summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKaruna Wadhera <kwadhera@google.com>2024-05-13 21:34:02 +0000
committerKaruna Wadhera <kwadhera@google.com>2024-05-13 21:40:04 +0000
commit5acf63604956082dfa94a601b57f8b85a6624687 (patch)
treedff3f17beebacd3f60787767da066265842f102d
parenta5c4337c5e9be00721bf0c0443084cbef5c1ce47 (diff)
downloadsecurity-5acf63604956082dfa94a601b57f8b85a6624687.tar.gz
Revert "Change mode validation for DICE chain certs"
This reverts commit 6a21b30196741d8827e054efa5f2e33cf0ec798d. Reason for revert: b/340296231 Change-Id: Ief2636375f8f135b28b510b1440dd172fba027c4
Diffstat
-rw-r--r--remote_provisioning/hwtrust/src/cbor/dice/chain.rs17
-rw-r--r--remote_provisioning/hwtrust/src/cbor/dice/entry.rs368
-rw-r--r--remote_provisioning/hwtrust/src/cbor/dice/profile.rs4
-rw-r--r--remote_provisioning/hwtrust/src/main.rs6
-rw-r--r--remote_provisioning/hwtrust/src/session.rs13
-rw-r--r--remote_provisioning/hwtrust/tests/hwtrust_cli.rs2
6 files changed, 81 insertions, 329 deletions
diff --git a/remote_provisioning/hwtrust/src/cbor/dice/chain.rs b/remote_provisioning/hwtrust/src/cbor/dice/chain.rs
index ae654ba..73ca7d3 100644
--- a/remote_provisioning/hwtrust/src/cbor/dice/chain.rs
+++ b/remote_provisioning/hwtrust/src/cbor/dice/chain.rs
@@ -29,10 +29,8 @@ impl ChainForm {
let value = it.as_slice()[0].clone();
let entry = Entry::verify_cbor_value(value, &root_public_key)
.context("parsing degenerate entry")?;
- let is_root = true;
- let fields =
- PayloadFields::from_cbor(session, entry.payload(), ConfigFormat::Android, is_root)
- .context("parsing degenerate payload")?;
+ let fields = PayloadFields::from_cbor(session, entry.payload(), ConfigFormat::Android)
+ .context("parsing degenerate payload")?;
let chain =
DegenerateChain::new(fields.issuer, fields.subject, fields.subject_public_key)
.context("creating DegenerateChain")?;
@@ -75,8 +73,7 @@ impl Chain {
for (n, value) in values.enumerate() {
let entry = Entry::verify_cbor_value(value, previous_public_key)
.with_context(|| format!("Invalid entry at index {}", n))?;
- let is_root = n == 0;
- let config_format = if is_root
+ let config_format = if n == 0
&& session.options.dice_profile_range.contains(ProfileVersion::Android14)
{
// Context: b/261647022
@@ -84,7 +81,7 @@ impl Chain {
} else {
ConfigFormat::default()
};
- let payload = Payload::from_cbor(session, entry.payload(), config_format, is_root)
+ let payload = Payload::from_cbor(session, entry.payload(), config_format)
.with_context(|| format!("Invalid payload at index {}", n))?;
payloads.push(payload);
let previous = payloads.last().unwrap();
@@ -131,7 +128,7 @@ mod tests {
#[test]
fn chain_form_valid_proper() {
let chain = fs::read("testdata/dice/valid_ed25519.chain").unwrap();
- let session = Session { options: Options { allow_any_mode: true, ..Default::default() } };
+ let session = Session { options: Options::default() };
let form = ChainForm::from_cbor(&session, &chain).unwrap();
assert!(matches!(form, ChainForm::Proper(_)));
}
@@ -147,7 +144,7 @@ mod tests {
#[test]
fn check_chain_valid_ed25519() {
let chain = fs::read("testdata/dice/valid_ed25519.chain").unwrap();
- let session = Session { options: Options { allow_any_mode: true, ..Default::default() } };
+ let session = Session { options: Options::default() };
let chain = Chain::from_cbor(&session, &chain).unwrap();
