Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / 16fb8555e8a8e39a7339f7a29f2e3c4aea918d7d^! / . / compos / common
commit16fb8555e8a8e39a7339f7a29f2e3c4aea918d7d[log] [tgz]
authorAlan Stokes <alanstokes@google.com>Thu Feb 10 15:07:27 2022 +0000
committerAlan Stokes <alanstokes@google.com>Thu Feb 17 16:58:32 2022 +0000
treebb85000ec0f7df1fe64b933a211c77952ae82240
parentdcff1e7e2330ec7f83ad5e620aaa8c41d0663499 [diff]
Rewrite key management & signing

Extend compos_helper to support signing, use it from CompOS.

Expose the public key from the VM. Rename compos_verify_key to
compos_verify and get it to verify the signature against the current
instance's public key.

Also move DICE access to compos_key_main. There's no use having it in
the library - neither the tests nor compos_verify can use it - and it
complicates the build rules.

There's a lot more that can be deleted, but I'll do that in a
follow-up; this is big enough already.

Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I2d71f68a595d5ddadb2e7b16937fa6855f5db0ab

diff --git a/compos/common/compos_client.rs b/compos/common/compos_client.rs
index b754ba7..dcacb0f 100644
--- a/compos/common/compos_client.rs
+++ b/compos/common/compos_client.rs

@@ -114,6 +114,7 @@
             let log_fd = ParcelFileDescriptor::new(log_fd);
             // Full debug is not available in a protected VM
             let debug_level = if protected_vm { DebugLevel::APP_ONLY } else { DebugLevel::FULL };
+            info!("Debug mode is {:?}", debug_level);
             (Some(console_fd), Some(log_fd), debug_level)
         } else {
             (None, None, DebugLevel::NONE)

diff --git a/compos/common/odrefresh.rs b/compos/common/odrefresh.rs
index 7fe6ed5..390e50c 100644
--- a/compos/common/odrefresh.rs
+++ b/compos/common/odrefresh.rs

@@ -23,6 +23,18 @@
 /// The path to the odrefresh binary
 pub const ODREFRESH_PATH: &str = "/apex/com.android.art/bin/odrefresh";
 
+/// The path under which odrefresh writes compiled artifacts
+pub const ODREFRESH_OUTPUT_ROOT_DIR: &str = "/data/misc/apexdata/com.android.art";
+
+/// The directory under ODREFRESH_OUTPUT_ROOT_DIR where pending artifacts are written
+pub const PENDING_ARTIFACTS_SUBDIR: &str = "compos-pending";
+
+/// The directory under ODREFRESH_OUTPUT_ROOT_DIR where test artifacts are written
+pub const TEST_ARTIFACTS_SUBDIR: &str = "test-artifacts";
+
+/// The directory under ODREFRESH_OUTPUT_ROOT_DIR where the current (active) artifacts are stored
+pub const CURRENT_ARTIFACTS_SUBDIR: &str = "dalvik-cache";
+
 // The highest "standard" exit code defined in sysexits.h (as EX__MAX); odrefresh error codes
 // start above here to avoid clashing.
 // TODO: What if this changes?

diff --git a/compos/common/timeouts.rs b/compos/common/timeouts.rs
index e6cc430..b3ec1e5 100644
--- a/compos/common/timeouts.rs
+++ b/compos/common/timeouts.rs

@@ -56,7 +56,7 @@
     // Note: the source of truth for these odrefresh timeouts is art/odrefresh/odr_config.h.
     odrefresh_max_execution_time: Duration::from_secs(300),
     odrefresh_max_child_process_time: Duration::from_secs(90),
-    vm_max_time_to_ready: Duration::from_secs(15),
+    vm_max_time_to_ready: Duration::from_secs(20),
 };
 
 /// The timeouts that we use when need_extra_time() returns true.