| /* |
| * Copyright (C) 2022 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #pragma once |
| |
| #include <stdbool.h> |
| #include <stddef.h> |
| #include <stdint.h> |
| #include <sys/cdefs.h> |
| |
| #include "vm_main.h" |
| |
| __BEGIN_DECLS |
| |
| typedef struct AIBinder AIBinder; |
| |
| /** |
| * Introduced in API 35. |
| * Remote attestation result if the attestation succeeds. |
| */ |
| typedef struct AVmAttestationResult AVmAttestationResult; |
| |
| /** |
| * Introduced in API 35. |
| * Remote attestation status types returned from remote attestation functions. |
| */ |
| typedef enum AVmAttestationStatus : int32_t { |
| /** The remote attestation completes successfully. */ |
| ATTESTATION_OK = 0, |
| |
| /** The challenge size is not between 0 and 64. */ |
| ATTESTATION_ERROR_INVALID_CHALLENGE = -10001, |
| |
| /** Failed to attest the VM. Please retry at a later time. */ |
| ATTESTATION_ERROR_ATTESTATION_FAILED = -10002, |
| |
| /** Remote attestation is not supported in the current environment. */ |
| ATTESTATION_ERROR_UNSUPPORTED = -10003, |
| } AVmAttestationStatus; |
| |
| /** |
| * Notifies the host that the payload is ready. |
| * |
| * If the host app has set a `VirtualMachineCallback` for the VM, its |
| * `onPayloadReady` method will be called. |
| * |
| * Note that subsequent calls to this function after the first have no effect; |
| * `onPayloadReady` is never called more than once. |
| */ |
| void AVmPayload_notifyPayloadReady(void); |
| |
| /** |
| * Runs a binder RPC server, serving the supplied binder service implementation on the given vsock |
| * port. |
| * |
| * If and when the server is ready for connections (it is listening on the port), `on_ready` is |
| * called to allow appropriate action to be taken - e.g. to notify clients that they may now |
| * attempt to connect with `AVmPayload_notifyPayloadReady`. |
| * |
| * Note that this function does not return. The calling thread joins the binder |
| * thread pool to handle incoming messages. |
| * |
| * \param service the service to bind to the given port. |
| * \param port vsock port. |
| * \param on_ready the callback to execute once the server is ready for connections. If not null the |
| * callback will be called at most once. |
| * \param param parameter to be passed to the `on_ready` callback. |
| */ |
| __attribute__((noreturn)) void AVmPayload_runVsockRpcServer( |
| AIBinder* _Nonnull service, uint32_t port, |
| void (*_Nullable on_ready)(void* _Nullable param), void* _Nullable param); |
| |
| /** |
| * Returns all or part of a 32-byte secret that is bound to this unique VM |
| * instance and the supplied identifier. The secret can be used e.g. as an |
| * encryption key. |
| * |
| * Every VM has a secret that is derived from a device-specific value known to |
| * the hypervisor, the code that runs in the VM and its non-modifiable |
| * configuration; it is not made available to the host OS. |
| * |
| * This function performs a further derivation from the VM secret and the |
| * supplied identifier. As long as the VM identity doesn't change the same value |
| * will be returned for the same identifier, even if the VM is stopped & |
| * restarted or the device rebooted. |
| * |
| * If multiple secrets are required for different purposes, a different |
| * identifier should be used for each. The identifiers otherwise are arbitrary |
| * byte sequences and do not need to be kept secret; typically they are |
| * hardcoded in the calling code. |
| * |
| * \param identifier identifier of the secret to return. |
| * \param identifier_size size of the secret identifier. |
| * \param secret pointer to size bytes where the secret is written. |
| * \param size number of bytes of the secret to get, <= 32. |
| */ |
| void AVmPayload_getVmInstanceSecret(const void* _Nonnull identifier, size_t identifier_size, |
| void* _Nonnull secret, size_t size); |
| |
| /** |
| * Gets the path to the APK contents. It is a directory, under which are |
| * the unzipped contents of the APK containing the payload, all read-only |
| * but accessible to the payload. |
| * |
| * \return the path to the APK contents. The returned string should not be |
| * deleted or freed by the application. The string remains valid for the |
| * lifetime of the VM. |
| */ |
| const char* _Nonnull AVmPayload_getApkContentsPath(void); |
| |
| /** |
| * Gets the path to the encrypted persistent storage for the VM, if any. This is |
| * a directory under which any files or directories created will be stored on |
| * behalf of the VM by the host app. All data is encrypted using a key known |
| * only to the VM, so the host cannot decrypt it, but may delete it. |
| * |
| * \return the path to the encrypted storage directory, or NULL if no encrypted |
| * storage was requested in the VM configuration. If non-null the returned |
| * string should not be deleted or freed by the application and remains valid |
| * for the lifetime of the VM. |
| */ |
| const char* _Nullable AVmPayload_getEncryptedStoragePath(void); |
| |
| /** |
| * Requests the remote attestation of the client VM. |
| * |
| * The challenge will be included in the certificate chain in the attestation result, |
| * serving as proof of the freshness of the result. |
| * |
| * \param challenge A pointer to the challenge buffer. |
| * \param challenge_size size of the challenge. The maximum supported challenge size is |
| * 64 bytes. The status ATTESTATION_ERROR_INVALID_CHALLENGE will be returned if |
| * an invalid challenge is passed. |
| * \param result The remote attestation result will be filled here if the attestation |
