commit 12e4c865f5369710412f2567571a18ff9bb9ebae
author Alice Wang <aliceywang@google.com> Mon Dec 11 13:52:27 2023 +0000
committer Alice Wang <aliceywang@google.com> Wed Dec 13 13:06:26 2023 +0000
tree 3b9e5b6bf23d521b36b2aaea487e46b3878a923e
parent 418f16b6d1116806cdb2c1bff8fa49ed2b6d2000

[rkpvm] Implement RKP VM rollback protection in pvmfw

Bug: 313608221
Test: atest rialto_test
Change-Id: Iba3836cae1b2df16d0da69f80310ff0552961c95

pvmfw/src/instance.rs

diff --git a/pvmfw/src/instance.rs b/pvmfw/src/instance.rs
index f2cd6a3..a998bfb 100644
--- a/pvmfw/src/instance.rs
+++ b/pvmfw/src/instance.rs
@@ -141,6 +141,17 @@
             let decrypted = aead.open(&mut entry, payload).map_err(Error::FailedOpen)?;
 
             let body = EntryBody::read_from(decrypted).unwrap();
+            if dice_inputs.rkp_vm_marker {
+                // The RKP VM is allowed to run if it has passed the verified boot check and
+                // contains the expected version in its AVB footer.
+                // The comparison below with the previous boot information is skipped to enable the
+                // simultaneous update of the pvmfw and RKP VM.
+                // For instance, when both the pvmfw and RKP VM are updated, the code hash of the
+                // RKP VM will differ from the one stored in the instance image. In this case, the
+                // RKP VM is still allowed to run.
+                // This ensures that the updated RKP VM will retain the same CDIs in the next stage.
+                return Ok((false, body.salt));
+            }
             if body.code_hash != dice_inputs.code_hash {
                 Err(Error::RecordedCodeHashMismatch)
             } else if body.auth_hash != dice_inputs.auth_hash {