Merge "Add VM reconciliation" into main
diff --git a/README.md b/README.md
index 827e55c..4905b56 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,7 @@
* [Microdroid kernel](microdroid/kernel/README.md)
* [Microdroid payload](microdroid/payload/README.md)
* [vmbase](vmbase/README.md)
+* [Encrypted Storage](encryptedstore/README.md)
AVF APIs:
* [Java API](java/framework/README.md)
diff --git a/TEST_MAPPING b/TEST_MAPPING
index ec9042c..5b0c000 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -62,6 +62,9 @@
// TODO(b/325610326): Add this target to presubmit once there is enough
// SLO data for it.
"name": "AvfRkpdAppIntegrationTests"
+ },
+ {
+ "name": "AvfRkpdVmAttestationTestApp"
}
],
"postsubmit": [
diff --git a/compos/common/Android.bp b/compos/common/Android.bp
index 01ab7c9..72cb5e1 100644
--- a/compos/common/Android.bp
+++ b/compos/common/Android.bp
@@ -20,6 +20,7 @@
"libnum_traits",
"librustutils",
"libvmclient",
+ "libplatformproperties_rust",
],
proc_macros: ["libnum_derive"],
apex_available: [
diff --git a/compos/common/compos_client.rs b/compos/common/compos_client.rs
index 077a0ef..ffdd0ea 100644
--- a/compos/common/compos_client.rs
+++ b/compos/common/compos_client.rs
@@ -35,6 +35,7 @@
use compos_aidl_interface::aidl::com::android::compos::ICompOsService::ICompOsService;
use glob::glob;
use log::{info, warn};
+use platformproperties::hypervisorproperties;
use rustutils::system_properties;
use std::fs::File;
use std::path::{Path, PathBuf};
@@ -232,7 +233,7 @@
fn want_protected_vm() -> Result<bool> {
let have_protected_vm =
- system_properties::read_bool("ro.boot.hypervisor.protected_vm.supported", false)?;
+ hypervisorproperties::hypervisor_protected_vm_supported()?.unwrap_or(false);
if have_protected_vm {
info!("Starting protected VM");
return Ok(true);
@@ -243,8 +244,7 @@
bail!("Protected VM not supported, unable to start VM");
}
- let have_non_protected_vm =
- system_properties::read_bool("ro.boot.hypervisor.vm.supported", false)?;
+ let have_non_protected_vm = hypervisorproperties::hypervisor_vm_supported()?.unwrap_or(false);
if have_non_protected_vm {
warn!("Protected VM not supported, falling back to non-protected on debuggable build");
return Ok(false);
diff --git a/encryptedstore/README.md b/encryptedstore/README.md
new file mode 100644
index 0000000..544d6eb
--- /dev/null
+++ b/encryptedstore/README.md
@@ -0,0 +1,31 @@
+# Encrypted Storage
+
+Since Android U, AVF (with Microdroid) supports Encrypted Storage which is the storage solution
+in a VM. Within a VM, this is mounted at a path that can be retrieved via the [`AVmPayload_getEncryptedStoragePath()`][vm_payload_api].
+Any data written in encrypted storage is persisted and is available next time the VM is run.
+
+Encrypted Storage is backed by a para-virtualized block device on the guest which is further
+backed by a qcow2 disk image in the host. The block device is formatted with an ext4 filesystem.
+
+## Security
+
+Encrypted Storage uses block level encryption layer (Device-Mapper's "crypt" target) using a key
+derived from the VM secret and AES256 cipher with HCTR2 mode. The Block level encryption ensures
+the filesystem is also encrypted.
+
+### Integrity
+Encrypted Storage does not offer the level of integrity offered by primitives such as
+authenticated encryption/dm-integrity/RPMB. That level of integrity comes with substantial
+disk/performance overhead. Instead, it uses HCTR2 which is a super-pseudorandom
+permutation encryption mode, this offers better resilience against malleability attacks (than other
+modes such as XTS).
+
+## Encrypted Storage and Updatable VMs
+
+With [Updatable VM feature][updatable_vm] shipping in Android V, Encrypted Storage can be accessed
+even after OTA/updates of boot images and apks. This requires chipsets to support [Secretkeeper HAL][sk_hal].
+
+
+[vm_payload_api]: https://cs.android.com/android/platform/superproject/main/+/main:packages/modules/Virtualization/vm_payload/include/vm_payload.h;l=2?q=vm_payload%2Finclude%2Fvm_payload.h&ss=android%2Fplatform%2Fsuperproject%2Fmain
+[updatable_vm]: https://cs.android.com/android/platform/superproject/main/+/main:packages/modules/Virtualization/docs/updatable_vm.md
+[sk_hal]: https://cs.android.com/android/platform/superproject/main/+/main:system/secretkeeper/README.md
diff --git a/java/framework/README.md b/java/framework/README.md
index cf7a6cb..bbcd0ef 100644
--- a/java/framework/README.md
+++ b/java/framework/README.md
@@ -339,6 +339,8 @@
powerful attacker could delete it, wholly or partially roll it back to an
earlier version, or modify it, corrupting the data.
+For more info see [README](https://cs.android.com/android/platform/superproject/main/+/main:packages/modules/Virtualization/java/framework/README.md)
+
# Transferring a VM
It is possible to make a copy of a VM instance. This can be used to transfer a
diff --git a/libs/bssl/src/aead.rs b/libs/bssl/src/aead.rs
index 9aa1885..311d370 100644
--- a/libs/bssl/src/aead.rs
+++ b/libs/bssl/src/aead.rs
@@ -98,7 +98,8 @@
// SAFETY: This function only reads the given data and the returned pointer is
// checked below.
let ctx = unsafe { EVP_AEAD_CTX_new(aead.0, key.as_ptr(), key.len(), tag_len) };
- let ctx = NonNull::new(ctx).ok_or(to_call_failed_error(ApiName::EVP_AEAD_CTX_new))?;
+ let ctx =
+ NonNull::new(ctx).ok_or_else(|| to_call_failed_error(ApiName::EVP_AEAD_CTX_new))?;
Ok(Self { ctx, aead })
}
@@ -132,7 +133,7 @@
)
};
check_int_result(ret, ApiName::EVP_AEAD_CTX_seal)?;
- out.get(0..out_len).ok_or(to_call_failed_error(ApiName::EVP_AEAD_CTX_seal))
+ out.get(0..out_len).ok_or_else(|| to_call_failed_error(ApiName::EVP_AEAD_CTX_seal))
}
/// Authenticates `data` and decrypts it to `out`.
