Merge "pvmfw: Keep write_sysreg() unsafe"
diff --git a/libs/hyp/Android.bp b/libs/hyp/Android.bp
new file mode 100644
index 0000000..bc66190
--- /dev/null
+++ b/libs/hyp/Android.bp
@@ -0,0 +1,18 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+rust_library_rlib {
+ name: "libhyp",
+ crate_name: "hyp",
+ srcs: ["src/lib.rs"],
+ prefer_rlib: true,
+ rustlibs: [
+ "libsmccc",
+ ],
+ no_stdlibs: true,
+ stdlibs: [
+ "libcore.rust_sysroot",
+ ],
+ apex_available: ["com.android.virt"],
+}
diff --git a/libs/hyp/src/hypervisor/kvm.rs b/libs/hyp/src/hypervisor/kvm.rs
new file mode 100644
index 0000000..a34acc8
--- /dev/null
+++ b/libs/hyp/src/hypervisor/kvm.rs
@@ -0,0 +1,95 @@
+// Copyright 2022, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Wrappers around calls to the KVM hypervisor.
+
+use smccc::{checked_hvc64, checked_hvc64_expect_zero, Error, Result};
+
+const ARM_SMCCC_KVM_FUNC_HYP_MEMINFO: u32 = 0xc6000002;
+const ARM_SMCCC_KVM_FUNC_MEM_SHARE: u32 = 0xc6000003;
+const ARM_SMCCC_KVM_FUNC_MEM_UNSHARE: u32 = 0xc6000004;
+
+const VENDOR_HYP_KVM_MMIO_GUARD_INFO_FUNC_ID: u32 = 0xc6000005;
+const VENDOR_HYP_KVM_MMIO_GUARD_ENROLL_FUNC_ID: u32 = 0xc6000006;
+const VENDOR_HYP_KVM_MMIO_GUARD_MAP_FUNC_ID: u32 = 0xc6000007;
+const VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID: u32 = 0xc6000008;
+
+/// Queries the memory protection parameters for a protected virtual machine.
+///
+/// Returns the memory protection granule size in bytes.
+pub(super) fn hyp_meminfo() -> Result<u64> {
+ let args = [0u64; 17];
+ checked_hvc64(ARM_SMCCC_KVM_FUNC_HYP_MEMINFO, args)
+}
+
+/// Shares a region of memory with the KVM host, granting it read, write and execute permissions.
+/// The size of the region is equal to the memory protection granule returned by [`hyp_meminfo`].
+pub(super) fn mem_share(base_ipa: u64) -> Result<()> {
+ let mut args = [0u64; 17];
+ args[0] = base_ipa;
+
+ checked_hvc64_expect_zero(ARM_SMCCC_KVM_FUNC_MEM_SHARE, args)
+}
+
+/// Revokes access permission from the KVM host to a memory region previously shared with
+/// [`mem_share`]. The size of the region is equal to the memory protection granule returned by
+/// [`hyp_meminfo`].
+pub(super) fn mem_unshare(base_ipa: u64) -> Result<()> {
+ let mut args = [0u64; 17];
+ args[0] = base_ipa;
+
+ checked_hvc64_expect_zero(ARM_SMCCC_KVM_FUNC_MEM_UNSHARE, args)
+}
+
+pub(super) fn mmio_guard_info() -> Result<u64> {
+ let args = [0u64; 17];
+
+ checked_hvc64(VENDOR_HYP_KVM_MMIO_GUARD_INFO_FUNC_ID, args)
+}
+
+pub(super) fn mmio_guard_enroll() -> Result<()> {
+ let args = [0u64; 17];
+
+ checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_ENROLL_FUNC_ID, args)
+}
+
+pub(super) fn mmio_guard_map(ipa: u64) -> Result<()> {
+ let mut args = [0u64; 17];
+ args[0] = ipa;
+
+ // TODO(b/277859415): pKVM returns a i32 instead of a i64 in T.
+ // Drop this hack once T reaches EoL.
+ let is_i32_error_code = |n| u32::try_from(n).ok().filter(|v| (*v as i32) < 0).is_some();
+ match checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_MAP_FUNC_ID, args) {
+ Err(Error::Unexpected(e)) if is_i32_error_code(e) => match e as u32 as i32 {
+ -1 => Err(Error::NotSupported),
+ -2 => Err(Error::NotRequired),
+ -3 => Err(Error::InvalidParameter),
+ ret => Err(Error::Unknown(ret as i64)),
+ },
+ res => res,
+ }
+}
+
+pub(super) fn mmio_guard_unmap(ipa: u64) -> Result<()> {
+ let mut args = [0u64; 17];
+ args[0] = ipa;
+
+ // TODO(b/277860860): pKVM returns NOT_SUPPORTED for SUCCESS in T.
+ // Drop this hack once T reaches EoL.
+ match checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID, args) {
+ Err(Error::NotSupported) | Ok(_) => Ok(()),
+ x => x,
+ }
+}
diff --git a/libs/hyp/src/hypervisor/mod.rs b/libs/hyp/src/hypervisor/mod.rs
new file mode 100644
index 0000000..5807698
--- /dev/null
+++ b/libs/hyp/src/hypervisor/mod.rs
@@ -0,0 +1,53 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Wrappers around hypervisor back-ends.