assert_eq!(chain.payloads().len(), 8);
}
@@ -156,7 +153,7 @@ mod tests {
fn check_chain_valid_ed25519_value() {
let chain = fs::read("testdata/dice/valid_ed25519.chain").unwrap();
let chain = value_from_bytes(&chain).unwrap();
- let session = Session { options: Options { allow_any_mode: true, ..Default::default() } };
+ let session = Session { options: Options::default() };
let chain = Chain::from_value(&session, chain).unwrap();
assert_eq!(chain.payloads().len(), 8);
}
diff --git a/remote_provisioning/hwtrust/src/cbor/dice/entry.rs b/remote_provisioning/hwtrust/src/cbor/dice/entry.rs
index f102ff4..1091728 100644
--- a/remote_provisioning/hwtrust/src/cbor/dice/entry.rs
+++ b/remote_provisioning/hwtrust/src/cbor/dice/entry.rs
@@ -70,28 +70,18 @@ impl Payload {
session: &Session,
bytes: &[u8],
config_format: ConfigFormat,
- is_root: bool,
) -> Result<Self> {
let entries = cbor_map_from_slice(bytes)?;
let profile_version = PayloadFields::extract_profile_version(session, &entries)?;
- Self::from_entries(
- &profile_version.into(),
- entries,
- config_format,
- is_root,
- session.options.allow_any_mode,
- )
+ Self::from_entries(&profile_version.into(), entries, config_format)
}
fn from_entries(
profile: &Profile,
entries: Vec<(Value, Value)>,
config_format: ConfigFormat,
- is_root: bool,
- allow_any_mode: bool,
) -> Result<Self> {
- let f =
- PayloadFields::from_entries(profile, entries, config_format, is_root, allow_any_mode)?;
+ let f = PayloadFields::from_entries(profile, entries, config_format)?;
PayloadBuilder::with_subject_public_key(f.subject_public_key)
.issuer(f.issuer)
.subject(f.subject)
@@ -125,17 +115,10 @@ impl PayloadFields {
session: &Session,
bytes: &[u8],
config_format: ConfigFormat,
- is_root: bool,
) -> Result<Self> {
let entries = cbor_map_from_slice(bytes)?;
let profile_version = Self::extract_profile_version(session, &entries)?;
- Self::from_entries(
- &profile_version.into(),
- entries,
- config_format,
- is_root,
- session.options.allow_any_mode,
- )
+ Self::from_entries(&profile_version.into(), entries, config_format)
}
fn extract_profile_version(
@@ -173,8 +156,6 @@ impl PayloadFields {
profile: &Profile,
entries: Vec<(Value, Value)>,
config_format: ConfigFormat,
- is_root: bool,
- allow_any_mode: bool,
) -> Result<Self> {
let mut issuer = FieldValue::new("issuer");
let mut subject = FieldValue::new("subject");
@@ -220,7 +201,7 @@ impl PayloadFields {
issuer: issuer.into_string()?,
subject: subject.into_string()?,
subject_public_key: validate_subject_public_key(profile, subject_public_key)?,
- mode: validate_mode(profile, mode, is_root, allow_any_mode)?,
+ mode: validate_mode(profile, mode)?,
code_desc: code_desc.into_optional_bytes()?,
code_hash: code_hash.into_optional_bytes()?,
config_desc,
@@ -262,13 +243,8 @@ fn validate_subject_public_key(
.context("parsing subject public key from COSE_key")
}
-fn validate_mode(
- profile: &Profile,
- mode: FieldValue,
- is_root: bool,
- allow_any_mode: bool,
-) -> Result<Option<DiceMode>> {
- if !mode.is_bytes() && profile.mode_type == ModeType::IntOrBytes {
+fn validate_mode(profile: &Profile, mode: FieldValue) -> Result<Option<DiceMode>> {
+ Ok(if !mode.is_bytes() && profile.mode_type == ModeType::IntOrBytes {
mode.into_optional_i64()?
} else {
mode.into_optional_bytes()?
@@ -280,26 +256,12 @@ fn validate_mode(
})
.transpose()?
