Merge "[VirtMgr] Allow host-controlled avf/untrusted prop" into main
diff --git a/Android.bp b/Android.bp
index 696a963..717c902 100644
--- a/Android.bp
+++ b/Android.bp
@@ -14,6 +14,7 @@
// limitations under the License.
package {
+ default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
@@ -62,6 +63,27 @@
},
}
+soong_config_module_type {
+ name: "avf_flag_aware_cc_defaults",
+ module_type: "cc_defaults",
+ config_namespace: "ANDROID",
+ bool_variables: [
+ "release_avf_enable_virt_cpufreq",
+ ],
+ properties: [
+ "cflags",
+ ],
+}
+
+avf_flag_aware_cc_defaults {
+ name: "avf_build_flags_cc",
+ soong_config_variables: {
+ release_avf_enable_virt_cpufreq: {
+ cflags: ["-DAVF_ENABLE_VIRT_CPUFREQ=1"],
+ },
+ },
+}
+
genrule_defaults {
name: "dts_to_dtb",
tools: ["dtc"],
diff --git a/apex/Android.bp b/apex/Android.bp
index 7c45cc5..7cc0414 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -32,7 +32,26 @@
},
}
-apex_defaults {
+soong_config_module_type {
+ name: "avf_flag_aware_apex_defaults",
+ module_type: "apex_defaults",
+ config_namespace: "ANDROID",
+ bool_variables: [
+ "release_avf_enable_device_assignment",
+ "release_avf_enable_llpvm_changes",
+ "release_avf_enable_remote_attestation",
+ "release_avf_enable_vendor_modules",
+ ],
+ properties: [
+ "androidManifest",
+ "arch",
+ "prebuilts",
+ "systemserverclasspath_fragments",
+ "vintf_fragments",
+ ],
+}
+
+avf_flag_aware_apex_defaults {
name: "com.android.virt_common",
// TODO(jiyong): make it updatable
updatable: false,
@@ -65,22 +84,13 @@
"libsso",
"libutils",
],
-}
-
-soong_config_module_type {
- name: "avf_flag_aware_apex_defaults",
- module_type: "apex_defaults",
- config_namespace: "ANDROID",
- bool_variables: [
- "release_avf_enable_device_assignment",
- "release_avf_enable_remote_attestation",
- "release_avf_enable_vendor_modules",
- ],
- properties: [
- "arch",
- "prebuilts",
- "vintf_fragments",
- ],
+ soong_config_variables: {
+ release_avf_enable_llpvm_changes: {
+ systemserverclasspath_fragments: [
+ "com.android.virt-systemserver-fragment",
+ ],
+ },
+ },
}
avf_flag_aware_apex_defaults {
@@ -143,6 +153,9 @@
},
},
},
+ release_avf_enable_llpvm_changes: {
+ androidManifest: "AndroidManifest.xml",
+ },
release_avf_enable_vendor_modules: {
prebuilts: [
"microdroid_gki-android14-6.1_initrd_debuggable",
@@ -322,3 +335,29 @@
],
},
}
+
+soong_config_module_type {
+ name: "avf_flag_aware_systemserverclasspath_fragment",
+ module_type: "systemserverclasspath_fragment",
+ config_namespace: "ANDROID",
+ bool_variables: [
+ "release_avf_enable_llpvm_changes",
+ ],
+ properties: [
+ "enabled",
+ ],
+}
+
+avf_flag_aware_systemserverclasspath_fragment {
+ name: "com.android.virt-systemserver-fragment",
+ contents: [
+ "service-virtualization",
+ ],
+ apex_available: ["com.android.virt"],
+ enabled: false,
+ soong_config_variables: {
+ release_avf_enable_llpvm_changes: {
+ enabled: true,
+ },
+ },
+}
diff --git a/apex/AndroidManifest.xml b/apex/AndroidManifest.xml
new file mode 100644
index 0000000..be52f42
--- /dev/null
+++ b/apex/AndroidManifest.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ * Copyright 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.virt">
+ <!-- APEX does not have classes.dex -->
+ <application android:hasCode="false">
+ <apex-system-service
+ android:name="com.android.system.virtualmachine.VirtualizationSystemService"
+ />
+ </application>
+</manifest>
diff --git a/apex/empty-payload-apk/Android.bp b/apex/empty-payload-apk/Android.bp
index 8bd138f..01bf795 100644
--- a/apex/empty-payload-apk/Android.bp
+++ b/apex/empty-payload-apk/Android.bp
@@ -17,6 +17,7 @@
cc_library {
name: "MicrodroidEmptyPayloadJniLib",
+ defaults: ["avf_build_flags_cc"],
srcs: ["empty_binary.cpp"],
shared_libs: ["libvm_payload#current"],
installable: true,
diff --git a/apex/product_packages.mk b/apex/product_packages.mk
index 4c03836..a318817 100644
--- a/apex/product_packages.mk
+++ b/apex/product_packages.mk
@@ -44,3 +44,15 @@
$(error RELEASE_AVF_ENABLE_VENDOR_MODULES must also be enabled)
endif
endif
+
+ifdef RELEASE_AVF_ENABLE_LLPVM_CHANGES
+ ifndef RELEASE_AVF_ENABLE_DICE_CHANGES
+ $(error RELEASE_AVF_ENABLE_DICE_CHANGES must also be enabled)
+ endif
+endif
+
+ifdef RELEASE_AVF_ENABLE_REMOTE_ATTESTATION
+ ifndef RELEASE_AVF_ENABLE_DICE_CHANGES
+ $(error RELEASE_AVF_ENABLE_DICE_CHANGES must also be enabled)
+ endif
+endif
diff --git a/authfs/fd_server/src/aidl.rs b/authfs/fd_server/src/aidl.rs
index ada3ffb..8edd899 100644
--- a/authfs/fd_server/src/aidl.rs
+++ b/authfs/fd_server/src/aidl.rs
@@ -375,6 +375,10 @@
}
}
+// FFI types like `c_long` vary on 32/64-bit, and the check is only needed on
+// 64-bit conversions. Fixing this lint makes the code less readable.
+#[allow(unknown_lints)]
+#[allow(clippy::unnecessary_fallible_conversions)]
fn try_into_fs_stat(st: Statvfs) -> Result<FsStat, std::num::TryFromIntError> {
Ok(FsStat {
blockSize: st.block_size().try_into()?,
diff --git a/authfs/tests/benchmarks/Android.bp b/authfs/tests/benchmarks/Android.bp
index cea5a81..93ba41a 100644
--- a/authfs/tests/benchmarks/Android.bp
+++ b/authfs/tests/benchmarks/Android.bp
@@ -28,6 +28,7 @@
cc_binary {
name: "measure_io",
+ defaults: ["avf_build_flags_cc"],
srcs: [
"src/measure_io.cpp",
],
diff --git a/authfs/tests/common/src/open_then_run.rs b/authfs/tests/common/src/open_then_run.rs
index 6d828e4..a976784 100644
--- a/authfs/tests/common/src/open_then_run.rs
+++ b/authfs/tests/common/src/open_then_run.rs
@@ -161,7 +161,7 @@
android_logger::init_once(
android_logger::Config::default()
.with_tag("open_then_run")
- .with_min_level(log::Level::Debug),
+ .with_max_level(log::LevelFilter::Debug),
);
if let Err(e) = try_main() {
diff --git a/compos/apex/composd.rc b/compos/apex/composd.rc
index df04642..55f3737 100644
--- a/compos/apex/composd.rc
+++ b/compos/apex/composd.rc
@@ -19,10 +19,7 @@
interface aidl android.system.composd
disabled
oneshot
- # Explicitly specify empty capabilities, otherwise composd will inherit all
- # the capabilities from init.
- # Note: whether a process can use capabilities is controlled by SELinux, so
- # inheriting all the capabilities from init is not a security issue.
- # However, for defense-in-depth and just for the sake of bookkeeping it's
- # better to explicitly state that composd doesn't need any capabilities.
- capabilities
+ # We need SYS_NICE in order to allow the crosvm child process to use it.
+ # (b/322197421). composd itself never uses it (and isn't allowed to by
+ # SELinux).
+ capabilities SYS_NICE
diff --git a/compos/compos_key_helper/Android.bp b/compos/compos_key_helper/Android.bp
index f8dc783..4d86780 100644
--- a/compos/compos_key_helper/Android.bp
+++ b/compos/compos_key_helper/Android.bp
@@ -4,6 +4,7 @@
cc_defaults {
name: "compos_key_defaults",
+ defaults: ["avf_build_flags_cc"],
apex_available: ["com.android.compos"],
shared_libs: [
diff --git a/compos/verify/native/Android.bp b/compos/verify/native/Android.bp
index 438d93a..695d28b 100644
--- a/compos/verify/native/Android.bp
+++ b/compos/verify/native/Android.bp
@@ -24,6 +24,7 @@
cc_library_static {
name: "libcompos_verify_native_cpp",
+ defaults: ["avf_build_flags_cc"],
srcs: ["verify_native.cpp"],
static_libs: ["libcompos_key"],
shared_libs: [
diff --git a/demo_native/Android.bp b/demo_native/Android.bp
index 901f829..7ac0e61 100644
--- a/demo_native/Android.bp
+++ b/demo_native/Android.bp
@@ -4,6 +4,7 @@
cc_binary {
name: "vm_demo_native",
+ defaults: ["avf_build_flags_cc"],
srcs: ["main.cpp"],
static_libs: [
"libbase",
diff --git a/javalib/api/test-current.txt b/javalib/api/test-current.txt
index 958005f..5aff93f 100644
--- a/javalib/api/test-current.txt
+++ b/javalib/api/test-current.txt
@@ -7,12 +7,14 @@
}
public final class VirtualMachineConfig {
+ method @FlaggedApi("RELEASE_AVF_ENABLE_MULTI_TENANT_MICRODROID_VM") @NonNull public java.util.List<java.lang.String> getExtraApks();
method @FlaggedApi("RELEASE_AVF_ENABLE_VENDOR_MODULES") @Nullable public String getOs();
method @Nullable public String getPayloadConfigPath();
method public boolean isVmConsoleInputSupported();
}
public static final class VirtualMachineConfig.Builder {
+ method @FlaggedApi("RELEASE_AVF_ENABLE_MULTI_TENANT_MICRODROID_VM") @NonNull public android.system.virtualmachine.VirtualMachineConfig.Builder addExtraApk(@NonNull String);
method @FlaggedApi("RELEASE_AVF_ENABLE_VENDOR_MODULES") @NonNull public android.system.virtualmachine.VirtualMachineConfig.Builder setOs(@NonNull String);
method @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setPayloadConfigPath(@NonNull String);
method @FlaggedApi("RELEASE_AVF_ENABLE_VENDOR_MODULES") @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setVendorDiskImage(@NonNull java.io.File);
diff --git a/javalib/jni/Android.bp b/javalib/jni/Android.bp
index e82b2ce..74a1766 100644
--- a/javalib/jni/Android.bp
+++ b/javalib/jni/Android.bp
@@ -4,6 +4,7 @@
cc_library_shared {
name: "libvirtualizationservice_jni",
+ defaults: ["avf_build_flags_cc"],
srcs: [
"android_system_virtualmachine_VirtualizationService.cpp",
],
@@ -19,6 +20,7 @@
cc_library_shared {
name: "libvirtualmachine_jni",
+ defaults: ["avf_build_flags_cc"],
srcs: [
"android_system_virtualmachine_VirtualMachine.cpp",
],
diff --git a/javalib/service/Android.bp b/javalib/service/Android.bp
new file mode 100644
index 0000000..9c1fa01
--- /dev/null
+++ b/javalib/service/Android.bp
@@ -0,0 +1,30 @@
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+java_library {
+ name: "service-virtualization",
+ srcs: [
+ "src/**/*.java",
+ ],
+ defaults: [
+ "framework-system-server-module-defaults",
+ ],
+ sdk_version: "system_server_current",
+ apex_available: ["com.android.virt"],
+ installable: true,
+}
diff --git a/javalib/service/src/com/android/system/virtualmachine/VirtualizationSystemService.java b/javalib/service/src/com/android/system/virtualmachine/VirtualizationSystemService.java
new file mode 100644
index 0000000..2905acd
--- /dev/null
+++ b/javalib/service/src/com/android/system/virtualmachine/VirtualizationSystemService.java
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.system.virtualmachine;
+
+import android.content.Context;
+import com.android.server.SystemService;
+
+/** TODO */
+public class VirtualizationSystemService extends SystemService {
+
+ public VirtualizationSystemService(Context context) {
+ super(context);
+ }
+
+ @Override
+ public void onStart() {}
+}
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachine.java b/javalib/src/android/system/virtualmachine/VirtualMachine.java
index 16f9631..5025e88 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachine.java
+++ b/javalib/src/android/system/virtualmachine/VirtualMachine.java
@@ -54,6 +54,8 @@
import android.annotation.WorkerThread;
import android.content.ComponentCallbacks2;
import android.content.Context;
+import android.content.pm.ApplicationInfo;
+import android.content.pm.PackageManager;
import android.content.res.Configuration;
import android.os.Binder;
import android.os.IBinder;
@@ -76,7 +78,6 @@
import java.io.File;
import java.io.FileInputStream;
-import java.io.FileOutputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
@@ -807,10 +808,30 @@
createVmInputPipes();
}
+ VirtualMachineConfig vmConfig = getConfig();
VirtualMachineAppConfig appConfig =
- getConfig().toVsConfig(mContext.getPackageManager());
+ vmConfig.toVsConfig(mContext.getPackageManager());
appConfig.name = mName;
+ if (!vmConfig.getExtraApks().isEmpty()) {
+ // Extra APKs were specified directly, rather than via config file.
+ // We've already populated the file names for the extra APKs and IDSigs
+ // (via setupExtraApks). But we also need to open the APK files and add
+ // fds for them to the payload config.
+ // This isn't needed when the extra APKs are specified in a config file - then
+ // Virtualization Manager opens them itself.
+ List<ParcelFileDescriptor> extraApkFiles = new ArrayList<>(mExtraApks.size());
+ for (ExtraApkSpec extraApk : mExtraApks) {
+ try {
+ extraApkFiles.add(
+ ParcelFileDescriptor.open(extraApk.apk, MODE_READ_ONLY));
+ } catch (FileNotFoundException e) {
+ throw new VirtualMachineException("Failed to open extra APK", e);
+ }
+ }
+ appConfig.payload.getPayloadConfig().extraApks = extraApkFiles;
+ }
+
try {
createIdSigs(service, appConfig);
} catch (FileNotFoundException e) {
@@ -1239,6 +1260,46 @@
return result.toString();
}
+ /**
+ * Reads the payload config inside the application, parses extra APK information, and then
+ * creates corresponding idsig file paths.
+ */
+ private static List<ExtraApkSpec> setupExtraApks(
+ @NonNull Context context, @NonNull VirtualMachineConfig config, @NonNull File vmDir)
+ throws VirtualMachineException {
+ String configPath = config.getPayloadConfigPath();
+ List<String> extraApks = config.getExtraApks();
+ if (configPath != null) {
+ return setupExtraApksFromConfigFile(context, vmDir, configPath);
+ } else if (!extraApks.isEmpty()) {
+ return setupExtraApksFromList(context, vmDir, extraApks);
+ } else {
+ return Collections.emptyList();
+ }
+ }
+
+ private static List<ExtraApkSpec> setupExtraApksFromConfigFile(
+ Context context, File vmDir, String configPath) throws VirtualMachineException {
+ try (ZipFile zipFile = new ZipFile(context.getPackageCodePath())) {
+ InputStream inputStream = zipFile.getInputStream(zipFile.getEntry(configPath));
+ List<String> apkList =
+ parseExtraApkListFromPayloadConfig(
+ new JsonReader(new InputStreamReader(inputStream)));
+
+ List<ExtraApkSpec> extraApks = new ArrayList<>(apkList.size());
+ for (int i = 0; i < apkList.size(); ++i) {
+ extraApks.add(
+ new ExtraApkSpec(
+ new File(apkList.get(i)),
+ new File(vmDir, EXTRA_IDSIG_FILE_PREFIX + i)));
+ }
+
+ return extraApks;
+ } catch (IOException e) {
+ throw new VirtualMachineException("Couldn't parse extra apks from the vm config", e);
+ }
+ }
+
private static List<String> parseExtraApkListFromPayloadConfig(JsonReader reader)
throws VirtualMachineException {
/*
@@ -1275,36 +1336,28 @@
}
}
- /**
- * Reads the payload config inside the application, parses extra APK information, and then
- * creates corresponding idsig file paths.
- */
- private static List<ExtraApkSpec> setupExtraApks(
- @NonNull Context context, @NonNull VirtualMachineConfig config, @NonNull File vmDir)
- throws VirtualMachineException {
- String configPath = config.getPayloadConfigPath();
- if (configPath == null) {
- return Collections.emptyList();
- }
- try (ZipFile zipFile = new ZipFile(context.getPackageCodePath())) {
- InputStream inputStream =
- zipFile.getInputStream(zipFile.getEntry(configPath));
- List<String> apkList =
- parseExtraApkListFromPayloadConfig(
- new JsonReader(new InputStreamReader(inputStream)));
-
- List<ExtraApkSpec> extraApks = new ArrayList<>();
- for (int i = 0; i < apkList.size(); ++i) {
- extraApks.add(
- new ExtraApkSpec(
- new File(apkList.get(i)),
- new File(vmDir, EXTRA_IDSIG_FILE_PREFIX + i)));
+ private static List<ExtraApkSpec> setupExtraApksFromList(
+ Context context, File vmDir, List<String> extraApkInfo) throws VirtualMachineException {
+ int count = extraApkInfo.size();
+ List<ExtraApkSpec> extraApks = new ArrayList<>(count);
+ for (int i = 0; i < count; i++) {
+ String packageName = extraApkInfo.get(i);
+ ApplicationInfo appInfo;
+ try {
+ appInfo =
+ context.getPackageManager()
+ .getApplicationInfo(
+ packageName, PackageManager.ApplicationInfoFlags.of(0));
+ } catch (PackageManager.NameNotFoundException e) {
+ throw new VirtualMachineException("Extra APK package not found", e);
}
- return Collections.unmodifiableList(extraApks);
- } catch (IOException e) {
- throw new VirtualMachineException("Couldn't parse extra apks from the vm config", e);
+ extraApks.add(
+ new ExtraApkSpec(
+ new File(appInfo.sourceDir),
+ new File(vmDir, EXTRA_IDSIG_FILE_PREFIX + i)));
}
+ return extraApks;
}
private void importInstanceFrom(@NonNull ParcelFileDescriptor instanceFd)
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java b/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
index e8ef195..9688789 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
+++ b/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
@@ -49,7 +49,10 @@
import java.io.OutputStream;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
+import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collections;
+import java.util.List;
import java.util.Objects;
import java.util.zip.ZipFile;
@@ -67,7 +70,7 @@
private static String[] EMPTY_STRING_ARRAY = {};
// These define the schema of the config file persisted on disk.
- private static final int VERSION = 7;
+ private static final int VERSION = 8;
private static final String KEY_VERSION = "version";
private static final String KEY_PACKAGENAME = "packageName";
private static final String KEY_APKPATH = "apkPath";
@@ -82,6 +85,7 @@
private static final String KEY_VM_CONSOLE_INPUT_SUPPORTED = "vmConsoleInputSupported";
private static final String KEY_VENDOR_DISK_IMAGE_PATH = "vendorDiskImagePath";
private static final String KEY_OS = "os";
+ private static final String KEY_EXTRA_APKS = "extraApks";
/** @hide */
@Retention(RetentionPolicy.SOURCE)
@@ -140,6 +144,8 @@
/** Absolute path to the APK file containing the VM payload. */
@Nullable private final String mApkPath;
+ private final List<String> mExtraApks;
+
@DebugLevel private final int mDebugLevel;
/**
@@ -181,6 +187,7 @@
private VirtualMachineConfig(
@Nullable String packageName,
@Nullable String apkPath,
+ List<String> extraApks,
@Nullable String payloadConfigPath,
@Nullable String payloadBinaryName,
@DebugLevel int debugLevel,
@@ -195,6 +202,11 @@
// This is only called from Builder.build(); the builder handles parameter validation.
mPackageName = packageName;
mApkPath = apkPath;
+ mExtraApks =
+ extraApks.isEmpty()
+ ? Collections.emptyList()
+ : Collections.unmodifiableList(
+ Arrays.asList(extraApks.toArray(new String[0])));
mPayloadConfigPath = payloadConfigPath;
mPayloadBinaryName = payloadBinaryName;
mDebugLevel = debugLevel;
@@ -292,6 +304,13 @@
builder.setOs(os);
}
+ String[] extraApks = b.getStringArray(KEY_EXTRA_APKS);
+ if (extraApks != null) {
+ for (String extraApk : extraApks) {
+ builder.addExtraApk(extraApk);
+ }
+ }
+
return builder.build();
}
@@ -331,6 +350,10 @@
b.putString(KEY_VENDOR_DISK_IMAGE_PATH, mVendorDiskImage.getAbsolutePath());
}
b.putString(KEY_OS, mOs);
+ if (!mExtraApks.isEmpty()) {
+ String[] extraApks = mExtraApks.toArray(new String[0]);
+ b.putStringArray(KEY_EXTRA_APKS, extraApks);
+ }
b.writeToStream(output);
}
@@ -347,6 +370,19 @@
}
/**
+ * Returns the package names of any extra APKs that have been requested for the VM. They are
+ * returned in the order in which they were added via {@link Builder#addExtraApk}.
+ *
+ * @hide
+ */
+ @TestApi
+ @FlaggedApi("RELEASE_AVF_ENABLE_MULTI_TENANT_MICRODROID_VM")
+ @NonNull
+ public List<String> getExtraApks() {
+ return mExtraApks;
+ }
+
+ /**
* Returns the path within the APK to the payload config file that defines software aspects of
* the VM.
*
@@ -495,7 +531,8 @@
&& Objects.equals(this.mPayloadConfigPath, other.mPayloadConfigPath)
&& Objects.equals(this.mPayloadBinaryName, other.mPayloadBinaryName)
&& Objects.equals(this.mPackageName, other.mPackageName)
- && Objects.equals(this.mOs, other.mOs);
+ && Objects.equals(this.mOs, other.mOs)
+ && Objects.equals(this.mExtraApks, other.mExtraApks);
}
/**
@@ -623,6 +660,7 @@
@Nullable private final String mPackageName;
@Nullable private String mApkPath;
+ private final List<String> mExtraApks = new ArrayList<>();
@Nullable private String mPayloadConfigPath;
@Nullable private String mPayloadBinaryName;
@DebugLevel private int mDebugLevel = DEBUG_LEVEL_NONE;
@@ -683,6 +721,10 @@
throw new IllegalStateException(
"setPayloadConfigPath and setOs may not both be called");
}
+ if (!mExtraApks.isEmpty()) {
+ throw new IllegalStateException(
+ "setPayloadConfigPath and addExtraApk may not both be called");
+ }
} else {
if (mPayloadConfigPath != null) {
throw new IllegalStateException(
@@ -710,6 +752,7 @@
return new VirtualMachineConfig(
packageName,
apkPath,
+ mExtraApks,
mPayloadConfigPath,
mPayloadBinaryName,
mDebugLevel,
@@ -742,6 +785,21 @@
}
/**
+ * Specify the package name of an extra APK to be included in the VM. Each extra APK is
+ * mounted, in unzipped form, inside the VM, allowing access to the code and/or data within
+ * it. The VM entry point must be in the main APK.
+ *
+ * @hide
+ */
+ @TestApi
+ @FlaggedApi("RELEASE_AVF_ENABLE_MULTI_TENANT_MICRODROID_VM")
+ @NonNull
+ public Builder addExtraApk(@NonNull String packageName) {
+ mExtraApks.add(requireNonNull(packageName, "extra APK package name must not be null"));
+ return this;
+ }
+
+ /**
* Sets the path within the APK to the payload config file that defines software aspects of
* the VM. The file is a JSON file; see
* packages/modules/Virtualization/microdroid/payload/config/src/lib.rs for the format.
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineManager.java b/javalib/src/android/system/virtualmachine/VirtualMachineManager.java
index 2802659..1607c0a 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachineManager.java
+++ b/javalib/src/android/system/virtualmachine/VirtualMachineManager.java
@@ -92,13 +92,19 @@
})
public @interface Capability {}
- /* The implementation supports creating protected VMs, whose memory is inaccessible to the
- * host OS.
+ /**
+ * The implementation supports creating protected VMs, whose memory is inaccessible to the host
+ * OS.
+ *
+ * @see VirtualMachineConfig.Builder#setProtectedVm
*/
public static final int CAPABILITY_PROTECTED_VM = 1;
- /* The implementation supports creating non-protected VMs, whose memory is accessible to the
+ /**
+ * The implementation supports creating non-protected VMs, whose memory is accessible to the
* host OS.
+ *
+ * @see VirtualMachineConfig.Builder#setProtectedVm
*/
public static final int CAPABILITY_NON_PROTECTED_VM = 2;
@@ -120,6 +126,7 @@
*/
@TestApi
public static final String FEATURE_DICE_CHANGES = IVirtualizationService.FEATURE_DICE_CHANGES;
+
/**
* Feature to run payload as non-root user.
*
@@ -204,7 +211,7 @@
*
* @see #getOrCreate
* @throws VirtualMachineException if the virtual machine exists but could not be successfully
- * retrieved.
+ * retrieved. This can be resolved by calling {@link #delete} on the VM.
* @hide
*/
@SystemApi
diff --git a/launcher/Android.bp b/launcher/Android.bp
index 6c6417f..42c18cb 100644
--- a/launcher/Android.bp
+++ b/launcher/Android.bp
@@ -4,6 +4,7 @@
cc_binary {
name: "microdroid_launcher",
+ defaults: ["avf_build_flags_cc"],
srcs: ["main.cpp"],
shared_libs: [
"libbase",
diff --git a/libs/apkmanifest/Android.bp b/libs/apkmanifest/Android.bp
index e6fcbef..54c4f6c 100644
--- a/libs/apkmanifest/Android.bp
+++ b/libs/apkmanifest/Android.bp
@@ -4,6 +4,7 @@
cc_library_shared {
name: "libapkmanifest_native",
+ defaults: ["avf_build_flags_cc"],
srcs: ["native/*.cpp"],
shared_libs: [
"libandroidfw",
diff --git a/libs/apkverify/tests/apkverify_test.rs b/libs/apkverify/tests/apkverify_test.rs
index 441b708..96fad5f 100644
--- a/libs/apkverify/tests/apkverify_test.rs
+++ b/libs/apkverify/tests/apkverify_test.rs
@@ -37,7 +37,7 @@
android_logger::init_once(
android_logger::Config::default()
.with_tag("apkverify_test")
- .with_min_level(log::Level::Info),
+ .with_max_level(log::LevelFilter::Info),
);
info!("Test starting");
}
diff --git a/libs/libfdt/Android.bp b/libs/libfdt/Android.bp
index ba9e971..b5f7471 100644
--- a/libs/libfdt/Android.bp
+++ b/libs/libfdt/Android.bp
@@ -39,6 +39,7 @@
rustlibs: [
"libcstr",
"liblibfdt_bindgen",
+ "libmemoffset_nostd",
"libzerocopy_nostd",
],
whole_static_libs: [
diff --git a/libs/libfdt/src/ctypes.rs b/libs/libfdt/src/ctypes.rs
new file mode 100644
index 0000000..640d447
--- /dev/null
+++ b/libs/libfdt/src/ctypes.rs
@@ -0,0 +1,52 @@
+// Copyright 2024, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Safe zero-cost wrappers around integer values used by libfdt.
+
+use crate::{FdtError, Result};
+
+/// Wrapper guaranteed to contain a valid phandle.
+#[repr(transparent)]
+#[derive(Debug, Copy, Clone, Eq, PartialEq, Ord, PartialOrd)]
+pub struct Phandle(u32);
+
+impl Phandle {
+ /// Minimum valid value for device tree phandles.
+ pub const MIN: Self = Self(1);
+ /// Maximum valid value for device tree phandles.
+ pub const MAX: Self = Self(libfdt_bindgen::FDT_MAX_PHANDLE);
+
+ /// Creates a new Phandle
+ pub const fn new(value: u32) -> Option<Self> {
+ if Self::MIN.0 <= value && value <= Self::MAX.0 {
+ Some(Self(value))
+ } else {
+ None
+ }
+ }
+}
+
+impl From<Phandle> for u32 {
+ fn from(phandle: Phandle) -> u32 {
+ phandle.0
+ }
+}
+
+impl TryFrom<u32> for Phandle {
+ type Error = FdtError;
+
+ fn try_from(value: u32) -> Result<Self> {
+ Self::new(value).ok_or(FdtError::BadPhandle)
+ }
+}
diff --git a/libs/libfdt/src/iterators.rs b/libs/libfdt/src/iterators.rs
index e818c68..cb7afda 100644
--- a/libs/libfdt/src/iterators.rs
+++ b/libs/libfdt/src/iterators.rs
@@ -23,6 +23,8 @@
use core::marker::PhantomData;
use core::{mem::size_of, ops::Range, slice::ChunksExact};
+use zerocopy::transmute;
+
/// Iterator over nodes sharing a same compatible string.
pub struct CompatibleIterator<'a> {
node: FdtNode<'a>,
@@ -132,12 +134,6 @@
}
}
-// Converts two cells into bytes of the same size
-fn two_cells_to_bytes(cells: [u32; 2]) -> [u8; 2 * size_of::<u32>()] {
- // SAFETY: the size of the two arrays are the same
- unsafe { core::mem::transmute::<[u32; 2], [u8; 2 * size_of::<u32>()]>(cells) }
-}
-
impl Reg<u64> {
const NUM_CELLS: usize = 2;
/// Converts addr and (optional) size to the format that is consumable by libfdt.