+
+mod kvm;
+
+/// Queries the memory protection parameters for a protected virtual machine.
+///
+/// Returns the memory protection granule size in bytes.
+pub fn hyp_meminfo() -> smccc::Result<u64> {
+ kvm::hyp_meminfo()
+}
+
+/// Shares a region of memory with the host, granting it read, write and execute permissions.
+/// The size of the region is equal to the memory protection granule returned by [`hyp_meminfo`].
+pub fn mem_share(base_ipa: u64) -> smccc::Result<()> {
+ kvm::mem_share(base_ipa)
+}
+
+/// Revokes access permission from the host to a memory region previously shared with
+/// [`mem_share`]. The size of the region is equal to the memory protection granule returned by
+/// [`hyp_meminfo`].
+pub fn mem_unshare(base_ipa: u64) -> smccc::Result<()> {
+ kvm::mem_unshare(base_ipa)
+}
+
+pub(crate) fn mmio_guard_info() -> smccc::Result<u64> {
+ kvm::mmio_guard_info()
+}
+
+pub(crate) fn mmio_guard_enroll() -> smccc::Result<()> {
+ kvm::mmio_guard_enroll()
+}
+
+pub(crate) fn mmio_guard_map(ipa: u64) -> smccc::Result<()> {
+ kvm::mmio_guard_map(ipa)
+}
+
+pub(crate) fn mmio_guard_unmap(ipa: u64) -> smccc::Result<()> {
+ kvm::mmio_guard_unmap(ipa)
+}
diff --git a/libs/hyp/src/lib.rs b/libs/hyp/src/lib.rs
new file mode 100644
index 0000000..f0f0631
--- /dev/null
+++ b/libs/hyp/src/lib.rs
@@ -0,0 +1,23 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This library provides wrappers around various hypervisor backends.
+
+#![no_std]
+
+mod hypervisor;
+mod util;
+
+pub use hypervisor::{hyp_meminfo, mem_share, mem_unshare};
+pub mod mmio_guard;
diff --git a/pvmfw/src/mmio_guard.rs b/libs/hyp/src/mmio_guard.rs
similarity index 79%
rename from pvmfw/src/mmio_guard.rs
rename to libs/hyp/src/mmio_guard.rs
index 95a1b7f..512eb88 100644
--- a/pvmfw/src/mmio_guard.rs
+++ b/libs/hyp/src/mmio_guard.rs
@@ -14,10 +14,11 @@
//! Safe MMIO_GUARD support.
-use crate::helpers;
use crate::hypervisor::{mmio_guard_enroll, mmio_guard_info, mmio_guard_map, mmio_guard_unmap};
+use crate::util::{page_address, SIZE_4KB};
use core::{fmt, result};
+/// MMIO guard error.
#[derive(Debug, Clone)]
pub enum Error {
/// Failed the necessary MMIO_GUARD_ENROLL call.
@@ -32,8 +33,6 @@
UnsupportedGranule(usize),
}
-type Result<T> = result::Result<T, Error>;
-
impl fmt::Display for Error {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
match self {
@@ -46,19 +45,25 @@
}
}
+/// Result type with mmio_guard::Error.
+pub type Result<T> = result::Result<T, Error>;
+
+/// Initializes the hypervisor by enrolling a MMIO guard and checking the memory granule size.
pub fn init() -> Result<()> {
mmio_guard_enroll().map_err(Error::EnrollFailed)?;
let mmio_granule = mmio_guard_info().map_err(Error::InfoFailed)? as usize;
- if mmio_granule != helpers::SIZE_4KB {
+ if mmio_granule != SIZE_4KB {
return Err(Error::UnsupportedGranule(mmio_granule));
}
Ok(())
}
+/// Maps a memory address to the hypervisor MMIO guard.
pub fn map(addr: usize) -> Result<()> {
- mmio_guard_map(helpers::page_4kb_of(addr) as u64).map_err(Error::MapFailed)
+ mmio_guard_map(page_address(addr)).map_err(Error::MapFailed)
}
+/// Unmaps a memory address from the hypervisor MMIO guard.
pub fn unmap(addr: usize) -> Result<()> {
- mmio_guard_unmap(helpers::page_4kb_of(addr) as u64).map_err(Error::UnmapFailed)
+ mmio_guard_unmap(page_address(addr)).map_err(Error::UnmapFailed)
}
diff --git a/libs/hyp/src/util.rs b/libs/hyp/src/util.rs
new file mode 100644
index 0000000..56f94fd
--- /dev/null
+++ b/libs/hyp/src/util.rs
@@ -0,0 +1,22 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Utility functions.
+
+pub(crate) const SIZE_4KB: usize = 4 << 10;
+
+/// Computes the low memory page address of the 4KiB page containing a given address.
+pub(crate) fn page_address(addr: usize) -> u64 {
+ (addr & !(SIZE_4KB - 1)).try_into().unwrap()
+}
diff --git a/pvmfw/Android.bp b/pvmfw/Android.bp
index a446c90..0571c36 100644
--- a/pvmfw/Android.bp
+++ b/pvmfw/Android.bp
@@ -17,6 +17,7 @@
"libbuddy_system_allocator",
"libdiced_open_dice_nostd",
"libfdtpci",
+ "libhyp",
"liblibfdt",
"liblog_rust_nostd",
"libonce_cell_nostd",
@@ -40,6 +41,20 @@
cmd: "touch $(out)",
}
+rust_test {
+ name: "libpvmfw.bootargs.test",
+ host_supported: true,
+ // For now, only bootargs.rs is written to be conditionally compiled with std.
