Enable verifying vendor partition (Reland with additional edits)
This reverts commit ebab0a93000cc3414ecd77a49883fac530e35c83.
Reason for revert: Relanding change with additional edits.
This reland also skips the tests that boot Microdroid with a vendor
partition in a pVM. The Microdroid vendor image for a pVM will be
verified against a root digest via ABL, and during the test we have no
way to pass information about the test images to a secure place like
ABL at runtime.
Bug: 285855436
Test: atest MicrodroidTests
Test: atest MicrodroidBenchmarks#testMicrodroidDebugBootTime_withVendorPartition
Change-Id: I7266a855e8bdc79e60ceac3328bf123abb97496e
diff --git a/microdroid/fstab.microdroid b/microdroid/fstab.microdroid
index da000b9..2742757 100644
--- a/microdroid/fstab.microdroid
+++ b/microdroid/fstab.microdroid
@@ -2,6 +2,4 @@
# This is a temporary solution to unblock other devs that depend on /vendor partition in Microdroid
# The /vendor partition will only be mounted if the kernel cmdline contains
# androidboot.microdroid.mount_vendor=1.
-# TODO(b/285855430): this should probably be defined in the DT
-# TODO(b/285855436): should be mounted on top of dm-verity device
-/dev/block/by-name/microdroid-vendor /vendor ext4 noatime,ro,errors=panic wait,first_stage_mount
+/dev/block/by-name/microdroid-vendor /vendor ext4 noatime,ro,errors=panic wait,first_stage_mount,avb_hashtree_digest=/sys/firmware/devicetree/base/avf/vendor_hashtree_descriptor_root_digest
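Review bot: The comment block above the changed entry still documents only the `androidboot.microdroid.mount_vendor=1` gate and says nothing about the verification this line now adds through `avb_hashtree_digest=`. I would add a line such as `# /vendor is verified against the hashtree root digest read from the device tree node avf/vendor_hashtree_descriptor_root_digest.` and state what first-stage mount does when that node is missing or empty. With `errors=panic` a reader will presumably expect the boot to fail closed, but that is not visible in this hunk and is worth confirming for targets without the node, which is the reason the tests in this change skip Cuttlefish. It would also help to say who is trusted to populate the node for non-protected VMs, since the digest is only as trustworthy as whoever writes the device tree.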
diff --git a/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java b/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java
index 1917654..e4b801a 100644
--- a/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java
+++ b/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java
@@ -262,6 +262,21 @@
@Test
public void testMicrodroidDebugBootTime_withVendorPartition() throws Exception {
+ assume().withMessage(
+ "Cuttlefish doesn't support device tree under"
+ + " /sys/firmware/devicetree/base")
+ .that(isCuttlefish())
+ .isFalse();
+ // TODO(b/317567210): Boots fails with vendor partition in HWASAN enabled microdroid
+ // after introducing verification based on DT and fstab in microdroid vendor partition.
+ assume().withMessage("Boot with vendor partition is failing in HWASAN enabled Microdroid.")
+ .that(isHwasan())
+ .isFalse();
+ assume().withMessage(
+ "Skip test for protected VM, pvmfw config data doesn't contain any"
+ + " information of test images, such as root digest.")
+ .that(mProtectedVm)
+ .isFalse();
assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
File vendorDiskImage =
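Review bot: The protected-VM skip at `.that(mProtectedVm)` carries no tracking bug, unlike the HWASAN skip just above it, so nothing prompts anyone to restore coverage for the configuration where vendor image verification matters most. I would add `// TODO(b/<BUG_ID>): re-enable for protected VM once the test image's root digest can be provisioned for pvmfw.` above it, with a real bug number in place of the placeholder. The same applies to the `isProtectedVm()` skip in `bootsWithVendorPartition` in MicrodroidTests.java. The test body continues past the end of this hunk.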
diff --git a/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java b/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
index b7a34ae..817bd85 100644
--- a/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
+++ b/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
@@ -62,6 +62,10 @@
return getDeviceProperties().isCuttlefish();
}
+ public static boolean isHwasan() {
+ return getDeviceProperties().isHwasan();
+ }
+
public static boolean isUserBuild() {
return getDeviceProperties().isUserBuild();
}
diff --git a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
index b06eea6..2367707 100644
--- a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
+++ b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
@@ -32,6 +32,7 @@
import static org.junit.Assert.assertThrows;
import static org.junit.Assert.assertTrue;
import static org.junit.Assume.assumeTrue;
+import static org.junit.Assume.assumeFalse;
import static java.nio.file.StandardCopyOption.REPLACE_EXISTING;
@@ -2106,6 +2107,13 @@
@Test
public void configuringVendorDiskImageRequiresCustomPermission() throws Exception {
assumeSupportedDevice();
+ assumeFalse(
+ "Cuttlefish doesn't support device tree under /sys/firmware/devicetree/base",
+ isCuttlefish());
+ // TODO(b/317567210): Boots fails with vendor partition in HWASAN enabled microdroid
+ // after introducing verification based on DT and fstab in microdroid vendor partition.
+ assumeFalse(
+ "boot with vendor partition is failing in HWASAN enabled Microdroid.", isHwasan());
assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
File vendorDiskImage =
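Review bot: The Cuttlefish and HWASAN skips added to `configuringVendorDiskImageRequiresCustomPermission` look broader than this test needs. Judging by its name it checks that a vendor disk image is refused without the custom permission, which presumably fails before any VM boots and so would not depend on the device tree or on the HWASAN boot failure; the body is outside this hunk, so please confirm. If that holds, drop both assumptions here so the permission check keeps running on those targets. Separately, the HWASAN message starts with lowercase `boot` here and in `creationFailsWithUnsignedVendorPartition` but with `Boot` in `bootsWithVendorPartition`; use `"Boot with vendor partition is failing in HWASAN enabled Microdroid."` in all three.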
@@ -2131,6 +2139,17 @@
@Test
public void bootsWithVendorPartition() throws Exception {
assumeSupportedDevice();
+ assumeFalse(
+ "Cuttlefish doesn't support device tree under /sys/firmware/devicetree/base",
+ isCuttlefish());
+ // TODO(b/317567210): Boots fails with vendor partition in HWASAN enabled microdroid
+ // after introducing verification based on DT and fstab in microdroid vendor partition.
+ assumeFalse(
+ "Boot with vendor partition is failing in HWASAN enabled Microdroid.", isHwasan());
+ assumeFalse(
+ "Skip test for protected VM, pvmfw config data doesn't contain any information of"
+ + " test images, such as root digest.",
+ isProtectedVm());
assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
grantPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
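Review bot: The Cuttlefish and HWASAN assumptions added to `bootsWithVendorPartition`, together with their TODO comment, are copied into two other tests in this file and once more in MicrodroidBenchmarks, so re-enabling them once b/317567210 is fixed means editing four places. A single private helper called from each test would keep the skip conditions and their messages in one spot, while the protected-VM assumption stays in the tests that need it. The sketch below uses only calls already present in this hunk. The test body continues outside the hunk.

```java
private void assumeVendorPartitionBootSupported() {
    assumeFalse(
            "Cuttlefish doesn't support device tree under /sys/firmware/devicetree/base",
            isCuttlefish());
    // TODO(b/317567210): Boot fails with vendor partition in HWASAN enabled microdroid
    // after introducing verification based on DT and fstab in microdroid vendor partition.
    assumeFalse(
            "Boot with vendor partition is failing in HWASAN enabled Microdroid.", isHwasan());
}

public void bootsWithVendorPartition() throws Exception {
    assumeSupportedDevice();
    assumeVendorPartitionBootSupported();
    // … unchanged: protected-VM assumption, feature check, permission grant …
```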
@@ -2162,6 +2181,13 @@
@Test
public void creationFailsWithUnsignedVendorPartition() throws Exception {
assumeSupportedDevice();
+ assumeFalse(
+ "Cuttlefish doesn't support device tree under /sys/firmware/devicetree/base",
+ isCuttlefish());
+ // TODO(b/317567210): Boots fails with vendor partition in HWASAN enabled microdroid
+ // after introducing verification based on DT and fstab in microdroid vendor partition.
+ assumeFalse(
+ "boot with vendor partition is failing in HWASAN enabled Microdroid.", isHwasan());
assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
grantPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
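Review bot: The assumptions added to `creationFailsWithUnsignedVendorPartition` gate the only negative vendor-image test visible in this change, and by its name it exercises rejection at VM creation, not the in-guest digest check that this commit introduces. I would add a test that boots with a vendor image whose hashtree root digest differs from the value in the device tree and asserts that the VM fails to boot, so the new verification has a failing case as well as a passing one. The body of this test lies outside the hunk, so it may already cover more than its name suggests.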