@@ -145,14 +141,10 @@
&self,
) -> ([u8; Self::NUM_CELLS * size_of::<u32>()], Option<[u8; Self::NUM_CELLS * size_of::<u32>()]>)
{
- let addr =
- two_cells_to_bytes([((self.addr >> 32) as u32).to_be(), (self.addr as u32).to_be()]);
- let size = if self.size.is_some() {
- let size = self.size.unwrap();
- Some(two_cells_to_bytes([((size >> 32) as u32).to_be(), (size as u32).to_be()]))
- } else {
- None
- };
+ let addr = transmute!([((self.addr >> 32) as u32).to_be(), (self.addr as u32).to_be()]);
+ let size =
+ self.size.map(|sz| transmute!([((sz >> 32) as u32).to_be(), (sz as u32).to_be()]));
+
(addr, size)
}
}
@@ -288,12 +280,8 @@
((self.size >> 32) as u32).to_be(),
(self.size as u32).to_be(),
];
- // SAFETY: the size of the two arrays are the same
- unsafe {
- core::mem::transmute::<[u32; Self::SIZE_CELLS], [u8; Self::SIZE_CELLS * size_of::<u32>()]>(
- buf,
- )
- }
+
+ transmute!(buf)
}
}
diff --git a/libs/libfdt/src/lib.rs b/libs/libfdt/src/lib.rs
index 8a4e251..ab3c83f 100644
--- a/libs/libfdt/src/lib.rs
+++ b/libs/libfdt/src/lib.rs
@@ -17,142 +17,26 @@
#![no_std]
+mod ctypes;
mod iterators;
+mod libfdt;
+mod result;
+pub use ctypes::Phandle;
pub use iterators::{
AddressRange, CellIterator, CompatibleIterator, DescendantsIterator, MemRegIterator,
PropertyIterator, RangesIterator, Reg, RegIterator, SubnodeIterator,
};
+pub use result::{FdtError, Result};
-use core::cmp::max;
use core::ffi::{c_int, c_void, CStr};
-use core::fmt;
-use core::mem;
use core::ops::Range;
-use core::ptr;
-use core::result;
use cstr::cstr;
+use libfdt::get_slice_at_ptr;
+use result::{fdt_err, fdt_err_expect_zero, fdt_err_or_option};
use zerocopy::AsBytes as _;
-/// Error type corresponding to libfdt error codes.
-#[derive(Clone, Copy, Debug, Eq, PartialEq)]
-pub enum FdtError {
- /// FDT_ERR_NOTFOUND
- NotFound,
- /// FDT_ERR_EXISTS
- Exists,
- /// FDT_ERR_NOSPACE
- NoSpace,
- /// FDT_ERR_BADOFFSET
- BadOffset,
- /// FDT_ERR_BADPATH
- BadPath,
- /// FDT_ERR_BADPHANDLE
- BadPhandle,
- /// FDT_ERR_BADSTATE
- BadState,
- /// FDT_ERR_TRUNCATED
- Truncated,
- /// FDT_ERR_BADMAGIC
- BadMagic,
- /// FDT_ERR_BADVERSION
- BadVersion,
- /// FDT_ERR_BADSTRUCTURE
- BadStructure,
- /// FDT_ERR_BADLAYOUT
- BadLayout,
- /// FDT_ERR_INTERNAL
- Internal,
- /// FDT_ERR_BADNCELLS
- BadNCells,
- /// FDT_ERR_BADVALUE
- BadValue,
- /// FDT_ERR_BADOVERLAY
- BadOverlay,
- /// FDT_ERR_NOPHANDLES
- NoPhandles,
- /// FDT_ERR_BADFLAGS
- BadFlags,
- /// FDT_ERR_ALIGNMENT
- Alignment,
- /// Unexpected error code
- Unknown(i32),
-}
-
-impl fmt::Display for FdtError {
- /// Prints error messages from libfdt.h documentation.
- fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
- match self {
- Self::NotFound => write!(f, "The requested node or property does not exist"),
- Self::Exists => write!(f, "Attempted to create an existing node or property"),
- Self::NoSpace => write!(f, "Insufficient buffer space to contain the expanded tree"),
- Self::BadOffset => write!(f, "Structure block offset is out-of-bounds or invalid"),
- Self::BadPath => write!(f, "Badly formatted path"),
- Self::BadPhandle => write!(f, "Invalid phandle length or value"),
- Self::BadState => write!(f, "Received incomplete device tree"),
- Self::Truncated => write!(f, "Device tree or sub-block is improperly terminated"),
- Self::BadMagic => write!(f, "Device tree header missing its magic number"),
- Self::BadVersion => write!(f, "Device tree has a version which can't be handled"),
- Self::BadStructure => write!(f, "Device tree has a corrupt structure block"),
- Self::BadLayout => write!(f, "Device tree sub-blocks in unsupported order"),
- Self::Internal => write!(f, "libfdt has failed an internal assertion"),
- Self::BadNCells => write!(f, "Bad format or value of #address-cells or #size-cells"),
- Self::BadValue => write!(f, "Unexpected property value"),
- Self::BadOverlay => write!(f, "Overlay cannot be applied"),
- Self::NoPhandles => write!(f, "Device tree doesn't have any phandle available anymore"),
- Self::BadFlags => write!(f, "Invalid flag or invalid combination of flags"),
- Self::Alignment => write!(f, "Device tree base address is not 8-byte aligned"),
- Self::Unknown(e) => write!(f, "Unknown libfdt error '{e}'"),
- }
- }
-}
-
-/// Result type with FdtError enum.
-pub type Result<T> = result::Result<T, FdtError>;
-
-fn fdt_err(val: c_int) -> Result<c_int> {
- if val >= 0 {
- Ok(val)
- } else {
- Err(match -val as _ {
- libfdt_bindgen::FDT_ERR_NOTFOUND => FdtError::NotFound,
- libfdt_bindgen::FDT_ERR_EXISTS => FdtError::Exists,
- libfdt_bindgen::FDT_ERR_NOSPACE => FdtError::NoSpace,
- libfdt_bindgen::FDT_ERR_BADOFFSET => FdtError::BadOffset,
- libfdt_bindgen::FDT_ERR_BADPATH => FdtError::BadPath,
- libfdt_bindgen::FDT_ERR_BADPHANDLE => FdtError::BadPhandle,
- libfdt_bindgen::FDT_ERR_BADSTATE => FdtError::BadState,
- libfdt_bindgen::FDT_ERR_TRUNCATED => FdtError::Truncated,
- libfdt_bindgen::FDT_ERR_BADMAGIC => FdtError::BadMagic,
- libfdt_bindgen::FDT_ERR_BADVERSION => FdtError::BadVersion,
- libfdt_bindgen::FDT_ERR_BADSTRUCTURE => FdtError::BadStructure,
- libfdt_bindgen::FDT_ERR_BADLAYOUT => FdtError::BadLayout,
- libfdt_bindgen::FDT_ERR_INTERNAL => FdtError::Internal,
- libfdt_bindgen::FDT_ERR_BADNCELLS => FdtError::BadNCells,
- libfdt_bindgen::FDT_ERR_BADVALUE => FdtError::BadValue,
- libfdt_bindgen::FDT_ERR_BADOVERLAY => FdtError::BadOverlay,
- libfdt_bindgen::FDT_ERR_NOPHANDLES => FdtError::NoPhandles,
- libfdt_bindgen::FDT_ERR_BADFLAGS => FdtError::BadFlags,
- libfdt_bindgen::FDT_ERR_ALIGNMENT => FdtError::Alignment,
- _ => FdtError::Unknown(val),
- })
- }
-}
-
-fn fdt_err_expect_zero(val: c_int) -> Result<()> {
- match fdt_err(val)? {
- 0 => Ok(()),
- _ => Err(FdtError::Unknown(val)),
- }
-}
-
-fn fdt_err_or_option(val: c_int) -> Result<Option<c_int>> {
- match fdt_err(val) {
- Ok(val) => Ok(Some(val)),
- Err(FdtError::NotFound) => Ok(None),
- Err(e) => Err(e),
- }
-}
+use crate::libfdt::{Libfdt, LibfdtMut};
/// Value of a #address-cells property.
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
@@ -162,14 +46,14 @@
Triple = 3,
}
-impl TryFrom<c_int> for AddrCells {
+impl TryFrom<usize> for AddrCells {
type Error = FdtError;
- fn try_from(res: c_int) -> Result<Self> {
- match fdt_err(res)? {
- x if x == Self::Single as c_int => Ok(Self::Single),
- x if x == Self::Double as c_int => Ok(Self::Double),
- x if x == Self::Triple as c_int => Ok(Self::Triple),
+ fn try_from(value: usize) -> Result<Self> {
+ match value {
+ x if x == Self::Single as _ => Ok(Self::Single),
+ x if x == Self::Double as _ => Ok(Self::Double),
+ x if x == Self::Triple as _ => Ok(Self::Triple),
_ => Err(FdtError::BadNCells),
}
}
@@ -183,14 +67,14 @@
Double = 2,
}
-impl TryFrom<c_int> for SizeCells {
+impl TryFrom<usize> for SizeCells {
type Error = FdtError;
- fn try_from(res: c_int) -> Result<Self> {
- match fdt_err(res)? {
- x if x == Self::None as c_int => Ok(Self::None),
- x if x == Self::Single as c_int => Ok(Self::Single),
- x if x == Self::Double as c_int => Ok(Self::Double),
+ fn try_from(value: usize) -> Result<Self> {
+ match value {
+ x if x == Self::None as _ => Ok(Self::None),
+ x if x == Self::Single as _ => Ok(Self::Single),
+ x if x == Self::Double as _ => Ok(Self::Double),
_ => Err(FdtError::BadNCells),
}
}
@@ -201,18 +85,17 @@
#[derive(Debug)]
struct FdtPropertyStruct(libfdt_bindgen::fdt_property);
+impl AsRef<FdtPropertyStruct> for libfdt_bindgen::fdt_property {
+ fn as_ref(&self) -> &FdtPropertyStruct {
+ let ptr = self as *const _ as *const _;
+ // SAFETY: Types have the same layout (transparent) so the valid reference remains valid.
+ unsafe { &*ptr }
+ }
+}
+
impl FdtPropertyStruct {
fn from_offset(fdt: &Fdt, offset: c_int) -> Result<&Self> {
- let mut len = 0;
- let prop =
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- unsafe { libfdt_bindgen::fdt_get_property_by_offset(fdt.as_ptr(), offset, &mut len) };
- if prop.is_null() {
- fdt_err(len)?;
- return Err(FdtError::Internal); // shouldn't happen.
- }
- // SAFETY: prop is only returned when it points to valid libfdt_bindgen.
- Ok(unsafe { &*prop.cast::<FdtPropertyStruct>() })
+ Ok(fdt.get_property_by_offset(offset)?.as_ref())
}
fn name_offset(&self) -> c_int {
@@ -224,7 +107,7 @@
}
fn data_ptr(&self) -> *const c_void {
- self.0.data.as_ptr().cast::<_>()
+ self.0.data.as_ptr().cast()
}
}
@@ -253,11 +136,11 @@
}
fn next_property(&self) -> Result<Option<Self>> {
- let ret =
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- unsafe { libfdt_bindgen::fdt_next_property_offset(self.fdt.as_ptr(), self.offset) };
-
- fdt_err_or_option(ret)?.map(|offset| Self::new(self.fdt, offset)).transpose()
+ if let Some(offset) = self.fdt.next_property_offset(self.offset)? {
+ Ok(Some(Self::new(self.fdt, offset)?))
+ } else {
+ Ok(None)
+ }
}
}
@@ -269,31 +152,18 @@
}
impl<'a> FdtNode<'a> {
- /// Creates immutable node from a mutable node at the same offset.
- pub fn from_mut(other: &'a FdtNodeMut) -> Self {
- FdtNode { fdt: other.fdt, offset: other.offset }
- }
/// Returns parent node.
pub fn parent(&self) -> Result<Self> {
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- let ret = unsafe { libfdt_bindgen::fdt_parent_offset(self.fdt.as_ptr(), self.offset) };
+ let offset = self.fdt.parent_offset(self.offset)?;
- Ok(Self { fdt: self.fdt, offset: fdt_err(ret)? })
+ Ok(Self { fdt: self.fdt, offset })
}
/// Returns supernode with depth. Note that root is at depth 0.
pub fn supernode_at_depth(&self, depth: usize) -> Result<Self> {
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- let ret = unsafe {
- libfdt_bindgen::fdt_supernode_atdepth_offset(
- self.fdt.as_ptr(),
- self.offset,
- depth.try_into().unwrap(),
- ptr::null_mut(),
- )
- };
+ let offset = self.fdt.supernode_atdepth_offset(self.offset, depth)?;
- Ok(Self { fdt: self.fdt, offset: fdt_err(ret)? })
+ Ok(Self { fdt: self.fdt, offset })
}
/// Returns the standard (deprecated) device_type <string> property.
@@ -303,9 +173,7 @@
/// Returns the standard reg <prop-encoded-array> property.
pub fn reg(&self) -> Result<Option<RegIterator<'a>>> {
- let reg = cstr!("reg");
-
- if let Some(cells) = self.getprop_cells(reg)? {
+ if let Some(cells) = self.getprop_cells(cstr!("reg"))? {
let parent = self.parent()?;
let addr_cells = parent.address_cells()?;
@@ -319,8 +187,7 @@
/// Returns the standard ranges property.
pub fn ranges<A, P, S>(&self) -> Result<Option<RangesIterator<'a, A, P, S>>> {
- let ranges = cstr!("ranges");
- if let Some(cells) = self.getprop_cells(ranges)? {
+ if let Some(cells) = self.getprop_cells(cstr!("ranges"))? {
let parent = self.parent()?;
let addr_cells = self.address_cells()?;
let parent_addr_cells = parent.address_cells()?;
@@ -338,24 +205,17 @@
/// Returns the node name.
pub fn name(&self) -> Result<&'a CStr> {
- let mut len: c_int = 0;
- // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor). On success, the
- // function returns valid null terminating string and otherwise returned values are dropped.
- let name = unsafe { libfdt_bindgen::fdt_get_name(self.fdt.as_ptr(), self.offset, &mut len) }
- as *const c_void;
- let len = usize::try_from(fdt_err(len)?).unwrap();
- let name = self.fdt.get_from_ptr(name, len + 1)?;
+ let name = self.fdt.get_name(self.offset)?;
CStr::from_bytes_with_nul(name).map_err(|_| FdtError::Internal)
}
/// Returns the value of a given <string> property.
pub fn getprop_str(&self, name: &CStr) -> Result<Option<&CStr>> {
- let value = if let Some(bytes) = self.getprop(name)? {
- Some(CStr::from_bytes_with_nul(bytes).map_err(|_| FdtError::BadValue)?)
+ if let Some(bytes) = self.getprop(name)? {
+ Ok(Some(CStr::from_bytes_with_nul(bytes).map_err(|_| FdtError::BadValue)?))
} else {
- None
- };
- Ok(value)
+ Ok(None)
+ }
}
/// Returns the value of a given property as an array of cells.
@@ -369,64 +229,25 @@
/// Returns the value of a given <u32> property.
pub fn getprop_u32(&self, name: &CStr) -> Result<Option<u32>> {
- let value = if let Some(bytes) = self.getprop(name)? {
- Some(u32::from_be_bytes(bytes.try_into().map_err(|_| FdtError::BadValue)?))
+ if let Some(bytes) = self.getprop(name)? {
+ Ok(Some(u32::from_be_bytes(bytes.try_into().map_err(|_| FdtError::BadValue)?)))
} else {
- None
- };
- Ok(value)
+ Ok(None)
+ }
}
/// Returns the value of a given <u64> property.
pub fn getprop_u64(&self, name: &CStr) -> Result<Option<u64>> {
- let value = if let Some(bytes) = self.getprop(name)? {
- Some(u64::from_be_bytes(bytes.try_into().map_err(|_| FdtError::BadValue)?))
+ if let Some(bytes) = self.getprop(name)? {
+ Ok(Some(u64::from_be_bytes(bytes.try_into().map_err(|_| FdtError::BadValue)?)))
} else {
- None
- };
- Ok(value)
+ Ok(None)
+ }
}
/// Returns the value of a given property.
pub fn getprop(&self, name: &CStr) -> Result<Option<&'a [u8]>> {
- if let Some((prop, len)) = Self::getprop_internal(self.fdt, self.offset, name)? {
- Ok(Some(self.fdt.get_from_ptr(prop, len)?))
- } else {
- Ok(None) // property was not found
- }
- }
-
- /// Returns the pointer and size of the property named `name`, in a node at offset `offset`, in
- /// a device tree `fdt`. The pointer is guaranteed to be non-null, in which case error returns.
- fn getprop_internal(
- fdt: &'a Fdt,
- offset: c_int,
- name: &CStr,
- ) -> Result<Option<(*const c_void, usize)>> {
- let mut len: i32 = 0;
- // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor) and the
- // function respects the passed number of characters.
- let prop = unsafe {
- libfdt_bindgen::fdt_getprop_namelen(
- fdt.as_ptr(),
- offset,
- name.as_ptr(),
- // *_namelen functions don't include the trailing nul terminator in 'len'.
- name.to_bytes().len().try_into().map_err(|_| FdtError::BadPath)?,
- &mut len as *mut i32,
- )
- } as *const u8;
-
- let Some(len) = fdt_err_or_option(len)? else {
- return Ok(None); // Property was not found.
- };
- let len = usize::try_from(len).unwrap();
-
- if prop.is_null() {
- // We expected an error code in len but still received a valid value?!
- return Err(FdtError::Internal);
- }
- Ok(Some((prop.cast::<c_void>(), len)))
+ self.fdt.getprop_namelen(self.offset, name.to_bytes())
}
/// Returns reference to the containing device tree.
@@ -436,16 +257,9 @@
/// Returns the compatible node of the given name that is next after this node.
pub fn next_compatible(self, compatible: &CStr) -> Result<Option<Self>> {
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- let ret = unsafe {
- libfdt_bindgen::fdt_node_offset_by_compatible(
- self.fdt.as_ptr(),
- self.offset,
- compatible.as_ptr(),
- )
- };
+ let offset = self.fdt.node_offset_by_compatible(self.offset, compatible)?;
- Ok(fdt_err_or_option(ret)?.map(|offset| Self { fdt: self.fdt, offset }))
+ Ok(offset.map(|offset| Self { fdt: self.fdt, offset }))
}
/// Returns the first range of `reg` in this node.
@@ -454,17 +268,11 @@
}
fn address_cells(&self) -> Result<AddrCells> {
- // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
- unsafe { libfdt_bindgen::fdt_address_cells(self.fdt.as_ptr(), self.offset) }
- .try_into()
- .map_err(|_| FdtError::Internal)
+ self.fdt.address_cells(self.offset)?.try_into()
}
fn size_cells(&self) -> Result<SizeCells> {
- // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
- unsafe { libfdt_bindgen::fdt_size_cells(self.fdt.as_ptr(), self.offset) }
- .try_into()
- .map_err(|_| FdtError::Internal)
+ self.fdt.size_cells(self.offset)?.try_into()
}
/// Returns an iterator of subnodes
@@ -473,17 +281,15 @@
}
fn first_subnode(&self) -> Result<Option<Self>> {
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- let ret = unsafe { libfdt_bindgen::fdt_first_subnode(self.fdt.as_ptr(), self.offset) };
+ let offset = self.fdt.first_subnode(self.offset)?;
- Ok(fdt_err_or_option(ret)?.map(|offset| FdtNode { fdt: self.fdt, offset }))
+ Ok(offset.map(|offset| Self { fdt: self.fdt, offset }))
}
fn next_subnode(&self) -> Result<Option<Self>> {
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- let ret = unsafe { libfdt_bindgen::fdt_next_subnode(self.fdt.as_ptr(), self.offset) };
+ let offset = self.fdt.next_subnode(self.offset)?;
- Ok(fdt_err_or_option(ret)?.map(|offset| FdtNode { fdt: self.fdt, offset }))
+ Ok(offset.map(|offset| Self { fdt: self.fdt, offset }))
}
/// Returns an iterator of descendants
@@ -492,15 +298,11 @@
}
fn next_node(&self, depth: usize) -> Result<Option<(Self, usize)>> {
- let mut next_depth: c_int = depth.try_into().unwrap();
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- let ret = unsafe {
- libfdt_bindgen::fdt_next_node(self.fdt.as_ptr(), self.offset, &mut next_depth)
- };
- let Ok(next_depth) = usize::try_from(next_depth) else {
- return Ok(None);
- };
- Ok(fdt_err_or_option(ret)?.map(|offset| (FdtNode { fdt: self.fdt, offset }, next_depth)))
+ if let Some((offset, depth)) = self.fdt.next_node(self.offset, depth)? {
+ Ok(Some((Self { fdt: self.fdt, offset }, depth)))
+ } else {
+ Ok(None)
+ }
}
/// Returns an iterator of properties
@@ -509,11 +311,11 @@
}
fn first_property(&self) -> Result<Option<FdtProperty<'a>>> {
- let ret =
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- unsafe { libfdt_bindgen::fdt_first_property_offset(self.fdt.as_ptr(), self.offset) };
-
- fdt_err_or_option(ret)?.map(|offset| FdtProperty::new(self.fdt, offset)).transpose()
+ if let Some(offset) = self.fdt.first_property_offset(self.offset)? {
+ Ok(Some(FdtProperty::new(self.fdt, offset)?))
+ } else {
+ Ok(None)
+ }
}
/// Returns the phandle
@@ -530,28 +332,17 @@
/// Returns the subnode of the given name. The name doesn't need to be nul-terminated.
pub fn subnode(&self, name: &CStr) -> Result<Option<Self>> {
- let offset = self.subnode_offset(name.to_bytes())?;
+ let name = name.to_bytes();
+ let offset = self.fdt.subnode_offset_namelen(self.offset, name)?;
+
Ok(offset.map(|offset| Self { fdt: self.fdt, offset }))
}
/// Returns the subnode of the given name bytes
pub fn subnode_with_name_bytes(&self, name: &[u8]) -> Result<Option<Self>> {
- let offset = self.subnode_offset(name)?;
- Ok(offset.map(|offset| Self { fdt: self.fdt, offset }))
- }
+ let offset = self.fdt.subnode_offset_namelen(self.offset, name)?;
- fn subnode_offset(&self, name: &[u8]) -> Result<Option<c_int>> {
- let namelen = name.len().try_into().unwrap();
- // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
- let ret = unsafe {
- libfdt_bindgen::fdt_subnode_offset_namelen(
- self.fdt.as_ptr(),
- self.offset,
- name.as_ptr().cast::<_>(),
- namelen,
- )
- };
- fdt_err_or_option(ret)
+ Ok(offset.map(|offset| Self { fdt: self.fdt, offset }))
}
}
@@ -561,41 +352,6 @@
}
}
-/// Phandle of a FDT node
-#[repr(transparent)]
-#[derive(Debug, Copy, Clone, Eq, PartialEq, Ord, PartialOrd)]
-pub struct Phandle(u32);
-
-impl Phandle {
- /// Minimum valid value for device tree phandles.
- pub const MIN: Self = Self(1);
- /// Maximum valid value for device tree phandles.
- pub const MAX: Self = Self(libfdt_bindgen::FDT_MAX_PHANDLE);
-
- /// Creates a new Phandle
- pub const fn new(value: u32) -> Option<Self> {
- if Self::MIN.0 <= value && value <= Self::MAX.0 {
- Some(Self(value))
- } else {
- None
- }
- }
-}
-
-impl From<Phandle> for u32 {
- fn from(phandle: Phandle) -> u32 {
- phandle.0
- }
-}
-
-impl TryFrom<u32> for Phandle {
- type Error = FdtError;
-
- fn try_from(value: u32) -> Result<Self> {
- Self::new(value).ok_or(FdtError::BadPhandle)
- }
-}
-
/// Mutable FDT node.
#[derive(Debug)]
pub struct FdtNodeMut<'a> {
@@ -606,54 +362,20 @@
impl<'a> FdtNodeMut<'a> {
/// Appends a property name-value (possibly empty) pair to the given node.
pub fn appendprop<T: AsRef<[u8]>>(&mut self, name: &CStr, value: &T) -> Result<()> {
- // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
- let ret = unsafe {
- libfdt_bindgen::fdt_appendprop(
- self.fdt.as_mut_ptr(),
- self.offset,
- name.as_ptr(),
- value.as_ref().as_ptr().cast::<c_void>(),
- value.as_ref().len().try_into().map_err(|_| FdtError::BadValue)?,
- )
- };
-
- fdt_err_expect_zero(ret)
+ self.fdt.appendprop(self.offset, name, value.as_ref())
}
/// Appends a (address, size) pair property to the given node.
pub fn appendprop_addrrange(&mut self, name: &CStr, addr: u64, size: u64) -> Result<()> {
- // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
- let ret = unsafe {
- libfdt_bindgen::fdt_appendprop_addrrange(
- self.fdt.as_mut_ptr(),
- self.parent()?.offset,
- self.offset,
- name.as_ptr(),
- addr,
- size,
- )
- };
-
- fdt_err_expect_zero(ret)
+ let parent = self.parent()?.offset;
+ self.fdt.appendprop_addrrange(parent, self.offset, name, addr, size)
}
/// Sets a property name-value pair to the given node.
///
/// This may create a new prop or replace existing value.
pub fn setprop(&mut self, name: &CStr, value: &[u8]) -> Result<()> {
- // SAFETY: New value size is constrained to the DT totalsize
- // (validated by underlying libfdt).
- let ret = unsafe {
- libfdt_bindgen::fdt_setprop(
- self.fdt.as_mut_ptr(),
- self.offset,
- name.as_ptr(),
- value.as_ptr().cast::<c_void>(),
- value.len().try_into().map_err(|_| FdtError::BadValue)?,
- )
- };
-
- fdt_err_expect_zero(ret)
+ self.fdt.setprop(self.offset, name, value)
}
/// Sets the value of the given property with the given value, and ensure that the given
@@ -661,18 +383,7 @@
///
/// This can only be used to replace existing value.
pub fn setprop_inplace(&mut self, name: &CStr, value: &[u8]) -> Result<()> {
- // SAFETY: fdt size is not altered
- let ret = unsafe {
- libfdt_bindgen::fdt_setprop_inplace(
- self.fdt.as_mut_ptr(),
- self.offset,
- name.as_ptr(),
- value.as_ptr().cast::<c_void>(),
- value.len().try_into().map_err(|_| FdtError::BadValue)?,
- )
- };
-
- fdt_err_expect_zero(ret)
+ self.fdt.setprop_inplace(self.offset, name, value)
}
/// Sets the value of the given (address, size) pair property with the given value, and
@@ -681,63 +392,35 @@
/// This can only be used to replace existing value.
pub fn setprop_addrrange_inplace(&mut self, name: &CStr, addr: u64, size: u64) -> Result<()> {
let pair = [addr.to_be(), size.to_be()];
- self.setprop_inplace(name, pair.as_bytes())
+ self.fdt.setprop_inplace(self.offset, name, pair.as_bytes())
}
/// Sets a flag-like empty property.
///
/// This may create a new prop or replace existing value.
pub fn setprop_empty(&mut self, name: &CStr) -> Result<()> {
- self.setprop(name, &[])
+ self.fdt.setprop(self.offset, name, &[])
}
/// Deletes the given property.
pub fn delprop(&mut self, name: &CStr) -> Result<()> {
- // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor) when the
- // library locates the node's property. Removing the property may shift the offsets of
- // other nodes and properties but the borrow checker should prevent this function from
- // being called when FdtNode instances are in use.
- let ret = unsafe {
- libfdt_bindgen::fdt_delprop(self.fdt.as_mut_ptr(), self.offset, name.as_ptr())
- };
-
- fdt_err_expect_zero(ret)
+ self.fdt.delprop(self.offset, name)
}
/// Deletes the given property effectively from DT, by setting it with FDT_NOP.
pub fn nop_property(&mut self, name: &CStr) -> Result<()> {
- // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor) when the
- // library locates the node's property.
- let ret = unsafe {
- libfdt_bindgen::fdt_nop_property(self.fdt.as_mut_ptr(), self.offset, name.as_ptr())
- };
-
- fdt_err_expect_zero(ret)
+ self.fdt.nop_property(self.offset, name)
}
/// Trims the size of the given property to new_size.
pub fn trimprop(&mut self, name: &CStr, new_size: usize) -> Result<()> {
- let (prop, len) =
- FdtNode::getprop_internal(self.fdt, self.offset, name)?.ok_or(FdtError::NotFound)?;
- if len == new_size {
- return Ok(());
- }
- if new_size > len {
- return Err(FdtError::NoSpace);
- }
+ let prop = self.as_node().getprop(name)?.ok_or(FdtError::NotFound)?;
- // SAFETY: new_size is smaller than the old size
- let ret = unsafe {
- libfdt_bindgen::fdt_setprop(
- self.fdt.as_mut_ptr(),
- self.offset,
- name.as_ptr(),
- prop.cast::<c_void>(),
- new_size.try_into().map_err(|_| FdtError::BadValue)?,
- )
- };
-
- fdt_err_expect_zero(ret)
+ match prop.len() {
+ x if x == new_size => Ok(()),
+ x if x < new_size => Err(FdtError::NoSpace),
+ _ => self.fdt.setprop_placeholder(self.offset, name, new_size).map(|_| ()),
+ }
}
/// Returns reference to the containing device tree.