+ srcs: ["src/bootargs.rs"],
+ test_suites: ["general-tests"],
+ test_options: {
+ unit_test: true,
+ },
+ rustlibs: [
+ "libzeroize",
+ ],
+}
+
cc_binary {
name: "pvmfw",
defaults: ["vmbase_elf_defaults"],
diff --git a/pvmfw/src/bootargs.rs b/pvmfw/src/bootargs.rs
new file mode 100644
index 0000000..f9c8278
--- /dev/null
+++ b/pvmfw/src/bootargs.rs
@@ -0,0 +1,211 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Routines for parsing bootargs
+
+#[cfg(not(test))]
+use alloc::format;
+#[cfg(not(test))]
+use alloc::string::String;
+use core::ffi::CStr;
+
+/// A single boot argument ex: "panic", "init=", or "foo=1,2,3".
+pub struct BootArg<'a> {
+ arg: &'a str,
+ equal_sign: Option<usize>,
+}
+
+impl AsRef<str> for BootArg<'_> {
+ fn as_ref(&self) -> &str {
+ self.arg
+ }
+}
+
+impl BootArg<'_> {
+ /// Name of the boot argument
+ pub fn name(&self) -> &str {
+ if let Some(n) = self.equal_sign {
+ &self.arg[..n]
+ } else {
+ self.arg
+ }
+ }
+
+ /// Optional value of the boot aragument. This includes the '=' prefix.
+ pub fn value(&self) -> Option<&str> {
+ Some(&self.arg[self.equal_sign?..])
+ }
+}
+
+/// Iterator that iteratos over bootargs
+pub struct BootArgsIterator<'a> {
+ arg: &'a str,
+}
+
+impl<'a> BootArgsIterator<'a> {
+ /// Creates a new iterator from the raw boot args. The input has to be encoded in ASCII
+ pub fn new(bootargs: &'a CStr) -> Result<Self, String> {
+ let arg = bootargs.to_str().map_err(|e| format!("{e}"))?;
+ if !arg.is_ascii() {
+ return Err(format!("{arg:?} is not ASCII"));
+ }
+
+ Ok(Self { arg })
+ }
+
+ // Finds the end of a value in the given string `s`, and returns the index of the end. A value
+ // can have spaces if quoted. The quote character can't be escaped.
+ fn find_value_end(s: &str) -> usize {
+ let mut in_quote = false;
+ for (i, c) in s.char_indices() {
+ if c == '"' {
+ in_quote = !in_quote;
+ } else if c.is_whitespace() && !in_quote {
+ return i;
+ }
+ }
+ s.len()
+ }
+}
+
+impl<'a> Iterator for BootArgsIterator<'a> {
+ type Item = BootArg<'a>;
+
+ fn next(&mut self) -> Option<Self::Item> {
+ // Skip spaces to find the start of a name. If there's nothing left, that's the end of the
+ // iterator.
+ let arg = self.arg.trim_start();
+ self.arg = arg; // advance before returning
+ if arg.is_empty() {
+ return None;
+ }
+ // Name ends with either whitespace or =. If it ends with =, the value comes immediately
+ // after.
+ let name_end = arg.find(|c: char| c.is_whitespace() || c == '=').unwrap_or(arg.len());
+ let (arg, equal_sign) = match arg.chars().nth(name_end) {
+ Some(c) if c == '=' => {
+ let value_end = name_end + Self::find_value_end(&arg[name_end..]);
+ (&arg[..value_end], Some(name_end))
+ }
+ _ => (&arg[..name_end], None),
+ };
+ self.arg = &self.arg[arg.len()..]; // advance before returning
+ Some(BootArg { arg, equal_sign })
+ }
+}
+
+#[cfg(test)]
+#[allow(dead_code)]
+mod helpers;
+
+#[cfg(test)]
+mod tests {
+
+ use super::*;
+ use crate::cstr;
+
+ fn check(raw: &CStr, expected: Result<&[(&str, Option<&str>)], ()>) {
+ let actual = BootArgsIterator::new(raw);
+ assert_eq!(actual.is_err(), expected.is_err(), "Unexpected result with {raw:?}");
+ if actual.is_err() {
+ return;
+ }
+ let mut actual = actual.unwrap();
+
+ for (name, value) in expected.unwrap() {
+ let actual = actual.next();
+ assert!(actual.is_some(), "Expected ({}, {:?}) from {raw:?}", name, value);
+ let actual = actual.unwrap();
+ assert_eq!(name, &actual.name(), "Unexpected name from {raw:?}");
