1 // Copyright 2023, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 //! Handles the RKP (Remote Key Provisioning) VM and host communication.
16 //! The RKP VM will be recognized and attested by the RKP server periodically and
17 //! serves as a trusted platform to attest a client VM.
18
19 use android_hardware_security_rkp::aidl::android::hardware::security::keymint::MacedPublicKey::MacedPublicKey;
20 use anyhow::{bail, Context, Result};
21 use service_vm_comm::{
22 ClientVmAttestationParams, GenerateCertificateRequestParams, Request, Response,
23 };
24 use service_vm_manager::process_request;
25
/// Asks the RKP VM to attest a client VM and returns the payload of the matching response.
///
/// The three byte buffers are moved unchanged into a `ClientVmAttestationParams` and sent as
/// `Request::RequestClientVmAttestation`. This function does not parse or validate `csr`,
/// `remotely_provisioned_key_blob` or `remotely_provisioned_cert`; any verification of them
/// happens outside this function (presumably inside the RKP VM; confirm against the
/// service VM implementation).
///
/// # Errors
///
/// Returns an error if `process_request` fails, or if the response is any variant other than
/// `Response::RequestClientVmAttestation`.
pub(crate) fn request_attestation(
    csr: Vec<u8>,
    remotely_provisioned_key_blob: Vec<u8>,
    remotely_provisioned_cert: Vec<u8>,
) -> Result<Vec<u8>> {
    let attestation_request = Request::RequestClientVmAttestation(ClientVmAttestationParams {
        csr,
        remotely_provisioned_key_blob,
        remotely_provisioned_cert,
    });
    let response = process_request(attestation_request).context("Failed to process request")?;

    // Only the variant that mirrors the request is accepted; everything else is treated as a
    // failure so that an unrelated response can never be returned to the caller as a
    // certificate.
    match response {
        Response::RequestClientVmAttestation(certificate) => Ok(certificate),
        // NOTE(review): the error text embeds the Debug rendering of the whole unexpected
        // response. Confirm that no `Response` variant prints key material through `Debug`,
        // or that this error never reaches a widely readable log.
        other => bail!("Incorrect response type {other:?}"),
    }
}
39
/// Asks the RKP VM to generate an ECDSA P-256 key pair.
///
/// The `Response` is handed back exactly as `process_request` returned it. Unlike
/// `request_attestation`, no check is made here that the response variant corresponds to the
/// request, so the caller has to match on the variant it expects and reject anything else.
///
/// # Errors
///
/// Returns an error if `process_request` fails.
pub(crate) fn generate_ecdsa_p256_key_pair() -> Result<Response> {
    process_request(Request::GenerateEcdsaP256KeyPair).context("Failed to process request")
}
44
/// Asks the RKP VM to build a certificate request over the given MACed public keys.
///
/// Each entry's `macedKey` bytes and the `challenge` are copied into a
/// `GenerateCertificateRequestParams` and sent as `Request::GenerateCertificateRequest`.
/// No length or content check is applied to `keys_to_sign` or `challenge` in this function;
/// if bounds are required they have to be enforced by the caller or by the RKP VM.
///
/// The `Response` is returned unchecked, so the caller has to match on the variant it expects
/// and reject anything else.
///
/// # Errors
///
/// Returns an error if `process_request` fails.
pub(crate) fn generate_certificate_request(
    keys_to_sign: &[MacedPublicKey],
    challenge: &[u8],
) -> Result<Response> {
    // Only the raw MACed key bytes cross the VM boundary, not the AIDL wrapper type.
    let maced_keys = keys_to_sign.iter().map(|key| key.macedKey.to_vec()).collect();
    let request = Request::GenerateCertificateRequest(GenerateCertificateRequestParams {
        keys_to_sign: maced_keys,
        challenge: challenge.to_vec(),
    });

    process_request(request).context("Failed to process request")
}
57