Merge "pvmfw: Zeroize BCC before jumping to payload"
diff --git a/pvmfw/Android.bp b/pvmfw/Android.bp
index 4218fae..318c7fe 100644
--- a/pvmfw/Android.bp
+++ b/pvmfw/Android.bp
@@ -22,6 +22,7 @@
"libtinyvec_nostd",
"libvirtio_drivers",
"libvmbase",
+ "libzeroize_nostd",
],
apex_available: ["com.android.virt"],
}
diff --git a/pvmfw/src/entry.rs b/pvmfw/src/entry.rs
index 2763e80..45a8459 100644
--- a/pvmfw/src/entry.rs
+++ b/pvmfw/src/entry.rs
@@ -249,7 +249,7 @@
// This wrapper allows main() to be blissfully ignorant of platform details.
crate::main(slices.fdt, slices.kernel, slices.ramdisk, &bcc, &mut memory)?;
- // TODO: Overwrite BCC before jumping to payload to avoid leaking our sealing key.
+ helpers::flushed_zeroize(bcc_slice);
info!("Expecting a bug making MMIO_GUARD_UNMAP return NOT_SUPPORTED on success");
memory.mmio_unmap_all().map_err(|e| {
diff --git a/pvmfw/src/helpers.rs b/pvmfw/src/helpers.rs
index f1ff36d..d1b828a 100644
--- a/pvmfw/src/helpers.rs
+++ b/pvmfw/src/helpers.rs
@@ -15,6 +15,7 @@
//! Miscellaneous helper functions.
use core::arch::asm;
+use zeroize::Zeroize;
pub const SIZE_4KB: usize = 4 << 10;
pub const SIZE_2MB: usize = 2 << 20;
@@ -75,3 +76,10 @@
unsafe { asm!("dc cvau, {x}", x = in(reg) line) }
}
}
+
+#[inline]
+/// Overwrites the slice with zeroes, to the point of unification.
+pub fn flushed_zeroize(reg: &mut [u8]) {
+ reg.zeroize();
+ flush_region(reg.as_ptr() as usize, reg.len())
+}