• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2024 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //      http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16 
17 //! Unit tests for the AuthMgr BE core functionality using different trait implementations.
18 use crate::mock_storage::MockPersistentStorage;
19 use crate::AuthMgrBeDevice;
20 use authgraph_core::key::{CertChain, DiceChainEntry, InstanceIdentifier, Policy};
21 use authgraph_core_test::{
22     create_dice_cert_chain_for_guest_os, create_dice_leaf_cert, CdiValues, SAMPLE_INSTANCE_HASH,
23 };
24 use authmgr_be::authorization::AuthMgrBE;
25 use authmgr_be::data_structures::MemoryLimits;
26 use authmgr_be_test::{test_auth_mgr_protocol_succeeds_single_pvm, Client, PVM};
27 use authmgr_common::signed_connection_request::TEMP_AUTHMGR_BE_TRANSPORT_ID;
28 use authmgr_common_util::{
29     get_constraint_spec_for_static_trusty_ta, get_constraints_spec_for_trusty_vm,
30     policy_for_dice_node,
31 };
32 use coset::CborSerializable;
33 use std::collections::HashMap;
34 
35 const HWCRYPTO_SERVICE_NAME: &str = "hwcrypto";
36 const SECURE_STORAGE_SERVICE_NAME: &str = "secure_storage";
37 
38 #[test]
test_auth_mgr_protocol_single_pvm()39 fn test_auth_mgr_protocol_single_pvm() {
40     // Create a single persistent pvm with two clients, with the corresponding entries in the
41     // AuthMgrBeDevice
42     let (sign_key, cdi_values, dice_cert) =
43         create_dice_cert_chain_for_guest_os(Some(SAMPLE_INSTANCE_HASH), 1);
44     let cert_chain = CertChain::from_slice(&dice_cert).expect("error in decoding the dice cert");
45     let pvm_instance_id = cert_chain
46         .extract_instance_identifier_in_guest_os_entry()
47         .expect("error in extracting instance id")
48         .unwrap();
49     let constraint_spec = get_constraints_spec_for_trusty_vm();
50 
51     let dice_policy = Policy(
52         dice_policy_builder::policy_for_dice_chain(&dice_cert, constraint_spec)
53             .expect("failed to build DICE policy for pvm")
54             .to_vec()
55             .expect("failed to encode DICE policy for pvm"),
56     );
57 
58     let transport_id = u16::from_le_bytes([0x08, 0x04]);
59     let crypto_traits = crate::crypto_trait_impls();
60     let mut pvm = PVM::new(
61         cert_chain,
62         dice_policy.clone(),
63         sign_key,
64         crypto_traits.ecdsa,
65         crypto_traits.rng,
66         transport_id,
67     );
68 
69     let leaf_cert_bytes_km = create_dice_leaf_cert(
70         CdiValues { cdi_attest: cdi_values.cdi_attest, cdi_seal: cdi_values.cdi_seal },
71         "keymint",
72         1,
73     );
74     let dice_leaf_km =
75         DiceChainEntry::from_slice(&leaf_cert_bytes_km).expect("error in decoding leaf cert");
76     let client_constraint_spec_km = get_constraint_spec_for_static_trusty_ta();
77     let dice_leaf_policy_km = Policy(
78         policy_for_dice_node(&dice_leaf_km, client_constraint_spec_km)
79             .expect("failed to create dice policy for keymint")
80             .to_vec()
81             .expect("failed to encode policy for keymint TA"),
82     );
83     let km_ta = Client::new(
84         dice_leaf_km,
85         dice_leaf_policy_km,
86         vec![HWCRYPTO_SERVICE_NAME.to_string(), SECURE_STORAGE_SERVICE_NAME.to_string()],
87         crate::crypto_trait_impls().rng,
88     );
89     pvm.add_client(km_ta);
90 
91     let leaf_cert_bytes_wv = create_dice_leaf_cert(cdi_values, "widevine", 1);
92     let dice_leaf_wv =
93         DiceChainEntry::from_slice(&leaf_cert_bytes_wv).expect("error in decoding leaf cert");
94     let client_constraint_spec_wv = get_constraint_spec_for_static_trusty_ta();
95     let dice_leaf_policy_wv = Policy(
96         policy_for_dice_node(&dice_leaf_wv, client_constraint_spec_wv)
97             .expect("failed to create dice policy for widevine")
98             .to_vec()
99             .expect("failed to encode policy for widevine TA"),
100     );
101     let wv_ta = Client::new(
102         dice_leaf_wv,
103         dice_leaf_policy_wv,
104         vec![HWCRYPTO_SERVICE_NAME.to_string(), SECURE_STORAGE_SERVICE_NAME.to_string()],
105         crate::crypto_trait_impls().rng,
106     );
107     pvm.add_client(wv_ta);
108 
109     let mut allowed_persistent_instances = HashMap::<InstanceIdentifier, Policy>::new();
110     allowed_persistent_instances.insert(pvm_instance_id.clone(), dice_policy);
111 
112     let device = AuthMgrBeDevice::new(TEMP_AUTHMGR_BE_TRANSPORT_ID, allowed_persistent_instances);
113 
114     let mut authmgr_be = AuthMgrBE::new(
115         crate::crypto_trait_impls(),
116         Box::new(device),
117         Box::new(MockPersistentStorage::new()),
118         MemoryLimits::default(),
119     )
120     .expect("error in creating AuthMgrBE.");
121 
122     test_auth_mgr_protocol_succeeds_single_pvm(&mut authmgr_be, pvm);
123 }
124