commit 3722a60821e7ca54b55ead673b25c82421d5eccd
author Shikha Panwar <shikhapanwar@google.com> Thu Dec 05 18:21:39 2024 +0000
committer Shikha Panwar <shikhapanwar@google.com> Thu Dec 05 18:35:38 2024 +0000
tree fe9ca9a5d5257e72b72b0faed923d8364efdc42c
parent 73a36c714000825e515f374e0c7709a8dd07e57a

Non protected VM to use Secretkeeper

This ensures feature parity, more extensive testing.

Note on backward compatibility: Android can still run VM on devices with
no Secretkeeper by toggling `defer-rollback-protection`.

Test: atest MicrodroidTests#encryptedStorageIsPersistent
Bug: 382476448
Change-Id: Id16a9025170bae397631e68179681a1b759e8bc0

guest/microdroid_manager/src/vm_secret.rs

diff --git a/guest/microdroid_manager/src/vm_secret.rs b/guest/microdroid_manager/src/vm_secret.rs
index 1ad2d88..90330d8 100644
--- a/guest/microdroid_manager/src/vm_secret.rs
+++ b/guest/microdroid_manager/src/vm_secret.rs
@@ -98,27 +98,23 @@
 
         let explicit_dice = OwnedDiceArtifactsWithExplicitKey::from_owned_artifacts(dice_artifacts)
             .context("Failed to get Dice artifacts in explicit key format")?;
-        // For pVM, skp_secret are stored in Secretkeeper. For non-protected it is all 0s.
+        let sk_service = get_secretkeeper_service(vm_service)?;
+        let mut session =
+            SkSession::new(sk_service, &explicit_dice, Some(get_secretkeeper_identity()?))?;
+        let id = super::get_instance_id()?.ok_or(anyhow!("Missing instance_id"))?;
+        let explicit_dice_chain = explicit_dice
+            .explicit_key_dice_chain()
+            .ok_or(anyhow!("Missing explicit dice chain, this is unusual"))?;
+        let policy = sealing_policy(explicit_dice_chain)
+            .map_err(|e| anyhow!("Failed to build a sealing_policy: {e}"))?;
+
         let mut skp_secret = Zeroizing::new([0u8; SECRET_SIZE]);
-        if super::is_strict_boot() {
-            let sk_service = get_secretkeeper_service(vm_service)?;
-            let mut session =
-                SkSession::new(sk_service, &explicit_dice, Some(get_secretkeeper_identity()?))?;
-            let id = super::get_instance_id()?.ok_or(anyhow!("Missing instance_id"))?;
-            let explicit_dice_chain = explicit_dice
-                .explicit_key_dice_chain()
-                .ok_or(anyhow!("Missing explicit dice chain, this is unusual"))?;
-            let policy = sealing_policy(explicit_dice_chain)
-                .map_err(|e| anyhow!("Failed to build a sealing_policy: {e}"))?;
-            if let Some(secret) = get_secret(&mut session, id, Some(policy.clone()))? {
-                *skp_secret = secret;
-            } else {
-                log::warn!(
-                    "No entry found in Secretkeeper for this VM instance, creating new secret."
-                );
-                *skp_secret = rand::random();
-                store_secret(&mut session, id, skp_secret.clone(), policy)?;
-            }
+        if let Some(secret) = get_secret(&mut session, id, Some(policy.clone()))? {
+            *skp_secret = secret
+        } else {
+            log::warn!("No entry found in Secretkeeper for this VM instance, creating new secret.");
+            *skp_secret = rand::random();
+            store_secret(&mut session, id, skp_secret.clone(), policy)?;
         }
         Ok(Self::V2 {
             dice_artifacts: explicit_dice,