Merge "[LSC] Add LOCAL_LICENSE_KINDS to packages/modules/Virtualization"
diff --git a/compos/composd/src/instance_manager.rs b/compos/composd/src/instance_manager.rs
index 2db13c7..98d4a1b 100644
--- a/compos/composd/src/instance_manager.rs
+++ b/compos/composd/src/instance_manager.rs
@@ -27,7 +27,7 @@
 use virtualizationservice::IVirtualizationService::IVirtualizationService;
 
 // Enough memory to complete odrefresh in the VM.
-const VM_MEMORY_MIB: i32 = 1280;
+const VM_MEMORY_MIB: i32 = 1024;
 
 pub struct InstanceManager {
     service: Strong<dyn IVirtualizationService>,
diff --git a/docs/debug/tracing.md b/docs/debug/tracing.md
index 7d7ea0c..0038440 100644
--- a/docs/debug/tracing.md
+++ b/docs/debug/tracing.md
@@ -72,4 +72,49 @@
 
 ## Microdroid VM tracing
 
+IMPORTANT: Tracing is only supported for debuggable Microdroid VMs.
+
+### Capturing trace in Microdroid
+
+Starting with Android U, Microdroid contains Perfetto tracing binaries, which makes it possible to
+capture traces inside Microdroid VM using Perfetto stack. The commands used to capture traces on
+Android should work for Microdroid VM as well, with a difference that Perfetto's tracing binaries
+are not enabled in Microdroid by default, so you need to manually start them by setting
+`persist.traced.enable` system property to `1`.
+
+Here is a quick example on how trace Microdroid VM:
+
+1. First start your VM. For this example we are going to use
+`adb shell /apex/com.android.virt/bin/vm run-microdroid`.
+
+2. Set up an adb connection with the running VM:
+```shell
+adb shell forward tcp:9876 vsock:${CID}:5555
+adb connect localhost:9876
+adb -s localhost:9876 root
+```
+Where `${CID}` corresponds to the running Microdroid VM that you want to establish adb connection
+with. List of running VMs can be obtained by running `adb shell /apex/com.android.virt/bin/vm list`.
+Alternatively you can use `vm_shell` utility to connect to a running VM, i.e.: `vm_shell connect`.
+
+3. Start Perfetto daemons and capture trace
+```shell
+adb -s localhost:9876 shell setprop persist.traced.enable 1
+${ANDROID_BULD_TOP}/external/perfetto/tools/record_android_trace \
+  -s localhost:9876 \
+  -o /tmp/microdroid-trace-file.pftrace \
+  -t 10s \
+  -b 32mb \
+  sched/sched_switch task/task_newtask sched/sched_process_exit
+```
+
+If you don't have Android repo checked out, then you can download the record_android_trace script by
+following the following [instructions](
+https://perfetto.dev/docs/quickstart/android-tracing#recording-a-trace-through-the-cmdline)
+
+More documentation on Perfetto's tracing on Android is available here:
+https://perfetto.dev/docs/quickstart/android-tracing
+
+### Capturing Microdroid boot trace
+
 TODO(b/271412868): Stay tuned, more docs are coming soon!
diff --git a/libs/apkverify/Android.bp b/libs/apkverify/Android.bp
index e556842..83dbff6 100644
--- a/libs/apkverify/Android.bp
+++ b/libs/apkverify/Android.bp
@@ -45,7 +45,9 @@
     edition: "2021",
     test_suites: ["general-tests"],
     rustlibs: [
+        "libandroid_logger",
         "libapkverify",
+        "liblog_rust",
         "libzip",
     ],
     data: ["tests/data/*"],
diff --git a/libs/apkverify/tests/apkverify_test.rs b/libs/apkverify/tests/apkverify_test.rs
index f08b357..52e1da4 100644
--- a/libs/apkverify/tests/apkverify_test.rs
+++ b/libs/apkverify/tests/apkverify_test.rs
@@ -17,6 +17,7 @@
 use apkverify::{
     get_apk_digest, get_public_key_der, testing::assert_contains, verify, SignatureAlgorithmID,
 };
+use log::info;
 use std::{fs, matches, path::Path};
 
 const KEY_NAMES_DSA: &[&str] = &["1024", "2048", "3072"];
@@ -25,8 +26,19 @@
 
 const SDK_INT: u32 = 31;
 
+/// Make sure any logging from the code under test ends up in logcat.
+fn setup() {
+    android_logger::init_once(
+        android_logger::Config::default()
+            .with_tag("apkverify_test")
+            .with_min_level(log::Level::Info),
+    );
+    info!("Test starting");
+}
+
 #[test]
 fn test_verify_truncated_cd() {
+    setup();
     use zip::result::ZipError;
     let res = verify("tests/data/v2-only-truncated-cd.apk", SDK_INT);
     // TODO(b/190343842): consider making a helper for err assertion
@@ -38,11 +50,13 @@
 
 #[test]
 fn apex_signed_with_v3_rsa_pkcs1_sha512_is_valid() {
+    setup();
     validate_apk("tests/data/test.apex", SignatureAlgorithmID::RsaPkcs1V15WithSha512);
 }
 
 #[test]
 fn apks_signed_with_v3_dsa_sha256_are_not_supported() {
+    setup();
     for key_name in KEY_NAMES_DSA.iter() {
         let res = verify(format!("tests/data/v3-only-with-dsa-sha256-{}.apk", key_name), SDK_INT);
         assert!(res.is_err(), "DSA algorithm is not supported for verification. See b/197052981.");
@@ -52,6 +66,7 @@
 