@@ -753,126 +436,76 @@
/// Adds new subnodes to the given node.
pub fn add_subnodes(&mut self, names: &[&CStr]) -> Result<()> {
for name in names {
- self.add_subnode_offset(name.to_bytes())?;
+ self.fdt.add_subnode_namelen(self.offset, name.to_bytes())?;
}
Ok(())
}
/// Adds a new subnode to the given node and return it as a FdtNodeMut on success.
pub fn add_subnode(&'a mut self, name: &CStr) -> Result<Self> {
- let offset = self.add_subnode_offset(name.to_bytes())?;
+ let name = name.to_bytes();
+ let offset = self.fdt.add_subnode_namelen(self.offset, name)?;
+
Ok(Self { fdt: self.fdt, offset })
}
/// Adds a new subnode to the given node with name and namelen, and returns it as a FdtNodeMut
/// on success.
pub fn add_subnode_with_namelen(&'a mut self, name: &CStr, namelen: usize) -> Result<Self> {
- let offset = { self.add_subnode_offset(&name.to_bytes()[..namelen])? };
- Ok(Self { fdt: self.fdt, offset })
- }
+ let name = &name.to_bytes()[..namelen];
+ let offset = self.fdt.add_subnode_namelen(self.offset, name)?;
- fn add_subnode_offset(&mut self, name: &[u8]) -> Result<c_int> {
- let namelen = name.len().try_into().unwrap();
- // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
- let ret = unsafe {
- libfdt_bindgen::fdt_add_subnode_namelen(
- self.fdt.as_mut_ptr(),
- self.offset,
- name.as_ptr().cast::<_>(),
- namelen,
- )
- };
- fdt_err(ret)
+ Ok(Self { fdt: self.fdt, offset })
}
/// Returns the first subnode of this
pub fn first_subnode(&'a mut self) -> Result<Option<Self>> {
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- let ret = unsafe { libfdt_bindgen::fdt_first_subnode(self.fdt.as_ptr(), self.offset) };
+ let offset = self.fdt.first_subnode(self.offset)?;
- Ok(fdt_err_or_option(ret)?.map(|offset| Self { fdt: self.fdt, offset }))
+ Ok(offset.map(|offset| Self { fdt: self.fdt, offset }))
}
/// Returns the next subnode that shares the same parent with this
pub fn next_subnode(self) -> Result<Option<Self>> {
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- let ret = unsafe { libfdt_bindgen::fdt_next_subnode(self.fdt.as_ptr(), self.offset) };
+ let offset = self.fdt.next_subnode(self.offset)?;
- Ok(fdt_err_or_option(ret)?.map(|offset| Self { fdt: self.fdt, offset }))
+ Ok(offset.map(|offset| Self { fdt: self.fdt, offset }))
}
/// Deletes the current node and returns the next subnode
- pub fn delete_and_next_subnode(mut self) -> Result<Option<Self>> {
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- let ret = unsafe { libfdt_bindgen::fdt_next_subnode(self.fdt.as_ptr(), self.offset) };
+ pub fn delete_and_next_subnode(self) -> Result<Option<Self>> {
+ let next_offset = self.fdt.next_subnode(self.offset)?;
- let next_offset = fdt_err_or_option(ret)?;
-
- if Some(self.offset) == next_offset {
- return Err(FdtError::Internal);
- }
-
- // SAFETY: nop_self() only touches bytes of the self and its properties and subnodes, and
- // doesn't alter any other blob in the tree. self.fdt and next_offset would remain valid.
- unsafe { self.nop_self()? };
-
- Ok(next_offset.map(|offset| Self { fdt: self.fdt, offset }))
- }
-
- fn next_node_offset(&self, depth: usize) -> Result<Option<(c_int, usize)>> {
- let mut next_depth: c_int = depth.try_into().or(Err(FdtError::BadValue))?;
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- let ret = unsafe {
- libfdt_bindgen::fdt_next_node(self.fdt.as_ptr(), self.offset, &mut next_depth)
- };
- let Ok(next_depth) = usize::try_from(next_depth) else {
- return Ok(None);
- };
- Ok(fdt_err_or_option(ret)?.map(|offset| (offset, next_depth)))
+ self.delete_and_next(next_offset)
}
/// Returns the next node
pub fn next_node(self, depth: usize) -> Result<Option<(Self, usize)>> {
- Ok(self
- .next_node_offset(depth)?
- .map(|(offset, next_depth)| (FdtNodeMut { fdt: self.fdt, offset }, next_depth)))
+ let next = self.fdt.next_node(self.offset, depth)?;
+
+ Ok(next.map(|(offset, depth)| (Self { fdt: self.fdt, offset }, depth)))
}
/// Deletes this and returns the next node
- pub fn delete_and_next_node(mut self, depth: usize) -> Result<Option<(Self, usize)>> {
- // Skip all would-be-removed descendants.
- let mut iter = self.next_node_offset(depth)?;
- while let Some((descendant_offset, descendant_depth)) = iter {
- if descendant_depth <= depth {
- break;
- }
- let descendant = FdtNodeMut { fdt: self.fdt, offset: descendant_offset };
- iter = descendant.next_node_offset(descendant_depth)?;
+ pub fn delete_and_next_node(self, depth: usize) -> Result<Option<(Self, usize)>> {
+ let next_node = self.fdt.next_node_skip_subnodes(self.offset, depth)?;
+ if let Some((offset, depth)) = next_node {
+ let next_node = self.delete_and_next(Some(offset))?.unwrap();
+ Ok(Some((next_node, depth)))
+ } else {
+ Ok(None)
}
- // SAFETY: This consumes self, so invalid node wouldn't be used any further
- unsafe { self.nop_self()? };
- Ok(iter.map(|(offset, next_depth)| (FdtNodeMut { fdt: self.fdt, offset }, next_depth)))
}
fn parent(&'a self) -> Result<FdtNode<'a>> {
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- let ret = unsafe { libfdt_bindgen::fdt_parent_offset(self.fdt.as_ptr(), self.offset) };
-
- Ok(FdtNode { fdt: &*self.fdt, offset: fdt_err(ret)? })
+ self.as_node().parent()
}
/// Returns the compatible node of the given name that is next after this node.
pub fn next_compatible(self, compatible: &CStr) -> Result<Option<Self>> {
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- let ret = unsafe {
- libfdt_bindgen::fdt_node_offset_by_compatible(
- self.fdt.as_ptr(),
- self.offset,
- compatible.as_ptr(),
- )
- };
+ let offset = self.fdt.node_offset_by_compatible(self.offset, compatible)?;
- Ok(fdt_err_or_option(ret)?.map(|offset| Self { fdt: self.fdt, offset }))
+ Ok(offset.map(|offset| Self { fdt: self.fdt, offset }))
}
/// Deletes the node effectively by overwriting this node and its subtree with nop tags.
@@ -887,43 +520,25 @@
// node, and delete the current node, the Rust borrow checker kicks in. The next node has a
// mutable reference to DT, so we can't use current node (which also has a mutable reference to
// DT).
- pub fn delete_and_next_compatible(mut self, compatible: &CStr) -> Result<Option<Self>> {
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- let ret = unsafe {
- libfdt_bindgen::fdt_node_offset_by_compatible(
- self.fdt.as_ptr(),
- self.offset,
- compatible.as_ptr(),
- )
- };
- let next_offset = fdt_err_or_option(ret)?;
+ pub fn delete_and_next_compatible(self, compatible: &CStr) -> Result<Option<Self>> {
+ let next_offset = self.fdt.node_offset_by_compatible(self.offset, compatible)?;
+ self.delete_and_next(next_offset)
+ }
+
+ fn delete_and_next(self, next_offset: Option<c_int>) -> Result<Option<Self>> {
if Some(self.offset) == next_offset {
return Err(FdtError::Internal);
}
- // SAFETY: nop_self() only touches bytes of the self and its properties and subnodes, and
- // doesn't alter any other blob in the tree. self.fdt and next_offset would remain valid.
- unsafe { self.nop_self()? };
+ self.fdt.nop_node(self.offset)?;
Ok(next_offset.map(|offset| Self { fdt: self.fdt, offset }))
}
/// Deletes this node effectively from DT, by setting it with FDT_NOP
- pub fn nop(mut self) -> Result<()> {
- // SAFETY: This consumes self, so invalid node wouldn't be used any further
- unsafe { self.nop_self() }
- }
-
- /// Deletes this node effectively from DT, by setting it with FDT_NOP.
- /// This only changes bytes of the node and its properties and subnodes, and doesn't alter or
- /// move any other part of the tree.
- /// SAFETY: This node is no longer valid.
- unsafe fn nop_self(&mut self) -> Result<()> {
- // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
- let ret = unsafe { libfdt_bindgen::fdt_nop_node(self.fdt.as_mut_ptr(), self.offset) };
-
- fdt_err_expect_zero(ret)
+ pub fn nop(self) -> Result<()> {
+ self.fdt.nop_node(self.offset)
}
}
@@ -934,14 +549,31 @@
buffer: [u8],
}
+// SAFETY: Fdt calls check_full() before safely returning a &Self, making it impossible for trait
+// methods to be called on invalid device trees.
+unsafe impl Libfdt for Fdt {
+ fn as_fdt_slice(&self) -> &[u8] {
+ &self.buffer[..self.totalsize()]
+ }
+}
+
+// SAFETY: Fdt calls check_full() before safely returning a &Self, making it impossible for trait
+// methods to be called on invalid device trees.
+unsafe impl LibfdtMut for Fdt {
+ fn as_fdt_slice_mut(&mut self) -> &mut [u8] {
+ &mut self.buffer
+ }
+}
+
impl Fdt {
/// Wraps a slice containing a Flattened Device Tree.
///
/// Fails if the FDT does not pass validation.
pub fn from_slice(fdt: &[u8]) -> Result<&Self> {
- // SAFETY: The FDT will be validated before it is returned.
+ libfdt::check_full(fdt)?;
+ // SAFETY: The FDT was validated.
let fdt = unsafe { Self::unchecked_from_slice(fdt) };
- fdt.check_full()?;
+
Ok(fdt)
}
@@ -949,67 +581,58 @@
///
/// Fails if the FDT does not pass validation.
pub fn from_mut_slice(fdt: &mut [u8]) -> Result<&mut Self> {
- // SAFETY: The FDT will be validated before it is returned.
+ libfdt::check_full(fdt)?;
+ // SAFETY: The FDT was validated.
let fdt = unsafe { Self::unchecked_from_mut_slice(fdt) };
- fdt.check_full()?;
+
Ok(fdt)
}
/// Creates an empty Flattened Device Tree with a mutable slice.
pub fn create_empty_tree(fdt: &mut [u8]) -> Result<&mut Self> {
- // SAFETY: fdt_create_empty_tree() only write within the specified length,
- // and returns error if buffer was insufficient.
- // There will be no memory write outside of the given fdt.
- let ret = unsafe {
- libfdt_bindgen::fdt_create_empty_tree(
- fdt.as_mut_ptr().cast::<c_void>(),
- fdt.len() as i32,
- )
- };
- fdt_err_expect_zero(ret)?;
+ libfdt::create_empty_tree(fdt)?;
- // SAFETY: The FDT will be validated before it is returned.
- let fdt = unsafe { Self::unchecked_from_mut_slice(fdt) };
- fdt.check_full()?;
-
- Ok(fdt)
+ Self::from_mut_slice(fdt)
}
/// Wraps a slice containing a Flattened Device Tree.
///
/// # Safety
///
- /// The returned FDT might be invalid, only use on slices containing a valid DT.
+ /// It is undefined to call this function on a slice that does not contain a valid device tree.
pub unsafe fn unchecked_from_slice(fdt: &[u8]) -> &Self {
- // SAFETY: Fdt is a wrapper around a [u8], so the transmute is valid. The caller is
- // responsible for ensuring that it is actually a valid FDT.
- unsafe { mem::transmute::<&[u8], &Self>(fdt) }
+ let self_ptr = fdt as *const _ as *const _;
+ // SAFETY: The pointer is non-null, dereferenceable, and points to allocated memory.
+ unsafe { &*self_ptr }
}
/// Wraps a mutable slice containing a Flattened Device Tree.
///
/// # Safety
///
- /// The returned FDT might be invalid, only use on slices containing a valid DT.
+ /// It is undefined to call this function on a slice that does not contain a valid device tree.
pub unsafe fn unchecked_from_mut_slice(fdt: &mut [u8]) -> &mut Self {
- // SAFETY: Fdt is a wrapper around a [u8], so the transmute is valid. The caller is
- // responsible for ensuring that it is actually a valid FDT.
- unsafe { mem::transmute::<&mut [u8], &mut Self>(fdt) }
+ let self_mut_ptr = fdt as *mut _ as *mut _;
+ // SAFETY: The pointer is non-null, dereferenceable, and points to allocated memory.
+ unsafe { &mut *self_mut_ptr }
}
- /// Updates this FDT from a slice containing another FDT.
- pub fn copy_from_slice(&mut self, new_fdt: &[u8]) -> Result<()> {
- if self.buffer.len() < new_fdt.len() {
- Err(FdtError::NoSpace)
- } else {
- let totalsize = self.totalsize();
- self.buffer[..new_fdt.len()].clone_from_slice(new_fdt);
- // Zeroize the remaining part. We zeroize up to the size of the original DT because
- // zeroizing the entire buffer (max 2MB) is not necessary and may increase the VM boot
- // time.
- self.buffer[new_fdt.len()..max(new_fdt.len(), totalsize)].fill(0_u8);
- Ok(())
+ /// Updates this FDT from another FDT.
+ pub fn clone_from(&mut self, other: &Self) -> Result<()> {
+ let new_len = other.buffer.len();
+ if self.buffer.len() < new_len {
+ return Err(FdtError::NoSpace);
}
+
+ let zeroed_len = self.totalsize().checked_sub(new_len);
+ let (cloned, zeroed) = self.buffer.split_at_mut(new_len);
+
+ cloned.clone_from_slice(&other.buffer);
+ if let Some(len) = zeroed_len {
+ zeroed[..len].fill(0);
+ }
+
+ Ok(())
}
/// Unpacks the DT to cover the whole slice it is contained in.
@@ -1056,11 +679,8 @@
///
/// NOTE: This does not support individual "/memory@XXXX" banks.
pub fn memory(&self) -> Result<MemRegIterator> {
- let memory_node_name = cstr!("/memory");
- let memory_device_type = cstr!("memory");
-
- let node = self.node(memory_node_name)?.ok_or(FdtError::NotFound)?;
- if node.device_type()? != Some(memory_device_type) {
+ let node = self.node(cstr!("/memory"))?.ok_or(FdtError::NotFound)?;
+ if node.device_type()? != Some(cstr!("memory")) {
return Err(FdtError::BadValue);
}
node.reg()?.ok_or(FdtError::BadValue).map(MemRegIterator::new)
@@ -1098,7 +718,9 @@
/// Returns a tree node by its full path.
pub fn node(&self, path: &CStr) -> Result<Option<FdtNode>> {
- Ok(self.path_offset(path.to_bytes())?.map(|offset| FdtNode { fdt: self, offset }))
+ let offset = self.path_offset_namelen(path.to_bytes())?;
+
+ Ok(offset.map(|offset| FdtNode { fdt: self, offset }))
}
/// Iterate over nodes with a given compatible string.
@@ -1108,30 +730,21 @@
/// Returns max phandle in the tree.
pub fn max_phandle(&self) -> Result<Phandle> {
- let mut phandle: u32 = 0;
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- let ret = unsafe { libfdt_bindgen::fdt_find_max_phandle(self.as_ptr(), &mut phandle) };
-
- fdt_err_expect_zero(ret)?;
- phandle.try_into()
+ self.find_max_phandle()
}
/// Returns a node with the phandle
pub fn node_with_phandle(&self, phandle: Phandle) -> Result<Option<FdtNode>> {
- let offset = self.node_offset_with_phandle(phandle)?;
+ let offset = self.node_offset_by_phandle(phandle)?;
+
Ok(offset.map(|offset| FdtNode { fdt: self, offset }))
}
/// Returns a mutable node with the phandle
pub fn node_mut_with_phandle(&mut self, phandle: Phandle) -> Result<Option<FdtNodeMut>> {
- let offset = self.node_offset_with_phandle(phandle)?;
- Ok(offset.map(|offset| FdtNodeMut { fdt: self, offset }))
- }
+ let offset = self.node_offset_by_phandle(phandle)?;
- fn node_offset_with_phandle(&self, phandle: Phandle) -> Result<Option<c_int>> {
- // SAFETY: Accesses are constrained to the DT totalsize.
- let ret = unsafe { libfdt_bindgen::fdt_node_offset_by_phandle(self.as_ptr(), phandle.0) };
- fdt_err_or_option(ret)
+ Ok(offset.map(|offset| FdtNodeMut { fdt: self, offset }))
}
/// Returns the mutable root node of the tree.
@@ -1141,56 +754,35 @@
/// Returns a mutable tree node by its full path.
pub fn node_mut(&mut self, path: &CStr) -> Result<Option<FdtNodeMut>> {
- Ok(self.path_offset(path.to_bytes())?.map(|offset| FdtNodeMut { fdt: self, offset }))
+ let offset = self.path_offset_namelen(path.to_bytes())?;
+
+ Ok(offset.map(|offset| FdtNodeMut { fdt: self, offset }))
+ }
+
+ fn next_node_skip_subnodes(&self, node: c_int, depth: usize) -> Result<Option<(c_int, usize)>> {
+ let mut iter = self.next_node(node, depth)?;
+ while let Some((offset, next_depth)) = iter {
+ if next_depth <= depth {
+ return Ok(Some((offset, next_depth)));
+ }
+ iter = self.next_node(offset, next_depth)?;
+ }
+
+ Ok(None)
}
/// Returns the device tree as a slice (may be smaller than the containing buffer).
pub fn as_slice(&self) -> &[u8] {
- &self.buffer[..self.totalsize()]
- }
-
- fn path_offset(&self, path: &[u8]) -> Result<Option<c_int>> {
- let len = path.len().try_into().map_err(|_| FdtError::BadPath)?;
- // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor) and the
- // function respects the passed number of characters.
- let ret = unsafe {
- // *_namelen functions don't include the trailing nul terminator in 'len'.
- libfdt_bindgen::fdt_path_offset_namelen(self.as_ptr(), path.as_ptr().cast::<_>(), len)
- };
-
- fdt_err_or_option(ret)
- }
-
- fn check_full(&self) -> Result<()> {
- // SAFETY: Only performs read accesses within the limits of the slice. If successful, this
- // call guarantees to other unsafe calls that the header contains a valid totalsize (w.r.t.
- // 'len' i.e. the self.fdt slice) that those C functions can use to perform bounds
- // checking. The library doesn't maintain an internal state (such as pointers) between
- // calls as it expects the client code to keep track of the objects (DT, nodes, ...).
- let ret = unsafe { libfdt_bindgen::fdt_check_full(self.as_ptr(), self.capacity()) };
- fdt_err_expect_zero(ret)
+ self.as_fdt_slice()
}
fn get_from_ptr(&self, ptr: *const c_void, len: usize) -> Result<&[u8]> {
- let ptr = ptr as usize;
- let offset = ptr.checked_sub(self.as_ptr() as usize).ok_or(FdtError::Internal)?;
- self.buffer.get(offset..(offset + len)).ok_or(FdtError::Internal)
- }
-
- fn string(&self, offset: c_int) -> Result<&CStr> {
- // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
- let res = unsafe { libfdt_bindgen::fdt_string(self.as_ptr(), offset) };
- if res.is_null() {
- return Err(FdtError::Internal);
- }
-
- // SAFETY: Non-null return from fdt_string() is valid null-terminating string within FDT.
- Ok(unsafe { CStr::from_ptr(res) })
+ get_slice_at_ptr(self.as_fdt_slice(), ptr.cast(), len).ok_or(FdtError::Internal)
}
/// Returns a shared pointer to the device tree.
pub fn as_ptr(&self) -> *const c_void {
- self.buffer.as_ptr().cast::<_>()
+ self.buffer.as_ptr().cast()
}
fn as_mut_ptr(&mut self) -> *mut c_void {
@@ -1202,7 +794,7 @@
}
fn header(&self) -> &libfdt_bindgen::fdt_header {
- let p = self.as_ptr().cast::<_>();
+ let p = self.as_ptr().cast();
// SAFETY: A valid FDT (verified by constructor) must contain a valid fdt_header.
unsafe { &*p }
}
diff --git a/libs/libfdt/src/libfdt.rs b/libs/libfdt/src/libfdt.rs
new file mode 100644
index 0000000..7737718
--- /dev/null
+++ b/libs/libfdt/src/libfdt.rs
@@ -0,0 +1,455 @@
+// Copyright 2024, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Low-level libfdt_bindgen wrapper, easy to integrate safely in higher-level APIs.
+//!
+//! These traits decouple the safe libfdt C function calls from the representation of those
+//! user-friendly higher-level types, allowing the trait to be shared between different ones,
+//! adapted to their use-cases (e.g. alloc-based userspace or statically allocated no_std).
+
+use core::ffi::{c_int, CStr};
+use core::mem;
+use core::ptr;
+
+use crate::{fdt_err, fdt_err_expect_zero, fdt_err_or_option, FdtError, Phandle, Result};
+
+// Function names are the C function names without the `fdt_` prefix.
+
+/// Safe wrapper around `fdt_create_empty_tree()` (C function).
+pub(crate) fn create_empty_tree(fdt: &mut [u8]) -> Result<()> {
+ let len = fdt.len().try_into().unwrap();
+ let fdt = fdt.as_mut_ptr().cast();
+ // SAFETY: fdt_create_empty_tree() only write within the specified length,
+ // and returns error if buffer was insufficient.
+ // There will be no memory write outside of the given fdt.
+ let ret = unsafe { libfdt_bindgen::fdt_create_empty_tree(fdt, len) };
+
+ fdt_err_expect_zero(ret)
+}
+
+/// Safe wrapper around `fdt_check_full()` (C function).
+pub(crate) fn check_full(fdt: &[u8]) -> Result<()> {
+ let len = fdt.len();
+ let fdt = fdt.as_ptr().cast();
+ // SAFETY: Only performs read accesses within the limits of the slice. If successful, this
+ // call guarantees to other unsafe calls that the header contains a valid totalsize (w.r.t.
+ // 'len' i.e. the self.fdt slice) that those C functions can use to perform bounds
+ // checking. The library doesn't maintain an internal state (such as pointers) between
+ // calls as it expects the client code to keep track of the objects (DT, nodes, ...).
+ let ret = unsafe { libfdt_bindgen::fdt_check_full(fdt, len) };
+
+ fdt_err_expect_zero(ret)
+}
+
+/// Wrapper for the read-only libfdt.h functions.
+///
+/// # Safety
+///
+/// Implementors must ensure that at any point where a method of this trait is called, the
+/// underlying type returns the bytes of a valid device tree (as validated by `check_full`)
+/// through its `.as_fdt_slice` method.
+pub(crate) unsafe trait Libfdt {
+ /// Provides an immutable slice containing the device tree.
+ ///
+ /// The implementation must ensure that the size of the returned slice and
+ /// `fdt_header::totalsize` match.
+ fn as_fdt_slice(&self) -> &[u8];
+
+ /// Safe wrapper around `fdt_path_offset_namelen()` (C function).
+ fn path_offset_namelen(&self, path: &[u8]) -> Result<Option<c_int>> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ // *_namelen functions don't include the trailing nul terminator in 'len'.
+ let len = path.len().try_into().map_err(|_| FdtError::BadPath)?;
+ let path = path.as_ptr().cast();
+ // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor) and the
+ // function respects the passed number of characters.
+ let ret = unsafe { libfdt_bindgen::fdt_path_offset_namelen(fdt, path, len) };
+
+ fdt_err_or_option(ret)
+ }
+
+ /// Safe wrapper around `fdt_node_offset_by_phandle()` (C function).
+ fn node_offset_by_phandle(&self, phandle: Phandle) -> Result<Option<c_int>> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ let phandle = phandle.into();
+ // SAFETY: Accesses are constrained to the DT totalsize.
+ let ret = unsafe { libfdt_bindgen::fdt_node_offset_by_phandle(fdt, phandle) };
+
+ fdt_err_or_option(ret)
+ }
+
+ /// Safe wrapper around `fdt_node_offset_by_compatible()` (C function).
+ fn node_offset_by_compatible(&self, prev: c_int, compatible: &CStr) -> Result<Option<c_int>> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ let compatible = compatible.as_ptr();
+ // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
+ let ret = unsafe { libfdt_bindgen::fdt_node_offset_by_compatible(fdt, prev, compatible) };
+
+ fdt_err_or_option(ret)
+ }
+
+ /// Safe wrapper around `fdt_next_node()` (C function).
+ fn next_node(&self, node: c_int, depth: usize) -> Result<Option<(c_int, usize)>> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ let mut depth = depth.try_into().unwrap();
+ // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
+ let ret = unsafe { libfdt_bindgen::fdt_next_node(fdt, node, &mut depth) };
+
+ match fdt_err_or_option(ret)? {
+ Some(offset) if depth >= 0 => {
+ let depth = depth.try_into().unwrap();
+ Ok(Some((offset, depth)))
+ }
+ _ => Ok(None),
+ }
+ }
+
+ /// Safe wrapper around `fdt_parent_offset()` (C function).
+ ///
+ /// Note that this function returns a `Err` when called on a root.
+ fn parent_offset(&self, node: c_int) -> Result<c_int> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
+ let ret = unsafe { libfdt_bindgen::fdt_parent_offset(fdt, node) };
+
+ fdt_err(ret)
+ }
+
+ /// Safe wrapper around `fdt_supernode_atdepth_offset()` (C function).
+ ///
+ /// Note that this function returns a `Err` when called on a node at a depth shallower than
+ /// the provided `depth`.
+ fn supernode_atdepth_offset(&self, node: c_int, depth: usize) -> Result<c_int> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ let depth = depth.try_into().unwrap();
+ let nodedepth = ptr::null_mut();
+ let ret =
+ // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
+ unsafe { libfdt_bindgen::fdt_supernode_atdepth_offset(fdt, node, depth, nodedepth) };
+
+ fdt_err(ret)
+ }
+
+ /// Safe wrapper around `fdt_subnode_offset_namelen()` (C function).
+ fn subnode_offset_namelen(&self, parent: c_int, name: &[u8]) -> Result<Option<c_int>> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ let namelen = name.len().try_into().unwrap();
+ let name = name.as_ptr().cast();
+ // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
+ let ret = unsafe { libfdt_bindgen::fdt_subnode_offset_namelen(fdt, parent, name, namelen) };
+
+ fdt_err_or_option(ret)
+ }
+ /// Safe wrapper around `fdt_first_subnode()` (C function).
+ fn first_subnode(&self, node: c_int) -> Result<Option<c_int>> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
+ let ret = unsafe { libfdt_bindgen::fdt_first_subnode(fdt, node) };
+
+ fdt_err_or_option(ret)
+ }
+
+ /// Safe wrapper around `fdt_next_subnode()` (C function).
+ fn next_subnode(&self, node: c_int) -> Result<Option<c_int>> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
+ let ret = unsafe { libfdt_bindgen::fdt_next_subnode(fdt, node) };
+
+ fdt_err_or_option(ret)
+ }
+
+ /// Safe wrapper around `fdt_address_cells()` (C function).
+ fn address_cells(&self, node: c_int) -> Result<usize> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
+ let ret = unsafe { libfdt_bindgen::fdt_address_cells(fdt, node) };
+
+ Ok(fdt_err(ret)?.try_into().unwrap())
+ }
+
+ /// Safe wrapper around `fdt_size_cells()` (C function).
+ fn size_cells(&self, node: c_int) -> Result<usize> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
+ let ret = unsafe { libfdt_bindgen::fdt_size_cells(fdt, node) };
+
+ Ok(fdt_err(ret)?.try_into().unwrap())
+ }
+
+ /// Safe wrapper around `fdt_get_name()` (C function).
+ fn get_name(&self, node: c_int) -> Result<&[u8]> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ let mut len = 0;
+ // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor). On success, the
+ // function returns valid null terminating string and otherwise returned values are dropped.
+ let name = unsafe { libfdt_bindgen::fdt_get_name(fdt, node, &mut len) };
+ let len = usize::try_from(fdt_err(len)?).unwrap().checked_add(1).unwrap();
+
+ get_slice_at_ptr(self.as_fdt_slice(), name.cast(), len).ok_or(FdtError::Internal)
+ }
+
+ /// Safe wrapper around `fdt_getprop_namelen()` (C function).
+ fn getprop_namelen(&self, node: c_int, name: &[u8]) -> Result<Option<&[u8]>> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ let namelen = name.len().try_into().map_err(|_| FdtError::BadPath)?;
+ let name = name.as_ptr().cast();
+ let mut len = 0;
+ let prop =
+ // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor) and the
+ // function respects the passed number of characters.
+ unsafe { libfdt_bindgen::fdt_getprop_namelen(fdt, node, name, namelen, &mut len) };
+
+ if let Some(len) = fdt_err_or_option(len)? {
+ let len = usize::try_from(len).unwrap();
+ let bytes = get_slice_at_ptr(self.as_fdt_slice(), prop.cast(), len);
+
+ Ok(Some(bytes.ok_or(FdtError::Internal)?))
+ } else {
+ Ok(None)
+ }
+ }
+
+ /// Safe wrapper around `fdt_get_property_by_offset()` (C function).
+ fn get_property_by_offset(&self, offset: c_int) -> Result<&libfdt_bindgen::fdt_property> {
+ let mut len = 0;
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
+ let prop = unsafe { libfdt_bindgen::fdt_get_property_by_offset(fdt, offset, &mut len) };
+
+ let data_len = fdt_err(len)?.try_into().unwrap();
+ // TODO(stable_feature(offset_of)): mem::offset_of!(fdt_property, data).
+ let data_offset = memoffset::offset_of!(libfdt_bindgen::fdt_property, data);
+ let len = data_offset.checked_add(data_len).ok_or(FdtError::Internal)?;
+
+ if !is_aligned(prop) || get_slice_at_ptr(self.as_fdt_slice(), prop.cast(), len).is_none() {
+ return Err(FdtError::Internal);
+ }
+
+ // SAFETY: The pointer is properly aligned, struct is fully contained in the DT slice.