}
- .map(|mode| {
- let mode = match mode {
- 1 => DiceMode::Normal,
- 2 => DiceMode::Debug,
- 3 => DiceMode::Recovery,
- _ => DiceMode::NotConfigured,
- };
-
- if mode != DiceMode::Normal && !allow_any_mode {
- let debug_allowed = is_root && profile.allow_root_mode_debug;
- ensure!(debug_allowed, "Expected mode to be normal, actual mode: {:?}", mode);
- ensure!(
- mode == DiceMode::Debug,
- "Expected mode to be normal or debug, actual mode: {:?}",
- mode
- );
- }
- Ok(mode)
- })
- .transpose()
+ .map(|mode| match mode {
+ 1 => DiceMode::Normal,
+ 2 => DiceMode::Debug,
+ 3 => DiceMode::Recovery,
+ _ => DiceMode::NotConfigured,
+ }))
}
fn validate_config(
@@ -422,9 +384,6 @@ mod tests {
use coset::CborSerializable;
use std::collections::HashMap;
- const ALLOW_ANY_MODE: bool = true;
- const IS_ROOT: bool = true;
-
impl Entry {
pub(in super::super) fn from_payload(payload: &Payload) -> Result<Self> {
Ok(Self { payload: serialize(payload.to_cbor_value()?) })
@@ -510,8 +469,7 @@ mod tests {
fields.insert(CONFIG_HASH, Value::Bytes(config_hash));
fields.insert(AUTHORITY_HASH, Value::Bytes(vec![2; 32]));
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT)
- .unwrap();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap();
}
#[test]
@@ -524,16 +482,14 @@ mod tests {
fields.insert(CONFIG_HASH, Value::Bytes(config_hash));
fields.insert(AUTHORITY_HASH, Value::Bytes(vec![2; 48]));
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT)
- .unwrap();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap();
}
#[test]
fn valid_payload_sha512() {
let fields = valid_payload_fields();
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT)
- .unwrap();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap();
}
#[test]
@@ -541,8 +497,7 @@ mod tests {
let mut fields = valid_payload_fields();
fields.insert(KEY_USAGE, Value::Bytes(vec![0x20]));
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT)
- .unwrap();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap();
}
#[test]
@@ -550,8 +505,7 @@ mod tests {
let mut fields = valid_payload_fields();
fields.insert(KEY_USAGE, Value::Bytes(vec![0x20, 0x30, 0x40]));
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT)
- .unwrap_err();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap_err();
}
#[test]
@@ -559,8 +513,7 @@ mod tests {
let mut fields = valid_payload_fields();
fields.insert(KEY_USAGE, Value::Bytes(vec![0x10]));
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT)
- .unwrap_err();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap_err();
}
#[test]
@@ -568,22 +521,16 @@ mod tests {
let mut fields = valid_payload_fields();
fields.insert(KEY_USAGE, Value::Bytes(vec![0x21]));
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT)
- .unwrap_err();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap_err();
}
#[test]
fn mode_not_configured() {
let mut fields = valid_payload_fields();
fields.insert(MODE, Value::Bytes(vec![0]));
- let mut session = Session { options: Options::default() };
- let serialized_fields = serialize_fields(fields);
- Payload::from_cbor(&session, &serialized_fields, ConfigFormat::Android, !IS_ROOT)
- .unwrap_err();
- session.set_allow_any_mode(true);
+ let session = Session { options: Options::default() };
let payload =
- Payload::from_cbor(&session, &serialized_fields, ConfigFormat::Android, !IS_ROOT)
- .unwrap();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap();
assert_eq!(payload.mode(), DiceMode::NotConfigured);
}
@@ -592,110 +539,38 @@ mod tests {
let mut fields = valid_payload_fields();
fields.insert(MODE, Value::Bytes(vec![1]));
let session = Session { options: Options::default() };
- let payload = Payload::from_cbor(
- &session,
- &serialize_fields(fields),
- ConfigFormat::Android,
- !IS_ROOT,
- )
- .unwrap();
- assert_eq!(payload.mode(), DiceMode::Normal);
- }
-
- #[test]
- fn mode_normal_root() {
- let mut fields = valid_payload_fields();
- fields.insert(MODE, Value::Bytes(vec![1]));
- let session = Session { options: Options::default() };
let payload =
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, IS_ROOT)
- .unwrap();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap();
