[attestation] Optimize request processing in Service VM
Prior to this cl, the Service VM started and stopped for each
individual request, leading to inefficiency during the AVF key
provisioning phase where 20+ requests might arrive in quick
succession.
This cl optimized this process by adding a 1-second delay before
the Service VM shuts down. This delay ensures the Service VM
remains active if requests are closely spaced, preventing
unnecessary restarts during batch processing.
This cl decreases the total duration for AVF key provisioning
from ~5 seconds to 790ms on a local device.
Bug: 327186248
Test: atest AvfRkpdVmAttestationTestApp \
VmAttestationTestApp
Change-Id: I6500a535b0cd43d804281e77e90cda5d242bc41a
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index 208bdce..0adde99 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -269,6 +269,13 @@
.context("Failed to generate ECDSA P-256 key pair for testing")
.with_log()
.or_service_specific_exception(-1)?;
+ // Wait until the service VM shuts down, so that the Service VM will be restarted when
+ // the key generated in the current session will be used for attestation.
+ // This ensures that different Service VM sessions have the same KEK for the key blob.
+ service_vm_manager::wait_until_service_vm_shuts_down()
+ .context("Failed to wait until the service VM shuts down")
+ .with_log()
+ .or_service_specific_exception(-1)?;
match res {
Response::GenerateEcdsaP256KeyPair(key_pair) => {
FAKE_PROVISIONED_KEY_BLOB_FOR_TESTING
diff --git a/virtualizationservice/src/rkpvm.rs b/virtualizationservice/src/rkpvm.rs
index 67ba740..6898921 100644
--- a/virtualizationservice/src/rkpvm.rs
+++ b/virtualizationservice/src/rkpvm.rs
@@ -21,28 +21,25 @@
use service_vm_comm::{
ClientVmAttestationParams, GenerateCertificateRequestParams, Request, Response,
};
-use service_vm_manager::ServiceVm;
+use service_vm_manager::process_request;
pub(crate) fn request_attestation(
csr: Vec<u8>,
remotely_provisioned_key_blob: Vec<u8>,
remotely_provisioned_cert: Vec<u8>,
) -> Result<Vec<u8>> {
- let mut vm = ServiceVm::start()?;
-
let params =
ClientVmAttestationParams { csr, remotely_provisioned_key_blob, remotely_provisioned_cert };
let request = Request::RequestClientVmAttestation(params);
- match vm.process_request(request).context("Failed to process request")? {
+ match process_request(request).context("Failed to process request")? {
Response::RequestClientVmAttestation(cert) => Ok(cert),
other => bail!("Incorrect response type {other:?}"),
}
}
pub(crate) fn generate_ecdsa_p256_key_pair() -> Result<Response> {
- let mut vm = ServiceVm::start()?;
let request = Request::GenerateEcdsaP256KeyPair;
- vm.process_request(request).context("Failed to process request")
+ process_request(request).context("Failed to process request")
}
pub(crate) fn generate_certificate_request(
@@ -55,6 +52,5 @@
};
let request = Request::GenerateCertificateRequest(params);
- let mut vm = ServiceVm::start()?;
- vm.process_request(request).context("Failed to process request")
+ process_request(request).context("Failed to process request")
}