Merge "Update the getting started doc"
diff --git a/apex/Android.bp b/apex/Android.bp
index e39b459..1c4d357 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -92,6 +92,8 @@
"microdroid_initrd_normal",
"microdroid.json",
"microdroid_kernel",
+ // rialto_bin is a prebuilt target wrapping the signed bare-metal service VM.
+ "rialto_bin",
],
host_required: [
"vm_shell",
diff --git a/compos/tests/java/android/compos/test/ComposTestCase.java b/compos/tests/java/android/compos/test/ComposTestCase.java
index 8c7aeeb..3a09475 100644
--- a/compos/tests/java/android/compos/test/ComposTestCase.java
+++ b/compos/tests/java/android/compos/test/ComposTestCase.java
@@ -221,8 +221,11 @@
// compos.info.signature since it's only generated by CompOS.
// TODO(b/211458160): Remove cache-info.xml once we can plumb timestamp and isFactory of
// APEXes to the VM.
- return runner.run("cd " + path + "; find -type f -exec sha256sum {} \\;"
- + "| grep -v cache-info.xml | grep -v compos.info"
- + "| sort -k2");
+ return runner.run(
+ "cd "
+ + path
+ + " && find -type f -exec sha256sum {} \\;"
+ + "| grep -v cache-info.xml | grep -v compos.info"
+ + "| sort -k2");
}
}
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachine.java b/javalib/src/android/system/virtualmachine/VirtualMachine.java
index 7713faf..f96effa 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachine.java
+++ b/javalib/src/android/system/virtualmachine/VirtualMachine.java
@@ -23,8 +23,6 @@
import static android.system.virtualmachine.VirtualMachineCallback.ERROR_PAYLOAD_INVALID_CONFIG;
import static android.system.virtualmachine.VirtualMachineCallback.ERROR_PAYLOAD_VERIFICATION_FAILED;
import static android.system.virtualmachine.VirtualMachineCallback.ERROR_UNKNOWN;
-import static android.system.virtualmachine.VirtualMachineCallback.STOP_REASON_BOOTLOADER_INSTANCE_IMAGE_CHANGED;
-import static android.system.virtualmachine.VirtualMachineCallback.STOP_REASON_BOOTLOADER_PUBLIC_KEY_MISMATCH;
import static android.system.virtualmachine.VirtualMachineCallback.STOP_REASON_CRASH;
import static android.system.virtualmachine.VirtualMachineCallback.STOP_REASON_HANGUP;
import static android.system.virtualmachine.VirtualMachineCallback.STOP_REASON_INFRASTRUCTURE_ERROR;
@@ -1353,10 +1351,6 @@
return STOP_REASON_PVM_FIRMWARE_PUBLIC_KEY_MISMATCH;
case DeathReason.PVM_FIRMWARE_INSTANCE_IMAGE_CHANGED:
return STOP_REASON_PVM_FIRMWARE_INSTANCE_IMAGE_CHANGED;
- case DeathReason.BOOTLOADER_PUBLIC_KEY_MISMATCH:
- return STOP_REASON_BOOTLOADER_PUBLIC_KEY_MISMATCH;
- case DeathReason.BOOTLOADER_INSTANCE_IMAGE_CHANGED:
- return STOP_REASON_BOOTLOADER_INSTANCE_IMAGE_CHANGED;
case DeathReason.MICRODROID_FAILED_TO_CONNECT_TO_VIRTUALIZATION_SERVICE:
return STOP_REASON_MICRODROID_FAILED_TO_CONNECT_TO_VIRTUALIZATION_SERVICE;
case DeathReason.MICRODROID_PAYLOAD_HAS_CHANGED:
diff --git a/libs/hyp/Android.bp b/libs/hyp/Android.bp
index bc66190..1d572e5 100644
--- a/libs/hyp/Android.bp
+++ b/libs/hyp/Android.bp
@@ -8,7 +8,10 @@
srcs: ["src/lib.rs"],
prefer_rlib: true,
rustlibs: [
- "libsmccc",
+ "libbitflags",
+ "libonce_cell_nostd",
+ "libpsci",
+ "libuuid_nostd",
],
no_stdlibs: true,
stdlibs: [
diff --git a/libs/hyp/src/error.rs b/libs/hyp/src/error.rs
new file mode 100644
index 0000000..408150e
--- /dev/null
+++ b/libs/hyp/src/error.rs
@@ -0,0 +1,52 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Error and Result types for hypervisor.
+
+use crate::KvmError;
+use core::{fmt, result};
+use uuid::Uuid;
+
+/// Result type with hypervisor error.
+pub type Result<T> = result::Result<T, Error>;
+
+/// Hypervisor error.
+#[derive(Debug, Clone)]
+pub enum Error {
+ /// MMIO guard is not supported.
+ MmioGuardNotsupported,
+ /// Failed to invoke a certain KVM HVC function.
+ KvmError(KvmError, u32),
+ /// Unsupported Hypervisor.
+ UnsupportedHypervisorUuid(Uuid),
+ /// The MMIO_GUARD granule used by the hypervisor is not supported.
+ UnsupportedMmioGuardGranule(usize),
+}
+
+impl fmt::Display for Error {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ match self {
+ Self::MmioGuardNotsupported => write!(f, "MMIO guard is not supported"),
+ Self::KvmError(e, function_id) => {
+ write!(f, "Failed to invoke the HVC function with function ID {function_id}: {e}")
+ }
+ Self::UnsupportedHypervisorUuid(u) => {
+ write!(f, "Unsupported Hypervisor UUID {u}")
+ }
+ Self::UnsupportedMmioGuardGranule(g) => {
+ write!(f, "Unsupported MMIO guard granule: {g}")
+ }
+ }
+ }
+}
diff --git a/libs/hyp/src/hypervisor/common.rs b/libs/hyp/src/hypervisor/common.rs
new file mode 100644
index 0000000..accef72
--- /dev/null
+++ b/libs/hyp/src/hypervisor/common.rs
@@ -0,0 +1,58 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module regroups some common traits shared by all the hypervisors.
+
+use crate::error::Result;
+use bitflags::bitflags;
+
+bitflags! {
+ /// Capabilities that Hypervisor backends can declare support for.
+ pub struct HypervisorCap: u32 {
+ /// Capability for guest to share its memory with host at runtime.
+ const DYNAMIC_MEM_SHARE = 0b1;
+ }
+}
+
+/// Trait for the hypervisor.
+pub trait Hypervisor {
+ /// Initializes the hypervisor by enrolling a MMIO guard and checking the memory granule size.
+ /// By enrolling, all MMIO will be blocked unless allow-listed with `mmio_guard_map`.
+ /// Protected VMs are auto-enrolled.
+ fn mmio_guard_init(&self) -> Result<()>;
+
+ /// Maps a page containing the given memory address to the hypervisor MMIO guard.
+ /// The page size corresponds to the MMIO guard granule size.
+ fn mmio_guard_map(&self, addr: usize) -> Result<()>;
+
+ /// Unmaps a page containing the given memory address from the hypervisor MMIO guard.
+ /// The page size corresponds to the MMIO guard granule size.
+ fn mmio_guard_unmap(&self, addr: usize) -> Result<()>;
+
+ /// Shares a region of memory with host, granting it read, write and execute permissions.
+ /// The size of the region is equal to the memory protection granule returned by
+ /// [`hyp_meminfo`].
+ fn mem_share(&self, base_ipa: u64) -> Result<()>;
+
+ /// Revokes access permission from host to a memory region previously shared with
+ /// [`mem_share`]. The size of the region is equal to the memory protection granule returned by
+ /// [`hyp_meminfo`].
+ fn mem_unshare(&self, base_ipa: u64) -> Result<()>;
+
+ /// Returns the memory protection granule size in bytes.
+ fn memory_protection_granule(&self) -> Result<usize>;
+
+ /// Check if required capabilities are supported.
+ fn has_cap(&self, cap: HypervisorCap) -> bool;
+}
diff --git a/libs/hyp/src/hypervisor/gunyah.rs b/libs/hyp/src/hypervisor/gunyah.rs
new file mode 100644
index 0000000..b335c87
--- /dev/null
+++ b/libs/hyp/src/hypervisor/gunyah.rs
@@ -0,0 +1,40 @@
+use super::common::{Hypervisor, HypervisorCap};
+use crate::error::Result;
+use crate::util::SIZE_4KB;
+use uuid::{uuid, Uuid};
+
+pub(super) struct GunyahHypervisor;
+
+impl GunyahHypervisor {
+ pub const UUID: Uuid = uuid!("c1d58fcd-a453-5fdb-9265-ce36673d5f14");
+}
+
+impl Hypervisor for GunyahHypervisor {
+ fn mmio_guard_init(&self) -> Result<()> {
+ Ok(())
+ }
+
+ fn mmio_guard_map(&self, _addr: usize) -> Result<()> {
+ Ok(())
+ }
+
+ fn mmio_guard_unmap(&self, _addr: usize) -> Result<()> {
+ Ok(())
+ }
+
+ fn mem_share(&self, _base_ipa: u64) -> Result<()> {
+ unimplemented!();
+ }
+
+ fn mem_unshare(&self, _base_ipa: u64) -> Result<()> {
+ unimplemented!();
+ }
+
+ fn memory_protection_granule(&self) -> Result<usize> {
+ Ok(SIZE_4KB)
+ }
+
+ fn has_cap(&self, _cap: HypervisorCap) -> bool {
+ false
+ }
+}
diff --git a/libs/hyp/src/hypervisor/kvm.rs b/libs/hyp/src/hypervisor/kvm.rs
index a34acc8..772160e 100644
--- a/libs/hyp/src/hypervisor/kvm.rs
+++ b/libs/hyp/src/hypervisor/kvm.rs
@@ -14,7 +14,52 @@
//! Wrappers around calls to the KVM hypervisor.
-use smccc::{checked_hvc64, checked_hvc64_expect_zero, Error, Result};
+use super::common::{Hypervisor, HypervisorCap};
+use crate::error::{Error, Result};
+use crate::util::{page_address, SIZE_4KB};
+use core::fmt::{self, Display, Formatter};
+use psci::smccc::{
+ error::{positive_or_error_64, success_or_error_32, success_or_error_64},
+ hvc64,
+};
+use uuid::{uuid, Uuid};
+
+/// Error from a KVM HVC call.
+#[derive(Copy, Clone, Debug, Eq, PartialEq)]
+pub enum KvmError {
+ /// The call is not supported by the implementation.
+ NotSupported,
+ /// One of the call parameters has a non-supported value.
+ InvalidParameter,
+ /// There was an unexpected return value.
+ Unknown(i64),
+}
+
+impl From<i64> for KvmError {
+ fn from(value: i64) -> Self {
+ match value {
+ -1 => KvmError::NotSupported,
+ -3 => KvmError::InvalidParameter,
+ _ => KvmError::Unknown(value),
+ }
+ }
+}
+
+impl From<i32> for KvmError {
+ fn from(value: i32) -> Self {
+ i64::from(value).into()
+ }
+}
+
+impl Display for KvmError {
+ fn fmt(&self, f: &mut Formatter) -> fmt::Result {
+ match self {
+ Self::NotSupported => write!(f, "KVM call not supported"),
+ Self::InvalidParameter => write!(f, "KVM call received non-supported value"),
+ Self::Unknown(e) => write!(f, "Unknown return value from KVM {} ({0:#x})", e),
+ }
+ }
+}
const ARM_SMCCC_KVM_FUNC_HYP_MEMINFO: u32 = 0xc6000002;
const ARM_SMCCC_KVM_FUNC_MEM_SHARE: u32 = 0xc6000003;
@@ -25,71 +70,92 @@
const VENDOR_HYP_KVM_MMIO_GUARD_MAP_FUNC_ID: u32 = 0xc6000007;
const VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID: u32 = 0xc6000008;
-/// Queries the memory protection parameters for a protected virtual machine.
-///
-/// Returns the memory protection granule size in bytes.
-pub(super) fn hyp_meminfo() -> Result<u64> {
- let args = [0u64; 17];
- checked_hvc64(ARM_SMCCC_KVM_FUNC_HYP_MEMINFO, args)
+pub(super) struct KvmHypervisor;
+
+impl KvmHypervisor {
+ // Based on ARM_SMCCC_VENDOR_HYP_UID_KVM_REG values listed in Linux kernel source:
+ // https://github.com/torvalds/linux/blob/master/include/linux/arm-smccc.h
+ pub(super) const UUID: Uuid = uuid!("28b46fb6-2ec5-11e9-a9ca-4b564d003a74");
+ const CAPABILITIES: HypervisorCap = HypervisorCap::DYNAMIC_MEM_SHARE;
}
-/// Shares a region of memory with the KVM host, granting it read, write and execute permissions.
-/// The size of the region is equal to the memory protection granule returned by [`hyp_meminfo`].
-pub(super) fn mem_share(base_ipa: u64) -> Result<()> {
- let mut args = [0u64; 17];
- args[0] = base_ipa;
+impl Hypervisor for KvmHypervisor {
+ fn mmio_guard_init(&self) -> Result<()> {
+ mmio_guard_enroll()?;
+ let mmio_granule = mmio_guard_granule()?;
+ if mmio_granule != SIZE_4KB {
+ return Err(Error::UnsupportedMmioGuardGranule(mmio_granule));
+ }
+ Ok(())
+ }
- checked_hvc64_expect_zero(ARM_SMCCC_KVM_FUNC_MEM_SHARE, args)
-}
+ fn mmio_guard_map(&self, addr: usize) -> Result<()> {
+ let mut args = [0u64; 17];
+ args[0] = page_address(addr);
-/// Revokes access permission from the KVM host to a memory region previously shared with
-/// [`mem_share`]. The size of the region is equal to the memory protection granule returned by
-/// [`hyp_meminfo`].
-pub(super) fn mem_unshare(base_ipa: u64) -> Result<()> {
- let mut args = [0u64; 17];
- args[0] = base_ipa;
+ // TODO(b/277859415): pKVM returns a i32 instead of a i64 in T.
+ // Drop this hack once T reaches EoL.
+ success_or_error_32(hvc64(VENDOR_HYP_KVM_MMIO_GUARD_MAP_FUNC_ID, args)[0] as u32)
+ .map_err(|e| Error::KvmError(e, VENDOR_HYP_KVM_MMIO_GUARD_MAP_FUNC_ID))
+ }
- checked_hvc64_expect_zero(ARM_SMCCC_KVM_FUNC_MEM_UNSHARE, args)
-}
+ fn mmio_guard_unmap(&self, addr: usize) -> Result<()> {
+ let mut args = [0u64; 17];
+ args[0] = page_address(addr);
-pub(super) fn mmio_guard_info() -> Result<u64> {
- let args = [0u64; 17];
+ // TODO(b/277860860): pKVM returns NOT_SUPPORTED for SUCCESS in T.
+ // Drop this hack once T reaches EoL.
+ match success_or_error_64(hvc64(VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID, args)[0]) {
+ Err(KvmError::NotSupported) | Ok(_) => Ok(()),
+ Err(e) => Err(Error::KvmError(e, VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID)),
+ }
+ }
- checked_hvc64(VENDOR_HYP_KVM_MMIO_GUARD_INFO_FUNC_ID, args)
-}
+ fn mem_share(&self, base_ipa: u64) -> Result<()> {
+ let mut args = [0u64; 17];
+ args[0] = base_ipa;
-pub(super) fn mmio_guard_enroll() -> Result<()> {
- let args = [0u64; 17];
+ checked_hvc64_expect_zero(ARM_SMCCC_KVM_FUNC_MEM_SHARE, args)
+ }
- checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_ENROLL_FUNC_ID, args)
-}
+ fn mem_unshare(&self, base_ipa: u64) -> Result<()> {
+ let mut args = [0u64; 17];
+ args[0] = base_ipa;
-pub(super) fn mmio_guard_map(ipa: u64) -> Result<()> {
- let mut args = [0u64; 17];
- args[0] = ipa;
+ checked_hvc64_expect_zero(ARM_SMCCC_KVM_FUNC_MEM_UNSHARE, args)
+ }
- // TODO(b/277859415): pKVM returns a i32 instead of a i64 in T.
- // Drop this hack once T reaches EoL.
- let is_i32_error_code = |n| u32::try_from(n).ok().filter(|v| (*v as i32) < 0).is_some();
- match checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_MAP_FUNC_ID, args) {
- Err(Error::Unexpected(e)) if is_i32_error_code(e) => match e as u32 as i32 {
- -1 => Err(Error::NotSupported),
- -2 => Err(Error::NotRequired),
- -3 => Err(Error::InvalidParameter),
- ret => Err(Error::Unknown(ret as i64)),
- },
- res => res,
+ fn memory_protection_granule(&self) -> Result<usize> {
+ let args = [0u64; 17];
+ let granule = checked_hvc64(ARM_SMCCC_KVM_FUNC_HYP_MEMINFO, args)?;
+ Ok(granule.try_into().unwrap())
+ }
+
+ fn has_cap(&self, cap: HypervisorCap) -> bool {
+ Self::CAPABILITIES.contains(cap)
}
}
-pub(super) fn mmio_guard_unmap(ipa: u64) -> Result<()> {
- let mut args = [0u64; 17];
- args[0] = ipa;
+fn mmio_guard_granule() -> Result<usize> {
+ let args = [0u64; 17];
- // TODO(b/277860860): pKVM returns NOT_SUPPORTED for SUCCESS in T.
- // Drop this hack once T reaches EoL.
- match checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID, args) {
- Err(Error::NotSupported) | Ok(_) => Ok(()),
- x => x,
+ let granule = checked_hvc64(VENDOR_HYP_KVM_MMIO_GUARD_INFO_FUNC_ID, args)?;
+ Ok(granule.try_into().unwrap())
+}
+
+fn mmio_guard_enroll() -> Result<()> {
+ let args = [0u64; 17];
+ match success_or_error_64(hvc64(VENDOR_HYP_KVM_MMIO_GUARD_ENROLL_FUNC_ID, args)[0]) {
+ Ok(_) => Ok(()),
+ Err(KvmError::NotSupported) => Err(Error::MmioGuardNotsupported),
+ Err(e) => Err(Error::KvmError(e, VENDOR_HYP_KVM_MMIO_GUARD_ENROLL_FUNC_ID)),
}
}
+
+fn checked_hvc64_expect_zero(function: u32, args: [u64; 17]) -> Result<()> {
+ success_or_error_64(hvc64(function, args)[0]).map_err(|e| Error::KvmError(e, function))
+}
+
+fn checked_hvc64(function: u32, args: [u64; 17]) -> Result<u64> {
+ positive_or_error_64(hvc64(function, args)[0]).map_err(|e| Error::KvmError(e, function))
+}
diff --git a/libs/hyp/src/hypervisor/mod.rs b/libs/hyp/src/hypervisor/mod.rs
index 5807698..05c82dc 100644
--- a/libs/hyp/src/hypervisor/mod.rs
+++ b/libs/hyp/src/hypervisor/mod.rs
@@ -14,40 +14,82 @@
//! Wrappers around hypervisor back-ends.
+extern crate alloc;
+
+mod common;
+mod gunyah;
mod kvm;
-/// Queries the memory protection parameters for a protected virtual machine.
-///
-/// Returns the memory protection granule size in bytes.
-pub fn hyp_meminfo() -> smccc::Result<u64> {
- kvm::hyp_meminfo()
+use crate::error::{Error, Result};
+use alloc::boxed::Box;
+pub use common::Hypervisor;
+pub use common::HypervisorCap;
+use gunyah::GunyahHypervisor;
+pub use kvm::KvmError;
+use kvm::KvmHypervisor;
+use once_cell::race::OnceBox;
+use psci::smccc::hvc64;
+use uuid::Uuid;
+
+enum HypervisorBackend {
+ Kvm,
+ Gunyah,
}
-/// Shares a region of memory with the host, granting it read, write and execute permissions.
-/// The size of the region is equal to the memory protection granule returned by [`hyp_meminfo`].
-pub fn mem_share(base_ipa: u64) -> smccc::Result<()> {
- kvm::mem_share(base_ipa)
+impl HypervisorBackend {
+ fn get_hypervisor(&self) -> &'static dyn Hypervisor {
+ match self {
+ Self::Kvm => &KvmHypervisor,
+ Self::Gunyah => &GunyahHypervisor,
+ }
+ }
}
-/// Revokes access permission from the host to a memory region previously shared with
-/// [`mem_share`]. The size of the region is equal to the memory protection granule returned by
-/// [`hyp_meminfo`].
-pub fn mem_unshare(base_ipa: u64) -> smccc::Result<()> {
- kvm::mem_unshare(base_ipa)
+impl TryFrom<Uuid> for HypervisorBackend {
+ type Error = Error;
+
+ fn try_from(uuid: Uuid) -> Result<HypervisorBackend> {
+ match uuid {
+ GunyahHypervisor::UUID => Ok(HypervisorBackend::Gunyah),
+ KvmHypervisor::UUID => Ok(HypervisorBackend::Kvm),
+ u => Err(Error::UnsupportedHypervisorUuid(u)),
+ }
+ }
}
-pub(crate) fn mmio_guard_info() -> smccc::Result<u64> {
- kvm::mmio_guard_info()
+const ARM_SMCCC_VENDOR_HYP_CALL_UID_FUNC_ID: u32 = 0x8600ff01;
+
+fn query_vendor_hyp_call_uid() -> Uuid {
+ let args = [0u64; 17];
+ let res = hvc64(ARM_SMCCC_VENDOR_HYP_CALL_UID_FUNC_ID, args);
+
+ // KVM's UUID of "28b46fb6-2ec5-11e9-a9ca-4b564d003a74" is generated by
+ // Uuid::from_u128() from an input value of
+ // 0x28b46fb6_2ec511e9_a9ca4b56_4d003a74. ARM's SMC calling convention
+ // (Document number ARM DEN 0028E) describes the UUID register mapping such
+ // that W0 contains bytes 0..3 of UUID, with byte 0 in lower order bits. In
+ // the KVM example, byte 0 of KVM's UUID (0x28) will be returned in the low
+ // 8-bits of W0, while byte 15 (0x74) will be returned in bits 31-24 of W3.
+ //
+ // `uuid` value derived below thus need to be byte-reversed before
+ // being used in Uuid::from_u128(). Alternately use Uuid::from_u128_le()
+ // to achieve the same.
+
+ let uuid = ((res[3] as u32 as u128) << 96)
+ | ((res[2] as u32 as u128) << 64)
+ | ((res[1] as u32 as u128) << 32)
+ | (res[0] as u32 as u128);
+
+ Uuid::from_u128_le(uuid)
}
-pub(crate) fn mmio_guard_enroll() -> smccc::Result<()> {
- kvm::mmio_guard_enroll()
+fn detect_hypervisor() -> HypervisorBackend {
+ query_vendor_hyp_call_uid().try_into().expect("Unknown hypervisor")
}
-pub(crate) fn mmio_guard_map(ipa: u64) -> smccc::Result<()> {
- kvm::mmio_guard_map(ipa)
-}
+/// Gets the hypervisor singleton.