assert_eq!(payload.mode(), DiceMode::Normal);
}
#[test]
- fn mode_normal_root_debug_unexcepted() {
- let mut fields = valid_payload_fields();
- fields.insert(MODE, Value::Bytes(vec![1]));
- let entries = encode_fields(fields);
- let profile = Profile { allow_root_mode_debug: false, ..Profile::default() };
- Payload::from_entries(&profile, entries, ConfigFormat::Android, IS_ROOT, !ALLOW_ANY_MODE)
- .unwrap();
- }
-
- #[test]
fn mode_debug() {
let mut fields = valid_payload_fields();
fields.insert(MODE, Value::Bytes(vec![2]));
- let mut session = Session { options: Options::default() };
- let serialized_fields = serialize_fields(fields);
- Payload::from_cbor(&session, &serialized_fields, ConfigFormat::Android, !IS_ROOT)
- .unwrap_err();
- session.set_allow_any_mode(true);
- let payload =
- Payload::from_cbor(&session, &serialized_fields, ConfigFormat::Android, !IS_ROOT)
- .unwrap();
- assert_eq!(payload.mode(), DiceMode::Debug);
- }
-
- #[test]
- fn mode_debug_root() {
- let mut fields = valid_payload_fields();
- fields.insert(MODE, Value::Bytes(vec![2]));
let session = Session { options: Options::default() };
let payload =
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, IS_ROOT)
- .unwrap();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap();
assert_eq!(payload.mode(), DiceMode::Debug);
}
#[test]
- fn mode_debug_root_debug_unexcepted() {
- let mut fields = valid_payload_fields();
- fields.insert(MODE, Value::Bytes(vec![2]));
- let entries = encode_fields(fields);
- let profile = Profile { allow_root_mode_debug: false, ..Profile::default() };
- Payload::from_entries(&profile, entries, ConfigFormat::Android, IS_ROOT, !ALLOW_ANY_MODE)
- .unwrap_err();
- }
-
- #[test]
fn mode_recovery() {
let mut fields = valid_payload_fields();
fields.insert(MODE, Value::Bytes(vec![3]));
- let mut session = Session { options: Options::default() };
- let serialized_fields = serialize_fields(fields);
- Payload::from_cbor(&session, &serialized_fields, ConfigFormat::Android, !IS_ROOT)
- .unwrap_err();
- session.set_allow_any_mode(true);
+ let session = Session { options: Options::default() };
let payload =
- Payload::from_cbor(&session, &serialized_fields, ConfigFormat::Android, !IS_ROOT)
- .unwrap();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap();
assert_eq!(payload.mode(), DiceMode::Recovery);
}
#[test]
- fn mode_recovery_root() {
- let mut fields = valid_payload_fields();
- fields.insert(MODE, Value::Bytes(vec![3]));
- let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, IS_ROOT)
- .unwrap_err();
- }
-
- #[test]
fn mode_invalid_becomes_not_configured() {
let mut fields = valid_payload_fields();
fields.insert(MODE, Value::Bytes(vec![4]));
- let mut session = Session { options: Options::default() };
- session.set_allow_any_mode(true);
- let payload = Payload::from_cbor(
- &session,
- &serialize_fields(fields),
- ConfigFormat::Android,
- !IS_ROOT,
- )
- .unwrap();
+ let session = Session { options: Options::default() };
+ let payload =
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap();
assert_eq!(payload.mode(), DiceMode::NotConfigured);
}
@@ -704,8 +579,7 @@ mod tests {
let mut fields = valid_payload_fields();
fields.insert(MODE, Value::Bytes(vec![0, 1]));
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT)
- .unwrap_err();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap_err();
}
#[test]
@@ -713,23 +587,10 @@ mod tests {
let mut fields = valid_payload_fields();
fields.insert(MODE, Value::from(2));
let entries = encode_fields(fields);
- Payload::from_entries(
- &Profile::default(),
- entries.clone(),
- ConfigFormat::Android,
- !IS_ROOT,
- ALLOW_ANY_MODE,
- )
- .unwrap_err();
+ Payload::from_entries(&Profile::default(), entries.clone(), ConfigFormat::Android)
+ .unwrap_err();
let profile = Profile { mode_type: ModeType::IntOrBytes, ..Profile::default() };
- let payload = Payload::from_entries(
- &profile,
- entries,
- ConfigFormat::Android,
- !IS_ROOT,
- ALLOW_ANY_MODE,
- )
- .unwrap();
+ let payload = Payload::from_entries(&profile, entries, ConfigFormat::Android).unwrap();
assert_eq!(payload.mode(), DiceMode::Debug);
}
@@ -738,8 +599,7 @@ mod tests {