+ assert_eq!(value, &actual.value(), "Unexpected value from {raw:?}");
+ }
+ let remaining = actual.next();
+ assert!(
+ remaining.is_none(),
+ "Unexpected extra item from {raw:?}. Got ({}, {:?})",
+ remaining.as_ref().unwrap().name(),
+ remaining.as_ref().unwrap().value()
+ );
+ }
+
+ #[test]
+ fn empty() {
+ check(cstr!(""), Ok(&[]));
+ check(cstr!(" "), Ok(&[]));
+ check(cstr!(" \n "), Ok(&[]));
+ }
+
+ #[test]
+ fn single() {
+ check(cstr!("foo"), Ok(&[("foo", None)]));
+ check(cstr!(" foo"), Ok(&[("foo", None)]));
+ check(cstr!("foo "), Ok(&[("foo", None)]));
+ check(cstr!(" foo "), Ok(&[("foo", None)]));
+ }
+
+ #[test]
+ fn single_with_value() {
+ check(cstr!("foo=bar"), Ok(&[("foo", Some("=bar"))]));
+ check(cstr!(" foo=bar"), Ok(&[("foo", Some("=bar"))]));
+ check(cstr!("foo=bar "), Ok(&[("foo", Some("=bar"))]));
+ check(cstr!(" foo=bar "), Ok(&[("foo", Some("=bar"))]));
+
+ check(cstr!("foo="), Ok(&[("foo", Some("="))]));
+ check(cstr!(" foo="), Ok(&[("foo", Some("="))]));
+ check(cstr!("foo= "), Ok(&[("foo", Some("="))]));
+ check(cstr!(" foo= "), Ok(&[("foo", Some("="))]));
+ }
+
+ #[test]
+ fn single_with_quote() {
+ check(cstr!("foo=hello\" \"world"), Ok(&[("foo", Some("=hello\" \"world"))]));
+ }
+
+ #[test]
+ fn invalid_encoding() {
+ check(CStr::from_bytes_with_nul(&[255, 255, 255, 0]).unwrap(), Err(()));
+ }
+
+ #[test]
+ fn multiple() {
+ check(
+ cstr!(" a=b c=d e= f g "),
+ Ok(&[("a", Some("=b")), ("c", Some("=d")), ("e", Some("=")), ("f", None), ("g", None)]),
+ );
+ check(
+ cstr!(" a=b \n c=d e= f g"),
+ Ok(&[("a", Some("=b")), ("c", Some("=d")), ("e", Some("=")), ("f", None), ("g", None)]),
+ );
+ }
+
+ #[test]
+ fn incomplete_quote() {
+ check(
+ cstr!("foo=incomplete\" quote bar=y"),
+ Ok(&[("foo", Some("=incomplete\" quote bar=y"))]),
+ );
+ }
+
+ #[test]
+ fn complex() {
+ check(cstr!(" a a1= b=c d=e,f,g x=\"value with quote\" y=val\"ue with \"multiple\" quo\"te "), Ok(&[
+ ("a", None),
+ ("a1", Some("=")),
+ ("b", Some("=c")),
+ ("d", Some("=e,f,g")),
+ ("x", Some("=\"value with quote\"")),
+ ("y", Some("=val\"ue with \"multiple\" quo\"te")),
+ ]));
+ }
+}
diff --git a/pvmfw/src/entry.rs b/pvmfw/src/entry.rs
index 00f0e9b..e0af856 100644
--- a/pvmfw/src/entry.rs
+++ b/pvmfw/src/entry.rs
@@ -20,12 +20,12 @@
use crate::heap;
use crate::helpers;
use crate::memory::MemoryTracker;
-use crate::mmio_guard;
use crate::mmu;
use crate::rand;
use core::arch::asm;
use core::num::NonZeroUsize;
use core::slice;
+use hyp::mmio_guard;
use log::debug;
use log::error;
use log::info;
diff --git a/pvmfw/src/fdt.rs b/pvmfw/src/fdt.rs
index d15eaba..c68fc6d 100644
--- a/pvmfw/src/fdt.rs
+++ b/pvmfw/src/fdt.rs
@@ -14,12 +14,14 @@
//! High-level FDT functions.
+use crate::bootargs::BootArgsIterator;
use crate::cstr;
use crate::helpers::flatten;
use crate::helpers::GUEST_PAGE_SIZE;
use crate::helpers::SIZE_4KB;
use crate::memory::BASE_ADDR;
use crate::memory::MAX_ADDR;
+use crate::Box;
use crate::RebootReason;
use alloc::ffi::CString;
use alloc::vec::Vec;
@@ -97,7 +99,9 @@
fn patch_bootargs(fdt: &mut Fdt, bootargs: &CStr) -> libfdt::Result<()> {
let mut node = fdt.chosen_mut()?.ok_or(FdtError::NotFound)?;
- // TODO(b/275306568) filter out dangerous options
+ // This function is called before the verification is done. So, we just copy the bootargs to
+ // the new FDT unmodified. This will be filtered again in the modify_for_next_stage function
+ // if the VM is not debuggable.
