• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2023, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 //! Code to inspect/manipulate the DICE Chain we receive from our loader.
16 
17 // TODO(b/279910232): Unify this, somehow, with the similar but different code in hwtrust.
18 
19 use alloc::vec;
20 use alloc::vec::Vec;
21 use ciborium::value::Value;
22 use core::fmt;
23 use core::mem::size_of;
24 use coset::{iana, Algorithm, CborSerializable, CoseKey};
25 use diced_open_dice::{BccHandover, Cdi, DiceArtifacts, DiceMode};
26 use log::trace;
27 
28 type Result<T> = core::result::Result<T, DiceChainError>;
29 
30 pub enum DiceChainError {
31     CborDecodeError,
32     CborEncodeError,
33     CosetError(coset::CoseError),
34     DiceError(diced_open_dice::DiceError),
35     Malformed(&'static str),
36     Missing,
37 }
38 
39 impl From<coset::CoseError> for DiceChainError {
from(e: coset::CoseError) -> Self40     fn from(e: coset::CoseError) -> Self {
41         Self::CosetError(e)
42     }
43 }
44 
45 impl fmt::Display for DiceChainError {
fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result46     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
47         match self {
48             Self::CborDecodeError => write!(f, "Error parsing DICE chain CBOR"),
49             Self::CborEncodeError => write!(f, "Error encoding DICE chain CBOR"),
50             Self::CosetError(e) => write!(f, "Encountered an error with coset: {e}"),
51             Self::DiceError(e) => write!(f, "Dice error: {e:?}"),
52             Self::Malformed(s) => {
53                 write!(f, "DICE chain does not have the expected CBOR structure: {s}")
54             }
55             Self::Missing => write!(f, "Missing DICE chain"),
56         }
57     }
58 }
59 
60 /// Return a new CBOR encoded BccHandover that is based on the incoming CDIs but does not chain
61 /// from the received DICE chain.
62 #[cfg_attr(test, allow(dead_code))]
truncate(handover: BccHandover) -> Result<Vec<u8>>63 pub fn truncate(handover: BccHandover) -> Result<Vec<u8>> {
64     // Note: The strings here are deliberately different from those used in a normal DICE handover
65     // because we want this to not be equivalent to any valid DICE derivation.
66     let cdi_seal = taint_cdi(handover.cdi_seal(), "TaintCdiSeal")?;
67     let cdi_attest = taint_cdi(handover.cdi_attest(), "TaintCdiAttest")?;
68 
69     // BccHandover = {
70     //   1 : bstr .size 32,     ; CDI_Attest
71     //   2 : bstr .size 32,     ; CDI_Seal
72     //   ? 3 : Bcc,             ; Certificate chain
73     // }
74     let handover: Vec<(Value, Value)> =
75         vec![(1.into(), cdi_attest.as_slice().into()), (2.into(), cdi_seal.as_slice().into())];
76     cbor_util::serialize(&handover).map_err(|_| DiceChainError::CborEncodeError)
77 }
78 
79 #[cfg_attr(test, allow(dead_code))]
taint_cdi(cdi: &Cdi, info: &str) -> Result<Cdi>80 fn taint_cdi(cdi: &Cdi, info: &str) -> Result<Cdi> {
81     // An arbitrary value generated randomly.
82     const SALT: [u8; 64] = [
83         0xdc, 0x0d, 0xe7, 0x40, 0x47, 0x9d, 0x71, 0xb8, 0x69, 0xd0, 0x71, 0x85, 0x27, 0x47, 0xf5,
84         0x65, 0x7f, 0x16, 0xfa, 0x59, 0x23, 0x19, 0x6a, 0x6b, 0x77, 0x41, 0x01, 0x45, 0x90, 0x3b,
85         0xfa, 0x68, 0xad, 0xe5, 0x26, 0x31, 0x5b, 0x40, 0x85, 0x71, 0x97, 0x12, 0xbd, 0x0b, 0x38,
86         0x5c, 0x98, 0xf3, 0x0e, 0xe1, 0x7c, 0x82, 0x23, 0xa4, 0x38, 0x38, 0x85, 0x84, 0x85, 0x0d,
87         0x02, 0x90, 0x60, 0xd3,
88     ];
89     let mut result = [0u8; size_of::<Cdi>()];
90     diced_open_dice::kdf(cdi.as_slice(), &SALT, info.as_bytes(), result.as_mut_slice())
91         .map_err(DiceChainError::DiceError)?;
92     Ok(result)
93 }
94 
95 /// Represents a (partially) decoded DICE chain.
