diced/open_dice/src/bcc.rs - platform/system/security - Git at Google

 // Copyright 2023, The Android Open Source Project
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 //! This module mirrors the content in open-dice/include/dice/android/bcc.h

 use crate::dice::{Cdi, CdiValues, DiceArtifacts, InputValues, CDI_SIZE};
 use crate::error::{check_result, DiceError, Result};
 use open_dice_bcc_bindgen::{
     BccConfigValues, BccFormatConfigDescriptor, BccHandoverMainFlow, BccHandoverParse, BccMainFlow,
     BCC_INPUT_COMPONENT_NAME, BCC_INPUT_COMPONENT_VERSION, BCC_INPUT_RESETTABLE,
 };
 use std::{ffi::CStr, ptr};

 /// Formats a configuration descriptor following the BCC's specification.
 /// See https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/ProtectedData.aidl
 pub fn bcc_format_config_descriptor(
     name: Option<&CStr>,
     version: Option<u64>,
     resettable: bool,
     buffer: &mut [u8],
 ) -> Result<usize> {
     let mut inputs = 0;
     if name.is_some() {
         inputs |= BCC_INPUT_COMPONENT_NAME;
     }
     if version.is_some() {
         inputs |= BCC_INPUT_COMPONENT_VERSION;
     }
     if resettable {
         inputs |= BCC_INPUT_RESETTABLE;
     }

     let values = BccConfigValues {
         inputs,
         component_name: name.map_or(ptr::null(), |p| p.as_ptr()),
         component_version: version.unwrap_or(0),
     };

     let mut buffer_size = 0;
     // SAFETY: The function writes to the buffer, within the given bounds, and only reads the
     // input values. It writes its result to buffer_size.
     check_result(unsafe {
         BccFormatConfigDescriptor(&values, buffer.len(), buffer.as_mut_ptr(), &mut buffer_size)
     })?;
     Ok(buffer_size)
 }

 /// Executes the main BCC flow.
 ///
 /// Given a full set of input values along with the current BCC and CDI values,
 /// computes the next CDI values and matching updated BCC.
 pub fn bcc_main_flow(
     current_cdi_attest: &Cdi,
     current_cdi_seal: &Cdi,
     current_bcc: &[u8],
     input_values: &InputValues,
     next_cdi_values: &mut CdiValues,
     next_bcc: &mut [u8],
 ) -> Result<usize> {
     let mut next_bcc_size = 0;
     // SAFETY: `BccMainFlow` only reads the current `bcc` and CDI values and writes
     // to `next_bcc` and next CDI values within its bounds. It also reads
     // `input_values` as a constant input and doesn't store any pointer.
     // The first argument can be null and is not used in the current implementation.
     check_result(unsafe {
         BccMainFlow(
             ptr::null_mut(), // context
             current_cdi_attest.as_ptr(),
             current_cdi_seal.as_ptr(),
             current_bcc.as_ptr(),
             current_bcc.len(),
             input_values.as_ptr(),
             next_bcc.len(),
             next_bcc.as_mut_ptr(),
             &mut next_bcc_size,
             next_cdi_values.cdi_attest.as_mut_ptr(),
             next_cdi_values.cdi_seal.as_mut_ptr(),
         )
     })?;
     Ok(next_bcc_size)
 }

 /// Executes the main BCC handover flow.
 ///
 /// A BCC handover combines the BCC and CDIs in a single CBOR object.
 /// This function takes the current boot stage's BCC handover bundle and produces a
 /// bundle for the next stage.
 pub fn bcc_handover_main_flow(
     current_bcc_handover: &[u8],
     input_values: &InputValues,
     next_bcc_handover: &mut [u8],
 ) -> Result<usize> {
     let mut next_bcc_handover_size = 0;
     // SAFETY - The function only reads `current_bcc_handover` and writes to `next_bcc_handover`
     // within its bounds,
     // It also reads `input_values` as a constant input and doesn't store any pointer.
     // The first argument can be null and is not used in the current implementation.
     check_result(unsafe {
         BccHandoverMainFlow(
             ptr::null_mut(), // context
             current_bcc_handover.as_ptr(),
             current_bcc_handover.len(),
             input_values.as_ptr(),
             next_bcc_handover.len(),
             next_bcc_handover.as_mut_ptr(),
             &mut next_bcc_handover_size,
         )
     })?;