node.setprop(cstr!("bootargs"), bootargs.to_bytes_with_nul())
}
@@ -675,6 +679,7 @@
new_instance: bool,
strict_boot: bool,
debug_policy: Option<&mut [u8]>,
+ debuggable: bool,
) -> libfdt::Result<()> {
fdt.unpack()?;
@@ -690,6 +695,12 @@
info!("No debug policy found.");
}
+ if debuggable {
+ if let Some(bootargs) = read_bootargs_from(fdt)? {
+ filter_out_dangerous_bootargs(fdt, &bootargs)?;
+ }
+ }
+
fdt.pack()?;
Ok(())
@@ -745,3 +756,48 @@
}
Ok(())
}
+
+fn read_common_debug_policy(fdt: &Fdt, debug_feature_name: &CStr) -> libfdt::Result<bool> {
+ if let Some(node) = fdt.node(cstr!("/avf/guest/common"))? {
+ if let Some(value) = node.getprop_u32(debug_feature_name)? {
+ return Ok(value == 1);
+ }
+ }
+ Ok(false) // if the policy doesn't exist or not 1, don't enable the debug feature
+}
+
+fn filter_out_dangerous_bootargs(fdt: &mut Fdt, bootargs: &CStr) -> libfdt::Result<()> {
+ let has_crashkernel = read_common_debug_policy(fdt, cstr!("ramdump"))?;
+ let has_console = read_common_debug_policy(fdt, cstr!("log"))?;
+
+ let accepted: &[(&str, Box<dyn Fn(Option<&str>) -> bool>)] = &[
+ ("panic", Box::new(|v| if let Some(v) = v { v == "=-1" } else { false })),
+ ("crashkernel", Box::new(|_| has_crashkernel)),
+ ("console", Box::new(|_| has_console)),
+ ];
+
+ // parse and filter out unwanted
+ let mut filtered = Vec::new();
+ for arg in BootArgsIterator::new(bootargs).map_err(|e| {
+ info!("Invalid bootarg: {e}");
+ FdtError::BadValue
+ })? {
+ match accepted.iter().find(|&t| t.0 == arg.name()) {
+ Some((_, pred)) if pred(arg.value()) => filtered.push(arg),
+ _ => debug!("Rejected bootarg {}", arg.as_ref()),
+ }
+ }
+
+ // flatten into a new C-string
+ let mut new_bootargs = Vec::new();
+ for (i, arg) in filtered.iter().enumerate() {
+ if i != 0 {
+ new_bootargs.push(b' '); // separator
+ }
+ new_bootargs.extend_from_slice(arg.as_ref().as_bytes());
+ }
+ new_bootargs.push(b'\0');
+
+ let mut node = fdt.chosen_mut()?.ok_or(FdtError::NotFound)?;
+ node.setprop(cstr!("bootargs"), new_bootargs.as_slice())
+}
diff --git a/pvmfw/src/hvc.rs b/pvmfw/src/hvc.rs
index f44e26e..6c5017f 100644
--- a/pvmfw/src/hvc.rs
+++ b/pvmfw/src/hvc.rs
@@ -16,9 +16,7 @@
pub mod trng;
-use log::info;
-use smccc::{self, checked_hvc64, checked_hvc64_expect_zero};
-
+// TODO(b/272226230): Move all the trng functions to trng module
const ARM_SMCCC_TRNG_VERSION: u32 = 0x8400_0050;
#[allow(dead_code)]
const ARM_SMCCC_TRNG_FEATURES: u32 = 0x8400_0051;
@@ -27,85 +25,6 @@
#[allow(dead_code)]
const ARM_SMCCC_TRNG_RND32: u32 = 0x8400_0053;
const ARM_SMCCC_TRNG_RND64: u32 = 0xc400_0053;
-const ARM_SMCCC_KVM_FUNC_HYP_MEMINFO: u32 = 0xc6000002;
-const ARM_SMCCC_KVM_FUNC_MEM_SHARE: u32 = 0xc6000003;
-const ARM_SMCCC_KVM_FUNC_MEM_UNSHARE: u32 = 0xc6000004;
-const VENDOR_HYP_KVM_MMIO_GUARD_INFO_FUNC_ID: u32 = 0xc6000005;
-const VENDOR_HYP_KVM_MMIO_GUARD_ENROLL_FUNC_ID: u32 = 0xc6000006;
-const VENDOR_HYP_KVM_MMIO_GUARD_MAP_FUNC_ID: u32 = 0xc6000007;
-const VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID: u32 = 0xc6000008;
-
-/// Queries the memory protection parameters for a protected virtual machine.
-///
-/// Returns the memory protection granule size in bytes.
-pub fn kvm_hyp_meminfo() -> smccc::Result<u64> {
- let args = [0u64; 17];
- checked_hvc64(ARM_SMCCC_KVM_FUNC_HYP_MEMINFO, args)
-}
-
-/// Shares a region of memory with the KVM host, granting it read, write and execute permissions.
-/// The size of the region is equal to the memory protection granule returned by [`hyp_meminfo`].
-pub fn kvm_mem_share(base_ipa: u64) -> smccc::Result<()> {
- let mut args = [0u64; 17];
- args[0] = base_ipa;
-
- checked_hvc64_expect_zero(ARM_SMCCC_KVM_FUNC_MEM_SHARE, args)
-}
-
-/// Revokes access permission from the KVM host to a memory region previously shared with
-/// [`mem_share`]. The size of the region is equal to the memory protection granule returned by
-/// [`hyp_meminfo`].
-pub fn kvm_mem_unshare(base_ipa: u64) -> smccc::Result<()> {
- let mut args = [0u64; 17];
- args[0] = base_ipa;
-
- checked_hvc64_expect_zero(ARM_SMCCC_KVM_FUNC_MEM_UNSHARE, args)
-}
-
-pub fn kvm_mmio_guard_info() -> smccc::Result<u64> {
- let args = [0u64; 17];
-
- checked_hvc64(VENDOR_HYP_KVM_MMIO_GUARD_INFO_FUNC_ID, args)
-}
-
-pub fn kvm_mmio_guard_enroll() -> smccc::Result<()> {
- let args = [0u64; 17];
-
- checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_ENROLL_FUNC_ID, args)
-}
-
-pub fn kvm_mmio_guard_map(ipa: u64) -> smccc::Result<()> {
- let mut args = [0u64; 17];
- args[0] = ipa;
-
- // TODO(b/277859415): pKVM returns a i32 instead of a i64 in T.
