[avb] Collect kernel/initrd digests when verification succeeds

Bug: 265897559
Test: m pvmfw_img && atest libpvmfw_avb.integration_test
Change-Id: I6f281090d0f53464824d80e1348f4d099330ad31
diff --git a/pvmfw/src/main.rs b/pvmfw/src/main.rs
index eabdfe8..b343e7b 100644
--- a/pvmfw/src/main.rs
+++ b/pvmfw/src/main.rs
@@ -78,28 +78,11 @@
     let mut pci_root = pci::initialise(pci_info, memory)?;
     find_virtio_devices(&mut pci_root).map_err(handle_pci_error)?;
 
-    verify_payload(signed_kernel, ramdisk, PUBLIC_KEY).map_err(|e| {
+    let verified_boot_data = verify_payload(signed_kernel, ramdisk, PUBLIC_KEY).map_err(|e| {
         error!("Failed to verify the payload: {e}");
         RebootReason::PayloadVerificationError
     })?;
 
-    let debug_mode = false; // TODO(b/256148034): Derive the DICE mode from the received initrd.
-    const HASH_SIZE: usize = 64;
-    let mut hashes = [0; HASH_SIZE * 2]; // TODO(b/256148034): Extract AvbHashDescriptor digests.
-    hashes[..HASH_SIZE].copy_from_slice(&::dice::hash(signed_kernel).map_err(|_| {
-        error!("Failed to hash the kernel");
-        RebootReason::InternalError
-    })?);
-    // Note: Using signed_kernel currently makes the DICE code input depend on its VBMeta fields.
-    let code_hash = if let Some(rd) = ramdisk {
-        hashes[HASH_SIZE..].copy_from_slice(&::dice::hash(rd).map_err(|_| {
-            error!("Failed to hash the ramdisk");
-            RebootReason::InternalError
-        })?);
-        &hashes[..]
-    } else {
-        &hashes[..HASH_SIZE]
-    };
     let next_bcc = heap::aligned_boxed_slice(NEXT_BCC_SIZE, GUEST_PAGE_SIZE).ok_or_else(|| {
         error!("Failed to allocate the next-stage BCC");
         RebootReason::InternalError
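Review bot: The new `let verified_boot_data = verify_payload(...)` binding has no comment saying that it is now the only source of the code measurement for the next-stage BCC. The deleted block made the `ramdisk == None` case explicit by slicing `&hashes[..HASH_SIZE]`, so the zero-initialised second half never reached the DICE input. That guarantee now depends on what `verify_payload` returns for an absent initrd, which these lines do not show. I would add a comment above the binding, such as `// Digests are taken from the verified AVB descriptors; with no initrd there must be no initrd digest (not a zeroed one).`, and confirm that the integration test covers the kernel-only case. The enclosing function starts and ends outside this hunk.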
@@ -107,7 +90,7 @@
     // By leaking the slice, its content will be left behind for the next stage.
     let next_bcc = Box::leak(next_bcc);
     let next_bcc_size =
-        derive_next_bcc(bcc, next_bcc, code_hash, debug_mode, PUBLIC_KEY).map_err(|e| {
+        derive_next_bcc(bcc, next_bcc, &verified_boot_data, PUBLIC_KEY).map_err(|e| {
             error!("Failed to derive next-stage DICE secrets: {e:?}");
             RebootReason::SecretDerivationError
         })?;
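Review bot: The `derive_next_bcc` call no longer takes `debug_mode`, and the earlier hunk also deletes `TODO(b/256148034)` about deriving the DICE mode from the initrd, so these lines do not show how the mode is chosen now. The mode feeds the derived secrets, so the decision should stay traceable. If `derive_next_bcc` still uses a fixed mode, carry the TODO over there, e.g. `// TODO(b/256148034): Derive the DICE mode from the verified initrd.`. If it now reads the mode from `verified_boot_data`, a one-line comment at this call saying so would be enough. The enclosing function continues outside this hunk.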