author | Karuna Wadhera <kwadhera@google.com> | 2024-05-13 21:34:02 +0000 |
---|---|---|
committer | Karuna Wadhera <kwadhera@google.com> | 2024-05-13 21:40:04 +0000 |
commit | 5acf63604956082dfa94a601b57f8b85a6624687 (patch) | |
tree | dff3f17beebacd3f60787767da066265842f102d | |
parent | a5c4337c5e9be00721bf0c0443084cbef5c1ce47 (diff) | |
Revert "Change mode validation for DICE chain certs"
This reverts commit 6a21b30196741d8827e054efa5f2e33cf0ec798d.
Reason for revert: b/340296231
Change-Id: Ief2636375f8f135b28b510b1440dd172fba027c4
-rw-r--r-- | remote_provisioning/hwtrust/src/cbor/dice/chain.rs | 17 | ||||
-rw-r--r-- | remote_provisioning/hwtrust/src/cbor/dice/entry.rs | 368 | ||||
-rw-r--r-- | remote_provisioning/hwtrust/src/cbor/dice/profile.rs | 4 | ||||
-rw-r--r-- | remote_provisioning/hwtrust/src/main.rs | 6 | ||||
-rw-r--r-- | remote_provisioning/hwtrust/src/session.rs | 13 | ||||
-rw-r--r-- | remote_provisioning/hwtrust/tests/hwtrust_cli.rs | 2 |
6 files changed, 81 insertions, 329 deletions
diff --git a/remote_provisioning/hwtrust/src/cbor/dice/chain.rs b/remote_provisioning/hwtrust/src/cbor/dice/chain.rs index ae654ba..73ca7d3 100644 --- a/remote_provisioning/hwtrust/src/cbor/dice/chain.rs +++ b/remote_provisioning/hwtrust/src/cbor/dice/chain.rs @@ -29,10 +29,8 @@ impl ChainForm { let value = it.as_slice()[0].clone(); let entry = Entry::verify_cbor_value(value, &root_public_key) .context("parsing degenerate entry")?; - let is_root = true; - let fields = - PayloadFields::from_cbor(session, entry.payload(), ConfigFormat::Android, is_root) - .context("parsing degenerate payload")?; + let fields = PayloadFields::from_cbor(session, entry.payload(), ConfigFormat::Android) + .context("parsing degenerate payload")?; let chain = DegenerateChain::new(fields.issuer, fields.subject, fields.subject_public_key) .context("creating DegenerateChain")?; @@ -75,8 +73,7 @@ impl Chain { for (n, value) in values.enumerate() { let entry = Entry::verify_cbor_value(value, previous_public_key) .with_context(|| format!("Invalid entry at index {}", n))?; - let is_root = n == 0; - let config_format = if is_root + let config_format = if n == 0 && session.options.dice_profile_range.contains(ProfileVersion::Android14) { // Context: b/261647022 @@ -84,7 +81,7 @@ impl Chain { } else { ConfigFormat::default() }; - let payload = Payload::from_cbor(session, entry.payload(), config_format, is_root) + let payload = Payload::from_cbor(session, entry.payload(), config_format) .with_context(|| format!("Invalid payload at index {}", n))?; payloads.push(payload); let previous = payloads.last().unwrap(); @@ -131,7 +128,7 @@ mod tests { #[test] fn chain_form_valid_proper() { let chain = fs::read("testdata/dice/valid_ed25519.chain").unwrap(); - let session = Session { options: Options { allow_any_mode: true, ..Default::default() } }; + let session = Session { options: Options::default() }; let form = ChainForm::from_cbor(&session, &chain).unwrap(); assert!(matches!(form, ChainForm::Proper(_))); } 
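Review bot: The chain tests (`chain_form_valid_proper` here, and `check_chain_valid_ed25519` / `check_chain_valid_ed25519_value` in the next hunks) now verify `testdata/dice/valid_ed25519.chain` under `Options::default()`, and nothing on the new side records which mode values that fixture carries. The removed `allow_any_mode: true` suggests the chain is not all-Normal, so these tests presumably pass only because the mode field is no longer policy-checked; that dependency is invisible to a reader of the new code. A one-line comment above the session construction would pin it down: `// Mode values in this chain are decoded but not policy-checked (b/340296231).` The same comment fits `exit_code_for_good_chain` in tests/hwtrust_cli.rs, which drops `--allow-any-mode` for the same fixture.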
@@ -147,7 +144,7 @@ mod tests { #[test] fn check_chain_valid_ed25519() { let chain = fs::read("testdata/dice/valid_ed25519.chain").unwrap(); - let session = Session { options: Options { allow_any_mode: true, ..Default::default() } }; + let session = Session { options: Options::default() }; let chain = Chain::from_cbor(&session, &chain).unwrap(); assert_eq!(chain.payloads().len(), 8); } @@ -156,7 +153,7 @@ mod tests { fn check_chain_valid_ed25519_value() { let chain = fs::read("testdata/dice/valid_ed25519.chain").unwrap(); let chain = value_from_bytes(&chain).unwrap(); - let session = Session { options: Options { allow_any_mode: true, ..Default::default() } }; + let session = Session { options: Options::default() }; let chain = Chain::from_value(&session, chain).unwrap(); assert_eq!(chain.payloads().len(), 8); } diff --git a/remote_provisioning/hwtrust/src/cbor/dice/entry.rs b/remote_provisioning/hwtrust/src/cbor/dice/entry.rs index f102ff4..1091728 100644 --- a/remote_provisioning/hwtrust/src/cbor/dice/entry.rs +++ b/remote_provisioning/hwtrust/src/cbor/dice/entry.rs @@ -70,28 +70,18 @@ impl Payload { session: &Session, bytes: &[u8], config_format: ConfigFormat, - is_root: bool, ) -> Result<Self> { let entries = cbor_map_from_slice(bytes)?; let profile_version = PayloadFields::extract_profile_version(session, &entries)?; - Self::from_entries( - &profile_version.into(), - entries, - config_format, - is_root, - session.options.allow_any_mode, - ) + Self::from_entries(&profile_version.into(), entries, config_format) } fn from_entries( profile: &Profile, entries: Vec<(Value, Value)>, config_format: ConfigFormat, - is_root: bool, - allow_any_mode: bool, ) -> Result<Self> { - let f = - PayloadFields::from_entries(profile, entries, config_format, is_root, allow_any_mode)?; + let f = PayloadFields::from_entries(profile, entries, config_format)?; PayloadBuilder::with_subject_public_key(f.subject_public_key) .issuer(f.issuer) .subject(f.subject) 
@@ -125,17 +115,10 @@ impl PayloadFields { session: &Session, bytes: &[u8], config_format: ConfigFormat, - is_root: bool, ) -> Result<Self> { let entries = cbor_map_from_slice(bytes)?; let profile_version = Self::extract_profile_version(session, &entries)?; - Self::from_entries( - &profile_version.into(), - entries, - config_format, - is_root, - session.options.allow_any_mode, - ) + Self::from_entries(&profile_version.into(), entries, config_format) } fn extract_profile_version( @@ -173,8 +156,6 @@ impl PayloadFields { profile: &Profile, entries: Vec<(Value, Value)>, config_format: ConfigFormat, - is_root: bool, - allow_any_mode: bool, ) -> Result<Self> { let mut issuer = FieldValue::new("issuer"); let mut subject = FieldValue::new("subject"); @@ -220,7 +201,7 @@ impl PayloadFields { issuer: issuer.into_string()?, subject: subject.into_string()?, subject_public_key: validate_subject_public_key(profile, subject_public_key)?, - mode: validate_mode(profile, mode, is_root, allow_any_mode)?, + mode: validate_mode(profile, mode)?, code_desc: code_desc.into_optional_bytes()?, code_hash: code_hash.into_optional_bytes()?, config_desc, @@ -262,13 +243,8 @@ fn validate_subject_public_key( .context("parsing subject public key from COSE_key") } -fn validate_mode( - profile: &Profile, - mode: FieldValue, - is_root: bool, - allow_any_mode: bool, -) -> Result<Option<DiceMode>> { - if !mode.is_bytes() && profile.mode_type == ModeType::IntOrBytes { +fn validate_mode(profile: &Profile, mode: FieldValue) -> Result<Option<DiceMode>> { + Ok(if !mode.is_bytes() && profile.mode_type == ModeType::IntOrBytes { mode.into_optional_i64()? } else { mode.into_optional_bytes()? 
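Review bot: `validate_mode` on the new side decodes the mode field but applies no policy to the result, so its name promises more than it checks; its body continues in the next hunk (`@@ -280`), where every decoded value, including the `_ => DiceMode::NotConfigured` catch-all for unrecognised integers, is returned as `Ok`. Nothing in the function or at its call site in `PayloadFields::from_entries` says this is deliberate, which matters because a chain whose entries report Debug, Recovery or NotConfigured now verifies under `Options::default()`. A doc comment would make the contract explicit: `/// Decodes the mode field according to the profile's mode type. Every decoded mode, including NotConfigured for unrecognised values, is accepted here; no mode policy is applied (see b/340296231).` If a policy is ever reintroduced, the caller in `from_entries` is the natural place to document where it lives.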
@@ -280,26 +256,12 @@ fn validate_mode( }) .transpose()? } - .map(|mode| { - let mode = match mode { - 1 => DiceMode::Normal, - 2 => DiceMode::Debug, - 3 => DiceMode::Recovery, - _ => DiceMode::NotConfigured, - }; - - if mode != DiceMode::Normal && !allow_any_mode { - let debug_allowed = is_root && profile.allow_root_mode_debug; - ensure!(debug_allowed, "Expected mode to be normal, actual mode: {:?}", mode); - ensure!( - mode == DiceMode::Debug, - "Expected mode to be normal or debug, actual mode: {:?}", - mode - ); - } - Ok(mode) - }) - .transpose() + .map(|mode| match mode { + 1 => DiceMode::Normal, + 2 => DiceMode::Debug, + 3 => DiceMode::Recovery, + _ => DiceMode::NotConfigured, + })) } fn validate_config( @@ -422,9 +384,6 @@ mod tests { use coset::CborSerializable; use std::collections::HashMap; - const ALLOW_ANY_MODE: bool = true; - const IS_ROOT: bool = true; - impl Entry { pub(in super::super) fn from_payload(payload: &Payload) -> Result<Self> { Ok(Self { payload: serialize(payload.to_cbor_value()?) }) @@ -510,8 +469,7 @@ mod tests { fields.insert(CONFIG_HASH, Value::Bytes(config_hash)); fields.insert(AUTHORITY_HASH, Value::Bytes(vec![2; 32])); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT) - .unwrap(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap(); } #[test] 
@@ -524,16 +482,14 @@ mod tests { fields.insert(CONFIG_HASH, Value::Bytes(config_hash)); fields.insert(AUTHORITY_HASH, Value::Bytes(vec![2; 48])); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT) - .unwrap(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap(); } #[test] fn valid_payload_sha512() { let fields = valid_payload_fields(); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT) - .unwrap(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap(); } #[test] @@ -541,8 +497,7 @@ mod tests { let mut fields = valid_payload_fields(); fields.insert(KEY_USAGE, Value::Bytes(vec![0x20])); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT) - .unwrap(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap(); } #[test] @@ -550,8 +505,7 @@ mod tests { let mut fields = valid_payload_fields(); fields.insert(KEY_USAGE, Value::Bytes(vec![0x20, 0x30, 0x40])); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT) - .unwrap_err(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap_err(); } #[test] @@ -559,8 +513,7 @@ mod tests { let mut fields = valid_payload_fields(); fields.insert(KEY_USAGE, Value::Bytes(vec![0x10])); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT) - .unwrap_err(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap_err(); } #[test] 
@@ -568,22 +521,16 @@ mod tests { let mut fields = valid_payload_fields(); fields.insert(KEY_USAGE, Value::Bytes(vec![0x21])); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT) - .unwrap_err(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap_err(); } #[test] fn mode_not_configured() { let mut fields = valid_payload_fields(); fields.insert(MODE, Value::Bytes(vec![0])); - let mut session = Session { options: Options::default() }; - let serialized_fields = serialize_fields(fields); - Payload::from_cbor(&session, &serialized_fields, ConfigFormat::Android, !IS_ROOT) - .unwrap_err(); - session.set_allow_any_mode(true); + let session = Session { options: Options::default() }; let payload = - Payload::from_cbor(&session, &serialized_fields, ConfigFormat::Android, !IS_ROOT) - .unwrap(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap(); assert_eq!(payload.mode(), DiceMode::NotConfigured); } 
@@ -592,110 +539,38 @@ mod tests { let mut fields = valid_payload_fields(); fields.insert(MODE, Value::Bytes(vec![1])); let session = Session { options: Options::default() }; - let payload = Payload::from_cbor( - &session, - &serialize_fields(fields), - ConfigFormat::Android, - !IS_ROOT, - ) - .unwrap(); - assert_eq!(payload.mode(), DiceMode::Normal); - } - - #[test] - fn mode_normal_root() { - let mut fields = valid_payload_fields(); - fields.insert(MODE, Value::Bytes(vec![1])); - let session = Session { options: Options::default() }; let payload = - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, IS_ROOT) - .unwrap(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap(); assert_eq!(payload.mode(), DiceMode::Normal); } #[test] - fn mode_normal_root_debug_unexcepted() { - let mut fields = valid_payload_fields(); - fields.insert(MODE, Value::Bytes(vec![1])); - let entries = encode_fields(fields); - let profile = Profile { allow_root_mode_debug: false, ..Profile::default() }; - Payload::from_entries(&profile, entries, ConfigFormat::Android, IS_ROOT, !ALLOW_ANY_MODE) - .unwrap(); - } - - #[test] fn mode_debug() { let mut fields = valid_payload_fields(); fields.insert(MODE, Value::Bytes(vec![2])); - let mut session = Session { options: Options::default() }; - let serialized_fields = serialize_fields(fields); - Payload::from_cbor(&session, &serialized_fields, ConfigFormat::Android, !IS_ROOT) - .unwrap_err(); - session.set_allow_any_mode(true); - let payload = - Payload::from_cbor(&session, &serialized_fields, ConfigFormat::Android, !IS_ROOT) - .unwrap(); - assert_eq!(payload.mode(), DiceMode::Debug); - } - - #[test] - fn mode_debug_root() { - let mut fields = valid_payload_fields(); - fields.insert(MODE, Value::Bytes(vec![2])); let session = Session { options: Options::default() }; let payload = - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, IS_ROOT) - .unwrap(); + 
Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap(); assert_eq!(payload.mode(), DiceMode::Debug); } #[test] - fn mode_debug_root_debug_unexcepted() { - let mut fields = valid_payload_fields(); - fields.insert(MODE, Value::Bytes(vec![2])); - let entries = encode_fields(fields); - let profile = Profile { allow_root_mode_debug: false, ..Profile::default() }; - Payload::from_entries(&profile, entries, ConfigFormat::Android, IS_ROOT, !ALLOW_ANY_MODE) - .unwrap_err(); - } - - #[test] fn mode_recovery() { let mut fields = valid_payload_fields(); fields.insert(MODE, Value::Bytes(vec![3])); - let mut session = Session { options: Options::default() }; - let serialized_fields = serialize_fields(fields); - Payload::from_cbor(&session, &serialized_fields, ConfigFormat::Android, !IS_ROOT) - .unwrap_err(); - session.set_allow_any_mode(true); + let session = Session { options: Options::default() }; let payload = - Payload::from_cbor(&session, &serialized_fields, ConfigFormat::Android, !IS_ROOT) - .unwrap(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap(); assert_eq!(payload.mode(), DiceMode::Recovery); } #[test] - fn mode_recovery_root() { - let mut fields = valid_payload_fields(); - fields.insert(MODE, Value::Bytes(vec![3])); - let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, IS_ROOT) - .unwrap_err(); - } - - #[test] fn mode_invalid_becomes_not_configured() { let mut fields = valid_payload_fields(); fields.insert(MODE, Value::Bytes(vec![4])); - let mut session = Session { options: Options::default() }; - session.set_allow_any_mode(true); - let payload = Payload::from_cbor( - &session, - &serialize_fields(fields), - ConfigFormat::Android, - !IS_ROOT, - ) - .unwrap(); + let session = Session { options: Options::default() }; + let payload = + Payload::from_cbor(&session, &serialize_fields(fields), 
ConfigFormat::Android).unwrap(); assert_eq!(payload.mode(), DiceMode::NotConfigured); } @@ -704,8 +579,7 @@ mod tests { let mut fields = valid_payload_fields(); fields.insert(MODE, Value::Bytes(vec![0, 1])); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT) - .unwrap_err(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap_err(); } #[test] @@ -713,23 +587,10 @@ mod tests { let mut fields = valid_payload_fields(); fields.insert(MODE, Value::from(2)); let entries = encode_fields(fields); - Payload::from_entries( - &Profile::default(), - entries.clone(), - ConfigFormat::Android, - !IS_ROOT, - ALLOW_ANY_MODE, - ) - .unwrap_err(); + Payload::from_entries(&Profile::default(), entries.clone(), ConfigFormat::Android) + .unwrap_err(); let profile = Profile { mode_type: ModeType::IntOrBytes, ..Profile::default() }; - let payload = Payload::from_entries( - &profile, - entries, - ConfigFormat::Android, - !IS_ROOT, - ALLOW_ANY_MODE, - ) - .unwrap(); + let payload = Payload::from_entries(&profile, entries, ConfigFormat::Android).unwrap(); assert_eq!(payload.mode(), DiceMode::Debug); } @@ -738,8 +599,7 @@ mod tests { let mut fields = valid_payload_fields(); fields.insert(SUBJECT_PUBLIC_KEY, Value::Bytes(vec![17; 64])); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT) - .unwrap_err(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap_err(); } #[test] @@ -748,7 +608,7 @@ mod tests { fields.insert(KEY_USAGE, Value::Bytes(vec![0x20, 0x00, 0x00])); let cbor = serialize_fields(fields); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap(); + Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap(); } #[test] 
@@ -757,7 +617,7 @@ mod tests { fields.insert(KEY_USAGE, Value::Bytes(vec![0x20, 0xbe, 0xef])); let cbor = serialize_fields(fields); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap_err(); + Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap_err(); } #[test] @@ -765,17 +625,10 @@ mod tests { let mut fields = valid_payload_fields(); fields.insert(KEY_USAGE, Value::Bytes(vec![0x00, 0x20])); let entries = encode_fields(fields); - Payload::from_entries( - &Profile::default(), - entries.clone(), - ConfigFormat::Android, - false, - false, - ) - .unwrap_err(); + Payload::from_entries(&Profile::default(), entries.clone(), ConfigFormat::Android) + .unwrap_err(); let profile = Profile { allow_big_endian_key_usage: true, ..Profile::default() }; - Payload::from_entries(&profile, entries, ConfigFormat::Android, !IS_ROOT, !ALLOW_ANY_MODE) - .unwrap(); + Payload::from_entries(&profile, entries, ConfigFormat::Android).unwrap(); } #[test] @@ -783,17 +636,10 @@ mod tests { let mut fields = valid_payload_fields(); fields.insert(KEY_USAGE, Value::Bytes(vec![0x00, 0xfe, 0x20])); let entries = encode_fields(fields); - Payload::from_entries( - &Profile::default(), - entries.clone(), - ConfigFormat::Android, - false, - false, - ) - .unwrap_err(); - let profile = Profile { allow_big_endian_key_usage: true, ..Profile::default() }; - Payload::from_entries(&profile, entries, ConfigFormat::Android, !IS_ROOT, !ALLOW_ANY_MODE) + Payload::from_entries(&Profile::default(), entries.clone(), ConfigFormat::Android) .unwrap_err(); + let profile = Profile { allow_big_endian_key_usage: true, ..Profile::default() }; + Payload::from_entries(&profile, entries, ConfigFormat::Android).unwrap_err(); } #[test] 
@@ -801,17 +647,10 @@ mod tests { let mut fields = valid_payload_fields(); fields.insert(KEY_USAGE, Value::Bytes(vec![0x00, 0x10])); let entries = encode_fields(fields); - Payload::from_entries( - &Profile::default(), - entries.clone(), - ConfigFormat::Android, - false, - false, - ) - .unwrap_err(); - let profile = Profile { allow_big_endian_key_usage: true, ..Profile::default() }; - Payload::from_entries(&profile, entries, ConfigFormat::Android, !IS_ROOT, !ALLOW_ANY_MODE) + Payload::from_entries(&Profile::default(), entries.clone(), ConfigFormat::Android) .unwrap_err(); + let profile = Profile { allow_big_endian_key_usage: true, ..Profile::default() }; + Payload::from_entries(&profile, entries, ConfigFormat::Android).unwrap_err(); } #[test] @@ -819,17 +658,10 @@ mod tests { let mut fields = valid_payload_fields(); fields.insert(KEY_USAGE, Value::Bytes(vec![])); let entries = encode_fields(fields); - Payload::from_entries( - &Profile::default(), - entries.clone(), - ConfigFormat::Android, - false, - false, - ) - .unwrap_err(); - let profile = Profile { allow_big_endian_key_usage: true, ..Profile::default() }; - Payload::from_entries(&profile, entries, ConfigFormat::Android, !IS_ROOT, !ALLOW_ANY_MODE) + Payload::from_entries(&Profile::default(), entries.clone(), ConfigFormat::Android) .unwrap_err(); + let profile = Profile { allow_big_endian_key_usage: true, ..Profile::default() }; + Payload::from_entries(&profile, entries, ConfigFormat::Android).unwrap_err(); } #[test] @@ -840,8 +672,7 @@ mod tests { fields.insert(CONFIG_DESC, Value::Bytes(config_desc)); fields.insert(CONFIG_HASH, Value::Bytes(config_hash)); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT) - .unwrap(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap(); } #[test] 
@@ -852,8 +683,7 @@ mod tests { fields.insert(CONFIG_DESC, Value::Bytes(config_desc)); fields.insert(CONFIG_HASH, Value::Bytes(config_hash)); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT) - .unwrap_err(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap_err(); } #[test] @@ -864,8 +694,7 @@ mod tests { fields.insert(CONFIG_DESC, Value::Bytes(config_desc)); fields.insert(CONFIG_HASH, Value::Bytes(config_hash)); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT) - .unwrap_err(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap_err(); } #[test] @@ -876,8 +705,7 @@ mod tests { fields.insert(CONFIG_DESC, Value::Bytes(config_desc)); fields.insert(CONFIG_HASH, Value::Bytes(config_hash)); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT) - .unwrap(); + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap(); } #[test] @@ -888,13 +716,8 @@ mod tests { fields.insert(CONFIG_DESC, Value::Bytes(config_desc)); fields.insert(CONFIG_HASH, Value::Bytes(config_hash)); let session = Session { options: Options::default() }; - let payload = Payload::from_cbor( - &session, - &serialize_fields(fields), - ConfigFormat::Android, - !IS_ROOT, - ) - .unwrap(); + let payload = + Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap(); let extensions = payload.config_desc().extensions(); let extensions = HashMap::<_, _>::from_iter(extensions.to_owned()); assert_eq!(extensions.get("-71000").unwrap(), "Text(\"custom hi\")"); 
@@ -908,9 +731,8 @@ mod tests { fields.insert(CONFIG_DESC, Value::Bytes(vec![0xcd; 64])); let cbor = serialize_fields(fields); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &cbor, ConfigFormat::Android, false).unwrap_err(); - let payload = - Payload::from_cbor(&session, &cbor, ConfigFormat::AndroidOrIgnored, !IS_ROOT).unwrap(); + Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap_err(); + let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::AndroidOrIgnored).unwrap(); assert_eq!(payload.config_desc(), &ConfigDesc::default()); } @@ -926,22 +748,9 @@ mod tests { let entries = encode_fields(fields); let profile = Profile { component_version_type: ComponentVersionType::Int, ..Profile::default() }; - Payload::from_entries( - &profile, - entries.clone(), - ConfigFormat::Android, - !IS_ROOT, - !ALLOW_ANY_MODE, - ) - .unwrap_err(); - let payload = Payload::from_entries( - &Profile::default(), - entries, - ConfigFormat::Android, - false, - false, - ) - .unwrap(); + Payload::from_entries(&profile, entries.clone(), ConfigFormat::Android).unwrap_err(); + let payload = + Payload::from_entries(&Profile::default(), entries, ConfigFormat::Android).unwrap(); assert_eq!( payload.config_desc().component_version(), Some(&ComponentVersion::String("It's version 4".to_string())) @@ -957,7 +766,7 @@ mod tests { fields.insert(CONFIG_HASH, Value::Bytes(config_hash)); let cbor = serialize_fields(fields); let session = Session { options: Options::default() }; - let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap(); + let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap(); assert_eq!(payload.config_desc().security_version(), Some(0x12345678)); } 
@@ -969,23 +778,10 @@ mod tests { fields.insert(CONFIG_DESC, Value::Bytes(config_desc)); fields.insert(CONFIG_HASH, Value::Bytes(config_hash)); let entries = encode_fields(fields); - Payload::from_entries( - &Profile::default(), - entries.clone(), - ConfigFormat::Android, - false, - false, - ) - .unwrap_err(); + Payload::from_entries(&Profile::default(), entries.clone(), ConfigFormat::Android) + .unwrap_err(); let profile = Profile { security_version_optional: true, ..Profile::default() }; - let payload = Payload::from_entries( - &profile, - entries, - ConfigFormat::Android, - !IS_ROOT, - !ALLOW_ANY_MODE, - ) - .unwrap(); + let payload = Payload::from_entries(&profile, entries, ConfigFormat::Android).unwrap(); assert_eq!(payload.config_desc().security_version(), None); } @@ -1002,7 +798,7 @@ mod tests { fields.insert(CONFIG_HASH, Value::Bytes(config_hash)); let cbor = serialize_fields(fields); let session = Session { options: Options::default() }; - let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap(); + let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap(); assert_eq!(payload.config_desc().security_version(), Some(0xcafe)); } @@ -1013,7 +809,7 @@ mod tests { fields.insert(CONFIG_DESC, Value::Bytes(config_desc)); let cbor = serialize_fields(fields); let session = Session { options: Options::default() }; - Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap_err(); + Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap_err(); } #[test] @@ -1025,7 +821,7 @@ mod tests { fields.insert(CONFIG_HASH, Value::Bytes(config_hash)); let cbor = serialize_fields(fields); let session = Session { options: Options::default() }; - let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap(); + let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap(); assert!(payload.config_desc().resettable()); } 
@@ -1038,7 +834,7 @@ mod tests { fields.insert(CONFIG_HASH, Value::Bytes(config_hash)); let cbor = serialize_fields(fields); let session = Session { options: Options::default() }; - let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap(); + let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap(); assert!(payload.config_desc().rkp_vm_marker()); } @@ -1051,7 +847,7 @@ mod tests { fields.insert(CONFIG_HASH, Value::Bytes(config_hash)); let cbor = serialize_fields(fields); let session = Session { options: Options::default() }; - let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap(); + let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap(); assert!(!payload.config_desc().resettable()); assert!(!payload.config_desc().rkp_vm_marker()); } @@ -1061,14 +857,7 @@ mod tests { let mut fields = valid_payload_fields(); fields.remove(&CONFIG_HASH); let entries = encode_fields(fields); - Payload::from_entries( - &Profile::default(), - entries, - ConfigFormat::Android, - !IS_ROOT, - !ALLOW_ANY_MODE, - ) - .unwrap_err(); + Payload::from_entries(&Profile::default(), entries, ConfigFormat::Android).unwrap_err(); } #[test] @@ -1084,17 +873,10 @@ mod tests { .unwrap(); fields.insert(SUBJECT_PUBLIC_KEY, Value::Bytes(serialize(subject_public_key))); let entries = encode_fields(fields); - Payload::from_entries( - &Profile::default(), - entries.clone(), - ConfigFormat::Android, - false, - false, - ) - .unwrap_err(); + Payload::from_entries(&Profile::default(), entries.clone(), ConfigFormat::Android) + .unwrap_err(); let profile = Profile { key_ops_type: KeyOpsType::IntOrArray, ..Profile::default() }; - Payload::from_entries(&profile, entries, ConfigFormat::Android, !IS_ROOT, !ALLOW_ANY_MODE) - .unwrap(); + Payload::from_entries(&profile, entries, ConfigFormat::Android).unwrap(); } #[test] 
@@ -1111,7 +893,6 @@ mod tests { let session = Session { options: Options { dice_profile_range: DiceProfileRange::new(expected_version, expected_version), - ..Default::default() }, }; let profile_version = @@ -1128,7 +909,6 @@ mod tests { ProfileVersion::Android13, ProfileVersion::Android16, ), - ..Default::default() }, }; let mut fields = valid_payload_fields(); @@ -1145,7 +925,6 @@ mod tests { ProfileVersion::Android13, ProfileVersion::Android16, ), - ..Default::default() }, }; let mut fields = valid_payload_fields(); @@ -1163,7 +942,6 @@ mod tests { ProfileVersion::Android15, ProfileVersion::Android15, ), - ..Default::default() }, }; let mut fields = valid_payload_fields(); @@ -1185,7 +963,6 @@ mod tests { expected_version, ProfileVersion::Android16, ), - ..Default::default() }, }; let profile_version = @@ -1204,7 +981,6 @@ mod tests { min_version, ProfileVersion::Android16, ), - ..Default::default() }, }; PayloadFields::extract_profile_version(&session, &entries).unwrap_err(); @@ -1227,7 +1003,7 @@ mod tests { (CONFIG_DESC, Value::Bytes(config_desc)), (CONFIG_HASH, Value::Bytes(config_hash)), (AUTHORITY_HASH, Value::Bytes(vec![2; 64])), - (MODE, Value::Bytes(vec![1])), + (MODE, Value::Bytes(vec![0])), ]) } diff --git a/remote_provisioning/hwtrust/src/cbor/dice/profile.rs b/remote_provisioning/hwtrust/src/cbor/dice/profile.rs index 9d5e8b2..de28d3f 100644 --- a/remote_provisioning/hwtrust/src/cbor/dice/profile.rs +++ b/remote_provisioning/hwtrust/src/cbor/dice/profile.rs @@ -34,9 +34,6 @@ pub(super) struct Profile { /// Whether the security version is a required field in the configuration descriptor. pub(super) security_version_optional: bool, - - /// Whether the root certificate is allowed to have its mode set to debug. - pub(super) allow_root_mode_debug: bool, } /// Type allowed for the DICE certificate mode field. 
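Review bot: `valid_payload_fields` now seeds `MODE` with `Value::Bytes(vec![0])`, which `validate_mode` maps to `DiceMode::NotConfigured` (the `mode_not_configured` test asserts exactly that), so the baseline "valid" payload shared by most tests in this module no longer represents a Normal-mode certificate. That is consistent with the decode-only `validate_mode` on the new side, but a reader skimming the fixture will reasonably assume a valid payload means mode Normal. A comment on that entry would prevent the misreading: `// 0 decodes to DiceMode::NotConfigured; mode is not policy-checked (b/340296231).` The explicit `vec![1]` case is still covered by `mode_normal` in an earlier hunk, so no test coverage is lost by the fixture change.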
@@ -82,7 +79,6 @@ impl Profile { allow_big_endian_key_usage: true, config_hash_unverified: true, security_version_optional: true, - allow_root_mode_debug: true, ..Self::default() } } diff --git a/remote_provisioning/hwtrust/src/main.rs b/remote_provisioning/hwtrust/src/main.rs index a95dd10..d5d8a61 100644 --- a/remote_provisioning/hwtrust/src/main.rs +++ b/remote_provisioning/hwtrust/src/main.rs @@ -46,9 +46,6 @@ enum Action { struct DiceChainArgs { /// Path to a file containing a DICE chain chain: String, - /// Allow non-normal modes - #[clap(long)] - allow_any_mode: bool, } #[derive(Parser)] @@ -127,8 +124,7 @@ fn main() -> Result<()> { } fn verify_dice_chain(args: &Args, sub_args: &DiceChainArgs) -> Result<()> { - let mut session = session_from_vsr(args.vsr); - session.set_allow_any_mode(sub_args.allow_any_mode); + let session = session_from_vsr(args.vsr); let chain = dice::Chain::from_cbor(&session, &fs::read(&sub_args.chain)?)?; if args.verbose { print!("{}", chain); diff --git a/remote_provisioning/hwtrust/src/session.rs b/remote_provisioning/hwtrust/src/session.rs index b9701dc..0b90ed6 100644 --- a/remote_provisioning/hwtrust/src/session.rs +++ b/remote_provisioning/hwtrust/src/session.rs @@ -15,15 +15,6 @@ pub struct Session { pub struct Options { /// The range of supported Android Profile for DICE versions. pub dice_profile_range: DiceProfileRange, - /// Allows DICE chains to have non-normal mode values. - pub allow_any_mode: bool, -} - -impl Session { - /// Set allow_any_mode. - pub fn set_allow_any_mode(&mut self, allow_any_mode: bool) { - self.options.allow_any_mode = allow_any_mode - } } /// An inclusive range of Android Profile for DICE versions. @@ -66,7 +57,6 @@ impl Options { ProfileVersion::Android13, ProfileVersion::Android13, ), - ..Default::default() } } @@ -77,7 +67,6 @@ impl Options { ProfileVersion::Android14, ProfileVersion::Android14, ), - ..Default::default() } } 
@@ -88,7 +77,6 @@ impl Options { ProfileVersion::Android14, ProfileVersion::Android15, ), - ..Default::default() } } @@ -99,7 +87,6 @@ impl Options { ProfileVersion::Android14, ProfileVersion::Android16, ), - ..Default::default() } } } diff --git a/remote_provisioning/hwtrust/tests/hwtrust_cli.rs b/remote_provisioning/hwtrust/tests/hwtrust_cli.rs index a0c7289..8136a7d 100644 --- a/remote_provisioning/hwtrust/tests/hwtrust_cli.rs +++ b/remote_provisioning/hwtrust/tests/hwtrust_cli.rs @@ -8,7 +8,7 @@ fn hwtrust_bin() -> &'static str { #[test] fn exit_code_for_good_chain() { let output = Command::new(hwtrust_bin()) - .args(["dice-chain", "--allow-any-mode", "testdata/dice/valid_ed25519.chain"]) + .args(["dice-chain", "testdata/dice/valid_ed25519.chain"]) .output() .unwrap(); assert!(output.status.success()); |