     Ok(next_bcc_handover_size)
 }

 /// A BCC handover combines the BCC and CDIs in a single CBOR object.
 /// This struct is used as return of the function `bcc_handover_parse`, its lifetime is tied
 /// to the lifetime of the raw BCC handover slice.
 #[derive(Debug)]
 pub struct BccHandover<'a> {
     /// Attestation CDI.
     cdi_attest: &'a [u8; CDI_SIZE],
     /// Sealing CDI.
     cdi_seal: &'a [u8; CDI_SIZE],
     /// Boot Certificate Chain.
     bcc: Option<&'a [u8]>,
 }

 impl<'a> DiceArtifacts for BccHandover<'a> {
     fn cdi_attest(&self) -> &[u8; CDI_SIZE] {
         self.cdi_attest
     }

     fn cdi_seal(&self) -> &[u8; CDI_SIZE] {
         self.cdi_seal
     }

     fn bcc(&self) -> Option<&[u8]> {
         self.bcc
     }
 }

 /// A BCC handover combines the BCC and CDIs in a single CBOR object.
 /// This function parses the `bcc_handover` to extracts the BCC and CDIs.
 /// The lifetime of the returned `BccHandover` is tied to the given `bcc_handover` slice.
 pub fn bcc_handover_parse(bcc_handover: &[u8]) -> Result<BccHandover> {
     let mut cdi_attest: *const u8 = ptr::null();
     let mut cdi_seal: *const u8 = ptr::null();
     let mut bcc: *const u8 = ptr::null();
     let mut bcc_size = 0;
     // SAFETY: The `bcc_handover` is only read and never stored and the returned pointers should all
     // point within the address range of the `bcc_handover` or be NULL.
     check_result(unsafe {
         BccHandoverParse(
             bcc_handover.as_ptr(),
             bcc_handover.len(),
             &mut cdi_attest,
             &mut cdi_seal,
             &mut bcc,
             &mut bcc_size,
         )
     })?;
     let cdi_attest = sub_slice(bcc_handover, cdi_attest, CDI_SIZE)?;
     let cdi_seal = sub_slice(bcc_handover, cdi_seal, CDI_SIZE)?;
     let bcc = sub_slice(bcc_handover, bcc, bcc_size).ok();
     Ok(BccHandover {
         cdi_attest: cdi_attest.try_into().map_err(|_| DiceError::PlatformError)?,
         cdi_seal: cdi_seal.try_into().map_err(|_| DiceError::PlatformError)?,
         bcc,
     })
 }

 /// Gets a slice the `addr` points to and of length `len`.
 /// The slice should be contained in the buffer.
 fn sub_slice(buffer: &[u8], addr: *const u8, len: usize) -> Result<&[u8]> {
     if addr.is_null() || !buffer.as_ptr_range().contains(&addr) {
         return Err(DiceError::PlatformError);
     }
     // SAFETY: This is safe because addr is not null and is within the range of the buffer.
     let start: usize = unsafe {
         addr.offset_from(buffer.as_ptr()).try_into().map_err(|_| DiceError::PlatformError)?
     };
     start.checked_add(len).and_then(|end| buffer.get(start..end)).ok_or(DiceError::PlatformError)
 }
	// Copyright 2023, The Android Open Source Project
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	//! This module mirrors the content in open-dice/include/dice/android/bcc.h

	use crate::dice::{Cdi, CdiValues, DiceArtifacts, InputValues, CDI_SIZE};
	use crate::error::{check_result, DiceError, Result};
	use open_dice_bcc_bindgen::{
	BccConfigValues, BccFormatConfigDescriptor, BccHandoverMainFlow, BccHandoverParse, BccMainFlow,
	BCC_INPUT_COMPONENT_NAME, BCC_INPUT_COMPONENT_VERSION, BCC_INPUT_RESETTABLE,
	};
	use std::{ffi::CStr, ptr};

	/// Formats a configuration descriptor following the BCC's specification.
	/// See https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/ProtectedData.aidl
	pub fn bcc_format_config_descriptor(
	name: Option<&CStr>,
	version: Option<u64>,
	resettable: bool,
	buffer: &mut [u8],
	) -> Result<usize> {
	let mut inputs = 0;
	if name.is_some() {
	inputs \|= BCC_INPUT_COMPONENT_NAME;
	}
	if version.is_some() {
	inputs \|= BCC_INPUT_COMPONENT_VERSION;
	}
	if resettable {
	inputs \|= BCC_INPUT_RESETTABLE;
	}

	let values = BccConfigValues {
	inputs,
	component_name: name.map_or(ptr::null(), \|p\| p.as_ptr()),
	component_version: version.unwrap_or(0),
	};

	let mut buffer_size = 0;
	// SAFETY: The function writes to the buffer, within the given bounds, and only reads the
	// input values. It writes its result to buffer_size.
	check_result(unsafe {
	BccFormatConfigDescriptor(&values, buffer.len(), buffer.as_mut_ptr(), &mut buffer_size)
	})?;
	Ok(buffer_size)
	}

