include/dice/android.h

*60b67249SAndroid Build Coastguard Worker// Copyright 2021 Google LLC
*60b67249SAndroid Build Coastguard Worker//
*60b67249SAndroid Build Coastguard Worker// Licensed under the Apache License, Version 2.0 (the "License"); you may not
*60b67249SAndroid Build Coastguard Worker// use this file except in compliance with the License. You may obtain a copy of
*60b67249SAndroid Build Coastguard Worker// the License at
*60b67249SAndroid Build Coastguard Worker//
*60b67249SAndroid Build Coastguard Worker//     https://www.apache.org/licenses/LICENSE-2.0
*60b67249SAndroid Build Coastguard Worker//
*60b67249SAndroid Build Coastguard Worker// Unless required by applicable law or agreed to in writing, software
*60b67249SAndroid Build Coastguard Worker// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
*60b67249SAndroid Build Coastguard Worker// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
*60b67249SAndroid Build Coastguard Worker// License for the specific language governing permissions and limitations under
*60b67249SAndroid Build Coastguard Worker// the License.
*60b67249SAndroid Build Coastguard Worker
*60b67249SAndroid Build Coastguard Worker#ifndef DICE_ANDROID_H_
*60b67249SAndroid Build Coastguard Worker#define DICE_ANDROID_H_
*60b67249SAndroid Build Coastguard Worker
*60b67249SAndroid Build Coastguard Worker#include <stdbool.h>
*60b67249SAndroid Build Coastguard Worker
*60b67249SAndroid Build Coastguard Worker#include "dice/dice.h"
*60b67249SAndroid Build Coastguard Worker
*60b67249SAndroid Build Coastguard Worker#ifdef __cplusplus
*60b67249SAndroid Build Coastguard Workerextern "C" {
*60b67249SAndroid Build Coastguard Worker#endif
*60b67249SAndroid Build Coastguard Worker
*60b67249SAndroid Build Coastguard Worker#define DICE_ANDROID_CONFIG_COMPONENT_NAME (1 << 0)
*60b67249SAndroid Build Coastguard Worker#define DICE_ANDROID_CONFIG_COMPONENT_VERSION (1 << 1)
*60b67249SAndroid Build Coastguard Worker#define DICE_ANDROID_CONFIG_RESETTABLE (1 << 2)
*60b67249SAndroid Build Coastguard Worker#define DICE_ANDROID_CONFIG_SECURITY_VERSION (1 << 3)
*60b67249SAndroid Build Coastguard Worker#define DICE_ANDROID_CONFIG_RKP_VM_MARKER (1 << 4)
*60b67249SAndroid Build Coastguard Worker
*60b67249SAndroid Build Coastguard Worker// Contains the input values used to construct the Android Profile for DICE
*60b67249SAndroid Build Coastguard Worker// configuration descriptor. The fields to include in the configuration
*60b67249SAndroid Build Coastguard Worker// descriptor are selected in the |configs| bitfield.
*60b67249SAndroid Build Coastguard Worker//
*60b67249SAndroid Build Coastguard Worker// Fields:
*60b67249SAndroid Build Coastguard Worker//    configs: A bitfield selecting the config fields to include.
*60b67249SAndroid Build Coastguard Worker//    component_name: Name of the component.
*60b67249SAndroid Build Coastguard Worker//    component_version: Version of the component.
*60b67249SAndroid Build Coastguard Worker//    security_version: Monotonically increasing version of the component.
*60b67249SAndroid Build Coastguard Workertypedef struct DiceAndroidConfigValues_ {
*60b67249SAndroid Build Coastguard Worker  uint32_t configs;
*60b67249SAndroid Build Coastguard Worker  const char* component_name;
*60b67249SAndroid Build Coastguard Worker  uint64_t component_version;
*60b67249SAndroid Build Coastguard Worker  uint64_t security_version;
*60b67249SAndroid Build Coastguard Worker} DiceAndroidConfigValues;
*60b67249SAndroid Build Coastguard Worker
*60b67249SAndroid Build Coastguard Worker// Formats a configuration descriptor following the Android Profile for DICE
*60b67249SAndroid Build Coastguard Worker// specification. On success, |actual_size| is set to the number of bytes used.
*60b67249SAndroid Build Coastguard Worker// If kDiceResultBufferTooSmall is returned |actual_size| will be set to the
*60b67249SAndroid Build Coastguard Worker// required size of the buffer.
*60b67249SAndroid Build Coastguard WorkerDiceResult DiceAndroidFormatConfigDescriptor(
*60b67249SAndroid Build Coastguard Worker    const DiceAndroidConfigValues* config_values, size_t buffer_size,
*60b67249SAndroid Build Coastguard Worker    uint8_t* buffer, size_t* actual_size);
*60b67249SAndroid Build Coastguard Worker
*60b67249SAndroid Build Coastguard Worker// Executes the main Android DICE flow.
*60b67249SAndroid Build Coastguard Worker//
*60b67249SAndroid Build Coastguard Worker// Call this instead of DiceMainFlow when the next certificate should be
*60b67249SAndroid Build Coastguard Worker// appended to an existing Android DICE chain. However, when using
*60b67249SAndroid Build Coastguard Worker// the Android DICE handover format, use DiceAndroidHandoverMainFlow instead.
