Enable verifying vendor partition

This change would make the vendor partition be verified by the root digest
in the DT node. The root digest is passed from the host for the non-protected
VM, and from the pvmfw for the protected VM. This change should be
submitted after supporting passing the root digest for the pvmfw.

Bug: 285855436
Test: atest MicrodroidTests
Test: atest MicrodroidBenchmarks#testMicrodroidDebugBootTime_withVendorPartition
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid --vendor /vendor/etc/avf/microdroid/microdroid_vendor.img
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid --vendor /vendor/etc/avf/microdroid/microdroid_vendor.img --protected
Change-Id: Ic9de35509a42ecdc7b00cc2ec3dd2dbcc1d71125
diff --git a/microdroid/fstab.microdroid b/microdroid/fstab.microdroid
index da000b9..2742757 100644
--- a/microdroid/fstab.microdroid
+++ b/microdroid/fstab.microdroid
@@ -2,6 +2,4 @@
# This is a temporary solution to unblock other devs that depend on /vendor partition in Microdroid
# The /vendor partition will only be mounted if the kernel cmdline contains
# androidboot.microdroid.mount_vendor=1.
-# TODO(b/285855430): this should probably be defined in the DT
-# TODO(b/285855436): should be mounted on top of dm-verity device
-/dev/block/by-name/microdroid-vendor /vendor ext4 noatime,ro,errors=panic wait,first_stage_mount
+/dev/block/by-name/microdroid-vendor /vendor ext4 noatime,ro,errors=panic wait,first_stage_mount,avb_hashtree_digest=/sys/firmware/devicetree/base/avf/vendor_hashtree_descriptor_root_digest
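Review bot: The removed `# TODO(b/285855430): this should probably be defined in the DT` line does not look resolved by this change: the commit message cites only Bug: 285855436, and the mount entry is still defined in this fstab, with only the digest path pointing into the DT. Consider keeping that TODO, or referencing b/285855430 in the commit message if it is handled elsewhere. The retained header comment still calls this "a temporary solution" and describes only the `androidboot.microdroid.mount_vendor=1` gate, so it would help to add a comment line above the new entry saying that `avb_hashtree_digest=` reads the root digest from `/sys/firmware/devicetree/base/avf/vendor_hashtree_descriptor_root_digest`, who populates that node (host for non-protected, pvmfw for protected VMs, per the commit message), and what the expected outcome is when the node is missing, since the entry is mounted with `errors=panic` at first stage and the commit message notes a dependency on pvmfw support landing first.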