- // Drop this hack once T reaches EoL.
- let is_i32_error_code = |n| u32::try_from(n).ok().filter(|v| (*v as i32) < 0).is_some();
- match checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_MAP_FUNC_ID, args) {
- Err(smccc::Error::Unexpected(e)) if is_i32_error_code(e) => {
- info!("Handled a pKVM bug by interpreting the MMIO_GUARD_MAP return value as i32");
- match e as u32 as i32 {
- -1 => Err(smccc::Error::NotSupported),
- -2 => Err(smccc::Error::NotRequired),
- -3 => Err(smccc::Error::InvalidParameter),
- ret => Err(smccc::Error::Unknown(ret as i64)),
- }
- }
- res => res,
- }
-}
-
-pub fn kvm_mmio_guard_unmap(ipa: u64) -> smccc::Result<()> {
- let mut args = [0u64; 17];
- args[0] = ipa;
-
- // TODO(b/277860860): pKVM returns NOT_SUPPORTED for SUCCESS in T.
- // Drop this hack once T reaches EoL.
- match checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID, args) {
- Err(smccc::Error::NotSupported) | Ok(_) => Ok(()),
- x => x,
- }
-}
/// Returns the (major, minor) version tuple, as defined by the SMCCC TRNG.
pub fn trng_version() -> trng::Result<(u16, u16)> {
diff --git a/pvmfw/src/hypervisor.rs b/pvmfw/src/hypervisor.rs
deleted file mode 100644
index 22609c5..0000000
--- a/pvmfw/src/hypervisor.rs
+++ /dev/null
@@ -1,45 +0,0 @@
-// Copyright 2023, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Wrappers around hypervisor back-ends.
-
-use crate::hvc;
-
-pub fn hyp_meminfo() -> smccc::Result<u64> {
- hvc::kvm_hyp_meminfo()
-}
-
-pub fn mem_share(base_ipa: u64) -> smccc::Result<()> {
- hvc::kvm_mem_share(base_ipa)
-}
-
-pub fn mem_unshare(base_ipa: u64) -> smccc::Result<()> {
- hvc::kvm_mem_unshare(base_ipa)
-}
-
-pub fn mmio_guard_info() -> smccc::Result<u64> {
- hvc::kvm_mmio_guard_info()
-}
-
-pub fn mmio_guard_enroll() -> smccc::Result<()> {
- hvc::kvm_mmio_guard_enroll()
-}
-
-pub fn mmio_guard_map(ipa: u64) -> smccc::Result<()> {
- hvc::kvm_mmio_guard_map(ipa)
-}
-
-pub fn mmio_guard_unmap(ipa: u64) -> smccc::Result<()> {
- hvc::kvm_mmio_guard_unmap(ipa)
-}
diff --git a/pvmfw/src/main.rs b/pvmfw/src/main.rs
index fd6054f..a773f1a 100644
--- a/pvmfw/src/main.rs
+++ b/pvmfw/src/main.rs
@@ -19,6 +19,7 @@
extern crate alloc;
+mod bootargs;
mod config;
mod crypto;
mod dice;
@@ -29,10 +30,8 @@
mod heap;
mod helpers;
mod hvc;
-mod hypervisor;
mod instance;
mod memory;
-mod mmio_guard;
mod mmu;
mod rand;
mod virtio;
@@ -54,6 +53,7 @@
use libfdt::Fdt;
use log::{debug, error, info, trace};
use pvmfw_avb::verify_payload;
+use pvmfw_avb::DebugLevel;
use pvmfw_embedded_key::PUBLIC_KEY;
const NEXT_BCC_SIZE: usize = GUEST_PAGE_SIZE;
@@ -121,10 +121,12 @@
flush(next_bcc);
let strict_boot = true;
- modify_for_next_stage(fdt, next_bcc, new_instance, strict_boot, debug_policy).map_err(|e| {
- error!("Failed to configure device tree: {e}");
- RebootReason::InternalError
- })?;
+ let debuggable = verified_boot_data.debug_level != DebugLevel::None;
+ modify_for_next_stage(fdt, next_bcc, new_instance, strict_boot, debug_policy, debuggable)
+ .map_err(|e| {
+ error!("Failed to configure device tree: {e}");
+ RebootReason::InternalError
+ })?;
info!("Starting payload...");
Ok(())
diff --git a/pvmfw/src/memory.rs b/pvmfw/src/memory.rs
index d26a4ba..fde3f9b 100644
--- a/pvmfw/src/memory.rs
+++ b/pvmfw/src/memory.rs
@@ -17,8 +17,6 @@
#![deny(unsafe_op_in_unsafe_fn)]
use crate::helpers::{self, align_down, align_up, page_4kb_of, SIZE_4KB};
-use crate::hypervisor::{hyp_meminfo, mem_share, mem_unshare};
-use crate::mmio_guard;
use crate::mmu;
use alloc::alloc::alloc_zeroed;
use alloc::alloc::dealloc;
@@ -31,6 +29,7 @@
use core::ops::Range;
use core::ptr::NonNull;
use core::result;
+use hyp::{hyp_meminfo, mem_share, mem_unshare, mmio_guard};
use log::error;
use tinyvec::ArrayVec;
diff --git a/rialto/Android.bp b/rialto/Android.bp