 #[test]
 fn apks_signed_with_v3_ecdsa_sha256_are_valid() {
+    setup();
     for key_name in KEY_NAMES_ECDSA.iter() {
         validate_apk(
             format!("tests/data/v3-only-with-ecdsa-sha256-{}.apk", key_name),
@@ -62,6 +77,7 @@
 
 #[test]
 fn apks_signed_with_v3_ecdsa_sha512_are_valid() {
+    setup();
     for key_name in KEY_NAMES_ECDSA.iter() {
         validate_apk(
             format!("tests/data/v3-only-with-ecdsa-sha512-{}.apk", key_name),
@@ -72,6 +88,7 @@
 
 #[test]
 fn apks_signed_with_v3_rsa_pkcs1_sha256_are_valid() {
+    setup();
     for key_name in KEY_NAMES_RSA.iter() {
         validate_apk(
             format!("tests/data/v3-only-with-rsa-pkcs1-sha256-{}.apk", key_name),
@@ -82,6 +99,7 @@
 
 #[test]
 fn apks_signed_with_v3_rsa_pkcs1_sha512_are_valid() {
+    setup();
     for key_name in KEY_NAMES_RSA.iter() {
         validate_apk(
             format!("tests/data/v3-only-with-rsa-pkcs1-sha512-{}.apk", key_name),
@@ -91,7 +109,29 @@
 }
 
 #[test]
+fn test_verify_v3_sig_min_max_sdk() {
+    setup();
+    // The Signer for this APK has min_sdk=24, max_sdk=32.
+    let path = "tests/data/v31-rsa-2048_2-tgt-33-1-tgt-28.apk";
+
+    let res = verify(path, 23);
+    assert!(res.is_err());
+    assert_contains(&res.unwrap_err().to_string(), "0 signers found");
+
+    let res = verify(path, 24);
+    assert!(res.is_ok());
+
+    let res = verify(path, 32);
+    assert!(res.is_ok());
+
+    let res = verify(path, 33);
+    assert!(res.is_err());
+    assert_contains(&res.unwrap_err().to_string(), "0 signers found");
+}
+
+#[test]
 fn test_verify_v3_sig_does_not_verify() {
+    setup();
     let path_list = [
         "tests/data/v3-only-with-ecdsa-sha512-p521-sig-does-not-verify.apk",
         "tests/data/v3-only-with-rsa-pkcs1-sha256-3072-sig-does-not-verify.apk",
@@ -105,6 +145,7 @@
 
 #[test]
 fn test_verify_v3_digest_mismatch() {
+    setup();
     let res = verify("tests/data/v3-only-with-rsa-pkcs1-sha512-8192-digest-mismatch.apk", SDK_INT);
     assert!(res.is_err());
     assert_contains(&res.unwrap_err().to_string(), "Digest mismatch");
@@ -112,6 +153,7 @@
 
 #[test]
 fn test_verify_v3_wrong_apk_sig_block_magic() {
+    setup();
     let res =
         verify("tests/data/v3-only-with-ecdsa-sha512-p384-wrong-apk-sig-block-magic.apk", SDK_INT);
     assert!(res.is_err());
@@ -120,6 +162,7 @@
 
 #[test]
 fn test_verify_v3_apk_sig_block_size_mismatch() {
+    setup();
     let res = verify(
         "tests/data/v3-only-with-rsa-pkcs1-sha512-4096-apk-sig-block-size-mismatch.apk",
         SDK_INT,
@@ -133,6 +176,7 @@
 
 #[test]
 fn test_verify_v3_cert_and_public_key_mismatch() {
+    setup();
     let res = verify("tests/data/v3-only-cert-and-public-key-mismatch.apk", SDK_INT);
     assert!(res.is_err());
     assert_contains(&res.unwrap_err().to_string(), "Public key mismatch");
@@ -140,6 +184,7 @@
 
 #[test]
 fn test_verify_v3_empty() {
+    setup();
     let res = verify("tests/data/v3-only-empty.apk", SDK_INT);
     assert!(res.is_err());
     assert_contains(&res.unwrap_err().to_string(), "APK too small for APK Signing Block");
@@ -147,6 +192,7 @@
 
 #[test]
 fn test_verify_v3_no_certs_in_sig() {
+    setup();
     let res = verify("tests/data/v3-only-no-certs-in-sig.apk", SDK_INT);
     assert!(res.is_err());
     assert_contains(&res.unwrap_err().to_string(), "No certificates listed");
@@ -154,6 +200,7 @@
 
 #[test]
 fn test_verify_v3_no_supported_sig_algs() {
+    setup();
     let res = verify("tests/data/v3-only-no-supported-sig-algs.apk", SDK_INT);
     assert!(res.is_err());
     assert_contains(&res.unwrap_err().to_string(), "No supported APK signatures found");
@@ -161,6 +208,7 @@
 
 #[test]
 fn test_verify_v3_signatures_and_digests_block_mismatch() {
+    setup();
     let res = verify("tests/data/v3-only-signatures-and-digests-block-mismatch.apk", SDK_INT);
     assert!(res.is_err());
     assert_contains(
@@ -171,6 +219,7 @@
 
 #[test]
 fn apk_signed_with_v3_unknown_additional_attr_is_valid() {
+    setup();
     validate_apk(
         "tests/data/v3-only-unknown-additional-attr.apk",
         SignatureAlgorithmID::RsaPkcs1V15WithSha256,
@@ -179,6 +228,7 @@
 
 #[test]
 fn apk_signed_with_v3_unknown_pair_in_apk_sig_block_is_valid() {
+    setup();
     validate_apk(
         "tests/data/v3-only-unknown-pair-in-apk-sig-block.apk",
         SignatureAlgorithmID::RsaPkcs1V15WithSha256,
@@ -187,6 +237,7 @@
 