+pub fn get_hypervisor() -> &'static dyn Hypervisor {
+ static HYPERVISOR: OnceBox<HypervisorBackend> = OnceBox::new();
-pub(crate) fn mmio_guard_unmap(ipa: u64) -> smccc::Result<()> {
- kvm::mmio_guard_unmap(ipa)
+ HYPERVISOR.get_or_init(|| Box::new(detect_hypervisor())).get_hypervisor()
}
diff --git a/libs/hyp/src/lib.rs b/libs/hyp/src/lib.rs
index f0f0631..694f957 100644
--- a/libs/hyp/src/lib.rs
+++ b/libs/hyp/src/lib.rs
@@ -16,8 +16,9 @@
#![no_std]
+mod error;
mod hypervisor;
mod util;
-pub use hypervisor::{hyp_meminfo, mem_share, mem_unshare};
-pub mod mmio_guard;
+pub use error::{Error, Result};
+pub use hypervisor::{get_hypervisor, Hypervisor, HypervisorCap, KvmError};
diff --git a/libs/hyp/src/mmio_guard.rs b/libs/hyp/src/mmio_guard.rs
deleted file mode 100644
index 512eb88..0000000
--- a/libs/hyp/src/mmio_guard.rs
+++ /dev/null
@@ -1,69 +0,0 @@
-// Copyright 2022, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Safe MMIO_GUARD support.
-
-use crate::hypervisor::{mmio_guard_enroll, mmio_guard_info, mmio_guard_map, mmio_guard_unmap};
-use crate::util::{page_address, SIZE_4KB};
-use core::{fmt, result};
-
-/// MMIO guard error.
-#[derive(Debug, Clone)]
-pub enum Error {
- /// Failed the necessary MMIO_GUARD_ENROLL call.
- EnrollFailed(smccc::Error),
- /// Failed to obtain the MMIO_GUARD granule size.
- InfoFailed(smccc::Error),
- /// Failed to MMIO_GUARD_MAP a page.
- MapFailed(smccc::Error),
- /// Failed to MMIO_GUARD_UNMAP a page.
- UnmapFailed(smccc::Error),
- /// The MMIO_GUARD granule used by the hypervisor is not supported.
- UnsupportedGranule(usize),
-}
-
-impl fmt::Display for Error {
- fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
- match self {
- Self::EnrollFailed(e) => write!(f, "Failed to enroll into MMIO_GUARD: {e}"),
- Self::InfoFailed(e) => write!(f, "Failed to get the MMIO_GUARD granule: {e}"),
- Self::MapFailed(e) => write!(f, "Failed to MMIO_GUARD map: {e}"),
- Self::UnmapFailed(e) => write!(f, "Failed to MMIO_GUARD unmap: {e}"),
- Self::UnsupportedGranule(g) => write!(f, "Unsupported MMIO_GUARD granule: {g}"),
- }
- }
-}
-
-/// Result type with mmio_guard::Error.
-pub type Result<T> = result::Result<T, Error>;
-
-/// Initializes the hypervisor by enrolling a MMIO guard and checking the memory granule size.
-pub fn init() -> Result<()> {
- mmio_guard_enroll().map_err(Error::EnrollFailed)?;
- let mmio_granule = mmio_guard_info().map_err(Error::InfoFailed)? as usize;
- if mmio_granule != SIZE_4KB {
- return Err(Error::UnsupportedGranule(mmio_granule));
- }
- Ok(())
-}
-
-/// Maps a memory address to the hypervisor MMIO guard.
-pub fn map(addr: usize) -> Result<()> {
- mmio_guard_map(page_address(addr)).map_err(Error::MapFailed)
-}
-
-/// Unmaps a memory address from the hypervisor MMIO guard.
-pub fn unmap(addr: usize) -> Result<()> {
- mmio_guard_unmap(page_address(addr)).map_err(Error::UnmapFailed)
-}
diff --git a/libs/libfdt/src/lib.rs b/libs/libfdt/src/lib.rs
index 7ddf680..61b69f5 100644
--- a/libs/libfdt/src/lib.rs
+++ b/libs/libfdt/src/lib.rs
@@ -606,6 +606,26 @@
Ok(fdt)
}
+ /// Creates an empty Flattened Device Tree with a mutable slice.
+ pub fn create_empty_tree(fdt: &mut [u8]) -> Result<&mut Self> {
+ // SAFETY - fdt_create_empty_tree() only write within the specified length,
+ // and returns error if buffer was insufficient.
+ // There will be no memory write outside of the given fdt.
+ let ret = unsafe {
+ libfdt_bindgen::fdt_create_empty_tree(
+ fdt.as_mut_ptr().cast::<c_void>(),
+ fdt.len() as i32,
+ )
+ };
+ fdt_err_expect_zero(ret)?;
+
+ // SAFETY - The FDT will be validated before it is returned.
+ let fdt = unsafe { Self::unchecked_from_mut_slice(fdt) };
+ fdt.check_full()?;
+
+ Ok(fdt)
+ }
+
/// Wraps a slice containing a Flattened Device Tree.
///
/// # Safety
diff --git a/libs/smccc/Android.bp b/libs/smccc/Android.bp
deleted file mode 100644
index 96943d8..0000000
--- a/libs/smccc/Android.bp
+++ /dev/null
@@ -1,18 +0,0 @@
-package {
- default_applicable_licenses: ["Android-Apache-2.0"],
-}
-
-rust_library_rlib {
- name: "libsmccc",
- crate_name: "smccc",
- srcs: ["src/lib.rs"],
- prefer_rlib: true,
- rustlibs: [
- "libpsci",
- ],
- no_stdlibs: true,
- stdlibs: [
- "libcore.rust_sysroot",
- ],
- apex_available: ["com.android.virt"],
-}
diff --git a/libs/smccc/src/lib.rs b/libs/smccc/src/lib.rs
deleted file mode 100644
index 2cd31dc..0000000
--- a/libs/smccc/src/lib.rs
+++ /dev/null
@@ -1,22 +0,0 @@
-// Copyright 2023, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Structs and functions for making SMCCC calls following the SMC Calling
-//! Convention version 1.4.
-
-#![no_std]
-
-mod smccc;
-
-pub use smccc::{checked_hvc64, checked_hvc64_expect_zero, hvc64, Error, Result};
diff --git a/libs/smccc/src/smccc.rs b/libs/smccc/src/smccc.rs
deleted file mode 100644
index c0070e0..0000000
--- a/libs/smccc/src/smccc.rs
+++ /dev/null
@@ -1,72 +0,0 @@
-// Copyright 2022, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Structs and functions for making SMCCC calls.
-
-use core::{fmt, result};
-// Ideally, smccc shouldn't depend on psci. Smccc isn't split as a separate
-// upstream crate currently mostly for maintenance consideration.
-// See b/245889995 for more context.
-pub use psci::smccc::hvc64;
-
-/// Standard SMCCC error values as described in DEN 0028E.
-#[derive(Debug, Clone)]
-pub enum Error {
- /// The call is not supported by the implementation.
- NotSupported,
- /// The call is deemed not required by the implementation.
- NotRequired,
- /// One of the call parameters has a non-supported value.
- InvalidParameter,
- /// Negative values indicate error.
- Unknown(i64),
- /// The call returned a positive value when 0 was expected.
- Unexpected(u64),
-}
-
-impl fmt::Display for Error {
- fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
- match self {
- Self::NotSupported => write!(f, "SMCCC call not supported"),
- Self::NotRequired => write!(f, "SMCCC call not required"),
- Self::InvalidParameter => write!(f, "SMCCC call received non-supported value"),
- Self::Unexpected(v) => write!(f, "Unexpected SMCCC return value {} ({0:#x})", v),
- Self::Unknown(e) => write!(f, "Unknown SMCCC return value {} ({0:#x})", e),
- }
- }
-}
-
-/// Result type with smccc::Error.
-pub type Result<T> = result::Result<T, Error>;
-
-/// Makes a checked HVC64 call to the hypervisor, following the SMC Calling Convention version 1.4.
-/// Returns Ok only when the return code is 0.
-pub fn checked_hvc64_expect_zero(function: u32, args: [u64; 17]) -> Result<()> {
- match checked_hvc64(function, args)? {
- 0 => Ok(()),
- v => Err(Error::Unexpected(v)),
- }
-}
-
-/// Makes a checked HVC64 call to the hypervisor, following the SMC Calling Convention version 1.4.
-/// Returns Ok with the return code only when the return code >= 0.
-pub fn checked_hvc64(function: u32, args: [u64; 17]) -> Result<u64> {
- match hvc64(function, args)[0] as i64 {
- ret if ret >= 0 => Ok(ret as u64),
- -1 => Err(Error::NotSupported),
- -2 => Err(Error::NotRequired),
- -3 => Err(Error::InvalidParameter),
- ret => Err(Error::Unknown(ret)),
- }
-}
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index de06d01..1092476 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -426,7 +426,7 @@
avb_add_hash_footer {
name: "microdroid_kernel_signed",
- src: "empty_kernel",
+ src: ":empty_file",
filename: "microdroid_kernel",
partition_name: "boot",
private_key: ":microdroid_sign_key",
@@ -450,7 +450,7 @@
prebuilt_etc {
name: "microdroid_kernel",
- src: "empty_kernel",
+ src: ":empty_file",
relative_install_path: "fs",
arch: {
arm64: {
diff --git a/microdroid/empty_kernel b/microdroid/empty_kernel
deleted file mode 100644
index e69de29..0000000
--- a/microdroid/empty_kernel
+++ /dev/null
diff --git a/microdroid/init.rc b/microdroid/init.rc
index 29f8970..871db94 100644
--- a/microdroid/init.rc
+++ b/microdroid/init.rc
@@ -146,6 +146,7 @@
capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER SYS_ADMIN
service ueventd /system/bin/ueventd
+ user root
class core
critical
seclabel u:r:ueventd:s0
@@ -161,6 +162,7 @@
setenv HOSTNAME console
service init_debug_policy /system/bin/init_debug_policy
+ user root
oneshot
disabled
stdio_to_kmsg
diff --git a/microdroid/payload/mk_payload.cc b/microdroid/payload/mk_payload.cc
deleted file mode 100644
index d31333f..0000000
--- a/microdroid/payload/mk_payload.cc
+++ /dev/null
@@ -1,305 +0,0 @@
-/*
- * Copyright (C) 2021 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#include <fstream>
-#include <iostream>
-#include <optional>
-#include <string>
-#include <vector>
-
-#include <android-base/file.h>
-#include <android-base/result.h>
-#include <image_aggregator.h>
-#include <json/json.h>
-
-#include "microdroid/metadata.h"
-
-using android::base::Dirname;
-using android::base::ErrnoError;
-using android::base::Error;
-using android::base::Result;
-using android::base::unique_fd;
-using android::microdroid::ApexPayload;
-using android::microdroid::ApkPayload;
-using android::microdroid::Metadata;
-using android::microdroid::WriteMetadata;
-
-using cuttlefish::AlignToPartitionSize;
-using cuttlefish::CreateCompositeDisk;
-using cuttlefish::kLinuxFilesystem;
-using cuttlefish::MultipleImagePartition;
-
-Result<uint32_t> GetFileSize(const std::string& path) {
- struct stat st;
- if (lstat(path.c_str(), &st) == -1) {
- return ErrnoError() << "Can't lstat " << path;
- }
- return static_cast<uint32_t>(st.st_size);
-}
-
-std::string RelativeTo(const std::string& path, const std::string& dirname) {
- bool is_absolute = !path.empty() && path[0] == '/';
- if (is_absolute || dirname == ".") {
- return path;
- } else {
- return dirname + "/" + path;
- }
-}
-
-// Returns `append` is appended to the end of filename preserving the extension.
-std::string AppendFileName(const std::string& filename, const std::string& append) {
- size_t pos = filename.find_last_of('.');
- if (pos == std::string::npos) {
- return filename + append;
- } else {
- return filename.substr(0, pos) + append + filename.substr(pos);
- }
-}
-
-struct ApexConfig {
- std::string name; // the apex name
- std::string path; // the path to the apex file
- // absolute or relative to the config file
-};
-
-struct ApkConfig {
- std::string name;
- std::string path;
- std::string idsig_path;
-};
-
-struct Config {
- std::string dirname; // config file's direname to resolve relative paths in the config
-
- std::vector<ApexConfig> apexes;
- std::optional<ApkConfig> apk;
- // This is a path in the guest side
- std::optional<std::string> payload_config_path;
-};
-
-#define DO(expr) \
- if (auto res = (expr); !res.ok()) return res.error()
-
-Result<void> ParseJson(const Json::Value& value, std::string& s) {
- if (!value.isString()) {
- return Error() << "should be a string: " << value;
- }
- s = value.asString();
- return {};
-}
-
-template <typename T>
-Result<void> ParseJson(const Json::Value& value, std::optional<T>& s) {
- if (value.isNull()) {
- s.reset();
- return {};
- }
- s.emplace();
- return ParseJson(value, *s);
-}
-
-template <typename T>
-Result<void> ParseJson(const Json::Value& values, std::vector<T>& parsed) {
- for (const Json::Value& value : values) {
- T t;
- DO(ParseJson(value, t));
- parsed.push_back(std::move(t));
- }
- return {};
-}
-
-Result<void> ParseJson(const Json::Value& value, ApexConfig& apex_config) {
- DO(ParseJson(value["name"], apex_config.name));
- DO(ParseJson(value["path"], apex_config.path));
- return {};
-}
-
-Result<void> ParseJson(const Json::Value& value, ApkConfig& apk_config) {
- DO(ParseJson(value["name"], apk_config.name));
- DO(ParseJson(value["path"], apk_config.path));
- DO(ParseJson(value["idsig_path"], apk_config.idsig_path));
- return {};
-}
-
-Result<void> ParseJson(const Json::Value& value, Config& config) {
- DO(ParseJson(value["apexes"], config.apexes));
- DO(ParseJson(value["apk"], config.apk));
- DO(ParseJson(value["payload_config_path"], config.payload_config_path));
- return {};
-}
-
-Result<Config> LoadConfig(const std::string& config_file) {
- std::ifstream in(config_file);
- Json::CharReaderBuilder builder;
- Json::Value root;
- Json::String errs;
- if (!parseFromStream(builder, in, &root, &errs)) {
- return Error() << errs;
- }
-
- Config config;
- config.dirname = Dirname(config_file);
- DO(ParseJson(root, config));
- return config;
-}
-
-#undef DO
-
-Result<void> MakeMetadata(const Config& config, const std::string& filename) {
- Metadata metadata;
- metadata.set_version(1);
-
- for (const auto& apex_config : config.apexes) {
- auto* apex = metadata.add_apexes();
- apex->set_name(apex_config.name);
- apex->set_partition_name(apex_config.name);
- apex->set_is_factory(true);
- }
-
- if (config.apk.has_value()) {
- auto* apk = metadata.mutable_apk();
- apk->set_name(config.apk->name);
- apk->set_payload_partition_name("microdroid-apk");
- apk->set_idsig_partition_name("microdroid-apk-idsig");
- }
-
- if (config.payload_config_path.has_value()) {
- *metadata.mutable_config_path() = config.payload_config_path.value();
- }
-
- std::ofstream out(filename);
- return WriteMetadata(metadata, out);
-}
-
-// fill zeros to align |file_path|'s size to BLOCK_SIZE(4096) boundary.
-// return true when the filler is needed.
-Result<bool> ZeroFiller(const std::string& file_path, const std::string& filler_path) {
- auto file_size = GetFileSize(file_path);
- if (!file_size.ok()) {
- return file_size.error();
- }
- auto disk_size = AlignToPartitionSize(*file_size);
- if (disk_size <= *file_size) {
- return false;
- }
- unique_fd fd(TEMP_FAILURE_RETRY(open(filler_path.c_str(), O_CREAT | O_WRONLY | O_TRUNC, 0600)));
- if (fd.get() == -1) {
- return ErrnoError() << "open(" << filler_path << ") failed.";
- }
- if (ftruncate(fd.get(), disk_size - *file_size) == -1) {
- return ErrnoError() << "ftruncate(" << filler_path << ") failed.";
- }
- return true;
-}
-
-Result<void> MakePayload(const Config& config, const std::string& metadata_file,
- const std::string& output_file) {
- std::vector<MultipleImagePartition> partitions;
-
- int filler_count = 0;
- auto add_partition = [&](auto partition_name, auto file_path) -> Result<void> {
- std::vector<std::string> image_files{file_path};
-
- std::string filler_path =
- AppendFileName(output_file, "-filler-" + std::to_string(filler_count++));
- if (auto ret = ZeroFiller(file_path, filler_path); !ret.ok()) {
- return ret.error();
- } else if (*ret) {
- image_files.push_back(filler_path);
- }
- partitions.push_back(MultipleImagePartition{
- .label = partition_name,
- .image_file_paths = image_files,
- .type = kLinuxFilesystem,
- .read_only = true,
- });
- return {};
- };
-
- // put metadata at the first partition
- partitions.push_back(MultipleImagePartition{
- .label = "payload-metadata",
- .image_file_paths = {metadata_file},
- .type = kLinuxFilesystem,
- .read_only = true,
- });
- // put apexes at the subsequent partitions
- for (size_t i = 0; i < config.apexes.size(); i++) {
- const auto& apex_config = config.apexes[i];
- std::string apex_path = RelativeTo(apex_config.path, config.dirname);
- if (auto ret = add_partition("microdroid-apex-" + std::to_string(i), apex_path);
- !ret.ok()) {
- return ret.error();
- }
- }
- // put apk and its idsig
- if (config.apk.has_value()) {
- std::string apk_path = RelativeTo(config.apk->path, config.dirname);
- if (auto ret = add_partition("microdroid-apk", apk_path); !ret.ok()) {
- return ret.error();
- }
- std::string idsig_path = RelativeTo(config.apk->idsig_path, config.dirname);
- if (auto ret = add_partition("microdroid-apk-idsig", idsig_path); !ret.ok()) {
- return ret.error();
- }
- }
-
- const std::string gpt_header = AppendFileName(output_file, "-header");
- const std::string gpt_footer = AppendFileName(output_file, "-footer");
- CreateCompositeDisk(partitions, gpt_header, gpt_footer, output_file);
- return {};
-}
-
-int main(int argc, char** argv) {
- if (argc < 3 || argc > 4) {
- std::cerr << "Usage: " << argv[0] << " [--metadata-only] <config> <output>\n";
- return 1;
- }
- int arg_index = 1;
- bool metadata_only = false;
- if (strcmp(argv[arg_index], "--metadata-only") == 0) {
- metadata_only = true;
- arg_index++;
- }
-
- auto config = LoadConfig(argv[arg_index++]);
- if (!config.ok()) {
- std::cerr << "bad config: " << config.error() << '\n';
- return 1;
- }
-
- const std::string output_file(argv[arg_index++]);
- const std::string metadata_file =
- metadata_only ? output_file : AppendFileName(output_file, "-metadata");
-
- if (const auto res = MakeMetadata(*config, metadata_file); !res.ok()) {
- std::cerr << res.error() << '\n';
- return 1;
- }
- if (metadata_only) {
- return 0;
- }
- if (const auto res = MakePayload(*config, metadata_file, output_file); !res.ok()) {
- std::cerr << res.error() << '\n';
- return 1;
- }
-
- return 0;
-}
diff --git a/microdroid_manager/aidl/android/system/virtualization/payload/IVmPayloadService.aidl b/microdroid_manager/aidl/android/system/virtualization/payload/IVmPayloadService.aidl
index 3859785..50d437f 100644
--- a/microdroid_manager/aidl/android/system/virtualization/payload/IVmPayloadService.aidl
+++ b/microdroid_manager/aidl/android/system/virtualization/payload/IVmPayloadService.aidl
@@ -67,4 +67,13 @@
* @throws SecurityException if the use of test APIs is not permitted.
*/
byte[] getDiceAttestationCdi();
+
+ /**
+ * Requests a certificate using the provided certificate signing request (CSR).
+ *
+ * TODO(b/271275206): Define the format of the CSR properly.
+ * @param csr the certificate signing request.
+ * @return the X.509 encoded certificate.
+ */
+ byte[] requestCertificate(in byte[] csr);
}
diff --git a/microdroid_manager/src/vm_payload_service.rs b/microdroid_manager/src/vm_payload_service.rs
index 96f51f0..11e6967 100644
--- a/microdroid_manager/src/vm_payload_service.rs
+++ b/microdroid_manager/src/vm_payload_service.rs
@@ -67,6 +67,11 @@
self.check_restricted_apis_allowed()?;
Ok(self.dice.cdi_attest().to_vec())
}
+
+ fn requestCertificate(&self, csr: &[u8]) -> binder::Result<Vec<u8>> {
+ self.check_restricted_apis_allowed()?;
+ self.virtual_machine_service.requestCertificate(csr)
+ }
}
impl Interface for VmPayloadService {}
diff --git a/pvmfw/Android.bp b/pvmfw/Android.bp
index 0571c36..0ae2203 100644
--- a/pvmfw/Android.bp
+++ b/pvmfw/Android.bp
@@ -8,6 +8,8 @@
defaults: ["vmbase_ffi_defaults"],
srcs: ["src/main.rs"],
edition: "2021",
+ // Require unsafe blocks for inside unsafe functions.
+ flags: ["-Dunsafe_op_in_unsafe_fn"],
features: [
"legacy",
],
@@ -15,22 +17,26 @@
"libaarch64_paging",
"libbssl_ffi_nostd",
"libbuddy_system_allocator",
+ "libciborium_nostd",
+ "libciborium_io_nostd",
"libdiced_open_dice_nostd",
"libfdtpci",
"libhyp",
"liblibfdt",
"liblog_rust_nostd",
"libonce_cell_nostd",
+ "libpsci",
"libpvmfw_avb_nostd",
"libpvmfw_embedded_key",
"libpvmfw_fdt_template",
- "libsmccc",
"libstatic_assertions",
"libtinyvec_nostd",
"libuuid_nostd",
"libvirtio_drivers",
"libvmbase",
+ "libzerocopy_nostd",
"libzeroize_nostd",
+ "libspin_nostd",
],
}
diff --git a/pvmfw/README.md b/pvmfw/README.md
index 4e93648..1eb7286 100644
--- a/pvmfw/README.md
+++ b/pvmfw/README.md
@@ -197,16 +197,20 @@
that it differs from the `BccHandover` defined by the specification in that its
`Bcc` field is mandatory (while optional in the original).
-Devices that fully implement DICE should provide a certificate rooted at the
-Unique Device Secret (UDS) in a boot stage preceding the pvmfw loader (typically
-ABL), in such a way that it would receive a valid `BccHandover`, that can be
-passed to [`BccHandoverMainFlow`][BccHandoverMainFlow] along with the inputs
-described below.
+Ideally devices that fully implement DICE should provide a certificate rooted at
+the Unique Device Secret (UDS) in a boot stage preceding the pvmfw loader
+(typically ABL), in such a way that it would receive a valid `BccHandover`, that
+can be passed to [`BccHandoverMainFlow`][BccHandoverMainFlow] along with the
+inputs described below.
-Otherwise, as an intermediate step towards supporting DICE throughout the
-software stack of the device, incomplete implementations may root the BCC at the
-pvmfw loader, using an arbitrary constant as initial CDI. The pvmfw loader can
-easily do so by:
+However, there is a limitation in Android 14 that means that a UDS-rooted DICE
+chain must not be used for pvmfw. A non-UDS rooted DICE chain is recommended for
+Android 14.
