Add support for the Android security version
Allow for the security version that's specified by the Android Profile
for DICE to be included in the configuration descriptor.
Bug: 282205139
Change-Id: I3ef01b87bbca4a1086c4d669da85965072f2a34e
Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/164491
Reviewed-by: Max Bires <jbires@google.com>
Reviewed-by: Darren Krahn <dkrahn@google.com>
Commit-Queue: Andrew Scull <ascull@google.com>
diff --git a/include/dice/android.h b/include/dice/android.h
index 69d87a1..5ca1f8b 100644
--- a/include/dice/android.h
+++ b/include/dice/android.h
@@ -26,6 +26,7 @@
#define DICE_ANDROID_CONFIG_COMPONENT_NAME (1 << 0)
#define DICE_ANDROID_CONFIG_COMPONENT_VERSION (1 << 1)
#define DICE_ANDROID_CONFIG_RESETTABLE (1 << 2)
+#define DICE_ANDROID_CONFIG_SECURITY_VERSION (1 << 3)
// Contains the input values used to construct the Android Profile for DICE
// configuration descriptor. Optional fields are selected in the |inputs|
@@ -35,10 +36,12 @@
// configs: A bitfield selecting the config fields to include.
// component_name: Name of the component.
// component_version: Version of the component.
+// security_version: Monotonically increasing version of the component.
typedef struct DiceAndroidConfigValues_ {
uint32_t configs;
const char* component_name;
uint64_t component_version;
+ uint64_t security_version;
} DiceAndroidConfigValues;
// Formats a configuration descriptor following the Android Profile for DICE
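Review bot: The new field comment, `// security_version: Monotonically increasing version of the component.`, does not say how this field differs from `component_version` or that it is optional. The encoder in src/android.c writes it only when `DICE_ANDROID_CONFIG_SECURITY_VERSION` is set in `configs`, so a caller that fills the field but forgets the flag gets a descriptor with no security version and no error. I would extend the comment to something like `// security_version: Monotonically increasing security version of the component. Only included when DICE_ANDROID_CONFIG_SECURITY_VERSION is set in |configs|.` The header comment that describes the optional fields continues outside this hunk, so it may already state the general rule.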
diff --git a/src/android.c b/src/android.c
index f3d1b2d..5fd4a5c 100644
--- a/src/android.c
+++ b/src/android.c
@@ -41,6 +41,7 @@
static const int64_t kComponentNameLabel = -70002;
static const int64_t kComponentVersionLabel = -70003;
static const int64_t kResettableLabel = -70004;
+ static const int64_t kSecurityVersion = -70005;
// AndroidConfigDescriptor = {
// ? -70002 : tstr, ; Component name
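Review bot: The new label constant is named `kSecurityVersion`, while the three sibling constants in this hunk all end in `Label` (`kComponentNameLabel`, `kComponentVersionLabel`, `kResettableLabel`). `static const int64_t kSecurityVersionLabel = -70005;` would keep the set uniform, with the matching rename at the `CborWriteInt` call in the next hunk. The CDDL comment that begins at `// AndroidConfigDescriptor = {` continues outside the hunk and no hunk in this patch touches it, so it probably still lists only -70002 to -70004. A line such as `//   ? -70005 : uint, ; Security version` would keep the schema comment in step with what the encoder emits. The enclosing function starts and ends outside this hunk.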
@@ -63,6 +64,10 @@
CborWriteInt(kResettableLabel, &out);
CborWriteNull(&out);
}
+ if (config_values->configs & DICE_ANDROID_CONFIG_SECURITY_VERSION) {
+ CborWriteInt(kSecurityVersion, &out);
+ CborWriteUint(config_values->security_version, &out);
+ }
*actual_size = CborOutSize(&out);
if (CborOutOverflowed(&out)) {
return kDiceResultBufferTooSmall;
diff --git a/src/android_test.cc b/src/android_test.cc
index e7bc394..c90bed1 100644
--- a/src/android_test.cc
+++ b/src/android_test.cc
@@ -44,9 +44,11 @@
DiceAndroidConfigValues config_values = {
.configs = DICE_ANDROID_CONFIG_COMPONENT_NAME |
DICE_ANDROID_CONFIG_COMPONENT_VERSION |
- DICE_ANDROID_CONFIG_RESETTABLE,
+ DICE_ANDROID_CONFIG_RESETTABLE |
+ DICE_ANDROID_CONFIG_SECURITY_VERSION,
.component_name = "Test Component Name",
.component_version = 0x232a13dec90f42b5,
+ .security_version = 0xfab777c1,
};
size_t buffer_size;
DiceResult result =
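Review bot: The updated test only covers the case where `DICE_ANDROID_CONFIG_SECURITY_VERSION` is set together with every other flag, so nothing visible here pins that the flag alone gates the output. A second case with `.security_version` non-zero and the flag cleared, asserting the map header is `0xa3` and the `-70005` key is absent, would catch a regression that emits the field unconditionally. Such a case may already exist outside the visible hunks. Separately, `0xfab777c1` fits in 32 bits, so the expected bytes in the next hunk exercise only the `0x1a` head for this `uint64_t` field. The 8-byte form is covered only indirectly through `component_version`. The test body starts before this hunk and continues past it.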
@@ -54,10 +56,11 @@
EXPECT_EQ(kDiceResultBufferTooSmall, result);
std::vector<uint8_t> buffer(buffer_size);
const uint8_t expected[] = {
- 0xa3, 0x3a, 0x00, 0x01, 0x11, 0x71, 0x73, 'T', 'e', 's', 't', ' ',
+ 0xa4, 0x3a, 0x00, 0x01, 0x11, 0x71, 0x73, 'T', 'e', 's', 't', ' ',
'C', 'o', 'm', 'p', 'o', 'n', 'e', 'n', 't', ' ', 'N', 'a',
'm', 'e', 0x3a, 0x00, 0x01, 0x11, 0x72, 0x1b, 0x23, 0x2a, 0x13, 0xde,
- 0xc9, 0x0f, 0x42, 0xb5, 0x3a, 0x00, 0x01, 0x11, 0x73, 0xf6};
+ 0xc9, 0x0f, 0x42, 0xb5, 0x3a, 0x00, 0x01, 0x11, 0x73, 0xf6, 0x3a, 0x00,
+ 0x01, 0x11, 0x74, 0x1a, 0xfa, 0xb7, 0x77, 0xc1};
EXPECT_EQ(sizeof(expected), buffer.size());
result = DiceAndroidFormatConfigDescriptor(&config_values, buffer.size(),
buffer.data(), &buffer_size);