@@ -166,7 +167,7 @@
)
};
check_int_result(ret, ApiName::EVP_AEAD_CTX_open)?;
- out.get(0..out_len).ok_or(to_call_failed_error(ApiName::EVP_AEAD_CTX_open))
+ out.get(0..out_len).ok_or_else(|| to_call_failed_error(ApiName::EVP_AEAD_CTX_open))
}
/// Returns the `Aead` represented by this `AeadContext`.
diff --git a/libs/bssl/src/digest.rs b/libs/bssl/src/digest.rs
index 8a51b11..42d23d9 100644
--- a/libs/bssl/src/digest.rs
+++ b/libs/bssl/src/digest.rs
@@ -121,7 +121,7 @@
pub fn new() -> Result<Self> {
// SAFETY: The returned pointer is checked below.
let ctx = unsafe { EVP_MD_CTX_new() };
- NonNull::new(ctx).map(Self).ok_or(to_call_failed_error(ApiName::EVP_MD_CTX_new))
+ NonNull::new(ctx).map(Self).ok_or_else(|| to_call_failed_error(ApiName::EVP_MD_CTX_new))
}
pub(crate) fn as_mut_ptr(&mut self) -> *mut EVP_MD_CTX {
diff --git a/libs/bssl/src/ec_key.rs b/libs/bssl/src/ec_key.rs
index 6c9910c..897f8a1 100644
--- a/libs/bssl/src/ec_key.rs
+++ b/libs/bssl/src/ec_key.rs
@@ -65,7 +65,7 @@
};
NonNull::new(ec_key)
.map(Self)
- .ok_or(to_call_failed_error(ApiName::EC_KEY_new_by_curve_name))
+ .ok_or_else(|| to_call_failed_error(ApiName::EC_KEY_new_by_curve_name))
}
/// Creates a new EC P-384 key pair.
@@ -76,7 +76,7 @@
};
NonNull::new(ec_key)
.map(Self)
- .ok_or(to_call_failed_error(ApiName::EC_KEY_new_by_curve_name))
+ .ok_or_else(|| to_call_failed_error(ApiName::EC_KEY_new_by_curve_name))
}
/// Constructs an `EcKey` instance from the provided COSE_Key encoded public key slice.
@@ -295,7 +295,7 @@
let ec_key = NonNull::new(ec_key)
.map(Self)
- .ok_or(to_call_failed_error(ApiName::EC_KEY_parse_private_key))?;
+ .ok_or_else(|| to_call_failed_error(ApiName::EC_KEY_parse_private_key))?;
ec_key.check_key()?;
Ok(ec_key)
}
@@ -320,7 +320,7 @@
// SAFETY: This is safe because the CBB pointer is initialized with `CBB_init_fixed()`,
// and it has been flushed, thus it has no active children.
let len = unsafe { CBB_len(cbb.as_ref()) };
- Ok(buf.get(0..len).ok_or(to_call_failed_error(ApiName::CBB_len))?.to_vec().into())
+ Ok(buf.get(0..len).ok_or_else(|| to_call_failed_error(ApiName::CBB_len))?.to_vec().into())
}
}
@@ -411,13 +411,13 @@
// SAFETY: The function reads `x` within its bounds, and the returned
// pointer is checked below.
let bn = unsafe { BN_bin2bn(x.as_ptr(), x.len(), ptr::null_mut()) };
- NonNull::new(bn).map(Self).ok_or(to_call_failed_error(ApiName::BN_bin2bn))
+ NonNull::new(bn).map(Self).ok_or_else(|| to_call_failed_error(ApiName::BN_bin2bn))
}
fn new() -> Result<Self> {
// SAFETY: The returned pointer is checked below.
let bn = unsafe { BN_new() };
- NonNull::new(bn).map(Self).ok_or(to_call_failed_error(ApiName::BN_new))
+ NonNull::new(bn).map(Self).ok_or_else(|| to_call_failed_error(ApiName::BN_new))
}
/// Converts the `BigNum` to a big-endian integer. The integer is padded with leading zeros up
diff --git a/libs/bssl/src/evp.rs b/libs/bssl/src/evp.rs
index fca189c..719bb1d 100644
--- a/libs/bssl/src/evp.rs
+++ b/libs/bssl/src/evp.rs
@@ -54,7 +54,7 @@
fn new_pkey() -> Result<NonNull<EVP_PKEY>> {
// SAFETY: The returned pointer is checked below.
let key = unsafe { EVP_PKEY_new() };
- NonNull::new(key).ok_or(to_call_failed_error(ApiName::EVP_PKEY_new))
+ NonNull::new(key).ok_or_else(|| to_call_failed_error(ApiName::EVP_PKEY_new))
}
impl TryFrom<EcKey> for PKey {
@@ -94,7 +94,7 @@
// SAFETY: This is safe because the CBB pointer is initialized with `CBB_init_fixed()`,
// and it has been flushed, thus it has no active children.
let len = unsafe { CBB_len(cbb.as_ref()) };
- Ok(buf.get(0..len).ok_or(to_call_failed_error(ApiName::CBB_len))?.to_vec())
+ Ok(buf.get(0..len).ok_or_else(|| to_call_failed_error(ApiName::CBB_len))?.to_vec())
}
/// This function takes a raw public key data slice and creates a `PKey` instance wrapping
@@ -118,8 +118,8 @@
raw_public_key.len(),
)
};
- let pkey =
- NonNull::new(pkey).ok_or(to_call_failed_error(ApiName::EVP_PKEY_new_raw_public_key))?;
+ let pkey = NonNull::new(pkey)
+ .ok_or_else(|| to_call_failed_error(ApiName::EVP_PKEY_new_raw_public_key))?;
Ok(Self { pkey, _inner_ec_key: None })
}
diff --git a/libs/devicemapper/src/crypt.rs b/libs/devicemapper/src/crypt.rs
index 36c45c7..3afd374 100644
--- a/libs/devicemapper/src/crypt.rs
+++ b/libs/devicemapper/src/crypt.rs
@@ -15,8 +15,8 @@
*/
/// `crypt` module implements the "crypt" target in the device mapper framework. Specifically,
-/// it provides `DmCryptTargetBuilder` struct which is used to construct a `DmCryptTarget` struct
-/// which is then given to `DeviceMapper` to create a mapper device.