+
+As an intermediate step towards supporting DICE throughout the software stack of
+the device, incomplete implementations may root the BCC at the pvmfw loader,
+using an arbitrary constant as initial CDI. The pvmfw loader can easily do so
+by:
1. Building a BCC-less `BccHandover` using CBOR operations
([example][Trusty-BCC]) and containing the constant CDIs
diff --git a/pvmfw/avb/Android.bp b/pvmfw/avb/Android.bp
index 7ed4895..90f3971 100644
--- a/pvmfw/avb/Android.bp
+++ b/pvmfw/avb/Android.bp
@@ -7,6 +7,8 @@
crate_name: "pvmfw_avb",
srcs: ["src/lib.rs"],
prefer_rlib: true,
+ // Require unsafe blocks for inside unsafe functions.
+ flags: ["-Dunsafe_op_in_unsafe_fn"],
rustlibs: [
"libavb_bindgen_nostd",
"libtinyvec_nostd",
diff --git a/pvmfw/avb/src/descriptor.rs b/pvmfw/avb/src/descriptor.rs
index c54d416..cd623ac 100644
--- a/pvmfw/avb/src/descriptor.rs
+++ b/pvmfw/avb/src/descriptor.rs
@@ -14,8 +14,6 @@
//! Structs and functions relating to the descriptors.
-#![warn(unsafe_op_in_unsafe_fn)]
-
use crate::error::{AvbIOError, AvbSlotVerifyError};
use crate::partition::PartitionName;
use crate::utils::{self, is_not_null, to_nonnull, to_usize, usize_checked_add};
diff --git a/pvmfw/src/config.rs b/pvmfw/src/config.rs
index f62a580..b90b136 100644
--- a/pvmfw/src/config.rs
+++ b/pvmfw/src/config.rs
@@ -19,10 +19,11 @@
use core::mem;
use core::ops::Range;
use core::result;
+use zerocopy::{FromBytes, LayoutVerified};
/// Configuration data header.
#[repr(C, packed)]
-#[derive(Clone, Copy, Debug)]
+#[derive(Clone, Copy, Debug, FromBytes)]
struct Header {
/// Magic number; must be `Header::MAGIC`.
magic: u32,
@@ -40,6 +41,8 @@
pub enum Error {
/// Reserved region can't fit configuration header.
BufferTooSmall,
+ /// Header has the wrong alignment
+ HeaderMisaligned,
/// Header doesn't contain the expect magic value.
InvalidMagic,
/// Version of the header isn't supported.
@@ -58,6 +61,7 @@
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
match self {
Self::BufferTooSmall => write!(f, "Reserved region is smaller than config header"),
+ Self::HeaderMisaligned => write!(f, "Reserved region is misaligned"),
Self::InvalidMagic => write!(f, "Wrong magic number"),
Self::UnsupportedVersion(x, y) => write!(f, "Version {x}.{y} not supported"),
Self::InvalidFlags(v) => write!(f, "Flags value {v:#x} is incorrect or reserved"),
@@ -167,7 +171,7 @@
}
#[repr(packed)]
-#[derive(Clone, Copy, Debug)]
+#[derive(Clone, Copy, Debug, FromBytes)]
struct HeaderEntry {
offset: u32,
size: u32,
@@ -187,7 +191,9 @@
pub unsafe fn new(data: &'a mut [u8]) -> Result<Self> {
let header = data.get(..Header::PADDED_SIZE).ok_or(Error::BufferTooSmall)?;
- let header = &*(header.as_ptr() as *const Header);
+ let (header, _) =
+ LayoutVerified::<_, Header>::new_from_prefix(header).ok_or(Error::HeaderMisaligned)?;
+ let header = header.into_ref();
if header.magic != Header::MAGIC {
return Err(Error::InvalidMagic);
@@ -206,11 +212,13 @@
header.get_body_range(Entry::Bcc)?.ok_or(Error::MissingEntry(Entry::Bcc))?;
let dp_range = header.get_body_range(Entry::DebugPolicy)?;
+ let body_size = header.body_size();
+ let total_size = header.total_size();
let body = data
.get_mut(Header::PADDED_SIZE..)
.ok_or(Error::BufferTooSmall)?
- .get_mut(..header.body_size())
- .ok_or_else(|| Error::InvalidSize(header.total_size()))?;
+ .get_mut(..body_size)
+ .ok_or(Error::InvalidSize(total_size))?;
Ok(Self { body, bcc_range, dp_range })
}
diff --git a/pvmfw/src/crypto.rs b/pvmfw/src/crypto.rs
index 0785a7a..d607bee 100644
--- a/pvmfw/src/crypto.rs
+++ b/pvmfw/src/crypto.rs
@@ -248,13 +248,14 @@
///
/// # Safety
///
-/// The caller needs to ensure that the pointer points to a valid C string and that the C lifetime
-/// of the string is compatible with a static Rust lifetime.
+/// The caller needs to ensure that the pointer is null or points to a valid C string and that the
+/// C lifetime of the string is compatible with a static Rust lifetime.
unsafe fn as_static_cstr(p: *const c_char) -> Option<&'static CStr> {
if p.is_null() {
None
} else {
- Some(CStr::from_ptr(p))
+ // Safety: Safe given the requirements of this function.
+ Some(unsafe { CStr::from_ptr(p) })
}
}
diff --git a/pvmfw/src/entry.rs b/pvmfw/src/entry.rs
index e0af856..965d6b9 100644
--- a/pvmfw/src/entry.rs
+++ b/pvmfw/src/entry.rs
@@ -19,13 +19,13 @@
use crate::fdt;
use crate::heap;
use crate::helpers;
-use crate::memory::MemoryTracker;
+use crate::memory::{MemoryTracker, MEMORY};
use crate::mmu;
use crate::rand;
use core::arch::asm;
use core::num::NonZeroUsize;
use core::slice;
-use hyp::mmio_guard;
+use hyp::{get_hypervisor, HypervisorCap};
use log::debug;
use log::error;
use log::info;
@@ -109,6 +109,18 @@
RebootReason::InvalidFdt
})?;
+ if !get_hypervisor().has_cap(HypervisorCap::DYNAMIC_MEM_SHARE) {
+ let range = info.swiotlb_info.fixed_range().ok_or_else(|| {
+ error!("Pre-shared pool range not specified in swiotlb node");
+ RebootReason::InvalidFdt
+ })?;
+
+ memory.init_shared_pool(range).map_err(|e| {
+ error!("Failed to initialize pre-shared pool {e}");
+ RebootReason::InvalidFdt
+ })?;
+ }
+
let kernel_range = if let Some(r) = info.kernel_range {
memory.alloc_range(&r).map_err(|e| {
error!("Failed to obtain the kernel range with DT range: {e}");
@@ -172,12 +184,12 @@
// Use debug!() to avoid printing to the UART if we failed to configure it as only local
// builds that have tweaked the logger::init() call will actually attempt to log the message.
- mmio_guard::init().map_err(|e| {
+ get_hypervisor().mmio_guard_init().map_err(|e| {
debug!("{e}");
RebootReason::InternalError
})?;
- mmio_guard::map(console::BASE_ADDRESS).map_err(|e| {
+ get_hypervisor().mmio_guard_map(console::BASE_ADDRESS).map_err(|e| {
debug!("Failed to configure the UART: {e}");
RebootReason::InternalError
})?;
@@ -217,8 +229,8 @@
unsafe { page_table.activate() };
debug!("... Success!");
- let mut memory = MemoryTracker::new(page_table);
- let slices = MemorySlices::new(fdt, payload, payload_size, &mut memory)?;
+ MEMORY.lock().replace(MemoryTracker::new(page_table));
+ let slices = MemorySlices::new(fdt, payload, payload_size, MEMORY.lock().as_mut().unwrap())?;
rand::init().map_err(|e| {
error!("Failed to initialize rand: {e}");
@@ -226,20 +238,28 @@
})?;
// This wrapper allows main() to be blissfully ignorant of platform details.
- crate::main(slices.fdt, slices.kernel, slices.ramdisk, bcc_slice, debug_policy, &mut memory)?;
+ crate::main(
+ slices.fdt,
+ slices.kernel,
+ slices.ramdisk,
+ bcc_slice,
+ debug_policy,
+ MEMORY.lock().as_mut().unwrap(),
+ )?;
helpers::flushed_zeroize(bcc_slice);
helpers::flush(slices.fdt.as_slice());
info!("Expecting a bug making MMIO_GUARD_UNMAP return NOT_SUPPORTED on success");
- memory.mmio_unmap_all().map_err(|e| {
+ MEMORY.lock().as_mut().unwrap().mmio_unmap_all().map_err(|e| {
error!("Failed to unshare MMIO ranges: {e}");
RebootReason::InternalError
})?;
- mmio_guard::unmap(console::BASE_ADDRESS).map_err(|e| {
+ get_hypervisor().mmio_guard_unmap(console::BASE_ADDRESS).map_err(|e| {
error!("Failed to unshare the UART: {e}");
RebootReason::InternalError
})?;
+ MEMORY.lock().take().unwrap();
Ok(slices.kernel.as_ptr() as usize)
}
@@ -309,7 +329,9 @@
// pvmfw is contained in a 2MiB region so the payload can't be larger than the 2MiB alignment.
let size = helpers::align_up(base, helpers::SIZE_2MB).unwrap() - base;
- slice::from_raw_parts_mut(base as *mut u8, size)
+ // SAFETY: This region is mapped and the linker script prevents it from overlapping with other
+ // objects.
+ unsafe { slice::from_raw_parts_mut(base as *mut u8, size) }
}
enum AppendedConfigType {
@@ -328,8 +350,13 @@
impl<'a> AppendedPayload<'a> {
/// SAFETY - 'data' should respect the alignment of config::Header.
unsafe fn new(data: &'a mut [u8]) -> Option<Self> {
- match Self::guess_config_type(data) {
- AppendedConfigType::Valid => Some(Self::Config(config::Config::new(data).unwrap())),
+ // Safety: This fn has the same constraint as us.
+ match unsafe { Self::guess_config_type(data) } {
+ AppendedConfigType::Valid => {
+ // Safety: This fn has the same constraint as us.
+ let config = unsafe { config::Config::new(data) };
+ Some(Self::Config(config.unwrap()))
+ }
AppendedConfigType::NotFound if cfg!(feature = "legacy") => {
const BCC_SIZE: usize = helpers::SIZE_4KB;
warn!("Assuming the appended data at {:?} to be a raw BCC", data.as_ptr());
@@ -339,11 +366,14 @@
}
}
+ /// SAFETY - 'data' should respect the alignment of config::Header.
unsafe fn guess_config_type(data: &mut [u8]) -> AppendedConfigType {
// This function is necessary to prevent the borrow checker from getting confused
// about the ownership of data in new(); see https://users.rust-lang.org/t/78467.
let addr = data.as_ptr();
- match config::Config::new(data) {
+
+ // Safety: This fn has the same constraint as us.
+ match unsafe { config::Config::new(data) } {
Err(config::Error::InvalidMagic) => {
warn!("No configuration data found at {addr:?}");
AppendedConfigType::NotFound
diff --git a/pvmfw/src/exceptions.rs b/pvmfw/src/exceptions.rs
index 42f4c3b..462a9cc 100644
--- a/pvmfw/src/exceptions.rs
+++ b/pvmfw/src/exceptions.rs
@@ -15,40 +15,110 @@
//! Exception handlers.
use crate::{helpers::page_4kb_of, read_sysreg};
+use core::fmt;
use vmbase::console;
-use vmbase::{console::emergency_write_str, eprintln, power::reboot};
+use vmbase::logger;
+use vmbase::{eprintln, power::reboot};
-const ESR_32BIT_EXT_DABT: usize = 0x96000010;
const UART_PAGE: usize = page_4kb_of(console::BASE_ADDRESS);
+#[derive(Debug)]
+enum HandleExceptionError {
+ UnknownException,
+}
+
+impl fmt::Display for HandleExceptionError {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ match self {
+ Self::UnknownException => write!(f, "An unknown exception occurred, not handled."),
+ }
+ }
+}
+
+#[derive(Debug, PartialEq, Copy, Clone)]
+enum Esr {
+ DataAbortTranslationFault,
+ DataAbortPermissionFault,
+ DataAbortSyncExternalAbort,
+ Unknown(usize),
+}
+
+impl Esr {
+ const EXT_DABT_32BIT: usize = 0x96000010;
+ const TRANSL_FAULT_BASE_32BIT: usize = 0x96000004;
+ const TRANSL_FAULT_ISS_MASK_32BIT: usize = !0x143;
+ const PERM_FAULT_BASE_32BIT: usize = 0x9600004C;
+ const PERM_FAULT_ISS_MASK_32BIT: usize = !0x103;
+}
+
+impl From<usize> for Esr {
+ fn from(esr: usize) -> Self {
+ if esr == Self::EXT_DABT_32BIT {
+ Self::DataAbortSyncExternalAbort
+ } else if esr & Self::TRANSL_FAULT_ISS_MASK_32BIT == Self::TRANSL_FAULT_BASE_32BIT {
+ Self::DataAbortTranslationFault
+ } else if esr & Self::PERM_FAULT_ISS_MASK_32BIT == Self::PERM_FAULT_BASE_32BIT {
+ Self::DataAbortPermissionFault
+ } else {
+ Self::Unknown(esr)
+ }
+ }
+}
+
+impl fmt::Display for Esr {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ match self {
+ Self::DataAbortSyncExternalAbort => write!(f, "Synchronous external abort"),
+ Self::DataAbortTranslationFault => write!(f, "Translation fault"),
+ Self::DataAbortPermissionFault => write!(f, "Permission fault"),
+ Self::Unknown(v) => write!(f, "Unknown exception esr={v:#08x}"),
+ }
+ }
+}
+
+fn handle_exception(_esr: Esr, _far: usize) -> Result<(), HandleExceptionError> {
+ Err(HandleExceptionError::UnknownException)
+}
+
+#[inline]
+fn handling_uart_exception(esr: Esr, far: usize) -> bool {
+ esr == Esr::DataAbortSyncExternalAbort && page_4kb_of(far) == UART_PAGE
+}
+
#[no_mangle]
extern "C" fn sync_exception_current(_elr: u64, _spsr: u64) {
- let esr = read_sysreg!("esr_el1");
+ // Disable logging in exception handler to prevent unsafe writes to UART.
+ let _guard = logger::suppress();
+ let esr: Esr = read_sysreg!("esr_el1").into();
let far = read_sysreg!("far_el1");
- // Don't print to the UART if we're handling the exception it could raise.
- if esr != ESR_32BIT_EXT_DABT || page_4kb_of(far) != UART_PAGE {
- emergency_write_str("sync_exception_current\n");
- eprintln!("esr={esr:#08x}");
+
+ if let Err(e) = handle_exception(esr, far) {
+ // Don't print to the UART if we are handling an exception it could raise.
+ if !handling_uart_exception(esr, far) {
+ eprintln!("sync_exception_current");
+ eprintln!("{e}");
+ eprintln!("{esr}, far={far:#08x}");
+ }
+ reboot()
}
- reboot();
}
#[no_mangle]
extern "C" fn irq_current(_elr: u64, _spsr: u64) {
- emergency_write_str("irq_current\n");
+ eprintln!("irq_current");
reboot();
}
#[no_mangle]
extern "C" fn fiq_current(_elr: u64, _spsr: u64) {
- emergency_write_str("fiq_current\n");
+ eprintln!("fiq_current");
reboot();
}
#[no_mangle]
extern "C" fn serr_current(_elr: u64, _spsr: u64) {
let esr = read_sysreg!("esr_el1");
- emergency_write_str("serr_current\n");
+ eprintln!("serr_current");
eprintln!("esr={esr:#08x}");
reboot();
}
@@ -56,27 +126,27 @@
#[no_mangle]
extern "C" fn sync_lower(_elr: u64, _spsr: u64) {
let esr = read_sysreg!("esr_el1");
- emergency_write_str("sync_lower\n");
+ eprintln!("sync_lower");
eprintln!("esr={esr:#08x}");
reboot();
}
#[no_mangle]
extern "C" fn irq_lower(_elr: u64, _spsr: u64) {
- emergency_write_str("irq_lower\n");
+ eprintln!("irq_lower");
reboot();
}
#[no_mangle]
extern "C" fn fiq_lower(_elr: u64, _spsr: u64) {
- emergency_write_str("fiq_lower\n");
+ eprintln!("fiq_lower");
reboot();
}
#[no_mangle]
extern "C" fn serr_lower(_elr: u64, _spsr: u64) {
let esr = read_sysreg!("esr_el1");
- emergency_write_str("serr_lower\n");
+ eprintln!("serr_lower");
eprintln!("esr={esr:#08x}");
reboot();
}
diff --git a/pvmfw/src/fdt.rs b/pvmfw/src/fdt.rs
index c68fc6d..70916ac 100644
--- a/pvmfw/src/fdt.rs
+++ b/pvmfw/src/fdt.rs
@@ -17,6 +17,7 @@
use crate::bootargs::BootArgsIterator;
use crate::cstr;
use crate::helpers::flatten;
+use crate::helpers::RangeExt;
use crate::helpers::GUEST_PAGE_SIZE;
use crate::helpers::SIZE_4KB;
use crate::memory::BASE_ADDR;
@@ -435,40 +436,79 @@
}
#[derive(Debug)]
-struct SwiotlbInfo {
- size: u64,
- align: u64,
+pub struct SwiotlbInfo {
+ addr: Option<usize>,
+ size: usize,
+ align: usize,
+}
+
+impl SwiotlbInfo {
+ pub fn fixed_range(&self) -> Option<Range<usize>> {
+ self.addr.map(|addr| addr..addr + self.size)
+ }
}
fn read_swiotlb_info_from(fdt: &Fdt) -> libfdt::Result<SwiotlbInfo> {
let node =
fdt.compatible_nodes(cstr!("restricted-dma-pool"))?.next().ok_or(FdtError::NotFound)?;
- let size = node.getprop_u64(cstr!("size"))?.ok_or(FdtError::NotFound)?;
- let align = node.getprop_u64(cstr!("alignment"))?.ok_or(FdtError::NotFound)?;
- Ok(SwiotlbInfo { size, align })
+ let align =
+ node.getprop_u64(cstr!("alignment"))?.ok_or(FdtError::NotFound)?.try_into().unwrap();
+
+ let (addr, size) = if let Some(mut reg) = node.reg()? {
+ let reg = reg.next().ok_or(FdtError::NotFound)?;
+ let size = reg.size.ok_or(FdtError::NotFound)?;
+ reg.addr.checked_add(size).ok_or(FdtError::BadValue)?;
+ (Some(reg.addr.try_into().unwrap()), size.try_into().unwrap())
+ } else {
+ let size = node.getprop_u64(cstr!("size"))?.ok_or(FdtError::NotFound)?.try_into().unwrap();
+ (None, size)
+ };
+
+ Ok(SwiotlbInfo { addr, size, align })
}
-fn validate_swiotlb_info(swiotlb_info: &SwiotlbInfo) -> Result<(), RebootReason> {
+fn validate_swiotlb_info(
+ swiotlb_info: &SwiotlbInfo,
+ memory: &Range<usize>,
+) -> Result<(), RebootReason> {
let size = swiotlb_info.size;
let align = swiotlb_info.align;
- if size == 0 || (size % GUEST_PAGE_SIZE as u64) != 0 {
+ if size == 0 || (size % GUEST_PAGE_SIZE) != 0 {
error!("Invalid swiotlb size {:#x}", size);
return Err(RebootReason::InvalidFdt);
}
- if (align % GUEST_PAGE_SIZE as u64) != 0 {
+ if (align % GUEST_PAGE_SIZE) != 0 {
error!("Invalid swiotlb alignment {:#x}", align);
return Err(RebootReason::InvalidFdt);
}
+
+ if let Some(range) = swiotlb_info.fixed_range() {
+ if !range.is_within(memory) {
+ error!("swiotlb range {range:#x?} not part of memory range {memory:#x?}");
+ return Err(RebootReason::InvalidFdt);
+ }
+ }
+
Ok(())
}
fn patch_swiotlb_info(fdt: &mut Fdt, swiotlb_info: &SwiotlbInfo) -> libfdt::Result<()> {
let mut node =
fdt.root_mut()?.next_compatible(cstr!("restricted-dma-pool"))?.ok_or(FdtError::NotFound)?;
- node.setprop_inplace(cstr!("size"), &swiotlb_info.size.to_be_bytes())?;
node.setprop_inplace(cstr!("alignment"), &swiotlb_info.align.to_be_bytes())?;
+
+ if let Some(range) = swiotlb_info.fixed_range() {
+ node.appendprop_addrrange(
+ cstr!("reg"),
+ range.start.try_into().unwrap(),
+ range.len().try_into().unwrap(),
+ )?;
+ } else {
+ node.setprop_inplace(cstr!("size"), &swiotlb_info.size.to_be_bytes())?;
+ }
+
Ok(())
}
@@ -540,7 +580,7 @@
num_cpus: usize,
pci_info: PciInfo,
serial_info: SerialInfo,
- swiotlb_info: SwiotlbInfo,
+ pub swiotlb_info: SwiotlbInfo,
}
impl DeviceTreeInfo {
@@ -603,7 +643,7 @@
error!("Failed to read swiotlb info from DT: {e}");
RebootReason::InvalidFdt
})?;
- validate_swiotlb_info(&swiotlb_info)?;
+ validate_swiotlb_info(&swiotlb_info, &memory_range)?;
Ok(DeviceTreeInfo {
kernel_range,
diff --git a/pvmfw/src/gpt.rs b/pvmfw/src/gpt.rs
index 6af3047..c3ccb5a 100644
--- a/pvmfw/src/gpt.rs
+++ b/pvmfw/src/gpt.rs
@@ -25,6 +25,7 @@
use static_assertions::const_assert_eq;
use uuid::Uuid;
use virtio_drivers::device::blk::SECTOR_SIZE;
+use zerocopy::FromBytes;
pub enum Error {
/// VirtIO error during read operation.
@@ -101,8 +102,10 @@
fn new(mut device: VirtIOBlk) -> Result<Self> {
let mut blk = [0; Self::LBA_SIZE];
device.read_block(Header::LBA, &mut blk).map_err(Error::FailedRead)?;
- let (header_bytes, _) = blk.split_at(size_of::<Header>());
- let header = Header::from_bytes(header_bytes).ok_or(Error::InvalidHeader)?;
+ let header = Header::read_from_prefix(blk.as_slice()).unwrap();
+ if !header.is_valid() {
+ return Err(Error::InvalidHeader);
+ }
let entries_count = usize::try_from(header.entries_count()).unwrap();
Ok(Self { device, entries_count })
@@ -151,6 +154,7 @@
type Lba = u64;
/// Structure as defined in release 2.10 of the UEFI Specification (5.3.2 GPT Header).
+#[derive(FromBytes)]
#[repr(C, packed)]
struct Header {
signature: u64,
@@ -162,7 +166,7 @@
backup_lba: Lba,
first_lba: Lba,
last_lba: Lba,
- disk_guid: Uuid,
+ disk_guid: u128,
entries_lba: Lba,
entries_count: u32,
entry_size: u32,
@@ -176,20 +180,6 @@
const LBA: usize = 1;
const ENTRIES_LBA: usize = 2;
- fn from_bytes(bytes: &[u8]) -> Option<&Self> {
- let bytes = bytes.get(..size_of::<Self>())?;
- // SAFETY - We assume that bytes is properly aligned for Header and have verified above
- // that it holds enough bytes. All potential values of the slice will produce a valid
- // Header.