let mut fields = valid_payload_fields();
fields.insert(SUBJECT_PUBLIC_KEY, Value::Bytes(vec![17; 64]));
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT)
- .unwrap_err();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap_err();
}
#[test]
@@ -748,7 +608,7 @@ mod tests {
fields.insert(KEY_USAGE, Value::Bytes(vec![0x20, 0x00, 0x00]));
let cbor = serialize_fields(fields);
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap();
+ Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap();
}
#[test]
@@ -757,7 +617,7 @@ mod tests {
fields.insert(KEY_USAGE, Value::Bytes(vec![0x20, 0xbe, 0xef]));
let cbor = serialize_fields(fields);
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap_err();
+ Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap_err();
}
#[test]
@@ -765,17 +625,10 @@ mod tests {
let mut fields = valid_payload_fields();
fields.insert(KEY_USAGE, Value::Bytes(vec![0x00, 0x20]));
let entries = encode_fields(fields);
- Payload::from_entries(
- &Profile::default(),
- entries.clone(),
- ConfigFormat::Android,
- false,
- false,
- )
- .unwrap_err();
+ Payload::from_entries(&Profile::default(), entries.clone(), ConfigFormat::Android)
+ .unwrap_err();
let profile = Profile { allow_big_endian_key_usage: true, ..Profile::default() };
- Payload::from_entries(&profile, entries, ConfigFormat::Android, !IS_ROOT, !ALLOW_ANY_MODE)
- .unwrap();
+ Payload::from_entries(&profile, entries, ConfigFormat::Android).unwrap();
}
#[test]
@@ -783,17 +636,10 @@ mod tests {
let mut fields = valid_payload_fields();
fields.insert(KEY_USAGE, Value::Bytes(vec![0x00, 0xfe, 0x20]));
let entries = encode_fields(fields);
- Payload::from_entries(
- &Profile::default(),
- entries.clone(),
- ConfigFormat::Android,
- false,
- false,
- )
- .unwrap_err();
- let profile = Profile { allow_big_endian_key_usage: true, ..Profile::default() };
- Payload::from_entries(&profile, entries, ConfigFormat::Android, !IS_ROOT, !ALLOW_ANY_MODE)
+ Payload::from_entries(&Profile::default(), entries.clone(), ConfigFormat::Android)
.unwrap_err();
+ let profile = Profile { allow_big_endian_key_usage: true, ..Profile::default() };
+ Payload::from_entries(&profile, entries, ConfigFormat::Android).unwrap_err();
}
#[test]
@@ -801,17 +647,10 @@ mod tests {
let mut fields = valid_payload_fields();
fields.insert(KEY_USAGE, Value::Bytes(vec![0x00, 0x10]));
let entries = encode_fields(fields);
- Payload::from_entries(
- &Profile::default(),
- entries.clone(),
- ConfigFormat::Android,
- false,
- false,
- )
- .unwrap_err();
- let profile = Profile { allow_big_endian_key_usage: true, ..Profile::default() };
- Payload::from_entries(&profile, entries, ConfigFormat::Android, !IS_ROOT, !ALLOW_ANY_MODE)
+ Payload::from_entries(&Profile::default(), entries.clone(), ConfigFormat::Android)
.unwrap_err();
+ let profile = Profile { allow_big_endian_key_usage: true, ..Profile::default() };
+ Payload::from_entries(&profile, entries, ConfigFormat::Android).unwrap_err();
}
#[test]
@@ -819,17 +658,10 @@ mod tests {
let mut fields = valid_payload_fields();
fields.insert(KEY_USAGE, Value::Bytes(vec![]));
let entries = encode_fields(fields);
- Payload::from_entries(
- &Profile::default(),
- entries.clone(),
- ConfigFormat::Android,
- false,
- false,
- )
- .unwrap_err();
- let profile = Profile { allow_big_endian_key_usage: true, ..Profile::default() };
- Payload::from_entries(&profile, entries, ConfigFormat::Android, !IS_ROOT, !ALLOW_ANY_MODE)
+ Payload::from_entries(&Profile::default(), entries.clone(), ConfigFormat::Android)
.unwrap_err();
+ let profile = Profile { allow_big_endian_key_usage: true, ..Profile::default() };
+ Payload::from_entries(&profile, entries, ConfigFormat::Android).unwrap_err();
}
#[test]
@@ -840,8 +672,7 @@ mod tests {
fields.insert(CONFIG_DESC, Value::Bytes(config_desc));
fields.insert(CONFIG_HASH, Value::Bytes(config_hash));
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT)
- .unwrap();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap();
}
#[test]
@@ -852,8 +683,7 @@ mod tests {
fields.insert(CONFIG_DESC, Value::Bytes(config_desc));
fields.insert(CONFIG_HASH, Value::Bytes(config_hash));
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT)