+/// it provides `DmCryptTargetBuilder` struct which is used to construct a `DmCryptTarget`
+/// struct which is then given to `DeviceMapper` to create a mapper device.
use crate::DmTargetSpec;
use anyhow::{ensure, Context, Result};
@@ -33,9 +33,14 @@
/// Supported ciphers
#[derive(Clone, Copy, Debug)]
pub enum CipherType {
- // AES-256-HCTR2 takes a 32-byte key
+ /// AES256 with HCTR2 mode. HCTR2 is a tweakable super-pseudorandom permutation
+ /// length-preserving encryption mode. It is the preferred mode in absence of other
+ /// dedicated integrity primitives (such as for encryptedstore in pVM) since it is less
+ /// malleable than other modes.
AES256HCTR2,
- // XTS requires key of twice the length of the underlying block cipher i.e., 64B for AES256
+ /// AES with XTS mode. This has slight performance benefits over HCTR2. In particular, XTS is
+ /// supported by inline encryption hardware. Note that (status quo) `encryptedstore` in VMs
+ /// is the only user of this module & inline encryption is not supported by guest kernel.
AES256XTS,
}
impl CipherType {
@@ -50,7 +55,10 @@
fn get_required_key_size(&self) -> usize {
match *self {
+ // AES-256-HCTR2 takes a 32-byte key
CipherType::AES256HCTR2 => 32,
+ // XTS requires key of twice the length of the underlying block cipher
+ // i.e., 64B for AES256
CipherType::AES256XTS => 64,
}
}
diff --git a/libs/hypervisor_props/Android.bp b/libs/hypervisor_props/Android.bp
index af08b01..af6d417 100644
--- a/libs/hypervisor_props/Android.bp
+++ b/libs/hypervisor_props/Android.bp
@@ -9,7 +9,7 @@
edition: "2021",
rustlibs: [
"libanyhow",
- "librustutils",
+ "libplatformproperties_rust",
],
apex_available: [
"com.android.compos",
diff --git a/libs/hypervisor_props/src/lib.rs b/libs/hypervisor_props/src/lib.rs
index 120a48c..14614fd 100644
--- a/libs/hypervisor_props/src/lib.rs
+++ b/libs/hypervisor_props/src/lib.rs
@@ -14,18 +14,17 @@
//! Access to hypervisor capabilities via system properties set by the bootloader.
-use anyhow::{Error, Result};
-use rustutils::system_properties;
+use anyhow::Result;
+use platformproperties::hypervisorproperties;
/// Returns whether there is a hypervisor present that supports non-protected VMs.
pub fn is_vm_supported() -> Result<bool> {
- system_properties::read_bool("ro.boot.hypervisor.vm.supported", false).map_err(Error::new)
+ Ok(hypervisorproperties::hypervisor_vm_supported()?.unwrap_or(false))
}
/// Returns whether there is a hypervisor present that supports protected VMs.
pub fn is_protected_vm_supported() -> Result<bool> {
- system_properties::read_bool("ro.boot.hypervisor.protected_vm.supported", false)
- .map_err(Error::new)
+ Ok(hypervisorproperties::hypervisor_protected_vm_supported()?.unwrap_or(false))
}
/// Returns whether there is a hypervisor present that supports any sort of VM, either protected
@@ -36,5 +35,5 @@
/// Returns the version of the hypervisor, if there is one.
pub fn version() -> Result<Option<String>> {
- system_properties::read("ro.boot.hypervisor.version").map_err(Error::new)
+ Ok(hypervisorproperties::hypervisor_version()?)
}
diff --git a/microdroid/init_debug_policy/src/init_debug_policy.rs b/microdroid/init_debug_policy/src/init_debug_policy.rs
index 90d04ac..c443088 100644
--- a/microdroid/init_debug_policy/src/init_debug_policy.rs
+++ b/microdroid/init_debug_policy/src/init_debug_policy.rs
@@ -15,7 +15,7 @@
//! Applies debug policies when booting microdroid
use rustutils::system_properties;
-use rustutils::system_properties::PropertyWatcherError;
+use rustutils::system_properties::error::PropertyWatcherError;
use std::fs::File;
use std::io::Read;
diff --git a/microdroid_manager/src/dice.rs b/microdroid_manager/src/dice.rs
index 7f65159..cecf413 100644
--- a/microdroid_manager/src/dice.rs
+++ b/microdroid_manager/src/dice.rs
@@ -13,12 +13,12 @@
// limitations under the License.
use crate::instance::{ApexData, ApkData};
-use crate::{is_debuggable, MicrodroidData};
+use crate::{is_debuggable, is_strict_boot, MicrodroidData};
use anyhow::{bail, Context, Result};
use ciborium::{cbor, Value};
use coset::CborSerializable;
use dice_driver::DiceDriver;
-use diced_open_dice::OwnedDiceArtifacts;
+use diced_open_dice::{Hidden, OwnedDiceArtifacts, HIDDEN_SIZE};
use microdroid_metadata::PayloadMetadata;
use openssl::sha::{sha512, Sha512};
use std::iter::once;
@@ -53,10 +53,37 @@
let debuggable = is_debuggable()?;
// Send the details to diced
- let hidden = instance_data.salt.clone().try_into().unwrap();
+ let hidden = if cfg!(llpvm_changes) {
+ hidden_input_from_instance_id()?
+ } else {
+ instance_data.salt.clone().try_into().unwrap()
+ };
dice.derive(code_hash, &config_descriptor, authority_hash, debuggable, hidden)
}
+// Get the "Hidden input" for DICE derivation.
+// This provides differentiation of secrets for different VM instances with same payload.
+fn hidden_input_from_instance_id() -> Result<Hidden> {
+ // For protected VM: this is all 0s, pvmfw ensures differentiation is added early in secrets.
+ // For non-protected VM: this is derived from instance_id of the VM instance.
+ let hidden_input = if !is_strict_boot() {
+ if let Some(id) = super::get_instance_id()? {
+ sha512(&id)
+ } else {
+ // TODO(b/325094712): Absence of instance_id occurs due to missing DT in some
+ // x86_64 test devices (such as Cuttlefish). From security perspective, this is
+ // acceptable for non-protected VM.
