Merge "Make the RKP VM marker affect the sealing CDI" into main
diff --git a/pvmfw/Android.bp b/pvmfw/Android.bp
index 9a2b3ef..6a6d199 100644
--- a/pvmfw/Android.bp
+++ b/pvmfw/Android.bp
@@ -110,6 +110,7 @@
"libciborium",
"libdiced_open_dice_nostd",
"libpvmfw_avb_nostd",
+ "libzerocopy_nostd",
],
}
diff --git a/pvmfw/src/dice.rs b/pvmfw/src/dice.rs
index 99bf589..540fd03 100644
--- a/pvmfw/src/dice.rs
+++ b/pvmfw/src/dice.rs
@@ -21,6 +21,7 @@
Hash, InputValues, HIDDEN_SIZE,
};
use pvmfw_avb::{Capability, DebugLevel, Digest, VerifiedBootData};
+use zerocopy::AsBytes;
fn to_dice_mode(debug_level: DebugLevel) -> DiceMode {
match debug_level {
@@ -72,12 +73,30 @@
Config::Descriptor(config),
self.auth_hash,
self.mode,
- *salt,
+ self.make_hidden(salt)?,
);
let _ = bcc_handover_main_flow(current_bcc_handover, &dice_inputs, next_bcc)?;
Ok(())
}
+ fn make_hidden(&self, salt: &[u8; HIDDEN_SIZE]) -> diced_open_dice::Result<[u8; HIDDEN_SIZE]> {
+ // We want to make sure we get a different sealing CDI for:
+ // - VMs with different salt values
+ // - An RKP VM and any other VM (regardless of salt)
+ // The hidden input for DICE affects the sealing CDI (but the values in the config
+ // descriptor do not).
+ // Since the hidden input has to be a fixed size, create it as a hash of the values we
+ // want included.
+ #[derive(AsBytes)]
+ #[repr(C, packed)]
+ struct HiddenInput {
+ rkp_vm_marker: bool,
+ salt: [u8; HIDDEN_SIZE],
+ }
+
+ hash(HiddenInput { rkp_vm_marker: self.rkp_vm_marker, salt: *salt }.as_bytes())
+ }
+
fn generate_config_descriptor<'a>(
&self,
config_descriptor_buffer: &'a mut [u8],
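Review bot: The byte layout of `HiddenInput` (one `bool` byte followed by the `HIDDEN_SIZE`-byte salt) is now part of the sealing-CDI derivation, but nothing in the hunk records that; reordering the fields, widening the marker, or inserting a field would silently rotate every VM's sealing CDI and make data sealed under the old value unrecoverable. I would turn the `//` block at the top of `make_hidden` into a `///` doc comment on the function and put a one-line marker above the struct, e.g. `// Layout is a stable input to the sealing CDI: do not reorder or resize these fields.` The `#[repr(C, packed)]` plus `AsBytes` derive does give a padding-free, deterministic encoding, and the return type already forces `hash`'s output to be exactly `HIDDEN_SIZE` bytes at compile time, so no runtime check is needed. The enclosing `impl` block starts before this hunk.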