index c2a19f3..5034bf4 100644
--- a/rialto/Android.bp
+++ b/rialto/Android.bp
@@ -11,7 +11,9 @@
rustlibs: [
"libaarch64_paging",
"libbuddy_system_allocator",
+ "libhyp",
"liblog_rust_nostd",
+ "libsmccc",
"libvmbase",
],
apex_available: ["com.android.virt"],
@@ -36,7 +38,7 @@
}
raw_binary {
- name: "rialto",
+ name: "rialto_unsigned",
src: ":rialto_elf",
enabled: false,
target: {
@@ -46,6 +48,42 @@
},
}
+// python -c "import hashlib; print(hashlib.sha256(b'rialto_salt').hexdigest())"
+rialto_salt = "ea9d8c3ae1785396884d0c16c7652921874e2b8703f336ff23760f2049ee9e29"
+
+filegroup {
+ name: "rialto_sign_key",
+ srcs: [":avb_testkey_rsa4096"],
+}
+
+avb_add_hash_footer {
+ name: "rialto_signed",
+ src: ":empty_file",
+ filename: "rialto",
+ partition_name: "boot",
+ private_key: ":rialto_sign_key",
+ salt: rialto_salt,
+ enabled: false,
+ arch: {
+ arm64: {
+ src: ":rialto_unsigned",
+ enabled: true,
+ },
+ },
+}
+
+prebuilt_etc {
+ name: "rialto_bin",
+ filename: "rialto.bin",
+ target: {
+ android_arm64: {
+ src: ":rialto_signed",
+ },
+ },
+ src: ":empty_file",
+ installable: false,
+}
+
rust_test {
name: "rialto_test",
crate_name: "rialto_test",
@@ -62,7 +100,8 @@
"libvmclient",
],
data: [
- ":rialto",
+ ":rialto_bin",
+ ":rialto_unsigned",
],
test_suites: ["general-tests"],
enabled: false,
diff --git a/rialto/src/error.rs b/rialto/src/error.rs
new file mode 100644
index 0000000..8f34676
--- /dev/null
+++ b/rialto/src/error.rs
@@ -0,0 +1,55 @@
+// Copyright 2022, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module contains the error thrown by Rialto.
+
+use aarch64_paging::MapError;
+use core::{fmt, result};
+use hyp::mmio_guard::Error as MmioError;
+
+pub type Result<T> = result::Result<T, Error>;
+
+#[derive(Clone, Debug)]
+pub enum Error {
+ /// MMIO guard failed.
+ MmioGuard(MmioError),
+ /// Failed when attempting to map some range in the page table.
+ PageTableMapping(MapError),
+ /// Failed to initialize the logger.
+ LoggerInit,
+}
+
+impl fmt::Display for Error {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ match self {
+ Self::MmioGuard(e) => write!(f, "MMIO guard failed: {e}."),
+ Self::PageTableMapping(e) => {
+ write!(f, "Failed when attempting to map some range in the page table: {e}.")
+ }
+ Self::LoggerInit => write!(f, "Failed to initialize the logger."),
+ }
+ }
+}
+
+impl From<MmioError> for Error {
+ fn from(e: MmioError) -> Self {
+ Self::MmioGuard(e)
+ }
+}
+
+impl From<MapError> for Error {
+ fn from(e: MapError) -> Self {
+ Self::PageTableMapping(e)
+ }
+}
diff --git a/rialto/src/main.rs b/rialto/src/main.rs
index 59ee0b6..76f5495 100644
--- a/rialto/src/main.rs
+++ b/rialto/src/main.rs
@@ -17,18 +17,20 @@
#![no_main]
#![no_std]
+mod error;
mod exceptions;
extern crate alloc;
+use crate::error::{Error, Result};
use aarch64_paging::{
idmap::IdMap,
paging::{Attributes, MemoryRegion},
- MapError,
};
use buddy_system_allocator::LockedHeap;
-use log::{debug, info};
-use vmbase::main;
+use hyp::mmio_guard;
+use log::{debug, error, info};
+use vmbase::{main, power::reboot};
const SZ_1K: usize = 1024;
const SZ_64K: usize = 64 * SZ_1K;
@@ -81,7 +83,7 @@
info!("Initialized heap.");
}
-fn init_kernel_pgt(pgt: &mut IdMap) -> Result<(), MapError> {
+fn init_kernel_pgt(pgt: &mut IdMap) -> Result<()> {
// The first 1 GiB of address space is used by crosvm for MMIO.
let reg_dev = MemoryRegion::new(0, SZ_1G);
// SAFETY: Taking addresses of kernel image sections to set up page table
@@ -106,15 +108,39 @@
Ok(())
}
-/// Entry point for Rialto.
-pub fn main(_a0: u64, _a1: u64, _a2: u64, _a3: u64) {
- vmbase::logger::init(log::LevelFilter::Debug).unwrap();
+fn try_init_logger() -> Result<()> {
+ match mmio_guard::init() {
+ // pKVM blocks MMIO by default, we need to enable MMIO guard to support logging.