 #[test]
 fn apk_signed_with_v3_ignorable_unsupported_sig_algs_is_valid() {
+    setup();
     validate_apk(
         "tests/data/v3-only-with-ignorable-unsupported-sig-algs.apk",
         SignatureAlgorithmID::RsaPkcs1V15WithSha256,
@@ -195,6 +246,7 @@
 
 #[test]
 fn apk_signed_with_v3_stamp_is_valid() {
+    setup();
     validate_apk("tests/data/v3-only-with-stamp.apk", SignatureAlgorithmID::EcdsaWithSha256);
 }
 
diff --git a/libs/apkverify/tests/data/v31-rsa-2048_2-tgt-33-1-tgt-28.apk b/libs/apkverify/tests/data/v31-rsa-2048_2-tgt-33-1-tgt-28.apk
new file mode 100644
index 0000000..aeaec33
--- /dev/null
+++ b/libs/apkverify/tests/data/v31-rsa-2048_2-tgt-33-1-tgt-28.apk
Binary files differ
diff --git a/libs/fdtpci/src/lib.rs b/libs/fdtpci/src/lib.rs
index e32e16d..96d98d6 100644
--- a/libs/fdtpci/src/lib.rs
+++ b/libs/fdtpci/src/lib.rs
@@ -197,24 +197,32 @@
     Ok(memory_address..memory_address + memory_size)
 }
 
+/// Encodes memory flags of a PCI range
 #[derive(Copy, Clone, Debug, Eq, PartialEq)]
-struct PciMemoryFlags(u32);
+pub struct PciMemoryFlags(pub u32);
 
 impl PciMemoryFlags {
+    /// Returns whether this PCI range is prefetchable
     pub fn prefetchable(self) -> bool {
         self.0 & 0x80000000 != 0
     }
 
+    /// Returns the type of this PCI range
     pub fn range_type(self) -> PciRangeType {
         PciRangeType::from((self.0 & 0x3000000) >> 24)
     }
 }
 
+/// Type of a PCI range
 #[derive(Copy, Clone, Debug, Eq, PartialEq)]
-enum PciRangeType {
+pub enum PciRangeType {
+    /// Range represents the PCI configuration space
     ConfigurationSpace,
+    /// Range is on IO space
     IoSpace,
+    /// Range is on 32-bit MMIO space
     Memory32,
+    /// Range is on 64-bit MMIO space
     Memory64,
 }
 
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index a2a4138..0abaf79 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -70,7 +70,6 @@
         "libartpalette-system",
 
         "apexd.microdroid",
-        "atrace",
         "debuggerd",
         "linker",
         "tombstoned.microdroid",
@@ -89,6 +88,12 @@
         "libvm_payload", // used by payload to interact with microdroid manager
 
         "prng_seeder_microdroid",
+
+        // Binaries required to capture traces in Microdroid.
+        "atrace",
+        "traced",
+        "traced_probes",
+        "perfetto",
     ] + microdroid_shell_and_utilities,
     multilib: {
         common: {
diff --git a/pvmfw/Android.bp b/pvmfw/Android.bp
index b56df4f..0d845f9 100644
--- a/pvmfw/Android.bp
+++ b/pvmfw/Android.bp
@@ -54,6 +54,7 @@
     // partition image. This is just to package the unstripped file into the
     // symbols zip file for debugging purpose.
     installable: true,
+    native_coverage: false,
 }
 
 raw_binary {
diff --git a/pvmfw/platform.dts b/pvmfw/platform.dts
index 056fa2f..127f69a 100644
--- a/pvmfw/platform.dts
+++ b/pvmfw/platform.dts
@@ -245,4 +245,11 @@
 		clock-names = "apb_pclk";
 		clocks = <&clk>;
 	};
+
+	vmwdt@3000 {
+		compatible = "qemu,vcpu-stall-detector";
+		reg = <0x00 0x3000 0x00 0x1000>;
+		clock-frequency = <10>;
+		timeout-sec = <8>;
+	};
 };
diff --git a/pvmfw/src/fdt.rs b/pvmfw/src/fdt.rs
index 793eaac..f4b0244 100644
--- a/pvmfw/src/fdt.rs
+++ b/pvmfw/src/fdt.rs
@@ -14,10 +14,19 @@
 
 //! High-level FDT functions.
 
+use crate::helpers::GUEST_PAGE_SIZE;
+use crate::RebootReason;
 use core::ffi::CStr;
+use core::num::NonZeroUsize;
 use core::ops::Range;
+use fdtpci::PciMemoryFlags;
+use fdtpci::PciRangeType;
+use libfdt::AddressRange;
+use libfdt::CellIterator;
 use libfdt::Fdt;
 use libfdt::FdtError;
+use log::error;
+use tinyvec::ArrayVec;
 
 /// Extract from /config the address range containing the pre-loaded kernel.
 pub fn kernel_range(fdt: &libfdt::Fdt) -> libfdt::Result<Option<Range<usize>>> {
@@ -51,6 +60,405 @@
     Ok(None)
 }
 
