/*
 * Copyright 2024 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
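package com.android.virt.vm_attestation.testservice;

/**
 * Binder interface of the VM attestation test service.
 *
 * It exposes two paths: a real one ({@link #signWithAttestationKey}) that uses remotely
 * provisioned keys, and a test-only one ({@link #requestAttestationForTesting} followed by
 * {@link #validateAttestationResult}) that uses a fake key pair.
 *
 * {@hide}
 */
interface IAttestationService {
    /**
     * Port number of this service.
     *
     * NOTE(review): presumably the port the payload serves this interface on; which
     * transport it applies to is not visible here - confirm against the implementation.
     */
    const int PORT = 5679;

    /**
     * The status of the attestation.
     *
     * The status here maps to the status defined in
     * vm_payload/include/vm_payload.h
     *
     * The enum is int-backed and crosses the binder boundary as a number, so the values
     * below must stay in sync with that header when either side changes.
     */
    @Backing(type="int")
    enum AttestationStatus {
        /** The remote attestation completes successfully. */
        OK = 0,

        /** The challenge size is not between 0 and 64. */
        ERROR_INVALID_CHALLENGE = 1,

        /** Failed to attest the VM. Please retry at a later time. */
        ERROR_ATTESTATION_FAILED = 2,

        /** Remote attestation is not supported in the current environment. */
        ERROR_UNSUPPORTED = 3,
    }

    /**
     * The result of signing a message with the attested key.
     *
     * Callers should inspect {@code status} before using the other fields.
     * NOTE(review): {@code signature} and {@code certificateChain} are presumably only
     * meaningful when {@code status} is {@code OK} - confirm against the implementation.
     */
    parcelable SigningResult {
        /** The DER-encoded ECDSA signature of the message. */
        byte[] signature;

        /** The DER-encoded attestation X509 certificate chain. */
        byte[] certificateChain;

        /** The status of the attestation. */
        AttestationStatus status;
    }

    /**
     * Requests attestation with the {@code AVmPayload_requestAttestation} API and signs the
     * given message with the attested key.
     *
     * The remotely provisioned keys are retrieved from RKPD and are provisioned from the
     * real RKP server.
     *
     * The signature alone proves nothing about the VM: a verifier is expected to validate
     * the returned certificate chain first and then check the signature against the key it
     * certifies. Using a fresh, unpredictable challenge per request lets the verifier reject
     * a replayed result.
     *
     * @param challenge the challenge to include in the attestation output. A size outside
     *         the range documented on {@code ERROR_INVALID_CHALLENGE} is reported through
     *         that status.
     * @param message the message to sign.
     * @return the result of signing the message with the attested key; check its
     *         {@code status} field before trusting the signature or certificate chain.
     */
    SigningResult signWithAttestationKey(in byte[] challenge, in byte[] message);

    /**
     * Requests attestation for testing with the {@code AVmPayload_requestAttestationForTesting}
     * API.
     *
     * A fake key pair should be provisioned with the call to
     * {@link VirtualMachine#enableTestAttestation()} before calling this method.
     *
     * The attestation result will be cached in the VM and can be validated with
     * {@link #validateAttestationResult}.
     *
     * This is a test-only path: a result produced with the fake key pair is not evidence of
     * a genuine remote attestation and must not be accepted as such.
     */
    void requestAttestationForTesting();

    /**
     * Validates the attestation result returned by the last call to
     * {@link #requestAttestationForTesting}.
     *
     * NOTE(review): the method returns void, so a validation failure is presumably reported
     * as a binder exception - confirm and document the failure mode.
     */
    void validateAttestationResult();
}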