+ let prop = unsafe { &*prop };
+
+ if data_len != u32::from_be(prop.len).try_into().unwrap() {
+ return Err(FdtError::BadLayout);
+ }
+
+ Ok(prop)
+ }
+
+ /// Safe wrapper around `fdt_first_property_offset()` (C function).
+ fn first_property_offset(&self, node: c_int) -> Result<Option<c_int>> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
+ let ret = unsafe { libfdt_bindgen::fdt_first_property_offset(fdt, node) };
+
+ fdt_err_or_option(ret)
+ }
+
+ /// Safe wrapper around `fdt_next_property_offset()` (C function).
+ fn next_property_offset(&self, prev: c_int) -> Result<Option<c_int>> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
+ let ret = unsafe { libfdt_bindgen::fdt_next_property_offset(fdt, prev) };
+
+ fdt_err_or_option(ret)
+ }
+
+ /// Safe wrapper around `fdt_find_max_phandle()` (C function).
+ fn find_max_phandle(&self) -> Result<Phandle> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ let mut phandle = 0;
+ // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
+ let ret = unsafe { libfdt_bindgen::fdt_find_max_phandle(fdt, &mut phandle) };
+
+ fdt_err_expect_zero(ret)?;
+
+ phandle.try_into()
+ }
+
+ /// Safe wrapper around `fdt_string()` (C function).
+ fn string(&self, offset: c_int) -> Result<&CStr> {
+ let fdt = self.as_fdt_slice().as_ptr().cast();
+ // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
+ let ptr = unsafe { libfdt_bindgen::fdt_string(fdt, offset) };
+ let bytes =
+ get_slice_from_ptr(self.as_fdt_slice(), ptr.cast()).ok_or(FdtError::Internal)?;
+
+ CStr::from_bytes_until_nul(bytes).map_err(|_| FdtError::Internal)
+ }
+}
+
+/// Wrapper for the read-write libfdt.h functions.
+///
+/// # Safety
+///
+/// Implementors must ensure that at any point where a method of this trait is called, the
+/// underlying type returns the bytes of a valid device tree (as validated by `check_full`)
+/// through its `.as_fdt_slice_mut` method.
+///
+/// Some methods may make previously returned values such as node or string offsets or phandles
+/// invalid by modifying the device tree (e.g. by inserting or removing new nodes or properties).
+/// As most methods take or return such values, instead of marking them all as unsafe, this trait
+/// is marked as unsafe as implementors must ensure that methods that modify the validity of those
+/// values are never called while the values are still in use.
+pub(crate) unsafe trait LibfdtMut {
+ /// Provides a mutable pointer to a buffer containing the device tree.
+ ///
+ /// The implementation must ensure that the size of the returned slice is at least
+ /// `fdt_header::totalsize`, to allow for device tree growth.
+ fn as_fdt_slice_mut(&mut self) -> &mut [u8];
+
+ /// Safe wrapper around `fdt_nop_node()` (C function).
+ fn nop_node(&mut self, node: c_int) -> Result<()> {
+ let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
+ let ret = unsafe { libfdt_bindgen::fdt_nop_node(fdt, node) };
+
+ fdt_err_expect_zero(ret)
+ }
+
+ /// Safe wrapper around `fdt_add_subnode_namelen()` (C function).
+ fn add_subnode_namelen(&mut self, node: c_int, name: &[u8]) -> Result<c_int> {
+ let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let namelen = name.len().try_into().unwrap();
+ let name = name.as_ptr().cast();
+ // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
+ let ret = unsafe { libfdt_bindgen::fdt_add_subnode_namelen(fdt, node, name, namelen) };
+
+ fdt_err(ret)
+ }
+
+ /// Safe wrapper around `fdt_setprop()` (C function).
+ fn setprop(&mut self, node: c_int, name: &CStr, value: &[u8]) -> Result<()> {
+ let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let name = name.as_ptr();
+ let len = value.len().try_into().map_err(|_| FdtError::BadValue)?;
+ let value = value.as_ptr().cast();
+ // SAFETY: New value size is constrained to the DT totalsize
+ // (validated by underlying libfdt).
+ let ret = unsafe { libfdt_bindgen::fdt_setprop(fdt, node, name, value, len) };
+
+ fdt_err_expect_zero(ret)
+ }
+
+ /// Safe wrapper around `fdt_setprop_placeholder()` (C function).
+ fn setprop_placeholder(&mut self, node: c_int, name: &CStr, size: usize) -> Result<&mut [u8]> {
+ let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let name = name.as_ptr();
+ let len = size.try_into().unwrap();
+ let mut data = ptr::null_mut();
+ let ret =
+ // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
+ unsafe { libfdt_bindgen::fdt_setprop_placeholder(fdt, node, name, len, &mut data) };
+
+ fdt_err_expect_zero(ret)?;
+
+ get_mut_slice_at_ptr(self.as_fdt_slice_mut(), data.cast(), size).ok_or(FdtError::Internal)
+ }
+
+ /// Safe wrapper around `fdt_setprop_inplace()` (C function).
+ fn setprop_inplace(&mut self, node: c_int, name: &CStr, value: &[u8]) -> Result<()> {
+ let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let name = name.as_ptr();
+ let len = value.len().try_into().map_err(|_| FdtError::BadValue)?;
+ let value = value.as_ptr().cast();
+ // SAFETY: New value size is constrained to the DT totalsize
+ // (validated by underlying libfdt).
+ let ret = unsafe { libfdt_bindgen::fdt_setprop_inplace(fdt, node, name, value, len) };
+
+ fdt_err_expect_zero(ret)
+ }
+
+ /// Safe wrapper around `fdt_appendprop()` (C function).
+ fn appendprop(&mut self, node: c_int, name: &CStr, value: &[u8]) -> Result<()> {
+ let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let name = name.as_ptr();
+ let len = value.len().try_into().map_err(|_| FdtError::BadValue)?;
+ let value = value.as_ptr().cast();
+ // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
+ let ret = unsafe { libfdt_bindgen::fdt_appendprop(fdt, node, name, value, len) };
+
+ fdt_err_expect_zero(ret)
+ }
+
+ /// Safe wrapper around `fdt_appendprop_addrrange()` (C function).
+ fn appendprop_addrrange(
+ &mut self,
+ parent: c_int,
+ node: c_int,
+ name: &CStr,
+ addr: u64,
+ size: u64,
+ ) -> Result<()> {
+ let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let name = name.as_ptr();
+ // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
+ let ret = unsafe {
+ libfdt_bindgen::fdt_appendprop_addrrange(fdt, parent, node, name, addr, size)
+ };
+
+ fdt_err_expect_zero(ret)
+ }
+
+ /// Safe wrapper around `fdt_delprop()` (C function).
+ fn delprop(&mut self, node: c_int, name: &CStr) -> Result<()> {
+ let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let name = name.as_ptr();
+ // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor) when the
+ // library locates the node's property. Removing the property may shift the offsets of
+ // other nodes and properties but the borrow checker should prevent this function from
+ // being called when FdtNode instances are in use.
+ let ret = unsafe { libfdt_bindgen::fdt_delprop(fdt, node, name) };
+
+ fdt_err_expect_zero(ret)
+ }
+
+ /// Safe wrapper around `fdt_nop_property()` (C function).
+ fn nop_property(&mut self, node: c_int, name: &CStr) -> Result<()> {
+ let fdt = self.as_fdt_slice_mut().as_mut_ptr().cast();
+ let name = name.as_ptr();
+ // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor) when the
+ // library locates the node's property.
+ let ret = unsafe { libfdt_bindgen::fdt_nop_property(fdt, node, name) };
+
+ fdt_err_expect_zero(ret)
+ }
+}
+
+pub(crate) fn get_slice_at_ptr(s: &[u8], p: *const u8, len: usize) -> Option<&[u8]> {
+ let offset = get_slice_ptr_offset(s, p)?;
+
+ s.get(offset..offset.checked_add(len)?)
+}
+
+fn get_mut_slice_at_ptr(s: &mut [u8], p: *mut u8, len: usize) -> Option<&mut [u8]> {
+ let offset = get_slice_ptr_offset(s, p)?;
+
+ s.get_mut(offset..offset.checked_add(len)?)
+}
+
+fn get_slice_from_ptr(s: &[u8], p: *const u8) -> Option<&[u8]> {
+ s.get(get_slice_ptr_offset(s, p)?..)
+}
+
+fn get_slice_ptr_offset(s: &[u8], p: *const u8) -> Option<usize> {
+ s.as_ptr_range().contains(&p).then(|| {
+ // SAFETY: Both pointers are in bounds, derive from the same object, and size_of::<T>()=1.
+ (unsafe { p.offset_from(s.as_ptr()) }) as usize
+ // TODO(stable_feature(ptr_sub_ptr)): p.sub_ptr()
+ })
+}
+
+// TODO(stable_feature(pointer_is_aligned)): p.is_aligned()
+fn is_aligned<T>(p: *const T) -> bool {
+ (p as usize) % mem::align_of::<T>() == 0
+}
diff --git a/libs/libfdt/src/result.rs b/libs/libfdt/src/result.rs
new file mode 100644
index 0000000..9643e1e
--- /dev/null
+++ b/libs/libfdt/src/result.rs
@@ -0,0 +1,139 @@
+// Copyright 2024, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Rust types related to the libfdt C integer results.
+
+use core::ffi::c_int;
+use core::fmt;
+use core::result;
+
+/// Error type corresponding to libfdt error codes.
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+pub enum FdtError {
+ /// FDT_ERR_NOTFOUND
+ NotFound,
+ /// FDT_ERR_EXISTS
+ Exists,
+ /// FDT_ERR_NOSPACE
+ NoSpace,
+ /// FDT_ERR_BADOFFSET
+ BadOffset,
+ /// FDT_ERR_BADPATH
+ BadPath,
+ /// FDT_ERR_BADPHANDLE
+ BadPhandle,
+ /// FDT_ERR_BADSTATE
+ BadState,
+ /// FDT_ERR_TRUNCATED
+ Truncated,
+ /// FDT_ERR_BADMAGIC
+ BadMagic,
+ /// FDT_ERR_BADVERSION
+ BadVersion,
+ /// FDT_ERR_BADSTRUCTURE
+ BadStructure,
+ /// FDT_ERR_BADLAYOUT
+ BadLayout,
+ /// FDT_ERR_INTERNAL
+ Internal,
+ /// FDT_ERR_BADNCELLS
+ BadNCells,
+ /// FDT_ERR_BADVALUE
+ BadValue,
+ /// FDT_ERR_BADOVERLAY
+ BadOverlay,
+ /// FDT_ERR_NOPHANDLES
+ NoPhandles,
+ /// FDT_ERR_BADFLAGS
+ BadFlags,
+ /// FDT_ERR_ALIGNMENT
+ Alignment,
+ /// Unexpected error code
+ Unknown(i32),
+}
+
+impl fmt::Display for FdtError {
+ /// Prints error messages from libfdt.h documentation.
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ match self {
+ Self::NotFound => write!(f, "The requested node or property does not exist"),
+ Self::Exists => write!(f, "Attempted to create an existing node or property"),
+ Self::NoSpace => write!(f, "Insufficient buffer space to contain the expanded tree"),
+ Self::BadOffset => write!(f, "Structure block offset is out-of-bounds or invalid"),
+ Self::BadPath => write!(f, "Badly formatted path"),
+ Self::BadPhandle => write!(f, "Invalid phandle length or value"),
+ Self::BadState => write!(f, "Received incomplete device tree"),
+ Self::Truncated => write!(f, "Device tree or sub-block is improperly terminated"),
+ Self::BadMagic => write!(f, "Device tree header missing its magic number"),
+ Self::BadVersion => write!(f, "Device tree has a version which can't be handled"),
+ Self::BadStructure => write!(f, "Device tree has a corrupt structure block"),
+ Self::BadLayout => write!(f, "Device tree sub-blocks in unsupported order"),
+ Self::Internal => write!(f, "libfdt has failed an internal assertion"),
+ Self::BadNCells => write!(f, "Bad format or value of #address-cells or #size-cells"),
+ Self::BadValue => write!(f, "Unexpected property value"),
+ Self::BadOverlay => write!(f, "Overlay cannot be applied"),
+ Self::NoPhandles => write!(f, "Device tree doesn't have any phandle available anymore"),
+ Self::BadFlags => write!(f, "Invalid flag or invalid combination of flags"),
+ Self::Alignment => write!(f, "Device tree base address is not 8-byte aligned"),
+ Self::Unknown(e) => write!(f, "Unknown libfdt error '{e}'"),
+ }
+ }
+}
+
+/// Result type with FdtError enum.
+pub type Result<T> = result::Result<T, FdtError>;
+
+pub(crate) fn fdt_err(val: c_int) -> Result<c_int> {
+ if val >= 0 {
+ Ok(val)
+ } else {
+ Err(match -val as _ {
+ libfdt_bindgen::FDT_ERR_NOTFOUND => FdtError::NotFound,
+ libfdt_bindgen::FDT_ERR_EXISTS => FdtError::Exists,
+ libfdt_bindgen::FDT_ERR_NOSPACE => FdtError::NoSpace,
+ libfdt_bindgen::FDT_ERR_BADOFFSET => FdtError::BadOffset,
+ libfdt_bindgen::FDT_ERR_BADPATH => FdtError::BadPath,
+ libfdt_bindgen::FDT_ERR_BADPHANDLE => FdtError::BadPhandle,
+ libfdt_bindgen::FDT_ERR_BADSTATE => FdtError::BadState,
+ libfdt_bindgen::FDT_ERR_TRUNCATED => FdtError::Truncated,
+ libfdt_bindgen::FDT_ERR_BADMAGIC => FdtError::BadMagic,
+ libfdt_bindgen::FDT_ERR_BADVERSION => FdtError::BadVersion,
+ libfdt_bindgen::FDT_ERR_BADSTRUCTURE => FdtError::BadStructure,
+ libfdt_bindgen::FDT_ERR_BADLAYOUT => FdtError::BadLayout,
+ libfdt_bindgen::FDT_ERR_INTERNAL => FdtError::Internal,
+ libfdt_bindgen::FDT_ERR_BADNCELLS => FdtError::BadNCells,
+ libfdt_bindgen::FDT_ERR_BADVALUE => FdtError::BadValue,
+ libfdt_bindgen::FDT_ERR_BADOVERLAY => FdtError::BadOverlay,
+ libfdt_bindgen::FDT_ERR_NOPHANDLES => FdtError::NoPhandles,
+ libfdt_bindgen::FDT_ERR_BADFLAGS => FdtError::BadFlags,
+ libfdt_bindgen::FDT_ERR_ALIGNMENT => FdtError::Alignment,
+ _ => FdtError::Unknown(val),
+ })
+ }
+}
+
+pub(crate) fn fdt_err_expect_zero(val: c_int) -> Result<()> {
+ match fdt_err(val)? {
+ 0 => Ok(()),
+ _ => Err(FdtError::Unknown(val)),
+ }
+}
+
+pub(crate) fn fdt_err_or_option(val: c_int) -> Result<Option<c_int>> {
+ match fdt_err(val) {
+ Ok(val) => Ok(Some(val)),
+ Err(FdtError::NotFound) => Ok(None),
+ Err(e) => Err(e),
+ }
+}
diff --git a/microdroid/kdump/Android.bp b/microdroid/kdump/Android.bp
index b9a18fe..6c85c43 100644
--- a/microdroid/kdump/Android.bp
+++ b/microdroid/kdump/Android.bp
@@ -4,6 +4,7 @@
cc_binary {
name: "microdroid_kexec",
+ defaults: ["avf_build_flags_cc"],
stem: "kexec_load",
srcs: ["kexec.c"],
installable: false,
@@ -13,6 +14,7 @@
cc_binary {
name: "microdroid_crashdump",
+ defaults: ["avf_build_flags_cc"],
stem: "crashdump",
srcs: ["crashdump.c"],
static_executable: true,
diff --git a/microdroid/payload/Android.bp b/microdroid/payload/Android.bp
index 4814a64..06764a5 100644
--- a/microdroid/payload/Android.bp
+++ b/microdroid/payload/Android.bp
@@ -4,6 +4,7 @@
cc_defaults {
name: "microdroid_metadata_default",
+ defaults: ["avf_build_flags_cc"],
host_supported: true,
srcs: [
"metadata.proto",
diff --git a/pvmfw/Android.bp b/pvmfw/Android.bp
index b7b17e4..9a2b3ef 100644
--- a/pvmfw/Android.bp
+++ b/pvmfw/Android.bp
@@ -294,6 +294,7 @@
// numbers defined in the ARM DT binding headers
cc_object {
name: "pvmfw_platform.dts.preprocessed",
+ defaults: ["avf_build_flags_cc"],
header_libs: ["arm_dt_bindings_headers"],
host_supported: true,
srcs: [":pvmfw_platform.dts.renamed"],
diff --git a/pvmfw/avb/Android.bp b/pvmfw/avb/Android.bp
index 6df1c4d..6101a0c 100644
--- a/pvmfw/avb/Android.bp
+++ b/pvmfw/avb/Android.bp
@@ -9,7 +9,6 @@
srcs: ["src/lib.rs"],
prefer_rlib: true,
rustlibs: [
- "libavb_bindgen_nostd",
"libavb_rs_nostd",
"libtinyvec_nostd",
],
diff --git a/pvmfw/avb/src/descriptor.rs b/pvmfw/avb/src/descriptor.rs
deleted file mode 100644
index a3db0e5..0000000
--- a/pvmfw/avb/src/descriptor.rs
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright 2023, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Structs and functions relating to the descriptors.
-
-mod collection;
-mod common;
-mod hash;
-mod property;
-
-pub(crate) use collection::Descriptors;
-pub use hash::Digest;
diff --git a/pvmfw/avb/src/descriptor/collection.rs b/pvmfw/avb/src/descriptor/collection.rs
deleted file mode 100644
index 6784758..0000000
--- a/pvmfw/avb/src/descriptor/collection.rs
+++ /dev/null
@@ -1,190 +0,0 @@
-// Copyright 2023, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Structs and functions relating to the descriptor collection.
-
-use super::common::get_valid_descriptor;
-use super::hash::HashDescriptor;
-use super::property::PropertyDescriptor;
-use crate::partition::PartitionName;
-use crate::utils::{to_usize, usize_checked_add};
-use crate::PvmfwVerifyError;
-use avb::{IoError, IoResult, SlotVerifyError, SlotVerifyNoDataResult, VbmetaData};
-use avb_bindgen::{
- avb_descriptor_foreach, avb_descriptor_validate_and_byteswap, AvbDescriptor, AvbDescriptorTag,
-};
-use core::{ffi::c_void, mem::size_of, slice};
-use tinyvec::ArrayVec;
-
-/// `Descriptors` can have at most one `HashDescriptor` per known partition and at most one
-/// `PropertyDescriptor`.
-#[derive(Default)]
-pub(crate) struct Descriptors<'a> {
- hash_descriptors: ArrayVec<[HashDescriptor<'a>; PartitionName::NUM_OF_KNOWN_PARTITIONS]>,
- prop_descriptor: Option<PropertyDescriptor<'a>>,
-}
-
-impl<'a> Descriptors<'a> {
- /// Builds `Descriptors` from `VbmetaData`.
- /// Returns an error if the given `VbmetaData` contains non-hash descriptor, hash
- /// descriptor of unknown `PartitionName` or duplicated hash descriptors.
- pub(crate) fn from_vbmeta(vbmeta: &'a VbmetaData) -> Result<Self, PvmfwVerifyError> {
- let mut res: IoResult<Self> = Ok(Self::default());
- // SAFETY: It is safe as `vbmeta.data()` contains a valid VBMeta structure.
- let output = unsafe {
- avb_descriptor_foreach(
- vbmeta.data().as_ptr(),
- vbmeta.data().len(),
- Some(check_and_save_descriptor),
- &mut res as *mut _ as *mut c_void,
- )
- };
- if output == res.is_ok() {
- res.map_err(PvmfwVerifyError::InvalidDescriptors)
- } else {
- Err(SlotVerifyError::InvalidMetadata.into())
- }
- }
-
- pub(crate) fn num_hash_descriptor(&self) -> usize {
- self.hash_descriptors.len()
- }
-
- /// Finds the `HashDescriptor` for the given `PartitionName`.
- /// Throws an error if no corresponding descriptor found.
- pub(crate) fn find_hash_descriptor(
- &self,
- partition_name: PartitionName,
- ) -> SlotVerifyNoDataResult<&HashDescriptor> {
- self.hash_descriptors
- .iter()
- .find(|d| d.partition_name == partition_name)
- .ok_or(SlotVerifyError::InvalidMetadata)
- }
-
- pub(crate) fn has_property_descriptor(&self) -> bool {
- self.prop_descriptor.is_some()
- }
-
- pub(crate) fn find_property_value(&self, key: &[u8]) -> Option<&[u8]> {
- self.prop_descriptor.as_ref().filter(|desc| desc.key == key).map(|desc| desc.value)
- }
-
- fn push(&mut self, descriptor: Descriptor<'a>) -> IoResult<()> {
- match descriptor {
- Descriptor::Hash(d) => self.push_hash_descriptor(d),
- Descriptor::Property(d) => self.push_property_descriptor(d),
- }
- }
-
- fn push_hash_descriptor(&mut self, descriptor: HashDescriptor<'a>) -> IoResult<()> {
- if self.hash_descriptors.iter().any(|d| d.partition_name == descriptor.partition_name) {
- return Err(IoError::Io);
- }
- self.hash_descriptors.push(descriptor);
- Ok(())
- }
-
- fn push_property_descriptor(&mut self, descriptor: PropertyDescriptor<'a>) -> IoResult<()> {
- if self.prop_descriptor.is_some() {
- return Err(IoError::Io);
- }
- self.prop_descriptor.replace(descriptor);
- Ok(())
- }
-}
-
-/// # Safety
-///
-/// Behavior is undefined if any of the following conditions are violated:
-/// * The `descriptor` pointer must be non-null and points to a valid `AvbDescriptor` struct.
-/// * The `user_data` pointer must be non-null, points to a valid `IoResult<Descriptors>`
-/// struct and is initialized.
-unsafe extern "C" fn check_and_save_descriptor(
- descriptor: *const AvbDescriptor,
- user_data: *mut c_void,
-) -> bool {
- // SAFETY: It is safe because the caller ensures that `user_data` points to a valid struct and
- // is initialized.
- let Some(res) = (unsafe { (user_data as *mut IoResult<Descriptors>).as_mut() }) else {
- return false;
- };
- let Ok(descriptors) = res else {
- return false;
- };
- // SAFETY: It is safe because the caller ensures that the `descriptor` pointer is non-null
- // and valid.
- unsafe { try_check_and_save_descriptor(descriptor, descriptors) }.map_or_else(
- |e| {
- *res = Err(e);
- false
- },
- |_| true,
- )
-}
-
-/// # Safety
-///
-/// Behavior is undefined if any of the following conditions are violated:
-/// * The `descriptor` pointer must be non-null and points to a valid `AvbDescriptor` struct.
-unsafe fn try_check_and_save_descriptor(
- descriptor: *const AvbDescriptor,
- descriptors: &mut Descriptors,
-) -> IoResult<()> {
- // SAFETY: It is safe because the caller ensures that `descriptor` is a non-null pointer
- // pointing to a valid struct.
- let descriptor = unsafe { Descriptor::from_descriptor_ptr(descriptor)? };
- descriptors.push(descriptor)
-}
-
-enum Descriptor<'a> {
- Hash(HashDescriptor<'a>),
- Property(PropertyDescriptor<'a>),
-}
-
-impl<'a> Descriptor<'a> {
- /// # Safety
- ///
- /// Behavior is undefined if any of the following conditions are violated:
- /// * The `descriptor` pointer must be non-null and point to a valid `AvbDescriptor`.
- unsafe fn from_descriptor_ptr(descriptor: *const AvbDescriptor) -> IoResult<Self> {
- let avb_descriptor =
- // SAFETY: It is safe as the raw pointer `descriptor` is non-null and points to
- // a valid `AvbDescriptor`.
- unsafe { get_valid_descriptor(descriptor, avb_descriptor_validate_and_byteswap)? };
- let len = usize_checked_add(
- size_of::<AvbDescriptor>(),
- to_usize(avb_descriptor.num_bytes_following)?,
- )?;
- // SAFETY: It is safe because the caller ensures that `descriptor` is a non-null pointer
- // pointing to a valid struct.
- let data = unsafe { slice::from_raw_parts(descriptor as *const u8, len) };
- match avb_descriptor.tag.try_into() {
- Ok(AvbDescriptorTag::AVB_DESCRIPTOR_TAG_HASH) => {
- // SAFETY: It is safe because the caller ensures that `descriptor` is a non-null
- // pointer pointing to a valid struct.
- let descriptor = unsafe { HashDescriptor::from_descriptor_ptr(descriptor, data)? };
- Ok(Self::Hash(descriptor))
- }
- Ok(AvbDescriptorTag::AVB_DESCRIPTOR_TAG_PROPERTY) => {
- let descriptor =
- // SAFETY: It is safe because the caller ensures that `descriptor` is a non-null
- // pointer pointing to a valid struct.
- unsafe { PropertyDescriptor::from_descriptor_ptr(descriptor, data)? };
- Ok(Self::Property(descriptor))
- }
- _ => Err(IoError::NoSuchValue),
- }
- }
-}
diff --git a/pvmfw/avb/src/descriptor/common.rs b/pvmfw/avb/src/descriptor/common.rs
deleted file mode 100644
index 6063a7c..0000000
--- a/pvmfw/avb/src/descriptor/common.rs
+++ /dev/null
@@ -1,40 +0,0 @@
-// Copyright 2023, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Structs and functions used by all the descriptors.
-
-use crate::utils::is_not_null;
-use avb::{IoError, IoResult};
-use core::mem::MaybeUninit;
-
-/// # Safety
-///
-/// Behavior is undefined if any of the following conditions are violated:
-/// * The `descriptor_ptr` pointer must be non-null and point to a valid `AvbDescriptor`.
-pub(super) unsafe fn get_valid_descriptor<T>(
- descriptor_ptr: *const T,
- descriptor_validate_and_byteswap: unsafe extern "C" fn(src: *const T, dest: *mut T) -> bool,
-) -> IoResult<T> {
- is_not_null(descriptor_ptr)?;
- // SAFETY: It is safe because the caller ensures that `descriptor_ptr` is a non-null pointer
- // pointing to a valid struct.
- let descriptor = unsafe {
- let mut desc = MaybeUninit::uninit();
- if !descriptor_validate_and_byteswap(descriptor_ptr, desc.as_mut_ptr()) {
- return Err(IoError::Io);
- }
- desc.assume_init()
- };
- Ok(descriptor)
-}
diff --git a/pvmfw/avb/src/descriptor/hash.rs b/pvmfw/avb/src/descriptor/hash.rs
deleted file mode 100644
index 35db66d..0000000
--- a/pvmfw/avb/src/descriptor/hash.rs
+++ /dev/null
@@ -1,101 +0,0 @@
-// Copyright 2023, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Structs and functions relating to the hash descriptor.
-
-use super::common::get_valid_descriptor;
-use crate::partition::PartitionName;
-use crate::utils::{to_usize, usize_checked_add};
-use avb::{IoError, IoResult};
-use avb_bindgen::{
- avb_hash_descriptor_validate_and_byteswap, AvbDescriptor, AvbHashDescriptor,
- AVB_SHA256_DIGEST_SIZE,
-};
-use core::{mem::size_of, ops::Range};
-
-/// Digest type for kernel and initrd.
-pub type Digest = [u8; AVB_SHA256_DIGEST_SIZE as usize];
-
-pub(crate) struct HashDescriptor<'a> {
- pub(crate) partition_name: PartitionName,
- pub(crate) digest: &'a Digest,
-}
-
-impl<'a> Default for HashDescriptor<'a> {
- fn default() -> Self {
- Self { partition_name: Default::default(), digest: &Self::EMPTY_DIGEST }
- }
-}
-
-impl<'a> HashDescriptor<'a> {
- const EMPTY_DIGEST: Digest = [0u8; AVB_SHA256_DIGEST_SIZE as usize];
-
- /// # Safety
- ///
- /// Behavior is undefined if any of the following conditions are violated:
- /// * The `descriptor` pointer must be non-null and point to a valid `AvbDescriptor`.
- pub(super) unsafe fn from_descriptor_ptr(
- descriptor: *const AvbDescriptor,
- data: &'a [u8],
- ) -> IoResult<Self> {
- // SAFETY: It is safe as the raw pointer `descriptor` is non-null and points to
- // a valid `AvbDescriptor`.
- let h = unsafe { HashDescriptorHeader::from_descriptor_ptr(descriptor)? };
- let partition_name = data
- .get(h.partition_name_range()?)
- .ok_or(IoError::RangeOutsidePartition)?
- .try_into()?;
- let digest = data
- .get(h.digest_range()?)
- .ok_or(IoError::RangeOutsidePartition)?
- .try_into()
- .map_err(|_| IoError::InvalidValueSize)?;
- Ok(Self { partition_name, digest })
- }
-}
-
-struct HashDescriptorHeader(AvbHashDescriptor);
-
-impl HashDescriptorHeader {
- /// # Safety
- ///
- /// Behavior is undefined if any of the following conditions are violated:
- /// * The `descriptor` pointer must be non-null and point to a valid `AvbDescriptor`.
- unsafe fn from_descriptor_ptr(descriptor: *const AvbDescriptor) -> IoResult<Self> {
- // SAFETY: It is safe as the raw pointer `descriptor` is non-null and points to
- // a valid `AvbDescriptor`.
- unsafe {
- get_valid_descriptor(
- descriptor as *const AvbHashDescriptor,
- avb_hash_descriptor_validate_and_byteswap,
- )
- .map(Self)
- }
- }
-
- fn partition_name_end(&self) -> IoResult<usize> {
- usize_checked_add(size_of::<AvbHashDescriptor>(), to_usize(self.0.partition_name_len)?)