+ log::warn!(
+ "Instance Id missing, this may lead to 2 non protected VMs having same secrets"
+ );
+ [0u8; HIDDEN_SIZE]
+ }
+ } else {
+ [0u8; HIDDEN_SIZE]
+ };
+ Ok(hidden_input)
+}
+
struct Subcomponent {
name: String,
version: u64,
diff --git a/microdroid_manager/src/instance.rs b/microdroid_manager/src/instance.rs
index 888c451..2d39cd8 100644
--- a/microdroid_manager/src/instance.rs
+++ b/microdroid_manager/src/instance.rs
@@ -273,6 +273,8 @@
#[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
pub struct MicrodroidData {
+ // `salt` is obsolete, it was used as a differentiator for non-protected VM instances running
+ // same payload. Instance-id (present in DT) is used for that now.
pub salt: Vec<u8>, // Should be [u8; 64] but that isn't serializable.
pub apk_data: ApkData,
pub extra_apks_data: Vec<ApkData>,
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index 8d2c629..2386bd4 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -41,7 +41,7 @@
use keystore2_crypto::ZVec;
use libc::VMADDR_CID_HOST;
use log::{error, info};
-use microdroid_metadata::PayloadMetadata;
+use microdroid_metadata::{Metadata, PayloadMetadata};
use microdroid_payload_config::{ApkConfig, OsConfig, Task, TaskType, VmPayloadConfig};
use nix::sys::signal::Signal;
use payload::load_metadata;
@@ -72,6 +72,7 @@
"/proc/device-tree/virtualization/guest/debug-microdroid,no-verified-boot";
const SECRETKEEPER_KEY: &str = "/proc/device-tree/avf/secretkeeper_public_key";
const INSTANCE_ID_PATH: &str = "/proc/device-tree/avf/untrusted/instance-id";
+const DEFER_ROLLBACK_PROTECTION: &str = "/proc/device-tree/avf/untrusted/defer-rollback-protection";
const ENCRYPTEDSTORE_BIN: &str = "/system/bin/encryptedstore";
const ZIPFUSE_BIN: &str = "/system/bin/zipfuse";
@@ -161,6 +162,10 @@
Ok(instance_id)
}
+fn should_defer_rollback_protection() -> bool {
+ Path::new(DEFER_ROLLBACK_PROTECTION).exists()
+}
+
fn main() -> Result<()> {
// If debuggable, print full backtrace to console log with stdio_to_kmsg
if is_debuggable()? {
@@ -235,17 +240,12 @@
}
}
-fn try_run_payload(
- service: &Strong<dyn IVirtualMachineService>,
- vm_payload_service_fd: OwnedFd,
-) -> Result<i32> {
- let metadata = load_metadata().context("Failed to load payload metadata")?;
- let dice = DiceDriver::new(Path::new("/dev/open-dice0"), is_strict_boot())
- .context("Failed to load DICE")?;
-
+fn verify_payload_with_instance_img(
+ metadata: &Metadata,
+ dice: &DiceDriver,
+) -> Result<MicrodroidData> {
let mut instance = InstanceDisk::new().context("Failed to load instance.img")?;
- let saved_data =
- instance.read_microdroid_data(&dice).context("Failed to read identity data")?;
+ let saved_data = instance.read_microdroid_data(dice).context("Failed to read identity data")?;
if is_strict_boot() {
// Provisioning must happen on the first boot and never again.
@@ -265,7 +265,7 @@
}
// Verify the payload before using it.
- let extracted_data = verify_payload(&metadata, saved_data.as_ref())
+ let extracted_data = verify_payload(metadata, saved_data.as_ref())
.context("Payload verification failed")
.map_err(|e| MicrodroidError::PayloadVerificationFailed(e.to_string()))?;
@@ -289,10 +289,29 @@
} else {
info!("Saving verified data.");
instance
- .write_microdroid_data(&extracted_data, &dice)
+ .write_microdroid_data(&extracted_data, dice)
.context("Failed to write identity data")?;
extracted_data
};
+ Ok(instance_data)
+}
+
+fn try_run_payload(
+ service: &Strong<dyn IVirtualMachineService>,
+ vm_payload_service_fd: OwnedFd,
+) -> Result<i32> {
+ let metadata = load_metadata().context("Failed to load payload metadata")?;
+ let dice = DiceDriver::new(Path::new("/dev/open-dice0"), is_strict_boot())
+ .context("Failed to load DICE")?;
+
+ // Microdroid skips checking payload against instance image iff the device supports
+ // secretkeeper. In that case Microdroid use VmSecret::V2, which provide protection against
+ // rollback of boot images and packages.
+ let instance_data = if should_defer_rollback_protection() {
+ verify_payload(&metadata, None)?
+ } else {
+ verify_payload_with_instance_img(&metadata, &dice)?
+ };
let payload_metadata = metadata.payload.ok_or_else(|| {
MicrodroidError::PayloadInvalidConfig("No payload config in metadata".to_string())
diff --git a/microdroid_manager/src/verify.rs b/microdroid_manager/src/verify.rs
index 445c1ae..65c32b0 100644
--- a/microdroid_manager/src/verify.rs
+++ b/microdroid_manager/src/verify.rs
@@ -169,13 +169,14 @@
// verified is consistent with the root hash) or because we have the saved APK data which will
// be checked as identical to the data we have verified.
- // Use the salt from a verified instance, or generate a salt for a new instance.
- let salt = if let Some(saved_data) = saved_data {
- saved_data.salt.clone()
- } else if is_strict_boot() {
- // No need to add more entropy as a previous stage must have used a new, random salt.
+ let salt = if cfg!(llpvm_changes) || is_strict_boot() {
+ // Salt is obsolete with llpvm_changes.
vec![0u8; 64]
+ } else if let Some(saved_data) = saved_data {
+ // Use the salt from a verified instance.
+ saved_data.salt.clone()
} else {
+ // Generate a salt for a new instance.
let mut salt = vec![0u8; 64];
salt.as_mut_slice().try_fill(&mut rand::thread_rng())?;
salt
diff --git a/microdroid_manager/src/vm_secret.rs b/microdroid_manager/src/vm_secret.rs
index 5ceedea..ed8ab1d 100644
--- a/microdroid_manager/src/vm_secret.rs
+++ b/microdroid_manager/src/vm_secret.rs
@@ -91,28 +91,19 @@
vm_service: &Strong<dyn IVirtualMachineService>,
) -> Result<Self> {
ensure!(dice_artifacts.bcc().is_some(), "Dice chain missing");
-
- let Some(sk_service) =
- is_sk_supported(vm_service).context("Failed to check if Secretkeeper is supported")?
- else {
- // Use V1 secrets if Secretkeeper is not supported.