+/// Read and validate the size and base address of memory, and returns the size
+fn parse_memory_node(fdt: &libfdt::Fdt) -> Result<NonZeroUsize, RebootReason> {
+    let memory_range = fdt
+        .memory()
+        // Actually, these checks are unnecessary because we read /memory node in entry.rs
+        // where the exactly same checks are done. We are repeating the same check just for
+        // extra safety (in case when the code structure changes in the future).
+        .map_err(|e| {
+            error!("Failed to get /memory from the DT: {e}");
+            RebootReason::InvalidFdt
+        })?
+        .ok_or_else(|| {
+            error!("Node /memory was found empty");
+            RebootReason::InvalidFdt
+        })?
+        .next()
+        .ok_or_else(|| {
+            error!("Failed to read memory range from the DT");
+            RebootReason::InvalidFdt
+        })?;
+
+    let base = memory_range.start;
+    if base as u64 != DeviceTreeInfo::RAM_BASE_ADDR {
+        error!("Memory base address {:#x} is not {:#x}", base, DeviceTreeInfo::RAM_BASE_ADDR);
+        return Err(RebootReason::InvalidFdt);
+    }
+
+    let size = memory_range.len(); // end is exclusive
+    if size % GUEST_PAGE_SIZE != 0 {
+        error!("Memory size {:#x} is not a multiple of page size {:#x}", size, GUEST_PAGE_SIZE);
+        return Err(RebootReason::InvalidFdt);
+    }
+    // In the u-boot implementation, we checked if base + size > u64::MAX, but we don't need that
+    // because memory() function uses checked_add when constructing the Range object. If an
+    // overflow happened, we should have gotten None from the next() call above and would have
+    // bailed already.
+
+    NonZeroUsize::new(size).ok_or_else(|| {
+        error!("Memory size can't be 0");
+        RebootReason::InvalidFdt
+    })
+}
+
+/// Read the number of CPUs
+fn parse_cpu_nodes(fdt: &libfdt::Fdt) -> Result<NonZeroUsize, RebootReason> {
+    let num = fdt
+        .compatible_nodes(CStr::from_bytes_with_nul(b"arm,arm-v8\0").unwrap())
+        .map_err(|e| {
+            error!("Failed to read compatible nodes \"arm,arm-v8\" from DT: {e}");
+            RebootReason::InvalidFdt
+        })?
+        .count();
+    NonZeroUsize::new(num).ok_or_else(|| {
+        error!("Number of CPU can't be 0");
+        RebootReason::InvalidFdt
+    })
+}
+
+#[derive(Debug)]
+#[allow(dead_code)] // TODO: remove this
+struct PciInfo {
+    ranges: [Range<u64>; 2],
+    num_irq: usize,
+}
+
+/// Read and validate PCI node
+fn parse_pci_nodes(fdt: &libfdt::Fdt) -> Result<PciInfo, RebootReason> {
+    let node = fdt
+        .compatible_nodes(CStr::from_bytes_with_nul(b"pci-host-cam-generic\0").unwrap())
+        .map_err(|e| {
+            error!("Failed to read compatible node \"pci-host-cam-generic\" from DT: {e}");
+            RebootReason::InvalidFdt
+        })?
+        .next()
+        .ok_or_else(|| {
+            // pvmfw requires at least one pci device (virtio-blk) for the instance disk. So,
+            // let's fail early.
+            error!("Compatible node \"pci-host-cam-generic\" doesn't exist");
+            RebootReason::InvalidFdt
+        })?;
+
+    let mut iter = node
+        .ranges::<(u32, u64), u64, u64>()
+        .map_err(|e| {
+            error!("Failed to read ranges from PCI node: {e}");
+            RebootReason::InvalidFdt
+        })?
+        .ok_or_else(|| {
+            error!("PCI node missing ranges property");
+            RebootReason::InvalidFdt
+        })?;
+
+    let range0 = iter.next().ok_or_else(|| {
+        error!("First range missing in PCI node");
+        RebootReason::InvalidFdt
+    })?;
+    let range0 = get_and_validate_pci_range(&range0)?;
+
+    let range1 = iter.next().ok_or_else(|| {
+        error!("Second range missing in PCI node");
+        RebootReason::InvalidFdt
+    })?;
+    let range1 = get_and_validate_pci_range(&range1)?;
+
+    let num_irq = count_and_validate_pci_irq_masks(&node)?;
+
+    validate_pci_irq_maps(&node)?;
+
+    Ok(PciInfo { ranges: [range0, range1], num_irq })
+}
+
+fn get_and_validate_pci_range(
+    range: &AddressRange<(u32, u64), u64, u64>,
+) -> Result<Range<u64>, RebootReason> {
+    let mem_flags = PciMemoryFlags(range.addr.0);
+    let range_type = mem_flags.range_type();
+    let prefetchable = mem_flags.prefetchable();
+    let bus_addr = range.addr.1;
+    let cpu_addr = range.parent_addr;
+    let size = range.size;
+    if range_type != PciRangeType::Memory64 {
+        error!("Invalid range type {:?} for bus address {:#x} in PCI node", range_type, bus_addr);
+        return Err(RebootReason::InvalidFdt);
+    }
+    if prefetchable {
+        error!("PCI bus address {:#x} in PCI node is prefetchable", bus_addr);
+        return Err(RebootReason::InvalidFdt);
+    }
+    // Enforce ID bus-to-cpu mappings, as used by crosvm.
