pvmfw: Support QTVMs through missing DICE handover
As pvmfw-in-QTVM receives configuration data that is dynamically
generated per VM by Gunyah's Resource Manager (RM) and as QTVM guests do
not rely on DICE, a missing DICE handover in the config data gets
interpreted as "QTVM mode", where AVB is skipped (because QTVMs rely on
TZ-enabled PIL verification) and RBP and DICE must be skipped as a
result, as they lack useful inputs.
This change should not affect other distributions of pvmfw, as the DICE
handover is mandatory and well-behaved pvmfw loaders (ABL) MUST provide
one, as per the requirements of Android 25Q2.
Test: m pvmfw
Bug: 393977894
Change-Id: I74c8b81b396ccb20f987ef152af72c73a213e3d6
diff --git a/guest/pvmfw/src/main.rs b/guest/pvmfw/src/main.rs
index d83df5c..db60849 100644
--- a/guest/pvmfw/src/main.rs
+++ b/guest/pvmfw/src/main.rs
@@ -80,7 +80,13 @@
debug_policy = None;
}
- let (verified_boot_data, debuggable, guest_page_size) = {
+ // Policy/Hidden ABI: If the pvmfw loader (typically ABL) didn't pass a DICE handover (which is
+ // technically still mandatory, as per the config data specification), skip DICE, AVB, and RBP.
+ // This is to support Qualcomm QTVMs, which perform guest image verification in TrustZone.
+ let (verified_boot_data, debuggable, guest_page_size) = if current_dice_handover.is_none() {
+ warn!("Verified boot is disabled!");
+ (None, false, SIZE_4KB)
+ } else {
let (dat, debug, sz) = perform_verified_boot(signed_kernel, ramdisk)?;
(Some(dat), debug, sz)
};
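Review bot: The `current_dice_handover.is_none()` branch turns the absence of a field the comment itself calls mandatory into a silent mode switch. Any loader that omits the handover, not only the QTVM path, gets `(None, false, SIZE_4KB)` and never reaches `perform_verified_boot`, with only a `warn!` as evidence. Consider gating this branch behind a build-time feature or an explicit platform indication, so that other pvmfw distributions keep failing closed when the handover is missing. The log message should also name the cause (missing DICE handover) rather than just "Verified boot is disabled!". The hardcoded `SIZE_4KB` guest page size and `debuggable = false` in this path also deserve a line in the comment explaining why those are the right values for QTVMs.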