- let header = unsafe { &*bytes.as_ptr().cast::<Self>() };
-
- if header.is_valid() {
- Some(header)
- } else {
- None
- }
- }
-
fn is_valid(&self) -> bool {
self.signature() == Self::SIGNATURE
&& self.header_size() == size_of::<Self>().try_into().unwrap()
diff --git a/pvmfw/src/heap.rs b/pvmfw/src/heap.rs
index eea2e98..151049e 100644
--- a/pvmfw/src/heap.rs
+++ b/pvmfw/src/heap.rs
@@ -27,15 +27,22 @@
use buddy_system_allocator::LockedHeap;
-#[global_allocator]
-static HEAP_ALLOCATOR: LockedHeap<32> = LockedHeap::<32>::new();
-
/// 128 KiB
const HEAP_SIZE: usize = 0x20000;
static mut HEAP: [u8; HEAP_SIZE] = [0; HEAP_SIZE];
+#[global_allocator]
+static HEAP_ALLOCATOR: LockedHeap<32> = LockedHeap::<32>::new();
+
+/// SAFETY: Must be called no more than once.
pub unsafe fn init() {
- HEAP_ALLOCATOR.lock().init(HEAP.as_mut_ptr() as usize, HEAP.len());
+ // SAFETY: Nothing else accesses this memory, and we hand it over to the heap to manage and
+ // never touch it again. The heap is locked, so there cannot be any races.
+ let (start, size) = unsafe { (HEAP.as_mut_ptr() as usize, HEAP.len()) };
+
+ let mut heap = HEAP_ALLOCATOR.lock();
+ // SAFETY: We are supplying a valid memory range, and we only do this once.
+ unsafe { heap.init(start, size) };
}
/// Allocate an aligned but uninitialized slice of heap.
@@ -53,7 +60,7 @@
#[no_mangle]
unsafe extern "C" fn malloc(size: usize) -> *mut c_void {
- malloc_(size, false).map_or(ptr::null_mut(), |p| p.cast::<c_void>().as_ptr())
+ allocate(size, false).map_or(ptr::null_mut(), |p| p.cast::<c_void>().as_ptr())
}
#[no_mangle]
@@ -61,31 +68,69 @@
let Some(size) = nmemb.checked_mul(size) else {
return ptr::null_mut()
};
- malloc_(size, true).map_or(ptr::null_mut(), |p| p.cast::<c_void>().as_ptr())
+ allocate(size, true).map_or(ptr::null_mut(), |p| p.cast::<c_void>().as_ptr())
}
#[no_mangle]
+/// SAFETY: ptr must be null or point to a currently-allocated block returned by allocate (either
+/// directly or via malloc or calloc). Note that this function is called directly from C, so we have
+/// to trust that the C code is doing the right thing; there are checks below which will catch some
+/// errors.
unsafe extern "C" fn free(ptr: *mut c_void) {
- if let Some(ptr) = NonNull::new(ptr).map(|p| p.cast::<usize>().as_ptr().offset(-1)) {
- if let Some(size) = NonZeroUsize::new(*ptr) {
- if let Some(layout) = malloc_layout(size) {
- HEAP_ALLOCATOR.dealloc(ptr as *mut u8, layout);
- }
+ let Some(ptr) = NonNull::new(ptr) else { return };
+ // SAFETY: The contents of the HEAP slice may change, but the address range never does.
+ let heap_range = unsafe { HEAP.as_ptr_range() };
+ assert!(
+ heap_range.contains(&(ptr.as_ptr() as *const u8)),
+ "free() called on a pointer that is not part of the HEAP: {ptr:?}"
+ );
+ let (ptr, size) = unsafe {
+ // SAFETY: ptr is non-null and was allocated by allocate, which prepends a correctly aligned
+ // usize.
+ let ptr = ptr.cast::<usize>().as_ptr().offset(-1);
+ (ptr, *ptr)
+ };
+ let size = NonZeroUsize::new(size).unwrap();
+ let layout = malloc_layout(size).unwrap();
+ // SAFETY: If our precondition is satisfied, then this is a valid currently-allocated block.
+ unsafe { HEAP_ALLOCATOR.dealloc(ptr as *mut u8, layout) }
+}
+
+/// Allocate a block of memory suitable to return from `malloc()` etc. Returns a valid pointer
+/// to a suitable aligned region of size bytes, optionally zeroed (and otherwise uninitialized), or
+/// None if size is 0 or allocation fails. The block can be freed by passing the returned pointer to
+/// `free()`.
+fn allocate(size: usize, zeroed: bool) -> Option<NonNull<usize>> {
+ let size = NonZeroUsize::new(size)?.checked_add(mem::size_of::<usize>())?;
+ let layout = malloc_layout(size)?;
+ // SAFETY: layout is known to have non-zero size.
+ let ptr = unsafe {
+ if zeroed {
+ HEAP_ALLOCATOR.alloc_zeroed(layout)
+ } else {
+ HEAP_ALLOCATOR.alloc(layout)
}
+ };
+ let ptr = NonNull::new(ptr)?.cast::<usize>().as_ptr();
+ // SAFETY: ptr points to a newly allocated block of memory which is properly aligned
+ // for a usize and is big enough to hold a usize as well as the requested number of
+ // bytes.
+ unsafe {
+ *ptr = size.get();
+ NonNull::new(ptr.offset(1))
}
}
-unsafe fn malloc_(size: usize, zeroed: bool) -> Option<NonNull<usize>> {
- let size = NonZeroUsize::new(size)?.checked_add(mem::size_of::<usize>())?;
- let layout = malloc_layout(size)?;
- let ptr =
- if zeroed { HEAP_ALLOCATOR.alloc_zeroed(layout) } else { HEAP_ALLOCATOR.alloc(layout) };
- let ptr = NonNull::new(ptr)?.cast::<usize>().as_ptr();
- *ptr = size.get();
- NonNull::new(ptr.offset(1))
+fn malloc_layout(size: NonZeroUsize) -> Option<Layout> {
+ // We want at least 8 byte alignment, and we need to be able to store a usize.
+ const ALIGN: usize = const_max_size(mem::size_of::<usize>(), mem::size_of::<u64>());
+ Layout::from_size_align(size.get(), ALIGN).ok()
}
-fn malloc_layout(size: NonZeroUsize) -> Option<Layout> {
- const ALIGN: usize = mem::size_of::<u64>();
- Layout::from_size_align(size.get(), ALIGN).ok()
+const fn const_max_size(a: usize, b: usize) -> usize {
+ if a > b {
+ a
+ } else {
+ b
+ }
}
diff --git a/pvmfw/src/helpers.rs b/pvmfw/src/helpers.rs
index 9c739d1..933a6aa 100644
--- a/pvmfw/src/helpers.rs
+++ b/pvmfw/src/helpers.rs
@@ -15,12 +15,15 @@
//! Miscellaneous helper functions.
use core::arch::asm;
+use core::ops::Range;
use zeroize::Zeroize;
pub const SIZE_4KB: usize = 4 << 10;
pub const SIZE_2MB: usize = 2 << 20;
+pub const SIZE_4MB: usize = 4 << 20;
pub const GUEST_PAGE_SIZE: usize = SIZE_4KB;
+pub const PVMFW_PAGE_SIZE: usize = SIZE_4KB;
/// Read a value from a system register.
#[macro_export]
@@ -161,6 +164,18 @@
unsafe { core::slice::from_raw_parts(original.as_ptr().cast(), len) }
}
+/// Trait to check containment of one range within another.
+pub(crate) trait RangeExt {
+ /// Returns true if `self` is contained within the `other` range.
+ fn is_within(&self, other: &Self) -> bool;
+}
+
+impl<T: PartialOrd> RangeExt for Range<T> {
+ fn is_within(&self, other: &Self) -> bool {
+ self.start >= other.start && self.end <= other.end
+ }
+}
+
/// Create &CStr out of &str literal
#[macro_export]
macro_rules! cstr {
diff --git a/pvmfw/src/hvc.rs b/pvmfw/src/hvc.rs
index 6c5017f..1e2bca2 100644
--- a/pvmfw/src/hvc.rs
+++ b/pvmfw/src/hvc.rs
@@ -15,6 +15,11 @@
//! Wrappers around calls to the hypervisor.
pub mod trng;
+use self::trng::Error;
+use psci::smccc::{
+ error::{positive_or_error_64, success_or_error_64},
+ hvc64,
+};
// TODO(b/272226230): Move all the trng functions to trng module
const ARM_SMCCC_TRNG_VERSION: u32 = 0x8400_0050;
@@ -30,7 +35,7 @@
pub fn trng_version() -> trng::Result<(u16, u16)> {
let args = [0u64; 17];
- let version = trng::hvc64(ARM_SMCCC_TRNG_VERSION, args)?[0];
+ let version = positive_or_error_64::<Error>(hvc64(ARM_SMCCC_TRNG_VERSION, args)[0])?;
Ok(((version >> 16) as u16, version as u16))
}
@@ -40,7 +45,8 @@
let mut args = [0u64; 17];
args[0] = nbits;
- let regs = trng::hvc64_expect_zero(ARM_SMCCC_TRNG_RND64, args)?;
+ let regs = hvc64(ARM_SMCCC_TRNG_RND64, args);
+ success_or_error_64::<Error>(regs[0])?;
Ok((regs[1], regs[2], regs[3]))
}
diff --git a/pvmfw/src/hvc/trng.rs b/pvmfw/src/hvc/trng.rs
index 05ecc6b..6331d66 100644
--- a/pvmfw/src/hvc/trng.rs
+++ b/pvmfw/src/hvc/trng.rs
@@ -42,23 +42,16 @@
}
}
+impl From<i64> for Error {
+ fn from(value: i64) -> Self {
+ match value {
+ -1 => Error::NotSupported,
+ -2 => Error::InvalidParameter,
+ -3 => Error::NoEntropy,
+ _ if value < 0 => Error::Unknown(value),
+ _ => Error::Unexpected(value as u64),
+ }
+ }
+}
+
pub type Result<T> = result::Result<T, Error>;
-
-pub fn hvc64(function: u32, args: [u64; 17]) -> Result<[u64; 18]> {
- let res = smccc::hvc64(function, args);
- match res[0] as i64 {
- ret if ret >= 0 => Ok(res),
- -1 => Err(Error::NotSupported),
- -2 => Err(Error::InvalidParameter),
- -3 => Err(Error::NoEntropy),
- ret => Err(Error::Unknown(ret)),
- }
-}
-
-pub fn hvc64_expect_zero(function: u32, args: [u64; 17]) -> Result<[u64; 18]> {
- let res = hvc64(function, args)?;
- match res[0] {
- 0 => Ok(res),
- v => Err(Error::Unexpected(v)),
- }
-}
diff --git a/pvmfw/src/instance.rs b/pvmfw/src/instance.rs
index a974543..95ddefd 100644
--- a/pvmfw/src/instance.rs
+++ b/pvmfw/src/instance.rs
@@ -26,13 +26,14 @@
use crate::virtio::pci::VirtIOBlkIterator;
use core::fmt;
use core::mem::size_of;
-use core::slice;
use diced_open_dice::DiceMode;
use diced_open_dice::Hash;
use diced_open_dice::Hidden;
use log::trace;
use uuid::Uuid;
use virtio_drivers::transport::pci::bus::PciRoot;
+use zerocopy::AsBytes;
+use zerocopy::FromBytes;
pub enum Error {
/// Unexpected I/O error while accessing the underlying disk.
@@ -121,7 +122,7 @@
let aead = AeadCtx::new_aes_256_gcm_randnonce(&key).map_err(Error::FailedOpen)?;
let decrypted = aead.open(&mut entry, payload).map_err(Error::FailedOpen)?;
- let body: &EntryBody = decrypted.as_ref();
+ let body = EntryBody::read_from(decrypted).unwrap();
if body.code_hash != dice_inputs.code_hash {
Err(Error::RecordedCodeHashMismatch)
} else if body.auth_hash != dice_inputs.auth_hash {
@@ -134,22 +135,21 @@
}
PvmfwEntry::New { header_index } => {
let salt = rand::random_array().map_err(Error::FailedSaltGeneration)?;
- let entry_body = EntryBody::new(dice_inputs, &salt);
- let body = entry_body.as_ref();
+ let body = EntryBody::new(dice_inputs, &salt);
let key = key.map_err(Error::FailedSeal)?;
let aead = AeadCtx::new_aes_256_gcm_randnonce(&key).map_err(Error::FailedSeal)?;
// We currently only support single-blk entries.
- assert!(body.len() + aead.aead().unwrap().max_overhead() < blk.len());
- let encrypted = aead.seal(&mut blk, body).map_err(Error::FailedSeal)?;
+ let plaintext = body.as_bytes();
+ assert!(plaintext.len() + aead.aead().unwrap().max_overhead() < blk.len());
+ let encrypted = aead.seal(&mut blk, plaintext).map_err(Error::FailedSeal)?;
let payload_size = encrypted.len();
let payload_index = header_index + 1;
instance_img.write_block(payload_index, &blk).map_err(Error::FailedIo)?;
let header = EntryHeader::new(PvmfwEntry::UUID, payload_size);
- let (blk_header, blk_rest) = blk.split_at_mut(size_of::<EntryHeader>());
- blk_header.copy_from_slice(header.as_ref());
- blk_rest.fill(0);
+ header.write_to_prefix(blk.as_mut_slice()).unwrap();
+ blk[header.as_bytes().len()..].fill(0);
instance_img.write_block(header_index, &blk).map_err(Error::FailedIo)?;
Ok((true, salt))
@@ -157,6 +157,7 @@
}
}
+#[derive(FromBytes)]
#[repr(C, packed)]
struct Header {
magic: [u8; Header::MAGIC.len()],
@@ -174,23 +175,6 @@
fn version(&self) -> u16 {
u16::from_le(self.version)
}
-
- fn from_bytes(bytes: &[u8]) -> Option<&Self> {
- let header: &Self = bytes.as_ref();
-
- if header.is_valid() {
- Some(header)
- } else {
- None
- }
- }
-}
-
-impl AsRef<Header> for [u8] {
- fn as_ref(&self) -> &Header {
- // SAFETY - Assume that the alignement and size match Header.
- unsafe { &*self.as_ptr().cast::<Header>() }
- }
}
fn find_instance_img(pci_root: &mut PciRoot) -> Result<Partition> {
@@ -223,12 +207,15 @@
let header_index = indices.next().ok_or(Error::MissingInstanceImageHeader)?;
partition.read_block(header_index, &mut blk).map_err(Error::FailedIo)?;
// The instance.img header is only used for discovery/validation.
- let _ = Header::from_bytes(&blk).ok_or(Error::InvalidInstanceImageHeader)?;
+ let header = Header::read_from_prefix(blk.as_slice()).unwrap();
+ if !header.is_valid() {
+ return Err(Error::InvalidInstanceImageHeader);
+ }
while let Some(header_index) = indices.next() {
partition.read_block(header_index, &mut blk).map_err(Error::FailedIo)?;
- let header: &EntryHeader = blk[..size_of::<EntryHeader>()].as_ref();
+ let header = EntryHeader::read_from_prefix(blk.as_slice()).unwrap();
match (header.uuid(), header.payload_size()) {
(uuid, _) if uuid.is_nil() => return Ok(PvmfwEntry::New { header_index }),
(PvmfwEntry::UUID, payload_size) => {
@@ -250,7 +237,8 @@
/// Marks the start of an instance.img entry.
///
/// Note: Virtualization/microdroid_manager/src/instance.rs uses the name "partition".
-#[repr(C)]
+#[derive(AsBytes, FromBytes)]
+#[repr(C, packed)]
struct EntryHeader {
uuid: u128,
payload_size: u64,
@@ -270,22 +258,7 @@
}
}
-impl AsRef<EntryHeader> for [u8] {
- fn as_ref(&self) -> &EntryHeader {
- assert_eq!(self.len(), size_of::<EntryHeader>());
- // SAFETY - The size of the slice was checked and any value may be considered valid.
- unsafe { &*self.as_ptr().cast::<EntryHeader>() }
- }
-}
-
-impl AsRef<[u8]> for EntryHeader {
- fn as_ref(&self) -> &[u8] {
- let s = self as *const Self;
- // SAFETY - Transmute the (valid) bytes into a slice.
- unsafe { slice::from_raw_parts(s.cast::<u8>(), size_of::<Self>()) }
- }
-}
-
+#[derive(AsBytes, FromBytes)]
#[repr(C)]
struct EntryBody {
code_hash: Hash,
@@ -320,19 +293,3 @@
}
}
}
-
-impl AsRef<EntryBody> for [u8] {
- fn as_ref(&self) -> &EntryBody {
- assert_eq!(self.len(), size_of::<EntryBody>());
- // SAFETY - The size of the slice was checked and members are validated by accessors.
- unsafe { &*self.as_ptr().cast::<EntryBody>() }
- }
-}
-
-impl AsRef<[u8]> for EntryBody {
- fn as_ref(&self) -> &[u8] {
- let s = self as *const Self;
- // SAFETY - Transmute the (valid) bytes into a slice.
- unsafe { slice::from_raw_parts(s.cast::<u8>(), size_of::<Self>()) }
- }
-}
diff --git a/pvmfw/src/main.rs b/pvmfw/src/main.rs
index a773f1a..1c22861 100644
--- a/pvmfw/src/main.rs
+++ b/pvmfw/src/main.rs
@@ -37,6 +37,7 @@
mod virtio;
use alloc::boxed::Box;
+use alloc::string::ToString;
use crate::dice::PartialInputs;
use crate::entry::RebootReason;
@@ -46,6 +47,7 @@
use crate::instance::get_or_generate_instance_salt;
use crate::memory::MemoryTracker;
use crate::virtio::pci;
+use ciborium::{de::from_reader, value::Value};
use diced_open_dice::bcc_handover_main_flow;
use diced_open_dice::bcc_handover_parse;
use diced_open_dice::DiceArtifacts;
@@ -58,6 +60,19 @@
const NEXT_BCC_SIZE: usize = GUEST_PAGE_SIZE;
+type CiboriumError = ciborium::de::Error<ciborium_io::EndOfFile>;
+
+/// Decodes the provided binary CBOR-encoded value and returns a
+/// ciborium::Value struct wrapped in Result.
+fn value_from_bytes(mut bytes: &[u8]) -> Result<Value, CiboriumError> {
+ let value = from_reader(&mut bytes)?;
+ // Ciborium tries to read one Value, but doesn't care if there is trailing data. We do.
+ if !bytes.is_empty() {
+ return Err(CiboriumError::Semantic(Some(0), "unexpected trailing data".to_string()));
+ }
+ Ok(value)
+}
+
fn main(
fdt: &mut Fdt,
signed_kernel: &[u8],
@@ -81,6 +96,18 @@
})?;
trace!("BCC: {bcc_handover:x?}");
+ // Minimal BCC verification - check the BCC exists & is valid CBOR.
+ // TODO(alanstokes): Do something more useful.
+ if let Some(bytes) = bcc_handover.bcc() {
+ let _ = value_from_bytes(bytes).map_err(|e| {
+ error!("Invalid BCC: {e:?}");
+ RebootReason::InvalidBcc
+ })?;
+ } else {
+ error!("Missing BCC");
+ return Err(RebootReason::InvalidBcc);
+ }
+
// Set up PCI bus for VirtIO devices.
let pci_info = PciInfo::from_fdt(fdt).map_err(handle_pci_error)?;
debug!("PCI: {:#x?}", pci_info);
diff --git a/pvmfw/src/memory.rs b/pvmfw/src/memory.rs
index fde3f9b..a2b7e09 100644
--- a/pvmfw/src/memory.rs
+++ b/pvmfw/src/memory.rs
@@ -16,11 +16,14 @@
#![deny(unsafe_op_in_unsafe_fn)]
-use crate::helpers::{self, align_down, align_up, page_4kb_of, SIZE_4KB};
+use crate::helpers::{self, align_down, align_up, page_4kb_of, RangeExt, SIZE_4KB, SIZE_4MB};
use crate::mmu;
use alloc::alloc::alloc_zeroed;
use alloc::alloc::dealloc;
use alloc::alloc::handle_alloc_error;
+use alloc::boxed::Box;
+use buddy_system_allocator::LockedHeap;
+use core::alloc::GlobalAlloc as _;
use core::alloc::Layout;
use core::cmp::max;
use core::cmp::min;
@@ -29,8 +32,10 @@
use core::ops::Range;
use core::ptr::NonNull;
use core::result;
-use hyp::{hyp_meminfo, mem_share, mem_unshare, mmio_guard};
+use hyp::get_hypervisor;
use log::error;
+use once_cell::race::OnceBox;
+use spin::mutex::SpinMutex;
use tinyvec::ArrayVec;
/// Base of the system's contiguous "main" memory.
@@ -40,6 +45,9 @@
pub type MemoryRange = Range<usize>;
+pub static MEMORY: SpinMutex<Option<MemoryTracker>> = SpinMutex::new(None);
+unsafe impl Send for MemoryTracker {}
+
#[derive(Clone, Copy, Debug, Default)]
enum MemoryType {
#[default]
@@ -61,8 +69,7 @@
/// True if the instance is fully contained within the passed range.
pub fn is_within(&self, range: &MemoryRange) -> bool {
- let our: &MemoryRange = self.as_ref();
- self.as_ref() == &(max(our.start, range.start)..min(our.end, range.end))
+ self.as_ref().is_within(range)
}
}
@@ -102,8 +109,10 @@
Overlaps,
/// Region couldn't be mapped.
FailedToMap,
- /// Error from an MMIO guard call.
- MmioGuard(mmio_guard::Error),
+ /// Error from the interaction with the hypervisor.
+ Hypervisor(hyp::Error),
+ /// Failure to set `SHARED_POOL`.
+ SharedPoolSetFailure,
}
impl fmt::Display for MemoryTrackerError {
@@ -116,22 +125,26 @@
Self::OutOfRange => write!(f, "Region is out of the tracked memory address space"),
Self::Overlaps => write!(f, "New region overlaps with tracked regions"),
Self::FailedToMap => write!(f, "Failed to map the new region"),
- Self::MmioGuard(e) => e.fmt(f),
+ Self::Hypervisor(e) => e.fmt(f),
+ Self::SharedPoolSetFailure => write!(f, "Failed to set SHARED_POOL"),
}
}
}
-impl From<mmio_guard::Error> for MemoryTrackerError {
- fn from(e: mmio_guard::Error) -> Self {
- Self::MmioGuard(e)
+impl From<hyp::Error> for MemoryTrackerError {
+ fn from(e: hyp::Error) -> Self {
+ Self::Hypervisor(e)
}
}
type Result<T> = result::Result<T, MemoryTrackerError>;
+static SHARED_POOL: OnceBox<LockedHeap<32>> = OnceBox::new();
+
impl MemoryTracker {
const CAPACITY: usize = 5;
const MMIO_CAPACITY: usize = 5;
+ const PVMFW_RANGE: MemoryRange = (BASE_ADDR - SIZE_4MB)..BASE_ADDR;
/// Create a new instance from an active page table, covering the maximum RAM size.
pub fn new(page_table: mmu::PageTable) -> Self {
@@ -197,7 +210,7 @@
/// appropriately.
pub fn map_mmio_range(&mut self, range: MemoryRange) -> Result<()> {
// MMIO space is below the main memory region.