+    if bus_addr != cpu_addr {
+        error!("PCI bus address: {:#x} is different from CPU address: {:#x}", bus_addr, cpu_addr);
+        return Err(RebootReason::InvalidFdt);
+    }
+    let bus_end = bus_addr.checked_add(size).ok_or_else(|| {
+        error!("PCI address range size {:#x} too big", size);
+        RebootReason::InvalidFdt
+    })?;
+    Ok(bus_addr..bus_end)
+}
+
+/// Iterator that takes N cells as a chunk
+struct CellChunkIterator<'a, const N: usize> {
+    cells: CellIterator<'a>,
+}
+
+impl<'a, const N: usize> CellChunkIterator<'a, N> {
+    fn new(cells: CellIterator<'a>) -> Self {
+        Self { cells }
+    }
+}
+
+impl<'a, const N: usize> Iterator for CellChunkIterator<'a, N> {
+    type Item = [u32; N];
+    fn next(&mut self) -> Option<Self::Item> {
+        let mut ret: Self::Item = [0; N];
+        for i in ret.iter_mut() {
+            *i = self.cells.next()?;
+        }
+        Some(ret)
+    }
+}
+
+fn count_and_validate_pci_irq_masks(pci_node: &libfdt::FdtNode) -> Result<usize, RebootReason> {
+    const IRQ_MASK_CELLS: usize = 4;
+    const IRQ_MASK_ADDR_HI: u32 = 0xf800;
+    const IRQ_MASK_ADDR_ME: u32 = 0x0;
+    const IRQ_MASK_ADDR_LO: u32 = 0x0;
+    const IRQ_MASK_ANY_IRQ: u32 = 0x7;
+    const EXPECTED: [u32; IRQ_MASK_CELLS] =
+        [IRQ_MASK_ADDR_HI, IRQ_MASK_ADDR_ME, IRQ_MASK_ADDR_LO, IRQ_MASK_ANY_IRQ];
+    let name = CStr::from_bytes_with_nul(b"interrupt-map-mask\0").unwrap();
+    let mut irq_count: usize = 0;
+    for irq_mask in CellChunkIterator::<IRQ_MASK_CELLS>::new(
+        pci_node
+            .getprop_cells(name)
+            .map_err(|e| {
+                error!("Failed to read interrupt-map-mask property: {e}");
+                RebootReason::InvalidFdt
+            })?
+            .ok_or_else(|| {
+                error!("PCI node missing interrupt-map-mask property");
+                RebootReason::InvalidFdt
+            })?,
+    ) {
+        if irq_mask != EXPECTED {
+            error!("invalid irq mask {:?}", irq_mask);
+            return Err(RebootReason::InvalidFdt);
+        }
+        irq_count += 1;
+    }
+    Ok(irq_count)
+}
+
+fn validate_pci_irq_maps(pci_node: &libfdt::FdtNode) -> Result<(), RebootReason> {
+    const IRQ_MAP_CELLS: usize = 10;
+    const PCI_DEVICE_IDX: usize = 11;
+    const PCI_IRQ_ADDR_ME: u32 = 0;
+    const PCI_IRQ_ADDR_LO: u32 = 0;
+    const PCI_IRQ_INTC: u32 = 1;
+    const AARCH64_IRQ_BASE: u32 = 4; // from external/crosvm/aarch64/src/lib.rs
+    const GIC_SPI: u32 = 0;
+    const IRQ_TYPE_LEVEL_HIGH: u32 = 4;
+
+    let mut phys_hi: u32 = 0;
+    let mut irq_nr = AARCH64_IRQ_BASE;
+
+    let name = CStr::from_bytes_with_nul(b"interrupt-map\0").unwrap();
+    for irq_map in CellChunkIterator::<IRQ_MAP_CELLS>::new(
+        pci_node
+            .getprop_cells(name)
+            .map_err(|e| {
+                error!("Failed to read interrupt-map property: {e}");
+                RebootReason::InvalidFdt
+            })?
+            .ok_or_else(|| {
+                error!("PCI node missing interrupt-map property");
+                RebootReason::InvalidFdt
+            })?,
+    ) {
+        phys_hi += 0x1 << PCI_DEVICE_IDX;
+
+        let pci_addr = (irq_map[0], irq_map[1], irq_map[2]);
+        let pci_irq_number = irq_map[3];
+        let _controller_phandle = irq_map[4]; // skipped.
+        let gic_addr = (irq_map[5], irq_map[6]); // address-cells is <2> for GIC
+                                                 // interrupt-cells is <3> for GIC
+        let gic_peripheral_interrupt_type = irq_map[7];
+        let gic_irq_number = irq_map[8];
+        let gic_irq_type = irq_map[9];
+
+        let expected_pci_addr = (phys_hi, PCI_IRQ_ADDR_ME, PCI_IRQ_ADDR_LO);
+
+        if pci_addr != expected_pci_addr {
+            error!("PCI device address {:#x} {:#x} {:#x} in interrupt-map is different from expected address \
+                   {:#x} {:#x} {:#x}",
+                   pci_addr.0, pci_addr.1, pci_addr.2, expected_pci_addr.0, expected_pci_addr.1, expected_pci_addr.2);
+            return Err(RebootReason::InvalidFdt);
+        }
+        if pci_irq_number != PCI_IRQ_INTC {
+            error!(
+                "PCI INT# {:#x} in interrupt-map is different from expected value {:#x}",
+                pci_irq_number, PCI_IRQ_INTC
+            );
+            return Err(RebootReason::InvalidFdt);
+        }
+        if gic_addr != (0, 0) {
+            error!(
+                "GIC address {:#x} {:#x} in interrupt-map is different from expected address \
+                   {:#x} {:#x}",
+                gic_addr.0, gic_addr.1, 0, 0
+            );
+            return Err(RebootReason::InvalidFdt);
+        }
+        if gic_peripheral_interrupt_type != GIC_SPI {
+            error!("GIC peripheral interrupt type {:#x} in interrupt-map is different from expected value \
