Revert "Microdroid: Skip instance.img checks"
Revert submission 2982081
Reason for revert: There are failing tests that need to be updated first. Reverting for immediate mitigation.
Reverted changes: /q/submissionid:2982081
Change-Id: I20a97efe5fc78b709626c842c4f523f8003e9476
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index e8017e8..0d67632 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -42,7 +42,7 @@
use keystore2_crypto::ZVec;
use libc::VMADDR_CID_HOST;
use log::{error, info};
-use microdroid_metadata::{Metadata, PayloadMetadata};
+use microdroid_metadata::PayloadMetadata;
use microdroid_payload_config::{ApkConfig, OsConfig, Task, TaskType, VmPayloadConfig};
use nix::sys::signal::Signal;
use payload::load_metadata;
@@ -236,12 +236,16 @@
}
}
-fn verify_payload_with_instance_img(
- metadata: &Metadata,
- dice: &DiceDriver,
-) -> Result<MicrodroidData> {
+fn try_run_payload(
+ service: &Strong<dyn IVirtualMachineService>,
+ vm_payload_service_fd: OwnedFd,
+) -> Result<i32> {
+ let metadata = load_metadata().context("Failed to load payload metadata")?;
+ let dice = DiceDriver::new(Path::new("/dev/open-dice0")).context("Failed to load DICE")?;
+
let mut instance = InstanceDisk::new().context("Failed to load instance.img")?;
- let saved_data = instance.read_microdroid_data(dice).context("Failed to read identity data")?;
+ let saved_data =
+ instance.read_microdroid_data(&dice).context("Failed to read identity data")?;
if is_strict_boot() {
// Provisioning must happen on the first boot and never again.
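Review bot: The restored `try_run_payload` carries no doc comment, even though its opening lines now fix the trust flow for the whole boot: it loads the payload metadata, opens the DICE driver at `/dev/open-dice0`, reads the saved identity from instance.img, and under `is_strict_boot()` enforces that provisioning happens on the first boot only. A `///` comment on the signature would make that contract visible to the next reader, e.g. `/// Loads payload metadata and DICE, verifies the payload against the identity saved in instance.img (provisioning it on first boot only under strict boot), then presumably runs the payload and returns its status.` The body of `try_run_payload` continues past the end of this hunk, so the last clause should be checked against the rest of the function before it is written down as fact.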
@@ -261,7 +265,7 @@
}
// Verify the payload before using it.
- let extracted_data = verify_payload(metadata, saved_data.as_ref())
+ let extracted_data = verify_payload(&metadata, saved_data.as_ref())
.context("Payload verification failed")
.map_err(|e| MicrodroidError::PayloadVerificationFailed(e.to_string()))?;
@@ -285,28 +289,10 @@
} else {
info!("Saving verified data.");
instance
- .write_microdroid_data(&extracted_data, dice)
+ .write_microdroid_data(&extracted_data, &dice)
.context("Failed to write identity data")?;
extracted_data
};
- Ok(instance_data)
-}
-
-fn try_run_payload(
- service: &Strong<dyn IVirtualMachineService>,
- vm_payload_service_fd: OwnedFd,
-) -> Result<i32> {
- let metadata = load_metadata().context("Failed to load payload metadata")?;
- let dice = DiceDriver::new(Path::new("/dev/open-dice0")).context("Failed to load DICE")?;
-
- // TODO(b/291306122): Checking with host about Secretkeeper support multiple times introduces
- // a whole range of security vulnerability since host can give different answers. Guest should
- // check only once and the same answer should be known to pVM Firmware and Microdroid.
- let instance_data = if let Some(_sk) = vm_secret::is_sk_supported(service)? {
- verify_payload(&metadata, None)?
- } else {
- verify_payload_with_instance_img(&metadata, &dice)?
- };
let payload_metadata = metadata.payload.ok_or_else(|| {
MicrodroidError::PayloadInvalidConfig("No payload config in metadata".to_string())
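Review bot: Dropping the `is_sk_supported` branch also drops the TODO(b/291306122) note, so the security caveat it recorded — that the host's answer about Secretkeeper support must be obtained once and agree with what pVM firmware saw, because a host can answer differently per query — no longer appears anywhere in main.rs. Since the commit message presents this revert as an immediate mitigation rather than a design decision, a one-line pointer after the `};` that closes the `instance_data` binding on the new side would keep that context, e.g. `// TODO(b/291306122): instance.img is used unconditionally until the Secretkeeper-based path re-lands.` The only visible use of the `service` parameter was in the removed branch; if nothing in the rest of the function uses it, the build will warn about an unused parameter. The enclosing function continues beyond the end of this hunk.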
diff --git a/microdroid_manager/src/vm_secret.rs b/microdroid_manager/src/vm_secret.rs
index 7b65491..5ceedea 100644
--- a/microdroid_manager/src/vm_secret.rs
+++ b/microdroid_manager/src/vm_secret.rs
@@ -279,9 +279,9 @@
anyhow!("{:?}", err)
}
-/// Get the secretkeeper connection if supported. Host can be consulted whether the device supports
-/// secretkeeper but that should be used with caution for protected VM.
-pub fn is_sk_supported(
+// Get the secretkeeper connection if supported. Host can be consulted whether the device supports
+// secretkeeper but that should be used with caution for protected VM.
+fn is_sk_supported(
host: &Strong<dyn IVirtualMachineService>,
) -> Result<Option<Strong<dyn ISecretkeeper>>> {
let sk = if cfg!(llpvm_changes) {
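Review bot: The comment above `is_sk_supported` is turned back into plain `//` lines, which hides the protected-VM caveat from rustdoc; Rust accepts `///` on private items, so `/// Get the secretkeeper connection if supported. Host can be consulted whether the device supports` and its continuation line can stay doc comments even with the function no longer `pub`. With the function private and its only visible caller (in main.rs) removed by this revert, the change also assumes a caller remains inside vm_secret.rs; if there is none the build will warn about dead code, which is worth confirming. The body of `is_sk_supported` continues beyond the end of this hunk.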