pvmfw: Validate input BCC handover
Ensure that the BCC contained in the configuration data is properly
formatted as a "BCC Handover" [1], i.e. a CBOR-encoded map:
BccHandover = {
1 : bstr .size 32, ; CDI_Attest
2 : bstr .size 32, ; CDI_Seal
3 : Bcc, ; Certificate chain
}
If not, abort the pVM boot.
[1]: https://pigweed.googlesource.com/open-dice/+/72ad792c4d9ffffef3412801b5da46568a6b3197/src/android/bcc.c#260
Bug: 256827715
Test: atest MicrodroidHostTests
Change-Id: Ibade0ebd1e50d912a59b32c1282022aa46235501
diff --git a/pvmfw/src/main.rs b/pvmfw/src/main.rs
index e6a158d..07cbd0c 100644
--- a/pvmfw/src/main.rs
+++ b/pvmfw/src/main.rs
@@ -39,14 +39,15 @@
};
use avb::PUBLIC_KEY;
use avb_nostd::verify_image;
+use dice::bcc;
use libfdt::Fdt;
-use log::{debug, error, info};
+use log::{debug, error, info, trace};
fn main(
fdt: &Fdt,
signed_kernel: &[u8],
ramdisk: Option<&[u8]>,
- bcc: &[u8],
+ bcc: &bcc::Handover,
memory: &mut MemoryTracker,
) -> Result<(), RebootReason> {
info!("pVM firmware");
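Review bot: The new `bcc: &bcc::Handover` parameter on `main` is undocumented, so the signature does not say whether the handover has already been checked against the CBOR layout in the commit message or whether `main` is expected to check it. The validation is not in this hunk, so presumably it runs in the caller before `main`. A doc comment such as `/// bcc: DICE handover from the config data, already validated by the caller.` would record that contract. The parameter also shares its name with the imported `dice::bcc` module, which compiles but reads ambiguously; `bcc_handover` would be clearer. The body of `main` continues outside the hunk.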
@@ -57,7 +58,7 @@
} else {
debug!("Ramdisk: None");
}
- debug!("BCC: {:?} ({:#x} bytes)", bcc.as_ptr(), bcc.len());
+ trace!("BCC: {bcc:x?}");
// Set up PCI bus for VirtIO devices.
let pci_node = pci_node(fdt)?;
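Review bot: `trace!("BCC: {bcc:x?}")` formats the whole handover through its `Debug` impl, whereas the removed line printed only a pointer and a length. Per the commit message the handover carries CDI_Attest and CDI_Seal. The definition of `bcc::Handover` is not in this diff, but if its `Debug` impl is derived or otherwise prints those fields, the secrets that the pVM's keys are derived from reach the firmware log whenever trace output is enabled. I would either give `Handover` a `Debug` impl that redacts the two CDIs or log only non-secret metadata here, and add a comment like `// Never log the CDIs: they are secrets.` above the call. `main` starts and ends outside this hunk.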