+                   {:#x}", gic_peripheral_interrupt_type, GIC_SPI);
+            return Err(RebootReason::InvalidFdt);
+        }
+        if gic_irq_number != irq_nr {
+            error!(
+                "GIC irq number {:#x} in interrupt-map is unexpected. Expected {:#x}",
+                gic_irq_number, irq_nr
+            );
+            return Err(RebootReason::InvalidFdt);
+        }
+        irq_nr += 1; // move to next irq
+        if gic_irq_type != IRQ_TYPE_LEVEL_HIGH {
+            error!(
+                "IRQ type in {:#x} is invalid. Must be LEVEL_HIGH {:#x}",
+                gic_irq_type, IRQ_TYPE_LEVEL_HIGH
+            );
+            return Err(RebootReason::InvalidFdt);
+        }
+    }
+    Ok(())
+}
+
+#[derive(Default, Debug)]
+#[allow(dead_code)] // TODO: remove this
+pub struct SerialInfo {
+    addrs: ArrayVec<[u64; Self::SERIAL_MAX_COUNT]>,
+}
+
+impl SerialInfo {
+    const SERIAL_MAX_COUNT: usize = 4;
+}
+
+fn parse_serial_nodes(fdt: &libfdt::Fdt) -> Result<SerialInfo, RebootReason> {
+    let mut ret: SerialInfo = Default::default();
+    for (i, node) in fdt
+        .compatible_nodes(CStr::from_bytes_with_nul(b"ns16550a\0").unwrap())
+        .map_err(|e| {
+            error!("Failed to read compatible nodes \"ns16550a\" from DT: {e}");
+            RebootReason::InvalidFdt
+        })?
+        .enumerate()
+    {
+        if i >= ret.addrs.capacity() {
+            error!("Too many serials: {i}");
+            return Err(RebootReason::InvalidFdt);
+        }
+        let reg = node
+            .reg()
+            .map_err(|e| {
+                error!("Failed to read reg property from \"ns16550a\" node: {e}");
+                RebootReason::InvalidFdt
+            })?
+            .ok_or_else(|| {
+                error!("No reg property in \"ns16550a\" node");
+                RebootReason::InvalidFdt
+            })?
+            .next()
+            .ok_or_else(|| {
+                error!("No value in reg property of \"ns16550a\" node");
+                RebootReason::InvalidFdt
+            })?;
+        ret.addrs.push(reg.addr);
+    }
+    Ok(ret)
+}
+
+#[derive(Debug)]
+#[allow(dead_code)] // TODO: remove this
+pub struct SwiotlbInfo {
+    size: u64,
+    align: u64,
+}
+
+fn parse_swiotlb_nodes(fdt: &libfdt::Fdt) -> Result<SwiotlbInfo, RebootReason> {
+    let node = fdt
+        .compatible_nodes(CStr::from_bytes_with_nul(b"restricted-dma-pool\0").unwrap())
+        .map_err(|e| {
+            error!("Failed to read compatible nodes \"restricted-dma-pool\" from DT: {e}");
+            RebootReason::InvalidFdt
+        })?
+        .next()
+        .ok_or_else(|| {
+            error!("No compatible node \"restricted-dma-pool\" in DT");
+            RebootReason::InvalidFdt
+        })?;
+    let size = node
+        .getprop_u64(CStr::from_bytes_with_nul(b"size\0").unwrap())
+        .map_err(|e| {
+            error!("Failed to read \"size\" property of \"restricted-dma-pool\": {e}");
+            RebootReason::InvalidFdt
+        })?
+        .ok_or_else(|| {
+            error!("No \"size\" property in \"restricted-dma-pool\"");
+            RebootReason::InvalidFdt
+        })?;
+
+    let align = node
+        .getprop_u64(CStr::from_bytes_with_nul(b"alignment\0").unwrap())
+        .map_err(|e| {
+            error!("Failed to read \"alignment\" property of \"restricted-dma-pool\": {e}");
+            RebootReason::InvalidFdt
+        })?
+        .ok_or_else(|| {
+            error!("No \"alignment\" property in \"restricted-dma-pool\"");
+            RebootReason::InvalidFdt
+        })?;
+
+    if size == 0 || (size % GUEST_PAGE_SIZE as u64) != 0 {
+        error!("Invalid swiotlb size {:#x}", size);
+        return Err(RebootReason::InvalidFdt);
+    }
+
+    if (align % GUEST_PAGE_SIZE as u64) != 0 {
+        error!("Invalid swiotlb alignment {:#x}", align);
+        return Err(RebootReason::InvalidFdt);
+    }
+
+    Ok(SwiotlbInfo { size, align })
+}
+
+#[derive(Debug)]
+#[allow(dead_code)] // TODO: remove this
+pub struct DeviceTreeInfo {
+    memory_size: NonZeroUsize,
+    num_cpu: NonZeroUsize,
+    pci_info: PciInfo,
+    serial_info: SerialInfo,
+    swiotlb_info: SwiotlbInfo,
+}
+
+impl DeviceTreeInfo {
+    const RAM_BASE_ADDR: u64 = 0x8000_0000;
+}
+
+pub fn parse_device_tree(fdt: &libfdt::Fdt) -> Result<DeviceTreeInfo, RebootReason> {
+    Ok(DeviceTreeInfo {
+        memory_size: parse_memory_node(fdt)?,
+        num_cpu: parse_cpu_nodes(fdt)?,
+        pci_info: parse_pci_nodes(fdt)?,
+        serial_info: parse_serial_nodes(fdt)?,
+        swiotlb_info: parse_swiotlb_nodes(fdt)?,
+    })
+}
+
 /// Modifies the input DT according to the fields of the configuration.
 pub fn modify_for_next_stage(
     fdt: &mut Fdt,
diff --git a/pvmfw/src/heap.rs b/pvmfw/src/heap.rs
index 435a6ff..eea2e98 100644
--- a/pvmfw/src/heap.rs
+++ b/pvmfw/src/heap.rs
@@ -53,7 +53,15 @@
 
