| // Copyright 2022, The Android Open Source Project |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| //! pVM firmware. |
| |
| #![no_main] |
| #![no_std] |
| |
| extern crate alloc; |
| |
| mod bcc; |
| mod bootargs; |
| mod config; |
| mod device_assignment; |
| mod dice; |
| mod entry; |
| mod exceptions; |
| mod fdt; |
| mod gpt; |
| mod helpers; |
| mod instance; |
| mod memory; |
| |
| use crate::bcc::Bcc; |
| use crate::dice::PartialInputs; |
| use crate::entry::RebootReason; |
| use crate::fdt::modify_for_next_stage; |
| use crate::helpers::GUEST_PAGE_SIZE; |
| use crate::instance::EntryBody; |
| use crate::instance::Error as InstanceError; |
| use crate::instance::{get_recorded_entry, record_instance_entry}; |
| use alloc::borrow::Cow; |
| use alloc::boxed::Box; |
| use bssl_avf::Digester; |
| use core::ops::Range; |
| use cstr::cstr; |
| use diced_open_dice::{bcc_handover_parse, DiceArtifacts, Hidden}; |
| use fdtpci::{PciError, PciInfo}; |
| use libfdt::{Fdt, FdtNode}; |
| use log::{debug, error, info, trace, warn}; |
| use pvmfw_avb::verify_payload; |
| use pvmfw_avb::Capability; |
| use pvmfw_avb::DebugLevel; |
| use pvmfw_embedded_key::PUBLIC_KEY; |
| use vmbase::heap; |
| use vmbase::memory::flush; |
| use vmbase::memory::MEMORY; |
| use vmbase::rand; |
| use vmbase::virtio::pci; |
| |
| const NEXT_BCC_SIZE: usize = GUEST_PAGE_SIZE; |
| |
| fn main( |
| fdt: &mut Fdt, |
| signed_kernel: &[u8], |
| ramdisk: Option<&[u8]>, |
| current_bcc_handover: &[u8], |
| mut debug_policy: Option<&[u8]>, |
| ) -> Result<Range<usize>, RebootReason> { |
| info!("pVM firmware"); |
| debug!("FDT: {:?}", fdt.as_ptr()); |
| debug!("Signed kernel: {:?} ({:#x} bytes)", signed_kernel.as_ptr(), signed_kernel.len()); |
| debug!("AVB public key: addr={:?}, size={:#x} ({1})", PUBLIC_KEY.as_ptr(), PUBLIC_KEY.len()); |
| if let Some(rd) = ramdisk { |
| debug!("Ramdisk: {:?} ({:#x} bytes)", rd.as_ptr(), rd.len()); |
| } else { |
| debug!("Ramdisk: None"); |
| } |
| |
| let bcc_handover = bcc_handover_parse(current_bcc_handover).map_err(|e| { |
| error!("Invalid BCC Handover: {e:?}"); |
| RebootReason::InvalidBcc |
| })?; |
| trace!("BCC: {bcc_handover:x?}"); |
| |
| let cdi_seal = bcc_handover.cdi_seal(); |
| |
| let bcc = Bcc::new(bcc_handover.bcc()).map_err(|e| { |
| error!("{e}"); |
| RebootReason::InvalidBcc |
| })?; |
| |
| // The bootloader should never pass us a debug policy when the boot is secure (the bootloader |
| // is locked). If it gets it wrong, disregard it & log it, to avoid it causing problems. |
| if debug_policy.is_some() && !bcc.is_debug_mode() { |
| warn!("Ignoring debug policy, BCC does not indicate Debug mode"); |
| debug_policy = None; |
| } |
| |
| // Set up PCI bus for VirtIO devices. |
| let pci_info = PciInfo::from_fdt(fdt).map_err(handle_pci_error)?; |
| debug!("PCI: {:#x?}", pci_info); |
| let mut pci_root = pci::initialize(pci_info, MEMORY.lock().as_mut().unwrap()).map_err(|e| { |
| error!("Failed to initialize PCI: {e}"); |
| RebootReason::InternalError |
| })?; |
| |
| let verified_boot_data = verify_payload(signed_kernel, ramdisk, PUBLIC_KEY).map_err(|e| { |
| error!("Failed to verify the payload: {e}"); |
| RebootReason::PayloadVerificationError |
| })?; |
| let debuggable = verified_boot_data.debug_level != DebugLevel::None; |
| if debuggable { |
| info!("Successfully verified a debuggable payload."); |
| info!("Please disregard any previous libavb ERROR about initrd_normal."); |
| } |
| |
| let next_bcc = heap::aligned_boxed_slice(NEXT_BCC_SIZE, GUEST_PAGE_SIZE).ok_or_else(|| { |
| error!("Failed to allocate the next-stage BCC"); |
| RebootReason::InternalError |
| })?; |
| // By leaking the slice, its content will be left behind for the next stage. |