- if range.end > self.total.start {
+ if range.end > self.total.start || overlaps(&Self::PVMFW_RANGE, &range) {
return Err(MemoryTrackerError::OutOfRange);
}
if self.mmio_regions.iter().any(|r| overlaps(r, &range)) {
@@ -213,7 +226,7 @@
})?;
for page_base in page_iterator(&range) {
- mmio_guard::map(page_base)?;
+ get_hypervisor().mmio_guard_map(page_base)?;
}
if self.mmio_regions.try_push(range).is_some() {
@@ -253,12 +266,37 @@
pub fn mmio_unmap_all(&self) -> Result<()> {
for region in &self.mmio_regions {
for page_base in page_iterator(region) {
- mmio_guard::unmap(page_base)?;
+ get_hypervisor().mmio_guard_unmap(page_base)?;
}
}
Ok(())
}
+
+ /// Initialize a separate heap for shared memory allocations.
+ ///
+ /// Some hypervisors such as Gunyah do not support a MemShare API for guest
+ /// to share its memory with host. Instead they allow host to designate part
+ /// of guest memory as "shared" ahead of guest starting its execution. The
+ /// shared memory region is indicated in swiotlb node. On such platforms use
+ /// a separate heap to allocate buffers that can be shared with host.
+ pub fn init_shared_pool(&mut self, range: Range<usize>) -> Result<()> {
+ let size = NonZeroUsize::new(range.len()).unwrap();
+ let range = self.alloc_mut(range.start, size)?;
+ let shared_pool = LockedHeap::<32>::new();
+
+ // SAFETY - `range` should be a valid region of memory as validated by
+ // `validate_swiotlb_info` and not used by any other rust code.
+ unsafe {
+ shared_pool.lock().init(range.start, range.len());
+ }
+
+ SHARED_POOL
+ .set(Box::new(shared_pool))
+ .map_err(|_| MemoryTrackerError::SharedPoolSetFailure)?;
+
+ Ok(())
+ }
}
impl Drop for MemoryTracker {
@@ -278,12 +316,12 @@
/// Gives the KVM host read, write and execute permissions on the given memory range. If the range
/// is not aligned with the memory protection granule then it will be extended on either end to
/// align.
-fn share_range(range: &MemoryRange, granule: usize) -> smccc::Result<()> {
+fn share_range(range: &MemoryRange, granule: usize) -> hyp::Result<()> {
for base in (align_down(range.start, granule)
.expect("Memory protection granule was not a power of two")..range.end)
.step_by(granule)
{
- mem_share(base as u64)?;
+ get_hypervisor().mem_share(base as u64)?;
}
Ok(())
}
@@ -291,24 +329,36 @@
/// Removes permission from the KVM host to access the given memory range which was previously
/// shared. If the range is not aligned with the memory protection granule then it will be extended
/// on either end to align.
-fn unshare_range(range: &MemoryRange, granule: usize) -> smccc::Result<()> {
+fn unshare_range(range: &MemoryRange, granule: usize) -> hyp::Result<()> {
for base in (align_down(range.start, granule)
.expect("Memory protection granule was not a power of two")..range.end)
.step_by(granule)
{
- mem_unshare(base as u64)?;
+ get_hypervisor().mem_unshare(base as u64)?;
}
Ok(())
}
-/// Allocates a memory range of at least the given size from the global allocator, and shares it
-/// with the host. Returns a pointer to the buffer.
+/// Allocates a memory range of at least the given size that is shared with
+/// host. Returns a pointer to the buffer.
///
/// It will be aligned to the memory sharing granule size supported by the hypervisor.
-pub fn alloc_shared(size: usize) -> smccc::Result<NonNull<u8>> {
+pub fn alloc_shared(size: usize) -> hyp::Result<NonNull<u8>> {
let layout = shared_buffer_layout(size)?;
let granule = layout.align();
+ if let Some(shared_pool) = SHARED_POOL.get() {
+ // Safe because `shared_buffer_layout` panics if the size is 0, so the
+ // layout must have a non-zero size.
+ let buffer = unsafe { shared_pool.alloc_zeroed(layout) };
+
+ let Some(buffer) = NonNull::new(buffer) else {
+ handle_alloc_error(layout);
+ };
+
+ return Ok(buffer);
+ }
+
// Safe because `shared_buffer_layout` panics if the size is 0, so the layout must have a
// non-zero size.
let buffer = unsafe { alloc_zeroed(layout) };
@@ -333,10 +383,18 @@
///
/// The memory must have been allocated by `alloc_shared` with the same size, and not yet
/// deallocated.
-pub unsafe fn dealloc_shared(vaddr: NonNull<u8>, size: usize) -> smccc::Result<()> {
+pub unsafe fn dealloc_shared(vaddr: NonNull<u8>, size: usize) -> hyp::Result<()> {
let layout = shared_buffer_layout(size)?;
let granule = layout.align();
+ if let Some(shared_pool) = SHARED_POOL.get() {
+ // Safe because the memory was allocated by `alloc_shared` above using
+ // the same allocator, and the layout is the same as was used then.
+ unsafe { shared_pool.dealloc(vaddr.as_ptr(), layout) };
+
+ return Ok(());
+ }
+
let paddr = virt_to_phys(vaddr);
unshare_range(&(paddr..paddr + layout.size()), granule)?;
// Safe because the memory was allocated by `alloc_shared` above using the same allocator, and
@@ -352,9 +410,9 @@
/// It will be aligned to the memory sharing granule size supported by the hypervisor.
///
/// Panics if `size` is 0.
-fn shared_buffer_layout(size: usize) -> smccc::Result<Layout> {
+fn shared_buffer_layout(size: usize) -> hyp::Result<Layout> {
assert_ne!(size, 0);
- let granule = hyp_meminfo()? as usize;
+ let granule = get_hypervisor().memory_protection_granule()?;
let allocated_size =
align_up(size, granule).expect("Memory protection granule was not a power of two");
Ok(Layout::from_size_align(allocated_size, granule).unwrap())
diff --git a/pvmfw/src/mmu.rs b/pvmfw/src/mmu.rs
index fa94e85..c21b69b 100644
--- a/pvmfw/src/mmu.rs
+++ b/pvmfw/src/mmu.rs
@@ -15,6 +15,7 @@
//! Memory management.
use crate::helpers;
+use crate::helpers::PVMFW_PAGE_SIZE;
use aarch64_paging::idmap::IdMap;
use aarch64_paging::paging::Attributes;
use aarch64_paging::paging::MemoryRegion;
@@ -44,6 +45,13 @@
start..end
}
+/// Region allocated for the stack.
+fn stack_range() -> Range<usize> {
+ const STACK_PAGES: usize = 8;
+
+ layout::stack_range(STACK_PAGES * PVMFW_PAGE_SIZE)
+}
+
impl PageTable {
const ASID: usize = 1;
const ROOT_LEVEL: usize = 1;
@@ -53,7 +61,8 @@
let mut page_table = Self { idmap: IdMap::new(Self::ASID, Self::ROOT_LEVEL) };
page_table.map_code(&layout::text_range())?;
- page_table.map_data(&layout::writable_region())?;
+ page_table.map_data(&layout::scratch_range())?;
+ page_table.map_data(&stack_range())?;
page_table.map_rodata(&layout::rodata_range())?;
page_table.map_data(&appended_payload_range())?;
diff --git a/pvmfw/src/virtio/hal.rs b/pvmfw/src/virtio/hal.rs
index 5f70b33..7598a55 100644
--- a/pvmfw/src/virtio/hal.rs
+++ b/pvmfw/src/virtio/hal.rs
@@ -9,7 +9,21 @@
pub struct HalImpl;
-impl Hal for HalImpl {
+/// Implements the `Hal` trait for `HalImpl`.
+///
+/// # Safety
+///
+/// Callers of this implementatation must follow the safety requirements documented for the unsafe
+/// methods.
+unsafe impl Hal for HalImpl {
+ /// Allocates the given number of contiguous physical pages of DMA memory for VirtIO use.
+ ///
+ /// # Implementation Safety
+ ///
+ /// `dma_alloc` ensures the returned DMA buffer is not aliased with any other allocation or
+ /// reference in the program until it is deallocated by `dma_dealloc` by allocating a unique
+ /// block of memory using `alloc_shared` and returning a non-null pointer to it that is
+ /// aligned to `PAGE_SIZE`.
fn dma_alloc(pages: usize, _direction: BufferDirection) -> (PhysAddr, NonNull<u8>) {
debug!("dma_alloc: pages={}", pages);
let size = pages * PAGE_SIZE;
@@ -19,7 +33,7 @@
(paddr, vaddr)
}
- fn dma_dealloc(paddr: PhysAddr, vaddr: NonNull<u8>, pages: usize) -> i32 {
+ unsafe fn dma_dealloc(paddr: PhysAddr, vaddr: NonNull<u8>, pages: usize) -> i32 {
debug!("dma_dealloc: paddr={:#x}, pages={}", paddr, pages);
let size = pages * PAGE_SIZE;
// Safe because the memory was allocated by `dma_alloc` above using the same allocator, and
@@ -30,7 +44,13 @@
0
}
- fn mmio_phys_to_virt(paddr: PhysAddr, size: usize) -> NonNull<u8> {
+ /// Converts a physical address used for MMIO to a virtual address which the driver can access.
+ ///
+ /// # Implementation Safety
+ ///
+ /// `mmio_phys_to_virt` satisfies the requirement by checking that the mapped memory region
+ /// is within the PCI MMIO range.
+ unsafe fn mmio_phys_to_virt(paddr: PhysAddr, size: usize) -> NonNull<u8> {
let pci_info = PCI_INFO.get().expect("VirtIO HAL used before PCI_INFO was initialised");
// Check that the region is within the PCI MMIO range that we read from the device tree. If
// not, the host is probably trying to do something malicious.
@@ -48,7 +68,7 @@
phys_to_virt(paddr)
}
- fn share(buffer: NonNull<[u8]>, direction: BufferDirection) -> PhysAddr {
+ unsafe fn share(buffer: NonNull<[u8]>, direction: BufferDirection) -> PhysAddr {
let size = buffer.len();
// TODO: Copy to a pre-shared region rather than allocating and sharing each time.
@@ -63,7 +83,7 @@
virt_to_phys(copy)
}
- fn unshare(paddr: PhysAddr, buffer: NonNull<[u8]>, direction: BufferDirection) {
+ unsafe fn unshare(paddr: PhysAddr, buffer: NonNull<[u8]>, direction: BufferDirection) {
let vaddr = phys_to_virt(paddr);
let size = buffer.len();
if direction == BufferDirection::DeviceToDriver {
diff --git a/rialto/Android.bp b/rialto/Android.bp
index 5034bf4..cf81563 100644
--- a/rialto/Android.bp
+++ b/rialto/Android.bp
@@ -13,7 +13,6 @@
"libbuddy_system_allocator",
"libhyp",
"liblog_rust_nostd",
- "libsmccc",
"libvmbase",
],
apex_available: ["com.android.virt"],
diff --git a/rialto/src/error.rs b/rialto/src/error.rs
index 8f34676..754e554 100644
--- a/rialto/src/error.rs
+++ b/rialto/src/error.rs
@@ -16,14 +16,14 @@
use aarch64_paging::MapError;
use core::{fmt, result};
-use hyp::mmio_guard::Error as MmioError;
+use hyp::Error as HypervisorError;
pub type Result<T> = result::Result<T, Error>;
#[derive(Clone, Debug)]
pub enum Error {
- /// MMIO guard failed.
- MmioGuard(MmioError),
+ /// Hypervisor error.
+ Hypervisor(HypervisorError),
/// Failed when attempting to map some range in the page table.
PageTableMapping(MapError),
/// Failed to initialize the logger.
@@ -33,7 +33,7 @@
impl fmt::Display for Error {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
match self {
- Self::MmioGuard(e) => write!(f, "MMIO guard failed: {e}."),
+ Self::Hypervisor(e) => write!(f, "MMIO guard failed: {e}."),
Self::PageTableMapping(e) => {
write!(f, "Failed when attempting to map some range in the page table: {e}.")
}
@@ -42,9 +42,9 @@
}
}
-impl From<MmioError> for Error {
- fn from(e: MmioError) -> Self {
- Self::MmioGuard(e)
+impl From<HypervisorError> for Error {
+ fn from(e: HypervisorError) -> Self {
+ Self::Hypervisor(e)
}
}
diff --git a/rialto/src/main.rs b/rialto/src/main.rs
index 76f5495..03fa107 100644
--- a/rialto/src/main.rs
+++ b/rialto/src/main.rs
@@ -28,11 +28,13 @@
paging::{Attributes, MemoryRegion},
};
use buddy_system_allocator::LockedHeap;
-use hyp::mmio_guard;
+use core::ops::Range;
+use hyp::get_hypervisor;
use log::{debug, error, info};
-use vmbase::{main, power::reboot};
+use vmbase::{layout, main, power::reboot};
const SZ_1K: usize = 1024;
+const SZ_4K: usize = 4 * SZ_1K;
const SZ_64K: usize = 64 * SZ_1K;
const SZ_1M: usize = 1024 * SZ_1K;
const SZ_1G: usize = 1024 * SZ_1M;
@@ -63,16 +65,8 @@
static mut HEAP: [u8; SZ_64K] = [0; SZ_64K];
-unsafe fn kimg_ptr(sym: &u8) -> *const u8 {
- sym as *const u8
-}
-
-unsafe fn kimg_addr(sym: &u8) -> usize {
- kimg_ptr(sym) as usize
-}
-
-unsafe fn kimg_region(begin: &u8, end: &u8) -> MemoryRegion {
- MemoryRegion::new(kimg_addr(begin), kimg_addr(end))
+fn into_memreg(r: &Range<usize>) -> MemoryRegion {
+ MemoryRegion::new(r.start, r.end)
}
fn init_heap() {
@@ -80,28 +74,28 @@
unsafe {
HEAP_ALLOCATOR.lock().init(&mut HEAP as *mut u8 as usize, HEAP.len());
}
- info!("Initialized heap.");
}
fn init_kernel_pgt(pgt: &mut IdMap) -> Result<()> {
// The first 1 GiB of address space is used by crosvm for MMIO.
let reg_dev = MemoryRegion::new(0, SZ_1G);
- // SAFETY: Taking addresses of kernel image sections to set up page table
- // mappings. Not taking ownerhip of the memory.
- let reg_text = unsafe { kimg_region(&text_begin, &text_end) };
- let reg_rodata = unsafe { kimg_region(&rodata_begin, &rodata_end) };
- let reg_data = unsafe { kimg_region(&data_begin, &boot_stack_end) };
+ let reg_text = into_memreg(&layout::text_range());
+ let reg_rodata = into_memreg(&layout::rodata_range());
+ let reg_scratch = into_memreg(&layout::scratch_range());
+ let reg_stack = into_memreg(&layout::stack_range(40 * SZ_4K));
debug!("Preparing kernel page table.");
debug!(" dev: {}-{}", reg_dev.start(), reg_dev.end());
debug!(" text: {}-{}", reg_text.start(), reg_text.end());
debug!(" rodata: {}-{}", reg_rodata.start(), reg_rodata.end());
- debug!(" data: {}-{}", reg_data.start(), reg_data.end());
+ debug!(" scratch:{}-{}", reg_scratch.start(), reg_scratch.end());
+ debug!(" stack: {}-{}", reg_stack.start(), reg_stack.end());
pgt.map_range(®_dev, PROT_DEV)?;
pgt.map_range(®_text, PROT_RX)?;
pgt.map_range(®_rodata, PROT_RO)?;
- pgt.map_range(®_data, PROT_RW)?;
+ pgt.map_range(®_scratch, PROT_RW)?;
+ pgt.map_range(®_stack, PROT_RW)?;
pgt.activate();
info!("Activated kernel page table.");
@@ -109,11 +103,11 @@
}
fn try_init_logger() -> Result<()> {
- match mmio_guard::init() {
+ match get_hypervisor().mmio_guard_init() {
// pKVM blocks MMIO by default, we need to enable MMIO guard to support logging.
- Ok(()) => mmio_guard::map(vmbase::console::BASE_ADDRESS)?,
+ Ok(()) => get_hypervisor().mmio_guard_map(vmbase::console::BASE_ADDRESS)?,
// MMIO guard enroll is not supported in unprotected VM.
- Err(mmio_guard::Error::EnrollFailed(smccc::Error::NotSupported)) => {}
+ Err(hyp::Error::MmioGuardNotsupported) => {}
Err(e) => return Err(e.into()),
};
vmbase::logger::init(log::LevelFilter::Debug).map_err(|_| Error::LoggerInit)
@@ -121,7 +115,6 @@
fn try_main() -> Result<()> {
info!("Welcome to Rialto!");
- init_heap();
let mut pgt = IdMap::new(PT_ASID, PT_ROOT_LEVEL);
init_kernel_pgt(&mut pgt)?;
@@ -130,6 +123,7 @@
/// Entry point for Rialto.
pub fn main(_a0: u64, _a1: u64, _a2: u64, _a3: u64) {
+ init_heap();
if try_init_logger().is_err() {
// Don't log anything if the logger initialization fails.
reboot();
@@ -143,13 +137,4 @@
}
}
-extern "C" {
- static text_begin: u8;
- static text_end: u8;
- static rodata_begin: u8;
- static rodata_end: u8;
- static data_begin: u8;
- static boot_stack_end: u8;
-}
-
main!(main);
diff --git a/service_vm/client_apk/Android.bp b/service_vm/client_apk/Android.bp
new file mode 100644
index 0000000..e5084d4
--- /dev/null
+++ b/service_vm/client_apk/Android.bp
@@ -0,0 +1,37 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_app {
+ name: "ServiceVmClientApp",
+ installable: true,
+ jni_libs: ["libservice_vm_client"],
+ jni_uses_platform_apis: true,
+ use_embedded_native_libs: true,
+ sdk_version: "system_current",
+ compile_multilib: "first",
+ apex_available: ["com.android.virt"],
+}
+
+rust_defaults {
+ name: "service_vm_client_defaults",
+ crate_name: "service_vm_client",
+ srcs: ["src/main.rs"],
+ prefer_rlib: true,
+ rustlibs: [
+ "libandroid_logger",
+ "libanyhow",
+ "liblog_rust",
+ "libvm_payload_bindgen",
+ ],
+}
+
+rust_ffi {
+ name: "libservice_vm_client",
+ defaults: ["service_vm_client_defaults"],
+ // TODO(b/250854486): Remove the sanitize section once the bug is fixed.
+ sanitize: {
+ address: false,
+ hwaddress: false,
+ },
+}
diff --git a/service_vm/client_apk/AndroidManifest.xml b/service_vm/client_apk/AndroidManifest.xml
new file mode 100644
index 0000000..b3598fc
--- /dev/null
+++ b/service_vm/client_apk/AndroidManifest.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2023 The Android Open Source Project
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.virt.service_vm.client">
+ <uses-permission android:name="android.permission.MANAGE_VIRTUAL_MACHINE" />
+ <uses-permission android:name="android.permission.USE_CUSTOM_VIRTUAL_MACHINE" />
+
+ <application android:hasCode="false"/>
+</manifest>
diff --git a/service_vm/client_apk/assets/config.json b/service_vm/client_apk/assets/config.json
new file mode 100644
index 0000000..02749fe
--- /dev/null
+++ b/service_vm/client_apk/assets/config.json
@@ -0,0 +1,10 @@
+{
+ "os": {
+ "name": "microdroid"
+ },
+ "task": {
+ "type": "microdroid_launcher",
+ "command": "libservice_vm_client.so"
+ },
+ "export_tombstones": true
+ }
\ No newline at end of file
diff --git a/service_vm/client_apk/src/main.rs b/service_vm/client_apk/src/main.rs
new file mode 100644
index 0000000..1f8db96
--- /dev/null
+++ b/service_vm/client_apk/src/main.rs
@@ -0,0 +1,71 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Main executable of Service VM client.
+
+use anyhow::Result;
+use log::{error, info};
+use std::{ffi::c_void, panic};
+use vm_payload_bindgen::AVmPayload_requestCertificate;
+
+/// Entry point of the Service VM client.
+#[allow(non_snake_case)]
+#[no_mangle]
+pub extern "C" fn AVmPayload_main() {
+ android_logger::init_once(
+ android_logger::Config::default()
+ .with_tag("service_vm_client")
+ .with_min_level(log::Level::Debug),
+ );
+ // Redirect panic messages to logcat.
+ panic::set_hook(Box::new(|panic_info| {
+ error!("{}", panic_info);
+ }));
+ if let Err(e) = try_main() {
+ error!("failed with {:?}", e);
+ std::process::exit(1);
+ }
+}
+
+fn try_main() -> Result<()> {
+ info!("Welcome to Service VM Client!");
+ let csr = b"Hello from Service VM";
+ let certificate = request_certificate(csr);
+ info!("Certificate: {:?}", certificate);
+ Ok(())
+}
+
+fn request_certificate(csr: &[u8]) -> Vec<u8> {
+ // SAFETY: It is safe as we only request the size of the certificate in this call.
+ let certificate_size = unsafe {
+ AVmPayload_requestCertificate(
+ csr.as_ptr() as *const c_void,
+ csr.len(),
+ [].as_mut_ptr() as *mut c_void,
+ 0,
+ )
+ };
+ let mut certificate = vec![0u8; certificate_size];
+ // SAFETY: It is safe as we only write the data into the given buffer within the buffer
+ // size in this call.
+ unsafe {
+ AVmPayload_requestCertificate(
+ csr.as_ptr() as *const c_void,
+ csr.len(),
+ certificate.as_mut_ptr() as *mut c_void,
+ certificate.len(),
+ );
+ };
+ certificate
+}
diff --git a/tests/helper/src/java/com/android/microdroid/test/common/MetricsProcessor.java b/tests/helper/src/java/com/android/microdroid/test/common/MetricsProcessor.java
index 42eb6a1..dd68d6a 100644
--- a/tests/helper/src/java/com/android/microdroid/test/common/MetricsProcessor.java
+++ b/tests/helper/src/java/com/android/microdroid/test/common/MetricsProcessor.java
@@ -50,8 +50,8 @@
Collections.sort(values);
double sum = 0;
- double min = Double.MAX_VALUE;
- double max = Double.MIN_VALUE;
+ double min = Double.POSITIVE_INFINITY;
+ double max = Double.NEGATIVE_INFINITY;
for (Double d : values) {
sum += d;
if (min > d) min = d;
@@ -63,7 +63,7 @@
sqSum += (d - avg) * (d - avg);
}
double stdDev = Math.sqrt(sqSum / (values.size() - 1));
- double median = Double.MIN_VALUE;
+ double median = Double.NaN;
if (values.size() > 0) {
int rank = values.size() / 2;
if (values.size() % 2 == 0) {
diff --git a/tests/hostside/AndroidTest.xml b/tests/hostside/AndroidTest.xml
index 429d910..18728ad 100644
--- a/tests/hostside/AndroidTest.xml
+++ b/tests/hostside/AndroidTest.xml
@@ -25,8 +25,6 @@
<option name="force-root" value="false"/>
</target_preparer>
- <target_preparer class="com.android.microdroid.test.preparer.DisableMicrodroidDebugPolicyPreparer" />
-
<test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" >
<option name="jar" value="MicrodroidHostTestCases.jar" />
</test>
diff --git a/tests/hostside/java/com/android/microdroid/test/PvmfwDebugPolicyHostTests.java b/tests/hostside/java/com/android/microdroid/test/DebugPolicyHostTests.java
similarity index 81%
rename from tests/hostside/java/com/android/microdroid/test/PvmfwDebugPolicyHostTests.java
rename to tests/hostside/java/com/android/microdroid/test/DebugPolicyHostTests.java
index 0f6d095..014f9f0 100644
--- a/tests/hostside/java/com/android/microdroid/test/PvmfwDebugPolicyHostTests.java
+++ b/tests/hostside/java/com/android/microdroid/test/DebugPolicyHostTests.java
@@ -48,11 +48,10 @@
import java.io.File;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
-import java.io.FileNotFoundException;
-/** Tests debug policy of pvmfw.bin with custom debug policy */
+/** Tests debug policy */
@RunWith(DeviceJUnit4ClassRunner.class)
-public class PvmfwDebugPolicyHostTests extends MicrodroidHostTestCaseBase {
+public class DebugPolicyHostTests extends MicrodroidHostTestCaseBase {
@NonNull private static final String PVMFW_FILE_NAME = "pvmfw_test.bin";
@NonNull private static final String BCC_FILE_NAME = "bcc.dat";
@NonNull private static final String PACKAGE_FILE_NAME = "MicrodroidTestApp.apk";
@@ -70,6 +69,16 @@
@NonNull private static final String CUSTOM_PVMFW_IMG_PATH = TEST_ROOT + PVMFW_FILE_NAME;
@NonNull private static final String CUSTOM_PVMFW_IMG_PATH_PROP = "hypervisor.pvmfw.path";
+ @NonNull private static final String CUSTOM_DEBUG_POLICY_FILE_NAME = "debug_policy.dtb";
+
+ @NonNull
+ private static final String CUSTOM_DEBUG_POLICY_PATH =
+ TEST_ROOT + CUSTOM_DEBUG_POLICY_FILE_NAME;
+
+ @NonNull
+ private static final String CUSTOM_DEBUG_POLICY_PATH_PROP =
+ "hypervisor.virtualizationmanager.debug_policy.path";
+
@NonNull
private static final String AVF_DEBUG_POLICY_ADB_DT_PROP_PATH = "/avf/guest/microdroid/adb";
@@ -93,6 +102,7 @@
@Nullable private TestDevice mAndroidDevice;
@Nullable private ITestDevice mMicrodroidDevice;
@Nullable private File mCustomPvmfwBinFileOnHost;
+ @Nullable private File mCustomDebugPolicyFileOnHost;
@Before
public void setUp() throws Exception {
@@ -114,12 +124,14 @@
mBccFileOnHost =
getTestInformation().getDependencyFile(BCC_FILE_NAME, /* targetFirst= */ false);
- // Prepare for loading pvmfw.bin
- // File will be setup in individual test,
- // and then pushed to device in launchProtectedVmAndWaitForBootCompleted.
