blob: 5e156076774c616660d6b2827e59127f1c7c8271 [file] [log] [blame]
/*
* Copyright (C) 2022 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#pragma once
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/cdefs.h>
#include "vm_main.h"
__BEGIN_DECLS
typedef struct AIBinder AIBinder;
/**
* Introduced in API 35.
* Remote attestation result if the attestation succeeds.
*/
typedef struct AVmAttestationResult AVmAttestationResult;
/**
* Introduced in API 35.
* Remote attestation status types returned from remote attestation functions.
*/
typedef enum AVmAttestationStatus : int32_t {
/** The remote attestation completes successfully. */
ATTESTATION_OK = 0,
/** The challenge size is not between 0 and 64. */
ATTESTATION_ERROR_INVALID_CHALLENGE = -10001,
/** Failed to attest the VM. Please retry at a later time. */
ATTESTATION_ERROR_ATTESTATION_FAILED = -10002,
/** Remote attestation is not supported in the current environment. */
ATTESTATION_ERROR_UNSUPPORTED = -10003,
} AVmAttestationStatus;
/**
* Notifies the host that the payload is ready.
*
* If the host app has set a `VirtualMachineCallback` for the VM, its
* `onPayloadReady` method will be called.
*
* Note that subsequent calls to this function after the first have no effect;
* `onPayloadReady` is never called more than once.
*/
void AVmPayload_notifyPayloadReady(void);
/**
* Runs a binder RPC server, serving the supplied binder service implementation on the given vsock
* port.
*
* If and when the server is ready for connections (it is listening on the port), `on_ready` is
* called to allow appropriate action to be taken - e.g. to notify clients that they may now
* attempt to connect with `AVmPayload_notifyPayloadReady`.
*
* Note that this function does not return. The calling thread joins the binder
* thread pool to handle incoming messages.
*
* \param service the service to bind to the given port.
* \param port vsock port.
* \param on_ready the callback to execute once the server is ready for connections. If not null the
* callback will be called at most once.
* \param param parameter to be passed to the `on_ready` callback.
*/
__attribute__((noreturn)) void AVmPayload_runVsockRpcServer(
AIBinder* _Nonnull service, uint32_t port,
void (*_Nullable on_ready)(void* _Nullable param), void* _Nullable param);
/**
* Returns all or part of a 32-byte secret that is bound to this unique VM
* instance and the supplied identifier. The secret can be used e.g. as an
* encryption key.
*
* Every VM has a secret that is derived from a device-specific value known to
* the hypervisor, the code that runs in the VM and its non-modifiable
* configuration; it is not made available to the host OS.
*
* This function performs a further derivation from the VM secret and the
* supplied identifier. As long as the VM identity doesn't change the same value
* will be returned for the same identifier, even if the VM is stopped &
* restarted or the device rebooted.
*
* If multiple secrets are required for different purposes, a different
* identifier should be used for each. The identifiers otherwise are arbitrary
* byte sequences and do not need to be kept secret; typically they are
* hardcoded in the calling code.
*
* \param identifier identifier of the secret to return.
* \param identifier_size size of the secret identifier.
* \param secret pointer to size bytes where the secret is written.
* \param size number of bytes of the secret to get, <= 32.
*/
void AVmPayload_getVmInstanceSecret(const void* _Nonnull identifier, size_t identifier_size,
void* _Nonnull secret, size_t size);
/**
* Gets the path to the APK contents. It is a directory, under which are
* the unzipped contents of the APK containing the payload, all read-only
* but accessible to the payload.
*
* \return the path to the APK contents. The returned string should not be
* deleted or freed by the application. The string remains valid for the
* lifetime of the VM.
*/
const char* _Nonnull AVmPayload_getApkContentsPath(void);
/**
* Gets the path to the encrypted persistent storage for the VM, if any. This is
* a directory under which any files or directories created will be stored on
* behalf of the VM by the host app. All data is encrypted using a key known
* only to the VM, so the host cannot decrypt it, but may delete it.
*
* \return the path to the encrypted storage directory, or NULL if no encrypted
* storage was requested in the VM configuration. If non-null the returned
* string should not be deleted or freed by the application and remains valid
* for the lifetime of the VM.
*/
const char* _Nullable AVmPayload_getEncryptedStoragePath(void);
/**
* Requests the remote attestation of the client VM.
*
* The challenge will be included in the certificate chain in the attestation result,
* serving as proof of the freshness of the result.
*
* \param challenge A pointer to the challenge buffer.
* \param challenge_size size of the challenge. The maximum supported challenge size is
* 64 bytes. The status ATTESTATION_ERROR_INVALID_CHALLENGE will be returned if
* an invalid challenge is passed.
* \param result The remote attestation result will be filled here if the attestation
* succeeds. The result remains valid until it is freed with
* `AVmPayload_freeAttestationResult`.