| let next_bcc = Box::leak(next_bcc); |
| |
| let dice_inputs = PartialInputs::new(&verified_boot_data).map_err(|e| { |
| error!("Failed to compute partial DICE inputs: {e:?}"); |
| RebootReason::InternalError |
| })?; |
| |
| let instance_hash = if cfg!(llpvm_changes) { Some(salt_from_instance_id(fdt)?) } else { None }; |
| let defer_rollback_protection = should_defer_rollback_protection(fdt)? |
| && verified_boot_data.has_capability(Capability::SecretkeeperProtection); |
| let (new_instance, salt) = if defer_rollback_protection { |
| info!("Guest OS is capable of Secretkeeper protection, deferring rollback protection"); |
| // rollback_index of the image is used as security_version and is expected to be > 0 to |
| // discourage implicit allocation. |
| if verified_boot_data.rollback_index == 0 { |
| error!("Expected positive rollback_index, found 0"); |
| return Err(RebootReason::InvalidPayload); |
| }; |
| (false, instance_hash.unwrap()) |
| } else if verified_boot_data.has_capability(Capability::RemoteAttest) { |
| info!("Service VM capable of remote attestation detected, performing version checks"); |
| if service_vm_version::VERSION != verified_boot_data.rollback_index { |
| // For RKP VM, we only boot if the version in the AVB footer of its kernel matches |
| // the one embedded in pvmfw at build time. |
| // This prevents the pvmfw from booting a roll backed RKP VM. |
| error!( |
| "Service VM version mismatch: expected {}, found {}", |
| service_vm_version::VERSION, |
| verified_boot_data.rollback_index |
| ); |
| return Err(RebootReason::InvalidPayload); |
| } |
| (false, instance_hash.unwrap()) |
| } else { |
| info!("Fallback to instance.img based rollback checks"); |
| let (recorded_entry, mut instance_img, header_index) = |
| get_recorded_entry(&mut pci_root, cdi_seal).map_err(|e| { |
| error!("Failed to get entry from instance.img: {e}"); |
| RebootReason::InternalError |
| })?; |
| let (new_instance, salt) = if let Some(entry) = recorded_entry { |
| check_dice_measurements_match_entry(&dice_inputs, &entry)?; |
| let salt = instance_hash.unwrap_or(entry.salt); |
| (false, salt) |
| } else { |
| // New instance! |
| let salt = instance_hash.map_or_else(rand::random_array, Ok).map_err(|e| { |
| error!("Failed to generated instance.img salt: {e}"); |
| RebootReason::InternalError |
| })?; |
| |
| let entry = EntryBody::new(&dice_inputs, &salt); |
| record_instance_entry(&entry, cdi_seal, &mut instance_img, header_index).map_err( |
| |e| { |
| error!("Failed to get recorded entry in instance.img: {e}"); |
| RebootReason::InternalError |
| }, |
| )?; |
| (true, salt) |
| }; |
| (new_instance, salt) |
| }; |
| trace!("Got salt for instance: {salt:x?}"); |
| |
| let new_bcc_handover = if cfg!(dice_changes) { |
| Cow::Borrowed(current_bcc_handover) |
| } else { |
| // It is possible that the DICE chain we were given is rooted in the UDS. We do not want to |
| // give such a chain to the payload, or even the associated CDIs. So remove the |
| // entire chain we were given and taint the CDIs. Note that the resulting CDIs are |
| // still deterministically derived from those we received, so will vary iff they do. |
| // TODO(b/280405545): Remove this post Android 14. |
| let truncated_bcc_handover = bcc::truncate(bcc_handover).map_err(|e| { |
| error!("{e}"); |
| RebootReason::InternalError |
| })?; |
| Cow::Owned(truncated_bcc_handover) |
| }; |
| |
| dice_inputs |
| .write_next_bcc( |
| new_bcc_handover.as_ref(), |
| &salt, |
| instance_hash, |
| defer_rollback_protection, |
| next_bcc, |
| ) |
| .map_err(|e| { |
| error!("Failed to derive next-stage DICE secrets: {e:?}"); |
| RebootReason::SecretDerivationError |
| })?; |