+ // Prepare for system properties for custom debug policy.
+ // File will be prepared later in individual test by setupCustomDebugPolicy()
+ // and then pushed to device when launching with launchProtectedVmAndWaitForBootCompleted()
+ // or tryLaunchProtectedNonDebuggableVm().
mCustomPvmfwBinFileOnHost =
FileUtil.createTempFile(CUSTOM_PVMFW_FILE_PREFIX, CUSTOM_PVMFW_FILE_SUFFIX);
mAndroidDevice.setProperty(CUSTOM_PVMFW_IMG_PATH_PROP, CUSTOM_PVMFW_IMG_PATH);
+ mAndroidDevice.setProperty(CUSTOM_DEBUG_POLICY_PATH_PROP, CUSTOM_DEBUG_POLICY_PATH);
// Prepare for launching microdroid
mAndroidDevice.installPackage(findTestFile(PACKAGE_FILE_NAME), /* reinstall */ false);
@@ -138,7 +150,8 @@
}
mAndroidDevice.uninstallPackage(PACKAGE_NAME);
- // Cleanup for custom pvmfw.bin
+ // Cleanup for custom debug policies
+ mAndroidDevice.setProperty(CUSTOM_DEBUG_POLICY_PATH_PROP, "");
mAndroidDevice.setProperty(CUSTOM_PVMFW_IMG_PATH_PROP, "");
FileUtil.deleteFile(mCustomPvmfwBinFileOnHost);
@@ -148,21 +161,15 @@
}
@Test
- public void testAdb_boots() throws Exception {
- assumeTrue(
- "Skip if host wouldn't install adbd",
- isDebugPolicyEnabled(AVF_DEBUG_POLICY_ADB_DT_PROP_PATH));
-
- Pvmfw pvmfw = createPvmfw("avf_debug_policy_with_adb.dtbo");
- pvmfw.serialize(mCustomPvmfwBinFileOnHost);
+ public void testAdbInDebugPolicy_withDebugLevelNone_bootWithAdbConnection() throws Exception {
+ prepareCustomDebugPolicy("avf_debug_policy_with_adb.dtbo");
launchProtectedVmAndWaitForBootCompleted(MICRODROID_DEBUG_NONE);
}
@Test
- public void testNoAdb_boots() throws Exception {
- Pvmfw pvmfw = createPvmfw("avf_debug_policy_without_adb.dtbo");
- pvmfw.serialize(mCustomPvmfwBinFileOnHost);
+ public void testNoAdbInDebugPolicy_withDebugLevelNone_boots() throws Exception {
+ prepareCustomDebugPolicy("avf_debug_policy_without_adb.dtbo");
// VM would boot, but cannot verify directly because of no adbd in the VM.
CommandResult result = tryLaunchProtectedNonDebuggableVm();
@@ -173,9 +180,8 @@
}
@Test
- public void testNoAdb_noConnection() throws Exception {
- Pvmfw pvmfw = createPvmfw("avf_debug_policy_without_adb.dtbo");
- pvmfw.serialize(mCustomPvmfwBinFileOnHost);
+ public void testNoAdbInDebugPolicy_withDebugLevelNone_noConnection() throws Exception {
+ prepareCustomDebugPolicy("avf_debug_policy_without_adb.dtbo");
assertThrows(
"Microdroid shouldn't be recognized because of missing adb connection",
@@ -185,6 +191,13 @@
MICRODROID_DEBUG_NONE, BOOT_FAILURE_WAIT_TIME_MS));
}
+ @Test
+ public void testNoAdbInDebugPolicy_withDebugLevelFull_bootWithAdbConnection() throws Exception {
+ prepareCustomDebugPolicy("avf_debug_policy_without_adb.dtbo");
+
+ launchProtectedVmAndWaitForBootCompleted(MICRODROID_DEBUG_FULL);
+ }
+
private boolean isDebugPolicyEnabled(@NonNull String dtPropertyPath)
throws DeviceNotAvailableException {
CommandRunner runner = new CommandRunner(mAndroidDevice);
@@ -208,14 +221,16 @@
return new CommandRunner(mMicrodroidDevice).run("xxd", "-p", path);
}
- @NonNull
- private Pvmfw createPvmfw(@NonNull String debugPolicyFileName) throws FileNotFoundException {
- File file =
+ private void prepareCustomDebugPolicy(@NonNull String debugPolicyFileName) throws Exception {
+ mCustomDebugPolicyFileOnHost =
getTestInformation()
.getDependencyFile(debugPolicyFileName, /* targetFirst= */ false);
- return new Pvmfw.Builder(mPvmfwBinFileOnHost, mBccFileOnHost)
- .setDebugPolicyOverlay(file)
- .build();
+
+ Pvmfw pvmfw =
+ new Pvmfw.Builder(mPvmfwBinFileOnHost, mBccFileOnHost)
+ .setDebugPolicyOverlay(mCustomDebugPolicyFileOnHost)
+ .build();
+ pvmfw.serialize(mCustomPvmfwBinFileOnHost);
}
private boolean hasConsoleOutput(@NonNull CommandResult result)
@@ -242,6 +257,7 @@
.debugLevel(debugLevel)
.protectedVm(/* protectedVm= */ true)
.addBootFile(mCustomPvmfwBinFileOnHost, PVMFW_FILE_NAME)
+ .addBootFile(mCustomDebugPolicyFileOnHost, CUSTOM_DEBUG_POLICY_FILE_NAME)
.setAdbConnectTimeoutMs(adbTimeoutMs)
.build(mAndroidDevice);
assertThat(mMicrodroidDevice.waitForBootComplete(BOOT_COMPLETE_TIMEOUT_MS)).isTrue();
@@ -256,7 +272,8 @@
// but non-debuggable VM may not enable adb.
CommandRunner runner = new CommandRunner(mAndroidDevice);
runner.run("mkdir", "-p", TEST_ROOT);
- mAndroidDevice.pushFile(mCustomPvmfwBinFileOnHost, TEST_ROOT + PVMFW_FILE_NAME);
+ mAndroidDevice.pushFile(mCustomPvmfwBinFileOnHost, CUSTOM_PVMFW_IMG_PATH);
+ mAndroidDevice.pushFile(mCustomDebugPolicyFileOnHost, CUSTOM_DEBUG_POLICY_PATH);
// This will fail because app wouldn't finish itself.
// But let's run the app once and get logs.
diff --git a/virtualizationmanager/Android.bp b/virtualizationmanager/Android.bp
index c913d02..59e507f 100644
--- a/virtualizationmanager/Android.bp
+++ b/virtualizationmanager/Android.bp
@@ -56,6 +56,7 @@
"libvmconfig",
"libzip",
"libvsock",
+ "liblibfdt",
// TODO(b/202115393) stabilize the interface
"packagemanager_aidl-rust",
],
@@ -78,5 +79,9 @@
rustlibs: [
"libtempfile",
],
+ data: [
+ ":test_avf_debug_policy_with_adb",
+ ":test_avf_debug_policy_without_adb",
+ ],
test_suites: ["general-tests"],
}
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index 468ee19..f57cb59 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -1184,6 +1184,31 @@
))
}
}
+
+ fn requestCertificate(&self, csr: &[u8]) -> binder::Result<Vec<u8>> {
+ let cid = self.cid;
+ let Some(vm) = self.state.lock().unwrap().get_vm(cid) else {
+ error!("requestCertificate is called from an unknown CID {cid}");
+ return Err(Status::new_service_specific_error_str(
+ -1,
+ Some(format!("cannot find a VM with CID {}", cid)),
+ ))
+ };
+ let instance_img_path = vm.temporary_directory.join("rkpvm_instance.img");
+ let instance_img = OpenOptions::new()
+ .create(true)
+ .read(true)
+ .write(true)
+ .open(instance_img_path)
+ .map_err(|e| {
+ error!("Failed to create rkpvm_instance.img file: {:?}", e);
+ Status::new_service_specific_error_str(
+ -1,
+ Some(format!("Failed to create rkpvm_instance.img file: {:?}", e)),
+ )
+ })?;
+ GLOBAL_SERVICE.requestCertificate(csr, &ParcelFileDescriptor::new(instance_img))
+ }
}
impl VirtualMachineService {
diff --git a/virtualizationmanager/src/crosvm.rs b/virtualizationmanager/src/crosvm.rs
index 60dd4cf..856ff1e 100644
--- a/virtualizationmanager/src/crosvm.rs
+++ b/virtualizationmanager/src/crosvm.rs
@@ -639,10 +639,6 @@
"PVM_FIRMWARE_INSTANCE_IMAGE_CHANGED" => {
return DeathReason::PVM_FIRMWARE_INSTANCE_IMAGE_CHANGED
}
- "BOOTLOADER_PUBLIC_KEY_MISMATCH" => return DeathReason::BOOTLOADER_PUBLIC_KEY_MISMATCH,
- "BOOTLOADER_INSTANCE_IMAGE_CHANGED" => {
- return DeathReason::BOOTLOADER_INSTANCE_IMAGE_CHANGED
- }
"MICRODROID_FAILED_TO_CONNECT_TO_VIRTUALIZATION_SERVICE" => {
return DeathReason::MICRODROID_FAILED_TO_CONNECT_TO_VIRTUALIZATION_SERVICE
}
diff --git a/virtualizationmanager/src/debug_config.rs b/virtualizationmanager/src/debug_config.rs
index e8863c7..7172e7d 100644
--- a/virtualizationmanager/src/debug_config.rs
+++ b/virtualizationmanager/src/debug_config.rs
@@ -17,16 +17,134 @@
use android_system_virtualizationservice::aidl::android::system::virtualizationservice::{
VirtualMachineAppConfig::DebugLevel::DebugLevel,
};
-use std::fs::File;
-use std::io::Read;
-use log::info;
+use anyhow::{anyhow, Context, Error, Result};
+use std::fs;
+use std::io::ErrorKind;
+use std::path::{Path, PathBuf};
+use std::ffi::{CString, NulError};
+use log::{warn, info};
use rustutils::system_properties;
+use libfdt::{Fdt, FdtError};
+use lazy_static::lazy_static;
-const DEBUG_POLICY_LOG_PATH: &str = "/proc/device-tree/avf/guest/common/log";
-const DEBUG_POLICY_RAMDUMP_PATH: &str = "/proc/device-tree/avf/guest/common/ramdump";
-const DEBUG_POLICY_ADB_PATH: &str = "/proc/device-tree/avf/guest/microdroid/adb";
+const CUSTOM_DEBUG_POLICY_OVERLAY_SYSPROP: &str =
+ "hypervisor.virtualizationmanager.debug_policy.path";
+const DEVICE_TREE_EMPTY_TREE_SIZE_BYTES: usize = 100; // rough estimation.
-const SYSPROP_CUSTOM_DEBUG_POLICY_PATH: &str = "hypervisor.virtualizationmanager.debug_policy.path";
+struct DPPath {
+ node_path: CString,
+ prop_name: CString,
+}
+
+impl DPPath {
+ fn new(node_path: &str, prop_name: &str) -> Result<Self, NulError> {
+ Ok(Self { node_path: CString::new(node_path)?, prop_name: CString::new(prop_name)? })
+ }
+
+ fn to_path(&self) -> PathBuf {
+ // SAFETY -- unwrap() is safe for to_str() because node_path and prop_name were &str.
+ PathBuf::from(
+ [
+ "/sys/firmware/devicetree/base",
+ self.node_path.to_str().unwrap(),
+ "/",
+ self.prop_name.to_str().unwrap(),
+ ]
+ .concat(),
+ )
+ }
+}
+
+lazy_static! {
+ static ref DP_LOG_PATH: DPPath = DPPath::new("/avf/guest/common", "log").unwrap();
+ static ref DP_RAMDUMP_PATH: DPPath = DPPath::new("/avf/guest/common", "ramdump").unwrap();
+ static ref DP_ADB_PATH: DPPath = DPPath::new("/avf/guest/microdroid", "adb").unwrap();
+}
+
+/// Get debug policy value in bool. It's true iff the value is explicitly set to <1>.
+fn get_debug_policy_bool(path: &Path) -> Result<bool> {
+ let value = match fs::read(path) {
+ Ok(value) => value,
+ Err(error) if error.kind() == ErrorKind::NotFound => return Ok(false),
+ Err(error) => Err(error).with_context(|| format!("Failed to read {path:?}"))?,
+ };
+
+ // DT spec uses big endian although Android is always little endian.
+ match u32::from_be_bytes(value.try_into().map_err(|_| anyhow!("Malformed value in {path:?}"))?)
+ {
+ 0 => Ok(false),
+ 1 => Ok(true),
+ value => Err(anyhow!("Invalid value {value} in {path:?}")),
+ }
+}
+
+/// Get property value in bool. It's true iff the value is explicitly set to <1>.
+/// It takes path as &str instead of &Path, because we don't want OsStr.
+fn get_fdt_prop_bool(fdt: &Fdt, path: &DPPath) -> Result<bool> {
+ let (node_path, prop_name) = (&path.node_path, &path.prop_name);
+ let node = match fdt.node(node_path) {
+ Ok(Some(node)) => node,
+ Err(error) if error != FdtError::NotFound => Err(error)
+ .map_err(Error::msg)
+ .with_context(|| format!("Failed to get node {node_path:?}"))?,
+ _ => return Ok(false),
+ };
+
+ match node.getprop_u32(prop_name) {
+ Ok(Some(0)) => Ok(false),
+ Ok(Some(1)) => Ok(true),
+ Ok(Some(_)) => Err(anyhow!("Invalid prop value {prop_name:?} in node {node_path:?}")),
+ Err(error) if error != FdtError::NotFound => Err(error)
+ .map_err(Error::msg)
+ .with_context(|| format!("Failed to get prop {prop_name:?}")),
+ _ => Ok(false),
+ }
+}
+
+/// Fdt with owned vector.
+struct OwnedFdt {
+ buffer: Vec<u8>,
+}
+
+impl OwnedFdt {
+ fn from_overlay_onto_new_fdt(overlay_file_path: &Path) -> Result<Self> {
+ let mut overlay_buf = match fs::read(overlay_file_path) {
+ Ok(fdt) => fdt,
+ Err(error) if error.kind() == ErrorKind::NotFound => Default::default(),
+ Err(error) => {
+ Err(error).with_context(|| format!("Failed to read {overlay_file_path:?}"))?
+ }
+ };
+
+ let overlay_buf_size = overlay_buf.len();
+
+ let fdt_estimated_size = overlay_buf_size + DEVICE_TREE_EMPTY_TREE_SIZE_BYTES;
+ let mut fdt_buf = vec![0_u8; fdt_estimated_size];
+ let fdt = Fdt::create_empty_tree(fdt_buf.as_mut_slice())
+ .map_err(Error::msg)
+ .context("Failed to create an empty device tree")?;
+
+ if !overlay_buf.is_empty() {
+ let overlay_fdt = Fdt::from_mut_slice(overlay_buf.as_mut_slice())
+ .map_err(Error::msg)
+ .with_context(|| "Malformed {overlay_file_path:?}")?;
+
+ // SAFETY - Return immediately if error happens. Damaged fdt_buf and fdt are discarded.
+ unsafe {
+ fdt.apply_overlay(overlay_fdt).map_err(Error::msg).with_context(|| {
+ "Failed to overlay {overlay_file_path:?} onto empty device tree"
+ })?;
+ }
+ }
+
+ Ok(Self { buffer: fdt_buf })
+ }
+
+ fn as_fdt(&self) -> &Fdt {
+ // SAFETY - Checked validity of buffer when instantiate.
+ unsafe { Fdt::unchecked_from_slice(&self.buffer) }
+ }
+}
/// Debug configurations for both debug level and debug policy
#[derive(Debug)]
@@ -37,43 +155,36 @@
debug_policy_adb: bool,
}
-/// Get debug policy value in bool. It's true iff the value is explicitly set to <1>.
-fn get_debug_policy_bool(path: &'static str) -> Option<bool> {
- let mut file = File::open(path).ok()?;
- let mut log: [u8; 4] = Default::default();
- file.read_exact(&mut log).ok()?;
- // DT spec uses big endian although Android is always little endian.
- Some(u32::from_be_bytes(log) == 1)
-}
-
impl DebugConfig {
pub fn new(debug_level: DebugLevel) -> Self {
- match system_properties::read(SYSPROP_CUSTOM_DEBUG_POLICY_PATH).unwrap_or_default() {
- Some(debug_policy_path) if !debug_policy_path.is_empty() => {
- // TODO: Read debug policy file and override log, adb, ramdump for testing.
- info!("Debug policy is disabled by sysprop");
- Self {
- debug_level,
- debug_policy_log: false,
- debug_policy_ramdump: false,
- debug_policy_adb: false,
- }
+ match system_properties::read(CUSTOM_DEBUG_POLICY_OVERLAY_SYSPROP).unwrap_or_default() {
+ Some(path) if !path.is_empty() => {
+ match Self::from_custom_debug_overlay_policy(debug_level, Path::new(&path)) {
+ Ok(debug_config) => {
+ info!("Loaded custom debug policy overlay {path}: {debug_config:?}");
+ return debug_config;
+ }
+ Err(err) => warn!("Failed to load custom debug policy overlay {path}: {err:?}"),
+ };
}
_ => {
- let debug_config = Self {
- debug_level,
- debug_policy_log: get_debug_policy_bool(DEBUG_POLICY_LOG_PATH)
- .unwrap_or_default(),
- debug_policy_ramdump: get_debug_policy_bool(DEBUG_POLICY_RAMDUMP_PATH)
- .unwrap_or_default(),
- debug_policy_adb: get_debug_policy_bool(DEBUG_POLICY_ADB_PATH)
- .unwrap_or_default(),
+ match Self::from_host(debug_level) {
+ Ok(debug_config) => {
+ info!("Loaded debug policy from host OS: {debug_config:?}");
+ return debug_config;
+ }
+ Err(err) => warn!("Failed to load debug policy from host OS: {err:?}"),
};
- info!("Loaded debug policy from host OS: {:?}", debug_config);
-
- debug_config
}
}
+
+ info!("Debug policy is disabled");
+ Self {
+ debug_level,
+ debug_policy_log: false,
+ debug_policy_ramdump: false,
+ debug_policy_adb: false,
+ }
}
/// Get whether console output should be configred for VM to leave console and adb log.
@@ -91,4 +202,123 @@
pub fn is_ramdump_needed(&self) -> bool {
self.debug_level != DebugLevel::NONE || self.debug_policy_ramdump
}
+
+ // TODO: Remove this code path in user build for removing libfdt depenency.
+ fn from_custom_debug_overlay_policy(debug_level: DebugLevel, path: &Path) -> Result<Self> {
+ match OwnedFdt::from_overlay_onto_new_fdt(path) {
+ Ok(fdt) => Ok(Self {
+ debug_level,
+ debug_policy_log: get_fdt_prop_bool(fdt.as_fdt(), &DP_LOG_PATH)?,
+ debug_policy_ramdump: get_fdt_prop_bool(fdt.as_fdt(), &DP_RAMDUMP_PATH)?,
+ debug_policy_adb: get_fdt_prop_bool(fdt.as_fdt(), &DP_ADB_PATH)?,
+ }),
+ Err(err) => Err(err),
+ }
+ }
+
+ fn from_host(debug_level: DebugLevel) -> Result<Self> {
+ Ok(Self {
+ debug_level,
+ debug_policy_log: get_debug_policy_bool(&DP_LOG_PATH.to_path())?,
+ debug_policy_ramdump: get_debug_policy_bool(&DP_RAMDUMP_PATH.to_path())?,
+ debug_policy_adb: get_debug_policy_bool(&DP_ADB_PATH.to_path())?,
+ })
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+ use anyhow::ensure;
+
+ fn can_set_sysprop() -> bool {
+ if let Ok(Some(value)) = system_properties::read("ro.build.type") {
+ return "user".eq(&value);
+ }
+ false // if we're in doubt, skip test.
+ }
+
+ #[test]
+ fn test_read_avf_debug_policy_with_adb() -> Result<()> {
+ let debug_config = DebugConfig::from_custom_debug_overlay_policy(
+ DebugLevel::FULL,
+ "avf_debug_policy_with_adb.dtbo".as_ref(),
+ )
+ .unwrap();
+
+ assert_eq!(DebugLevel::FULL, debug_config.debug_level);
+ assert!(!debug_config.debug_policy_log);
+ assert!(!debug_config.debug_policy_ramdump);
+ assert!(debug_config.debug_policy_adb);
+
+ Ok(())
+ }
+
+ #[test]
+ fn test_read_avf_debug_policy_without_adb() -> Result<()> {
+ let debug_config = DebugConfig::from_custom_debug_overlay_policy(
+ DebugLevel::FULL,
+ "avf_debug_policy_without_adb.dtbo".as_ref(),
+ )
+ .unwrap();
+
+ assert_eq!(DebugLevel::FULL, debug_config.debug_level);
+ assert!(!debug_config.debug_policy_log);
+ assert!(!debug_config.debug_policy_ramdump);
+ assert!(!debug_config.debug_policy_adb);
+
+ Ok(())
+ }
+
+ #[test]
+ fn test_invalid_sysprop_disables_debug_policy() -> Result<()> {
+ let debug_config = DebugConfig::from_custom_debug_overlay_policy(
+ DebugLevel::NONE,
+ "/a/does/not/exist/path.dtbo".as_ref(),
+ )
+ .unwrap();
+
+ assert_eq!(DebugLevel::NONE, debug_config.debug_level);
+ assert!(!debug_config.debug_policy_log);
+ assert!(!debug_config.debug_policy_ramdump);
+ assert!(!debug_config.debug_policy_adb);
+
+ Ok(())
+ }
+
+ fn test_new_with_custom_policy_internal() -> Result<()> {
+ let debug_config = DebugConfig::new(DebugLevel::NONE);
+
+ ensure!(debug_config.debug_level == DebugLevel::NONE);
+ ensure!(!debug_config.debug_policy_log);
+ ensure!(!debug_config.debug_policy_ramdump);
+ ensure!(debug_config.debug_policy_adb);
+
+ Ok(())
+ }
+
+ #[test]
+ fn test_new_with_custom_policy() -> Result<()> {
+ if !can_set_sysprop() {
+ // Skip test if we can't override sysprop.