| * succeeds. The result remains valid until it is freed with |
| * `AVmPayload_freeAttestationResult`. |
| * |
| * \return ATTESTATION_OK upon successful attestation. |
| */ |
| AVmAttestationStatus AVmPayload_requestAttestation(const void* _Nonnull challenge, |
| size_t challenge_size, |
| AVmAttestationResult* _Nullable* _Nonnull result) |
| __INTRODUCED_IN(__ANDROID_API_V__); |
| |
| /** |
| * Converts the return value from `AVmPayload_requestAttestation` to a text string |
| * representing the status code. |
| * |
| * \return a constant string value representing the status code. The string should not |
| * be deleted or freed by the application and remains valid for the lifetime of the VM. |
| */ |
| const char* _Nonnull AVmAttestationStatus_toString(AVmAttestationStatus status) |
| __INTRODUCED_IN(__ANDROID_API_V__); |
| |
| /** |
| * Frees all the data owned by the provided attestation result, including the result itself. |
| * |
| * Callers should ensure to invoke this API only once on a valid attestation result |
| * returned by `AVmPayload_requestAttestation` to avoid undefined behavior. |
| * |
| * \param result A pointer to the attestation result. |
| */ |
| void AVmAttestationResult_free(AVmAttestationResult* _Nullable result) |
| __INTRODUCED_IN(__ANDROID_API_V__); |
| |
| /** |
| * Reads the DER-encoded ECPrivateKey structure specified in [RFC 5915 s3] for the |
| * EC P-256 private key from the provided attestation result. |
| * |
| * \param result A pointer to the attestation result filled in |
| * `AVmPayload_requestAttestation` when the attestation succeeds. |
| * \param data A pointer to the memory where the private key will be written |
| * (can be null if size is 0). |
| * \param size The maximum number of bytes that can be written to the data buffer. |
| * If `size` is smaller than the total size of the private key, the key data will be |
| * truncated to this `size`. |
| * |
| * \return The total size of the private key. |
| * |
| * [RFC 5915 s3]: https://datatracker.ietf.org/doc/html/rfc5915#section-3 |
| */ |
| size_t AVmAttestationResult_getPrivateKey(const AVmAttestationResult* _Nonnull result, |
| void* _Nullable data, size_t size) |
| __INTRODUCED_IN(__ANDROID_API_V__); |
| |
| /** |
| * Signs the given message using ECDSA P-256, the message is first hashed with SHA-256 and |
| * then it is signed with the attested EC P-256 private key in the attestation result. |
| * |
| * \param result A pointer to the attestation result filled in |
| * `AVmPayload_requestAttestation` when the attestation succeeds. |
| * \param message A pointer to the message buffer. |
| * \param message_size size of the message. |
| * \param data A pointer to the memory where the signature will be written |
| * (can be null if size is 0). The signature is a DER-encoded ECDSASignature structure |
| * detailed in the [RFC 6979]. |
| * \param size The maximum number of bytes that can be written to the data buffer. |
| * If `size` is smaller than the total size of the signature, the signature will be |
| * truncated to this `size`. |
| * |
| * \return The size of the signature, or the size needed if the supplied buffer is too small. |
| * |
| * [RFC 6979]: https://datatracker.ietf.org/doc/html/rfc6979 |
| */ |
| size_t AVmAttestationResult_sign(const AVmAttestationResult* _Nonnull result, |
| const void* _Nonnull message, size_t message_size, |
| void* _Nullable data, size_t size) |
| __INTRODUCED_IN(__ANDROID_API_V__); |
| |
| /** |
| * Gets the number of certificates in the certificate chain. |
| * |
| * The certificate chain consists of a sequence of DER-encoded X.509 certificates that form |
| * the attestation key's certificate chain. It starts with a leaf certificate covering the attested |
| * public key and ends with a root certificate. |
| * |
| * \param result A pointer to the attestation result obtained from `AVmPayload_requestAttestation` |
| * when the attestation succeeds. |
| * |
| * \return The number of certificates in the certificate chain. |
| */ |
| size_t AVmAttestationResult_getCertificateCount(const AVmAttestationResult* _Nonnull result) |
| __INTRODUCED_IN(__ANDROID_API_V__); |
| |
| /** |
| * Retrieves the certificate at the given `index` from the certificate chain in the provided |
| * attestation result. |
| * |
| * The certificate chain consists of a sequence of DER-encoded X.509 certificates that form |
| * the attestation key's certificate chain. It starts with a leaf certificate covering the attested |
| * public key and ends with a root certificate. |
| * |
| * \param result A pointer to the attestation result obtained from `AVmPayload_requestAttestation` |
| * when the attestation succeeds. |
| * \param index Index of the certificate to retrieve. The `index` must be within the range of |
| * [0, number of certificates). The number of certificates can be obtained with |
| * `AVmAttestationResult_getCertificateCount`. |
| * \param data A pointer to the memory where the certificate will be written |
| * (can be null if size is 0). |
| * \param size The maximum number of bytes that can be written to the data buffer. If `size` |
| * is smaller than the total size of the certificate, the certificate will be |
| * truncated to this `size`. |
| * |
| * \return The total size of the certificate at the given `index`. |
| */ |
| size_t AVmAttestationResult_getCertificateAt(const AVmAttestationResult* _Nonnull result, |
| size_t index, void* _Nullable data, size_t size) |
| __INTRODUCED_IN(__ANDROID_API_V__); |
| |
| __END_DECLS |