- .unwrap_err();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap_err();
}
#[test]
@@ -864,8 +694,7 @@ mod tests {
fields.insert(CONFIG_DESC, Value::Bytes(config_desc));
fields.insert(CONFIG_HASH, Value::Bytes(config_hash));
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT)
- .unwrap_err();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap_err();
}
#[test]
@@ -876,8 +705,7 @@ mod tests {
fields.insert(CONFIG_DESC, Value::Bytes(config_desc));
fields.insert(CONFIG_HASH, Value::Bytes(config_hash));
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android, !IS_ROOT)
- .unwrap();
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap();
}
#[test]
@@ -888,13 +716,8 @@ mod tests {
fields.insert(CONFIG_DESC, Value::Bytes(config_desc));
fields.insert(CONFIG_HASH, Value::Bytes(config_hash));
let session = Session { options: Options::default() };
- let payload = Payload::from_cbor(
- &session,
- &serialize_fields(fields),
- ConfigFormat::Android,
- !IS_ROOT,
- )
- .unwrap();
+ let payload =
+ Payload::from_cbor(&session, &serialize_fields(fields), ConfigFormat::Android).unwrap();
let extensions = payload.config_desc().extensions();
let extensions = HashMap::<_, _>::from_iter(extensions.to_owned());
assert_eq!(extensions.get("-71000").unwrap(), "Text(\"custom hi\")");
@@ -908,9 +731,8 @@ mod tests {
fields.insert(CONFIG_DESC, Value::Bytes(vec![0xcd; 64]));
let cbor = serialize_fields(fields);
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &cbor, ConfigFormat::Android, false).unwrap_err();
- let payload =
- Payload::from_cbor(&session, &cbor, ConfigFormat::AndroidOrIgnored, !IS_ROOT).unwrap();
+ Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap_err();
+ let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::AndroidOrIgnored).unwrap();
assert_eq!(payload.config_desc(), &ConfigDesc::default());
}
@@ -926,22 +748,9 @@ mod tests {
let entries = encode_fields(fields);
let profile =
Profile { component_version_type: ComponentVersionType::Int, ..Profile::default() };
- Payload::from_entries(
- &profile,
- entries.clone(),
- ConfigFormat::Android,
- !IS_ROOT,
- !ALLOW_ANY_MODE,
- )
- .unwrap_err();
- let payload = Payload::from_entries(
- &Profile::default(),
- entries,
- ConfigFormat::Android,
- false,
- false,
- )
- .unwrap();
+ Payload::from_entries(&profile, entries.clone(), ConfigFormat::Android).unwrap_err();
+ let payload =
+ Payload::from_entries(&Profile::default(), entries, ConfigFormat::Android).unwrap();
assert_eq!(
payload.config_desc().component_version(),
Some(&ComponentVersion::String("It's version 4".to_string()))
@@ -957,7 +766,7 @@ mod tests {
fields.insert(CONFIG_HASH, Value::Bytes(config_hash));
let cbor = serialize_fields(fields);
let session = Session { options: Options::default() };
- let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap();
+ let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap();
assert_eq!(payload.config_desc().security_version(), Some(0x12345678));
}
@@ -969,23 +778,10 @@ mod tests {
fields.insert(CONFIG_DESC, Value::Bytes(config_desc));
fields.insert(CONFIG_HASH, Value::Bytes(config_hash));
let entries = encode_fields(fields);
- Payload::from_entries(
- &Profile::default(),
- entries.clone(),
- ConfigFormat::Android,
- false,
- false,
- )
- .unwrap_err();
+ Payload::from_entries(&Profile::default(), entries.clone(), ConfigFormat::Android)
+ .unwrap_err();
let profile = Profile { security_version_optional: true, ..Profile::default() };
- let payload = Payload::from_entries(
- &profile,
- entries,
- ConfigFormat::Android,
- !IS_ROOT,
- !ALLOW_ANY_MODE,
- )
- .unwrap();
+ let payload = Payload::from_entries(&profile, entries, ConfigFormat::Android).unwrap();
assert_eq!(payload.config_desc().security_version(), None);
}
@@ -1002,7 +798,7 @@ mod tests {
fields.insert(CONFIG_HASH, Value::Bytes(config_hash));
let cbor = serialize_fields(fields);
let session = Session { options: Options::default() };
- let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap();
+ let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap();
assert_eq!(payload.config_desc().security_version(), Some(0xcafe));
}