+ return Ok(());
+ }
+
+ // Setup
+ let old_sysprop = system_properties::read(CUSTOM_DEBUG_POLICY_OVERLAY_SYSPROP)
+ .context("Failed to read existing sysprop")?
+ .unwrap_or_default();
+ let file_name = "avf_debug_policy_with_adb.dtbo";
+ system_properties::write(CUSTOM_DEBUG_POLICY_OVERLAY_SYSPROP, file_name)
+ .context("Failed to set sysprop")?;
+
+ // Run test
+ let test_result = test_new_with_custom_policy_internal();
+
+ // Clean up.
+ system_properties::write(CUSTOM_DEBUG_POLICY_OVERLAY_SYSPROP, &old_sysprop)
+ .context("Failed to restore sysprop")?;
+
+ test_result
+ }
}
diff --git a/virtualizationservice/Android.bp b/virtualizationservice/Android.bp
index f7202da..6b39ff9 100644
--- a/virtualizationservice/Android.bp
+++ b/virtualizationservice/Android.bp
@@ -28,6 +28,7 @@
"libandroid_logger",
"libanyhow",
"libbinder_rs",
+ "libvmclient",
"liblibc",
"liblog_rust",
"libnix",
diff --git a/virtualizationservice/aidl/android/system/virtualizationcommon/DeathReason.aidl b/virtualizationservice/aidl/android/system/virtualizationcommon/DeathReason.aidl
index 3f47002..0164de4 100644
--- a/virtualizationservice/aidl/android/system/virtualizationcommon/DeathReason.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationcommon/DeathReason.aidl
@@ -38,10 +38,7 @@
PVM_FIRMWARE_PUBLIC_KEY_MISMATCH = 7,
/** The pVM firmware failed to verify the VM because the instance image changed. */
PVM_FIRMWARE_INSTANCE_IMAGE_CHANGED = 8,
- /** The bootloader failed to verify the VM because the public key doesn't match. */
- BOOTLOADER_PUBLIC_KEY_MISMATCH = 9,
- /** The bootloader failed to verify the VM because the instance image changed. */
- BOOTLOADER_INSTANCE_IMAGE_CHANGED = 10,
+ // 9 & 10 intentionally removed.
/** The microdroid failed to connect to VirtualizationService's RPC server. */
MICRODROID_FAILED_TO_CONNECT_TO_VIRTUALIZATION_SERVICE = 11,
/** The payload for microdroid is changed. */
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice_internal/IVirtualizationServiceInternal.aidl b/virtualizationservice/aidl/android/system/virtualizationservice_internal/IVirtualizationServiceInternal.aidl
index 5422a48..cc59b3f 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice_internal/IVirtualizationServiceInternal.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice_internal/IVirtualizationServiceInternal.aidl
@@ -49,4 +49,14 @@
/** Get a list of all currently running VMs. */
VirtualMachineDebugInfo[] debugListVms();
+
+ /**
+ * Requests a certificate using the provided certificate signing request (CSR).
+ *
+ * @param csr the certificate signing request.
+ * @param instanceImgFd The file descriptor of the instance image. The file should be open for
+ * both reading and writing.
+ * @return the X.509 encoded certificate.
+ */
+ byte[] requestCertificate(in byte[] csr, in ParcelFileDescriptor instanceImgFd);
}
diff --git a/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl b/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl
index 3fdb48a..7b90714 100644
--- a/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl
+++ b/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl
@@ -44,4 +44,12 @@
* Notifies that an error has occurred inside the VM.
*/
void notifyError(ErrorCode errorCode, in String message);
+
+ /**
+ * Requests a certificate using the provided certificate signing request (CSR).
+ *
+ * @param csr the certificate signing request.
+ * @return the X.509 encoded certificate.
+ */
+ byte[] requestCertificate(in byte[] csr);
}
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index e0b78ba..5c5a7e4 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -16,8 +16,12 @@
use crate::{get_calling_pid, get_calling_uid};
use crate::atom::{forward_vm_booted_atom, forward_vm_creation_atom, forward_vm_exited_atom};
+use crate::rkpvm::request_certificate;
use android_os_permissions_aidl::aidl::android::os::IPermissionController;
-use android_system_virtualizationservice::aidl::android::system::virtualizationservice::VirtualMachineDebugInfo::VirtualMachineDebugInfo;
+use android_system_virtualizationservice::{
+ aidl::android::system::virtualizationservice::VirtualMachineDebugInfo::VirtualMachineDebugInfo,
+ binder::ParcelFileDescriptor,
+};
use android_system_virtualizationservice_internal::aidl::android::system::virtualizationservice_internal::{
AtomVmBooted::AtomVmBooted,
AtomVmCreationRequested::AtomVmCreationRequested,
@@ -26,13 +30,13 @@
IVirtualizationServiceInternal::IVirtualizationServiceInternal,
};
use android_system_virtualmachineservice::aidl::android::system::virtualmachineservice::IVirtualMachineService::VM_TOMBSTONES_SERVICE_PORT;
-use anyhow::{anyhow, bail, Context, Result};
+use anyhow::{anyhow, ensure, Context, Result};
use binder::{self, BinderFeatures, ExceptionCode, Interface, LazyServiceGuard, Status, Strong};
use libc::VMADDR_CID_HOST;
use log::{error, info, warn};
use rustutils::system_properties;
use std::collections::HashMap;
-use std::fs::{create_dir, read_dir, remove_dir, remove_file, set_permissions, Permissions};
+use std::fs::{create_dir, remove_dir_all, set_permissions, Permissions};
use std::io::{Read, Write};
use std::os::unix::fs::PermissionsExt;
use std::os::unix::raw::{pid_t, uid_t};
@@ -153,6 +157,19 @@
.collect();
Ok(cids)
}
+
+ fn requestCertificate(
+ &self,
+ csr: &[u8],
+ instance_img_fd: &ParcelFileDescriptor,
+ ) -> binder::Result<Vec<u8>> {
+ check_manage_access()?;
+ info!("Received csr. Getting certificate...");
+ request_certificate(csr, instance_img_fd).map_err(|e| {
+ error!("Failed to get certificate. Error: {e:?}");
+ Status::new_exception_str(ExceptionCode::SERVICE_SPECIFIC, Some(e.to_string()))
+ })
+ }
}
#[derive(Debug, Default)]
@@ -268,20 +285,10 @@
/// Removes a directory owned by a different user by first changing its owner back
/// to VirtualizationService.
pub fn remove_temporary_dir(path: &PathBuf) -> Result<()> {
- if !path.as_path().is_dir() {
- bail!("Path {:?} is not a directory", path);
- }
+ ensure!(path.as_path().is_dir(), "Path {:?} is not a directory", path);
chown(path, Some(Uid::current()), None)?;
set_permissions(path, Permissions::from_mode(0o700))?;
- remove_temporary_files(path)?;
- remove_dir(path)?;
- Ok(())
-}
-
-pub fn remove_temporary_files(path: &PathBuf) -> Result<()> {
- for dir_entry in read_dir(path)? {
- remove_file(dir_entry?.path())?;
- }
+ remove_dir_all(path)?;
Ok(())
}
diff --git a/virtualizationservice/src/atom.rs b/virtualizationservice/src/atom.rs
index 47a1603..4aa3550 100644
--- a/virtualizationservice/src/atom.rs
+++ b/virtualizationservice/src/atom.rs
@@ -87,12 +87,6 @@
DeathReason::PVM_FIRMWARE_INSTANCE_IMAGE_CHANGED => {
vm_exited::DeathReason::PvmFirmwareInstanceImageChanged
}
- DeathReason::BOOTLOADER_PUBLIC_KEY_MISMATCH => {
- vm_exited::DeathReason::BootloaderPublicKeyMismatch
- }
- DeathReason::BOOTLOADER_INSTANCE_IMAGE_CHANGED => {
- vm_exited::DeathReason::BootloaderInstanceImageChanged
- }
DeathReason::MICRODROID_FAILED_TO_CONNECT_TO_VIRTUALIZATION_SERVICE => {
vm_exited::DeathReason::MicrodroidFailedToConnectToVirtualizationService
}
diff --git a/virtualizationservice/src/main.rs b/virtualizationservice/src/main.rs
index 64ccb13..bf8b944 100644
--- a/virtualizationservice/src/main.rs
+++ b/virtualizationservice/src/main.rs
@@ -16,6 +16,7 @@
mod aidl;
mod atom;
+mod rkpvm;
use crate::aidl::{
remove_temporary_dir, BINDER_SERVICE_IDENTIFIER, TEMPORARY_DIRECTORY,
diff --git a/virtualizationservice/src/rkpvm.rs b/virtualizationservice/src/rkpvm.rs
new file mode 100644
index 0000000..a4649f6
--- /dev/null
+++ b/virtualizationservice/src/rkpvm.rs
@@ -0,0 +1,95 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Handles the RKP (Remote Key Provisioning) VM and host communication.
+//! The RKP VM will be recognized and attested by the RKP server periodically and
+//! serves as a trusted platform to attest a client VM.
+
+use android_system_virtualizationservice::{
+ aidl::android::system::virtualizationservice::{
+ CpuTopology::CpuTopology, DiskImage::DiskImage, Partition::Partition,
+ PartitionType::PartitionType, VirtualMachineConfig::VirtualMachineConfig,
+ VirtualMachineRawConfig::VirtualMachineRawConfig,
+ },
+ binder::{ParcelFileDescriptor, ProcessState},
+};
+use anyhow::{anyhow, Context, Result};
+use log::info;
+use std::fs::File;
+use std::time::Duration;
+use vmclient::VmInstance;
+
+const RIALTO_PATH: &str = "/apex/com.android.virt/etc/rialto.bin";
+
+pub(crate) fn request_certificate(
+ csr: &[u8],
+ instance_img_fd: &ParcelFileDescriptor,
+) -> Result<Vec<u8>> {
+ // We need to start the thread pool for Binder to work properly, especially link_to_death.
+ ProcessState::start_thread_pool();
+
+ let virtmgr = vmclient::VirtualizationService::new().context("Failed to spawn virtmgr")?;
+ let service = virtmgr.connect().context("virtmgr failed to connect")?;
+ info!("service_vm: Connected to VirtualizationService");
+ // TODO(b/272226230): Either turn rialto into the service VM or use an empty payload here.
+ // If using an empty payload, the service code will be part of pvmfw.
+ let rialto = File::open(RIALTO_PATH).context("Failed to open Rialto kernel binary")?;
+
+ // TODO(b/272226230): Initialize the partition from virtualization manager.
+ const INSTANCE_IMG_SIZE_BYTES: i64 = 1 << 20; // 1MB
+ service
+ .initializeWritablePartition(
+ instance_img_fd,
+ INSTANCE_IMG_SIZE_BYTES,
+ PartitionType::ANDROID_VM_INSTANCE,
+ )
+ .context("Failed to initialize instange.img")?;
+ let instance_img =
+ instance_img_fd.as_ref().try_clone().context("Failed to clone instance.img")?;
+ let instance_img = ParcelFileDescriptor::new(instance_img);
+ let writable_partitions = vec![Partition {
+ label: "vm-instance".to_owned(),
+ image: Some(instance_img),
+ writable: true,
+ }];
+ info!("service_vm: Finished initializing instance.img...");
+
+ let config = VirtualMachineConfig::RawConfig(VirtualMachineRawConfig {
+ name: String::from("Service VM"),
+ kernel: None,
+ initrd: None,
+ params: None,
+ bootloader: Some(ParcelFileDescriptor::new(rialto)),
+ disks: vec![DiskImage { image: None, partitions: writable_partitions, writable: true }],
+ protectedVm: true,
+ memoryMib: 300,
+ cpuTopology: CpuTopology::ONE_CPU,
+ platformVersion: "~1.0".to_string(),
+ taskProfiles: vec![],
+ gdbPort: 0, // No gdb
+ });
+ let vm = VmInstance::create(service.as_ref(), &config, None, None, None)
+ .context("Failed to create service VM")?;
+
+ info!("service_vm: Starting Service VM...");
+ vm.start().context("Failed to start service VM")?;
+
+ // TODO(b/274441673): The host can send the CSR to the RKP VM for attestation.
+ // Wait for VM to finish.
+ vm.wait_for_death_with_timeout(Duration::from_secs(10))
+ .ok_or_else(|| anyhow!("Timed out waiting for VM exit"))?;
+
+ info!("service_vm: Finished getting the certificate");
+ Ok([b"Return: ", csr].concat())
+}
diff --git a/vm_payload/Android.bp b/vm_payload/Android.bp
index 967d1cf..77dbb6b 100644
--- a/vm_payload/Android.bp
+++ b/vm_payload/Android.bp
@@ -10,6 +10,8 @@
srcs: ["src/*.rs"],
include_dirs: ["include"],
prefer_rlib: true,
+ // Require unsafe blocks for inside unsafe functions.
+ flags: ["-Dunsafe_op_in_unsafe_fn"],
rustlibs: [
"android.system.virtualization.payload-rust",
"libandroid_logger",
@@ -36,7 +38,10 @@
crate_name: "vm_payload_bindgen",
source_stem: "bindings",
apex_available: ["com.android.compos"],
- visibility: ["//packages/modules/Virtualization/compos"],
+ visibility: [
+ "//packages/modules/Virtualization/compos",
+ "//packages/modules/Virtualization/service_vm/client_apk",
+ ],
shared_libs: [
"libvm_payload#current",
],
diff --git a/vm_payload/include-restricted/vm_payload_restricted.h b/vm_payload/include-restricted/vm_payload_restricted.h
index 7f17cde..1e0c3cc 100644
--- a/vm_payload/include-restricted/vm_payload_restricted.h
+++ b/vm_payload/include-restricted/vm_payload_restricted.h
@@ -22,6 +22,10 @@
#include "vm_payload.h"
+#if !defined(__INTRODUCED_IN)
+#define __INTRODUCED_IN(__api_level) /* nothing */
+#endif
+
// The functions declared here are restricted to VMs created with a config file;
// they will fail if called in other VMs. The ability to create such VMs
// requires the android.permission.USE_CUSTOM_VIRTUAL_MACHINE permission, and is
@@ -51,4 +55,18 @@
*/
size_t AVmPayload_getDiceAttestationCdi(void* _Nullable data, size_t size);
+/**
+ * Requests a certificate using the provided certificate signing request (CSR).
+ *
+ * \param csr A pointer to the CSR buffer.
+ * \param csr_size The size of the CSR buffer.
+ * \param buffer A pointer to the certificate buffer.
+ * \param size number of bytes that can be written to the certificate buffer.
+ *
+ * \return the total size of the certificate
+ */
+size_t AVmPayload_requestCertificate(const void* _Nonnull csr, size_t csr_size,
+ void* _Nullable buffer, size_t size)
+ __INTRODUCED_IN(__ANDROID_API_V__);
+
__END_DECLS
diff --git a/vm_payload/libvm_payload.map.txt b/vm_payload/libvm_payload.map.txt
index a2402d1..f0d867e 100644
--- a/vm_payload/libvm_payload.map.txt
+++ b/vm_payload/libvm_payload.map.txt
@@ -7,6 +7,7 @@
AVmPayload_getDiceAttestationCdi; # systemapi
AVmPayload_getApkContentsPath; # systemapi
AVmPayload_getEncryptedStoragePath; # systemapi
+ AVmPayload_requestCertificate; # systemapi introduced=35
local:
*;
};
diff --git a/vm_payload/src/api.rs b/vm_payload/src/api.rs
index 4b565e0..00d7299 100644
--- a/vm_payload/src/api.rs
+++ b/vm_payload/src/api.rs
@@ -14,9 +14,6 @@
//! This module handles the interaction with virtual machine payload service.
-// We're implementing unsafe functions, but we still want warnings on unsafe usage within them.
-#![warn(unsafe_op_in_unsafe_fn)]
-
use android_system_virtualization_payload::aidl::android::system::virtualization::payload::IVmPayloadService::{
ENCRYPTEDSTORE_MOUNTPOINT, IVmPayloadService, VM_PAYLOAD_SERVICE_SOCKET_NAME, VM_APK_CONTENTS_PATH};
use anyhow::{ensure, bail, Context, Result};
@@ -256,6 +253,52 @@
get_vm_payload_service()?.getDiceAttestationCdi().context("Cannot get attestation CDI")
}
+/// Requests a certificate using the provided certificate signing request (CSR).
+/// Panics on failure.
+///
+/// # Safety
+///
+/// Behavior is undefined if any of the following conditions are violated:
+///
+/// * `csr` must be [valid] for reads of `csr_size` bytes.
+/// * `buffer` must be [valid] for writes of `size` bytes. `buffer` can be null if `size` is 0.
+///
+/// [valid]: ptr#safety
+#[no_mangle]
+pub unsafe extern "C" fn AVmPayload_requestCertificate(
+ csr: *const u8,
+ csr_size: usize,
+ buffer: *mut u8,
+ size: usize,
+) -> usize {
+ initialize_logging();
+
+ // SAFETY: See the requirements on `csr` above.
+ let csr = unsafe { std::slice::from_raw_parts(csr, csr_size) };
+ let certificate = unwrap_or_abort(try_request_certificate(csr));
+
+ if size != 0 || buffer.is_null() {
+ // SAFETY: See the requirements on `buffer` above. The number of bytes copied doesn't exceed
+ // the length of either buffer, and `certificate` cannot overlap `buffer` because we just
+ // allocated it.
+ unsafe {
+ ptr::copy_nonoverlapping(
+ certificate.as_ptr(),
+ buffer,
+ std::cmp::min(certificate.len(), size),
+ );
+ }
+ }
+ certificate.len()
+}
+
+fn try_request_certificate(csr: &[u8]) -> Result<Vec<u8>> {
+ let certificate = get_vm_payload_service()?
+ .requestCertificate(csr)
+ .context("Failed to request certificate")?;
+ Ok(certificate)
+}
+
/// Gets the path to the APK contents.
#[no_mangle]
pub extern "C" fn AVmPayload_getApkContentsPath() -> *const c_char {
diff --git a/vm_payload/src/lib.rs b/vm_payload/src/lib.rs
index 5c3ee31..4d059d1 100644
--- a/vm_payload/src/lib.rs
+++ b/vm_payload/src/lib.rs
@@ -17,6 +17,7 @@
mod api;
pub use api::{
- AVmPayload_getDiceAttestationCdi, AVmPayload_getDiceAttestationChain,
- AVmPayload_getVmInstanceSecret, AVmPayload_notifyPayloadReady,
+ AVmPayload_getCertificate, AVmPayload_getDiceAttestationCdi,
+ AVmPayload_getDiceAttestationChain, AVmPayload_getVmInstanceSecret,
+ AVmPayload_notifyPayloadReady,
};
diff --git a/vmbase/README.md b/vmbase/README.md
index 552ac31..7f621fb 100644
--- a/vmbase/README.md
+++ b/vmbase/README.md
@@ -51,12 +51,14 @@
entry point. Instead, `vmbase` provides a macro to specify your main function:
```rust
-use vmbase::{main, println};
+use vmbase::{logger, main};
+use log::{info, LevelFilter};
main!(main);
pub fn main(arg0: u64, arg1: u64, arg2: u64, arg3: u64) {
- println!("Hello world");
+ logger::init(LevelFilter::Info).unwrap();
+ info!("Hello world");
}
```
diff --git a/vmbase/entry.S b/vmbase/entry.S
index 408f5d1..9f6993a 100644
--- a/vmbase/entry.S
+++ b/vmbase/entry.S
@@ -208,8 +208,14 @@
stp q0, q1, [x28], #32
b 2b
-3: /* Prepare the stack. */
- adr_l x30, boot_stack_end
+3: /* Prepare the exception handler stack (SP_EL1). */
+ adr_l x30, init_eh_stack_pointer
+ msr spsel, #1
+ mov sp, x30
+
+ /* Prepare the main thread stack (SP_EL0). */
+ adr_l x30, init_stack_pointer
+ msr spsel, #0
mov sp, x30
/* Set up exception vector. */
diff --git a/vmbase/example/Android.bp b/vmbase/example/Android.bp
index 26be51b..dc9a090 100644
--- a/vmbase/example/Android.bp
+++ b/vmbase/example/Android.bp
@@ -18,7 +18,6 @@
"libvirtio_drivers",
"libvmbase",
],
- apex_available: ["com.android.virt"],
}
cc_binary {
@@ -34,7 +33,6 @@
"image.ld",
":vmbase_sections",
],
- apex_available: ["com.android.virt"],
}
raw_binary {
diff --git a/vmbase/example/src/exceptions.rs b/vmbase/example/src/exceptions.rs
index 0e637ac..0522013 100644
--- a/vmbase/example/src/exceptions.rs
+++ b/vmbase/example/src/exceptions.rs
@@ -15,56 +15,56 @@
//! Exception handlers.
use core::arch::asm;
-use vmbase::{console::emergency_write_str, eprintln, power::reboot};
+use vmbase::{eprintln, power::reboot};
#[no_mangle]
extern "C" fn sync_exception_current(_elr: u64, _spsr: u64) {
- emergency_write_str("sync_exception_current\n");
+ eprintln!("sync_exception_current");
print_esr();
reboot();
}
#[no_mangle]
extern "C" fn irq_current(_elr: u64, _spsr: u64) {
- emergency_write_str("irq_current\n");
+ eprintln!("irq_current");
reboot();
}
#[no_mangle]
extern "C" fn fiq_current(_elr: u64, _spsr: u64) {
- emergency_write_str("fiq_current\n");
+ eprintln!("fiq_current");
reboot();
}
#[no_mangle]
extern "C" fn serr_current(_elr: u64, _spsr: u64) {
- emergency_write_str("serr_current\n");
+ eprintln!("serr_current");
print_esr();
reboot();
}
#[no_mangle]
extern "C" fn sync_lower(_elr: u64, _spsr: u64) {
- emergency_write_str("sync_lower\n");
+ eprintln!("sync_lower");
print_esr();
reboot();
}
#[no_mangle]
extern "C" fn irq_lower(_elr: u64, _spsr: u64) {
- emergency_write_str("irq_lower\n");
+ eprintln!("irq_lower");
reboot();
}
#[no_mangle]
extern "C" fn fiq_lower(_elr: u64, _spsr: u64) {
- emergency_write_str("fiq_lower\n");
+ eprintln!("fiq_lower");
reboot();
}
#[no_mangle]
extern "C" fn serr_lower(_elr: u64, _spsr: u64) {
- emergency_write_str("serr_lower\n");
+ eprintln!("serr_lower");
print_esr();
reboot();
}
diff --git a/vmbase/example/src/layout.rs b/vmbase/example/src/layout.rs
index 4c3af6d..2e9d27a 100644
--- a/vmbase/example/src/layout.rs
+++ b/vmbase/example/src/layout.rs
@@ -17,8 +17,8 @@
use aarch64_paging::paging::{MemoryRegion, VirtualAddress};
use core::arch::asm;
use core::ops::Range;
+use log::info;
use vmbase::layout;
-use vmbase::println;
use vmbase::STACK_CHK_GUARD;
/// The first 1 GiB of memory are used for MMIO.