*
* \return ATTESTATION_OK upon successful attestation.
*/
AVmAttestationStatus AVmPayload_requestAttestation(const void* _Nonnull challenge,
size_t challenge_size,
AVmAttestationResult* _Nullable* _Nonnull result)
__INTRODUCED_IN(__ANDROID_API_V__);
/**
* Converts the return value from `AVmPayload_requestAttestation` to a text string
* representing the status code.
*
* \return a constant string value representing the status code. The string should not
* be deleted or freed by the application and remains valid for the lifetime of the VM.
*/
const char* _Nonnull AVmAttestationStatus_toString(AVmAttestationStatus status)
__INTRODUCED_IN(__ANDROID_API_V__);
/**
* Frees all the data owned by the provided attestation result, including the result itself.
*
* Callers should ensure to invoke this API only once on a valid attestation result
* returned by `AVmPayload_requestAttestation` to avoid undefined behavior.
*
* \param result A pointer to the attestation result.
*/
void AVmAttestationResult_free(AVmAttestationResult* _Nullable result)
__INTRODUCED_IN(__ANDROID_API_V__);
/**
* Reads the DER-encoded ECPrivateKey structure specified in [RFC 5915 s3] for the
* EC P-256 private key from the provided attestation result.
*
* \param result A pointer to the attestation result filled in
* `AVmPayload_requestAttestation` when the attestation succeeds.
* \param data A pointer to the memory where the private key will be written
* (can be null if size is 0).
* \param size The maximum number of bytes that can be written to the data buffer.
* If `size` is smaller than the total size of the private key, the key data will be
* truncated to this `size`.
*
* \return The total size of the private key.
*
* [RFC 5915 s3]: https://datatracker.ietf.org/doc/html/rfc5915#section-3
*/
size_t AVmAttestationResult_getPrivateKey(const AVmAttestationResult* _Nonnull result,
void* _Nullable data, size_t size)
__INTRODUCED_IN(__ANDROID_API_V__);
/**
* Signs the given message using ECDSA P-256, the message is first hashed with SHA-256 and
* then it is signed with the attested EC P-256 private key in the attestation result.
*
* \param result A pointer to the attestation result filled in
* `AVmPayload_requestAttestation` when the attestation succeeds.
* \param message A pointer to the message buffer.
* \param message_size size of the message.
* \param data A pointer to the memory where the signature will be written
* (can be null if size is 0). The signature is a DER-encoded ECDSASignature structure
* detailed in the [RFC 6979].
* \param size The maximum number of bytes that can be written to the data buffer.
* If `size` is smaller than the total size of the signature, the signature will be
* truncated to this `size`.
*
* \return The size of the signature, or the size needed if the supplied buffer is too small.
*
* [RFC 6979]: https://datatracker.ietf.org/doc/html/rfc6979
*/
size_t AVmAttestationResult_sign(const AVmAttestationResult* _Nonnull result,
const void* _Nonnull message, size_t message_size,
void* _Nullable data, size_t size)
__INTRODUCED_IN(__ANDROID_API_V__);
/**
* Gets the number of certificates in the certificate chain.
*
* The certificate chain consists of a sequence of DER-encoded X.509 certificates that form
* the attestation key's certificate chain. It starts with a leaf certificate covering the attested
* public key and ends with a root certificate.
*
* \param result A pointer to the attestation result obtained from `AVmPayload_requestAttestation`
* when the attestation succeeds.
*
* \return The number of certificates in the certificate chain.
*/
size_t AVmAttestationResult_getCertificateCount(const AVmAttestationResult* _Nonnull result)
__INTRODUCED_IN(__ANDROID_API_V__);
/**
* Retrieves the certificate at the given `index` from the certificate chain in the provided
* attestation result.
*
* The certificate chain consists of a sequence of DER-encoded X.509 certificates that form
* the attestation key's certificate chain. It starts with a leaf certificate covering the attested
* public key and ends with a root certificate.
*
* \param result A pointer to the attestation result obtained from `AVmPayload_requestAttestation`
* when the attestation succeeds.
* \param index Index of the certificate to retrieve. The `index` must be within the range of
* [0, number of certificates). The number of certificates can be obtained with
* `AVmAttestationResult_getCertificateCount`.
* \param data A pointer to the memory where the certificate will be written
* (can be null if size is 0).
* \param size The maximum number of bytes that can be written to the data buffer. If `size`
* is smaller than the total size of the certificate, the certificate will be
* truncated to this `size`.
*
* \return The total size of the certificate at the given `index`.
*/
size_t AVmAttestationResult_getCertificateAt(const AVmAttestationResult* _Nonnull result,
size_t index, void* _Nullable data, size_t size)
__INTRODUCED_IN(__ANDROID_API_V__);
__END_DECLS