[DICE] Add RKP VM marker to pvmfw DICE node for KeyMint TA in VM
Bug: 390540205
Test: atest libpvmfw.dice.test
Change-Id: Iec0174d06fb18a97aa84b39003c46e0d3d6b6ba8
diff --git a/guest/pvmfw/src/dice.rs b/guest/pvmfw/src/dice.rs
index 4df10b3..f49fedb 100644
--- a/guest/pvmfw/src/dice.rs
+++ b/guest/pvmfw/src/dice.rs
@@ -92,7 +92,8 @@
let mode = to_dice_mode(data.debug_level);
// We use rollback_index from vbmeta as the security_version field in dice certificate.
let security_version = data.rollback_index;
- let rkp_vm_marker = data.has_capability(Capability::RemoteAttest);
+ let rkp_vm_marker = data.has_capability(Capability::RemoteAttest)
+ || data.has_capability(Capability::TrustySecurityVm);
Ok(Self { code_hash, auth_hash, mode, security_version, rkp_vm_marker })
}
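Review bot: The widened condition on the two added lines sets the RKP VM marker for a VM carrying Capability::TrustySecurityVm, but nothing in the code records why a security VM is treated as an RKP VM, and the field is still named for the RemoteAttest case alone. A reader of the resulting DICE node can no longer tell which capability produced the marker, so I would add a comment above the assignment, e.g. `// A Trusty security VM also gets the RKP VM marker so the KeyMint TA it hosts can use RKP (b/390540205).`. It is also worth confirming that whatever consumes this marker downstream is prepared for it to be set by either capability, since the marker no longer implies RemoteAttest. The enclosing function (presumably PartialInputs::new, given the tests) starts outside the hunk.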
@@ -248,7 +249,7 @@
}
#[test]
- fn config_descriptor_with_rkp_vm() {
+ fn rkp_vm_config_descriptor_has_rkp_vm_marker() {
let vb_data =
VerifiedBootData { capabilities: vec![Capability::RemoteAttest], ..BASE_VB_DATA };
let inputs = PartialInputs::new(&vb_data).unwrap();
@@ -258,6 +259,16 @@
}
#[test]
+ fn security_vm_config_descriptor_has_rkp_vm_marker() {
+ let vb_data =
+ VerifiedBootData { capabilities: vec![Capability::TrustySecurityVm], ..BASE_VB_DATA };
+ let inputs = PartialInputs::new(&vb_data).unwrap();
+ let config_map = decode_config_descriptor(&inputs, Some(HASH));
+
+ assert!(config_map.get(&RKP_VM_MARKER_KEY).unwrap().is_null());
+ }
+
+ #[test]
fn config_descriptor_with_instance_hash() {
let vb_data =
VerifiedBootData { capabilities: vec![Capability::RemoteAttest], ..BASE_VB_DATA };