CTS: Encrypted storage is inaccessible to diff VM
Test that encrypted storage of 1 pVM should not be accessible by a VM
with different identity.
Well, not really: the storage image of pvm1 (at least after first boot)
contains an encrypted filesystem, which should be nothing more than random
garbage to a different VM that tries to access it. encryptedstore will fail
to 'mount' this filesystem.
This is equivalent to testing that sealing key derived for a different
instance image is different.
Test: #encryptedStorageIsInaccessibleToDiffVm
Bug: 259233794
Change-Id: I54cc84d7e1a5949879dd9bc7268d3a0e801c7649
diff --git a/encryptedstore/src/main.rs b/encryptedstore/src/main.rs
index 2f54534..96c80db 100644
--- a/encryptedstore/src/main.rs
+++ b/encryptedstore/src/main.rs
@@ -46,6 +46,7 @@
let blkdevice = Path::new(matches.get_one::<String>("blkdevice").unwrap());
let key = matches.get_one::<String>("key").unwrap();
let mountpoint = Path::new(matches.get_one::<String>("mountpoint").unwrap());
+ // Note this error context is used in MicrodroidTests.
encryptedstore_init(blkdevice, key, mountpoint).context(format!(
"Unable to initialize encryptedstore on {:?} & mount at {:?}",
blkdevice, mountpoint
diff --git a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
index 9cafd68..984b10b 100644
--- a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
+++ b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
@@ -1303,6 +1303,65 @@
@Test
@CddTest(requirements = {"9.17/C-1-1", "9.17/C-2-1"})
+ public void encryptedStorageIsInaccessibleToDifferentVm() throws Exception {
+ assumeSupportedKernel();
+
+ VirtualMachineConfig config =
+ newVmConfigBuilder()
+ .setPayloadBinaryName("MicrodroidTestNativeLib.so")
+ .setMemoryBytes(minMemoryRequired())
+ .setEncryptedStorageBytes(4_000_000)
+ .setDebugLevel(DEBUG_LEVEL_FULL)
+ .setVmOutputCaptured(true)
+ .build();
+
+ VirtualMachine vm = forceCreateNewVirtualMachine("test_vm", config);
+
+ TestResults testResults =
+ runVmTestService(
+ vm,
+ (ts, tr) -> {
+ ts.writeToFile(
+ /* content= */ EXAMPLE_STRING,
+ /* path= */ "/mnt/encryptedstore/test_file");
+ });
+ assertThat(testResults.mException).isNull();
+
+ // Start a different vm (this changes the vm identity)
+ VirtualMachine diff_test_vm = forceCreateNewVirtualMachine("diff_test_vm", config);
+
+ // Replace the backing storage image to the original one
+ File storageImgOrig = getVmFile("test_vm", "storage.img");
+ File storageImgNew = getVmFile("diff_test_vm", "storage.img");
+ Files.copy(storageImgOrig.toPath(), storageImgNew.toPath(), REPLACE_EXISTING);
+ assertFileContentsAreEqualInTwoVms("storage.img", "test_vm", "diff_test_vm");
+
+ CompletableFuture<Boolean> onPayloadReadyExecuted = new CompletableFuture<>();
+ CompletableFuture<Boolean> onStoppedExecuted = new CompletableFuture<>();
+ VmEventListener listener =
+ new VmEventListener() {
+ @Override
+ public void onPayloadReady(VirtualMachine vm) {
+ onPayloadReadyExecuted.complete(true);
+ super.onPayloadReady(vm);
+ }
+
+ @Override
+ public void onStopped(VirtualMachine vm, int reason) {
+ onStoppedExecuted.complete(true);
+ super.onStopped(vm, reason);
+ }
+ };
+ listener.runToFinish(TAG, diff_test_vm);
+
+ // Assert that payload never started & logs contains encryptedstore initialization error
+ assertThat(onStoppedExecuted.getNow(false)).isTrue();
+ assertThat(onPayloadReadyExecuted.getNow(false)).isFalse();
+ assertThat(listener.getConsoleOutput()).contains("Unable to initialize encryptedstore");
+ }
+
+ @Test
+ @CddTest(requirements = {"9.17/C-1-1", "9.17/C-2-1"})
public void microdroidLauncherHasEmptyCapabilities() throws Exception {
assumeSupportedKernel();
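Review bot: The final assertion, `assertThat(listener.getConsoleOutput()).contains("Unable to initialize encryptedstore")`, is satisfied by any encryptedstore initialization failure, so the test can pass without showing that the second VM's key failed to open the copied image. That string is the outer context wrapped around `encryptedstore_init` in main.rs, which presumably covers device setup, formatting and mount errors alike. Consider capturing the stop reason in `onStopped` (for example `onStoppedReason.complete(reason)` on a `CompletableFuture<Integer>`) and asserting it, and adding a comment above the copy such as `// storage.img now holds test_vm's encrypted filesystem; diff_test_vm derives a different sealing key, so mounting must fail`. A control run that restarts `test_vm` on the same image and reads `test_file` back would rule out an unrelated init failure, if no existing test already covers that. The local `diff_test_vm` would also read better as `diffTestVm`, matching the camelCase locals around it.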