	/// Executes the main BCC flow.
	///
	/// Given a full set of input values along with the current BCC and CDI values,
	/// computes the next CDI values and matching updated BCC.
	pub fn bcc_main_flow(
	current_cdi_attest: &Cdi,
	current_cdi_seal: &Cdi,
	current_bcc: &[u8],
	input_values: &InputValues,
	next_cdi_values: &mut CdiValues,
	next_bcc: &mut [u8],
	) -> Result<usize> {
	let mut next_bcc_size = 0;
	// SAFETY: `BccMainFlow` only reads the current `bcc` and CDI values and writes
	// to `next_bcc` and next CDI values within its bounds. It also reads
	// `input_values` as a constant input and doesn't store any pointer.
	// The first argument can be null and is not used in the current implementation.
	check_result(unsafe {
	BccMainFlow(
	ptr::null_mut(), // context
	current_cdi_attest.as_ptr(),
	current_cdi_seal.as_ptr(),
	current_bcc.as_ptr(),
	current_bcc.len(),
	input_values.as_ptr(),
	next_bcc.len(),
	next_bcc.as_mut_ptr(),
	&mut next_bcc_size,
	next_cdi_values.cdi_attest.as_mut_ptr(),
	next_cdi_values.cdi_seal.as_mut_ptr(),
	)
	})?;
	Ok(next_bcc_size)
	}

	/// Executes the main BCC handover flow.
	///
	/// A BCC handover combines the BCC and CDIs in a single CBOR object.
	/// This function takes the current boot stage's BCC handover bundle and produces a
	/// bundle for the next stage.
	pub fn bcc_handover_main_flow(
	current_bcc_handover: &[u8],
	input_values: &InputValues,
	next_bcc_handover: &mut [u8],
	) -> Result<usize> {
	let mut next_bcc_handover_size = 0;
	// SAFETY - The function only reads `current_bcc_handover` and writes to `next_bcc_handover`
	// within its bounds,
	// It also reads `input_values` as a constant input and doesn't store any pointer.
	// The first argument can be null and is not used in the current implementation.
	check_result(unsafe {
	BccHandoverMainFlow(
	ptr::null_mut(), // context
	current_bcc_handover.as_ptr(),
	current_bcc_handover.len(),
	input_values.as_ptr(),
	next_bcc_handover.len(),
	next_bcc_handover.as_mut_ptr(),
	&mut next_bcc_handover_size,
	)
	})?;

	Ok(next_bcc_handover_size)
	}

	/// A BCC handover combines the BCC and CDIs in a single CBOR object.
	/// This struct is used as return of the function `bcc_handover_parse`, its lifetime is tied
	/// to the lifetime of the raw BCC handover slice.
	#[derive(Debug)]
	pub struct BccHandover<'a> {
	/// Attestation CDI.
	cdi_attest: &'a [u8; CDI_SIZE],
	/// Sealing CDI.
	cdi_seal: &'a [u8; CDI_SIZE],
	/// Boot Certificate Chain.
	bcc: Option<&'a [u8]>,
	}

	impl<'a> DiceArtifacts for BccHandover<'a> {
	fn cdi_attest(&self) -> &[u8; CDI_SIZE] {
	self.cdi_attest
	}

	fn cdi_seal(&self) -> &[u8; CDI_SIZE] {
	self.cdi_seal
	}

	fn bcc(&self) -> Option<&[u8]> {
	self.bcc
	}
	}

	/// A BCC handover combines the BCC and CDIs in a single CBOR object.
	/// This function parses the `bcc_handover` to extracts the BCC and CDIs.
	/// The lifetime of the returned `BccHandover` is tied to the given `bcc_handover` slice.
	pub fn bcc_handover_parse(bcc_handover: &[u8]) -> Result<BccHandover> {
	let mut cdi_attest: *const u8 = ptr::null();
	let mut cdi_seal: *const u8 = ptr::null();
	let mut bcc: *const u8 = ptr::null();
	let mut bcc_size = 0;
	// SAFETY: The `bcc_handover` is only read and never stored and the returned pointers should all
	// point within the address range of the `bcc_handover` or be NULL.
	check_result(unsafe {
	BccHandoverParse(
	bcc_handover.as_ptr(),
	bcc_handover.len(),
	&mut cdi_attest,
	&mut cdi_seal,
	&mut bcc,
	&mut bcc_size,
	)
	})?;
	let cdi_attest = sub_slice(bcc_handover, cdi_attest, CDI_SIZE)?;
	let cdi_seal = sub_slice(bcc_handover, cdi_seal, CDI_SIZE)?;
	let bcc = sub_slice(bcc_handover, bcc, bcc_size).ok();
	Ok(BccHandover {
	cdi_attest: cdi_attest.try_into().map_err(\|_\| DiceError::PlatformError)?,
	cdi_seal: cdi_seal.try_into().map_err(\|_\| DiceError::PlatformError)?,
	bcc,
	})
	}

	/// Gets a slice the `addr` points to and of length `len`.
	/// The slice should be contained in the buffer.
	fn sub_slice(buffer: &[u8], addr: *const u8, len: usize) -> Result<&[u8]> {
	if addr.is_null() \|\| !buffer.as_ptr_range().contains(&addr) {
	return Err(DiceError::PlatformError);
	}
	// SAFETY: This is safe because addr is not null and is within the range of the buffer.
	let start: usize = unsafe {
	addr.offset_from(buffer.as_ptr()).try_into().map_err(\|_\| DiceError::PlatformError)?
	};
	start.checked_add(len).and_then(\|end\| buffer.get(start..end)).ok_or(DiceError::PlatformError)
	}