@@ -1013,7 +809,7 @@ mod tests {
fields.insert(CONFIG_DESC, Value::Bytes(config_desc));
let cbor = serialize_fields(fields);
let session = Session { options: Options::default() };
- Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap_err();
+ Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap_err();
}
#[test]
@@ -1025,7 +821,7 @@ mod tests {
fields.insert(CONFIG_HASH, Value::Bytes(config_hash));
let cbor = serialize_fields(fields);
let session = Session { options: Options::default() };
- let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap();
+ let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap();
assert!(payload.config_desc().resettable());
}
@@ -1038,7 +834,7 @@ mod tests {
fields.insert(CONFIG_HASH, Value::Bytes(config_hash));
let cbor = serialize_fields(fields);
let session = Session { options: Options::default() };
- let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap();
+ let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap();
assert!(payload.config_desc().rkp_vm_marker());
}
@@ -1051,7 +847,7 @@ mod tests {
fields.insert(CONFIG_HASH, Value::Bytes(config_hash));
let cbor = serialize_fields(fields);
let session = Session { options: Options::default() };
- let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android, !IS_ROOT).unwrap();
+ let payload = Payload::from_cbor(&session, &cbor, ConfigFormat::Android).unwrap();
assert!(!payload.config_desc().resettable());
assert!(!payload.config_desc().rkp_vm_marker());
}
@@ -1061,14 +857,7 @@ mod tests {
let mut fields = valid_payload_fields();
fields.remove(&CONFIG_HASH);
let entries = encode_fields(fields);
- Payload::from_entries(
- &Profile::default(),
- entries,
- ConfigFormat::Android,
- !IS_ROOT,
- !ALLOW_ANY_MODE,
- )
- .unwrap_err();
+ Payload::from_entries(&Profile::default(), entries, ConfigFormat::Android).unwrap_err();
}
#[test]
@@ -1084,17 +873,10 @@ mod tests {
.unwrap();
fields.insert(SUBJECT_PUBLIC_KEY, Value::Bytes(serialize(subject_public_key)));
let entries = encode_fields(fields);
- Payload::from_entries(
- &Profile::default(),
- entries.clone(),
- ConfigFormat::Android,
- false,
- false,
- )
- .unwrap_err();
+ Payload::from_entries(&Profile::default(), entries.clone(), ConfigFormat::Android)
+ .unwrap_err();
let profile = Profile { key_ops_type: KeyOpsType::IntOrArray, ..Profile::default() };
- Payload::from_entries(&profile, entries, ConfigFormat::Android, !IS_ROOT, !ALLOW_ANY_MODE)
- .unwrap();
+ Payload::from_entries(&profile, entries, ConfigFormat::Android).unwrap();
}
#[test]
@@ -1111,7 +893,6 @@ mod tests {
let session = Session {
options: Options {
dice_profile_range: DiceProfileRange::new(expected_version, expected_version),
- ..Default::default()
},
};
let profile_version =
@@ -1128,7 +909,6 @@ mod tests {
ProfileVersion::Android13,
ProfileVersion::Android16,
),
- ..Default::default()
},
};
let mut fields = valid_payload_fields();
@@ -1145,7 +925,6 @@ mod tests {
ProfileVersion::Android13,
ProfileVersion::Android16,
),
- ..Default::default()
},
};
let mut fields = valid_payload_fields();
@@ -1163,7 +942,6 @@ mod tests {
ProfileVersion::Android15,
ProfileVersion::Android15,
),
- ..Default::default()
},
};
let mut fields = valid_payload_fields();
@@ -1185,7 +963,6 @@ mod tests {
expected_version,
ProfileVersion::Android16,
),
- ..Default::default()
},
};
let profile_version =
@@ -1204,7 +981,6 @@ mod tests {
min_version,
ProfileVersion::Android16,
),
- ..Default::default()
},
};
PayloadFields::extract_profile_version(&session, &entries).unwrap_err();
@@ -1227,7 +1003,7 @@ mod tests {
(CONFIG_DESC, Value::Bytes(config_desc)),
(CONFIG_HASH, Value::Bytes(config_hash)),
(AUTHORITY_HASH, Value::Bytes(vec![2; 64])),
- (MODE, Value::Bytes(vec![1])),
+ (MODE, Value::Bytes(vec![0])),
])
}
diff --git a/remote_provisioning/hwtrust/src/cbor/dice/profile.rs b/remote_provisioning/hwtrust/src/cbor/dice/profile.rs
index 9d5e8b2..de28d3f 100644
--- a/remote_provisioning/hwtrust/src/cbor/dice/profile.rs
+++ b/remote_provisioning/hwtrust/src/cbor/dice/profile.rs
@@ -34,9 +34,6 @@ pub(super) struct Profile {
/// Whether the security version is a required field in the configuration descriptor.