- }
-
- fn partition_name_range(&self) -> IoResult<Range<usize>> {
- let start = size_of::<AvbHashDescriptor>();
- Ok(start..(self.partition_name_end()?))
- }
-
- fn digest_range(&self) -> IoResult<Range<usize>> {
- let start = usize_checked_add(self.partition_name_end()?, to_usize(self.0.salt_len)?)?;
- let end = usize_checked_add(start, to_usize(self.0.digest_len)?)?;
- Ok(start..end)
- }
-}
diff --git a/pvmfw/avb/src/descriptor/property.rs b/pvmfw/avb/src/descriptor/property.rs
deleted file mode 100644
index 8145d64..0000000
--- a/pvmfw/avb/src/descriptor/property.rs
+++ /dev/null
@@ -1,92 +0,0 @@
-// Copyright 2023, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Structs and functions relating to the property descriptor.
-
-use super::common::get_valid_descriptor;
-use crate::utils::{to_usize, usize_checked_add};
-use avb::{IoError, IoResult};
-use avb_bindgen::{
- avb_property_descriptor_validate_and_byteswap, AvbDescriptor, AvbPropertyDescriptor,
-};
-use core::mem::size_of;
-
-pub(super) struct PropertyDescriptor<'a> {
- pub(super) key: &'a [u8],
- pub(super) value: &'a [u8],
-}
-
-impl<'a> PropertyDescriptor<'a> {
- /// # Safety
- ///
- /// Behavior is undefined if any of the following conditions are violated:
- /// * The `descriptor` pointer must be non-null and point to a valid `AvbDescriptor`.
- pub(super) unsafe fn from_descriptor_ptr(
- descriptor: *const AvbDescriptor,
- data: &'a [u8],
- ) -> IoResult<Self> {
- // SAFETY: It is safe as the raw pointer `descriptor` is non-null and points to
- // a valid `AvbDescriptor`.
- let h = unsafe { PropertyDescriptorHeader::from_descriptor_ptr(descriptor)? };
- let key = Self::get_valid_slice(data, h.key_start(), h.key_end()?)?;
- let value = Self::get_valid_slice(data, h.value_start()?, h.value_end()?)?;
- Ok(Self { key, value })
- }
-
- fn get_valid_slice(data: &[u8], start: usize, end: usize) -> IoResult<&[u8]> {
- const NUL_BYTE: u8 = b'\0';
-
- match data.get(end) {
- Some(&NUL_BYTE) => data.get(start..end).ok_or(IoError::RangeOutsidePartition),
- _ => Err(IoError::NoSuchValue),
- }
- }
-}
-
-struct PropertyDescriptorHeader(AvbPropertyDescriptor);
-
-impl PropertyDescriptorHeader {
- /// # Safety
- ///
- /// Behavior is undefined if any of the following conditions are violated:
- /// * The `descriptor` pointer must be non-null and point to a valid `AvbDescriptor`.
- unsafe fn from_descriptor_ptr(descriptor: *const AvbDescriptor) -> IoResult<Self> {
- // SAFETY: It is safe as the raw pointer `descriptor` is non-null and points to
- // a valid `AvbDescriptor`.
- unsafe {
- get_valid_descriptor(
- descriptor as *const AvbPropertyDescriptor,
- avb_property_descriptor_validate_and_byteswap,
- )
- .map(Self)
- }
- }
-
- fn key_start(&self) -> usize {
- size_of::<AvbPropertyDescriptor>()
- }
-
- fn key_end(&self) -> IoResult<usize> {
- usize_checked_add(self.key_start(), to_usize(self.0.key_num_bytes)?)
- }
-
- fn value_start(&self) -> IoResult<usize> {
- // There is a NUL byte between key and value.
- usize_checked_add(self.key_end()?, 1)
- }
-
- fn value_end(&self) -> IoResult<usize> {
- usize_checked_add(self.value_start()?, to_usize(self.0.value_num_bytes)?)
- }
-}
diff --git a/pvmfw/avb/src/error.rs b/pvmfw/avb/src/error.rs
index 4e3f27e..2e1950a 100644
--- a/pvmfw/avb/src/error.rs
+++ b/pvmfw/avb/src/error.rs
@@ -15,7 +15,7 @@
//! This module contains the error thrown by the payload verification API
//! and other errors used in the library.
-use avb::{IoError, SlotVerifyError};
+use avb::{DescriptorError, SlotVerifyError};
use core::fmt;
/// Wrapper around `SlotVerifyError` to add custom pvmfw errors.
@@ -25,7 +25,7 @@
/// Passthrough `SlotVerifyError` with no `SlotVerifyData`.
AvbError(SlotVerifyError<'static>),
/// VBMeta has invalid descriptors.
- InvalidDescriptors(IoError),
+ InvalidDescriptors(DescriptorError),
/// Unknown vbmeta property.
UnknownVbmetaProperty,
}
@@ -37,6 +37,12 @@
}
}
+impl From<DescriptorError> for PvmfwVerifyError {
+ fn from(error: DescriptorError) -> Self {
+ Self::InvalidDescriptors(error)
+ }
+}
+
impl fmt::Display for PvmfwVerifyError {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
match self {
diff --git a/pvmfw/avb/src/lib.rs b/pvmfw/avb/src/lib.rs
index 9c3fe11..fd68652 100644
--- a/pvmfw/avb/src/lib.rs
+++ b/pvmfw/avb/src/lib.rs
@@ -18,13 +18,10 @@
extern crate alloc;
-mod descriptor;
mod error;
mod ops;
mod partition;
-mod utils;
mod verify;
-pub use descriptor::Digest;
pub use error::PvmfwVerifyError;
-pub use verify::{verify_payload, Capability, DebugLevel, VerifiedBootData};
+pub use verify::{verify_payload, Capability, DebugLevel, Digest, VerifiedBootData};
diff --git a/pvmfw/avb/src/partition.rs b/pvmfw/avb/src/partition.rs
index c05a0ac..02a78c6 100644
--- a/pvmfw/avb/src/partition.rs
+++ b/pvmfw/avb/src/partition.rs
@@ -27,8 +27,6 @@
}
impl PartitionName {
- pub(crate) const NUM_OF_KNOWN_PARTITIONS: usize = 3;
-
const KERNEL_PARTITION_NAME: &'static [u8] = b"boot\0";
const INITRD_NORMAL_PARTITION_NAME: &'static [u8] = b"initrd_normal\0";
const INITRD_DEBUG_PARTITION_NAME: &'static [u8] = b"initrd_debug\0";
diff --git a/pvmfw/avb/src/utils.rs b/pvmfw/avb/src/utils.rs
deleted file mode 100644
index b4f099b..0000000
--- a/pvmfw/avb/src/utils.rs
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright 2023, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Common utility functions.
-
-use avb::{IoError, IoResult};
-
-pub(crate) fn is_not_null<T>(ptr: *const T) -> IoResult<()> {
- if ptr.is_null() {
- Err(IoError::NoSuchValue)
- } else {
- Ok(())
- }
-}
-
-pub(crate) fn to_usize<T: TryInto<usize>>(num: T) -> IoResult<usize> {
- num.try_into().map_err(|_| IoError::InvalidValueSize)
-}
-
-pub(crate) fn usize_checked_add(x: usize, y: usize) -> IoResult<usize> {
- x.checked_add(y).ok_or(IoError::InvalidValueSize)
-}
diff --git a/pvmfw/avb/src/verify.rs b/pvmfw/avb/src/verify.rs
index a85dbbb..2ebe9a1 100644
--- a/pvmfw/avb/src/verify.rs
+++ b/pvmfw/avb/src/verify.rs
@@ -14,17 +14,22 @@
//! This module handles the pvmfw payload verification.
-use crate::descriptor::{Descriptors, Digest};
use crate::ops::{Ops, Payload};
use crate::partition::PartitionName;
use crate::PvmfwVerifyError;
use alloc::vec;
use alloc::vec::Vec;
-use avb::{PartitionData, SlotVerifyError, SlotVerifyNoDataResult, VbmetaData};
+use avb::{
+ Descriptor, DescriptorError, DescriptorResult, HashDescriptor, PartitionData,
+ PropertyDescriptor, SlotVerifyError, SlotVerifyNoDataResult, VbmetaData,
+};
// We use this for the rollback_index field if SlotVerifyData has empty rollback_indexes
const DEFAULT_ROLLBACK_INDEX: u64 = 0;
+/// SHA256 digest type for kernel and initrd.
+pub type Digest = [u8; 32];
+
/// Verified data returned when the payload verification succeeds.
#[derive(Debug, PartialEq, Eq)]
pub struct VerifiedBootData<'a> {
@@ -68,15 +73,21 @@
}
impl Capability {
- const KEY: &'static [u8] = b"com.android.virt.cap";
+ const KEY: &'static str = "com.android.virt.cap";
const REMOTE_ATTEST: &'static [u8] = b"remote_attest";
const SECRETKEEPER_PROTECTION: &'static [u8] = b"secretkeeper_protection";
const SEPARATOR: u8 = b'|';
- fn get_capabilities(property_value: &[u8]) -> Result<Vec<Self>, PvmfwVerifyError> {
+ /// Returns the capabilities indicated in `descriptor`, or error if the descriptor has
+ /// unexpected contents.
+ fn get_capabilities(descriptor: &PropertyDescriptor) -> Result<Vec<Self>, PvmfwVerifyError> {
+ if descriptor.key != Self::KEY {
+ return Err(PvmfwVerifyError::UnknownVbmetaProperty);
+ }
+
let mut res = Vec::new();
- for v in property_value.split(|b| *b == Self::SEPARATOR) {
+ for v in descriptor.value.split(|b| *b == Self::SEPARATOR) {
let cap = match v {
Self::REMOTE_ATTEST => Self::RemoteAttest,
Self::SECRETKEEPER_PROTECTION => Self::SecretkeeperProtection,
@@ -106,16 +117,6 @@
}
}
-fn verify_vbmeta_has_only_one_hash_descriptor(
- descriptors: &Descriptors,
-) -> SlotVerifyNoDataResult<()> {
- if descriptors.num_hash_descriptor() == 1 {
- Ok(())
- } else {
- Err(SlotVerifyError::InvalidMetadata)
- }
-}
-
fn verify_loaded_partition_has_expected_length(
loaded_partitions: &[PartitionData],
partition_name: PartitionName,
@@ -142,15 +143,91 @@
/// Verifies that the vbmeta contains at most one property descriptor and it indicates the
/// vm type is service VM.
fn verify_property_and_get_capabilities(
- descriptors: &Descriptors,
+ descriptors: &[Descriptor],
) -> Result<Vec<Capability>, PvmfwVerifyError> {
- if !descriptors.has_property_descriptor() {
- return Ok(vec![]);
+ let mut iter = descriptors.iter().filter_map(|d| match d {
+ Descriptor::Property(p) => Some(p),
+ _ => None,
+ });
+
+ let descriptor = match iter.next() {
+ // No property descriptors -> no capabilities.
+ None => return Ok(vec![]),
+ Some(d) => d,
+ };
+
+ // Multiple property descriptors -> error.
+ if iter.next().is_some() {
+ return Err(DescriptorError::InvalidContents.into());
}
- descriptors
- .find_property_value(Capability::KEY)
- .ok_or(PvmfwVerifyError::UnknownVbmetaProperty)
- .and_then(Capability::get_capabilities)
+
+ Capability::get_capabilities(descriptor)
+}
+
+/// Hash descriptors extracted from a vbmeta image.
+///
+/// We always have a kernel hash descriptor and may have initrd normal or debug descriptors.
+struct HashDescriptors<'a> {
+ kernel: &'a HashDescriptor<'a>,
+ initrd_normal: Option<&'a HashDescriptor<'a>>,
+ initrd_debug: Option<&'a HashDescriptor<'a>>,
+}
+
+impl<'a> HashDescriptors<'a> {
+ /// Extracts the hash descriptors from all vbmeta descriptors. Any unexpected hash descriptor
+ /// is an error.
+ fn get(descriptors: &'a [Descriptor<'a>]) -> DescriptorResult<Self> {
+ let mut kernel = None;
+ let mut initrd_normal = None;
+ let mut initrd_debug = None;
+
+ for descriptor in descriptors.iter().filter_map(|d| match d {
+ Descriptor::Hash(h) => Some(h),
+ _ => None,
+ }) {
+ let target = match descriptor
+ .partition_name
+ .as_bytes()
+ .try_into()
+ .map_err(|_| DescriptorError::InvalidContents)?
+ {
+ PartitionName::Kernel => &mut kernel,
+ PartitionName::InitrdNormal => &mut initrd_normal,
+ PartitionName::InitrdDebug => &mut initrd_debug,
+ };
+
+ if target.is_some() {
+ // Duplicates of the same partition name is an error.
+ return Err(DescriptorError::InvalidContents);
+ }
+ target.replace(descriptor);
+ }
+
+ // Kernel is required, the others are optional.
+ Ok(Self {
+ kernel: kernel.ok_or(DescriptorError::InvalidContents)?,
+ initrd_normal,
+ initrd_debug,
+ })
+ }
+
+ /// Returns an error if either initrd descriptor exists.
+ fn verify_no_initrd(&self) -> Result<(), PvmfwVerifyError> {
+ match self.initrd_normal.or(self.initrd_debug) {
+ Some(_) => Err(SlotVerifyError::InvalidMetadata.into()),
+ None => Ok(()),
+ }
+ }
+}
+
+/// Returns a copy of the SHA256 digest in `descriptor`, or error if the sizes don't match.
+fn copy_digest(descriptor: &HashDescriptor) -> SlotVerifyNoDataResult<Digest> {
+ let mut digest = Digest::default();
+ if descriptor.digest.len() != digest.len() {
+ return Err(SlotVerifyError::InvalidMetadata);
+ }
+ digest.clone_from_slice(descriptor.digest);
+ Ok(digest)
}
/// Verifies the given initrd partition, and checks that the resulting contents looks like expected.
@@ -186,15 +263,15 @@
verify_only_one_vbmeta_exists(vbmeta_images)?;
let vbmeta_image = &vbmeta_images[0];
verify_vbmeta_is_from_kernel_partition(vbmeta_image)?;
- let descriptors = Descriptors::from_vbmeta(vbmeta_image)?;
+ let descriptors = vbmeta_image.descriptors()?;
+ let hash_descriptors = HashDescriptors::get(&descriptors)?;
let capabilities = verify_property_and_get_capabilities(&descriptors)?;
- let kernel_descriptor = descriptors.find_hash_descriptor(PartitionName::Kernel)?;
if initrd.is_none() {
- verify_vbmeta_has_only_one_hash_descriptor(&descriptors)?;
+ hash_descriptors.verify_no_initrd()?;
return Ok(VerifiedBootData {
debug_level: DebugLevel::None,
- kernel_digest: *kernel_descriptor.digest,
+ kernel_digest: copy_digest(hash_descriptors.kernel)?,
initrd_digest: None,
public_key: trusted_public_key,
capabilities,
@@ -204,19 +281,19 @@
let initrd = initrd.unwrap();
let mut initrd_ops = Ops::new(&payload);
- let (debug_level, initrd_partition_name) =
+ let (debug_level, initrd_descriptor) =
if verify_initrd(&mut initrd_ops, PartitionName::InitrdNormal, initrd).is_ok() {
- (DebugLevel::None, PartitionName::InitrdNormal)
+ (DebugLevel::None, hash_descriptors.initrd_normal)
} else if verify_initrd(&mut initrd_ops, PartitionName::InitrdDebug, initrd).is_ok() {
- (DebugLevel::Full, PartitionName::InitrdDebug)
+ (DebugLevel::Full, hash_descriptors.initrd_debug)
} else {
return Err(SlotVerifyError::Verification(None).into());
};
- let initrd_descriptor = descriptors.find_hash_descriptor(initrd_partition_name)?;
+ let initrd_descriptor = initrd_descriptor.ok_or(DescriptorError::InvalidContents)?;
Ok(VerifiedBootData {
debug_level,
- kernel_digest: *kernel_descriptor.digest,
- initrd_digest: Some(*initrd_descriptor.digest),
+ kernel_digest: copy_digest(hash_descriptors.kernel)?,
+ initrd_digest: Some(copy_digest(initrd_descriptor)?),
public_key: trusted_public_key,
capabilities,
rollback_index,
diff --git a/pvmfw/avb/tests/api_test.rs b/pvmfw/avb/tests/api_test.rs
index 6dc5a0a..c6f26ac 100644
--- a/pvmfw/avb/tests/api_test.rs
+++ b/pvmfw/avb/tests/api_test.rs
@@ -17,7 +17,7 @@
mod utils;
use anyhow::{anyhow, Result};
-use avb::{IoError, SlotVerifyError};
+use avb::{DescriptorError, SlotVerifyError};
use avb_bindgen::{AvbFooter, AvbVBMetaImageHeader};
use pvmfw_avb::{verify_payload, Capability, DebugLevel, PvmfwVerifyError, VerifiedBootData};
use std::{fs, mem::size_of, ptr};
@@ -88,7 +88,7 @@
&fs::read(TEST_IMG_WITH_NON_INITRD_HASHDESC_PATH)?,
/* initrd= */ None,
&load_trusted_public_key()?,
- PvmfwVerifyError::InvalidDescriptors(IoError::NoSuchPartition),
+ PvmfwVerifyError::InvalidDescriptors(DescriptorError::InvalidContents),
)
}
@@ -98,7 +98,7 @@
&fs::read(TEST_IMG_WITH_INITRD_AND_NON_INITRD_DESC_PATH)?,
&load_latest_initrd_normal()?,
&load_trusted_public_key()?,
- PvmfwVerifyError::InvalidDescriptors(IoError::NoSuchPartition),
+ PvmfwVerifyError::InvalidDescriptors(DescriptorError::InvalidContents),
)
}
@@ -142,7 +142,7 @@
&fs::read(TEST_IMG_WITH_MULTIPLE_PROPS_PATH)?,
/* initrd= */ None,
&load_trusted_public_key()?,
- PvmfwVerifyError::InvalidDescriptors(IoError::Io),
+ PvmfwVerifyError::InvalidDescriptors(DescriptorError::InvalidContents),
)
}
diff --git a/pvmfw/src/fdt.rs b/pvmfw/src/fdt.rs
index 2ea4599..ac52be9 100644
--- a/pvmfw/src/fdt.rs
+++ b/pvmfw/src/fdt.rs
@@ -35,18 +35,19 @@
use libfdt::CellIterator;
use libfdt::Fdt;
use libfdt::FdtError;
-use libfdt::FdtNode;
use libfdt::FdtNodeMut;
use log::debug;
use log::error;
use log::info;
use log::warn;
+use static_assertions::const_assert;
use tinyvec::ArrayVec;
use vmbase::fdt::SwiotlbInfo;
use vmbase::layout::{crosvm::MEM_START, MAX_VIRT_ADDR};
use vmbase::memory::SIZE_4KB;
use vmbase::util::flatten;
use vmbase::util::RangeExt as _;
+use zerocopy::AsBytes as _;
/// An enumeration of errors that can occur during the FDT validation.
#[derive(Clone, Debug)]
@@ -164,39 +165,47 @@
}
fn patch_memory_range(fdt: &mut Fdt, memory_range: &Range<usize>) -> libfdt::Result<()> {
- let size = memory_range.len() as u64;
+ let addr = u64::try_from(MEM_START).unwrap();
+ let size = u64::try_from(memory_range.len()).unwrap();
fdt.node_mut(cstr!("/memory"))?
.ok_or(FdtError::NotFound)?
- .setprop_inplace(cstr!("reg"), flatten(&[MEM_START.to_be_bytes(), size.to_be_bytes()]))
+ .setprop_inplace(cstr!("reg"), [addr.to_be(), size.to_be()].as_bytes())
}
-/// Read the number of CPUs from DT
-fn read_num_cpus_from(fdt: &Fdt) -> libfdt::Result<usize> {
- Ok(fdt.compatible_nodes(cstr!("arm,arm-v8"))?.count())
-}
+#[derive(Debug, Default)]
+struct CpuInfo {}
-/// Validate number of CPUs
-fn validate_num_cpus(num_cpus: usize) -> Result<(), FdtValidationError> {
- if num_cpus == 0 || DeviceTreeInfo::gic_patched_size(num_cpus).is_none() {
- Err(FdtValidationError::InvalidCpuCount(num_cpus))
- } else {
- Ok(())
+fn read_cpu_info_from(fdt: &Fdt) -> libfdt::Result<ArrayVec<[CpuInfo; DeviceTreeInfo::MAX_CPUS]>> {
+ let mut cpus = ArrayVec::new();
+
+ let mut cpu_nodes = fdt.compatible_nodes(cstr!("arm,arm-v8"))?;
+ for _cpu in cpu_nodes.by_ref().take(cpus.capacity()) {
+ let info = CpuInfo {};
+ cpus.push(info);
}
+ if cpu_nodes.next().is_some() {
+ warn!("DT has more than {} CPU nodes: discarding extra nodes.", cpus.capacity());
+ }
+
+ Ok(cpus)
}
-/// Patch DT by keeping `num_cpus` number of arm,arm-v8 compatible nodes, and pruning the rest.
-fn patch_num_cpus(fdt: &mut Fdt, num_cpus: usize) -> libfdt::Result<()> {
- let cpu = cstr!("arm,arm-v8");
- let mut next = fdt.root_mut()?.next_compatible(cpu)?;
- for _ in 0..num_cpus {
- next = if let Some(current) = next {
- current.next_compatible(cpu)?
- } else {
- return Err(FdtError::NoSpace);
- };
+fn validate_cpu_info(cpus: &[CpuInfo]) -> Result<(), FdtValidationError> {
+ if cpus.is_empty() {
+ return Err(FdtValidationError::InvalidCpuCount(0));
+ }
+
+ Ok(())
+}
+
+fn patch_cpus(fdt: &mut Fdt, cpus: &[CpuInfo]) -> libfdt::Result<()> {
+ const COMPAT: &CStr = cstr!("arm,arm-v8");
+ let mut next = fdt.root_mut()?.next_compatible(COMPAT)?;
+ for _cpu in cpus {
+ next = next.ok_or(FdtError::NoSpace)?.next_compatible(COMPAT)?;
}
while let Some(current) = next {
- next = current.delete_and_next_compatible(cpu)?;
+ next = current.delete_and_next_compatible(COMPAT)?;
}
Ok(())
}
@@ -486,11 +495,17 @@
}
fn read_serial_info_from(fdt: &Fdt) -> libfdt::Result<SerialInfo> {
- let mut addrs: ArrayVec<[u64; SerialInfo::MAX_SERIALS]> = Default::default();
- for node in fdt.compatible_nodes(cstr!("ns16550a"))?.take(SerialInfo::MAX_SERIALS) {
+ let mut addrs = ArrayVec::new();
+
+ let mut serial_nodes = fdt.compatible_nodes(cstr!("ns16550a"))?;
+ for node in serial_nodes.by_ref().take(addrs.capacity()) {
let reg = node.first_reg()?;
addrs.push(reg.addr);
}
+ if serial_nodes.next().is_some() {
+ warn!("DT has more than {} UART nodes: discarding extra nodes.", addrs.capacity());
+ }
+
Ok(SerialInfo { addrs })
}
@@ -499,11 +514,8 @@
let name = cstr!("ns16550a");
let mut next = fdt.root_mut()?.next_compatible(name);
while let Some(current) = next? {
- let reg = FdtNode::from_mut(¤t)
- .reg()?
- .ok_or(FdtError::NotFound)?
- .next()
- .ok_or(FdtError::NotFound)?;
+ let reg =
+ current.as_node().reg()?.ok_or(FdtError::NotFound)?.next().ok_or(FdtError::NotFound)?;
next = if !serial_info.addrs.contains(®.addr) {
current.delete_and_next_compatible(name)
} else {
@@ -574,21 +586,17 @@
let mut range1 = ranges.next().ok_or(FdtError::NotFound)?;
let addr = range0.addr;
- // `validate_num_cpus()` checked that this wouldn't panic
+ // `read_cpu_info_from()` guarantees that we have at most MAX_CPUS.
+ const_assert!(DeviceTreeInfo::gic_patched_size(DeviceTreeInfo::MAX_CPUS).is_some());
let size = u64::try_from(DeviceTreeInfo::gic_patched_size(num_cpus).unwrap()).unwrap();
// range1 is just below range0
range1.addr = addr - size;
range1.size = Some(size);
- let range0 = range0.to_cells();
- let range1 = range1.to_cells();
- let value = [
- range0.0, // addr
- range0.1.unwrap(), //size
- range1.0, // addr
- range1.1.unwrap(), //size
- ];
+ let (addr0, size0) = range0.to_cells();
+ let (addr1, size1) = range1.to_cells();
+ let value = [addr0, size0.unwrap(), addr1, size1.unwrap()];
let mut node =
fdt.root_mut()?.next_compatible(cstr!("arm,gic-v3"))?.ok_or(FdtError::NotFound)?;
@@ -612,17 +620,11 @@
*v = v.to_be();
}
- // SAFETY: array size is the same
- let value = unsafe {
- core::mem::transmute::<
- [u32; NUM_INTERRUPTS * CELLS_PER_INTERRUPT],
- [u8; NUM_INTERRUPTS * CELLS_PER_INTERRUPT * size_of::<u32>()],
- >(value.into_inner())
- };
+ let value = value.into_inner();
let mut node =
fdt.root_mut()?.next_compatible(cstr!("arm,armv8-timer"))?.ok_or(FdtError::NotFound)?;
- node.setprop_inplace(cstr!("interrupts"), value.as_slice())
+ node.setprop_inplace(cstr!("interrupts"), value.as_bytes())
}
#[derive(Debug)]
@@ -631,7 +633,7 @@
pub initrd_range: Option<Range<usize>>,
pub memory_range: Range<usize>,
bootargs: Option<CString>,
- num_cpus: usize,
+ cpus: ArrayVec<[CpuInfo; DeviceTreeInfo::MAX_CPUS]>,
pci_info: PciInfo,
serial_info: SerialInfo,
pub swiotlb_info: SwiotlbInfo,
@@ -640,7 +642,9 @@
}
impl DeviceTreeInfo {
- fn gic_patched_size(num_cpus: usize) -> Option<usize> {
+ const MAX_CPUS: usize = 16;
+
+ const fn gic_patched_size(num_cpus: usize) -> Option<usize> {
const GIC_REDIST_SIZE_PER_CPU: usize = 32 * SIZE_4KB;
GIC_REDIST_SIZE_PER_CPU.checked_mul(num_cpus)
@@ -667,7 +671,9 @@
let info = parse_device_tree(fdt, vm_dtbo.as_deref())?;
- fdt.copy_from_slice(pvmfw_fdt_template::RAW).map_err(|e| {
+ // SAFETY: We trust that the template (hardcoded in our RO data) is a valid DT.
+ let fdt_template = unsafe { Fdt::unchecked_from_slice(pvmfw_fdt_template::RAW) };
+ fdt.clone_from(fdt_template).map_err(|e| {
error!("Failed to instantiate FDT from the template DT: {e}");
RebootReason::InvalidFdt
})?;
@@ -736,12 +742,12 @@
RebootReason::InvalidFdt
})?;
- let num_cpus = read_num_cpus_from(fdt).map_err(|e| {
- error!("Failed to read num cpus from DT: {e}");
+ let cpus = read_cpu_info_from(fdt).map_err(|e| {
+ error!("Failed to read CPU info from DT: {e}");
RebootReason::InvalidFdt
})?;
- validate_num_cpus(num_cpus).map_err(|e| {
- error!("Failed to validate num cpus from DT: {e}");
+ validate_cpu_info(&cpus).map_err(|e| {
+ error!("Failed to validate CPU info from DT: {e}");
RebootReason::InvalidFdt
})?;
@@ -789,7 +795,7 @@
initrd_range,
memory_range,
bootargs,
- num_cpus,
+ cpus,
pci_info,
serial_info,
swiotlb_info,
@@ -815,7 +821,7 @@
RebootReason::InvalidFdt
})?;
}
- patch_num_cpus(fdt, info.num_cpus).map_err(|e| {
+ patch_cpus(fdt, &info.cpus).map_err(|e| {
error!("Failed to patch cpus to DT: {e}");
RebootReason::InvalidFdt
})?;
@@ -831,11 +837,11 @@
error!("Failed to patch swiotlb info to DT: {e}");
RebootReason::InvalidFdt
})?;
- patch_gic(fdt, info.num_cpus).map_err(|e| {
+ patch_gic(fdt, info.cpus.len()).map_err(|e| {
error!("Failed to patch gic info to DT: {e}");
RebootReason::InvalidFdt
})?;
- patch_timer(fdt, info.num_cpus).map_err(|e| {
+ patch_timer(fdt, info.cpus.len()).map_err(|e| {
error!("Failed to patch timer info to DT: {e}");
RebootReason::InvalidFdt
})?;
@@ -941,7 +947,7 @@
// SAFETY: on failure, the corrupted DT is restored using the backup.
if let Err(e) = unsafe { fdt.apply_overlay(overlay) } {
warn!("Failed to apply debug policy: {e}. Recovering...");
- fdt.copy_from_slice(backup_fdt.as_slice())?;
+ fdt.clone_from(backup_fdt)?;
// A successful restoration is considered success because an invalid debug policy
// shouldn't DOS the pvmfw
Ok(false)
diff --git a/rialto/Android.bp b/rialto/Android.bp
index c102c89..d7aac35 100644
--- a/rialto/Android.bp
+++ b/rialto/Android.bp
@@ -133,11 +133,11 @@
"libandroid_logger",
"libanyhow",
"libbssl_avf_nostd",
- "libciborium",
"libclient_vm_csr",
"libcoset",
"liblibc",
"liblog_rust",
+ "libhwtrust",
"libservice_vm_comm",
"libservice_vm_fake_chain",
"libservice_vm_manager",
diff --git a/rialto/src/main.rs b/rialto/src/main.rs
index e705562..ad9b776 100644
--- a/rialto/src/main.rs
+++ b/rialto/src/main.rs
@@ -37,7 +37,7 @@
use hyp::{get_mem_sharer, get_mmio_guard};
use libfdt::FdtError;
use log::{debug, error, info};
-use service_vm_comm::{RequestProcessingError, Response, ServiceVmRequest, VmType};
+use service_vm_comm::{ServiceVmRequest, VmType};
use service_vm_fake_chain::service_vm;
use service_vm_requests::process_request;
use virtio_drivers::{
@@ -177,15 +177,7 @@
let mut vsock_stream = VsockStream::new(socket_device, host_addr())?;
while let ServiceVmRequest::Process(req) = vsock_stream.read_request()? {
- let mut response = process_request(req, bcc_handover.as_ref());
- // TODO(b/185878400): We don't want to issue a certificate to pVM when the client VM
- // attestation is unfinished. The following code should be removed once the
- // verification is completed.
