/+/main:external/avb/libavb/avb_crypto.h. |
| SubcomponentDescriptor = { |
| 1: tstr, ; Component name |
| 2: uint, ; Security version |
| 3: bstr, ; Code hash |
| 4: bstr, ; Authority hash |
| } |
| |
| TODO: Describe how these descriptors are used by AVF components in Android W. |