 #[no_mangle]
 unsafe extern "C" fn malloc(size: usize) -> *mut c_void {
-    malloc_(size).map_or(ptr::null_mut(), |p| p.cast::<c_void>().as_ptr())
+    malloc_(size, false).map_or(ptr::null_mut(), |p| p.cast::<c_void>().as_ptr())
+}
+
+#[no_mangle]
+unsafe extern "C" fn calloc(nmemb: usize, size: usize) -> *mut c_void {
+    let Some(size) = nmemb.checked_mul(size) else {
+        return ptr::null_mut()
+    };
+    malloc_(size, true).map_or(ptr::null_mut(), |p| p.cast::<c_void>().as_ptr())
 }
 
 #[no_mangle]
@@ -67,9 +75,11 @@
     }
 }
 
-unsafe fn malloc_(size: usize) -> Option<NonNull<usize>> {
+unsafe fn malloc_(size: usize, zeroed: bool) -> Option<NonNull<usize>> {
     let size = NonZeroUsize::new(size)?.checked_add(mem::size_of::<usize>())?;
-    let ptr = HEAP_ALLOCATOR.alloc(malloc_layout(size)?);
+    let layout = malloc_layout(size)?;
+    let ptr =
+        if zeroed { HEAP_ALLOCATOR.alloc_zeroed(layout) } else { HEAP_ALLOCATOR.alloc(layout) };
     let ptr = NonNull::new(ptr)?.cast::<usize>().as_ptr();
     *ptr = size.get();
     NonNull::new(ptr.offset(1))
diff --git a/pvmfw/src/hvc.rs b/pvmfw/src/hvc.rs
index 319ff9d..08edd86 100644
--- a/pvmfw/src/hvc.rs
+++ b/pvmfw/src/hvc.rs
@@ -38,14 +38,14 @@
 /// Queries the memory protection parameters for a protected virtual machine.
 ///
 /// Returns the memory protection granule size in bytes.
-pub fn hyp_meminfo() -> smccc::Result<u64> {
+pub fn kvm_hyp_meminfo() -> smccc::Result<u64> {
     let args = [0u64; 17];
     checked_hvc64(ARM_SMCCC_KVM_FUNC_HYP_MEMINFO, args)
 }
 
 /// Shares a region of memory with the KVM host, granting it read, write and execute permissions.
 /// The size of the region is equal to the memory protection granule returned by [`hyp_meminfo`].
-pub fn mem_share(base_ipa: u64) -> smccc::Result<()> {
+pub fn kvm_mem_share(base_ipa: u64) -> smccc::Result<()> {
     let mut args = [0u64; 17];
     args[0] = base_ipa;
 
@@ -55,26 +55,26 @@
 /// Revokes access permission from the KVM host to a memory region previously shared with
 /// [`mem_share`]. The size of the region is equal to the memory protection granule returned by
 /// [`hyp_meminfo`].
-pub fn mem_unshare(base_ipa: u64) -> smccc::Result<()> {
+pub fn kvm_mem_unshare(base_ipa: u64) -> smccc::Result<()> {
     let mut args = [0u64; 17];
     args[0] = base_ipa;
 
     checked_hvc64_expect_zero(ARM_SMCCC_KVM_FUNC_MEM_UNSHARE, args)
 }
 
-pub fn mmio_guard_info() -> smccc::Result<u64> {
+pub fn kvm_mmio_guard_info() -> smccc::Result<u64> {
     let args = [0u64; 17];
 
     checked_hvc64(VENDOR_HYP_KVM_MMIO_GUARD_INFO_FUNC_ID, args)
 }
 
-pub fn mmio_guard_enroll() -> smccc::Result<()> {
+pub fn kvm_mmio_guard_enroll() -> smccc::Result<()> {
     let args = [0u64; 17];
 
     checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_ENROLL_FUNC_ID, args)
 }
 
-pub fn mmio_guard_map(ipa: u64) -> smccc::Result<()> {
+pub fn kvm_mmio_guard_map(ipa: u64) -> smccc::Result<()> {
     let mut args = [0u64; 17];
     args[0] = ipa;
 
@@ -94,7 +94,7 @@
     }
 }
 
-pub fn mmio_guard_unmap(ipa: u64) -> smccc::Result<()> {
+pub fn kvm_mmio_guard_unmap(ipa: u64) -> smccc::Result<()> {
     let mut args = [0u64; 17];
     args[0] = ipa;
 
diff --git a/pvmfw/src/hypervisor.rs b/pvmfw/src/hypervisor.rs
new file mode 100644
index 0000000..e06d809
--- /dev/null
+++ b/pvmfw/src/hypervisor.rs
@@ -0,0 +1,46 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Wrappers around hypervisor back-ends.
+
+use crate::hvc;
+use crate::smccc;
+
+pub fn hyp_meminfo() -> smccc::Result<u64> {
+    hvc::kvm_hyp_meminfo()
+}
+
+pub fn mem_share(base_ipa: u64) -> smccc::Result<()> {
+    hvc::kvm_mem_share(base_ipa)
+}
+
+pub fn mem_unshare(base_ipa: u64) -> smccc::Result<()> {
+    hvc::kvm_mem_unshare(base_ipa)
+}
+
+pub fn mmio_guard_info() -> smccc::Result<u64> {
+    hvc::kvm_mmio_guard_info()
+}
+
+pub fn mmio_guard_enroll() -> smccc::Result<()> {
+    hvc::kvm_mmio_guard_enroll()
+}
+
+pub fn mmio_guard_map(ipa: u64) -> smccc::Result<()> {
+    hvc::kvm_mmio_guard_map(ipa)
+}
+
+pub fn mmio_guard_unmap(ipa: u64) -> smccc::Result<()> {
+    hvc::kvm_mmio_guard_unmap(ipa)
+}
diff --git a/pvmfw/src/main.rs b/pvmfw/src/main.rs
index d89e718..e1ecac4 100644
--- a/pvmfw/src/main.rs
+++ b/pvmfw/src/main.rs
@@ -31,6 +31,7 @@
 mod heap;
 mod helpers;
 mod hvc;
+mod hypervisor;
 mod instance;
 mod memory;
 mod mmio_guard;
@@ -44,6 +45,7 @@
 use crate::dice::PartialInputs;
 use crate::entry::RebootReason;
 use crate::fdt::modify_for_next_stage;
+use crate::fdt::parse_device_tree;
 use crate::helpers::flush;
 use crate::helpers::GUEST_PAGE_SIZE;
 use crate::instance::get_or_generate_instance_salt;
@@ -82,6 +84,11 @@
     })?;
     trace!("BCC: {bcc_handover:x?}");
 
