pvmfw: Validate input BCC handover
Ensure that the BCC contained in the configuration data is properly
formatted as a "BCC Handover" [1], i.e. a CBOR-encoded map
BccHandover = {
1 : bstr .size 32, ; CDI_Attest
2 : bstr .size 32, ; CDI_Seal
3 : Bcc, ; Certificate chain
}
If not, abort the pVM boot.
[1]: https://pigweed.googlesource.com/open-dice/+/72ad792c4d9ffffef3412801b5da46568a6b3197/src/android/bcc.c#260
Bug: 256827715
Test: atest MicrodroidHostTests
Change-Id: Ibade0ebd1e50d912a59b32c1282022aa46235501
diff --git a/pvmfw/src/entry.rs b/pvmfw/src/entry.rs
index e8f9bb2..bffc140 100644
--- a/pvmfw/src/entry.rs
+++ b/pvmfw/src/entry.rs
@@ -24,6 +24,7 @@
use core::arch::asm;
use core::num::NonZeroUsize;
use core::slice;
+use dice::bcc::Handover;
use log::debug;
use log::error;
use log::info;
@@ -228,8 +229,9 @@
RebootReason::InvalidConfig
})?;
- let bcc = appended.get_bcc_mut().ok_or_else(|| {
- error!("Invalid BCC");
+ let bcc_slice = appended.get_bcc_mut();
+ let bcc = Handover::new(bcc_slice).map_err(|e| {
+ error!("Invalid BCC Handover: {e:?}");
RebootReason::InvalidBcc
})?;
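Review bot: The `error!("Invalid BCC Handover: {e:?}")` in the new map_err closure prints the parse error with Debug formatting, and the handover being parsed carries CDI_Attest and CDI_Seal (the 32-byte secrets named in the commit message); this is only safe if the error type's Debug output never echoes the offending input bytes, which is worth confirming against `dice::bcc::Handover` or replaced by logging just an error kind or offset. A short comment at the call site would make the intent clear: `// The BCC must parse as a CBOR BccHandover map (CDI_Attest, CDI_Seal, Bcc); anything else aborts the boot.` The enclosing function starts and ends outside the hunk.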
@@ -243,7 +245,7 @@
let slices = MemorySlices::new(fdt, payload, payload_size, &mut memory)?;
// This wrapper allows main() to be blissfully ignorant of platform details.
- crate::main(slices.fdt, slices.kernel, slices.ramdisk, bcc, &mut memory)?;
+ crate::main(slices.fdt, slices.kernel, slices.ramdisk, &bcc, &mut memory)?;
// TODO: Overwrite BCC before jumping to payload to avoid leaking our sealing key.
@@ -366,12 +368,10 @@
}
}
- fn get_bcc_mut(&mut self) -> Option<&mut [u8]> {
- let bcc = match self {
+ fn get_bcc_mut(&mut self) -> &mut [u8] {
+ match self {
Self::LegacyBcc(ref mut bcc) => bcc,
Self::Config(ref mut cfg) => cfg.get_bcc_mut(),
- };
- // TODO(b/256148034): return None if BccHandoverParse(bcc) != kDiceResultOk.
- Some(bcc)
+ }
}
}
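Review bot: The `ref mut` bindings in the rewritten match are redundant now that each arm returns the reference directly; with `&mut self` as the scrutinee, match ergonomics yields the same `&mut [u8]` from `Self::LegacyBcc(bcc) => bcc,` and `Self::Config(cfg) => cfg.get_bcc_mut(),`. Since the removed TODO moved validation to the caller, the method should state that contract: `/// Returns the raw, unvalidated BCC bytes; callers must parse them as a BCC handover before use.` The enclosing impl block starts outside the hunk.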