+ if !crate::should_defer_rollback_protection() {
return Ok(Self::V1 { dice_artifacts });
- };
+ }
let explicit_dice = OwnedDiceArtifactsWithExplicitKey::from_owned_artifacts(dice_artifacts)
.context("Failed to get Dice artifacts in explicit key format")?;
// For pVM, skp_secret are stored in Secretkeeper. For non-protected it is all 0s.
let mut skp_secret = Zeroizing::new([0u8; SECRET_SIZE]);
if super::is_strict_boot() {
- let mut session = SkSession::new(
- sk_service,
- &explicit_dice,
- Some(get_secretkeeper_identity().context("Failed to get secretkeeper identity")?),
- )
- .context("Failed to setup a Secretkeeper session")?;
- let id = super::get_instance_id()
- .context("Failed to get instance-id")?
- .ok_or(anyhow!("Missing instance-id"))?;
+ let sk_service = get_secretkeeper_service(vm_service)?;
+ let mut session =
+ SkSession::new(sk_service, &explicit_dice, Some(get_secretkeeper_identity()?))?;
+ let id = super::get_instance_id()?.ok_or(anyhow!("Missing instance_id"))?;
let explicit_dice_chain = explicit_dice
.explicit_key_dice_chain()
.ok_or(anyhow!("Missing explicit dice chain, this is unusual"))?;
@@ -279,22 +270,15 @@
anyhow!("{:?}", err)
}
-// Get the secretkeeper connection if supported. Host can be consulted whether the device supports
-// secretkeeper but that should be used with caution for protected VM.
-fn is_sk_supported(
+fn get_secretkeeper_service(
host: &Strong<dyn IVirtualMachineService>,
-) -> Result<Option<Strong<dyn ISecretkeeper>>> {
- let sk = if cfg!(llpvm_changes) {
- host.getSecretkeeper()
- // TODO rename this error!
- .map_err(|e| {
- super::MicrodroidError::FailedToConnectToVirtualizationService(format!(
- "Failed to get Secretkeeper: {e:?}"
- ))
- })?
- } else {
- // LLPVM flag is disabled
- None
- };
- Ok(sk)
+) -> Result<Strong<dyn ISecretkeeper>> {
+ Ok(host
+ .getSecretkeeper()
+ // TODO rename this error!
+ .map_err(|e| {
+ super::MicrodroidError::FailedToConnectToVirtualizationService(format!(
+ "Failed to get Secretkeeper: {e:?}"
+ ))
+ })?)
}
diff --git a/pvmfw/Android.bp b/pvmfw/Android.bp
index cce0e73..4ee02c1 100644
--- a/pvmfw/Android.bp
+++ b/pvmfw/Android.bp
@@ -74,16 +74,19 @@
srcs: ["src/device_assignment.rs"],
defaults: ["libpvmfw.test.defaults"],
rustlibs: [
+ "libdts",
"libhyp",
"liblibfdt",
"liblog_rust",
"libpvmfw_fdt_template",
+ "libzerocopy",
],
data: [
":test_pvmfw_devices_vm_dtbo",
":test_pvmfw_devices_vm_dtbo_without_symbols",
":test_pvmfw_devices_vm_dtbo_with_duplicated_iommus",
":test_pvmfw_devices_overlapping_pvmfw",
+ ":test_pvmfw_devices_vm_dtbo_with_dependencies",
":test_pvmfw_devices_with_rng",
":test_pvmfw_devices_with_multiple_devices_iommus",
":test_pvmfw_devices_with_iommu_sharing",
@@ -92,7 +95,13 @@
":test_pvmfw_devices_without_iommus",
":test_pvmfw_devices_with_duplicated_pviommus",
":test_pvmfw_devices_with_multiple_reg_iommus",
+ ":test_pvmfw_devices_with_dependency",
+ ":test_pvmfw_devices_with_dependency_loop",
+ ":test_pvmfw_devices_with_multiple_dependencies",
+ ":test_pvmfw_devices_expected_dt",
],
+ data_bins: ["dtc_static"],
+ compile_multilib: "first",
// To use libpvmfw_fdt_template for testing
enabled: false,
target: {
@@ -136,6 +145,14 @@
out: ["test_pvmfw_devices_vm_dtbo_with_duplicated_iommus.dtbo"],
}
+genrule {
+ name: "test_pvmfw_devices_vm_dtbo_with_dependencies",
+ tools: ["dtc"],
+ cmd: "$(location dtc) -@ -I dts -O dtb $(in) -o $(out)",
+ srcs: ["testdata/test_pvmfw_devices_vm_dtbo_with_dependencies.dts"],
+ out: ["test_pvmfw_devices_vm_dtbo_with_dependencies.dtbo"],
+}
+
genrule_defaults {
name: "test_device_assignment_dts_to_dtb",
defaults: ["dts_to_dtb"],
@@ -205,6 +222,53 @@
out: ["test_pvmfw_devices_with_multiple_reg_iommus.dtb"],
}
+genrule {
+ name: "test_pvmfw_devices_with_dependency",
+ defaults: ["test_device_assignment_dts_to_dtb"],
+ srcs: ["testdata/test_pvmfw_devices_with_dependency.dts"],
+ out: ["test_pvmfw_devices_with_dependency.dtb"],
+}
+
+genrule {
+ name: "test_pvmfw_devices_with_multiple_dependencies",
+ defaults: ["test_device_assignment_dts_to_dtb"],
+ srcs: ["testdata/test_pvmfw_devices_with_multiple_dependencies.dts"],
+ out: ["test_pvmfw_devices_with_multiple_dependencies.dtb"],
+}
+
+genrule {
+ name: "test_pvmfw_devices_with_dependency_loop",
+ defaults: ["test_device_assignment_dts_to_dtb"],
+ srcs: ["testdata/test_pvmfw_devices_with_dependency_loop.dts"],
+ out: ["test_pvmfw_devices_with_dependency_loop.dtb"],
+}
+
+// We can't use genrule because preprocessed platform DT is built with cc_object.
+// cc_genrule doesn't support default, so we'll build all expected DTs in
+// a single build rule.
