\ No newline at end of file
diff --git a/doc/oak_dice/evidence/constant.CERTIFICATE_SIZE.html b/doc/oak_dice/evidence/constant.CERTIFICATE_SIZE.html
index c9c6dacc53e..9a3efdd138a 100644
--- a/doc/oak_dice/evidence/constant.CERTIFICATE_SIZE.html
+++ b/doc/oak_dice/evidence/constant.CERTIFICATE_SIZE.html
@@ -1,2 +1,2 @@
-CERTIFICATE_SIZE in oak_dice::evidence - Rust
\ No newline at end of file
diff --git a/doc/oak_dice/evidence/constant.DICE_DATA_CMDLINE_PARAM.html b/doc/oak_dice/evidence/constant.DICE_DATA_CMDLINE_PARAM.html
index aefedfcf71f..3907b3f57e1 100644
--- a/doc/oak_dice/evidence/constant.DICE_DATA_CMDLINE_PARAM.html
+++ b/doc/oak_dice/evidence/constant.DICE_DATA_CMDLINE_PARAM.html
@@ -1,3 +1,3 @@
-DICE_DATA_CMDLINE_PARAM in oak_dice::evidence - Rust
The name of the kernel command-line parameter that is used to send the physical address of the
Stage 0 DICE data struct.
\ No newline at end of file
diff --git a/doc/oak_dice/evidence/constant.P256_PRIVATE_KEY_SIZE.html b/doc/oak_dice/evidence/constant.P256_PRIVATE_KEY_SIZE.html
new file mode 100644
index 00000000000..f657a163e7b
--- /dev/null
+++ b/doc/oak_dice/evidence/constant.P256_PRIVATE_KEY_SIZE.html
@@ -0,0 +1,2 @@
+P256_PRIVATE_KEY_SIZE in oak_dice::evidence - Rust
The actual size used when encoding a Nist P256 private key.
+
\ No newline at end of file
diff --git a/doc/oak_dice/evidence/constant.PUBLIC_KEY_SIZE.html b/doc/oak_dice/evidence/constant.PUBLIC_KEY_SIZE.html
index 791e6dcc5f0..34e26cf016d 100644
--- a/doc/oak_dice/evidence/constant.PUBLIC_KEY_SIZE.html
+++ b/doc/oak_dice/evidence/constant.PUBLIC_KEY_SIZE.html
@@ -1,2 +1,2 @@
-PUBLIC_KEY_SIZE in oak_dice::evidence - Rust
The maximum size of a serialized COSE Key object representing an ECDSA public key.
\ No newline at end of file
diff --git a/doc/oak_dice/evidence/constant.STAGE0_MAGIC.html b/doc/oak_dice/evidence/constant.STAGE0_MAGIC.html
index d2544a1b35f..8771c978cac 100644
--- a/doc/oak_dice/evidence/constant.STAGE0_MAGIC.html
+++ b/doc/oak_dice/evidence/constant.STAGE0_MAGIC.html
@@ -1,2 +1,2 @@
-STAGE0_MAGIC in oak_dice::evidence - Rust
The magic number used to identify the Stage 0 DICE data in memory.
\ No newline at end of file
diff --git a/doc/oak_dice/evidence/enum.TeePlatform.html b/doc/oak_dice/evidence/enum.TeePlatform.html
index 59a05778f38..3071e24f4b8 100644
--- a/doc/oak_dice/evidence/enum.TeePlatform.html
+++ b/doc/oak_dice/evidence/enum.TeePlatform.html
@@ -1,4 +1,4 @@
-TeePlatform in oak_dice::evidence - Rust
The magic number used to identify the Stage 0 DICE data in memory.
\ No newline at end of file
diff --git a/doc/oak_dice/evidence/sidebar-items.js b/doc/oak_dice/evidence/sidebar-items.js
index 83b90eed6f5..bcb67647235 100644
--- a/doc/oak_dice/evidence/sidebar-items.js
+++ b/doc/oak_dice/evidence/sidebar-items.js
@@ -1 +1 @@
-window.SIDEBAR_ITEMS = {"constant":["CERTIFICATE_SIZE","DICE_DATA_CMDLINE_PARAM","PRIVATE_KEY_SIZE","PUBLIC_KEY_SIZE","REPORT_SIZE","STAGE0_MAGIC"],"enum":["TeePlatform"],"struct":["ApplicationKeys","ApplicationPrivateKeys","CertificateAuthority","Evidence","LayerEvidence","RestrictedKernelDiceData","RootLayerEvidence","Stage0DiceData"]};
\ No newline at end of file
+window.SIDEBAR_ITEMS = {"constant":["CERTIFICATE_SIZE","DICE_DATA_CMDLINE_PARAM","P256_PRIVATE_KEY_SIZE","PRIVATE_KEY_SIZE","PUBLIC_KEY_SIZE","REPORT_SIZE","STAGE0_MAGIC"],"enum":["TeePlatform"],"struct":["ApplicationKeys","ApplicationPrivateKeys","CertificateAuthority","Evidence","LayerEvidence","RestrictedKernelDiceData","RootLayerEvidence","Stage0DiceData"]};
\ No newline at end of file
diff --git a/doc/oak_dice/evidence/struct.ApplicationKeys.html b/doc/oak_dice/evidence/struct.ApplicationKeys.html
index f30ad98874c..9ccf81a3ccf 100644
--- a/doc/oak_dice/evidence/struct.ApplicationKeys.html
+++ b/doc/oak_dice/evidence/struct.ApplicationKeys.html
@@ -1,4 +1,4 @@
-ApplicationKeys in oak_dice::evidence - Rust
Serialized CWT certificate for the ECA private key owned by the corresponding layer. The
certificate must include measurements of the layer that owns the private key.
The SHA2-256 digest of this field must included as additional data in the signed remote
attestation report to bind the key to the report. This means that the attestation
report effectively acts as a non-standard certificate for this key.
\ No newline at end of file
diff --git a/doc/oak_functions_service/struct.OakFunctionsService.html b/doc/oak_functions_service/struct.OakFunctionsService.html
index cab74fa5ab3..bae8afeaf7a 100644
--- a/doc/oak_functions_service/struct.OakFunctionsService.html
+++ b/doc/oak_functions_service/struct.OakFunctionsService.html
@@ -1,18 +1,18 @@
OakFunctionsService in oak_functions_service - Rust
Builds the DICE evidence and certificate authority for the next DICE layer.
\ No newline at end of file
diff --git a/doc/oak_remote_attestation/dice/struct.DiceBuilder.html b/doc/oak_remote_attestation/dice/struct.DiceBuilder.html
index 8b3d9d4278c..971519bd544 100644
--- a/doc/oak_remote_attestation/dice/struct.DiceBuilder.html
+++ b/doc/oak_remote_attestation/dice/struct.DiceBuilder.html
@@ -1,5 +1,5 @@
-DiceBuilder in oak_remote_attestation::dice - Rust
Adds an additional layer of evidence to the DICE data.
@@ -7,7 +7,7 @@
provided. Adding a layer generates a new ECA private key for the layer and uses it to
replace the existing signing key. The CWT certificate contains the public key for this new
signing key.
-
Adds the CWT certificates application keys to the DICE data.
Since no additional evidence can be added after the application keys are added, this
consumes DICE data, discards the signing key and returns the finalized evidence.
Common panic routine for the kernel. This needs to be wrapped in a
panic_handler function in individual bootloader crates.
\ No newline at end of file
diff --git a/doc/oak_restricted_kernel/fn.start_kernel.html b/doc/oak_restricted_kernel/fn.start_kernel.html
index b61aebb00f6..c1c2e97140f 100644
--- a/doc/oak_restricted_kernel/fn.start_kernel.html
+++ b/doc/oak_restricted_kernel/fn.start_kernel.html
@@ -1,2 +1,2 @@
-start_kernel in oak_restricted_kernel - Rust
Main entry point for the kernel, to be called from bootloader.
\ No newline at end of file
diff --git a/doc/oak_restricted_kernel/index.html b/doc/oak_restricted_kernel/index.html
index 38f2c1f250b..7b5398dead2 100644
--- a/doc/oak_restricted_kernel/index.html
+++ b/doc/oak_restricted_kernel/index.html
@@ -1,5 +1,5 @@
oak_restricted_kernel - Rust
This code takes care of initializing the x86-64 machine properly and
handing the reins over to the oak_baremetal_runtime. It is in a separate crate so that we
could support different boot protocols (eg Linux boot protocol or PVH) that
diff --git a/doc/oak_restricted_kernel/static.FRAME_ALLOCATOR.html b/doc/oak_restricted_kernel/static.FRAME_ALLOCATOR.html
index 9dbf77c07a5..4d81cf16823 100644
--- a/doc/oak_restricted_kernel/static.FRAME_ALLOCATOR.html
+++ b/doc/oak_restricted_kernel/static.FRAME_ALLOCATOR.html
@@ -1,3 +1,3 @@
-
Allocator for physical memory frames in the system.
We reserve enough room to handle up to 512 GiB of memory, for now.
\ No newline at end of file
diff --git a/doc/oak_restricted_kernel/static.GUEST_HOST_HEAP.html b/doc/oak_restricted_kernel/static.GUEST_HOST_HEAP.html
index 09a0183a1b6..02ca262a4c5 100644
--- a/doc/oak_restricted_kernel/static.GUEST_HOST_HEAP.html
+++ b/doc/oak_restricted_kernel/static.GUEST_HOST_HEAP.html
@@ -1,2 +1,2 @@
-GUEST_HOST_HEAP in oak_restricted_kernel - Rust
The allocator for allocating space in the memory area that is shared with the hypervisor.
\ No newline at end of file
diff --git a/doc/oak_restricted_kernel/static.PAGE_TABLES.html b/doc/oak_restricted_kernel/static.PAGE_TABLES.html
index 85a8edbe493..64ad8835143 100644
--- a/doc/oak_restricted_kernel/static.PAGE_TABLES.html
+++ b/doc/oak_restricted_kernel/static.PAGE_TABLES.html
@@ -1,2 +1,2 @@
-PAGE_TABLES in oak_restricted_kernel - Rust
\ No newline at end of file
diff --git a/doc/oak_restricted_kernel/static.VMA_ALLOCATOR.html b/doc/oak_restricted_kernel/static.VMA_ALLOCATOR.html
index 7994bb2bd39..42ffcad9165 100644
--- a/doc/oak_restricted_kernel/static.VMA_ALLOCATOR.html
+++ b/doc/oak_restricted_kernel/static.VMA_ALLOCATOR.html
@@ -1,2 +1,2 @@
-VMA_ALLOCATOR in oak_restricted_kernel - Rust
\ No newline at end of file
diff --git a/doc/search-index.js b/doc/search-index.js
index b6e4de73541..ebbbc676f6a 100644
--- a/doc/search-index.js
+++ b/doc/search-index.js
@@ -19,7 +19,7 @@ var searchIndex = JSON.parse('{\
"oak_containers_syslogd":{"doc":"","t":"DLLLLLLLLLLLLLMAFFALLLLLLFSSSDDSSSSSLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLMLLLLLLLLLLLAMLLLLLLLLLLLMMLLLLLDFFFFFFLLLL","n":["Args","augment_args","augment_args_for_update","borrow","borrow_mut","command","command_for_update","fmt","from","from_arg_matches","from_arg_matches_mut","group_id","into","into_request","launcher_addr","log_relay","main","signal_handler","systemd_journal","try_from","try_into","type_id","update_from_arg_matches","update_from_arg_matches_mut","vzip","run","ALL_NAMESPACES","CURRENT_USER","INCLUDE_DEFAULT_NAMESPACE","Journal","JournalOpenFlags","LOCAL_ONLY","OS_ROOT","RUNTIME_ONLY","SYSTEM","TAKE_DIRECTORY_FD","all","bitand","bitand_assign","bitor","bitor_assign","bits","bits","bitxor","bitxor_assign","borrow","borrow","borrow_mut","borrow_mut","complement","contains","difference","drop","empty","extend","fmt","fmt","fmt","fmt","from","from","from_bits","from_bits_retain","from_bits_retain","from_bits_truncate","from_iter","from_name","insert","intersection","intersects","into","into","into_iter","into_iter","into_request","into_request","is_all","is_empty","iter","iter_names","journal","new","next","next","next_data","not","remove","seek_head","set","sub","sub_assign","symmetric_difference","systemd_sys","terminate","toggle","try_from","try_from","try_into","try_into","type_id","type_id","union","vzip","vzip","wait","_data","_marker","borrow","borrow_mut","from","into","into_request","sd_journal","sd_journal_close","sd_journal_enumerate_data","sd_journal_next","sd_journal_open","sd_journal_seek_head","sd_journal_wait","try_from","try_into","type_id","vzip"],"q":[[0,"oak_containers_syslogd"],[25,"oak_containers_syslogd::log_relay"],[26,"oak_containers_syslogd::systemd_journal"],[105,"oak_containers_syslogd::systemd_journal::systemd_sys"],[123,"clap::builder::command"],[124,"core::fmt"],[125,"core::fmt"],[126,"clap"],[127,"core::result"],[128,"clap::util::id"],[129,"core::option"],[130,"tonic::reques
t"],[131,"core::error"],[132,"alloc::boxed"],[133,"signal_hook_tokio"],[134,"tokio::sync::once_cell"],[135,"alloc::sync"],[136,"core::any"],[137,"oak_containers_orchestrator_client"],[138,"anyhow"],[139,"core::ffi"],[140,"core::iter::traits::collect"],[141,"bitflags::iter"],[142,"bitflags::iter"],[143,"alloc::string"],[144,"std::collections::hash::map"]],"d":["","","","","","","","","Returns the argument unchanged.","","","","Calls U::from(self).","","","","","","","","","","","","","","","","","Simple wrapper around libsystemd for reading entries from …","","","","","","","Returns the set containing all flags.","Returns the intersection between the two sets of flags.","Disables all flags disabled in the set.","Returns the union of the two sets of flags.","Adds the set of flags.","","Returns the raw value of the flags currently stored.","Returns the left flags, but with all the right flags …","Toggles the set of flags.","","","","","Returns the complement of this set of flags.","Returns true if all of the flags in other are contained …","Returns the difference between the flags in self and other.","","Returns an empty set of flags.","","","","","","Returns the argument unchanged.","Returns the argument unchanged.","Convert from underlying bit representation, unless that …","Convert from underlying bit representation, preserving all …","","Convert from underlying bit representation, dropping any …","","Get the value for a flag from its stringified name.","Inserts the specified flags in-place.","Returns the intersection between the flags in self and …","Returns true if there are flags common to both self and …","Calls U::from(self).","Calls U::from(self).","","","","","Returns true if all flags are currently set.","Returns true if no flags are currently stored.","Iterate over enabled flag values.","Iterate over enabled flag values with their stringified …","","","Reads the next entry from the journal; returns None if …","","","Returns the complement of this set of 
flags.","Removes the specified flags in-place.","Moves the cursor to before the first record in the journal.","Inserts or removes the specified flags depending on the …","Returns the set difference of the two sets of flags.","Disables all flags enabled in the set.","Returns the symmetric difference between the flags in self …","","","Toggles the specified flags in-place.","","","","","","","Returns the union of between the flags in self and other.","","","Blocks until something is added to the journal.","","","","","Returns the argument unchanged.","Calls U::from(self).","","Opaque type representing the systemd journal obtained via …","","","","","","","","","",""],"i":[0,2,2,2,2,2,2,2,2,2,2,2,2,2,2,0,0,0,0,2,2,2,2,2,2,0,20,20,20,0,0,20,20,20,20,20,20,20,20,20,20,20,20,20,20,23,20,23,20,20,20,20,23,20,20,20,20,20,20,23,20,20,20,20,20,20,20,20,20,20,23,20,23,20,23,20,20,20,20,20,23,23,23,23,23,20,20,23,20,20,20,20,0,23,20,23,20,23,20,23,20,20,23,20,23,33,33,33,33,33,33,33,0,0,0,0,0,0,0,33,33,33,33],"f":[0,[1,1],[1,1],[-1,-2,[],[]],[-1,-2,[],[]],[[],1],[[],1],[[2,3],4],[-1,-1,[]],[5,[[7,[2,6]]]],[5,[[7,[2,6]]]],[[],[[9,[8]]]],[-1,-2,[],[]],[-1,[[10,[-2]]],[],[]],0,0,[[],[[7,[11,[13,[12]]]]]],[[14,[16,[[15,[11]]]]],11],0,[-1,[[7,[-2]]],[],[]],[-1,[[7,[-2]]],[],[]],[-1,17,[]],[[2,5],[[7,[11,6]]]],[[2,5],[[7,[11,6]]]],[-1,-2,[],[]],[[18,[16,[[15,[11]]]]],[[19,[11]]]],0,0,0,0,0,0,0,0,0,0,[[],20],[[20,20],20],[[20,20],11],[[20,20],20],[[20,20],11],[20,21],[20,21],[[20,20],20],[[20,20],11],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[20,20],[[20,20],22],[[20,20],20],[23,11],[[],20],[[20,-1],11,24],[[20,3],4],[[20,3],4],[[20,3],4],[[20,3],4],[-1,-1,[]],[-1,-1,[]],[21,[[9,[20]]]],[21,20],[21,20],[21,20],[-1,20,24],[25,[[9,[20]]]],[[20,20],11],[[20,20],20],[[20,20],22],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[20],[-1,[[10,[-2]]],[],[]],[-1,[[10,[-2]]],[],[]],[20,22],[20,22],[20,[[26,[20]]]],[20,[[27,[20]]]],0,[[20,[16,[[15,[11]]]]],[[7,[23,28]]]],[23,[[7,[[9,[[30
,[29,29]]]],28]]]],[23,9],[23,[[7,[[9,[[32,[31]]]],28]]]],[20,20],[[20,20],11],[23,[[7,[11,28]]]],[[20,20,22],11],[[20,20],20],[[20,20],11],[[20,20],20],0,0,[[20,20],11],[-1,[[7,[-2]]],[],[]],[-1,[[7,[-2]]],[],[]],[-1,[[7,[-2]]],[],[]],[-1,[[7,[-2]]],[],[]],[-1,17,[]],[-1,17,[]],[[20,20],20],[-1,-2,[],[]],[-1,-2,[],[]],[23,[[7,[22,28]]]],0,0,[-1,-2,[],[]],[-1,-2,[],[]],[-1,-1,[]],[-1,-2,[],[]],[-1,[[10,[-2]]],[],[]],0,0,0,0,0,0,0,[-1,[[7,[-2]]],[],[]],[-1,[[7,[-2]]],[],[]],[-1,17,[]],[-1,-2,[],[]]],"c":[],"p":[[3,"Command",123],[3,"Args",0],[3,"Formatter",124],[6,"Result",124],[3,"ArgMatches",125],[6,"Error",126],[4,"Result",127],[3,"Id",128],[4,"Option",129],[3,"Request",130],[15,"tuple"],[8,"Error",131],[3,"Box",132],[6,"Signals",133],[3,"OnceCell",134],[3,"Arc",135],[3,"TypeId",136],[3,"LauncherClient",137],[6,"Result",138],[3,"JournalOpenFlags",26],[6,"c_int",139],[15,"bool"],[3,"Journal",26],[8,"IntoIterator",140],[15,"str"],[3,"Iter",141],[3,"IterNames",141],[4,"Errno",142],[3,"String",143],[3,"HashMap",144],[15,"u8"],[15,"slice"],[3,"sd_journal",105]],"b":[[41,"impl-Flags-for-JournalOpenFlags"],[42,"impl-JournalOpenFlags"],[55,"impl-Binary-for-JournalOpenFlags"],[56,"impl-LowerHex-for-JournalOpenFlags"],[57,"impl-UpperHex-for-JournalOpenFlags"],[58,"impl-Octal-for-JournalOpenFlags"],[62,"impl-JournalOpenFlags"],[63,"impl-Flags-for-JournalOpenFlags"],[82,"impl-Journal"],[83,"impl-Iterator-for-Journal"]]},\
"oak_core":{"doc":"","t":"AAAIDLLLLLLLKLKLLLLDLLLLLLLLLLDLLLLLLLLFLLLL","n":["samplestore","sync","timer","SampleStore","StaticSampleStore","borrow","borrow_mut","eq","fmt","from","into","new","percentile","percentile","record","record","try_from","try_into","type_id","OnceCell","borrow","borrow_mut","from","get","into","new","set","try_from","try_into","type_id","Timer","borrow","borrow_mut","elapsed","fmt","from","into","new","new_rdtsc","rdtsc","timed","try_from","try_into","type_id"],"q":[[0,"oak_core"],[3,"oak_core::samplestore"],[19,"oak_core::sync"],[30,"oak_core::timer"],[44,"core::fmt"],[45,"core::fmt"],[46,"core::result"],[47,"core::any"],[48,"core::ops::function"]],"d":["","","","","Basic probabilisting sample store to compute percentiles …","","","","","Returns the argument unchanged.","Calls U::from(self).","","Gets the n-th percentile. n needs to be between 0 and 100, …","","Records a new data point value.","","","","","A synchronised implementation of a cell that can be …","","","Returns the argument unchanged.","Gets a reference to the inner value if the cell has been …","Calls U::from(self).","","Sets the inner value of the cell if it has not been …","","","","Measures the number of clock cycles between new() and …","","","Returns the approximate number of clock cycles elapsed …","","Returns the argument unchanged.","Calls U::from(self).","","Constructs a new timer, recording the current tick counter …","Read the timestamp counter register from the CPU.","Returns the approximate number of clock cycles it took to 
…","","",""],"i":[0,0,0,0,0,1,1,1,1,1,1,1,14,1,14,1,1,1,1,0,11,11,11,11,11,11,11,11,11,11,0,12,12,12,12,12,12,12,12,0,12,12,12,12],"f":[0,0,0,0,0,[-1,-2,[],[]],[-1,-2,[],[]],[[1,1],2],[[1,3],4],[-1,-1,[]],[-1,-2,[],[]],[[],[[5,[1]]]],[[-1,6],[[5,[7]]],[]],[[1,6],[[5,[7]]]],[[-1,7],8,[]],[[1,7],8],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,10,[]],0,[-1,-2,[],[]],[-1,-2,[],[]],[-1,-1,[]],[[[11,[-1]]],[[5,[-1]]],[]],[-1,-2,[],[]],[[],[[11,[-1]]],[]],[[[11,[-1]],-1],[[9,[8,-1]]],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,10,[]],0,[-1,-2,[],[]],[-1,-2,[],[]],[12,7],[[12,3],4],[-1,-1,[]],[-1,-2,[],[]],[7,12],[[],12],[[],7],[-1,7,13],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,10,[]]],"c":[],"p":[[3,"StaticSampleStore",3],[15,"bool"],[3,"Formatter",44],[6,"Result",44],[4,"Option",45],[15,"f64"],[15,"u64"],[15,"tuple"],[4,"Result",46],[3,"TypeId",47],[3,"OnceCell",19],[3,"Timer",30],[8,"FnOnce",48],[8,"SampleStore",3]],"b":[]},\
"oak_crypto":{"doc":"","t":"AAAAIDDDIDLLLLLLLLLLLLLLLLLLLLLKKLLLLLLLLLLLLLLLLLLLLLGDDLLLLLLLLLLLLLLLLAAADDDDMLLLLLLLLMLLLLLLLLLLLLLLLLLLLLMMLLLLLLLLLLLLLLLLMMMMMMLMLLLLLLLLLLLLLLLLDLLLLLLL","n":["encryptor","hpke","proto","signer","AsyncRecipientContextGenerator","AsyncServerEncryptor","ClientEncryptor","EncryptionKeyProvider","RecipientContextGenerator","ServerEncryptor","borrow","borrow","borrow","borrow","borrow_mut","borrow_mut","borrow_mut","borrow_mut","create","create","decrypt","decrypt","decrypt","default","encrypt","encrypt","encrypt","from","from","from","from","generate_recipient_context","generate_recipient_context","generate_recipient_context","get_serialized_public_key","into","into","into","into","new","new","new","try_from","try_from","try_from","try_from","try_into","try_into","try_into","try_into","type_id","type_id","type_id","type_id","PublicKey","RecipientContext","SenderContext","borrow","borrow","borrow_mut","borrow_mut","deserialize","from","from","into","into","serialize","try_from","try_from","try_into","try_into","type_id","type_id","oak","crypto","v1","AeadEncryptedMessage","CryptoContext","EncryptedRequest","EncryptedResponse","associated_data","borrow","borrow","borrow","borrow","borrow_mut","borrow_mut","borrow_mut","borrow_mut","ciphertext","clear","clear","clear","clear","clone","clone","clone","clone","clone_into","clone_into","clone_into","clone_into","default","default","default","default","encoded_len","encoded_len","encoded_len","encoded_len","encrypted_message","encrypted_message","eq","eq","eq","eq","fmt","fmt","fmt","fmt","from","from","from","from","into","into","into","into","request_base_nonce","request_key","request_sequence_number","response_base_nonce","response_key","response_sequence_number","serialized_encapsulated_public_key","serialized_encapsulated_public_key","to_owned","to_owned","to_owned","to_owned","try_from","try_from","try_from","try_from","try_into","try_into","try_into","try_into","type_id","type_id","ty
pe_id","type_id","Signer","borrow","borrow_mut","from","into","try_from","try_into","type_id"],"q":[[0,"oak_crypto"],[4,"oak_crypto::encryptor"],[54,"oak_crypto::hpke"],[73,"oak_crypto::proto"],[74,"oak_crypto::proto::oak"],[75,"oak_crypto::proto::oak::crypto"],[76,"oak_crypto::proto::oak::crypto::v1"],[152,"oak_crypto::signer"],[160,"anyhow"],[161,"alloc::sync"],[162,"alloc::vec"],[163,"core::future::future"],[164,"alloc::boxed"],[165,"core::pin"],[166,"core::result"],[167,"core::any"],[168,"core::fmt"],[169,"core::fmt"]],"d":["Implementation of the Bidirectional Hybrid Public Key …","","","","","Encryptor object for decrypting client requests that are …","Encryptor object for encrypting client requests that will …","","","Encryptor object for decrypting client requests that are …","","","","","","","","","Creates an HPKE crypto context by generating an new …","","Decrypts a EncryptedResponse proto message using AEAD. …","Decrypts a EncryptedRequest proto message using AEAD. …","Decrypts a EncryptedRequest proto message using AEAD. …","","Encrypts plaintext and authenticates associated_data using …","Encrypts plaintext and authenticates associated_data using …","Encrypts plaintext and authenticates associated_data using …","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","","","","Returns a NIST P-256 SEC1 encoded point public key. 
…","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Creates a crypto provider with a newly generated key pair.","","","","","","","","","","","","","","","","","","","","","","Deserializes recipient context from a CryptoContext …","Returns the argument unchanged.","Returns the argument unchanged.","Calls U::from(self).","Calls U::from(self).","Serializes recipient context into a CryptoContext Protobuf …","","","","","","","","","","Message encrypted with Authenticated Encryption with …","Envelope containing session keys required to …","Request message encrypted using Hybrid Public Key …","Response message encrypted Hybrid Public Key Encryption …","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","Message encrypted with Authenticated Encryption with …","Message encrypted with Authenticated Encryption with …","","","","","","","","","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","","AEAD key and nonce for encrypting/decrypting client …","","","Symmetric key and nonce for encrypting/decrypting enclave …","","Returns the value of serialized_encapsulated_public_key, …","Ephemeral Diffie-Hellman client public key that is needed …","","","","","","","","","","","","","","","","","","","","Returns the argument unchanged.","Calls 
U::from(self).","","",""],"i":[0,0,0,0,0,0,0,0,0,0,13,3,7,12,13,3,7,12,3,7,3,7,12,13,3,7,12,13,3,7,12,5,18,13,13,13,3,7,12,13,7,12,13,3,7,12,13,3,7,12,13,3,7,12,0,0,0,27,14,27,14,14,27,14,27,14,14,27,14,27,14,27,14,0,0,0,0,0,0,0,22,11,8,22,21,11,8,22,21,22,11,8,22,21,11,8,22,21,11,8,22,21,11,8,22,21,11,8,22,21,11,8,11,8,22,21,11,8,22,21,11,8,22,21,11,8,22,21,21,21,21,21,21,21,11,11,11,8,22,21,11,8,22,21,11,8,22,21,11,8,22,21,0,28,28,28,28,28,28,28],"f":[0,0,0,0,0,0,0,0,0,0,[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[[[2,[1]]],[[4,[3]]]],[[[2,[1]],[6,[5]]],[[4,[7]]]],[[3,8],[[4,[[10,[[9,[1]],[9,[1]]]]]]]],[[7,11],[[4,[[10,[[9,[1]],[9,[1]]]]]]]],[[12,11],[[4,[[10,[[9,[1]],[9,[1]]]]]]]],[[],13],[[3,[2,[1]],[2,[1]]],[[4,[11]]]],[[7,[2,[1]],[2,[1]]],[[4,[8]]]],[[12,[2,[1]],[2,[1]]],[[4,[8]]]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[[-1,[2,[1]]],[[4,[14]]],[]],[[-1,[2,[1]]],[[17,[[16,[15]]]]],[]],[[13,[2,[1]]],[[4,[14]]]],[13,[[9,[1]]]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[[],13],[14,7],[[[6,[18]]],12],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,20,[]],[-1,20,[]],[-1,20,[]],[-1,20,[]],0,0,0,[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[21,[[4,[14]]]],[-1,-1,[]],[-1,-1,[]],[-1,-2,[],[]],[-1,-2,[],[]],[14,[[4,[21]]]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,20,[]],[-1,20,[]],0,0,0,0,0,0,0,0,[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],0,[11,10],[8,10],[22,10],[21,10],[11,11],[8,8],[22,22],[21,21],[[-1,-2],10,[],[]],[[-1,-2],10,[],[]],[[-1,-2],10,[],[]],[[-1,-2],10,[],[]],[[],11],[[],8],[[],22],[[],21],[11,23],[8,23],[22,23],[21,23],0,0,[[11,11],24],[[8,8],24],[[22,22],24],[[21,21],24],[[11,25],26],[[8,25],26],
[[22,25],26],[[21,25],26],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],0,0,0,0,0,0,[11,[[2,[1]]]],0,[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,20,[]],[-1,20,[]],[-1,20,[]],[-1,20,[]],0,[-1,-2,[],[]],[-1,-2,[],[]],[-1,-1,[]],[-1,-2,[],[]],[-1,[[19,[-2]]],[],[]],[-1,[[19,[-2]]],[],[]],[-1,20,[]]],"c":[],"p":[[15,"u8"],[15,"slice"],[3,"ClientEncryptor",4],[6,"Result",160],[8,"RecipientContextGenerator",4],[3,"Arc",161],[3,"ServerEncryptor",4],[3,"EncryptedResponse",76],[3,"Vec",162],[15,"tuple"],[3,"EncryptedRequest",76],[3,"AsyncServerEncryptor",4],[3,"EncryptionKeyProvider",4],[3,"RecipientContext",54],[8,"Future",163],[3,"Box",164],[3,"Pin",165],[8,"AsyncRecipientContextGenerator",4],[4,"Result",166],[3,"TypeId",167],[3,"CryptoContext",76],[3,"AeadEncryptedMessage",76],[15,"usize"],[15,"bool"],[3,"Formatter",168],[6,"Result",168],[3,"SenderContext",54],[3,"Signer",152]],"b":[]},\
-"oak_dice":{"doc":"Structs and helpers for implementing DICE-based …","t":"AARSSSSSSRRRSSSRRDRRRRRRLLLLLLLLLLLLLLLFFFFLLLLLLLLLLLLLLLFFFFFLLLLLLLLLLLLLLLLLLLLLFNDDRDRDNDRRRDDRDENMLLLLLLLLLLLLLLLLLLLLLLMMMMMLLLLLLLLLLLLLLLLLLLLLLLMMMMMMMMMMLLLLLLLLLLLLLLLLLLLLLLLLLLLLL","n":["cert","evidence","ACPI_MEASUREMENT_ID","CONTENT_COMMITMENT","CRL_SIGN","DATA_ENCIPHERMENT","DECIPHER_ONLY","DIGITAL_SIGNATURE","ENCIPHER_ONLY","INITRD_MEASUREMENT_ID","KERNEL_COMMANDLINE_MEASUREMENT_ID","KERNEL_MEASUREMENT_ID","KEY_AGREEMENT","KEY_CERT_SIGN","KEY_ENCIPHERMENT","KEY_ID_LENGTH","KEY_USAGE_ID","KeyUsage","LAYER_2_CODE_MEASUREMENT_ID","LAYER_3_CODE_MEASUREMENT_ID","LAYER_3_CONFIG_MEASUREMENT_ID","MEMORY_MAP_MEASUREMENT_ID","SETUP_DATA_MEASUREMENT_ID","SUBJECT_PUBLIC_KEY_ID","all","bitand","bitand_assign","bitor","bitor_assign","bits","bits","bitxor","bitxor_assign","borrow","borrow_mut","clone","clone_into","complement","contains","cose_key_to_hpke_public_key","cose_key_to_verifying_key","derive_kem_public_key_id","derive_verifying_key_id","difference","empty","extend","fmt","fmt","fmt","fmt","fmt","from","from_bits","from_bits_retain","from_bits_retain","from_bits_truncate","from_iter","from_name","generate_ecdsa_key_pair","generate_kem_certificate","generate_signing_certificate","get_claims_set_from_certificate_bytes","hpke_public_key_to_cose_key","insert","intersection","intersects","into","into_iter","is_all","is_empty","iter","iter_names","not","remove","set","sub","sub_assign","symmetric_difference","to_owned","toggle","try_from","try_into","type_id","union","verifying_key_to_cose_key","AmdSevSnp","ApplicationKeys","ApplicationPrivateKeys","CERTIFICATE_SIZE","CertificateAuthority","DICE_DATA_CMDLINE_PARAM","Evidence","IntelTdx","LayerEvidence","PRIVATE_KEY_SIZE","PUBLIC_KEY_SIZE","REPORT_SIZE","RestrictedKernelDiceData","RootLayerEvidence","STAGE0_MAGIC","Stage0DiceData","TeePlatform","Unspecified","application_keys","borrow","borrow","borrow","borrow","borrow","borrow","borr
ow","borrow","borrow","borrow_mut","borrow_mut","borrow_mut","borrow_mut","borrow_mut","borrow_mut","borrow_mut","borrow_mut","borrow_mut","clone","clone_into","drop","drop","eca_certificate","eca_private_key","eca_public_key","encryption_private_key","encryption_public_key_certificate","eq","fmt","fmt","from","from","from","from","from","from","from","from","from","from_repr","get_tee_platform","into","into","into","into","into","into","into","into","into","layer_1_certificate_authority","layer_1_evidence","magic","remote_attestation_report","restricted_kernel_evidence","root_layer_evidence","root_layer_evidence","signing_private_key","signing_public_key_certificate","tee_platform","to_owned","to_string","try_from","try_from","try_from","try_from","try_from","try_from","try_from","try_from","try_from","try_into","try_into","try_into","try_into","try_into","try_into","try_into","try_into","try_into","type_id","type_id","type_id","type_id","type_id","type_id","type_id","type_id","type_id"],"q":[[0,"oak_dice"],[2,"oak_dice::cert"],[85,"oak_dice::evidence"],[193,"coset::key"],[194,"alloc::vec"],[195,"core::result"],[196,"p256::ecdsa"],[197,"core::iter::traits::collect"],[198,"core::fmt"],[199,"core::fmt"],[200,"p256::ecdsa"],[201,"coset::cwt"],[202,"ciborium::value"],[203,"coset::sign"],[204,"coset::common"],[205,"coset::cwt"],[206,"bitflags::iter"],[207,"core::fmt"]],"d":["Constants and helper functions to work with CWT-based DICE …","C-like structs for representing DICE data in environments …","ID for the CWT private claim ID corresponding to the hash …","","","","","","","ID for the CWT private claim ID corresponding to the …","ID for the CWT private claim ID corresponding to the VM …","ID for the CWT private claim ID corresponding to the VM …","","","","Length of the unique ID for ECDSA keys generated.","ID for the bitstring used to describe the intended usage …","Intended usage of a key.","ID for the CWT private claim label corresponding to the …","ID for the CWT 
private claim label corresponding to the …","ID for the CWT private claim label corresponding to the …","ID for the CWT private claim ID corresponding to the …","ID for the CWT private claim ID corresponding to the VM …","ID for the CWT private claim corresponding to the Subject …","Returns the set containing all flags.","Returns the intersection between the two sets of flags.","Disables all flags disabled in the set.","Returns the union of the two sets of flags.","Adds the set of flags.","Returns the raw value of the flags currently stored.","","Returns the left flags, but with all the right flags …","Toggles the set of flags.","","","","","Returns the complement of this set of flags.","Returns true if all of the flags in other are contained …","Converts a COSE_Key to a serialized HPKE KEM public key.","Converts a COSE_Key to a ECDSA verifying key.","Derives an ID from an HPKE KEM public key.","Derives an ID from a verifying key.","Returns the difference between the flags in self and other.","Returns an empty set of flags.","","","","","","","Returns the argument unchanged.","Convert from underlying bit representation, unless that …","Convert from underlying bit representation, preserving all …","","Convert from underlying bit representation, dropping any …","","Get the value for a flag from its stringified name.","Generates private/public ECDSA key pair.","Generates a CWT certificate representing a Key …","Generates a CWT certificate representing an ECDSA signing …","Parses a bytes slice as a CWT certificate and extracts the …","Converts a serialized HPKE KEM public key to a COSE_Key …","Inserts the specified flags in-place.","Returns the intersection between the flags in self and …","Returns true if there are flags common to both self and …","Calls U::from(self).","","Returns true if all flags are currently set.","Returns true if no flags are currently stored.","Iterate over enabled flag values.","Iterate over enabled flag values with their stringified 
…","Returns the complement of this set of flags.","Removes the specified flags in-place.","Inserts or removes the specified flags depending on the …","Returns the set difference of the two sets of flags.","Disables all flags enabled in the set.","Returns the symmetric difference between the flags in self …","","Toggles the specified flags in-place.","","","","Returns the union of between the flags in self and other.","Converts an ECDSA verifying key to a COSE_Key …","AMD SEV-SNP.","Certificates for the ECDSA keys that can be used for an …","ECDSA private keys that can be used for an application for …","The maximum size of a serialized CWT certificate.","Private key that can be used by a layer to sign a …","The name of the kernel command-line parameter that is used …","Wrapper for passing the attestation evidence from the …","Intel TDX.","Attestation evidence for non-root layers.","The maximum size of an ECDSA private key.","The maximum size of a serialized COSE Key object …","The maximum size of the signed attestation report.","Wrapper for passing the attestation evidence and private …","Attestation evidence generated by Stage 0.","The magic number used to identify the Stage 0 DICE data in …","Wrapper for passing DICE info from Stage0 to the next …","The hardware platform providing the Trusted Execution …","Platform is not specified.","Keys (and associated certificates) that can be used by the …","","","","","","","","","","","","","","","","","","","","","","","Serialized CWT certificate for the ECA private key owned …","The RAW bytes representing an ECDSA private key.","Serialized COSE Key representation of the ECDSA public key …","The RAW bytes representing an ECDSA private key that can …","Serialized CWT certificate for the encryption private key. 
…","","","","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Try to create Self from the raw representation","","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","","The evidence about the next layer.","Magic number that is expected to always be set to the …","Byte representation of the signed attestation report …","The evidence about the Restricted Kernel.","The evidence about Stage 0 and the initial state of the VM.","Evidence about Stage 0 and the initial state of the VM.","The RAW bytes representing an ECDSA private key that can …","Serialized CWT certificate for the signing private key. 
…","The hardware platform that generated the remote …","","","","","","","","","","","","","","","","","","","","","","","","","","","","",""],"i":[0,0,0,1,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,27,0,0,0,0,0,0,27,0,0,0,0,0,0,0,0,0,27,33,27,32,34,28,35,36,29,33,37,27,32,34,28,35,36,29,33,37,27,27,28,29,34,28,32,29,36,27,27,27,27,32,34,28,35,36,29,33,37,27,32,27,32,34,28,35,36,29,33,37,35,35,35,32,33,35,33,29,36,32,27,27,27,32,34,28,35,36,29,33,37,27,32,34,28,35,36,29,33,37,27,32,34,28,35,36,29,33,37],"f":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[[],1],[[1,1],1],[[1,1],2],[[1,1],1],[[1,1],2],[1,3],[1,3],[[1,1],1],[[1,1],2],[-1,-2,[],[]],[-1,-2,[],[]],[1,1],[[-1,-2],2,[],[]],[1,1],[[1,1],4],[5,[[9,[[7,[6]],8]]]],[5,[[9,[10,8]]]],[[[11,[6]]],[[12,[6]]]],[10,[[12,[6]]]],[[1,1],1],[[],1],[[1,-1],2,13],[[1,14],15],[[1,14],15],[[1,14],15],[[1,14],15],[[1,14],15],[-1,-1,[]],[3,[[16,[1]]]],[3,1],[3,1],[3,1],[-1,1,13],[8,[[16,[1]]]],[[],[[2,[17,10]]]],[[17,18,[11,[6]],[7,[[2,[19,20]]]]],[[9,[21,22]]]],[[17,18,10,[7,[[2,[19,20]]]]],[[9,[21,22]]]],[[[11,[6]]],[[9,[23,22]]]],[[[11,[6]]],5],[[1,1],2],[[1,1],1],[[1,1],4],[-1,-2,[],[]],[1],[1,4],[1,4],[1,[[24,[1]]]],[1,[[25,[1]]]],[1,1],[[1,1],2],[[1,1,4],2],[[1,1],1],[[1,1],2],[[1,1],1],[-1,-2,[],[]],[[1,1],2],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,26,[]],[[1,1],1],[10,5],0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[27,27],[[-1,-2],2,[],[]],[28,2],[29,2],0,0,0,0,0,[[27,27],4],[[27,14],[[9,[2,30]]]],[[27,14],15],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[31,[[16,[27]]]],[32,[[16,[27]]]],[-1,-2,[],[
]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],0,0,0,0,0,0,0,0,0,0,[-1,-2,[],[]],[-1,18,[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,26,[]],[-1,26,[]],[-1,26,[]],[-1,26,[]],[-1,26,[]],[-1,26,[]],[-1,26,[]],[-1,26,[]],[-1,26,[]]],"c":[],"p":[[3,"KeyUsage",2],[15,"tuple"],[15,"u16"],[15,"bool"],[3,"CoseKey",193],[15,"u8"],[3,"Vec",194],[15,"str"],[4,"Result",195],[6,"VerifyingKey",196],[15,"slice"],[15,"array"],[8,"IntoIterator",197],[3,"Formatter",198],[6,"Result",198],[4,"Option",199],[6,"SigningKey",196],[3,"String",200],[6,"ClaimName",201],[4,"Value",202],[3,"CoseSign1",203],[4,"CoseError",204],[3,"ClaimsSet",201],[3,"Iter",205],[3,"IterNames",205],[3,"TypeId",206],[4,"TeePlatform",85],[3,"CertificateAuthority",85],[3,"ApplicationPrivateKeys",85],[3,"Error",198],[15,"u64"],[3,"RootLayerEvidence",85],[3,"Evidence",85],[3,"LayerEvidence",85],[3,"Stage0DiceData",85],[3,"ApplicationKeys",85],[3,"RestrictedKernelDiceData",85]],"b":[[29,"impl-KeyUsage"],[30,"impl-Flags-for-KeyUsage"],[46,"impl-Debug-for-KeyUsage"],[47,"impl-Octal-for-KeyUsage"],[48,"impl-LowerHex-for-KeyUsage"],[49,"impl-UpperHex-for-KeyUsage"],[50,"impl-Binary-for-KeyUsage"],[53,"impl-KeyUsage"],[54,"impl-Flags-for-KeyUsage"],[132,"impl-Display-for-TeePlatform"],[133,"impl-Debug-for-TeePlatform"]]},\
+"oak_dice":{"doc":"Structs and helpers for implementing DICE-based …","t":"AARSSSSSSRRRSSSRRDRRRRRRLLLLLLLLLLLLLLLFFFFLLLLLLLLLLLLLLLFFFFFLLLLLLLLLLLLLLLLLLLLLFNDDRDRDNDRRRRDDRDENMMLLLLLLLLLLLLLLLLLLLLLLMMMMMLMLLLLLLLLLLLLLLLLLLLLLLMMMMMMMMMMLLLLLLLLLLLLLLLLLLLLLLLLLLLLL","n":["cert","evidence","ACPI_MEASUREMENT_ID","CONTENT_COMMITMENT","CRL_SIGN","DATA_ENCIPHERMENT","DECIPHER_ONLY","DIGITAL_SIGNATURE","ENCIPHER_ONLY","INITRD_MEASUREMENT_ID","KERNEL_COMMANDLINE_MEASUREMENT_ID","KERNEL_MEASUREMENT_ID","KEY_AGREEMENT","KEY_CERT_SIGN","KEY_ENCIPHERMENT","KEY_ID_LENGTH","KEY_USAGE_ID","KeyUsage","LAYER_2_CODE_MEASUREMENT_ID","LAYER_3_CODE_MEASUREMENT_ID","LAYER_3_CONFIG_MEASUREMENT_ID","MEMORY_MAP_MEASUREMENT_ID","SETUP_DATA_MEASUREMENT_ID","SUBJECT_PUBLIC_KEY_ID","all","bitand","bitand_assign","bitor","bitor_assign","bits","bits","bitxor","bitxor_assign","borrow","borrow_mut","clone","clone_into","complement","contains","cose_key_to_hpke_public_key","cose_key_to_verifying_key","derive_kem_public_key_id","derive_verifying_key_id","difference","empty","extend","fmt","fmt","fmt","fmt","fmt","from","from_bits","from_bits_retain","from_bits_retain","from_bits_truncate","from_iter","from_name","generate_ecdsa_key_pair","generate_kem_certificate","generate_signing_certificate","get_claims_set_from_certificate_bytes","hpke_public_key_to_cose_key","insert","intersection","intersects","into","into_iter","is_all","is_empty","iter","iter_names","not","remove","set","sub","sub_assign","symmetric_difference","to_owned","toggle","try_from","try_into","type_id","union","verifying_key_to_cose_key","AmdSevSnp","ApplicationKeys","ApplicationPrivateKeys","CERTIFICATE_SIZE","CertificateAuthority","DICE_DATA_CMDLINE_PARAM","Evidence","IntelTdx","LayerEvidence","P256_PRIVATE_KEY_SIZE","PRIVATE_KEY_SIZE","PUBLIC_KEY_SIZE","REPORT_SIZE","RestrictedKernelDiceData","RootLayerEvidence","STAGE0_MAGIC","Stage0DiceData","TeePlatform","Unspecified","application_keys","application_private_keys","borr
ow","borrow","borrow","borrow","borrow","borrow","borrow","borrow","borrow","borrow_mut","borrow_mut","borrow_mut","borrow_mut","borrow_mut","borrow_mut","borrow_mut","borrow_mut","borrow_mut","clone","clone_into","drop","drop","eca_certificate","eca_private_key","eca_public_key","encryption_private_key","encryption_public_key_certificate","eq","evidence","fmt","fmt","from","from","from","from","from","from","from","from","from","from_repr","get_tee_platform","into","into","into","into","into","into","into","into","into","layer_1_certificate_authority","layer_1_evidence","magic","remote_attestation_report","restricted_kernel_evidence","root_layer_evidence","root_layer_evidence","signing_private_key","signing_public_key_certificate","tee_platform","to_owned","to_string","try_from","try_from","try_from","try_from","try_from","try_from","try_from","try_from","try_from","try_into","try_into","try_into","try_into","try_into","try_into","try_into","try_into","try_into","type_id","type_id","type_id","type_id","type_id","type_id","type_id","type_id","type_id"],"q":[[0,"oak_dice"],[2,"oak_dice::cert"],[85,"oak_dice::evidence"],[196,"coset::key"],[197,"alloc::vec"],[198,"core::result"],[199,"p256::ecdsa"],[200,"core::iter::traits::collect"],[201,"core::fmt"],[202,"core::fmt"],[203,"p256::ecdsa"],[204,"coset::cwt"],[205,"ciborium::value"],[206,"coset::sign"],[207,"coset::common"],[208,"coset::cwt"],[209,"bitflags::iter"],[210,"core::fmt"]],"d":["Constants and helper functions to work with CWT-based DICE …","C-like structs for representing DICE data in environments …","ID for the CWT private claim ID corresponding to the hash …","","","","","","","ID for the CWT private claim ID corresponding to the …","ID for the CWT private claim ID corresponding to the VM …","ID for the CWT private claim ID corresponding to the VM …","","","","Length of the unique ID for ECDSA keys generated.","ID for the bitstring used to describe the intended usage …","Intended usage of a key.","ID for 
the CWT private claim label corresponding to the …","ID for the CWT private claim label corresponding to the …","ID for the CWT private claim label corresponding to the …","ID for the CWT private claim ID corresponding to the …","ID for the CWT private claim ID corresponding to the VM …","ID for the CWT private claim corresponding to the Subject …","Returns the set containing all flags.","Returns the intersection between the two sets of flags.","Disables all flags disabled in the set.","Returns the union of the two sets of flags.","Adds the set of flags.","Returns the raw value of the flags currently stored.","","Returns the left flags, but with all the right flags …","Toggles the set of flags.","","","","","Returns the complement of this set of flags.","Returns true if all of the flags in other are contained …","Converts a COSE_Key to a serialized HPKE KEM public key.","Converts a COSE_Key to a ECDSA verifying key.","Derives an ID from an HPKE KEM public key.","Derives an ID from a verifying key.","Returns the difference between the flags in self and other.","Returns an empty set of flags.","","","","","","","Returns the argument unchanged.","Convert from underlying bit representation, unless that …","Convert from underlying bit representation, preserving all …","","Convert from underlying bit representation, dropping any …","","Get the value for a flag from its stringified name.","Generates private/public ECDSA key pair.","Generates a CWT certificate representing a Key …","Generates a CWT certificate representing an ECDSA signing …","Parses a bytes slice as a CWT certificate and extracts the …","Converts a serialized HPKE KEM public key to a COSE_Key …","Inserts the specified flags in-place.","Returns the intersection between the flags in self and …","Returns true if there are flags common to both self and …","Calls U::from(self).","","Returns true if all flags are currently set.","Returns true if no flags are currently stored.","Iterate over enabled flag 
values.","Iterate over enabled flag values with their stringified …","Returns the complement of this set of flags.","Removes the specified flags in-place.","Inserts or removes the specified flags depending on the …","Returns the set difference of the two sets of flags.","Disables all flags enabled in the set.","Returns the symmetric difference between the flags in self …","","Toggles the specified flags in-place.","","","","Returns the union of between the flags in self and other.","Converts an ECDSA verifying key to a COSE_Key …","AMD SEV-SNP.","Certificates for the ECDSA keys that can be used for an …","ECDSA private keys that can be used for an application for …","The maximum size of a serialized CWT certificate.","Private key that can be used by a layer to sign a …","The name of the kernel command-line parameter that is used …","Wrapper for passing the attestation evidence from the …","Intel TDX.","Attestation evidence for non-root layers.","The actual size used when encoding a Nist P256 private key.","The maximum size of an ECDSA private key.","The maximum size of a serialized COSE Key object …","The maximum size of the signed attestation report.","Wrapper for passing the attestation evidence and private …","Attestation evidence generated by Stage 0.","The magic number used to identify the Stage 0 DICE data in …","Wrapper for passing DICE info from Stage0 to the next …","The hardware platform providing the Trusted Execution …","Platform is not specified.","Keys (and associated certificates) that can be used by the …","","","","","","","","","","","","","","","","","","","","","","","","Serialized CWT certificate for the ECA private key owned …","The RAW bytes representing an ECDSA private key.","Serialized COSE Key representation of the ECDSA public key …","The RAW bytes representing an ECDSA private key that can …","Serialized CWT certificate for the encryption private key. 
…","","","","","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Try to create Self from the raw representation","","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","","The evidence about the next layer.","Magic number that is expected to always be set to the …","Byte representation of the signed attestation report …","The evidence about the Restricted Kernel.","The evidence about Stage 0 and the initial state of the VM.","Evidence about Stage 0 and the initial state of the VM.","The RAW bytes representing an ECDSA private key that can …","Serialized CWT certificate for the signing private key. 
…","The hardware platform that generated the remote …","","","","","","","","","","","","","","","","","","","","","","","","","","","","",""],"i":[0,0,0,1,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,27,0,0,0,0,0,0,27,0,0,0,0,0,0,0,0,0,0,27,33,34,27,32,35,28,36,37,29,33,34,27,32,35,28,36,37,29,33,34,27,27,28,29,35,28,32,29,37,27,34,27,27,27,32,35,28,36,37,29,33,34,27,32,27,32,35,28,36,37,29,33,34,36,36,36,32,33,36,33,29,37,32,27,27,27,32,35,28,36,37,29,33,34,27,32,35,28,36,37,29,33,34,27,32,35,28,36,37,29,33,34],"f":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[[],1],[[1,1],1],[[1,1],2],[[1,1],1],[[1,1],2],[1,3],[1,3],[[1,1],1],[[1,1],2],[-1,-2,[],[]],[-1,-2,[],[]],[1,1],[[-1,-2],2,[],[]],[1,1],[[1,1],4],[5,[[9,[[7,[6]],8]]]],[5,[[9,[10,8]]]],[[[11,[6]]],[[12,[6]]]],[10,[[12,[6]]]],[[1,1],1],[[],1],[[1,-1],2,13],[[1,14],15],[[1,14],15],[[1,14],15],[[1,14],15],[[1,14],15],[-1,-1,[]],[3,[[16,[1]]]],[3,1],[3,1],[3,1],[-1,1,13],[8,[[16,[1]]]],[[],[[2,[17,10]]]],[[17,18,[11,[6]],[7,[[2,[19,20]]]]],[[9,[21,22]]]],[[17,18,10,[7,[[2,[19,20]]]]],[[9,[21,22]]]],[[[11,[6]]],[[9,[23,22]]]],[[[11,[6]]],5],[[1,1],2],[[1,1],1],[[1,1],4],[-1,-2,[],[]],[1],[1,4],[1,4],[1,[[24,[1]]]],[1,[[25,[1]]]],[1,1],[[1,1],2],[[1,1,4],2],[[1,1],1],[[1,1],2],[[1,1],1],[-1,-2,[],[]],[[1,1],2],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,26,[]],[[1,1],1],[10,5],0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[27,27],[[-1,-2],2,[],[]],[28,2],[29,2],0,0,0,0,0,[[27,27],4],0,[[27,14],15],[[27,14],[[9,[2,30]]]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[31,[[16,[27]]]],[32,[[16,[27]]
]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],0,0,0,0,0,0,0,0,0,0,[-1,-2,[],[]],[-1,18,[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,[[9,[-2]]],[],[]],[-1,26,[]],[-1,26,[]],[-1,26,[]],[-1,26,[]],[-1,26,[]],[-1,26,[]],[-1,26,[]],[-1,26,[]],[-1,26,[]]],"c":[],"p":[[3,"KeyUsage",2],[15,"tuple"],[15,"u16"],[15,"bool"],[3,"CoseKey",196],[15,"u8"],[3,"Vec",197],[15,"str"],[4,"Result",198],[6,"VerifyingKey",199],[15,"slice"],[15,"array"],[8,"IntoIterator",200],[3,"Formatter",201],[6,"Result",201],[4,"Option",202],[6,"SigningKey",199],[3,"String",203],[6,"ClaimName",204],[4,"Value",205],[3,"CoseSign1",206],[4,"CoseError",207],[3,"ClaimsSet",204],[3,"Iter",208],[3,"IterNames",208],[3,"TypeId",209],[4,"TeePlatform",85],[3,"CertificateAuthority",85],[3,"ApplicationPrivateKeys",85],[3,"Error",201],[15,"u64"],[3,"RootLayerEvidence",85],[3,"Evidence",85],[3,"RestrictedKernelDiceData",85],[3,"LayerEvidence",85],[3,"Stage0DiceData",85],[3,"ApplicationKeys",85]],"b":[[29,"impl-KeyUsage"],[30,"impl-Flags-for-KeyUsage"],[46,"impl-Debug-for-KeyUsage"],[47,"impl-Octal-for-KeyUsage"],[48,"impl-LowerHex-for-KeyUsage"],[49,"impl-UpperHex-for-KeyUsage"],[50,"impl-Binary-for-KeyUsage"],[53,"impl-KeyUsage"],[54,"impl-Flags-for-KeyUsage"],[135,"impl-Debug-for-TeePlatform"],[136,"impl-Display-for-TeePlatform"]]},\
"oak_docker_linux_init":{"doc":"","t":"RAFF","n":["DOCKER_COMMAND_PATH","init","main","init"],"q":[[0,"oak_docker_linux_init"],[3,"oak_docker_linux_init::init"],[4,"anyhow"]],"d":["","","","Performs the minimum initialization required from the …"],"i":[0,0,0,0],"f":[0,0,[[],1],[[],[[3,[2]]]]],"c":[],"p":[[15,"never"],[15,"tuple"],[6,"Result",4]],"b":[]},\
"oak_echo_linux_init":{"doc":"","t":"RAFFF","n":["DEVICE_PATH","init","main","set_console_to_raw_mode","init"],"q":[[0,"oak_echo_linux_init"],[4,"oak_echo_linux_init::init"],[5,"std::os::fd::raw"],[6,"anyhow"]],"d":["","","","","Performs the minimum initialization required from the …"],"i":[0,0,0,0,0],"f":[0,0,[[],1],[2,3],[[],[[4,[3]]]]],"c":[],"p":[[15,"never"],[6,"RawFd",5],[15,"tuple"],[6,"Result",6]],"b":[]},\
"oak_echo_service":{"doc":"","t":"DLLLLLLALLLIDDDDDMMLLLLLLLLLLLLLLLLLLLLKLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL","n":["EchoService","borrow","borrow_mut","default","echo","from","into","proto","try_from","try_into","type_id","Echo","EchoAsyncClient","EchoClient","EchoRequest","EchoResponse","EchoServer","body","body","borrow","borrow","borrow","borrow","borrow","borrow_mut","borrow_mut","borrow_mut","borrow_mut","borrow_mut","clear","clear","clone","clone","clone","clone_into","clone_into","clone_into","default","default","echo","echo","echo","encoded_len","encoded_len","eq","eq","fmt","fmt","from","from","from","from","from","into","into","into","into","into","invoke","new","new","new","to_owned","to_owned","to_owned","try_from","try_from","try_from","try_from","try_from","try_into","try_into","try_into","try_into","try_into","type_id","type_id","type_id","type_id","type_id"],"q":[[0,"oak_echo_service"],[11,"oak_echo_service::proto"],[80,"micro_rpc::status"],[81,"core::result"],[82,"core::any"],[83,"core::clone"],[84,"micro_rpc"],[85,"micro_rpc"],[86,"core::fmt"]],"d":["","","","","","Returns the argument unchanged.","Calls U::from(self).","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Returns the argument unchanged.","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls U::from(self).","Calls 
U::from(self).","","","","","","","","","","","","","","","","","","","","","",""],"i":[0,1,1,1,1,1,1,0,1,1,1,0,0,0,0,0,0,2,3,10,12,2,3,8,10,12,2,3,8,2,3,2,3,8,2,3,8,2,3,22,10,12,2,3,2,3,2,3,10,12,2,3,8,10,12,2,3,8,8,10,12,8,2,3,8,10,12,2,3,8,10,12,2,3,8,10,12,2,3,8],"f":[0,[-1,-2,[],[]],[-1,-2,[],[]],[[],1],[[1,2],[[5,[3,4]]]],[-1,-1,[]],[-1,-2,[],[]],0,[-1,[[5,[-2]]],[],[]],[-1,[[5,[-2]]],[],[]],[-1,6,[]],0,0,0,0,0,0,0,0,[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[2,7],[3,7],[2,2],[3,3],[[[8,[-1]]],[[8,[-1]]],9],[[-1,-2],7,[],[]],[[-1,-2],7,[],[]],[[-1,-2],7,[],[]],[[],2],[[],3],[[-1,2],[[5,[3,4]]],[]],[[[10,[-1]],2],[[5,[[5,[3,4]]]]],11],[[[12,[-1]],2],[[5,[[5,[3,4]]]]],13],[2,14],[3,14],[[2,2],15],[[3,3],15],[[2,16],17],[[3,16],17],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-1,[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[[[8,[-1]],[19,[18]]],[[5,[[20,[18]],21]]],22],[-1,[[10,[-1]]],11],[-1,[[12,[-1]]],13],[-1,[[8,[-1]]],22],[-1,-2,[],[]],[-1,-2,[],[]],[-1,-2,[],[]],[-1,[[5,[-2]]],[],[]],[-1,[[5,[-2]]],[],[]],[-1,[[5,[-2]]],[],[]],[-1,[[5,[-2]]],[],[]],[-1,[[5,[-2]]],[],[]],[-1,[[5,[-2]]],[],[]],[-1,[[5,[-2]]],[],[]],[-1,[[5,[-2]]],[],[]],[-1,[[5,[-2]]],[],[]],[-1,[[5,[-2]]],[],[]],[-1,6,[]],[-1,6,[]],[-1,6,[]],[-1,6,[]],[-1,6,[]]],"c":[],"p":[[3,"EchoService",0],[3,"EchoRequest",11],[3,"EchoResponse",11],[3,"Status",80],[4,"Result",81],[3,"TypeId",82],[15,"tuple"],[3,"EchoServer",11],[8,"Clone",83],[3,"EchoClient",11],[8,"Transport",84],[3,"EchoAsyncClient",11],[8,"AsyncTransport",84],[15,"usize"],[15,"bool"],[3,"Formatter",85],[6,"Result",85],[15,"u8"],[15,"slice"],[3,"Vec",86],[15,"never"],[8,"Echo",11]],"b":[]},\
diff --git a/doc/src-files.js b/doc/src-files.js
index a448bb54e6a..754db134204 100644
--- a/doc/src-files.js
+++ b/doc/src-files.js
@@ -41,7 +41,7 @@ var srcIndex = JSON.parse('{\
"oak_linux_boot_params":["",[],["lib.rs"]],\
"oak_remote_attestation":["",[],["attester.rs","dice.rs","handler.rs","lib.rs"]],\
"oak_remote_attestation_verification":["",[],["lib.rs","rekor.rs","verifier.rs"]],\
-"oak_restricted_kernel":["",[["boot",[],["mod.rs"]],["mm",[],["bitmap_frame_allocator.rs","encrypted_mapper.rs","frame_allocator.rs","mod.rs","page_tables.rs","virtual_address_allocator.rs"]],["syscall",[],["channel.rs","dice_data.rs","fd.rs","key.rs","mmap.rs","mod.rs","process.rs","stdio.rs"]]],["acpi.rs","args.rs","avx.rs","descriptors.rs","elf.rs","ghcb.rs","interrupts.rs","lib.rs","libm.rs","logging.rs","memory.rs","payload.rs","shutdown.rs","snp.rs","snp_guest.rs","virtio.rs"]],\
+"oak_restricted_kernel":["",[["boot",[],["mod.rs"]],["mm",[],["bitmap_frame_allocator.rs","encrypted_mapper.rs","frame_allocator.rs","mod.rs","page_tables.rs","virtual_address_allocator.rs"]],["syscall",[],["channel.rs","dice_data.rs","fd.rs","key.rs","mmap.rs","mod.rs","process.rs","stdio.rs"]]],["acpi.rs","args.rs","avx.rs","descriptors.rs","dice_attestation.rs","elf.rs","ghcb.rs","interrupts.rs","lib.rs","libm.rs","logging.rs","memory.rs","payload.rs","shutdown.rs","snp.rs","snp_guest.rs","virtio.rs"]],\
"oak_restricted_kernel_api":["",[],["channel.rs","lib.rs","logging.rs","raw_syscall.rs","syscall.rs"]],\
"oak_restricted_kernel_interface":["",[],["errno.rs","lib.rs","syscalls.rs"]],\
"oak_sev_guest":["",[],["ap_jump_table.rs","cpuid.rs","crypto.rs","ghcb.rs","guest.rs","instructions.rs","interrupts.rs","io.rs","lib.rs","msr.rs","secrets.rs","vmsa.rs"]],\
diff --git a/doc/src/oak_dice/evidence.rs.html b/doc/src/oak_dice/evidence.rs.html
index bcdcc6ca245..7f8d19654f3 100644
--- a/doc/src/oak_dice/evidence.rs.html
+++ b/doc/src/oak_dice/evidence.rs.html
@@ -181,6 +181,9 @@
181182183
+184
+185
+186
//
// Copyright 2023 The Project Oak Authors
//
@@ -209,6 +212,9 @@
/// The maximum size of an ECDSA private key.
pub const PRIVATE_KEY_SIZE: usize = 64;
+/// The actual size used when encoding a Nist P256 private key.
+pub const P256_PRIVATE_KEY_SIZE: usize = 32;
+
/// The maximum size of a serialized COSE Key object representing an ECDSA public key.
pub const PUBLIC_KEY_SIZE: usize = 256;
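Review bot: Nothing ties the new `P256_PRIVATE_KEY_SIZE` (32) to `PRIVATE_KEY_SIZE` (64), although other hunks in this commit slice key buffers with `[..P256_PRIVATE_KEY_SIZE]`, and that slice panics if the prefix is ever longer than the buffer. Assuming those buffers are sized by `PRIVATE_KEY_SIZE` (the field declarations are outside this hunk), a compile-time check next to the constant would pin the invariant: `static_assertions::const_assert!(P256_PRIVATE_KEY_SIZE <= PRIVATE_KEY_SIZE);`. The doc comment could also state that only the first `P256_PRIVATE_KEY_SIZE` bytes of such a buffer carry key material, and spell the curve as `NIST P-256`.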
@@ -359,8 +365,8 @@
#[derive(AsBytes, FromZeroes, FromBytes)]
#[repr(C)]
pub struct RestrictedKernelDiceData {
- evidence: Evidence,
- application_private_keys: ApplicationPrivateKeys,
+ pub evidence: Evidence,
+ pub application_private_keys: ApplicationPrivateKeys,
}
static_assertions::assert_eq_size!([u8; 5520], RestrictedKernelDiceData);
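Review bot: The two fields made `pub` here carry no doc comments, and `application_private_keys` now exposes raw private-key bytes for reading and writing to any crate that holds a `RestrictedKernelDiceData`. Because the struct also derives `AsBytes`, the whole value, keys included, can be viewed as a byte slice. The field docs should therefore say who is expected to own the value and whether its memory has to be cleared once the keys are handed over; nothing in this hunk shows zeroing on drop. If construction from another crate is the only need, a constructor plus read-only accessors would keep the key field private. Otherwise add at least `/// Private keys handed to the application; secret material, clear after use.` above `application_private_keys` and a matching line above `evidence`.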
diff --git a/doc/src/oak_functions_service/lib.rs.html b/doc/src/oak_functions_service/lib.rs.html
index 336b052f2cd..9c4e763c859 100644
--- a/doc/src/oak_functions_service/lib.rs.html
+++ b/doc/src/oak_functions_service/lib.rs.html
@@ -187,25 +187,6 @@
187188189
-190
-191
-192
-193
-194
-195
-196
-197
-198
-199
-200
-201
-202
-203
-204
-205
-206
-207
-208
//
// Copyright 2022 The Project Oak Authors
//
@@ -247,10 +228,10 @@
pub mod lookup;
pub mod wasm;
-use alloc::{format, sync::Arc, vec, vec::Vec};
+use alloc::{format, string::ToString, sync::Arc, vec, vec::Vec};
use instance::OakFunctionsInstance;
use oak_core::sync::OnceCell;
-use oak_crypto::{encryptor::EncryptionKeyProvider, proto::oak::crypto::v1::EncryptedRequest};
+use oak_crypto::encryptor::EncryptionKeyProvider;
use oak_remote_attestation::{
attester::{AttestationReportGenerator, Attester},
handler::EncryptionHandler,
@@ -337,16 +318,14 @@
let encryption_key_provider = self.encryption_key_provider.clone();
let instance = self.get_instance()?;
- // TODO(#4037): Remove once explicit crypto protos are implemented.
- // Deserialize request.
- let encrypted_request = EncryptedRequest::decode(request.body.as_ref()).map_err(|err| {
+ let encrypted_request = request.encrypted_request.ok_or_else(|| {
micro_rpc::Status::new_with_message(
- micro_rpc::StatusCode::Internal,
- format!("couldn't deserialize request: {:?}", err),
+ micro_rpc::StatusCode::InvalidArgument,
+ "InvokeRequest doesn't contain an encrypted request".to_string(),
)
})?;
- let mut result = EncryptionHandler::create(encryption_key_provider, |r| {
+ EncryptionHandler::create(encryption_key_provider, |r| {
// Wrap the invocation result (which may be an Error) into a micro RPC Response
// wrapper protobuf, and encode that as bytes.
let response_result: Result<Vec<u8>, micro_rpc::Status> =
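Review bot: The `.to_string()` on the new error message, and the `string::ToString` import added for it in the previous hunk, look unnecessary. The code removed later in this commit passed a bare string literal to `micro_rpc::Status::new_with_message`, which suggests the function already accepts `&str`. If that holds, passing `"InvokeRequest doesn't contain an encrypted request",` directly keeps the call consistent with the other call sites and drops the extra import. The enclosing function starts and ends outside this hunk.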
@@ -367,24 +346,7 @@
micro_rpc::StatusCode::Internal,
format!("couldn't call handle_user_request handler: {:?}", err),
)
- });
-
- // TODO(#4037): Remove once explicit crypto protos are implemented.
- if let Ok(ref mut result) = result {
- // Serialize response.
- let serialized_response = result
- .encrypted_response
- .as_ref()
- .ok_or_else(|| {
- micro_rpc::Status::new_with_message(
- micro_rpc::StatusCode::Internal,
- "no encrypted response provided",
- )
- })?
- .encode_to_vec();
- result.body = serialized_response;
- }
- result
+ })
}
fn extend_next_lookup_data(
diff --git a/doc/src/oak_remote_attestation/dice.rs.html b/doc/src/oak_remote_attestation/dice.rs.html
index 248d6a86fc1..8d243fd1c7e 100644
--- a/doc/src/oak_remote_attestation/dice.rs.html
+++ b/doc/src/oak_remote_attestation/dice.rs.html
@@ -246,9 +246,6 @@
246247248
-249
-250
-251
//
// Copyright 2023 The Project Oak Authors
//
@@ -285,9 +282,6 @@
};
use p256::ecdsa::{SigningKey, VerifyingKey};
-/// The actual size used when encoding a Nist P256 private key.
-const P256_PRIVATE_KEY_SIZE: usize = 32;
-
/// The size of the attestation report generated by AMD SEV-SNP.
///
/// See Table 21 in <https://www.amd.com/system/files/TechDocs/56860.pdf>.
@@ -474,7 +468,7 @@
});
let certificate_authority = Some(CertificateAuthority {
eca_private_key: value.layer_1_certificate_authority.eca_private_key
- [..P256_PRIVATE_KEY_SIZE]
+ [..oak_dice::evidence::P256_PRIVATE_KEY_SIZE]
.to_vec(),
});
diff --git a/doc/src/oak_restricted_kernel/dice_attestation.rs.html b/doc/src/oak_restricted_kernel/dice_attestation.rs.html
new file mode 100644
index 00000000000..e74541777f9
--- /dev/null
+++ b/doc/src/oak_restricted_kernel/dice_attestation.rs.html
@@ -0,0 +1,191 @@
+dice_attestation.rs - source
//
+// Copyright 2023 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+use crate::alloc::string::ToString;
+use coset::CborSerializable;
+use zerocopy::FromZeroes;
+
+/// Generates an ECA certificate for use by the application.
+fn generate_application_certificate(
+ kernel_signing_key: &p256::ecdsa::SigningKey,
+ kernel_cert_issuer: alloc::string::String,
+ application_verifying_key: &p256::ecdsa::VerifyingKey,
+ app_digest: &[u8],
+) -> coset::CoseSign1 {
+ let additional_claims = alloc::vec![(
+ coset::cwt::ClaimName::PrivateUse(oak_dice::cert::LAYER_2_CODE_MEASUREMENT_ID),
+ coset::cbor::value::Value::Bytes(app_digest.into()),
+ )];
+ oak_dice::cert::generate_signing_certificate(
+ kernel_signing_key,
+ kernel_cert_issuer,
+ application_verifying_key,
+ additional_claims,
+ )
+ .expect("couldn't generate signing certificate")
+}
+
+/// Generates attestation evidence for the 'measurement' of the application.
+pub fn generate_dice_data(
+ stage0_dice_data: oak_dice::evidence::Stage0DiceData,
+ app_digest: &[u8],
+) -> oak_dice::evidence::RestrictedKernelDiceData {
+ let (application_signing_key, application_verifying_key) =
+ oak_dice::cert::generate_ecdsa_key_pair();
+
+ let kernel_signing_key = p256::ecdsa::SigningKey::from_slice(
+ &stage0_dice_data
+ .layer_1_certificate_authority
+ .eca_private_key[..oak_dice::evidence::P256_PRIVATE_KEY_SIZE],
+ )
+ .expect("failed to parse the layer1 ECDSA private key bytes");
+
+ let application_eca_cert = generate_application_certificate(
+ &kernel_signing_key,
+ // TODO(#4074): Pass the correct cert issuer by parsing the stage0_dice_data and retrieving
+ // it.
+ "Mock Cert issuer.".to_string(),
+ &application_verifying_key,
+ app_digest,
+ );
+
+ let application_keys = {
+ let mut keys = oak_dice::evidence::ApplicationKeys::new_zeroed();
+ let application_eca_cert_vec = application_eca_cert
+ .to_vec()
+ .expect("couldn't serialize application signing 1 ECA certificate");
+ keys.signing_public_key_certificate[..application_eca_cert_vec.len()]
+ .copy_from_slice(&application_eca_cert_vec);
+ // TODO(#4074): Implement the encryption key.
+ keys
+ };
+
+ let application_private_keys: oak_dice::evidence::ApplicationPrivateKeys = {
+ let signing_private_key_bytes = application_signing_key.to_bytes();
+ let mut keys = oak_dice::evidence::ApplicationPrivateKeys::new_zeroed();
+ keys.signing_private_key[..signing_private_key_bytes.as_slice().len()]
+ .copy_from_slice(signing_private_key_bytes.as_slice());
+ // TODO(#4074): Implement the encryption key.
+ keys
+ };
+
+ let evidence = oak_dice::evidence::Evidence {
+ root_layer_evidence: stage0_dice_data.root_layer_evidence,
+ restricted_kernel_evidence: stage0_dice_data.layer_1_evidence,
+ application_keys,
+ };
+
+ oak_dice::evidence::RestrictedKernelDiceData {
+ evidence,
+ application_private_keys,
+ }
+}
+
\ No newline at end of file
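Review bot: In `generate_dice_data` the layer 1 ECA private key inside `stage0_dice_data` is read once to build `kernel_signing_key`, and the by-value struct is then dropped without being overwritten. `signing_private_key_bytes` appears to be a second plain copy of the application key that also goes out of scope uncleared. A DICE layer's CA key should not outlive the certificate it signs, so I would bind the argument mutably and overwrite `layer_1_certificate_authority.eca_private_key` as soon as `application_eca_cert` exists, using a wipe the optimiser cannot elide, since an ordinary store to a value about to be dropped can be removed. The memory that `lib.rs` reads `stage0_dice_data` from is outside this hunk and presumably needs the same clearing before the application runs. Separately, the copy into `signing_public_key_certificate[..application_eca_cert_vec.len()]` panics with a bare slice-index message if the serialized certificate outgrows the field; `assert!(application_eca_cert_vec.len() <= keys.signing_public_key_certificate.len(), "application certificate too large");` placed before it would make that failure self-explanatory.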
diff --git a/doc/src/oak_restricted_kernel/lib.rs.html b/doc/src/oak_restricted_kernel/lib.rs.html
index 33f5c810420..cfeaa548f92 100644
--- a/doc/src/oak_restricted_kernel/lib.rs.html
+++ b/doc/src/oak_restricted_kernel/lib.rs.html
@@ -395,6 +395,10 @@
395396397
+398
+399
+400
+401
//
// Copyright 2022 The Project Oak Authors
//
@@ -438,6 +442,7 @@
mod avx;
mod boot;
mod descriptors;
+mod dice_attestation;
mod elf;
mod ghcb;
mod interrupts;
@@ -580,7 +585,7 @@
.unwrap()
};
- let _stage0_dice_data = {
+ let stage0_dice_data = {
let dice_memory_slice = {
let e820_dice_data_entry = info
.e820_table()
@@ -724,6 +729,9 @@
let application = payload::Application::load_raw(&mut *channel)
.expect("failed to load application binary from channel");
+ let restricted_kernel_dice_data =
+ dice_attestation::generate_dice_data(stage0_dice_data, application.digest());
+
let derived_key = if sev_snp_enabled {
snp_guest::get_derived_key().expect("couldn't derive key")
} else {
@@ -736,7 +744,7 @@
extraction.input_ikm(application.digest());
let (derived_key, _) = extraction.finalize();
- syscall::enable_syscalls(channel, derived_key.into());
+ syscall::enable_syscalls(channel, restricted_kernel_dice_data, derived_key.into());
// Safety: we've loaded the Restricted Application. Whether that's valid or not is no longer
// under the kernel's control.
diff --git a/doc/src/oak_restricted_kernel/syscall/mod.rs.html b/doc/src/oak_restricted_kernel/syscall/mod.rs.html
index 9e071060237..ee111f5198f 100644
--- a/doc/src/oak_restricted_kernel/syscall/mod.rs.html
+++ b/doc/src/oak_restricted_kernel/syscall/mod.rs.html
@@ -251,10 +251,6 @@
251252253
-254
-255
-256
-257
//
// Copyright 2022 The Project Oak Authors
//
@@ -320,15 +316,11 @@
user_flags: usize,
}
-fn mock_dice_data() -> DiceData {
- <DiceData as zerocopy::FromZeroes>::new_zeroed()
-}
-
-pub fn enable_syscalls(channel: Box<dyn Channel>, derived_key: DerivedKey) {
+pub fn enable_syscalls(channel: Box<dyn Channel>, dice_data: DiceData, derived_key: DerivedKey) {
channel::register(channel);
stdio::register();
key::register(derived_key);
- dice_data::register(mock_dice_data());
+ dice_data::register(dice_data);
// Allocate a stack for the system call handler.
let kernel_sp = mm::allocate_stack();
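Review bot: `enable_syscalls` has no doc comment, and with `mock_dice_data()` removed its `dice_data` argument is no longer zero-filled. The `lib.rs` call now passes the `RestrictedKernelDiceData` built by `generate_dice_data`, which contains `application_private_keys`. I would add `/// Registers the syscall backends. The DICE data carries the application's private keys and is moved into the dice_data module; callers must not keep another copy.` above the signature. What `dice_data::register` does with the value is outside this hunk, and the function body continues past the last context line.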