96 pub struct DiceChainInfo {
97     is_debug_mode: bool,
98     leaf_subject_pubkey: PublicKey,
99 }
100 
101 impl DiceChainInfo {
new(handover: Option<&[u8]>) -> Result<Self>102     pub fn new(handover: Option<&[u8]>) -> Result<Self> {
103         let handover = handover.filter(|h| !h.is_empty()).ok_or(DiceChainError::Missing)?;
104 
105         // We don't attempt to fully validate the DICE chain (e.g. we don't check the signatures) -
106         // we have to trust our loader. But if it's invalid CBOR or otherwise clearly ill-formed,
107         // something is very wrong, so we fail.
108         let handover_cbor =
109             cbor_util::deserialize(handover).map_err(|_| DiceChainError::CborDecodeError)?;
110 
111         // Bcc = [
112         //   PubKeyEd25519 / PubKeyECDSA256, // DK_pub
113         //   + BccEntry,                     // Root -> leaf (KM_pub)
114         // ]
115         let dice_chain = match handover_cbor {
116             Value::Array(v) if v.len() >= 2 => v,
117             _ => return Err(DiceChainError::Malformed("Invalid top level value")),
118         };
119         // Decode all the DICE payloads to make sure they are well-formed.
120         let payloads = dice_chain
121             .into_iter()
122             .skip(1)
123             .map(|v| DiceChainEntry::new(v).payload())
124             .collect::<Result<Vec<_>>>()?;
125 
126         let is_debug_mode = is_any_payload_debug_mode(&payloads)?;
127         // Safe to unwrap because we checked the length above.
128         let leaf_subject_pubkey = payloads.last().unwrap().subject_public_key()?;
129         Ok(Self { is_debug_mode, leaf_subject_pubkey })
130     }
131 
132     /// Returns whether any node in the received DICE chain is marked as debug (and hence is not
133     /// secure).
is_debug_mode(&self) -> bool134     pub fn is_debug_mode(&self) -> bool {
135         self.is_debug_mode
136     }
137 
leaf_subject_pubkey(&self) -> &PublicKey138     pub fn leaf_subject_pubkey(&self) -> &PublicKey {
139         &self.leaf_subject_pubkey
140     }
141 }
142 
is_any_payload_debug_mode(payloads: &[DiceChainEntryPayload]) -> Result<bool>143 fn is_any_payload_debug_mode(payloads: &[DiceChainEntryPayload]) -> Result<bool> {
144     // Check if any payload in the chain is marked as Debug mode, which means the device is not
145     // secure. (Normal means it is a secure boot, for that stage at least; we ignore recovery
146     // & not configured /invalid values, since it's not clear what they would mean in this
147     // context.)
148     for payload in payloads {
149         if payload.is_debug_mode()? {
150             return Ok(true);
151         }
152     }
153     Ok(false)
154 }
155 
156 #[repr(transparent)]
157 struct DiceChainEntry(Value);
158 
159 #[derive(Debug, Clone)]
160 pub struct PublicKey {
161     /// The COSE key algorithm for the public key, representing the value of the `alg`
162     /// field in the COSE key format of the public key. See RFC 8152, section 7 for details.
163     pub cose_alg: iana::Algorithm,
164 }
165 
166 impl DiceChainEntry {
new(entry: Value) -> Self167     pub fn new(entry: Value) -> Self {
168         Self(entry)
169     }
170 
payload(&self) -> Result<DiceChainEntryPayload>171     pub fn payload(&self) -> Result<DiceChainEntryPayload> {
172         // BccEntry = [                                  // COSE_Sign1 (untagged)
173         //     protected : bstr .cbor {
174         //         1 : AlgorithmEdDSA / AlgorithmES256,  // Algorithm
175         //     },
176         //     unprotected: {},
177         //     payload: bstr .cbor BccPayload,
178         //     signature: bstr // PureEd25519(SigningKey, bstr .cbor BccEntryInput) /
179         //                     // ECDSA(SigningKey, bstr .cbor BccEntryInput)
180         //     // See RFC 8032 for details of how to encode the signature value for Ed25519.