+cc_genrule {
+ name: "test_pvmfw_devices_expected_dt",
+ srcs: [
+ ":pvmfw_platform.dts.preprocessed",
+ "testdata/expected_dt_with_dependency.dts",
+ "testdata/expected_dt_with_multiple_dependencies.dts",
+ "testdata/expected_dt_with_dependency_loop.dts",
+ ],
+ out: [
+ "expected_dt_with_dependency.dtb",
+ "expected_dt_with_multiple_dependencies.dtb",
+ "expected_dt_with_dependency_loop.dtb",
+ ],
+ tools: ["dtc"],
+ cmd: "FILES=($(in));" +
+ "cp $${FILES[0]} $(genDir)/platform_preprocessed.dts;" +
+ "for DTS in $${FILES[@]:1}; do" +
+ " DTB=$$(basename -s .dts $${DTS}).dtb;" +
+ " $(location dtc) -@ -i $(genDir) -I dts -O dtb $${DTS} -o $(genDir)/$${DTB};" +
+ "done",
+ visibility: ["//visibility:private"],
+}
+
cc_binary {
name: "pvmfw",
defaults: ["vmbase_elf_defaults"],
diff --git a/pvmfw/platform.dts b/pvmfw/platform.dts
index 275a1c9..8074188 100644
--- a/pvmfw/platform.dts
+++ b/pvmfw/platform.dts
@@ -706,6 +706,14 @@
timeout-sec = <8>;
};
+ cpufreq {
+ compatible = "virtual,android-v-only-cpufreq";
+ reg = <0x0 0x1040000 PLACEHOLDER2>;
+ };
+
+ // Keep pvIOMMUs at the last for making test happy.
+ // Otherwise, phandle of other nodes are changed when unused pvIOMMU nodes
+ // are removed, so hardcoded phandles in test data would mismatch.
pviommu_0: pviommu0 {
compatible = "pkvm,pviommu";
id = <PLACEHOLDER>;
@@ -766,8 +774,5 @@
#iommu-cells = <1>;
};
- cpufreq {
- compatible = "virtual,android-v-only-cpufreq";
- reg = <0x0 0x1040000 PLACEHOLDER2>;
- };
+ // Do not add new node below
};
diff --git a/pvmfw/src/device_assignment.rs b/pvmfw/src/device_assignment.rs
index c3ccf96..885cd22 100644
--- a/pvmfw/src/device_assignment.rs
+++ b/pvmfw/src/device_assignment.rs
@@ -29,8 +29,10 @@
use core::mem;
use core::ops::Range;
use hyp::DeviceAssigningHypervisor;
-use libfdt::{Fdt, FdtError, FdtNode, Phandle, Reg};
+use libfdt::{Fdt, FdtError, FdtNode, FdtNodeMut, Phandle, Reg};
use log::error;
+use zerocopy::byteorder::big_endian::U32;
+use zerocopy::FromBytes as _;
// TODO(b/308694211): Use cstr! from vmbase instead.
macro_rules! cstr {
@@ -214,6 +216,72 @@
}
}
+#[derive(Debug, Eq, PartialEq)]
+enum DeviceTreeChildrenMask {
+ Partial(Vec<DeviceTreeMask>),
+ All,
+}
+
+#[derive(Eq, PartialEq)]
+struct DeviceTreeMask {
+ name_bytes: Vec<u8>,
+ children: DeviceTreeChildrenMask,
+}
+
+impl fmt::Debug for DeviceTreeMask {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ let name_bytes = [self.name_bytes.as_slice(), b"\0"].concat();
+
+ f.debug_struct("DeviceTreeMask")
+ .field("name", &CStr::from_bytes_with_nul(&name_bytes).unwrap())
+ .field("children", &self.children)
+ .finish()
+ }
+}
+
+impl DeviceTreeMask {
+ fn new() -> Self {
+ Self { name_bytes: b"/".to_vec(), children: DeviceTreeChildrenMask::Partial(Vec::new()) }
+ }
+
+ fn mask_internal(&mut self, path: &DtPathTokens, leaf_mask: DeviceTreeChildrenMask) -> bool {
+ let mut iter = self;
+ let mut newly_masked = false;
+ 'next_token: for path_token in &path.tokens {
+ let DeviceTreeChildrenMask::Partial(ref mut children) = &mut iter.children else {
+ return false;
+ };
+
+ // Note: Can't use iterator for 'get or insert'. (a.k.a. polonius Rust)
+ #[allow(clippy::needless_range_loop)]
+ for i in 0..children.len() {
+ if children[i].name_bytes.as_slice() == *path_token {
+ iter = &mut children[i];
+ newly_masked = false;
+ continue 'next_token;
+ }
+ }
+ let child = Self {
+ name_bytes: path_token.to_vec(),
+ children: DeviceTreeChildrenMask::Partial(Vec::new()),
+ };
+ children.push(child);
+ newly_masked = true;
+ iter = children.last_mut().unwrap()
+ }
+ iter.children = leaf_mask;
+ newly_masked
+ }
+
+ fn mask(&mut self, path: &DtPathTokens) -> bool {
+ self.mask_internal(path, DeviceTreeChildrenMask::Partial(Vec::new()))
+ }
+
+ fn mask_all(&mut self, path: &DtPathTokens) {
+ self.mask_internal(path, DeviceTreeChildrenMask::All);
+ }
+}
+
/// Represents VM DTBO
#[repr(transparent)]
pub struct VmDtbo(Fdt);
@@ -347,6 +415,114 @@
}
Ok(Some(node))
}
+
+ fn collect_overlayable_nodes_with_phandle(&self) -> Result<BTreeMap<Phandle, DtPathTokens>> {
+ let mut paths = BTreeMap::new();
+ let mut path: DtPathTokens = Default::default();
+ let root = self.as_ref().root();
+ for (node, depth) in root.descendants() {
+ path.tokens.truncate(depth - 1);
+ path.tokens.push(node.name()?.to_bytes());
+ if !path.is_overlayable_node() {
+ continue;
+ }
+ if let Some(phandle) = node.get_phandle()? {
+ paths.insert(phandle, path.clone());
+ }
+ }
+ Ok(paths)
+ }
+
+ fn collect_phandle_references_from_overlayable_nodes(
+ &self,
+ ) -> Result<BTreeMap<DtPathTokens, Vec<Phandle>>> {
+ const CELL_SIZE: usize = core::mem::size_of::<u32>();
+
+ let vm_dtbo = self.as_ref();
+
+ let mut phandle_map = BTreeMap::new();
+ let Some(local_fixups) = vm_dtbo.node(cstr!("/__local_fixups__"))? else {
+ return Ok(phandle_map);
+ };
+
+ let mut path: DtPathTokens = Default::default();
+ for (fixup_node, depth) in local_fixups.descendants() {
+ let node_name = fixup_node.name()?;
+ path.tokens.truncate(depth - 1);
+ path.tokens.push(node_name.to_bytes());
+ if path.tokens.len() != depth {
+ return Err(DeviceAssignmentError::Internal);
+ }
+ if !path.is_overlayable_node() {
+ continue;
+ }
+ let target_node = self.node(&path)?.ok_or(DeviceAssignmentError::InvalidDtbo)?;
+
+ let mut phandles = vec![];
+ for fixup_prop in fixup_node.properties()? {
+ let target_prop = target_node
+ .getprop(fixup_prop.name()?)