- if vm_type() == VmType::ProtectedVm
- && matches!(response, Response::RequestClientVmAttestation(_))
- {
- response = Response::Err(RequestProcessingError::OperationUnimplemented);
- }
+ let response = process_request(req, bcc_handover.as_ref());
vsock_stream.write_response(&response)?;
vsock_stream.flush()?;
}
diff --git a/rialto/tests/test.rs b/rialto/tests/test.rs
index c918db5..8899875 100644
--- a/rialto/tests/test.rs
+++ b/rialto/tests/test.rs
@@ -23,9 +23,9 @@
};
use anyhow::{bail, Context, Result};
use bssl_avf::{sha256, EcKey, PKey};
-use ciborium::value::Value;
use client_vm_csr::generate_attestation_key_and_csr;
use coset::{CborSerializable, CoseMac0, CoseSign};
+use hwtrust::{rkp, session::Session};
use log::info;
use service_vm_comm::{
ClientVmAttestationParams, Csr, CsrPayload, EcdsaP256KeyPair, GenerateCertificateRequestParams,
@@ -37,7 +37,6 @@
use service_vm_manager::ServiceVm;
use std::fs;
use std::fs::File;
-use std::io;
use std::panic;
use std::path::PathBuf;
use std::str::FromStr;
@@ -272,22 +271,16 @@
Ok(())
}
-/// TODO(b/300625792): Check the CSR with libhwtrust once the CSR is complete.
fn check_csr(csr: Vec<u8>) -> Result<()> {
- let mut reader = io::Cursor::new(csr);
- let csr: Value = ciborium::from_reader(&mut reader)?;
- match csr {
- Value::Array(arr) => {
- assert_eq!(4, arr.len());
- }
- _ => bail!("Incorrect CSR format: {csr:?}"),
- }
+ let _csr = rkp::Csr::from_cbor(&Session::default(), &csr[..]).context("Failed to parse CSR")?;
Ok(())
}
fn start_service_vm(vm_type: VmType) -> Result<ServiceVm> {
android_logger::init_once(
- android_logger::Config::default().with_tag("rialto").with_min_level(log::Level::Debug),
+ android_logger::Config::default()
+ .with_tag("rialto")
+ .with_max_level(log::LevelFilter::Debug),
);
// Redirect panic messages to logcat.
panic::set_hook(Box::new(|panic_info| {
diff --git a/service_vm/test_apk/Android.bp b/service_vm/demo_apk/Android.bp
similarity index 67%
rename from service_vm/test_apk/Android.bp
rename to service_vm/demo_apk/Android.bp
index 4da3f81..3750fe6 100644
--- a/service_vm/test_apk/Android.bp
+++ b/service_vm/demo_apk/Android.bp
@@ -3,9 +3,9 @@
}
android_app {
- name: "ServiceVmClientTestApp",
+ name: "VmAttestationDemoApp",
installable: true,
- jni_libs: ["libservice_vm_client"],
+ jni_libs: ["libvm_attestation_payload"],
jni_uses_platform_apis: true,
use_embedded_native_libs: true,
sdk_version: "system_current",
@@ -14,8 +14,8 @@
}
rust_defaults {
- name: "service_vm_client_defaults",
- crate_name: "service_vm_client",
+ name: "vm_attestation_payload_defaults",
+ crate_name: "vm_attestation_payload",
defaults: ["avf_build_flags_rust"],
srcs: ["src/main.rs"],
prefer_rlib: true,
@@ -28,6 +28,6 @@
}
rust_ffi {
- name: "libservice_vm_client",
- defaults: ["service_vm_client_defaults"],
+ name: "libvm_attestation_payload",
+ defaults: ["vm_attestation_payload_defaults"],
}
diff --git a/service_vm/test_apk/AndroidManifest.xml b/service_vm/demo_apk/AndroidManifest.xml
similarity index 94%
rename from service_vm/test_apk/AndroidManifest.xml
rename to service_vm/demo_apk/AndroidManifest.xml
index b3598fc..228195d 100644
--- a/service_vm/test_apk/AndroidManifest.xml
+++ b/service_vm/demo_apk/AndroidManifest.xml
@@ -13,7 +13,7 @@
limitations under the License.
-->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
- package="com.android.virt.service_vm.client">
+ package="com.android.virt.vm_attestation.demo">
<uses-permission android:name="android.permission.MANAGE_VIRTUAL_MACHINE" />
<uses-permission android:name="android.permission.USE_CUSTOM_VIRTUAL_MACHINE" />
diff --git a/service_vm/demo_apk/README.md b/service_vm/demo_apk/README.md
new file mode 100644
index 0000000..551d47b
--- /dev/null
+++ b/service_vm/demo_apk/README.md
@@ -0,0 +1,53 @@
+# VmAttestationDemoApp
+
+## Overview
+
+The *VmAttestationDemoApp* is an Android application that provides a practical
+demonstration of how to interact with the VM Attestation APIs. This app focuses
+on the payload of the Android app and the payload performs two main tasks:
+requesting attestation and validating the attestation result.
+
+## Building
+
+To build the VmAttestationDemoApp, use the following command:
+
+```
+m VmAttestationDemoApp
+```
+
+## Installing
+
+To install the app on your device, execute the following command:
+
+```
+adb install $ANDROID_PRODUCT_OUT/system/app/VmAttestationDemoApp/VmAttestationDemoApp.apk
+```
+
+## Running
+
+Before running the app, make sure that the device has an internet connection and
+that the remote provisioning host is not empty. You can use the following
+command to check the remote provisioning host:
+
+```
+$ adb shell getprop remote_provisioning.hostname
+remoteprovisioning.googleapis.com
+```
+
+Once you have confirmed the remote provisioning host, you can run the app using
+the following command:
+
+```
+TEST_ROOT=/data/local/tmp/virt && adb shell /apex/com.android.virt/bin/vm run-app \
+ --config-path assets/config.json --debug full \
+ $(adb shell pm path com.android.virt.vm_attestation.demo | cut -c 9-) \
+ $TEST_ROOT/VmAttestationDemoApp.apk.idsig \
+ $TEST_ROOT/instance.vm_attestation.debug.img --protected
+```
+
+Please note that remote attestation is only available for protected VMs.
+Therefore, ensure that the VM is launched in protected mode using the
+`--protected` flag.
+
+If everything is set up correctly, you should be able to see the attestation
+result printed out in the VM logs.
diff --git a/service_vm/test_apk/assets/config.json b/service_vm/demo_apk/assets/config.json
similarity index 74%
rename from service_vm/test_apk/assets/config.json
rename to service_vm/demo_apk/assets/config.json
index 02749fe..1684696 100644
--- a/service_vm/test_apk/assets/config.json
+++ b/service_vm/demo_apk/assets/config.json
@@ -4,7 +4,7 @@
},
"task": {
"type": "microdroid_launcher",
- "command": "libservice_vm_client.so"
+ "command": "libvm_attestation_payload.so"
},
"export_tombstones": true
}
\ No newline at end of file
diff --git a/service_vm/test_apk/src/main.rs b/service_vm/demo_apk/src/main.rs
similarity index 98%
rename from service_vm/test_apk/src/main.rs
rename to service_vm/demo_apk/src/main.rs
index ba65aca..0d1efb0 100644
--- a/service_vm/test_apk/src/main.rs
+++ b/service_vm/demo_apk/src/main.rs
@@ -36,7 +36,7 @@
android_logger::init_once(
android_logger::Config::default()
.with_tag("service_vm_client")
- .with_min_level(log::Level::Debug),
+ .with_max_level(log::LevelFilter::Debug),
);
// Redirect panic messages to logcat.
panic::set_hook(Box::new(|panic_info| {
@@ -224,6 +224,6 @@
// static string.
let message = unsafe { AVmAttestationResult_resultToString(status) };
// SAFETY: The pointer returned by `AVmAttestationResult_resultToString` is guaranteed to
- // point to a valid C String.
+ // point to a valid C String that lives forever.
unsafe { CStr::from_ptr(message) }
}
diff --git a/service_vm/requests/src/rkp.rs b/service_vm/requests/src/rkp.rs
index 9901a92..569ab01 100644
--- a/service_vm/requests/src/rkp.rs
+++ b/service_vm/requests/src/rkp.rs
@@ -76,13 +76,10 @@
public_keys.push(public_key.to_cbor_value()?);
}
// Builds `CsrPayload`.
- // TODO(b/299256925): The device information is currently empty as we do not
- // have sufficient details to include.
- let device_info = Value::Map(Vec::new());
let csr_payload = cbor!([
Value::Integer(CSR_PAYLOAD_SCHEMA_V3.into()),
Value::Text(String::from(CERTIFICATE_TYPE)),
- device_info,
+ device_info(),
Value::Array(public_keys),
])?;
let csr_payload = cbor_util::serialize(&csr_payload)?;
@@ -107,6 +104,22 @@
Ok(cbor_util::serialize(&auth_req)?)
}
+/// Generates the device info required by the RKP server as a temporary placeholder.
+/// More details in b/301592917.
+fn device_info() -> Value {
+ cbor!({"brand" => "aosp-avf",
+ "manufacturer" => "aosp-avf",
+ "product" => "avf",
+ "model" => "avf",
+ "device" => "avf",
+ "vbmeta_digest" => Value::Bytes(vec![0u8; 0]),
+ "system_patch_level" => 202402,
+ "boot_patch_level" => 20240202,
+ "vendor_patch_level" => 20240202,
+ "fused" => 1})
+ .unwrap()
+}
+
fn derive_hmac_key(dice_artifacts: &dyn DiceArtifacts) -> Result<Zeroizing<[u8; HMAC_KEY_LENGTH]>> {
let mut key = Zeroizing::new([0u8; HMAC_KEY_LENGTH]);
kdf(dice_artifacts.cdi_seal(), &HMAC_KEY_SALT, HMAC_KEY_INFO, key.as_mut()).map_err(|e| {
diff --git a/tests/aidl/Android.bp b/tests/aidl/Android.bp
index 7e22646..ed4e8ff 100644
--- a/tests/aidl/Android.bp
+++ b/tests/aidl/Android.bp
@@ -1,5 +1,4 @@
package {
- default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
diff --git a/tests/benchmark/Android.bp b/tests/benchmark/Android.bp
index 31fe0f6..413ffe4 100644
--- a/tests/benchmark/Android.bp
+++ b/tests/benchmark/Android.bp
@@ -1,5 +1,4 @@
package {
- default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
@@ -34,6 +33,7 @@
cc_library_shared {
name: "MicrodroidBenchmarkNativeLib",
+ defaults: ["avf_build_flags_cc"],
srcs: ["src/native/*.cpp"],
local_include_dirs: ["src/native/include"],
static_libs: [
diff --git a/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java b/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java
index b9faa85..e9c84fb 100644
--- a/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java
+++ b/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java
@@ -49,6 +49,7 @@
import org.junit.After;
import org.junit.Before;
+import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.Timeout;
@@ -276,6 +277,10 @@
(builder) -> builder);
}
+ // TODO(b/323768068): Enable this test when we can inject vendor digest for test purpose.
+ // After introducing VM reference DT, non-pVM cannot trust test_microdroid_vendor_image.img
+ // as well, because it doesn't pass the hashtree digest of testing image into VM.
+ @Ignore
@Test
public void testMicrodroidDebugBootTime_withVendorPartition() throws Exception {
assume().withMessage("Cuttlefish doesn't support device tree under" + " /proc/device-tree")
@@ -286,11 +291,6 @@
assume().withMessage("Boot with vendor partition is failing in HWASAN enabled Microdroid.")
.that(isHwasan())
.isFalse();
- assume().withMessage(
- "Skip test for protected VM, pvmfw config data doesn't contain any"
- + " information of test images, such as root digest.")
- .that(mProtectedVm)
- .isFalse();
assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
File vendorDiskImage =
diff --git a/tests/benchmark/src/jni/Android.bp b/tests/benchmark/src/jni/Android.bp
index c2e1b7c..bfc3ef3 100644
--- a/tests/benchmark/src/jni/Android.bp
+++ b/tests/benchmark/src/jni/Android.bp
@@ -1,10 +1,10 @@
package {
- default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
cc_library_shared {
name: "libiovsock_host_jni",
+ defaults: ["avf_build_flags_cc"],
srcs: ["io_vsock_host_jni.cpp"],
header_libs: ["jni_headers"],
shared_libs: ["libbase"],
diff --git a/tests/benchmark_hostside/Android.bp b/tests/benchmark_hostside/Android.bp
index 8727b05..b613a8a 100644
--- a/tests/benchmark_hostside/Android.bp
+++ b/tests/benchmark_hostside/Android.bp
@@ -1,5 +1,4 @@
package {
- default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
diff --git a/tests/helper/Android.bp b/tests/helper/Android.bp
index 9223391..614c70c 100644
--- a/tests/helper/Android.bp
+++ b/tests/helper/Android.bp
@@ -1,5 +1,4 @@
package {
- default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
diff --git a/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java b/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
index 15e175b..8e11218 100644
--- a/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
+++ b/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
@@ -150,8 +150,15 @@
public VirtualMachine forceCreateNewVirtualMachine(String name, VirtualMachineConfig config)
throws VirtualMachineException {
final VirtualMachineManager vmm = getVirtualMachineManager();
- VirtualMachine existingVm = vmm.get(name);
- if (existingVm != null) {
+ boolean deleteExisting;
+ try {
+ deleteExisting = vmm.get(name) != null;
+ } catch (VirtualMachineException e) {
+ // VM exists, i.e. there are some files for it, but they could not be successfully
+ // loaded.
+ deleteExisting = true;
+ }
+ if (deleteExisting) {
vmm.delete(name);
}
return vmm.create(name, config);
diff --git a/tests/hostside/Android.bp b/tests/hostside/Android.bp
index 2cfaffa..e3d9cbe 100644
--- a/tests/hostside/Android.bp
+++ b/tests/hostside/Android.bp
@@ -1,5 +1,4 @@
package {
- default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
diff --git a/tests/hostside/helper/Android.bp b/tests/hostside/helper/Android.bp
index 890e14a..75553d0 100644
--- a/tests/hostside/helper/Android.bp
+++ b/tests/hostside/helper/Android.bp
@@ -1,5 +1,4 @@
package {
- default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
diff --git a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
index 7a5d69b..2cd4577 100644
--- a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
+++ b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
@@ -90,7 +90,7 @@
private static final String SHELL_PACKAGE_NAME = "com.android.shell";
private static final String VIRT_APEX = "/apex/com.android.virt/";
- private static final int MIN_MEM_ARM64 = 160;
+ private static final int MIN_MEM_ARM64 = 170;
private static final int MIN_MEM_X86_64 = 196;
private static final int BOOT_COMPLETE_TIMEOUT = 30000; // 30 seconds
diff --git a/tests/no_avf/Android.bp b/tests/no_avf/Android.bp
index cdc9e9f..22d099e 100644
--- a/tests/no_avf/Android.bp
+++ b/tests/no_avf/Android.bp
@@ -1,5 +1,4 @@
package {
- default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
diff --git a/tests/pvmfw/Android.bp b/tests/pvmfw/Android.bp
index 03dcc35..c12f67a 100644
--- a/tests/pvmfw/Android.bp
+++ b/tests/pvmfw/Android.bp
@@ -1,5 +1,4 @@
package {
- default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
diff --git a/tests/pvmfw/helper/Android.bp b/tests/pvmfw/helper/Android.bp
index 7258c68..1b96842 100644
--- a/tests/pvmfw/helper/Android.bp
+++ b/tests/pvmfw/helper/Android.bp
@@ -1,5 +1,4 @@
package {
- default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
diff --git a/tests/pvmfw/tools/Android.bp b/tests/pvmfw/tools/Android.bp
index e4a31d5..7bd3ef5 100644
--- a/tests/pvmfw/tools/Android.bp
+++ b/tests/pvmfw/tools/Android.bp
@@ -1,5 +1,4 @@
package {
- default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
diff --git a/tests/testapk/Android.bp b/tests/testapk/Android.bp
index 10bbfb4..2a04103 100644
--- a/tests/testapk/Android.bp
+++ b/tests/testapk/Android.bp
@@ -1,5 +1,4 @@
package {
- default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
@@ -68,6 +67,7 @@
// (MicrodroidTestApp) can start a payload defined in the another app (MicrodroidVmShareApp).
cc_defaults {
name: "MicrodroidTestNativeLibDefaults",
+ defaults: ["avf_build_flags_cc"],
srcs: ["src/native/testbinary.cpp"],
stl: "libc++_static",
header_libs: ["vm_payload_restricted_headers"],
@@ -99,12 +99,14 @@
cc_library_shared {
name: "MicrodroidTestNativeLibSub",
+ defaults: ["avf_build_flags_cc"],
srcs: ["src/native/testlib.cpp"],
stl: "libc++_static",
}
cc_library_shared {
name: "MicrodroidIdleNativeLib",
+ defaults: ["avf_build_flags_cc"],
srcs: ["src/native/idlebinary.cpp"],
header_libs: ["vm_payload_headers"],
stl: "libc++_static",
@@ -113,6 +115,7 @@
// An empty payload missing AVmPayload_main
cc_library_shared {
name: "MicrodroidEmptyNativeLib",
+ defaults: ["avf_build_flags_cc"],
srcs: ["src/native/emptybinary.cpp"],
stl: "none",
}
@@ -120,6 +123,7 @@
// A payload that exits immediately on start
cc_library_shared {
name: "MicrodroidExitNativeLib",
+ defaults: ["avf_build_flags_cc"],
srcs: ["src/native/exitbinary.cpp"],
header_libs: ["vm_payload_headers"],
stl: "libc++_static",
@@ -128,6 +132,7 @@
// A payload which tries to link against libselinux, one of private libraries
cc_library_shared {
name: "MicrodroidPrivateLinkingNativeLib",
+ defaults: ["avf_build_flags_cc"],
srcs: ["src/native/idlebinary.cpp"],
header_libs: ["vm_payload_headers"],
// HACK: linking against "libselinux" will embed libselinux.so into the apk
@@ -139,6 +144,7 @@
// A payload that crashes immediately on start
cc_library_shared {
name: "MicrodroidCrashNativeLib",
+ defaults: ["avf_build_flags_cc"],
srcs: ["src/native/crashbinary.cpp"],
header_libs: ["vm_payload_headers"],
stl: "libc++_static",
diff --git a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
index df6280d..4e340f0 100644
--- a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
+++ b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
@@ -142,7 +142,6 @@
@Before
public void setup() {
- grantPermission(VirtualMachine.MANAGE_VIRTUAL_MACHINE_PERMISSION);
prepareTestSetup(mProtectedVm, mGki);
// USE_CUSTOM_VIRTUAL_MACHINE permission has protection level signature|development, meaning
// that it will be automatically granted when test apk is installed. We have some tests
@@ -155,13 +154,12 @@
@After
public void tearDown() {
- revokePermission(VirtualMachine.MANAGE_VIRTUAL_MACHINE_PERMISSION);
revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
}
private static final long ONE_MEBI = 1024 * 1024;
- private static final long MIN_MEM_ARM64 = 160 * ONE_MEBI;
+ private static final long MIN_MEM_ARM64 = 170 * ONE_MEBI;
private static final long MIN_MEM_X86_64 = 196 * ONE_MEBI;
private static final String EXAMPLE_STRING = "Literally any string!! :)";
@@ -229,32 +227,6 @@
testResults.assertNoException();
assertThat(testResults.mAddInteger).isEqualTo(37 + 73);
}
-
- @Test
- @CddTest(
- requirements = {
- "9.17/C-1-1",
- "9.17/C-1-2",
- "9.17/C-1-4",
- })
- public void createVmRequiresPermission() {
- assumeSupportedDevice();
-
- revokePermission(VirtualMachine.MANAGE_VIRTUAL_MACHINE_PERMISSION);
-
- VirtualMachineConfig config =
- newVmConfigBuilderWithPayloadBinary("MicrodroidTestNativeLib.so")
- .setMemoryBytes(minMemoryRequired())
- .build();
-
- SecurityException e =
- assertThrows(
- SecurityException.class,
- () -> forceCreateNewVirtualMachine("test_vm_requires_permission", config));
- assertThat(e).hasMessageThat()
- .contains("android.permission.MANAGE_VIRTUAL_MACHINE permission");
- }
-
@Test
@CddTest(requirements = {"9.17/C-1-1"})
public void autoCloseVm() throws Exception {
@@ -481,29 +453,32 @@
// Minimal has as little as specified as possible; everything that can be is defaulted.
VirtualMachineConfig.Builder minimalBuilder =
new VirtualMachineConfig.Builder(getContext())
- .setPayloadBinaryName("binary.so")
+ .setPayloadConfigPath("config/path")
.setProtectedVm(isProtectedVm());
VirtualMachineConfig minimal = minimalBuilder.build();
assertThat(minimal.getApkPath()).isNull();
+ assertThat(minimal.getExtraApks()).isEmpty();
assertThat(minimal.getDebugLevel()).isEqualTo(DEBUG_LEVEL_NONE);
assertThat(minimal.getMemoryBytes()).isEqualTo(0);
assertThat(minimal.getCpuTopology()).isEqualTo(CPU_TOPOLOGY_ONE_CPU);
- assertThat(minimal.getPayloadBinaryName()).isEqualTo("binary.so");
- assertThat(minimal.getPayloadConfigPath()).isNull();
+ assertThat(minimal.getPayloadBinaryName()).isNull();
+ assertThat(minimal.getPayloadConfigPath()).isEqualTo("config/path");
assertThat(minimal.isProtectedVm()).isEqualTo(isProtectedVm());
assertThat(minimal.isEncryptedStorageEnabled()).isFalse();
assertThat(minimal.getEncryptedStorageBytes()).isEqualTo(0);
assertThat(minimal.isVmOutputCaptured()).isEqualTo(false);
- assertThat(minimal.getOs()).isEqualTo("microdroid");
+ assertThat(minimal.getOs()).isNull();
// Maximal has everything that can be set to some non-default value. (And has different
// values than minimal for the required fields.)
VirtualMachineConfig.Builder maximalBuilder =
new VirtualMachineConfig.Builder(getContext())
.setProtectedVm(mProtectedVm)
- .setPayloadConfigPath("config/path")
+ .setPayloadBinaryName("binary.so")
.setApkPath("/apk/path")
+ .addExtraApk("package.name1")
+ .addExtraApk("package.name2")
.setDebugLevel(DEBUG_LEVEL_FULL)
.setMemoryBytes(42)
.setCpuTopology(CPU_TOPOLOGY_MATCH_HOST)
@@ -512,25 +487,28 @@
VirtualMachineConfig maximal = maximalBuilder.build();
assertThat(maximal.getApkPath()).isEqualTo("/apk/path");
+ assertThat(maximal.getExtraApks())
+ .containsExactly("package.name1", "package.name2")
+ .inOrder();
assertThat(maximal.getDebugLevel()).isEqualTo(DEBUG_LEVEL_FULL);
assertThat(maximal.getMemoryBytes()).isEqualTo(42);
assertThat(maximal.getCpuTopology()).isEqualTo(CPU_TOPOLOGY_MATCH_HOST);
- assertThat(maximal.getPayloadBinaryName()).isNull();
- assertThat(maximal.getPayloadConfigPath()).isEqualTo("config/path");
+ assertThat(maximal.getPayloadBinaryName()).isEqualTo("binary.so");
+ assertThat(maximal.getPayloadConfigPath()).isNull();
assertThat(maximal.isProtectedVm()).isEqualTo(isProtectedVm());
assertThat(maximal.isEncryptedStorageEnabled()).isTrue();
assertThat(maximal.getEncryptedStorageBytes()).isEqualTo(1_000_000);
assertThat(maximal.isVmOutputCaptured()).isEqualTo(true);
- assertThat(maximal.getOs()).isNull();
+ assertThat(maximal.getOs()).isEqualTo("microdroid");
assertThat(minimal.isCompatibleWith(maximal)).isFalse();
assertThat(minimal.isCompatibleWith(minimal)).isTrue();
assertThat(maximal.isCompatibleWith(maximal)).isTrue();
- VirtualMachineConfig os = minimalBuilder.setOs("microdroid_gki-android14-6.1").build();
+ VirtualMachineConfig os = maximalBuilder.setOs("microdroid_gki-android14-6.1").build();
assertThat(os.getPayloadBinaryName()).isEqualTo("binary.so");
assertThat(os.getOs()).isEqualTo("microdroid_gki-android14-6.1");
- assertThat(os.isCompatibleWith(minimal)).isFalse();
+ assertThat(os.isCompatibleWith(maximal)).isFalse();
}
@Test
@@ -542,6 +520,7 @@
// All your null are belong to me.
assertThrows(NullPointerException.class, () -> new VirtualMachineConfig.Builder(null));
assertThrows(NullPointerException.class, () -> builder.setApkPath(null));
+ assertThrows(NullPointerException.class, () -> builder.addExtraApk(null));
assertThrows(NullPointerException.class, () -> builder.setPayloadConfigPath(null));
assertThrows(NullPointerException.class, () -> builder.setPayloadBinaryName(null));
assertThrows(NullPointerException.class, () -> builder.setVendorDiskImage(null));
@@ -607,6 +586,7 @@
.isTrue();
// Changes that must be incompatible, since they must change the VM identity.
