[avb] Test latest debug initrd passes the payload verification
Test: atest libpvmfw_avb.integration_test
Bug: 256148034
Change-Id: I929cb995390345d6addbf1f9432309f1ea96559f
diff --git a/pvmfw/avb/Android.bp b/pvmfw/avb/Android.bp
index 120a720..1c5e91a 100644
--- a/pvmfw/avb/Android.bp
+++ b/pvmfw/avb/Android.bp
@@ -34,6 +34,7 @@
":avb_testkey_rsa4096_pub_bin",
":microdroid_kernel_signed",
":microdroid_initrd_normal",
+ ":microdroid_initrd_debuggable",
":test_image_with_one_hashdesc",
":unsigned_test_image",
],
diff --git a/pvmfw/avb/tests/api_test.rs b/pvmfw/avb/tests/api_test.rs
index b48ea8b..a4e890e 100644
--- a/pvmfw/avb/tests/api_test.rs
+++ b/pvmfw/avb/tests/api_test.rs
@@ -21,6 +21,7 @@
const MICRODROID_KERNEL_IMG_PATH: &str = "microdroid_kernel";
const INITRD_NORMAL_IMG_PATH: &str = "microdroid_initrd_normal.img";
+const INITRD_DEBUG_IMG_PATH: &str = "microdroid_initrd_debuggable.img";
const TEST_IMG_WITH_ONE_HASHDESC_PATH: &str = "test_image_with_one_hashdesc.img";
const UNSIGNED_TEST_IMG_PATH: &str = "unsigned_test.img";
@@ -31,19 +32,27 @@
/// This test uses the Microdroid payload compiled on the fly to check that
/// the latest payload can be verified successfully.
#[test]
-fn latest_valid_payload_passes_verification() -> Result<()> {
- let kernel = load_latest_signed_kernel()?;
- let initrd_normal = fs::read(INITRD_NORMAL_IMG_PATH)?;
- let public_key = fs::read(PUBLIC_KEY_RSA4096_PATH)?;
+fn latest_normal_payload_passes_verification() -> Result<()> {
+ assert_payload_verification_succeeds(
+ &load_latest_signed_kernel()?,
+ &load_latest_initrd_normal()?,
+ &load_trusted_public_key()?,
+ )
+}
- assert_eq!(Ok(()), verify_payload(&kernel, Some(&initrd_normal[..]), &public_key));
- Ok(())
+#[test]
+fn latest_debug_payload_passes_verification() -> Result<()> {
+ assert_payload_verification_succeeds(
+ &load_latest_signed_kernel()?,
+ &load_latest_initrd_debug()?,
+ &load_trusted_public_key()?,
+ )
}
#[test]
fn payload_expecting_no_initrd_passes_verification_with_no_initrd() -> Result<()> {
let kernel = fs::read(TEST_IMG_WITH_ONE_HASHDESC_PATH)?;
- let public_key = fs::read(PUBLIC_KEY_RSA4096_PATH)?;
+ let public_key = load_trusted_public_key()?;
assert_eq!(Ok(()), verify_payload(&kernel, None, &public_key));
Ok(())
@@ -87,7 +96,7 @@
assert_payload_verification_fails(
&fs::read(UNSIGNED_TEST_IMG_PATH)?,
&load_latest_initrd_normal()?,
- &fs::read(PUBLIC_KEY_RSA4096_PATH)?,
+ &load_trusted_public_key()?,
AvbSlotVerifyError::Io,
)
}
@@ -100,7 +109,7 @@
assert_payload_verification_fails(
&kernel,
&load_latest_initrd_normal()?,
- &fs::read(PUBLIC_KEY_RSA4096_PATH)?,
+ &load_trusted_public_key()?,
AvbSlotVerifyError::Verification,
)
}
@@ -114,7 +123,7 @@
assert_payload_verification_fails(
&kernel,
&load_latest_initrd_normal()?,
- &fs::read(PUBLIC_KEY_RSA4096_PATH)?,
+ &load_trusted_public_key()?,
AvbSlotVerifyError::InvalidMetadata,
)
}
@@ -129,6 +138,15 @@
Ok(())
}
+fn assert_payload_verification_succeeds(
+ kernel: &[u8],
+ initrd: &[u8],
+ trusted_public_key: &[u8],
+) -> Result<()> {
+ assert_eq!(Ok(()), verify_payload(kernel, Some(initrd), trusted_public_key));
+ Ok(())
+}
+
fn load_latest_signed_kernel() -> Result<Vec<u8>> {
Ok(fs::read(MICRODROID_KERNEL_IMG_PATH)?)
}
@@ -136,3 +154,11 @@
fn load_latest_initrd_normal() -> Result<Vec<u8>> {
Ok(fs::read(INITRD_NORMAL_IMG_PATH)?)
}
+
+fn load_latest_initrd_debug() -> Result<Vec<u8>> {
+ Ok(fs::read(INITRD_DEBUG_IMG_PATH)?)
+}
+
+fn load_trusted_public_key() -> Result<Vec<u8>> {
+ Ok(fs::read(PUBLIC_KEY_RSA4096_PATH)?)
+}