+ .or(Err(DeviceAssignmentError::InvalidDtbo))?
+ .ok_or(DeviceAssignmentError::InvalidDtbo)?;
+ let fixup_prop_values = fixup_prop.value()?;
+ if fixup_prop_values.is_empty() || fixup_prop_values.len() % CELL_SIZE != 0 {
+ return Err(DeviceAssignmentError::InvalidDtbo);
+ }
+
+ for fixup_prop_cell in fixup_prop_values.chunks(CELL_SIZE) {
+ let phandle_offset: usize = u32::from_be_bytes(
+ fixup_prop_cell.try_into().or(Err(DeviceAssignmentError::InvalidDtbo))?,
+ )
+ .try_into()
+ .or(Err(DeviceAssignmentError::InvalidDtbo))?;
+ if phandle_offset % CELL_SIZE != 0 {
+ return Err(DeviceAssignmentError::InvalidDtbo);
+ }
+ let phandle_value = target_prop
+ .get(phandle_offset..phandle_offset + CELL_SIZE)
+ .ok_or(DeviceAssignmentError::InvalidDtbo)?;
+ let phandle: Phandle = U32::ref_from(phandle_value)
+ .unwrap()
+ .get()
+ .try_into()
+ .or(Err(DeviceAssignmentError::InvalidDtbo))?;
+
+ phandles.push(phandle);
+ }
+ }
+ if !phandles.is_empty() {
+ phandle_map.insert(path.clone(), phandles);
+ }
+ }
+
+ Ok(phandle_map)
+ }
+
+ fn build_mask(&self, assigned_devices: Vec<DtPathTokens>) -> Result<DeviceTreeMask> {
+ if assigned_devices.is_empty() {
+ return Err(DeviceAssignmentError::Internal);
+ }
+
+ let dependencies = self.collect_phandle_references_from_overlayable_nodes()?;
+ let paths = self.collect_overlayable_nodes_with_phandle()?;
+
+ let mut mask = DeviceTreeMask::new();
+ let mut stack = assigned_devices;
+ while let Some(path) = stack.pop() {
+ if !mask.mask(&path) {
+ continue;
+ }
+ let Some(dst_phandles) = dependencies.get(&path) else {
+ continue;
+ };
+ for dst_phandle in dst_phandles {
+ let dst_path = paths.get(dst_phandle).ok_or(DeviceAssignmentError::Internal)?;
+ stack.push(dst_path.clone());
+ }
+ }
+
+ Ok(mask)
+ }
}
fn filter_dangling_symbols(fdt: &mut Fdt) -> Result<()> {
@@ -381,6 +557,38 @@
}
}
+// Filter any node that isn't masked by DeviceTreeMask.
+fn filter_with_mask(anchor: FdtNodeMut, mask: &DeviceTreeMask) -> Result<()> {
+ let mut stack = vec![mask];
+ let mut iter = anchor.next_node(0)?;
+ while let Some((node, depth)) = iter {
+ stack.truncate(depth);
+ let parent_mask = stack.last().unwrap();
+ let DeviceTreeChildrenMask::Partial(parent_mask_children) = &parent_mask.children else {
+ // Shouldn't happen. We only step-in if parent has DeviceTreeChildrenMask::Partial.
+ return Err(DeviceAssignmentError::Internal);
+ };
+
+ let name = node.as_node().name()?.to_bytes();
+ let mask = parent_mask_children.iter().find(|child_mask| child_mask.name_bytes == name);
+ if let Some(masked) = mask {
+ if let DeviceTreeChildrenMask::Partial(_) = &masked.children {
+ // This node is partially masked. Stepping-in.
+ stack.push(masked);
+ iter = node.next_node(depth)?;
+ } else {
+ // This node is fully masked. Stepping-out.
+ iter = node.next_node_skip_subnodes(depth)?;
+ }
+ } else {
+ // This node isn't masked.
+ iter = node.delete_and_next_node(depth)?;
+ }
+ }
+
+ Ok(())
+}
+
#[derive(Debug, Copy, Clone, Eq, PartialEq, Ord, PartialOrd)]
struct PvIommu {
// ID from pvIOMMU node
@@ -689,11 +897,11 @@
}
}
-#[derive(Debug, Default, Eq, PartialEq)]
+#[derive(Debug, Eq, PartialEq)]
pub struct DeviceAssignmentInfo {
pviommus: BTreeSet<PvIommu>,
assigned_devices: Vec<AssignedDeviceInfo>,
- filtered_dtbo_paths: Vec<CString>,
+ vm_dtbo_mask: DeviceTreeMask,
}
impl DeviceAssignmentInfo {
@@ -751,7 +959,7 @@
let physical_devices = vm_dtbo.parse_physical_devices()?;
let mut assigned_devices = vec![];
- let mut filtered_dtbo_paths = vec![];
+ let mut assigned_device_paths = vec![];
for symbol_prop in symbols_node.properties()? {
let symbol_prop_value = symbol_prop.value()?;
let dtbo_node_path = CStr::from_bytes_with_nul(symbol_prop_value)
@@ -770,8 +978,7 @@
)?;
if let Some(assigned_device) = assigned_device {
assigned_devices.push(assigned_device);
- } else {
- filtered_dtbo_paths.push(dtbo_node_path.to_cstring());
+ assigned_device_paths.push(dtbo_node_path);
}
}
if assigned_devices.is_empty() {
@@ -780,32 +987,29 @@
Self::validate_pviommu_topology(&assigned_devices)?;
- // Clean up any nodes that wouldn't be overlaid but may contain reference to filtered nodes.
- // Otherwise, `fdt_apply_overlay()` would fail because of missing phandle reference.
- // TODO(b/277993056): Also filter other unused nodes/props in __local_fixups__
- filtered_dtbo_paths.push(CString::new("/__local_fixups__/host").unwrap());
+ let mut vm_dtbo_mask = vm_dtbo.build_mask(assigned_device_paths)?;
+ vm_dtbo_mask.mask_all(&DtPathTokens::new(cstr!("/__local_fixups__"))?);
+ vm_dtbo_mask.mask_all(&DtPathTokens::new(cstr!("/__symbols__"))?);
// Note: Any node without __overlay__ will be ignored by fdt_apply_overlay,
// so doesn't need to be filtered.
