1 // Copyright 2021, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 //! Main entry point for the android.hardware.security.dice service.
16
17 use anyhow::Result;
18 use diced::{
19 dice,
20 hal_node::{DiceArtifacts, DiceDevice, ResidentHal, UpdatableDiceArtifacts},
21 };
22 use diced_sample_inputs::make_sample_bcc_and_cdis;
23 use serde::{Deserialize, Serialize};
24 use std::convert::TryInto;
25 use std::panic;
26 use std::sync::Arc;
27
/// Binder service name under which this HAL registers its `IDiceDevice` instance (see `main`).
static DICE_HAL_SERVICE_NAME: &str = "android.hardware.security.dice.IDiceDevice/default";
29
/// In-memory DICE artifacts (attestation CDI, sealing CDI and BCC) that can be
/// round-tripped through serde.
///
/// The type derives `Serialize`, so anything that serializes it writes the raw
/// CDI bytes out unprotected — hence "Insecure" in the name. In this binary it
/// only ever holds the fixed sample values produced by `make_sample_bcc_and_cdis`
/// (see `main`).
#[derive(Debug, Serialize, Deserialize, Clone)]
struct InsecureSerializableArtifacts {
    // Attestation CDI; fixed size as dictated by `dice::CDI_SIZE`.
    cdi_attest: [u8; dice::CDI_SIZE],
    // Sealing CDI; same fixed size.
    cdi_seal: [u8; dice::CDI_SIZE],
    // The BCC (the DICE chain) as raw bytes; returned by value from `DiceArtifacts::bcc`.
    bcc: Vec<u8>,
}
36
impl DiceArtifacts for InsecureSerializableArtifacts {
    /// Borrows the attestation CDI.
    fn cdi_attest(&self) -> &[u8; dice::CDI_SIZE] {
        let Self { cdi_attest, .. } = self;
        cdi_attest
    }

    /// Borrows the sealing CDI.
    fn cdi_seal(&self) -> &[u8; dice::CDI_SIZE] {
        let Self { cdi_seal, .. } = self;
        cdi_seal
    }

    /// Returns an owned copy of the BCC bytes; the trait hands out a `Vec`, so a
    /// copy is made on every call.
    fn bcc(&self) -> Vec<u8> {
        self.bcc.to_vec()
    }
}
48
impl UpdatableDiceArtifacts for InsecureSerializableArtifacts {
    /// Runs `f` against these artifacts. This type implements `DiceArtifacts`
    /// itself, so it is passed straight through as the trait object.
    fn with_artifacts<F, T>(&self, f: F) -> Result<T>
    where
        F: FnOnce(&dyn DiceArtifacts) -> Result<T>,
    {
        let view: &dyn DiceArtifacts = self;
        f(view)
    }

    /// Replaces these artifacts with copies of `new_artifacts`, consuming the old set.
    ///
    /// NOTE(review): the consumed `self` is simply dropped at the end of this
    /// method; nothing here wipes the previous CDI bytes before they go out of scope.
    fn update(self, new_artifacts: &impl DiceArtifacts) -> Result<Self> {
        let cdi_attest = *new_artifacts.cdi_attest();
        let cdi_seal = *new_artifacts.cdi_seal();
        let bcc = new_artifacts.bcc();
        Ok(Self { cdi_attest, cdi_seal, bcc })
    }
}
64
/// Builds the artifact set this HAL serves, from the sample inputs.
///
/// The CDIs and BCC come from `make_sample_bcc_and_cdis`, i.e. fixed sample
/// values rather than anything derived from device secrets — which is why the
/// artifact type is called `InsecureSerializableArtifacts`.
///
/// Panics if the sample chain cannot be built or if a sample CDI does not have
/// exactly `dice::CDI_SIZE` bytes.
fn sample_artifacts() -> InsecureSerializableArtifacts {
    let (cdi_attest, cdi_seal, bcc) =
        make_sample_bcc_and_cdis().expect("Failed to construct sample dice chain.");
    // The struct stores the CDIs as fixed-size arrays, so the sample values are
    // converted (and length-checked) here.
    let cdi_attest: [u8; dice::CDI_SIZE] = cdi_attest[..]
        .try_into()
        .expect("Failed to convert cdi_attest to array reference.");
    let cdi_seal: [u8; dice::CDI_SIZE] = cdi_seal[..]
        .try_into()
        .expect("Failed to convert cdi_seal to array reference.");
    InsecureSerializableArtifacts { cdi_attest, cdi_seal, bcc }
}

/// Entry point of the android.hardware.security.dice service.
///
/// Sets up logging, wraps the sample artifacts in a `ResidentHal`, registers the
/// resulting `IDiceDevice` binder object under `DICE_HAL_SERVICE_NAME`, and then
/// parks the main thread in the binder thread pool. Every setup failure is fatal
/// (`expect`), which is intentional for a HAL process: there is nothing sensible
/// to serve without its artifacts or its binder registration.
fn main() {
    android_logger::init_once(
        android_logger::Config::default()
            .with_tag("android.hardware.security.dice")
            .with_min_level(log::Level::Debug),
    );
    // Route panic messages to logcat.
    panic::set_hook(Box::new(|info| log::error!("{}", info)));

    log::info!("android.hardware.security.dice is starting.");

    let artifacts = sample_artifacts();
    // SAFETY: ResidentHal cannot be used in multi threaded processes.
    // This service does not start a thread pool. The main thread is the only thread
    // joining the thread pool, thereby keeping the process single threaded.
    let resident = unsafe { ResidentHal::new(artifacts) }
        .expect("Failed to create ResidentHal implementation.");
    let hal_impl = Arc::new(resident);

    let hal = DiceDevice::new_as_binder(hal_impl).expect("Failed to construct hal service.");
    binder::add_service(DICE_HAL_SERVICE_NAME, hal.as_binder())
        .expect("Failed to register IDiceDevice Service");

    log::info!("Joining thread pool now.");
    // No extra threads were spawned: this call is the only one servicing binder
    // requests, which is the single-threaded invariant the SAFETY comment above relies on.
    binder::ProcessState::join_thread_pool();
}
108