+ assertConfigCompatible(baseline, newBaselineBuilder().addExtraApk("foo")).isFalse();
assertConfigCompatible(baseline, newBaselineBuilder().setDebugLevel(DEBUG_LEVEL_FULL))
.isFalse();
assertConfigCompatible(baseline, newBaselineBuilder().setPayloadBinaryName("different"))
@@ -931,7 +911,34 @@
vm,
(ts, tr) -> {
tr.mExtraApkTestProp =
- ts.readProperty("debug.microdroid.test.extra_apk");
+ ts.readProperty(
+ "debug.microdroid.test.extra_apk_build_manifest");
+ });
+ assertThat(testResults.mExtraApkTestProp).isEqualTo("PASS");
+ }
+
+ @Test
+ @CddTest(requirements = {"9.17/C-1-1", "9.17/C-2-1"})
+ public void extraApkInVmConfig() throws Exception {
+ assumeSupportedDevice();
+ assumeFeatureEnabled(VirtualMachineManager.FEATURE_MULTI_TENANT);
+
+ grantPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ VirtualMachineConfig config =
+ newVmConfigBuilderWithPayloadBinary("MicrodroidTestNativeLib.so")
+ .setMemoryBytes(minMemoryRequired())
+ .setDebugLevel(DEBUG_LEVEL_FULL)
+ .addExtraApk(VM_SHARE_APP_PACKAGE_NAME)
+ .build();
+ VirtualMachine vm = forceCreateNewVirtualMachine("test_vm_extra_apk", config);
+
+ TestResults testResults =
+ runVmTestService(
+ TAG,
+ vm,
+ (ts, tr) -> {
+ tr.mExtraApkTestProp =
+ ts.readProperty("debug.microdroid.test.extra_apk_vm_share");
});
assertThat(testResults.mExtraApkTestProp).isEqualTo("PASS");
}
@@ -994,8 +1001,7 @@
.setDebugLevel(fromLevel)
.setVmOutputCaptured(false);
VirtualMachineConfig normalConfig = builder.build();
- forceCreateNewVirtualMachine("test_vm", normalConfig);
- assertThat(tryBootVm(TAG, "test_vm").payloadStarted).isTrue();
+ assertThat(tryBootVmWithConfig(normalConfig, "test_vm").payloadStarted).isTrue();
// Try to run the VM again with the previous instance.img
// We need to make sure that no changes on config don't invalidate the identity, to compare
@@ -1159,18 +1165,6 @@
assertThrows(Exception.class, () -> launchVmAndGetCdis("test_vm"));
}
- @Test
- public void isFeatureEnabled_requiresManagePermission() throws Exception {
- revokePermission(VirtualMachine.MANAGE_VIRTUAL_MACHINE_PERMISSION);
-
- VirtualMachineManager vmm = getVirtualMachineManager();
- SecurityException e =
- assertThrows(SecurityException.class, () -> vmm.isFeatureEnabled("whatever"));
- assertThat(e)
- .hasMessageThat()
- .contains("android.permission.MANAGE_VIRTUAL_MACHINE permission");
- }
-
private static final UUID MICRODROID_PARTITION_UUID =
UUID.fromString("cf9afe9a-0662-11ec-a329-c32663a09d75");
private static final UUID PVM_FW_PARTITION_UUID =
@@ -1208,8 +1202,7 @@
.setDebugLevel(DEBUG_LEVEL_FULL)
.build();
- forceCreateNewVirtualMachine(vmName, config);
- assertThat(tryBootVm(TAG, vmName).payloadStarted).isTrue();
+ assertThat(tryBootVmWithConfig(config, vmName).payloadStarted).isTrue();
File instanceImgPath = getVmFile(vmName, "instance.img");
return new RandomAccessFile(instanceImgPath, "rw");
}
@@ -1262,13 +1255,12 @@
@Test
public void bootFailsWhenConfigIsInvalid() throws Exception {
grantPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
- VirtualMachineConfig normalConfig =
+ VirtualMachineConfig config =
newVmConfigBuilderWithPayloadConfig("assets/" + os() + "/vm_config_no_task.json")
.setDebugLevel(DEBUG_LEVEL_FULL)
.build();
- forceCreateNewVirtualMachine("test_vm_invalid_config", normalConfig);
- BootResult bootResult = tryBootVm(TAG, "test_vm_invalid_config");
+ BootResult bootResult = tryBootVmWithConfig(config, "test_vm_invalid_config");
assertThat(bootResult.payloadStarted).isFalse();
assertThat(bootResult.deathReason).isEqualTo(
VirtualMachineCallback.STOP_REASON_MICRODROID_INVALID_PAYLOAD_CONFIG);
@@ -1276,17 +1268,49 @@
@Test
public void bootFailsWhenBinaryNameIsInvalid() throws Exception {
- VirtualMachineConfig.Builder builder =
- newVmConfigBuilderWithPayloadBinary("DoesNotExist.so");
- VirtualMachineConfig normalConfig = builder.setDebugLevel(DEBUG_LEVEL_FULL).build();
- forceCreateNewVirtualMachine("test_vm_invalid_binary_path", normalConfig);
+ VirtualMachineConfig config =
+ newVmConfigBuilderWithPayloadBinary("DoesNotExist.so")
+ .setDebugLevel(DEBUG_LEVEL_FULL)
+ .build();
- BootResult bootResult = tryBootVm(TAG, "test_vm_invalid_binary_path");
+ BootResult bootResult = tryBootVmWithConfig(config, "test_vm_invalid_binary_path");
assertThat(bootResult.payloadStarted).isFalse();
assertThat(bootResult.deathReason)
.isEqualTo(VirtualMachineCallback.STOP_REASON_MICRODROID_UNKNOWN_RUNTIME_ERROR);
}
+ @Test
+ public void bootFailsWhenApkPathIsInvalid() {
+ VirtualMachineConfig config =
+ newVmConfigBuilderWithPayloadBinary("MicrodroidTestNativeLib.so")
+ .setDebugLevel(DEBUG_LEVEL_FULL)
+ .setApkPath("/does/not/exist")
+ .build();
+
+ assertThrowsVmExceptionContaining(
+ () -> tryBootVmWithConfig(config, "test_vm_invalid_apk_path"),
+ "Failed to open APK");
+ }
+
+ @Test
+ public void bootFailsWhenExtraApkPackageIsInvalid() {
+ VirtualMachineConfig config =
+ newVmConfigBuilderWithPayloadBinary("MicrodroidTestNativeLib.so")
+ .setDebugLevel(DEBUG_LEVEL_FULL)
+ .addExtraApk("com.example.nosuch.package")
+ .build();
+ assertThrowsVmExceptionContaining(
+ () -> tryBootVmWithConfig(config, "test_vm_invalid_extra_apk_package"),
+ "Extra APK package not found");
+ }
+
+ private BootResult tryBootVmWithConfig(VirtualMachineConfig config, String vmName)
+ throws Exception {
+ try (VirtualMachine ignored = forceCreateNewVirtualMachine(vmName, config)) {
+ return tryBootVm(TAG, vmName);
+ }
+ }
+
// Checks whether microdroid_launcher started but payload failed. reason must be recorded in the
// console output.
private void assertThatPayloadFailsDueTo(VirtualMachine vm, String reason) throws Exception {
@@ -2133,7 +2157,7 @@
.contains("android.permission.USE_CUSTOM_VIRTUAL_MACHINE permission");
}
- // TODO(b/323768068): Enable this test when we can inject vendor hashkey for test purpose.
+ // TODO(b/323768068): Enable this test when we can inject vendor digest for test purpose.
// After introducing VM reference DT, non-pVM cannot trust test_microdroid_vendor_image.img
// as well, because it doesn't pass the hashtree digest of testing image into VM.
@Ignore
@@ -2195,8 +2219,7 @@
.setDebugLevel(DEBUG_LEVEL_FULL)
.build();
- VirtualMachine vm = forceCreateNewVirtualMachine("test_boot_with_unsigned_vendor", config);
- BootResult bootResult = tryBootVm(TAG, "test_boot_with_unsigned_vendor");
+ BootResult bootResult = tryBootVmWithConfig(config, "test_boot_with_unsigned_vendor");
assertThat(bootResult.payloadStarted).isFalse();
assertThat(bootResult.deathReason).isEqualTo(VirtualMachineCallback.STOP_REASON_REBOOT);
}
diff --git a/tests/testapk/src/native/testbinary.cpp b/tests/testapk/src/native/testbinary.cpp
index c9b5e3a..1a75102 100644
--- a/tests/testapk/src/native/testbinary.cpp
+++ b/tests/testapk/src/native/testbinary.cpp
@@ -349,7 +349,7 @@
return {};
}
-Result<void> verify_apk() {
+Result<void> verify_build_manifest() {
const char* path = "/mnt/extra-apk/0/assets/build_manifest.pb";
std::string str;
@@ -364,6 +364,17 @@
return {};
}
+Result<void> verify_vm_share() {
+ const char* path = "/mnt/extra-apk/0/assets/vmshareapp.txt";
+
+ std::string str;
+ if (!android::base::ReadFileToString(path, &str)) {
+ return ErrnoError() << "failed to read vmshareapp.txt";
+ }
+
+ return {};
+}
+
} // Anonymous namespace
extern "C" int AVmPayload_main() {
@@ -372,8 +383,10 @@
// Make sure we can call into other shared libraries.
testlib_sub();
- // Extra apks may be missing; this is not a fatal error
- report_test("extra_apk", verify_apk());
+ // Report various things that aren't always fatal - these are checked in MicrodroidTests as
+ // appropriate.
+ report_test("extra_apk_build_manifest", verify_build_manifest());
+ report_test("extra_apk_vm_share", verify_vm_share());
__system_property_set("debug.microdroid.app.run", "true");
diff --git a/tests/vendor_images/Android.bp b/tests/vendor_images/Android.bp
index ecf0bb4..26dbc01 100644
--- a/tests/vendor_images/Android.bp
+++ b/tests/vendor_images/Android.bp
@@ -1,5 +1,4 @@
package {
- default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
diff --git a/tests/vmshareapp/Android.bp b/tests/vmshareapp/Android.bp
index d4113bf..5f6dc57 100644
--- a/tests/vmshareapp/Android.bp
+++ b/tests/vmshareapp/Android.bp
@@ -1,5 +1,4 @@
package {
- default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
diff --git a/tests/vmshareapp/aidl/Android.bp b/tests/vmshareapp/aidl/Android.bp
index 09e3405..df4a4b4 100644
--- a/tests/vmshareapp/aidl/Android.bp
+++ b/tests/vmshareapp/aidl/Android.bp
@@ -1,5 +1,4 @@
package {
- default_team: "trendy_team_virtualization",
default_applicable_licenses: ["Android-Apache-2.0"],
}
diff --git a/tests/vmshareapp/assets/vmshareapp.txt b/tests/vmshareapp/assets/vmshareapp.txt
new file mode 100644
index 0000000..02fdd71
--- /dev/null
+++ b/tests/vmshareapp/assets/vmshareapp.txt
@@ -0,0 +1 @@
+Marker file for the vmshareapp APK
diff --git a/virtualizationmanager/fsfdt/Android.bp b/virtualizationmanager/fsfdt/Android.bp
index 3a42bf3..7a1e5ed 100644
--- a/virtualizationmanager/fsfdt/Android.bp
+++ b/virtualizationmanager/fsfdt/Android.bp
@@ -17,8 +17,8 @@
],
}
-rust_library_rlib {
- name: "libfsfdt",
+rust_defaults {
+ name: "libfsfdt_default",
crate_name: "fsfdt",
defaults: ["avf_build_flags_rust"],
edition: "2021",
@@ -30,3 +30,17 @@
],
apex_available: ["com.android.virt"],
}
+
+rust_library_rlib {
+ name: "libfsfdt",
+ defaults: ["libfsfdt_default"],
+}
+
+rust_test {
+ name: "libfsfdt_test",
+ defaults: ["libfsfdt_default"],
+ data: ["testdata/**/*"],
+ data_bins: ["dtc_static"],
+ rustlibs: ["libtempfile"],
+ compile_multilib: "first",
+}
diff --git a/virtualizationmanager/fsfdt/src/lib.rs b/virtualizationmanager/fsfdt/src/lib.rs
index a2ca519..549df04 100644
--- a/virtualizationmanager/fsfdt/src/lib.rs
+++ b/virtualizationmanager/fsfdt/src/lib.rs
@@ -98,3 +98,56 @@
Ok(())
}
}
+
+#[cfg(test)]
+mod test {
+ use super::*;
+ use std::io::Write;
+ use std::process::Command;
+ use tempfile::NamedTempFile;
+
+ const TEST_FS_FDT_ROOT_PATH: &str = "testdata/fs";
+ const BUF_SIZE_MAX: usize = 1024;
+
+ fn dts_from_fs(path: &Path) -> String {
+ let path = path.to_str().unwrap();
+ let res = Command::new("./dtc_static")
+ .args(["-f", "-s", "-I", "fs", "-O", "dts", path])
+ .output()
+ .unwrap();
+ assert!(res.status.success(), "{res:?}");
+ String::from_utf8(res.stdout).unwrap()
+ }
+
+ fn dts_from_dtb(path: &Path) -> String {
+ let path = path.to_str().unwrap();
+ let res = Command::new("./dtc_static")
+ .args(["-f", "-s", "-I", "dtb", "-O", "dts", path])
+ .output()
+ .unwrap();
+ assert!(res.status.success(), "{res:?}");
+ String::from_utf8(res.stdout).unwrap()
+ }
+
+ fn to_temp_file(fdt: &Fdt) -> Result<NamedTempFile> {
+ let mut file = NamedTempFile::new()?;
+ file.as_file_mut().write_all(fdt.as_slice())?;
+ file.as_file_mut().sync_all()?;
+
+ Ok(file)
+ }
+
+ #[test]
+ fn test_from_fs() {
+ let fs_path = Path::new(TEST_FS_FDT_ROOT_PATH);
+
+ let mut data = vec![0_u8; BUF_SIZE_MAX];
+ let fdt = Fdt::from_fs(fs_path, &mut data).unwrap();
+ let file = to_temp_file(fdt).unwrap();
+
+ let expected = dts_from_fs(fs_path);
+ let actual = dts_from_dtb(file.path());
+
+ assert_eq!(&expected, &actual);
+ }
+}
diff --git a/virtualizationmanager/fsfdt/testdata/fs/avf/reference/oem/stub b/virtualizationmanager/fsfdt/testdata/fs/avf/reference/oem/stub
new file mode 100644
index 0000000..2e73f18
--- /dev/null
+++ b/virtualizationmanager/fsfdt/testdata/fs/avf/reference/oem/stub
Binary files differ
diff --git a/virtualizationmanager/fsfdt/testdata/fs/avf/reference/vendor/empty b/virtualizationmanager/fsfdt/testdata/fs/avf/reference/vendor/empty
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/virtualizationmanager/fsfdt/testdata/fs/avf/reference/vendor/empty
diff --git a/virtualizationmanager/fsfdt/testdata/fs/avf/reference/vendor/vendor_extra_node/flag b/virtualizationmanager/fsfdt/testdata/fs/avf/reference/vendor/vendor_extra_node/flag
new file mode 100644
index 0000000..accba00
--- /dev/null
+++ b/virtualizationmanager/fsfdt/testdata/fs/avf/reference/vendor/vendor_extra_node/flag
Binary files differ
diff --git a/virtualizationmanager/fsfdt/testdata/fs/avf/reference/vendor_hashtree_descriptor_root_digest b/virtualizationmanager/fsfdt/testdata/fs/avf/reference/vendor_hashtree_descriptor_root_digest
new file mode 100644
index 0000000..e901bb1
--- /dev/null
+++ b/virtualizationmanager/fsfdt/testdata/fs/avf/reference/vendor_hashtree_descriptor_root_digest
Binary files differ
diff --git a/virtualizationmanager/fsfdt/testdata/fs/avf/reference/vendor_image_key b/virtualizationmanager/fsfdt/testdata/fs/avf/reference/vendor_image_key
new file mode 100644
index 0000000..4d02944
--- /dev/null
+++ b/virtualizationmanager/fsfdt/testdata/fs/avf/reference/vendor_image_key
Binary files differ
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index ca23305..d9d10ea 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -1434,6 +1434,70 @@
}
}
+struct SecretkeeperProxy(Strong<dyn ISecretkeeper>);
+
+impl Interface for SecretkeeperProxy {}
+
+impl ISecretkeeper for SecretkeeperProxy {
+ fn processSecretManagementRequest(&self, req: &[u8]) -> binder::Result<Vec<u8>> {
+ // Pass the request to the channel, and read the response.
+ self.0.processSecretManagementRequest(req)
+ }
+
+ fn getAuthGraphKe(&self) -> binder::Result<Strong<dyn IAuthGraphKeyExchange>> {
+ let ag = AuthGraphKeyExchangeProxy(self.0.getAuthGraphKe()?);
+ Ok(BnAuthGraphKeyExchange::new_binder(ag, BinderFeatures::default()))
+ }
+
+ fn deleteIds(&self, ids: &[SecretId]) -> binder::Result<()> {
+ self.0.deleteIds(ids)
+ }
+
+ fn deleteAll(&self) -> binder::Result<()> {
+ self.0.deleteAll()
+ }
+}
+
+struct AuthGraphKeyExchangeProxy(Strong<dyn IAuthGraphKeyExchange>);
+
+impl Interface for AuthGraphKeyExchangeProxy {}
+
+impl IAuthGraphKeyExchange for AuthGraphKeyExchangeProxy {
+ fn create(&self) -> binder::Result<SessionInitiationInfo> {
+ self.0.create()
+ }
+
+ fn init(
+ &self,
+ peer_pub_key: &PubKey,
+ peer_id: &Identity,
+ peer_nonce: &[u8],
+ peer_version: i32,
+ ) -> binder::Result<KeInitResult> {
+ self.0.init(peer_pub_key, peer_id, peer_nonce, peer_version)
+ }
+
+ fn finish(
+ &self,
+ peer_pub_key: &PubKey,
+ peer_id: &Identity,
+ peer_signature: &SessionIdSignature,
+ peer_nonce: &[u8],
+ peer_version: i32,
+ own_key: &Key,
+ ) -> binder::Result<SessionInfo> {
+ self.0.finish(peer_pub_key, peer_id, peer_signature, peer_nonce, peer_version, own_key)
+ }
+
+ fn authenticationComplete(
+ &self,
+ peer_signature: &SessionIdSignature,
+ shared_keys: &[AuthgraphArc; 2],
+ ) -> binder::Result<[AuthgraphArc; 2]> {
+ self.0.authenticationComplete(peer_signature, shared_keys)
+ }
+}
+
#[cfg(test)]
mod tests {
use super::*;
@@ -1650,67 +1714,3 @@
Ok(())
}
}
-
-struct SecretkeeperProxy(Strong<dyn ISecretkeeper>);
-
-impl Interface for SecretkeeperProxy {}
-
-impl ISecretkeeper for SecretkeeperProxy {
- fn processSecretManagementRequest(&self, req: &[u8]) -> binder::Result<Vec<u8>> {
- // Pass the request to the channel, and read the response.
- self.0.processSecretManagementRequest(req)
- }
-
- fn getAuthGraphKe(&self) -> binder::Result<Strong<dyn IAuthGraphKeyExchange>> {
- let ag = AuthGraphKeyExchangeProxy(self.0.getAuthGraphKe()?);
- Ok(BnAuthGraphKeyExchange::new_binder(ag, BinderFeatures::default()))
- }
-
- fn deleteIds(&self, ids: &[SecretId]) -> binder::Result<()> {
- self.0.deleteIds(ids)
- }
-
- fn deleteAll(&self) -> binder::Result<()> {
- self.0.deleteAll()
- }
-}
-
-struct AuthGraphKeyExchangeProxy(Strong<dyn IAuthGraphKeyExchange>);
-
-impl Interface for AuthGraphKeyExchangeProxy {}
-
-impl IAuthGraphKeyExchange for AuthGraphKeyExchangeProxy {
- fn create(&self) -> binder::Result<SessionInitiationInfo> {
- self.0.create()
- }
-
- fn init(
- &self,
- peer_pub_key: &PubKey,
- peer_id: &Identity,
- peer_nonce: &[u8],
- peer_version: i32,
- ) -> binder::Result<KeInitResult> {
- self.0.init(peer_pub_key, peer_id, peer_nonce, peer_version)
- }
-
- fn finish(
- &self,
- peer_pub_key: &PubKey,
- peer_id: &Identity,
- peer_signature: &SessionIdSignature,
- peer_nonce: &[u8],
- peer_version: i32,
- own_key: &Key,
- ) -> binder::Result<SessionInfo> {
- self.0.finish(peer_pub_key, peer_id, peer_signature, peer_nonce, peer_version, own_key)
- }
-
- fn authenticationComplete(
- &self,
- peer_signature: &SessionIdSignature,
- shared_keys: &[AuthgraphArc; 2],
- ) -> binder::Result<[AuthgraphArc; 2]> {
- self.0.authenticationComplete(peer_signature, shared_keys)
- }
-}
diff --git a/vm_payload/Android.bp b/vm_payload/Android.bp
index 286612c..a745fd6 100644
--- a/vm_payload/Android.bp
+++ b/vm_payload/Android.bp
@@ -53,7 +53,7 @@
],
visibility: [
"//packages/modules/Virtualization/compos",
- "//packages/modules/Virtualization/service_vm/test_apk",
+ "//packages/modules/Virtualization/service_vm:__subpackages__",
],
shared_libs: [
"libvm_payload#current",
@@ -63,6 +63,7 @@
// Shared library for clients to link against.
cc_library_shared {
name: "libvm_payload",
+ defaults: ["avf_build_flags_cc"],
shared_libs: [
"libbinder_ndk",
"libbinder_rpc_unstable",
@@ -84,6 +85,7 @@
// declaration of AVmPayload_main().
cc_library_headers {
name: "vm_payload_headers",
+ defaults: ["avf_build_flags_cc"],
apex_available: ["com.android.compos"],
export_include_dirs: ["include"],
}
@@ -91,6 +93,7 @@
// Restricted headers for use by internal clients & associated tests.
cc_library_headers {
name: "vm_payload_restricted_headers",
+ defaults: ["avf_build_flags_cc"],
header_libs: ["vm_payload_headers"],
export_header_lib_headers: ["vm_payload_headers"],
export_include_dirs: ["include-restricted"],
diff --git a/vm_payload/src/api.rs b/vm_payload/src/api.rs
deleted file mode 100644
index 7978059..0000000
--- a/vm_payload/src/api.rs
+++ /dev/null
@@ -1,509 +0,0 @@
-// Copyright 2022, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! This module handles the interaction with virtual machine payload service.
-
-use android_system_virtualization_payload::aidl::android::system::virtualization::payload:: IVmPayloadService::{
- IVmPayloadService, ENCRYPTEDSTORE_MOUNTPOINT, VM_APK_CONTENTS_PATH,
- VM_PAYLOAD_SERVICE_SOCKET_NAME, AttestationResult::AttestationResult,
-};
-use anyhow::{bail, ensure, Context, Result};
-use binder::{
- unstable_api::{new_spibinder, AIBinder},
- Strong, ExceptionCode,
-};
-use lazy_static::lazy_static;
-use log::{error, info, LevelFilter};
-use rpcbinder::{RpcServer, RpcSession};
-use openssl::{ec::EcKey, sha::sha256, ecdsa::EcdsaSig};
-use std::convert::Infallible;
-use std::ffi::{CString, CStr};
-use std::fmt::Debug;
-use std::os::raw::{c_char, c_void};
-use std::path::Path;
-use std::ptr::{self, NonNull};
-use std::sync::{
- atomic::{AtomicBool, Ordering},
- Mutex,
-};
-use vm_payload_status_bindgen::attestation_status_t;
-
-lazy_static! {
- static ref VM_APK_CONTENTS_PATH_C: CString =
- CString::new(VM_APK_CONTENTS_PATH).expect("CString::new failed");
- static ref PAYLOAD_CONNECTION: Mutex<Option<Strong<dyn IVmPayloadService>>> = Mutex::default();
- static ref VM_ENCRYPTED_STORAGE_PATH_C: CString =
- CString::new(ENCRYPTEDSTORE_MOUNTPOINT).expect("CString::new failed");
-}
-
-static ALREADY_NOTIFIED: AtomicBool = AtomicBool::new(false);
-
-/// Return a connection to the payload service in Microdroid Manager. Uses the existing connection
-/// if there is one, otherwise attempts to create a new one.
-fn get_vm_payload_service() -> Result<Strong<dyn IVmPayloadService>> {
- let mut connection = PAYLOAD_CONNECTION.lock().unwrap();
- if let Some(strong) = &*connection {
- Ok(strong.clone())
- } else {
- let new_connection: Strong<dyn IVmPayloadService> = RpcSession::new()
- .setup_unix_domain_client(VM_PAYLOAD_SERVICE_SOCKET_NAME)
- .context(format!("Failed to connect to service: {}", VM_PAYLOAD_SERVICE_SOCKET_NAME))?;
- *connection = Some(new_connection.clone());
- Ok(new_connection)
- }
-}
-
-/// Make sure our logging goes to logcat. It is harmless to call this more than once.
-fn initialize_logging() {
- android_logger::init_once(
- android_logger::Config::default().with_tag("vm_payload").with_max_level(LevelFilter::Info),
- );
-}
-
-/// In many cases clients can't do anything useful if API calls fail, and the failure
-/// generally indicates that the VM is exiting or otherwise doomed. So rather than
-/// returning a non-actionable error indication we just log the problem and abort
-/// the process.
-fn unwrap_or_abort<T, E: Debug>(result: Result<T, E>) -> T {
- result.unwrap_or_else(|e| {
- let msg = format!("{:?}", e);
- error!("{msg}");
- panic!("{msg}")
- })
-}
-
-/// Notifies the host that the payload is ready.
-/// Panics on failure.
-#[no_mangle]
-pub extern "C" fn AVmPayload_notifyPayloadReady() {
- initialize_logging();
-
- if !ALREADY_NOTIFIED.swap(true, Ordering::Relaxed) {
- unwrap_or_abort(try_notify_payload_ready());
-
- info!("Notified host payload ready successfully");
- }
-}
-
-/// Notifies the host that the payload is ready.
-/// Returns a `Result` containing error information if failed.
-fn try_notify_payload_ready() -> Result<()> {
- get_vm_payload_service()?.notifyPayloadReady().context("Cannot notify payload ready")
-}
-
-/// Runs a binder RPC server, serving the supplied binder service implementation on the given vsock
-/// port.
-///
-/// If and when the server is ready for connections (it is listening on the port), `on_ready` is
-/// called to allow appropriate action to be taken - e.g. to notify clients that they may now
-/// attempt to connect.
-///
-/// The current thread joins the binder thread pool to handle incoming messages.
-/// This function never returns.
-///
-/// Panics on error (including unexpected server exit).
-///
-/// # Safety
-///
-/// If present, the `on_ready` callback must be a valid function pointer, which will be called at
-/// most once, while this function is executing, with the `param` parameter.
-#[no_mangle]
-pub unsafe extern "C" fn AVmPayload_runVsockRpcServer(
- service: *mut AIBinder,
- port: u32,
- on_ready: Option<unsafe extern "C" fn(param: *mut c_void)>,
- param: *mut c_void,
-) -> Infallible {
- initialize_logging();
-
- // SAFETY: try_run_vsock_server has the same requirements as this function
- unwrap_or_abort(unsafe { try_run_vsock_server(service, port, on_ready, param) })
-}
-
-/// # Safety: Same as `AVmPayload_runVsockRpcServer`.
-unsafe fn try_run_vsock_server(
- service: *mut AIBinder,
- port: u32,
- on_ready: Option<unsafe extern "C" fn(param: *mut c_void)>,
- param: *mut c_void,
-) -> Result<Infallible> {
- // SAFETY: AIBinder returned has correct reference count, and the ownership can
- // safely be taken by new_spibinder.
- let service = unsafe { new_spibinder(service) };
- if let Some(service) = service {
- match RpcServer::new_vsock(service, libc::VMADDR_CID_HOST, port) {
- Ok(server) => {
- if let Some(on_ready) = on_ready {
- // SAFETY: We're calling the callback with the parameter specified within the
- // allowed lifetime.
- unsafe { on_ready(param) };
- }
- server.join();
- bail!("RpcServer unexpectedly terminated");
- }
- Err(err) => {
- bail!("Failed to start RpcServer: {:?}", err);
- }
- }
- } else {
- bail!("Failed to convert the given service from AIBinder to SpIBinder.");
- }
-}
-
-/// Get a secret that is uniquely bound to this VM instance.
-/// Panics on failure.
-///
-/// # Safety
-///
-/// Behavior is undefined if any of the following conditions are violated:
-///
-/// * `identifier` must be [valid] for reads of `identifier_size` bytes.
-/// * `secret` must be [valid] for writes of `size` bytes.
-///
-/// [valid]: ptr#safety
-#[no_mangle]
-pub unsafe extern "C" fn AVmPayload_getVmInstanceSecret(
- identifier: *const u8,
- identifier_size: usize,
- secret: *mut u8,
- size: usize,
-) {
- initialize_logging();
-
- // SAFETY: See the requirements on `identifier` above.
- let identifier = unsafe { std::slice::from_raw_parts(identifier, identifier_size) };
- let vm_secret = unwrap_or_abort(try_get_vm_instance_secret(identifier, size));
-
- // SAFETY: See the requirements on `secret` above; `vm_secret` is known to have length `size`,
- // and cannot overlap `secret` because we just allocated it.
- unsafe {
- ptr::copy_nonoverlapping(vm_secret.as_ptr(), secret, size);
- }
-}
-
-fn try_get_vm_instance_secret(identifier: &[u8], size: usize) -> Result<Vec<u8>> {
- let vm_secret = get_vm_payload_service()?
- .getVmInstanceSecret(identifier, i32::try_from(size)?)
- .context("Cannot get VM instance secret")?;
- ensure!(
- vm_secret.len() == size,
- "Returned secret has {} bytes, expected {}",
- vm_secret.len(),
- size
- );
- Ok(vm_secret)
-}
-
-/// Get the VM's attestation chain.
-/// Panics on failure.
-///
-/// # Safety
-///
-/// Behavior is undefined if any of the following conditions are violated:
-///
-/// * `data` must be [valid] for writes of `size` bytes, if size > 0.
-///
-/// [valid]: ptr#safety
-#[no_mangle]
-pub unsafe extern "C" fn AVmPayload_getDiceAttestationChain(data: *mut u8, size: usize) -> usize {
- initialize_logging();
-
- let chain = unwrap_or_abort(try_get_dice_attestation_chain());
- if size != 0 {
- // SAFETY: See the requirements on `data` above. The number of bytes copied doesn't exceed
- // the length of either buffer, and `chain` cannot overlap `data` because we just allocated
- // it. We allow data to be null, which is never valid, but only if size == 0 which is
- // checked above.
- unsafe { ptr::copy_nonoverlapping(chain.as_ptr(), data, std::cmp::min(chain.len(), size)) };
- }
- chain.len()
-}
-
-fn try_get_dice_attestation_chain() -> Result<Vec<u8>> {
- get_vm_payload_service()?.getDiceAttestationChain().context("Cannot get attestation chain")
-}
-
-/// Get the VM's attestation CDI.
-/// Panics on failure.
-///
-/// # Safety
-///
-/// Behavior is undefined if any of the following conditions are violated:
-///
-/// * `data` must be [valid] for writes of `size` bytes, if size > 0.
-///
-/// [valid]: ptr#safety
-#[no_mangle]
-pub unsafe extern "C" fn AVmPayload_getDiceAttestationCdi(data: *mut u8, size: usize) -> usize {
- initialize_logging();
-
- let cdi = unwrap_or_abort(try_get_dice_attestation_cdi());
- if size != 0 {
- // SAFETY: See the requirements on `data` above. The number of bytes copied doesn't exceed
- // the length of either buffer, and `cdi` cannot overlap `data` because we just allocated
- // it. We allow data to be null, which is never valid, but only if size == 0 which is
- // checked above.
- unsafe { ptr::copy_nonoverlapping(cdi.as_ptr(), data, std::cmp::min(cdi.len(), size)) };
- }
- cdi.len()
-}
-
-fn try_get_dice_attestation_cdi() -> Result<Vec<u8>> {
- get_vm_payload_service()?.getDiceAttestationCdi().context("Cannot get attestation CDI")
-}
-
-/// Requests the remote attestation of the client VM.
-///
-/// The challenge will be included in the certificate chain in the attestation result,
-/// serving as proof of the freshness of the result.
-///
-/// # Safety
-///
-/// Behavior is undefined if any of the following conditions are violated:
-///
-/// * `challenge` must be [valid] for reads of `challenge_size` bytes.
-/// * `res` must be [valid] to write the attestation result.
-/// * The region of memory beginning at `challenge` with `challenge_size` bytes must not
-/// overlap with the region of memory `res` points to.
-///
-/// [valid]: ptr#safety
-#[no_mangle]
-pub unsafe extern "C" fn AVmPayload_requestAttestation(
- challenge: *const u8,
- challenge_size: usize,
- res: &mut *mut AttestationResult,
-) -> attestation_status_t {
- initialize_logging();
- const MAX_CHALLENGE_SIZE: usize = 64;
- if challenge_size > MAX_CHALLENGE_SIZE {
- return attestation_status_t::ATTESTATION_ERROR_INVALID_CHALLENGE;
- }
- let challenge = if challenge_size == 0 {
- &[]
- } else {
- // SAFETY: The caller guarantees that `challenge` is valid for reads of
- // `challenge_size` bytes and `challenge_size` is not zero.
