pvmfw: avb: Add API tests for tampered initrd
Add tests specifically covering a tampered initrd of unmodified size.
Add comment explaining why pvmfw::avb::Ops::verify_partition() works on
initrd, so that I don't have to go back and read libavb code again next
time I come across this code and have inevitably forgotten why it works.
Test: TH
Change-Id: I1597037f3d28d927a591eefc6570cfbedba9ad94
diff --git a/guest/pvmfw/avb/src/ops.rs b/guest/pvmfw/avb/src/ops.rs
index 62bf239..780e23b 100644
--- a/guest/pvmfw/avb/src/ops.rs
+++ b/guest/pvmfw/avb/src/ops.rs
@@ -60,6 +60,14 @@
&mut self,
partition_name: &CStr,
) -> SlotVerifyResult<SlotVerifyData<'a>> {
+ // Note that this call manages to verify the initrd images using hashes contained in the
+ // (unique) VBMeta from the end of self.kernel because if
+ //
+ // - read_from_partition("vbmeta") returns AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION and
+ // - we do NOT pass AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION to slot_verify()
+ //
+ // then libavb (specifically, avb_slot_verify()) falls back to retrieving VBMeta from the
+ // footer of the "boot" partition i.e. self.kernel (see PartitionName::Kernel).
slot_verify(
self,
&[partition_name],
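Review bot: Of the two preconditions the new comment rests on, only the second (no `AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION` passed below) is visible in this function; the first, `read_from_partition("vbmeta")` returning `AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION`, is enforced elsewhere in the file (presumably this type's `read_from_partition` implementation), so a change there would silently turn this explanation stale. Suggest closing the comment with a pointer that ties the two together, e.g. `// The "vbmeta" -> NO_SUCH_PARTITION behaviour lives in read_from_partition(); if that ever` / `// returns data, libavb will use that VBMeta instead of the one bound to the kernel footer.` It may also be worth one sentence noting that the footer VBMeta is still signature-checked by libavb through the ops' public-key validation callback, so a reader does not take "falls back" to mean the initrd hashes come from an unauthenticated source. The enclosing `verify_partition` signature starts above the hunk.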
diff --git a/guest/pvmfw/avb/tests/api_test.rs b/guest/pvmfw/avb/tests/api_test.rs
index 29a6277..df33830 100644
--- a/guest/pvmfw/avb/tests/api_test.rs
+++ b/guest/pvmfw/avb/tests/api_test.rs
@@ -356,6 +356,32 @@
}
#[test]
+fn tampered_normal_initrd_fails_verification() -> Result<()> {
+ let mut initrd = load_latest_initrd_normal()?;
+ initrd[1] = !initrd[1]; // Flip the bits
+
+ assert_payload_verification_with_initrd_fails(
+ &load_latest_signed_kernel()?,
+ &initrd,
+ &load_trusted_public_key()?,
+ SlotVerifyError::Verification(None).into(),
+ )
+}
+
+#[test]
+fn tampered_debug_initrd_fails_verification() -> Result<()> {
+ let mut initrd = load_latest_initrd_debug()?;
+ initrd[1] = !initrd[1]; // Flip the bits
+
+ assert_payload_verification_with_initrd_fails(
+ &load_latest_signed_kernel()?,
+ &initrd,
+ &load_trusted_public_key()?,
+ SlotVerifyError::Verification(None).into(),
+ )
+}
+
+#[test]
fn tampered_vbmeta_fails_verification() -> Result<()> {
let mut kernel = load_latest_signed_kernel()?;
let footer = extract_avb_footer(&kernel)?;