pub(super) security_version_optional: bool,
-
- /// Whether the root certificate is allowed to have its mode set to debug.
- pub(super) allow_root_mode_debug: bool,
}
/// Type allowed for the DICE certificate mode field.
@@ -82,7 +79,6 @@ impl Profile {
allow_big_endian_key_usage: true,
config_hash_unverified: true,
security_version_optional: true,
- allow_root_mode_debug: true,
..Self::default()
}
}
diff --git a/remote_provisioning/hwtrust/src/main.rs b/remote_provisioning/hwtrust/src/main.rs
index a95dd10..d5d8a61 100644
--- a/remote_provisioning/hwtrust/src/main.rs
+++ b/remote_provisioning/hwtrust/src/main.rs
@@ -46,9 +46,6 @@ enum Action {
struct DiceChainArgs {
/// Path to a file containing a DICE chain
chain: String,
- /// Allow non-normal modes
- #[clap(long)]
- allow_any_mode: bool,
}
#[derive(Parser)]
@@ -127,8 +124,7 @@ fn main() -> Result<()> {
}
fn verify_dice_chain(args: &Args, sub_args: &DiceChainArgs) -> Result<()> {
- let mut session = session_from_vsr(args.vsr);
- session.set_allow_any_mode(sub_args.allow_any_mode);
+ let session = session_from_vsr(args.vsr);
let chain = dice::Chain::from_cbor(&session, &fs::read(&sub_args.chain)?)?;
if args.verbose {
print!("{}", chain);
diff --git a/remote_provisioning/hwtrust/src/session.rs b/remote_provisioning/hwtrust/src/session.rs
index b9701dc..0b90ed6 100644
--- a/remote_provisioning/hwtrust/src/session.rs
+++ b/remote_provisioning/hwtrust/src/session.rs
@@ -15,15 +15,6 @@ pub struct Session {
pub struct Options {
/// The range of supported Android Profile for DICE versions.
pub dice_profile_range: DiceProfileRange,
- /// Allows DICE chains to have non-normal mode values.
- pub allow_any_mode: bool,
-}
-
-impl Session {
- /// Set allow_any_mode.
- pub fn set_allow_any_mode(&mut self, allow_any_mode: bool) {
- self.options.allow_any_mode = allow_any_mode
- }
}
/// An inclusive range of Android Profile for DICE versions.
@@ -66,7 +57,6 @@ impl Options {
ProfileVersion::Android13,
ProfileVersion::Android13,
),
- ..Default::default()
}
}
@@ -77,7 +67,6 @@ impl Options {
ProfileVersion::Android14,
ProfileVersion::Android14,
),
- ..Default::default()
}
}
@@ -88,7 +77,6 @@ impl Options {
ProfileVersion::Android14,
ProfileVersion::Android15,
),
- ..Default::default()
}
}
@@ -99,7 +87,6 @@ impl Options {
ProfileVersion::Android14,
ProfileVersion::Android16,
),
- ..Default::default()
}
}
}
diff --git a/remote_provisioning/hwtrust/tests/hwtrust_cli.rs b/remote_provisioning/hwtrust/tests/hwtrust_cli.rs
index a0c7289..8136a7d 100644
--- a/remote_provisioning/hwtrust/tests/hwtrust_cli.rs
+++ b/remote_provisioning/hwtrust/tests/hwtrust_cli.rs
@@ -8,7 +8,7 @@ fn hwtrust_bin() -> &'static str {
#[test]
fn exit_code_for_good_chain() {
let output = Command::new(hwtrust_bin())
- .args(["dice-chain", "--allow-any-mode", "testdata/dice/valid_ed25519.chain"])
+ .args(["dice-chain", "testdata/dice/valid_ed25519.chain"])
.output()
.unwrap();
assert!(output.status.success());
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-10 15:28:59 +0000