[avb] Collect kernel/initrd digests when verification succeeds
Bug: 265897559
Test: m pvmfw_img && atest libpvmfw_avb.integration_test
Change-Id: I6f281090d0f53464824d80e1348f4d099330ad31
diff --git a/pvmfw/avb/tests/utils.rs b/pvmfw/avb/tests/utils.rs
index 0a2eac6..8756d06 100644
--- a/pvmfw/avb/tests/utils.rs
+++ b/pvmfw/avb/tests/utils.rs
@@ -16,12 +16,13 @@
//! Utility functions used by API tests.
-use anyhow::Result;
+use anyhow::{anyhow, Result};
use avb_bindgen::{
avb_footer_validate_and_byteswap, avb_vbmeta_image_header_to_host_byte_order, AvbFooter,
AvbVBMetaImageHeader,
};
-use pvmfw_avb::{verify_payload, AvbSlotVerifyError, DebugLevel};
+use openssl::sha;
+use pvmfw_avb::{verify_payload, AvbSlotVerifyError, DebugLevel, Digest};
use std::{
fs,
mem::{size_of, transmute, MaybeUninit},
@@ -34,22 +35,22 @@
pub const PUBLIC_KEY_RSA2048_PATH: &str = "data/testkey_rsa2048_pub.bin";
-pub fn assert_payload_verification_with_initrd_eq(
+pub fn assert_payload_verification_with_initrd_fails(
kernel: &[u8],
initrd: &[u8],
trusted_public_key: &[u8],
- expected_result: Result<DebugLevel, AvbSlotVerifyError>,
+ expected_error: AvbSlotVerifyError,
) -> Result<()> {
- assert_payload_verification_eq(kernel, Some(initrd), trusted_public_key, expected_result)
+ assert_payload_verification_fails(kernel, Some(initrd), trusted_public_key, expected_error)
}
-pub fn assert_payload_verification_eq(
+pub fn assert_payload_verification_fails(
kernel: &[u8],
initrd: Option<&[u8]>,
trusted_public_key: &[u8],
- expected_result: Result<DebugLevel, AvbSlotVerifyError>,
+ expected_error: AvbSlotVerifyError,
) -> Result<()> {
- assert_eq!(expected_result, verify_payload(kernel, initrd, trusted_public_key));
+ assert_eq!(expected_error, verify_payload(kernel, initrd, trusted_public_key).unwrap_err());
Ok(())
}
@@ -95,3 +96,34 @@
};
Ok(vbmeta_header)
}
+
+pub fn assert_latest_payload_verification_passes(
+ initrd: &[u8],
+ initrd_salt: &[u8],
+ expected_debug_level: DebugLevel,
+) -> Result<()> {
+ let kernel = load_latest_signed_kernel()?;
+ let verified_boot_data = verify_payload(&kernel, Some(initrd), &load_trusted_public_key()?)
+ .map_err(|e| anyhow!("Verification failed. Error: {}", e))?;
+
+ assert_eq!(expected_debug_level, verified_boot_data.debug_level);
+
+ let footer = extract_avb_footer(&kernel)?;
+ assert_eq!(
+ hash(&[&hash(&[b"bootloader"]), &kernel[..usize::try_from(footer.original_image_size)?]]),
+ verified_boot_data.kernel_digest,
+ "Kernel digest is not equal to the expected."
+ );
+ assert_eq!(
+ hash(&[&hash(&[initrd_salt]), initrd,]),
+ verified_boot_data.initrd_digest.unwrap(),
+ "initrd digest is not equal to the expected."
+ );
+ Ok(())
+}
+
+pub fn hash(inputs: &[&[u8]]) -> Digest {
+ let mut digester = sha::Sha256::new();
+ inputs.iter().for_each(|input| digester.update(input));
+ digester.finish()
+}