@@ -55,13 +55,13 @@
/// Writable data region for the stack.
pub fn boot_stack_range() -> Range<VirtualAddress> {
- into_va_range(layout::boot_stack_range())
+ const PAGE_SIZE: usize = 4 << 10;
+ into_va_range(layout::stack_range(40 * PAGE_SIZE))
}
-/// Writable data, including the stack.
-pub fn writable_region() -> MemoryRegion {
- let r = layout::writable_region();
- MemoryRegion::new(r.start, r.end)
+/// Writable data region for allocations.
+pub fn scratch_range() -> Range<VirtualAddress> {
+ into_va_range(layout::scratch_range())
}
fn data_load_address() -> VirtualAddress {
@@ -74,14 +74,14 @@
pub fn print_addresses() {
let dtb = dtb_range();
- println!("dtb: {}..{} ({} bytes)", dtb.start, dtb.end, dtb.end - dtb.start);
+ info!("dtb: {}..{} ({} bytes)", dtb.start, dtb.end, dtb.end - dtb.start);
let text = text_range();
- println!("text: {}..{} ({} bytes)", text.start, text.end, text.end - text.start);
+ info!("text: {}..{} ({} bytes)", text.start, text.end, text.end - text.start);
let rodata = rodata_range();
- println!("rodata: {}..{} ({} bytes)", rodata.start, rodata.end, rodata.end - rodata.start);
- println!("binary end: {}", binary_end());
+ info!("rodata: {}..{} ({} bytes)", rodata.start, rodata.end, rodata.end - rodata.start);
+ info!("binary end: {}", binary_end());
let data = data_range();
- println!(
+ info!(
"data: {}..{} ({} bytes, loaded at {})",
data.start,
data.end,
@@ -89,9 +89,9 @@
data_load_address(),
);
let bss = bss_range();
- println!("bss: {}..{} ({} bytes)", bss.start, bss.end, bss.end - bss.start);
+ info!("bss: {}..{} ({} bytes)", bss.start, bss.end, bss.end - bss.start);
let boot_stack = boot_stack_range();
- println!(
+ info!(
"boot_stack: {}..{} ({} bytes)",
boot_stack.start,
boot_stack.end,
diff --git a/vmbase/example/src/main.rs b/vmbase/example/src/main.rs
index 9ec2dc4..3bf850c 100644
--- a/vmbase/example/src/main.rs
+++ b/vmbase/example/src/main.rs
@@ -24,8 +24,8 @@
extern crate alloc;
use crate::layout::{
- bionic_tls, dtb_range, print_addresses, rodata_range, stack_chk_guard, text_range,
- writable_region, DEVICE_REGION,
+ bionic_tls, boot_stack_range, dtb_range, print_addresses, rodata_range, scratch_range,
+ stack_chk_guard, text_range, DEVICE_REGION,
};
use crate::pci::{check_pci, get_bar_region};
use aarch64_paging::{idmap::IdMap, paging::Attributes};
@@ -34,8 +34,8 @@
use core::ffi::CStr;
use fdtpci::PciInfo;
use libfdt::Fdt;
-use log::{debug, info, trace, LevelFilter};
-use vmbase::{logger, main, println};
+use log::{debug, error, info, trace, warn, LevelFilter};
+use vmbase::{logger, main};
static INITIALISED_DATA: [u32; 4] = [1, 2, 3, 4];
static mut ZEROED_DATA: [u32; 10] = [0; 10];
@@ -55,7 +55,7 @@
pub fn main(arg0: u64, arg1: u64, arg2: u64, arg3: u64) {
logger::init(LevelFilter::Debug).unwrap();
- println!("Hello world");
+ info!("Hello world");
info!("x0={:#018x}, x1={:#018x}, x2={:#018x}, x3={:#018x}", arg0, arg1, arg2, arg3);
print_addresses();
assert_eq!(arg0, dtb_range().start.0 as u64);
@@ -100,7 +100,13 @@
.unwrap();
idmap
.map_range(
- &writable_region(),
+ &scratch_range().into(),
+ Attributes::NORMAL | Attributes::NON_GLOBAL | Attributes::EXECUTE_NEVER,
+ )
+ .unwrap();
+ idmap
+ .map_range(
+ &boot_stack_range().into(),
Attributes::NORMAL | Attributes::NON_GLOBAL | Attributes::EXECUTE_NEVER,
)
.unwrap();
@@ -127,6 +133,8 @@
let mut pci_root = unsafe { pci_info.make_pci_root() };
check_pci(&mut pci_root);
+
+ emit_suppressed_log();
}
fn check_stack_guard() {
@@ -236,3 +244,21 @@
]
);
}
+
+macro_rules! log_all_levels {
+ ($msg:literal) => {{
+ error!($msg);
+ warn!($msg);
+ info!($msg);
+ debug!($msg);
+ trace!($msg);
+ }};
+}
+
+fn emit_suppressed_log() {
+ {
+ let _guard = logger::suppress();
+ log_all_levels!("Suppressed message");
+ }
+ log_all_levels!("Unsuppressed message");
+}
diff --git a/vmbase/example/src/pci.rs b/vmbase/example/src/pci.rs
index 117cbc8..41a3ff4 100644
--- a/vmbase/example/src/pci.rs
+++ b/vmbase/example/src/pci.rs
@@ -98,7 +98,7 @@
struct HalImpl;
-impl Hal for HalImpl {
+unsafe impl Hal for HalImpl {
fn dma_alloc(pages: usize, _direction: BufferDirection) -> (PhysAddr, NonNull<u8>) {
debug!("dma_alloc: pages={}", pages);
let layout = Layout::from_size_align(pages * PAGE_SIZE, PAGE_SIZE).unwrap();
@@ -110,7 +110,7 @@
(paddr, vaddr)
}
- fn dma_dealloc(paddr: PhysAddr, vaddr: NonNull<u8>, pages: usize) -> i32 {
+ unsafe fn dma_dealloc(paddr: PhysAddr, vaddr: NonNull<u8>, pages: usize) -> i32 {
debug!("dma_dealloc: paddr={:#x}, pages={}", paddr, pages);
let layout = Layout::from_size_align(pages * PAGE_SIZE, PAGE_SIZE).unwrap();
// Safe because the memory was allocated by `dma_alloc` above using the same allocator, and
@@ -121,17 +121,17 @@
0
}
- fn mmio_phys_to_virt(paddr: PhysAddr, _size: usize) -> NonNull<u8> {
+ unsafe fn mmio_phys_to_virt(paddr: PhysAddr, _size: usize) -> NonNull<u8> {
NonNull::new(paddr as _).unwrap()
}
- fn share(buffer: NonNull<[u8]>, _direction: BufferDirection) -> PhysAddr {
+ unsafe fn share(buffer: NonNull<[u8]>, _direction: BufferDirection) -> PhysAddr {
let vaddr = buffer.cast();
// Nothing to do, as the host already has access to all memory.
virt_to_phys(vaddr)
}
- fn unshare(_paddr: PhysAddr, _buffer: NonNull<[u8]>, _direction: BufferDirection) {
+ unsafe fn unshare(_paddr: PhysAddr, _buffer: NonNull<[u8]>, _direction: BufferDirection) {
// Nothing to do, as the host already has access to all memory and we didn't copy the buffer
// anywhere else.
}
diff --git a/vmbase/example/tests/test.rs b/vmbase/example/tests/test.rs
index 8f0eaa5..9088f1a 100644
--- a/vmbase/example/tests/test.rs
+++ b/vmbase/example/tests/test.rs
@@ -24,6 +24,7 @@
use anyhow::{Context, Error};
use log::info;
use std::{
+ collections::{HashSet, VecDeque},
fs::File,
io::{self, BufRead, BufReader, Read, Write},
os::unix::io::FromRawFd,
@@ -89,7 +90,7 @@
taskProfiles: vec![],
gdbPort: 0, // no gdb
});
- let console = android_log_fd()?;
+ let (handle, console) = android_log_fd()?;
let (mut log_reader, log_writer) = pipe()?;
let vm = VmInstance::create(service.as_ref(), &config, Some(console), Some(log_writer), None)
.context("Failed to create VM")?;
@@ -99,6 +100,7 @@
// Wait for VM to finish, and check that it shut down cleanly.
let death_reason = vm.wait_for_death();
assert_eq!(death_reason, DeathReason::Shutdown);
+ handle.join().unwrap();
// Check that the expected string was written to the log VirtIO console device.
let expected = "Hello VirtIO console\n";
@@ -109,15 +111,10 @@
Ok(())
}
-fn android_log_fd() -> io::Result<File> {
+fn android_log_fd() -> Result<(thread::JoinHandle<()>, File), io::Error> {
let (reader, writer) = pipe()?;
-
- thread::spawn(|| {
- for line in BufReader::new(reader).lines() {
- info!("{}", line.unwrap());
- }
- });
- Ok(writer)
+ let handle = thread::spawn(|| VmLogProcessor::new(reader).run().unwrap());
+ Ok((handle, writer))
}
fn pipe() -> io::Result<(File, File)> {
@@ -129,3 +126,51 @@
Ok((reader, writer))
}
+
+struct VmLogProcessor {
+ reader: Option<File>,
+ expected: VecDeque<String>,
+ unexpected: HashSet<String>,
+ had_unexpected: bool,
+}
+
+impl VmLogProcessor {
+ fn messages() -> (VecDeque<String>, HashSet<String>) {
+ let mut expected = VecDeque::new();
+ let mut unexpected = HashSet::new();
+ for log_lvl in ["[ERROR]", "[WARN]", "[INFO]", "[DEBUG]"] {
+ expected.push_back(format!("{log_lvl} Unsuppressed message"));
+ unexpected.insert(format!("{log_lvl} Suppressed message"));
+ }
+ (expected, unexpected)
+ }
+
+ fn new(reader: File) -> Self {
+ let (expected, unexpected) = Self::messages();
+ Self { reader: Some(reader), expected, unexpected, had_unexpected: false }
+ }
+
+ fn verify(&mut self, msg: &str) {
+ if self.expected.front() == Some(&msg.to_owned()) {
+ self.expected.pop_front();
+ }
+ if !self.had_unexpected && self.unexpected.contains(msg) {
+ self.had_unexpected = true;
+ }
+ }
+
+ fn run(mut self) -> Result<(), &'static str> {
+ for line in BufReader::new(self.reader.take().unwrap()).lines() {
+ let msg = line.unwrap();
+ info!("{msg}");
+ self.verify(&msg);
+ }
+ if !self.expected.is_empty() {
+ Err("missing expected log message")
+ } else if self.had_unexpected {
+ Err("unexpected log message")
+ } else {
+ Ok(())
+ }
+ }
+}
diff --git a/vmbase/sections.ld b/vmbase/sections.ld
index 87b909d..5232d30 100644
--- a/vmbase/sections.ld
+++ b/vmbase/sections.ld
@@ -39,12 +39,10 @@
* Collect together the code. This is page aligned so it can be mapped
* as executable-only.
*/
- .init : ALIGN(4096) {
+ .text : ALIGN(4096) {
text_begin = .;
*(.init.entry)
*(.init.*)
- } >image
- .text : {
*(.text.*)
} >image
text_end = .;
@@ -62,6 +60,17 @@
} >image
rodata_end = .;
+ .eh_stack (NOLOAD) : ALIGN(4096) {
+ /*
+ * Get stack overflow guard from the previous page being from
+ * .rodata and mapped read-only or left unmapped.
+ */
+ eh_stack_limit = .;
+ . += 4096;
+ . = ALIGN(4096);
+ init_eh_stack_pointer = .;
+ } >writable_data
+
/*
* Collect together the read-write data including .bss at the end which
* will be zero'd by the entry code. This is page aligned so it can be
@@ -91,11 +100,11 @@
bss_end = .;
} >writable_data
+ init_stack_pointer = ORIGIN(writable_data) + LENGTH(writable_data);
.stack (NOLOAD) : ALIGN(4096) {
- boot_stack_begin = .;
- . += 40 * 4096;
- . = ALIGN(4096);
- boot_stack_end = .;
+ . += 4096; /* Ensure we have one guard page for overflow. */
+ stack_limit = .;
+ . = init_stack_pointer;
} >writable_data
/*
diff --git a/vmbase/src/console.rs b/vmbase/src/console.rs
index fabea91..7c8ddf6 100644
--- a/vmbase/src/console.rs
+++ b/vmbase/src/console.rs
@@ -40,14 +40,14 @@
/// Writes a string to the console.
///
/// Panics if [`init`] was not called first.
-pub fn write_str(s: &str) {
+pub(crate) fn write_str(s: &str) {
CONSOLE.lock().as_mut().unwrap().write_str(s).unwrap();
}
/// Writes a formatted string to the console.
///
/// Panics if [`init`] was not called first.
-pub fn write_args(format_args: Arguments) {
+pub(crate) fn write_args(format_args: Arguments) {
write(CONSOLE.lock().as_mut().unwrap(), format_args).unwrap();
}
@@ -69,20 +69,10 @@
let _ = write(&mut uart, format_args);
}
-/// Prints the given string to the console.
-///
-/// Panics if the console has not yet been initialised. May hang if used in an exception context;
-/// use `eprint!` instead.
-#[macro_export]
-macro_rules! print {
- ($($arg:tt)*) => ($crate::console::write_args(format_args!($($arg)*)));
-}
-
/// Prints the given formatted string to the console, followed by a newline.
///
/// Panics if the console has not yet been initialised. May hang if used in an exception context;
/// use `eprintln!` instead.
-#[macro_export]
macro_rules! println {
() => ($crate::console::write_str("\n"));
($($arg:tt)*) => ({
@@ -91,6 +81,8 @@
);
}
+pub(crate) use println; // Make it available in this crate.
+
/// Prints the given string to the console in an emergency, such as an exception handler.
///
/// Never panics.
diff --git a/vmbase/src/entry.rs b/vmbase/src/entry.rs
index 1510ae2..8cdfe77 100644
--- a/vmbase/src/entry.rs
+++ b/vmbase/src/entry.rs
@@ -36,12 +36,14 @@
/// Example:
///
/// ```rust
-/// use vmbase::main;
+/// use vmbase::{logger, main};
+/// use log::{info, LevelFilter};
///
/// main!(my_main);
///
/// fn my_main() {
-/// println!("Hello world");
+/// logger::init(LevelFilter::Info).unwrap();
+/// info!("Hello world");
/// }
/// ```
#[macro_export]
diff --git a/vmbase/src/layout.rs b/vmbase/src/layout.rs
index b0a5173..ead4f8e 100644
--- a/vmbase/src/layout.rs
+++ b/vmbase/src/layout.rs
@@ -14,53 +14,73 @@
//! Memory layout.
-use crate::linker;
use core::ops::Range;
use core::ptr::addr_of;
+/// Get an address from a linker-defined symbol.
+#[macro_export]
+macro_rules! linker_addr {
+ ($symbol:ident) => {{
+ unsafe { addr_of!($crate::linker::$symbol) as usize }
+ }};
+}
+
+/// Get the address range between a pair of linker-defined symbols.
+#[macro_export]
+macro_rules! linker_region {
+ ($begin:ident,$end:ident) => {{
+ let start = linker_addr!($begin);
+ let end = linker_addr!($end);
+
+ start..end
+ }};
+}
+
/// Memory reserved for the DTB.
pub fn dtb_range() -> Range<usize> {
- unsafe { (addr_of!(linker::dtb_begin) as usize)..(addr_of!(linker::dtb_end) as usize) }
+ linker_region!(dtb_begin, dtb_end)
}
/// Executable code.
pub fn text_range() -> Range<usize> {
- unsafe { (addr_of!(linker::text_begin) as usize)..(addr_of!(linker::text_end) as usize) }
+ linker_region!(text_begin, text_end)
}
/// Read-only data.
pub fn rodata_range() -> Range<usize> {
- unsafe { (addr_of!(linker::rodata_begin) as usize)..(addr_of!(linker::rodata_end) as usize) }
+ linker_region!(rodata_begin, rodata_end)
}
/// Initialised writable data.
pub fn data_range() -> Range<usize> {
- unsafe { (addr_of!(linker::data_begin) as usize)..(addr_of!(linker::data_end) as usize) }
+ linker_region!(data_begin, data_end)
}
/// Zero-initialised writable data.
pub fn bss_range() -> Range<usize> {
- unsafe { (addr_of!(linker::bss_begin) as usize)..(addr_of!(linker::bss_end) as usize) }
+ linker_region!(bss_begin, bss_end)
}
/// Writable data region for the stack.
-pub fn boot_stack_range() -> Range<usize> {
- unsafe {
- (addr_of!(linker::boot_stack_begin) as usize)..(addr_of!(linker::boot_stack_end) as usize)
- }
+pub fn stack_range(stack_size: usize) -> Range<usize> {
+ let end = linker_addr!(init_stack_pointer);
+ let start = end.checked_sub(stack_size).unwrap();
+ assert!(start >= linker_addr!(stack_limit));
+
+ start..end
}
-/// Writable data, including the stack.
-pub fn writable_region() -> Range<usize> {
- data_range().start..boot_stack_range().end
+/// All writable sections, excluding the stack.
+pub fn scratch_range() -> Range<usize> {
+ linker_region!(eh_stack_limit, bss_end)
}
/// Read-write data (original).
pub fn data_load_address() -> usize {
- unsafe { addr_of!(linker::data_lma) as usize }
+ linker_addr!(data_lma)
}
/// End of the binary image.
pub fn binary_end() -> usize {
- unsafe { addr_of!(linker::bin_end) as usize }
+ linker_addr!(bin_end)
}
diff --git a/vmbase/src/linker.rs b/vmbase/src/linker.rs
index f4baae8..97bef3f 100644
--- a/vmbase/src/linker.rs
+++ b/vmbase/src/linker.rs
@@ -19,10 +19,6 @@
pub static __stack_chk_guard: u64;
/// First byte beyond the pre-loaded binary.
pub static bin_end: u8;
- /// First byte of the `.stack` section.
- pub static boot_stack_begin: u8;
- /// First byte beyond the `.stack` section.
- pub static boot_stack_end: u8;
/// First byte of the `.bss` section.
pub static bss_begin: u8;
/// First byte beyond the `.bss` section.
@@ -37,10 +33,16 @@
pub static dtb_begin: u8;
/// First byte beyond the `.dtb` section.
pub static dtb_end: u8;
+ /// First byte of the region available for the exception handler stack.
+ pub static eh_stack_limit: u8;
+ /// First byte past the region available for the stack.
+ pub static init_stack_pointer: u8;
/// First byte of the `.rodata` section.
pub static rodata_begin: u8;
/// First byte beyond the `.rodata` section.
pub static rodata_end: u8;
+ /// First byte of the region available for the stack.
+ pub static stack_limit: u8;
/// First byte of the `.text` section.
pub static text_begin: u8;
/// First byte beyond the `.text` section.
diff --git a/vmbase/src/logger.rs b/vmbase/src/logger.rs
index 5f0f1c2..94dc880 100644
--- a/vmbase/src/logger.rs
+++ b/vmbase/src/logger.rs
@@ -20,27 +20,71 @@
extern crate log;
-use super::println;
+use crate::console::println;
+use core::sync::atomic::{AtomicBool, Ordering};
use log::{LevelFilter, Log, Metadata, Record, SetLoggerError};
-struct Logger;
-static LOGGER: Logger = Logger;
+struct Logger {
+ is_enabled: AtomicBool,
+}
+static mut LOGGER: Logger = Logger::new();
+
+impl Logger {
+ const fn new() -> Self {
+ Self { is_enabled: AtomicBool::new(true) }
+ }
+
+ fn swap_enabled(&mut self, enabled: bool) -> bool {
+ self.is_enabled.swap(enabled, Ordering::Relaxed)
+ }
+}
impl Log for Logger {
fn enabled(&self, _metadata: &Metadata) -> bool {
- true
+ self.is_enabled.load(Ordering::Relaxed)
}
fn log(&self, record: &Record) {
- println!("[{}] {}", record.level(), record.args());
+ if self.enabled(record.metadata()) {
+ println!("[{}] {}", record.level(), record.args());
+ }
}
fn flush(&self) {}
}
+/// An RAII implementation of a log suppressor. When the instance is dropped, logging is re-enabled.
+pub struct SuppressGuard {
+ old_enabled: bool,
+}
+
+impl SuppressGuard {
+ fn new() -> Self {
+ // Safe because it modifies an atomic.
+ unsafe { Self { old_enabled: LOGGER.swap_enabled(false) } }
+ }
+}
+
+impl Drop for SuppressGuard {
+ fn drop(&mut self) {
+ // Safe because it modifies an atomic.
+ unsafe {
+ LOGGER.swap_enabled(self.old_enabled);
+ }
+ }
+}
+
/// Initialize vmbase logger with a given max logging level.
pub fn init(max_level: LevelFilter) -> Result<(), SetLoggerError> {
- log::set_logger(&LOGGER)?;
+ // Safe because it only sets the global logger.
+ unsafe {
+ log::set_logger(&LOGGER)?;
+ }
log::set_max_level(max_level);
Ok(())
}
+
+/// Suppress logging until the return value goes out of scope.
+pub fn suppress() -> SuppressGuard {
+ SuppressGuard::new()
+}
diff --git a/vmclient/src/death_reason.rs b/vmclient/src/death_reason.rs
index c417a7c..0610c1a 100644
--- a/vmclient/src/death_reason.rs
+++ b/vmclient/src/death_reason.rs
@@ -37,10 +37,6 @@
PvmFirmwarePublicKeyMismatch,
/// The pVM firmware failed to verify the VM because the instance image changed.
PvmFirmwareInstanceImageChanged,
- /// The bootloader failed to verify the VM because the public key doesn't match.
- BootloaderPublicKeyMismatch,
- /// The bootloader failed to verify the VM because the instance image changed.
- BootloaderInstanceImageChanged,
/// The microdroid failed to connect to VirtualizationService's RPC server.
MicrodroidFailedToConnectToVirtualizationService,
/// The payload for microdroid is changed.
@@ -71,10 +67,6 @@
AidlDeathReason::PVM_FIRMWARE_INSTANCE_IMAGE_CHANGED => {
Self::PvmFirmwareInstanceImageChanged
}
- AidlDeathReason::BOOTLOADER_PUBLIC_KEY_MISMATCH => Self::BootloaderPublicKeyMismatch,
- AidlDeathReason::BOOTLOADER_INSTANCE_IMAGE_CHANGED => {
- Self::BootloaderInstanceImageChanged
- }
AidlDeathReason::MICRODROID_FAILED_TO_CONNECT_TO_VIRTUALIZATION_SERVICE => {
Self::MicrodroidFailedToConnectToVirtualizationService
}