+ Ok(()) => mmio_guard::map(vmbase::console::BASE_ADDRESS)?,
+ // MMIO guard enroll is not supported in unprotected VM.
+ Err(mmio_guard::Error::EnrollFailed(smccc::Error::NotSupported)) => {}
+ Err(e) => return Err(e.into()),
+ };
+ vmbase::logger::init(log::LevelFilter::Debug).map_err(|_| Error::LoggerInit)
+}
+fn try_main() -> Result<()> {
info!("Welcome to Rialto!");
init_heap();
let mut pgt = IdMap::new(PT_ASID, PT_ROOT_LEVEL);
- init_kernel_pgt(&mut pgt).unwrap();
+ init_kernel_pgt(&mut pgt)?;
+ Ok(())
+}
+
+/// Entry point for Rialto.
+pub fn main(_a0: u64, _a1: u64, _a2: u64, _a3: u64) {
+ if try_init_logger().is_err() {
+ // Don't log anything if the logger initialization fails.
+ reboot();
+ }
+ match try_main() {
+ Ok(()) => info!("Rialto ends successfully."),
+ Err(e) => {
+ error!("Rialto failed with {e}");
+ reboot()
+ }
+ }
}
extern "C" {
diff --git a/rialto/tests/test.rs b/rialto/tests/test.rs
index be5f118..7048b44 100644
--- a/rialto/tests/test.rs
+++ b/rialto/tests/test.rs
@@ -16,7 +16,8 @@
use android_system_virtualizationservice::{
aidl::android::system::virtualizationservice::{
- CpuTopology::CpuTopology, VirtualMachineConfig::VirtualMachineConfig,
+ CpuTopology::CpuTopology, DiskImage::DiskImage, Partition::Partition,
+ PartitionType::PartitionType, VirtualMachineConfig::VirtualMachineConfig,
VirtualMachineRawConfig::VirtualMachineRawConfig,
},
binder::{ParcelFileDescriptor, ProcessState},
@@ -31,11 +32,28 @@
use std::time::Duration;
use vmclient::{DeathReason, VmInstance};
-const RIALTO_PATH: &str = "/data/local/tmp/rialto_test/arm64/rialto.bin";
+const SIGNED_RIALTO_PATH: &str = "/data/local/tmp/rialto_test/arm64/rialto.bin";
+const UNSIGNED_RIALTO_PATH: &str = "/data/local/tmp/rialto_test/arm64/rialto_unsigned.bin";
+const INSTANCE_IMG_PATH: &str = "/data/local/tmp/rialto_test/arm64/instance.img";
+const INSTANCE_IMG_SIZE: i64 = 1024 * 1024; // 1MB
-/// Runs the Rialto VM as a non-protected VM via VirtualizationService.
#[test]
-fn test_boots() -> Result<(), Error> {
+fn boot_rialto_in_protected_vm_successfully() -> Result<(), Error> {
+ boot_rialto_successfully(
+ SIGNED_RIALTO_PATH,
+ true, // protected_vm
+ )
+}
+
+#[test]
+fn boot_rialto_in_unprotected_vm_successfully() -> Result<(), Error> {
+ boot_rialto_successfully(
+ UNSIGNED_RIALTO_PATH,
+ false, // protected_vm
+ )
+}
+
+fn boot_rialto_successfully(rialto_path: &str, protected_vm: bool) -> Result<(), Error> {
android_logger::init_once(
android_logger::Config::default().with_tag("rialto").with_min_level(log::Level::Debug),
);
@@ -52,18 +70,44 @@
vmclient::VirtualizationService::new().context("Failed to spawn VirtualizationService")?;
let service = virtmgr.connect().context("Failed to connect to VirtualizationService")?;
- let rialto = File::open(RIALTO_PATH).context("Failed to open Rialto kernel binary")?;
+ let rialto = File::open(rialto_path).context("Failed to open Rialto kernel binary")?;
let console = android_log_fd()?;
let log = android_log_fd()?;
+ let disks = if protected_vm {
+ let instance_img = File::options()
+ .create(true)
+ .read(true)
+ .write(true)
+ .truncate(true)
+ .open(INSTANCE_IMG_PATH)?;
+ let instance_img = ParcelFileDescriptor::new(instance_img);
+
+ service
+ .initializeWritablePartition(
+ &instance_img,
+ INSTANCE_IMG_SIZE,
+ PartitionType::ANDROID_VM_INSTANCE,
+ )
+ .context("Failed to initialize instange.img")?;
+ let writable_partitions = vec![Partition {
+ label: "vm-instance".to_owned(),
+ image: Some(instance_img),
+ writable: true,
+ }];
+ vec![DiskImage { image: None, partitions: writable_partitions, writable: true }]
+ } else {
+ vec![]
+ };
+
let config = VirtualMachineConfig::RawConfig(VirtualMachineRawConfig {
name: String::from("RialtoTest"),
kernel: None,
initrd: None,
params: None,
bootloader: Some(ParcelFileDescriptor::new(rialto)),
- disks: vec![],
- protectedVm: false,
+ disks,
+ protectedVm: protected_vm,
memoryMib: 300,
cpuTopology: CpuTopology::ONE_CPU,
platformVersion: "~1.0".to_string(),