- unsafe { std::slice::from_raw_parts(challenge, challenge_size) }
- };
- let service = unwrap_or_abort(get_vm_payload_service());
- match service.requestAttestation(challenge) {
- Ok(attestation_res) => {
- *res = Box::into_raw(Box::new(attestation_res));
- attestation_status_t::ATTESTATION_OK
- }
- Err(e) => {
- error!("Remote attestation failed: {e:?}");
- binder_status_to_attestation_status(e)
- }
- }
-}
-
-fn binder_status_to_attestation_status(status: binder::Status) -> attestation_status_t {
- match status.exception_code() {
- ExceptionCode::UNSUPPORTED_OPERATION => attestation_status_t::ATTESTATION_ERROR_UNSUPPORTED,
- _ => attestation_status_t::ATTESTATION_ERROR_ATTESTATION_FAILED,
- }
-}
-
-/// Converts the return value from `AVmPayload_requestAttestation` to a text string
-/// representing the error code.
-#[no_mangle]
-pub extern "C" fn AVmAttestationResult_resultToString(
- status: attestation_status_t,
-) -> *const c_char {
- let message = match status {
- attestation_status_t::ATTESTATION_OK => {
- CStr::from_bytes_with_nul(b"The remote attestation completes successfully.\0").unwrap()
- }
- attestation_status_t::ATTESTATION_ERROR_INVALID_CHALLENGE => {
- CStr::from_bytes_with_nul(b"The challenge size is not between 0 and 64.\0").unwrap()
- }
- attestation_status_t::ATTESTATION_ERROR_ATTESTATION_FAILED => {
- CStr::from_bytes_with_nul(b"Failed to attest the VM. Please retry at a later time.\0")
- .unwrap()
- }
- attestation_status_t::ATTESTATION_ERROR_UNSUPPORTED => CStr::from_bytes_with_nul(
- b"Remote attestation is not supported in the current environment.\0",
- )
- .unwrap(),
- };
- message.as_ptr()
-}
-
-/// Reads the DER-encoded ECPrivateKey structure specified in [RFC 5915 s3] for the
-/// EC P-256 private key from the provided attestation result.
-///
-/// # Safety
-///
-/// Behavior is undefined if any of the following conditions are violated:
-///
-/// * `data` must be [valid] for writes of `size` bytes, if size > 0.
-/// * The region of memory beginning at `data` with `size` bytes must not overlap with the
-/// region of memory `res` points to.
-///
-/// [valid]: ptr#safety
-/// [RFC 5915 s3]: https://datatracker.ietf.org/doc/html/rfc5915#section-3
-#[no_mangle]
-pub unsafe extern "C" fn AVmAttestationResult_getPrivateKey(
- res: &AttestationResult,
- data: *mut u8,
- size: usize,
-) -> usize {
- let private_key = &res.privateKey;
- if size != 0 {
- let data = NonNull::new(data).expect("data must not be null when size > 0");
- // SAFETY: See the requirements on `data` above. The number of bytes copied doesn't exceed
- // the length of either buffer, and the caller ensures that `private_key` cannot overlap
- // `data`. We allow data to be null, which is never valid, but only if size == 0
- // which is checked above.
- unsafe {
- ptr::copy_nonoverlapping(
- private_key.as_ptr(),
- data.as_ptr(),
- std::cmp::min(private_key.len(), size),
- )
- };
- }
- private_key.len()
-}
-
-/// Signs the given message using ECDSA P-256, the message is first hashed with SHA-256 and
-/// then it is signed with the attested EC P-256 private key in the attestation result.
-///
-/// # Safety
-///
-/// Behavior is undefined if any of the following conditions are violated:
-///
-/// * `message` must be [valid] for reads of `message_size` bytes.
-/// * `data` must be [valid] for writes of `size` bytes, if size > 0.
-/// * The region of memory beginning at `data` with `size` bytes must not overlap with the
-/// region of memory `res` or `message` point to.
-///
-///
-/// [valid]: ptr#safety
-#[no_mangle]
-pub unsafe extern "C" fn AVmAttestationResult_sign(
- res: &AttestationResult,
- message: *const u8,
- message_size: usize,
- data: *mut u8,
- size: usize,
-) -> usize {
- if message_size == 0 {
- panic!("Message to be signed must not be empty.")
- }
- // SAFETY: See the requirements on `message` above.
- let message = unsafe { std::slice::from_raw_parts(message, message_size) };
- let signature = unwrap_or_abort(try_ecdsa_sign(message, &res.privateKey));
- if size != 0 {
- let data = NonNull::new(data).expect("data must not be null when size > 0");
- // SAFETY: See the requirements on `data` above. The number of bytes copied doesn't exceed
- // the length of either buffer, and the caller ensures that `signature` cannot overlap
- // `data`. We allow data to be null, which is never valid, but only if size == 0
- // which is checked above.
- unsafe {
- ptr::copy_nonoverlapping(
- signature.as_ptr(),
- data.as_ptr(),
- std::cmp::min(signature.len(), size),
- )
- };
- }
- signature.len()
-}
-
-fn try_ecdsa_sign(message: &[u8], der_encoded_ec_private_key: &[u8]) -> Result<Vec<u8>> {
- let private_key = EcKey::private_key_from_der(der_encoded_ec_private_key)?;
- let digest = sha256(message);
- let sig = EcdsaSig::sign(&digest, &private_key)?;
- Ok(sig.to_der()?)
-}
-
-/// Gets the number of certificates in the certificate chain.
-#[no_mangle]
-pub extern "C" fn AVmAttestationResult_getCertificateCount(res: &AttestationResult) -> usize {
- res.certificateChain.len()
-}
-
-/// Retrieves the certificate at the given `index` from the certificate chain in the provided
-/// attestation result.
-///
-/// # Safety
-///
-/// Behavior is undefined if any of the following conditions are violated:
-///
-/// * `data` must be [valid] for writes of `size` bytes, if size > 0.
-/// * `index` must be within the range of [0, number of certificates). The number of certificates
-/// can be obtained with `AVmAttestationResult_getCertificateCount`.
-/// * The region of memory beginning at `data` with `size` bytes must not overlap with the
-/// region of memory `res` points to.
-///
-/// [valid]: ptr#safety
-#[no_mangle]
-pub unsafe extern "C" fn AVmAttestationResult_getCertificateAt(
- res: &AttestationResult,
- index: usize,
- data: *mut u8,
- size: usize,
-) -> usize {
- let certificate =
- &res.certificateChain.get(index).expect("The index is out of bounds.").encodedCertificate;
- if size != 0 {
- let data = NonNull::new(data).expect("data must not be null when size > 0");
- // SAFETY: See the requirements on `data` above. The number of bytes copied doesn't exceed
- // the length of either buffer, and the caller ensures that `certificate` cannot overlap
- // `data`. We allow data to be null, which is never valid, but only if size == 0
- // which is checked above.
- unsafe {
- ptr::copy_nonoverlapping(
- certificate.as_ptr(),
- data.as_ptr(),
- std::cmp::min(certificate.len(), size),
- )
- };
- }
- certificate.len()
-}
-
-/// Frees all the data owned by given attestation result and result itself.
-///
-/// # Safety
-///
-/// Behavior is undefined if any of the following conditions are violated:
-///
-/// * `res` must point to a valid `AttestationResult` and has not been freed before.
-#[no_mangle]
-pub unsafe extern "C" fn AVmAttestationResult_free(res: *mut AttestationResult) {
- if !res.is_null() {
- // SAFETY: The result is only freed once is ensured by the caller.
- let res = unsafe { Box::from_raw(res) };
- drop(res)
- }
-}
-
-/// Gets the path to the APK contents.
-#[no_mangle]
-pub extern "C" fn AVmPayload_getApkContentsPath() -> *const c_char {
- VM_APK_CONTENTS_PATH_C.as_ptr()
-}
-
-/// Gets the path to the VM's encrypted storage.
-#[no_mangle]
-pub extern "C" fn AVmPayload_getEncryptedStoragePath() -> *const c_char {
- if Path::new(ENCRYPTEDSTORE_MOUNTPOINT).exists() {
- VM_ENCRYPTED_STORAGE_PATH_C.as_ptr()
- } else {
- ptr::null()
- }
-}
diff --git a/vm_payload/src/lib.rs b/vm_payload/src/lib.rs
index 9e10895..7978059 100644
--- a/vm_payload/src/lib.rs
+++ b/vm_payload/src/lib.rs
@@ -12,14 +12,498 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-//! Library for payload to communicate with the Microdroid Manager.
+//! This module handles the interaction with virtual machine payload service.
-mod api;
-
-pub use api::{
- AVmAttestationResult_free, AVmAttestationResult_getCertificateAt,
- AVmAttestationResult_getCertificateCount, AVmAttestationResult_getPrivateKey,
- AVmAttestationResult_resultToString, AVmAttestationResult_sign,
- AVmPayload_getDiceAttestationCdi, AVmPayload_getDiceAttestationChain,
- AVmPayload_getVmInstanceSecret, AVmPayload_notifyPayloadReady, AVmPayload_requestAttestation,
+use android_system_virtualization_payload::aidl::android::system::virtualization::payload:: IVmPayloadService::{
+ IVmPayloadService, ENCRYPTEDSTORE_MOUNTPOINT, VM_APK_CONTENTS_PATH,
+ VM_PAYLOAD_SERVICE_SOCKET_NAME, AttestationResult::AttestationResult,
};
+use anyhow::{bail, ensure, Context, Result};
+use binder::{
+ unstable_api::{new_spibinder, AIBinder},
+ Strong, ExceptionCode,
+};
+use lazy_static::lazy_static;
+use log::{error, info, LevelFilter};
+use rpcbinder::{RpcServer, RpcSession};
+use openssl::{ec::EcKey, sha::sha256, ecdsa::EcdsaSig};
+use std::convert::Infallible;
+use std::ffi::{CString, CStr};
+use std::fmt::Debug;
+use std::os::raw::{c_char, c_void};
+use std::path::Path;
+use std::ptr::{self, NonNull};
+use std::sync::{
+ atomic::{AtomicBool, Ordering},
+ Mutex,
+};
+use vm_payload_status_bindgen::attestation_status_t;
+
+lazy_static! {
+ static ref VM_APK_CONTENTS_PATH_C: CString =
+ CString::new(VM_APK_CONTENTS_PATH).expect("CString::new failed");
+ static ref PAYLOAD_CONNECTION: Mutex<Option<Strong<dyn IVmPayloadService>>> = Mutex::default();
+ static ref VM_ENCRYPTED_STORAGE_PATH_C: CString =
+ CString::new(ENCRYPTEDSTORE_MOUNTPOINT).expect("CString::new failed");
+}
+
+static ALREADY_NOTIFIED: AtomicBool = AtomicBool::new(false);
+
+/// Return a connection to the payload service in Microdroid Manager. Uses the existing connection
+/// if there is one, otherwise attempts to create a new one.
+fn get_vm_payload_service() -> Result<Strong<dyn IVmPayloadService>> {
+ let mut connection = PAYLOAD_CONNECTION.lock().unwrap();
+ if let Some(strong) = &*connection {
+ Ok(strong.clone())
+ } else {
+ let new_connection: Strong<dyn IVmPayloadService> = RpcSession::new()
+ .setup_unix_domain_client(VM_PAYLOAD_SERVICE_SOCKET_NAME)
+ .context(format!("Failed to connect to service: {}", VM_PAYLOAD_SERVICE_SOCKET_NAME))?;
+ *connection = Some(new_connection.clone());
+ Ok(new_connection)
+ }
+}
+
+/// Make sure our logging goes to logcat. It is harmless to call this more than once.
+fn initialize_logging() {
+ android_logger::init_once(
+ android_logger::Config::default().with_tag("vm_payload").with_max_level(LevelFilter::Info),
+ );
+}
+
+/// In many cases clients can't do anything useful if API calls fail, and the failure
+/// generally indicates that the VM is exiting or otherwise doomed. So rather than
+/// returning a non-actionable error indication we just log the problem and abort
+/// the process.
+fn unwrap_or_abort<T, E: Debug>(result: Result<T, E>) -> T {
+ result.unwrap_or_else(|e| {
+ let msg = format!("{:?}", e);
+ error!("{msg}");
+ panic!("{msg}")
+ })
+}
+
+/// Notifies the host that the payload is ready.
+/// Panics on failure.
+#[no_mangle]
+pub extern "C" fn AVmPayload_notifyPayloadReady() {
+ initialize_logging();
+
+ if !ALREADY_NOTIFIED.swap(true, Ordering::Relaxed) {
+ unwrap_or_abort(try_notify_payload_ready());
+
+ info!("Notified host payload ready successfully");
+ }
+}
+
+/// Notifies the host that the payload is ready.
+/// Returns a `Result` containing error information if failed.
+fn try_notify_payload_ready() -> Result<()> {
+ get_vm_payload_service()?.notifyPayloadReady().context("Cannot notify payload ready")
+}
+
+/// Runs a binder RPC server, serving the supplied binder service implementation on the given vsock
+/// port.
+///
+/// If and when the server is ready for connections (it is listening on the port), `on_ready` is
+/// called to allow appropriate action to be taken - e.g. to notify clients that they may now
+/// attempt to connect.
+///
+/// The current thread joins the binder thread pool to handle incoming messages.
+/// This function never returns.
+///
+/// Panics on error (including unexpected server exit).
+///
+/// # Safety
+///
+/// If present, the `on_ready` callback must be a valid function pointer, which will be called at
+/// most once, while this function is executing, with the `param` parameter.
+#[no_mangle]
+pub unsafe extern "C" fn AVmPayload_runVsockRpcServer(
+ service: *mut AIBinder,
+ port: u32,
+ on_ready: Option<unsafe extern "C" fn(param: *mut c_void)>,
+ param: *mut c_void,
+) -> Infallible {
+ initialize_logging();
+
+ // SAFETY: try_run_vsock_server has the same requirements as this function
+ unwrap_or_abort(unsafe { try_run_vsock_server(service, port, on_ready, param) })
+}
+
+/// # Safety: Same as `AVmPayload_runVsockRpcServer`.
+unsafe fn try_run_vsock_server(
+ service: *mut AIBinder,
+ port: u32,
+ on_ready: Option<unsafe extern "C" fn(param: *mut c_void)>,
+ param: *mut c_void,
+) -> Result<Infallible> {
+ // SAFETY: AIBinder returned has correct reference count, and the ownership can
+ // safely be taken by new_spibinder.
+ let service = unsafe { new_spibinder(service) };
+ if let Some(service) = service {
+ match RpcServer::new_vsock(service, libc::VMADDR_CID_HOST, port) {
+ Ok(server) => {
+ if let Some(on_ready) = on_ready {
+ // SAFETY: We're calling the callback with the parameter specified within the
+ // allowed lifetime.
+ unsafe { on_ready(param) };
+ }
+ server.join();
+ bail!("RpcServer unexpectedly terminated");
+ }
+ Err(err) => {
+ bail!("Failed to start RpcServer: {:?}", err);
+ }
+ }
+ } else {
+ bail!("Failed to convert the given service from AIBinder to SpIBinder.");
+ }
+}
+
+/// Get a secret that is uniquely bound to this VM instance.
+/// Panics on failure.
+///
+/// # Safety
+///
+/// Behavior is undefined if any of the following conditions are violated:
+///
+/// * `identifier` must be [valid] for reads of `identifier_size` bytes.
+/// * `secret` must be [valid] for writes of `size` bytes.
+///
+/// [valid]: ptr#safety
+#[no_mangle]
+pub unsafe extern "C" fn AVmPayload_getVmInstanceSecret(
+ identifier: *const u8,
+ identifier_size: usize,
+ secret: *mut u8,
+ size: usize,
+) {
+ initialize_logging();
+
+ // SAFETY: See the requirements on `identifier` above.
+ let identifier = unsafe { std::slice::from_raw_parts(identifier, identifier_size) };
+ let vm_secret = unwrap_or_abort(try_get_vm_instance_secret(identifier, size));
+
+ // SAFETY: See the requirements on `secret` above; `vm_secret` is known to have length `size`,
+ // and cannot overlap `secret` because we just allocated it.
+ unsafe {
+ ptr::copy_nonoverlapping(vm_secret.as_ptr(), secret, size);
+ }
+}
+
+fn try_get_vm_instance_secret(identifier: &[u8], size: usize) -> Result<Vec<u8>> {
+ let vm_secret = get_vm_payload_service()?
+ .getVmInstanceSecret(identifier, i32::try_from(size)?)
+ .context("Cannot get VM instance secret")?;
+ ensure!(
+ vm_secret.len() == size,
+ "Returned secret has {} bytes, expected {}",
+ vm_secret.len(),
+ size
+ );
+ Ok(vm_secret)
+}
+
+/// Get the VM's attestation chain.
+/// Panics on failure.
+///
+/// # Safety
+///
+/// Behavior is undefined if any of the following conditions are violated:
+///
+/// * `data` must be [valid] for writes of `size` bytes, if size > 0.
+///
+/// [valid]: ptr#safety
+#[no_mangle]
+pub unsafe extern "C" fn AVmPayload_getDiceAttestationChain(data: *mut u8, size: usize) -> usize {
+ initialize_logging();
+
+ let chain = unwrap_or_abort(try_get_dice_attestation_chain());
+ if size != 0 {
+ // SAFETY: See the requirements on `data` above. The number of bytes copied doesn't exceed
+ // the length of either buffer, and `chain` cannot overlap `data` because we just allocated
+ // it. We allow data to be null, which is never valid, but only if size == 0 which is
+ // checked above.
+ unsafe { ptr::copy_nonoverlapping(chain.as_ptr(), data, std::cmp::min(chain.len(), size)) };
+ }
+ chain.len()
+}
+
+fn try_get_dice_attestation_chain() -> Result<Vec<u8>> {
+ get_vm_payload_service()?.getDiceAttestationChain().context("Cannot get attestation chain")
+}
+
+/// Get the VM's attestation CDI.
+/// Panics on failure.
+///
+/// # Safety
+///
+/// Behavior is undefined if any of the following conditions are violated:
+///
+/// * `data` must be [valid] for writes of `size` bytes, if size > 0.
+///
+/// [valid]: ptr#safety
+#[no_mangle]
+pub unsafe extern "C" fn AVmPayload_getDiceAttestationCdi(data: *mut u8, size: usize) -> usize {
+ initialize_logging();
+
+ let cdi = unwrap_or_abort(try_get_dice_attestation_cdi());
+ if size != 0 {
+ // SAFETY: See the requirements on `data` above. The number of bytes copied doesn't exceed
+ // the length of either buffer, and `cdi` cannot overlap `data` because we just allocated
+ // it. We allow data to be null, which is never valid, but only if size == 0 which is
+ // checked above.
+ unsafe { ptr::copy_nonoverlapping(cdi.as_ptr(), data, std::cmp::min(cdi.len(), size)) };
+ }
+ cdi.len()
+}
+
+fn try_get_dice_attestation_cdi() -> Result<Vec<u8>> {
+ get_vm_payload_service()?.getDiceAttestationCdi().context("Cannot get attestation CDI")
+}
+
+/// Requests the remote attestation of the client VM.
+///
+/// The challenge will be included in the certificate chain in the attestation result,
+/// serving as proof of the freshness of the result.
+///
+/// # Safety
+///
+/// Behavior is undefined if any of the following conditions are violated:
+///
+/// * `challenge` must be [valid] for reads of `challenge_size` bytes.
+/// * `res` must be [valid] to write the attestation result.
+/// * The region of memory beginning at `challenge` with `challenge_size` bytes must not
+/// overlap with the region of memory `res` points to.
+///
+/// [valid]: ptr#safety
+#[no_mangle]
+pub unsafe extern "C" fn AVmPayload_requestAttestation(
+ challenge: *const u8,
+ challenge_size: usize,
+ res: &mut *mut AttestationResult,
+) -> attestation_status_t {
+ initialize_logging();
+ const MAX_CHALLENGE_SIZE: usize = 64;
+ if challenge_size > MAX_CHALLENGE_SIZE {
+ return attestation_status_t::ATTESTATION_ERROR_INVALID_CHALLENGE;
+ }
+ let challenge = if challenge_size == 0 {
+ &[]
+ } else {
+ // SAFETY: The caller guarantees that `challenge` is valid for reads of
+ // `challenge_size` bytes and `challenge_size` is not zero.
+ unsafe { std::slice::from_raw_parts(challenge, challenge_size) }
+ };
+ let service = unwrap_or_abort(get_vm_payload_service());
+ match service.requestAttestation(challenge) {
+ Ok(attestation_res) => {
+ *res = Box::into_raw(Box::new(attestation_res));
+ attestation_status_t::ATTESTATION_OK
+ }
+ Err(e) => {
+ error!("Remote attestation failed: {e:?}");
+ binder_status_to_attestation_status(e)
+ }
+ }
+}
+
+fn binder_status_to_attestation_status(status: binder::Status) -> attestation_status_t {
+ match status.exception_code() {
+ ExceptionCode::UNSUPPORTED_OPERATION => attestation_status_t::ATTESTATION_ERROR_UNSUPPORTED,
+ _ => attestation_status_t::ATTESTATION_ERROR_ATTESTATION_FAILED,
+ }
+}
+
+/// Converts the return value from `AVmPayload_requestAttestation` to a text string
+/// representing the error code.
+#[no_mangle]
+pub extern "C" fn AVmAttestationResult_resultToString(
+ status: attestation_status_t,
+) -> *const c_char {
+ let message = match status {
+ attestation_status_t::ATTESTATION_OK => {
+ CStr::from_bytes_with_nul(b"The remote attestation completes successfully.\0").unwrap()
+ }
+ attestation_status_t::ATTESTATION_ERROR_INVALID_CHALLENGE => {
+ CStr::from_bytes_with_nul(b"The challenge size is not between 0 and 64.\0").unwrap()
+ }
+ attestation_status_t::ATTESTATION_ERROR_ATTESTATION_FAILED => {
+ CStr::from_bytes_with_nul(b"Failed to attest the VM. Please retry at a later time.\0")
+ .unwrap()
+ }
+ attestation_status_t::ATTESTATION_ERROR_UNSUPPORTED => CStr::from_bytes_with_nul(
+ b"Remote attestation is not supported in the current environment.\0",
+ )
+ .unwrap(),
+ };
+ message.as_ptr()
+}
+
+/// Reads the DER-encoded ECPrivateKey structure specified in [RFC 5915 s3] for the
+/// EC P-256 private key from the provided attestation result.
+///
+/// # Safety
+///
+/// Behavior is undefined if any of the following conditions are violated:
+///
+/// * `data` must be [valid] for writes of `size` bytes, if size > 0.
+/// * The region of memory beginning at `data` with `size` bytes must not overlap with the
+/// region of memory `res` points to.
+///
+/// [valid]: ptr#safety
+/// [RFC 5915 s3]: https://datatracker.ietf.org/doc/html/rfc5915#section-3
+#[no_mangle]
+pub unsafe extern "C" fn AVmAttestationResult_getPrivateKey(
+ res: &AttestationResult,
+ data: *mut u8,
+ size: usize,
+) -> usize {
+ let private_key = &res.privateKey;
+ if size != 0 {
+ let data = NonNull::new(data).expect("data must not be null when size > 0");
+ // SAFETY: See the requirements on `data` above. The number of bytes copied doesn't exceed
+ // the length of either buffer, and the caller ensures that `private_key` cannot overlap
+ // `data`. We allow data to be null, which is never valid, but only if size == 0
+ // which is checked above.
+ unsafe {
+ ptr::copy_nonoverlapping(
+ private_key.as_ptr(),
+ data.as_ptr(),
+ std::cmp::min(private_key.len(), size),
+ )
+ };
+ }
+ private_key.len()
+}
+
+/// Signs the given message using ECDSA P-256, the message is first hashed with SHA-256 and
+/// then it is signed with the attested EC P-256 private key in the attestation result.
+///
+/// # Safety
+///
+/// Behavior is undefined if any of the following conditions are violated:
+///
+/// * `message` must be [valid] for reads of `message_size` bytes.
+/// * `data` must be [valid] for writes of `size` bytes, if size > 0.
+/// * The region of memory beginning at `data` with `size` bytes must not overlap with the
+/// region of memory `res` or `message` point to.
+///
+///
+/// [valid]: ptr#safety
+#[no_mangle]
+pub unsafe extern "C" fn AVmAttestationResult_sign(
+ res: &AttestationResult,
+ message: *const u8,
+ message_size: usize,
+ data: *mut u8,
+ size: usize,
+) -> usize {
+ if message_size == 0 {
+ panic!("Message to be signed must not be empty.")
+ }
+ // SAFETY: See the requirements on `message` above.
+ let message = unsafe { std::slice::from_raw_parts(message, message_size) };
+ let signature = unwrap_or_abort(try_ecdsa_sign(message, &res.privateKey));
+ if size != 0 {
+ let data = NonNull::new(data).expect("data must not be null when size > 0");
+ // SAFETY: See the requirements on `data` above. The number of bytes copied doesn't exceed
+ // the length of either buffer, and the caller ensures that `signature` cannot overlap
+ // `data`. We allow data to be null, which is never valid, but only if size == 0
+ // which is checked above.
+ unsafe {
+ ptr::copy_nonoverlapping(
+ signature.as_ptr(),
+ data.as_ptr(),
+ std::cmp::min(signature.len(), size),
+ )
+ };
+ }
+ signature.len()
+}
+
+fn try_ecdsa_sign(message: &[u8], der_encoded_ec_private_key: &[u8]) -> Result<Vec<u8>> {
+ let private_key = EcKey::private_key_from_der(der_encoded_ec_private_key)?;
+ let digest = sha256(message);
+ let sig = EcdsaSig::sign(&digest, &private_key)?;
+ Ok(sig.to_der()?)
+}
+
+/// Gets the number of certificates in the certificate chain.
+#[no_mangle]
+pub extern "C" fn AVmAttestationResult_getCertificateCount(res: &AttestationResult) -> usize {
+ res.certificateChain.len()
+}
+
+/// Retrieves the certificate at the given `index` from the certificate chain in the provided
+/// attestation result.
+///
+/// # Safety
+///
+/// Behavior is undefined if any of the following conditions are violated:
+///
+/// * `data` must be [valid] for writes of `size` bytes, if size > 0.
+/// * `index` must be within the range of [0, number of certificates). The number of certificates
+/// can be obtained with `AVmAttestationResult_getCertificateCount`.
+/// * The region of memory beginning at `data` with `size` bytes must not overlap with the
+/// region of memory `res` points to.
+///
+/// [valid]: ptr#safety
+#[no_mangle]
+pub unsafe extern "C" fn AVmAttestationResult_getCertificateAt(
+ res: &AttestationResult,
+ index: usize,
+ data: *mut u8,
+ size: usize,
+) -> usize {
+ let certificate =
+ &res.certificateChain.get(index).expect("The index is out of bounds.").encodedCertificate;
+ if size != 0 {
+ let data = NonNull::new(data).expect("data must not be null when size > 0");
+ // SAFETY: See the requirements on `data` above. The number of bytes copied doesn't exceed
+ // the length of either buffer, and the caller ensures that `certificate` cannot overlap
+ // `data`. We allow data to be null, which is never valid, but only if size == 0
+ // which is checked above.
+ unsafe {
+ ptr::copy_nonoverlapping(
+ certificate.as_ptr(),
+ data.as_ptr(),
+ std::cmp::min(certificate.len(), size),
+ )
+ };
+ }
+ certificate.len()
+}
+
+/// Frees all the data owned by given attestation result and result itself.
+///
+/// # Safety
+///
+/// Behavior is undefined if any of the following conditions are violated:
+///
+/// * `res` must point to a valid `AttestationResult` and has not been freed before.
+#[no_mangle]
+pub unsafe extern "C" fn AVmAttestationResult_free(res: *mut AttestationResult) {
+ if !res.is_null() {
+ // SAFETY: The result is only freed once is ensured by the caller.
+ let res = unsafe { Box::from_raw(res) };
+ drop(res)
+ }
+}
+
+/// Gets the path to the APK contents.
+#[no_mangle]
+pub extern "C" fn AVmPayload_getApkContentsPath() -> *const c_char {
+ VM_APK_CONTENTS_PATH_C.as_ptr()
+}
+
+/// Gets the path to the VM's encrypted storage.
+#[no_mangle]
+pub extern "C" fn AVmPayload_getEncryptedStoragePath() -> *const c_char {
+ if Path::new(ENCRYPTEDSTORE_MOUNTPOINT).exists() {
+ VM_ENCRYPTED_STORAGE_PATH_C.as_ptr()
+ } else {
+ ptr::null()
+ }
+}
diff --git a/vmbase/Android.bp b/vmbase/Android.bp
index e682773..07e1b4c 100644
--- a/vmbase/Android.bp
+++ b/vmbase/Android.bp
@@ -41,6 +41,7 @@
// Used by extra cc_library_static linked into the final ELF.
cc_defaults {
name: "vmbase_cc_defaults",
+ defaults: ["avf_build_flags_cc"],
nocrt: true,
no_libcrt: true,
system_shared_libs: [],
diff --git a/vmbase/example/tests/test.rs b/vmbase/example/tests/test.rs
index 17ff947..2df5a80 100644
--- a/vmbase/example/tests/test.rs
+++ b/vmbase/example/tests/test.rs
@@ -42,7 +42,9 @@
#[test]
fn test_run_example_vm() -> Result<(), Error> {
android_logger::init_once(
- android_logger::Config::default().with_tag("vmbase").with_min_level(log::Level::Debug),
+ android_logger::Config::default()
+ .with_tag("vmbase")
+ .with_max_level(log::LevelFilter::Debug),
);
// Redirect panic messages to logcat.