Merge "Add boot time benchmark for Microdroid VM with vendor partition" into main
diff --git a/Android.bp b/Android.bp
index 4fa696f..22581b0 100644
--- a/Android.bp
+++ b/Android.bp
@@ -36,6 +36,7 @@
"release_avf_enable_dice_changes",
"release_avf_enable_llpvm_changes",
"release_avf_enable_multi_tenant_microdroid_vm",
+ "release_avf_enable_remote_attestation",
"release_avf_enable_vendor_modules",
],
properties: [
@@ -55,6 +56,9 @@
release_avf_enable_multi_tenant_microdroid_vm: {
cfgs: ["payload_not_root"],
},
+ release_avf_enable_remote_attestation: {
+ cfgs: ["remote_attestation"],
+ },
release_avf_enable_vendor_modules: {
cfgs: ["vendor_modules"],
},
diff --git a/pvmfw/src/fdt.rs b/pvmfw/src/fdt.rs
index 244b192..61de423 100644
--- a/pvmfw/src/fdt.rs
+++ b/pvmfw/src/fdt.rs
@@ -732,6 +732,7 @@
strict_boot: bool,
debug_policy: Option<&mut [u8]>,
debuggable: bool,
+ kaslr_seed: u64,
) -> libfdt::Result<()> {
if let Some(debug_policy) = debug_policy {
let backup = Vec::from(fdt.as_slice());
@@ -753,6 +754,7 @@
if let Some(mut chosen) = fdt.chosen_mut()? {
empty_or_delete_prop(&mut chosen, cstr!("avf,strict-boot"), strict_boot)?;
empty_or_delete_prop(&mut chosen, cstr!("avf,new-instance"), new_instance)?;
+ chosen.setprop_inplace(cstr!("kaslr-seed"), &kaslr_seed.to_be_bytes())?;
};
if !debuggable {
if let Some(bootargs) = read_bootargs_from(fdt)? {
diff --git a/pvmfw/src/main.rs b/pvmfw/src/main.rs
index c6aa309..d39d51c 100644
--- a/pvmfw/src/main.rs
+++ b/pvmfw/src/main.rs
@@ -52,6 +52,7 @@
use vmbase::heap;
use vmbase::memory::flush;
use vmbase::memory::MEMORY;
+use vmbase::rand;
use vmbase::virtio::pci;
const NEXT_BCC_SIZE: usize = GUEST_PAGE_SIZE;
@@ -154,12 +155,24 @@
})?;
flush(next_bcc);
+ let kaslr_seed = u64::from_ne_bytes(rand::random_array().map_err(|e| {
+ error!("Failed to generated guest KASLR seed: {e}");
+ RebootReason::InternalError
+ })?);
let strict_boot = true;
- modify_for_next_stage(fdt, next_bcc, new_instance, strict_boot, debug_policy, debuggable)
- .map_err(|e| {
- error!("Failed to configure device tree: {e}");
- RebootReason::InternalError
- })?;
+ modify_for_next_stage(
+ fdt,
+ next_bcc,
+ new_instance,
+ strict_boot,
+ debug_policy,
+ debuggable,
+ kaslr_seed,
+ )
+ .map_err(|e| {
+ error!("Failed to configure device tree: {e}");
+ RebootReason::InternalError
+ })?;
info!("Starting payload...");
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index 6f5a487..645a82b 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -160,10 +160,20 @@
fn requestCertificate(&self, csr: &[u8]) -> binder::Result<Vec<u8>> {
check_manage_access()?;
info!("Received csr. Getting certificate...");
- request_certificate(csr)
- .context("Failed to get certificate")
+ if cfg!(remote_attestation) {
+ request_certificate(csr)
+ .context("Failed to get certificate")
+ .with_log()
+ .or_service_specific_exception(-1)
+ } else {
+ Err(Status::new_exception_str(
+ ExceptionCode::UNSUPPORTED_OPERATION,
+ Some(
+ "requestCertificate is not supported with the remote_attestation feature disabled",
+ ),
+ ))
.with_log()
- .or_service_specific_exception(-1)
+ }
}
fn getAssignableDevices(&self) -> binder::Result<Vec<AssignableDevice>> {