| flush(next_bcc); |
| |
| let kaslr_seed = u64::from_ne_bytes(rand::random_array().map_err(|e| { |
| error!("Failed to generated guest KASLR seed: {e}"); |
| RebootReason::InternalError |
| })?); |
| let strict_boot = true; |
| modify_for_next_stage( |
| fdt, |
| next_bcc, |
| new_instance, |
| strict_boot, |
| debug_policy, |
| debuggable, |
| kaslr_seed, |
| ) |
| .map_err(|e| { |
| error!("Failed to configure device tree: {e}"); |
| RebootReason::InternalError |
| })?; |
| |
| info!("Starting payload..."); |
| |
| let bcc_range = { |
| let r = next_bcc.as_ptr_range(); |
| (r.start as usize)..(r.end as usize) |
| }; |
| |
| Ok(bcc_range) |
| } |
| |
| fn check_dice_measurements_match_entry( |
| dice_inputs: &PartialInputs, |
| entry: &EntryBody, |
| ) -> Result<(), RebootReason> { |
| ensure_dice_measurements_match_entry(dice_inputs, entry).map_err(|e| { |
| error!( |
| "Dice measurements do not match recorded entry. \ |
| This may be because of update: {e}" |
| ); |
| RebootReason::InternalError |
| })?; |
| |
| Ok(()) |
| } |
| |
| fn ensure_dice_measurements_match_entry( |
| dice_inputs: &PartialInputs, |
| entry: &EntryBody, |
| ) -> Result<(), InstanceError> { |
| if entry.code_hash != dice_inputs.code_hash { |
| Err(InstanceError::RecordedCodeHashMismatch) |
| } else if entry.auth_hash != dice_inputs.auth_hash { |
| Err(InstanceError::RecordedAuthHashMismatch) |
| } else if entry.mode() != dice_inputs.mode { |
| Err(InstanceError::RecordedDiceModeMismatch) |
| } else { |
| Ok(()) |
| } |
| } |
| |
| // Get the "salt" which is one of the input for DICE derivation. |
| // This provides differentiation of secrets for different VM instances with same payloads. |
| fn salt_from_instance_id(fdt: &Fdt) -> Result<Hidden, RebootReason> { |
| let id = instance_id(fdt)?; |
| let salt = Digester::sha512() |
| .digest(&[&b"InstanceId:"[..], id].concat()) |
| .map_err(|e| { |
| error!("Failed to get digest of instance-id: {e}"); |
| RebootReason::InternalError |
| })? |
| .try_into() |
| .map_err(|_| RebootReason::InternalError)?; |
| Ok(salt) |
| } |
| |
| fn instance_id(fdt: &Fdt) -> Result<&[u8], RebootReason> { |
| let node = avf_untrusted_node(fdt)?; |
| let id = node.getprop(cstr!("instance-id")).map_err(|e| { |
| error!("Failed to get instance-id in DT: {e}"); |
| RebootReason::InvalidFdt |
| })?; |
| id.ok_or_else(|| { |
| error!("Missing instance-id"); |
| RebootReason::InvalidFdt |
| }) |
| } |
| |
| fn should_defer_rollback_protection(fdt: &Fdt) -> Result<bool, RebootReason> { |
| let node = avf_untrusted_node(fdt)?; |
| let defer_rbp = node |
| .getprop(cstr!("defer-rollback-protection")) |
| .map_err(|e| { |
| error!("Failed to get defer-rollback-protection property in DT: {e}"); |
| RebootReason::InvalidFdt |
| })? |
| .is_some(); |
| Ok(defer_rbp) |
| } |
| |
| fn avf_untrusted_node(fdt: &Fdt) -> Result<FdtNode, RebootReason> { |
| let node = fdt.node(cstr!("/avf/untrusted")).map_err(|e| { |
| error!("Failed to get /avf/untrusted node: {e}"); |
| RebootReason::InvalidFdt |
| })?; |
| node.ok_or_else(|| { |
| error!("/avf/untrusted node is missing in DT"); |
| RebootReason::InvalidFdt |
| }) |
| } |
| |
| /// Logs the given PCI error and returns the appropriate `RebootReason`. |
| fn handle_pci_error(e: PciError) -> RebootReason { |
| error!("{}", e); |
| match e { |
| PciError::FdtErrorPci(_) |
| | PciError::FdtNoPci |
| | PciError::FdtErrorReg(_) |
| | PciError::FdtMissingReg |
| | PciError::FdtRegEmpty |
| | PciError::FdtRegMissingSize |
| | PciError::CamWrongSize(_) |
| | PciError::FdtErrorRanges(_) |
| | PciError::FdtMissingRanges |
| | PciError::RangeAddressMismatch { .. } |
| | PciError::NoSuitableRange => RebootReason::InvalidFdt, |
| } |
| } |