*60b67249SAndroid Build Coastguard Worker//
*60b67249SAndroid Build Coastguard Worker// Given the current CDIs, a full set of input values, and the current Android
*60b67249SAndroid Build Coastguard Worker// DICE chain, computes the next CDIs and the extended DICE chain. On success,
*60b67249SAndroid Build Coastguard Worker// |actual_size| is set to the number of bytes used. If
*60b67249SAndroid Build Coastguard Worker// kDiceResultBufferTooSmall is returned |actual_size| will be set to the
*60b67249SAndroid Build Coastguard Worker// required size of the buffer.
*60b67249SAndroid Build Coastguard WorkerDiceResult DiceAndroidMainFlow(void* context,
*60b67249SAndroid Build Coastguard Worker                               const uint8_t current_cdi_attest[DICE_CDI_SIZE],
*60b67249SAndroid Build Coastguard Worker                               const uint8_t current_cdi_seal[DICE_CDI_SIZE],
*60b67249SAndroid Build Coastguard Worker                               const uint8_t* chain, size_t chain_size,
*60b67249SAndroid Build Coastguard Worker                               const DiceInputValues* input_values,
*60b67249SAndroid Build Coastguard Worker                               size_t buffer_size, uint8_t* buffer,
*60b67249SAndroid Build Coastguard Worker                               size_t* actual_size,
*60b67249SAndroid Build Coastguard Worker                               uint8_t next_cdi_attest[DICE_CDI_SIZE],
*60b67249SAndroid Build Coastguard Worker                               uint8_t next_cdi_seal[DICE_CDI_SIZE]);
*60b67249SAndroid Build Coastguard Worker
*60b67249SAndroid Build Coastguard Worker// Executes the main Android DICE handover flow.
*60b67249SAndroid Build Coastguard Worker//
*60b67249SAndroid Build Coastguard Worker// Call this instead of DiceAndroidMainFlow when using the Android DICE handover
*60b67249SAndroid Build Coastguard Worker// format to combine the Android DICE chain and CDIs in a single CBOR object.
*60b67249SAndroid Build Coastguard Worker//
*60b67249SAndroid Build Coastguard Worker// Given a full set of input values and the current Android DICE handover
*60b67249SAndroid Build Coastguard Worker// object, computes the handover data for the next stage. On success,
*60b67249SAndroid Build Coastguard Worker// |actual_size| is set to the number of bytes used. If
*60b67249SAndroid Build Coastguard Worker// kDiceResultBufferTooSmall is returned |actual_size| will be set to the
*60b67249SAndroid Build Coastguard Worker// required size of the buffer.
*60b67249SAndroid Build Coastguard Worker//
*60b67249SAndroid Build Coastguard Worker// Using the Android DICE handover object is one option for passing the values
*60b67249SAndroid Build Coastguard Worker// between boot stages. Passing the bytes between stages is a problem left to
*60b67249SAndroid Build Coastguard Worker// the caller.
*60b67249SAndroid Build Coastguard WorkerDiceResult DiceAndroidHandoverMainFlow(void* context, const uint8_t* handover,
*60b67249SAndroid Build Coastguard Worker                                       size_t handover_size,
*60b67249SAndroid Build Coastguard Worker                                       const DiceInputValues* input_values,
*60b67249SAndroid Build Coastguard Worker                                       size_t buffer_size, uint8_t* buffer,
*60b67249SAndroid Build Coastguard Worker                                       size_t* actual_size);
*60b67249SAndroid Build Coastguard Worker
*60b67249SAndroid Build Coastguard Worker// Parses an Android DICE handover object to extract the fields.
*60b67249SAndroid Build Coastguard Worker//
*60b67249SAndroid Build Coastguard Worker// Given a pointer to an Android DICE handover object, returns pointers to the
*60b67249SAndroid Build Coastguard Worker// CDIs and DICE chain. If the DICE chain is not included in the handover
*60b67249SAndroid Build Coastguard Worker// object, the pointer is NULL and the size is 0.
*60b67249SAndroid Build Coastguard WorkerDiceResult DiceAndroidHandoverParse(const uint8_t* handover,
*60b67249SAndroid Build Coastguard Worker                                    size_t handover_size,
*60b67249SAndroid Build Coastguard Worker                                    const uint8_t** cdi_attest,
*60b67249SAndroid Build Coastguard Worker                                    const uint8_t** cdi_seal,
*60b67249SAndroid Build Coastguard Worker                                    const uint8_t** chain, size_t* chain_size);
*60b67249SAndroid Build Coastguard Worker
*60b67249SAndroid Build Coastguard Worker#ifdef __cplusplus
*60b67249SAndroid Build Coastguard Worker}  // extern "C"
*60b67249SAndroid Build Coastguard Worker#endif
*60b67249SAndroid Build Coastguard Worker
*60b67249SAndroid Build Coastguard Worker#endif  // DICE_ANDROID_H_