+    // This parsing step includes validation. So this effectively ensures that the DT can't be
+    // abused by the host to attack pvmfw in pci::initialize below.
+    let device_tree_info = parse_device_tree(fdt)?;
+    debug!("Device tree info: {:?}", device_tree_info);
+
     // Set up PCI bus for VirtIO devices.
     let pci_info = PciInfo::from_fdt(fdt).map_err(handle_pci_error)?;
     debug!("PCI: {:#x?}", pci_info);
diff --git a/pvmfw/src/memory.rs b/pvmfw/src/memory.rs
index 86fcd00..17dd36b 100644
--- a/pvmfw/src/memory.rs
+++ b/pvmfw/src/memory.rs
@@ -17,7 +17,7 @@
 #![deny(unsafe_op_in_unsafe_fn)]
 
 use crate::helpers::{self, align_down, align_up, page_4kb_of, SIZE_4KB};
-use crate::hvc::{hyp_meminfo, mem_share, mem_unshare};
+use crate::hypervisor::{hyp_meminfo, mem_share, mem_unshare};
 use crate::mmio_guard;
 use crate::mmu;
 use crate::smccc;
diff --git a/pvmfw/src/mmio_guard.rs b/pvmfw/src/mmio_guard.rs
index e5f376e..dac26e0 100644
--- a/pvmfw/src/mmio_guard.rs
+++ b/pvmfw/src/mmio_guard.rs
@@ -15,7 +15,7 @@
 //! Safe MMIO_GUARD support.
 
 use crate::helpers;
-use crate::hvc::{mmio_guard_enroll, mmio_guard_info, mmio_guard_map, mmio_guard_unmap};
+use crate::hypervisor::{mmio_guard_enroll, mmio_guard_info, mmio_guard_map, mmio_guard_unmap};
 use crate::smccc;
 use core::{fmt, result};
 
diff --git a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
index 1fa0afe..687756e 100644
--- a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
+++ b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
@@ -56,7 +56,6 @@
 import org.json.JSONObject;
 import org.junit.After;
 import org.junit.Before;
-import org.junit.Ignore;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TestName;
@@ -527,13 +526,14 @@
         return !result.trim().isEmpty();
     }
 
-    private boolean isTombstoneGeneratedWithCmd(String configPath, String... crashCommand)
-            throws Exception {
+    private boolean isTombstoneGeneratedWithCmd(
+            boolean protectedVm, String configPath, String... crashCommand) throws Exception {
         mMicrodroidDevice =
                 MicrodroidBuilder.fromDevicePath(getPathForPackage(PACKAGE_NAME), configPath)
                         .debugLevel("full")
                         .memoryMib(minMemorySize())
                         .cpuTopology("match_host")
+                        .protectedVm(protectedVm)
                         .build(getAndroidDevice());
         mMicrodroidDevice.waitForBootComplete(BOOT_COMPLETE_TIMEOUT);
         mMicrodroidDevice.enableAdbRoot();
@@ -552,6 +552,7 @@
     public void testTombstonesAreGeneratedUponUserspaceCrash() throws Exception {
         assertThat(
                         isTombstoneGeneratedWithCmd(
+                                false,
                                 "assets/vm_config.json",
                                 "kill",
                                 "-SIGSEGV",
@@ -563,6 +564,7 @@
     public void testTombstonesAreNotGeneratedIfNotExportedUponUserspaceCrash() throws Exception {
         assertThat(
                         isTombstoneGeneratedWithCmd(
+                                false,
                                 "assets/vm_config_no_tombstone.json",
                                 "kill",
                                 "-SIGSEGV",
@@ -570,17 +572,33 @@
                 .isFalse();
     }
 
-    @Test
-    @Ignore("b/243630590: Temporal workaround until lab devices has flashed new DPM")
-    public void testTombstonesAreGeneratedUponKernelCrash() throws Exception {
+    private void testTombstonesAreGeneratedUponKernelCrash(boolean protectedVm) throws Exception {
         assumeFalse("Cuttlefish is not supported", isCuttlefish());
         assumeFalse("Skipping test because ramdump is disabled on user build", isUserBuild());
         assertThat(
                         isTombstoneGeneratedWithCmd(
-                                "assets/vm_config.json", "echo", "c", ">", "/proc/sysrq-trigger"))
+                                protectedVm,
+                                "assets/vm_config.json",
+                                "echo",
+                                "c",
+                                ">",
+                                "/proc/sysrq-trigger"))
                 .isTrue();
     }
 
+    @Test
+    public void testTombstonesAreGeneratedUponKernelCrashOnNonPvm() throws Exception {
+        testTombstonesAreGeneratedUponKernelCrash(false);
+    }
+
+    @Test
+    public void testTombstonesAreGeneratedUponKernelCrashOnPvm() throws Exception {
+        assumeTrue(
+                "Protected VMs are not supported",
+                getAndroidDevice().supportsMicrodroid(/*protectedVm=*/ true));
+        testTombstonesAreGeneratedUponKernelCrash(true);
+    }
+
     private boolean isTombstoneGeneratedWithVmRunApp(boolean debuggable, String... additionalArgs)
             throws Exception {
         // we can't use microdroid builder as it wants ADB connection (debuggable)