181         // ]
182         let payload = self
183             .payload_bytes()
184             .ok_or(DiceChainError::Malformed("Invalid DiceChainEntryPayload"))?;
185         let payload =
186             cbor_util::deserialize(payload).map_err(|_| DiceChainError::CborDecodeError)?;
187         trace!("DiceChainEntryPayload: {payload:?}");
188         Ok(DiceChainEntryPayload(payload))
189     }
190 
payload_bytes(&self) -> Option<&Vec<u8>>191     fn payload_bytes(&self) -> Option<&Vec<u8>> {
192         let entry = self.0.as_array()?;
193         if entry.len() != 4 {
194             return None;
195         };
196         entry[2].as_bytes()
197     }
198 }
199 
200 const KEY_MODE: i32 = -4670551;
201 const MODE_DEBUG: u8 = DiceMode::kDiceModeDebug as u8;
202 const SUBJECT_PUBLIC_KEY: i32 = -4670552;
203 
204 #[repr(transparent)]
205 struct DiceChainEntryPayload(Value);
206 
207 impl DiceChainEntryPayload {
is_debug_mode(&self) -> Result<bool>208     pub fn is_debug_mode(&self) -> Result<bool> {
209         // BccPayload = {                     // CWT
210         // ...
211         //     ? -4670551 : bstr,             // Mode
212         // ...
213         // }
214 
215         let Some(value) = self.value_from_key(KEY_MODE) else { return Ok(false) };
216 
217         // Mode is supposed to be encoded as a 1-byte bstr, but some implementations instead
218         // encode it as an integer. Accept either. See b/273552826.
219         // If Mode is omitted, it should be treated as if it was Unknown, according to the Open
220         // Profile for DICE spec.
221         let mode = if let Some(bytes) = value.as_bytes() {
222             if bytes.len() != 1 {
223                 return Err(DiceChainError::Malformed("Invalid mode bstr"));
224             }
225             bytes[0].into()
226         } else {
227             value.as_integer().ok_or(DiceChainError::Malformed("Invalid type for mode"))?
228         };
229         Ok(mode == MODE_DEBUG.into())
230     }
231 
subject_public_key(&self) -> Result<PublicKey>232     fn subject_public_key(&self) -> Result<PublicKey> {
233         // BccPayload = {                             ; CWT [RFC8392]
234         // ...
235         //   -4670552 : bstr .cbor PubKeyEd25519 /
236         //              bstr .cbor PubKeyECDSA256 /
237         //              bstr .cbor PubKeyECDSA384,    ; Subject Public Key
238         // ...
239         // }
240         self.value_from_key(SUBJECT_PUBLIC_KEY)
241             .ok_or(DiceChainError::Malformed("Subject public key missing"))?
242             .as_bytes()
243             .ok_or(DiceChainError::Malformed("Subject public key is not a byte string"))
244             .and_then(|v| PublicKey::from_slice(v))
245     }
246 
value_from_key(&self, key: i32) -> Option<&Value>247     fn value_from_key(&self, key: i32) -> Option<&Value> {
248         // BccPayload is just a map; we only use integral keys, but in general it's legitimate
249         // for other things to be present, or for the key we care about not to be present.
250         // Ciborium represents the map as a Vec, preserving order (and allowing duplicate keys,
251         // which we ignore) but preventing fast lookup.
252         let payload = self.0.as_map()?;
253         for (k, v) in payload {
254             if k.as_integer() == Some(key.into()) {
255                 return Some(v);
256             }
257         }
258         None
259     }
260 }
261 
262 impl PublicKey {
from_slice(slice: &[u8]) -> Result<Self>263     fn from_slice(slice: &[u8]) -> Result<Self> {
264         let key = CoseKey::from_slice(slice)?;
265         let Some(Algorithm::Assigned(cose_alg)) = key.alg else {
266             return Err(DiceChainError::Malformed("Invalid algorithm in public key"));
267         };
268         Ok(Self { cose_alg })
269     }
270 }
271