commit 8383c54b3362906f55be3a9f8ccba575e984952e
author Pierre-Clément Tosi <ptosi@google.com> Tue Nov 01 14:07:29 2022 +0000
committer Pierre-Clément Tosi <ptosi@google.com> Tue Dec 13 16:23:49 2022 +0000
tree 5d707215ee2aad3f065296c870f2af26c4815a82
parent 51c68e509148396b6465ac4efdd473c97eaed59d

pvmfw: Zeroize BCC before jumping to payload

As the BCC contains secrets used by pvmfw, zeroize it (and flush to PoU)
to ensure that we don't leak those secrets to the payload.

Bug: 256827715
Test: Read BCC from payload
Change-Id: I38a4296e51c18936b9d42da8e76517fc99a2b98f

pvmfw/Android.bp

diff --git a/pvmfw/Android.bp b/pvmfw/Android.bp
index b6c115b..356e58f 100644
--- a/pvmfw/Android.bp
+++ b/pvmfw/Android.bp
@@ -21,6 +21,7 @@
         "libpvmfw_embedded_key",
         "libtinyvec_nostd",
         "libvmbase",
+        "libzeroize_nostd",
     ],
     apex_available: ["com.android.virt"],
 }

pvmfw/src/entry.rs

diff --git a/pvmfw/src/entry.rs b/pvmfw/src/entry.rs
index bffc140..c527e22 100644
--- a/pvmfw/src/entry.rs
+++ b/pvmfw/src/entry.rs
@@ -247,7 +247,7 @@
     // This wrapper allows main() to be blissfully ignorant of platform details.
     crate::main(slices.fdt, slices.kernel, slices.ramdisk, &bcc, &mut memory)?;
 
-    // TODO: Overwrite BCC before jumping to payload to avoid leaking our sealing key.
+    helpers::flushed_zeroize(bcc_slice);
 
     info!("Expecting a bug making MMIO_GUARD_UNMAP return NOT_SUPPORTED on success");
     memory.mmio_unmap_all().map_err(|e| {

pvmfw/src/helpers.rs

diff --git a/pvmfw/src/helpers.rs b/pvmfw/src/helpers.rs
index f1ff36d..d1b828a 100644
--- a/pvmfw/src/helpers.rs
+++ b/pvmfw/src/helpers.rs
@@ -15,6 +15,7 @@
 //! Miscellaneous helper functions.
 
 use core::arch::asm;
+use zeroize::Zeroize;
 
 pub const SIZE_4KB: usize = 4 << 10;
 pub const SIZE_2MB: usize = 2 << 20;
@@ -75,3 +76,10 @@
         unsafe { asm!("dc cvau, {x}", x = in(reg) line) }
     }
 }
+
+#[inline]
+/// Overwrites the slice with zeroes, to the point of unification.
+pub fn flushed_zeroize(reg: &mut [u8]) {
+    reg.zeroize();
+    flush_region(reg.as_ptr() as usize, reg.len())
+}