1 // Copyright 2025 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16
17 //! Entry point to the AuthMgr-Common-Util crate which provides helper methods.
18
19 extern crate alloc;
20
21 use alloc::vec::Vec;
22 use authgraph_core::key::{
23 DiceChainEntry, AUTHORITY_HASH, COMPONENT_NAME, CONFIG_DESC, GUEST_OS_COMPONENT_NAME,
24 INSTANCE_HASH, MODE, SECURITY_VERSION,
25 };
26 use authmgr_common::{amc_err, Error, ErrorCode, Result};
27 use dice_policy::{DicePolicy, NodeConstraints, DICE_POLICY_VERSION};
28 use dice_policy_builder::{
29 constraints_on_dice_node, ConstraintSpec, ConstraintType, MissingAction, TargetEntry,
30 };
31
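/// Construct a DICE policy for a given DICE node. This is a helper function around the
/// dice_policy_builder library that caters for the AuthMgr-specific requirement of building a
/// DICE policy for a client's DICE certificate.
///
/// The returned policy holds exactly one `NodeConstraints` entry, derived from `dice_node` alone.
/// How strict that entry is depends entirely on the `constraint_spec` supplied by the caller.
///
/// # Errors
///
/// * An `UnknownError` error if the payload of `dice_node` carries no `full_map`.
/// * A `DicePolicyCreationFailed` error if `constraints_on_dice_node` returns an error; the
///   underlying error is formatted into the message.
pub fn policy_for_dice_node(
    dice_node: &DiceChainEntry,
    mut constraint_spec: Vec<ConstraintSpec>,
) -> Result<DicePolicy> {
    // Build the error lazily so that nothing is constructed when the payload map is present.
    let payload_map = dice_node
        .payload
        .full_map
        .as_ref()
        .ok_or_else(|| amc_err!(UnknownError, "DICE node payload not found"))?;
    // The spec is owned by this function and handed to the builder by mutable reference.
    let node_constraints = constraints_on_dice_node(payload_map, &mut constraint_spec)
        .map_err(|e| amc_err!(DicePolicyCreationFailed, "{}", e))?;
    Ok(DicePolicy {
        version: DICE_POLICY_VERSION,
        node_constraints_list: vec![node_constraints].into_boxed_slice(),
    })
}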
56
/// Constraints spec to create a DICE policy for a DICE cert chain of a Trusty VM.
/// Note that this is a helper method only. The implementors of AuthMgr-FE should build a
/// constraint spec according to their environment and requirements.
///
/// The returned list holds five specs, in this order:
/// 1. exact match on the authority hash, for all entries (fail if missing);
/// 2. exact match on the mode, for all entries (fail if missing);
/// 3. greater-or-equal on the security version in the config descriptor, for all entries
///    (ignored if missing);
/// 4. exact match on the instance hash in the config descriptor, for the guest OS entry
///    (fail if missing);
/// 5. greater-or-equal on the security version in the config descriptor, for the guest OS entry
///    (fail if missing).
pub fn get_constraints_spec_for_trusty_vm() -> Vec<ConstraintSpec> {
    // Each guest-OS-specific spec needs its own owned copy of the component name.
    let guest_os_entry = || TargetEntry::ByName(GUEST_OS_COMPONENT_NAME.to_string());

    let authority_hash = ConstraintSpec::new(
        ConstraintType::ExactMatch,
        vec![AUTHORITY_HASH],
        MissingAction::Fail,
        TargetEntry::All,
    );
    let mode = ConstraintSpec::new(
        ConstraintType::ExactMatch,
        vec![MODE],
        MissingAction::Fail,
        TargetEntry::All,
    );
    // NOTE(review): with `MissingAction::Ignore`, an entry that has no security version
    // presumably gets no minimum-version constraint from this spec; confirm against
    // dice_policy_builder before relying on it for rollback protection of every entry.
    let security_version_all = ConstraintSpec::new(
        ConstraintType::GreaterOrEqual,
        vec![CONFIG_DESC, SECURITY_VERSION],
        MissingAction::Ignore,
        TargetEntry::All,
    );
    let guest_os_instance_hash = ConstraintSpec::new(
        ConstraintType::ExactMatch,
        vec![CONFIG_DESC, INSTANCE_HASH],
        MissingAction::Fail,
        guest_os_entry(),
    );
    // For the guest OS entry the security version is mandatory (`MissingAction::Fail`).
    let guest_os_security_version = ConstraintSpec::new(
        ConstraintType::GreaterOrEqual,
        vec![CONFIG_DESC, SECURITY_VERSION],
        MissingAction::Fail,
        guest_os_entry(),
    );

    vec![
        authority_hash,
        mode,
        security_version_all,
        guest_os_instance_hash,
        guest_os_security_version,
    ]
}
94
/// Constraints spec for a DICE certificate of a pvm client in Trusty.
/// Note that this is a helper method only. The implementors of AuthMgr-FE should build a
/// constraint spec according to the client configurations.
///
/// The returned list holds a single spec: an exact match on the component name in the config
/// descriptor, for all entries, failing if the value is missing. It places no constraint on the
/// authority hash, mode or security version, so a caller that needs those pinned must add its
/// own specs.
pub fn get_constraint_spec_for_static_trusty_ta() -> Vec<ConstraintSpec> {
    let component_name = ConstraintSpec::new(
        ConstraintType::ExactMatch,
        vec![CONFIG_DESC, COMPONENT_NAME],
        MissingAction::Fail,
        TargetEntry::All,
    );
    vec![component_name]
}
106