pvmfw: Validate input BCC handover

Ensure that the BCC contained in the configuration data is properly
formatted as a "BCC Handover" [1], i.e. a CBOR-encoded map:

    BccHandover = {
      1 : bstr .size 32,     ; CDI_Attest
      2 : bstr .size 32,     ; CDI_Seal
      3 : Bcc,               ; Certificate chain
    }

If not, abort the pVM boot.

[1]: https://pigweed.googlesource.com/open-dice/+/72ad792c4d9ffffef3412801b5da46568a6b3197/src/android/bcc.c#260

Bug: 256827715
Test: atest MicrodroidHostTests
Change-Id: Ibade0ebd1e50d912a59b32c1282022aa46235501
diff --git a/pvmfw/Android.bp b/pvmfw/Android.bp
index 0da24c7..6a01713 100644
--- a/pvmfw/Android.bp
+++ b/pvmfw/Android.bp
@@ -15,6 +15,7 @@
         "libaarch64_paging",
         "libavb_nostd",
         "libbuddy_system_allocator",
+        "libdice_nostd",
         "liblibfdt",
         "liblog_rust_nostd",
         "libpvmfw_embedded_key",
diff --git a/pvmfw/src/entry.rs b/pvmfw/src/entry.rs
index e8f9bb2..bffc140 100644
--- a/pvmfw/src/entry.rs
+++ b/pvmfw/src/entry.rs
@@ -24,6 +24,7 @@
 use core::arch::asm;
 use core::num::NonZeroUsize;
 use core::slice;
+use dice::bcc::Handover;
 use log::debug;
 use log::error;
 use log::info;
@@ -228,8 +229,9 @@
         RebootReason::InvalidConfig
     })?;
 
-    let bcc = appended.get_bcc_mut().ok_or_else(|| {
-        error!("Invalid BCC");
+    let bcc_slice = appended.get_bcc_mut();
+    let bcc = Handover::new(bcc_slice).map_err(|e| {
+        error!("Invalid BCC Handover: {e:?}");
         RebootReason::InvalidBcc
     })?;
 
@@ -243,7 +245,7 @@
     let slices = MemorySlices::new(fdt, payload, payload_size, &mut memory)?;
 
     // This wrapper allows main() to be blissfully ignorant of platform details.
-    crate::main(slices.fdt, slices.kernel, slices.ramdisk, bcc, &mut memory)?;
+    crate::main(slices.fdt, slices.kernel, slices.ramdisk, &bcc, &mut memory)?;
 
     // TODO: Overwrite BCC before jumping to payload to avoid leaking our sealing key.
 
@@ -366,12 +368,10 @@
         }
     }
 
-    fn get_bcc_mut(&mut self) -> Option<&mut [u8]> {
-        let bcc = match self {
+    fn get_bcc_mut(&mut self) -> &mut [u8] {
+        match self {
             Self::LegacyBcc(ref mut bcc) => bcc,
             Self::Config(ref mut cfg) => cfg.get_bcc_mut(),
-        };
-        // TODO(b/256148034): return None if BccHandoverParse(bcc) != kDiceResultOk.
-        Some(bcc)
+        }
     }
 }
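Review bot: `get_bcc_mut` now returns the raw bytes from either variant with no validation and no doc comment saying so, whereas the old `Option` return at least signalled that a check was intended. The only caller visible in this change passes the result straight to `Handover::new`, but nothing in the signature stops a later caller from treating the slice as a checked handover. I would add a doc comment such as `/// Returns the unvalidated BCC bytes; callers must parse them with Handover::new before use.` The enclosing `impl` starts outside the hunk.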
diff --git a/pvmfw/src/main.rs b/pvmfw/src/main.rs
index e6a158d..07cbd0c 100644
--- a/pvmfw/src/main.rs
+++ b/pvmfw/src/main.rs
@@ -39,14 +39,15 @@
 };
 use avb::PUBLIC_KEY;
 use avb_nostd::verify_image;
+use dice::bcc;
 use libfdt::Fdt;
-use log::{debug, error, info};
+use log::{debug, error, info, trace};
 
 fn main(
     fdt: &Fdt,
     signed_kernel: &[u8],
     ramdisk: Option<&[u8]>,
-    bcc: &[u8],
+    bcc: &bcc::Handover,
     memory: &mut MemoryTracker,
 ) -> Result<(), RebootReason> {
     info!("pVM firmware");
@@ -57,7 +58,7 @@
     } else {
         debug!("Ramdisk: None");
     }
-    debug!("BCC: {:?} ({:#x} bytes)", bcc.as_ptr(), bcc.len());
+    trace!("BCC: {bcc:x?}");
 
     // Set up PCI bus for VirtIO devices.
     let pci_node = pci_node(fdt)?;
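Review bot: The new `trace!("BCC: {bcc:x?}")` hex-formats the whole `Handover`, where the removed line logged only the buffer's pointer and length. Per the commit message the handover carries CDI_Attest and CDI_Seal, so if the `Debug` impl of `dice::bcc::Handover` (not visible here) prints those fields, the attestation and sealing secrets reach the log whenever trace level is enabled. I would keep this log line to non-secret metadata, or confirm that the `Debug` impl redacts the CDIs and record that above the line, e.g. `// Handover's Debug impl must not print CDI values.` main's body continues outside the hunk.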