pvmfw: Integrate verify_payload
Call the payload verification function that has until now been developed
in userspace, as part of libpvmfw_avb_nostd.
Bug: 256148034
Test: atest MicrodroidHostTests
Change-Id: I899084346156a341e91dc8dbf7f04093f8331925
diff --git a/pvmfw/Android.bp b/pvmfw/Android.bp
index ed3ef8d..f5e214e 100644
--- a/pvmfw/Android.bp
+++ b/pvmfw/Android.bp
@@ -18,6 +18,7 @@
"libfdtpci",
"liblibfdt",
"liblog_rust_nostd",
+ "libpvmfw_avb_nostd",
"libpvmfw_embedded_key",
"libtinyvec_nostd",
"libvirtio_drivers",
diff --git a/pvmfw/src/entry.rs b/pvmfw/src/entry.rs
index e979a95..1b35c79 100644
--- a/pvmfw/src/entry.rs
+++ b/pvmfw/src/entry.rs
@@ -47,7 +47,6 @@
/// The provided ramdisk was invalid.
InvalidRamdisk,
/// Failed to verify the payload.
- #[allow(dead_code)]
PayloadVerificationError,
}
diff --git a/pvmfw/src/main.rs b/pvmfw/src/main.rs
index 4d1ddfe..b0177bf 100644
--- a/pvmfw/src/main.rs
+++ b/pvmfw/src/main.rs
@@ -34,7 +34,7 @@
mod smccc;
use crate::{
- avb::PUBLIC_KEY, // Keep the public key here otherwise the signing script will be broken.
+ avb::PUBLIC_KEY,
entry::RebootReason,
memory::MemoryTracker,
pci::{find_virtio_devices, map_mmio},
@@ -43,6 +43,7 @@
use fdtpci::{PciError, PciInfo};
use libfdt::Fdt;
use log::{debug, error, info, trace};
+use pvmfw_avb::verify_payload;
fn main(
fdt: &Fdt,
@@ -71,6 +72,11 @@
let mut pci_root = unsafe { pci_info.make_pci_root() };
find_virtio_devices(&mut pci_root).map_err(handle_pci_error)?;
+ verify_payload(signed_kernel, PUBLIC_KEY).map_err(|e| {
+ error!("Failed to verify the payload: {e}");
+ RebootReason::PayloadVerificationError
+ })?;
+
info!("Starting payload...");
Ok(())
}
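Review bot: The added `verify_payload(signed_kernel, PUBLIC_KEY)` call authenticates only the kernel image, so any other input handed to the payload is still unverified when "Starting payload..." is logged. The `InvalidRamdisk` variant in entry.rs suggests a ramdisk is one such input, though main's parameter list and the start of its body lie outside this hunk, so this is inferred. If kernel-only coverage is intentional for this step, record it at the call site, e.g. `// TODO(b/256148034): only signed_kernel is verified; the ramdisk is still untrusted here.` The check also runs after `make_pci_root()` and `find_virtio_devices()`; unless verification depends on those devices, moving it ahead of PCI setup would reject a bad image before any host-provided device state is parsed.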