- Ok(Some(Self { pviommus: unique_pviommus, assigned_devices, filtered_dtbo_paths }))
+ Ok(Some(Self { pviommus: unique_pviommus, assigned_devices, vm_dtbo_mask }))
}
/// Filters VM DTBO to only contain necessary information for booting pVM
- /// In detail, this will remove followings by setting nop node / nop property.
- /// - Removes unassigned devices
- // TODO(b/277993056): remove unused dependencies in VM DTBO.
- // TODO(b/277993056): remove supernodes' properties.
- // TODO(b/277993056): remove unused alises.
pub fn filter(&self, vm_dtbo: &mut VmDtbo) -> Result<()> {
let vm_dtbo = vm_dtbo.as_mut();
- // Filters unused node in assigned devices
- for filtered_dtbo_path in &self.filtered_dtbo_paths {
- let node = vm_dtbo.node_mut(filtered_dtbo_path).unwrap().unwrap();
- node.nop()?;
+ // Filter unused references in /__local_fixups__
+ if let Some(local_fixups) = vm_dtbo.node_mut(cstr!("/__local_fixups__"))? {
+ filter_with_mask(local_fixups, &self.vm_dtbo_mask)?;
}
+ // Filter unused nodes in rest of tree
+ let root = vm_dtbo.root_mut();
+ filter_with_mask(root, &self.vm_dtbo_mask)?;
+
filter_dangling_symbols(vm_dtbo)
}
@@ -860,13 +1064,17 @@
mod tests {
use super::*;
use alloc::collections::{BTreeMap, BTreeSet};
+ use dts::Dts;
use std::fs;
+ use std::path::Path;
const VM_DTBO_FILE_PATH: &str = "test_pvmfw_devices_vm_dtbo.dtbo";
const VM_DTBO_WITHOUT_SYMBOLS_FILE_PATH: &str =
"test_pvmfw_devices_vm_dtbo_without_symbols.dtbo";
const VM_DTBO_WITH_DUPLICATED_IOMMUS_FILE_PATH: &str =
"test_pvmfw_devices_vm_dtbo_with_duplicated_iommus.dtbo";
+ const VM_DTBO_WITH_DEPENDENCIES_FILE_PATH: &str =
+ "test_pvmfw_devices_vm_dtbo_with_dependencies.dtbo";
const FDT_WITHOUT_IOMMUS_FILE_PATH: &str = "test_pvmfw_devices_without_iommus.dtb";
const FDT_WITHOUT_DEVICE_FILE_PATH: &str = "test_pvmfw_devices_without_device.dtb";
const FDT_FILE_PATH: &str = "test_pvmfw_devices_with_rng.dtb";
@@ -879,6 +1087,16 @@
"test_pvmfw_devices_with_duplicated_pviommus.dtb";
const FDT_WITH_MULTIPLE_REG_IOMMU_FILE_PATH: &str =
"test_pvmfw_devices_with_multiple_reg_iommus.dtb";
+ const FDT_WITH_DEPENDENCY_FILE_PATH: &str = "test_pvmfw_devices_with_dependency.dtb";
+ const FDT_WITH_MULTIPLE_DEPENDENCIES_FILE_PATH: &str =
+ "test_pvmfw_devices_with_multiple_dependencies.dtb";
+ const FDT_WITH_DEPENDENCY_LOOP_FILE_PATH: &str = "test_pvmfw_devices_with_dependency_loop.dtb";
+
+ const EXPECTED_FDT_WITH_DEPENDENCY_FILE_PATH: &str = "expected_dt_with_dependency.dtb";
+ const EXPECTED_FDT_WITH_MULTIPLE_DEPENDENCIES_FILE_PATH: &str =
+ "expected_dt_with_multiple_dependencies.dtb";
+ const EXPECTED_FDT_WITH_DEPENDENCY_LOOP_FILE_PATH: &str =
+ "expected_dt_with_dependency_loop.dtb";
#[derive(Debug, Default)]
struct MockHypervisor {
@@ -1449,4 +1667,97 @@
let compatible = platform_dt.root().next_compatible(cstr!("pkvm,pviommu"));
assert_eq!(Ok(None), compatible);
}
+
+ #[test]
+ fn device_info_dependency() {
+ let mut fdt_data = fs::read(FDT_WITH_DEPENDENCY_FILE_PATH).unwrap();
+ let mut vm_dtbo_data = fs::read(VM_DTBO_WITH_DEPENDENCIES_FILE_PATH).unwrap();
+ let fdt = Fdt::from_mut_slice(&mut fdt_data).unwrap();
+ let vm_dtbo = VmDtbo::from_mut_slice(&mut vm_dtbo_data).unwrap();
+ let mut platform_dt_data = pvmfw_fdt_template::RAW.to_vec();
+ platform_dt_data.resize(pvmfw_fdt_template::RAW.len() * 2, 0);
+ let platform_dt = Fdt::from_mut_slice(&mut platform_dt_data).unwrap();
+ platform_dt.unpack().unwrap();
+
+ let hypervisor = MockHypervisor {
+ mmio_tokens: [((0xFF000, 0x1), 0xF000)].into(),
+ iommu_tokens: Default::default(),
+ };
+
+ let device_info = DeviceAssignmentInfo::parse(fdt, vm_dtbo, &hypervisor).unwrap().unwrap();
+ device_info.filter(vm_dtbo).unwrap();
+
+ // SAFETY: Damaged VM DTBO wouldn't be used after this unsafe block.
+ unsafe {
+ platform_dt.apply_overlay(vm_dtbo.as_mut()).unwrap();
+ }
+ device_info.patch(platform_dt).unwrap();
+
+ let expected = Dts::from_dtb(Path::new(EXPECTED_FDT_WITH_DEPENDENCY_FILE_PATH)).unwrap();
+ let platform_dt = Dts::from_fdt(platform_dt).unwrap();
+
+ assert_eq!(expected, platform_dt);
+ }
+
+ #[test]
+ fn device_info_multiple_dependencies() {
+ let mut fdt_data = fs::read(FDT_WITH_MULTIPLE_DEPENDENCIES_FILE_PATH).unwrap();
+ let mut vm_dtbo_data = fs::read(VM_DTBO_WITH_DEPENDENCIES_FILE_PATH).unwrap();
+ let fdt = Fdt::from_mut_slice(&mut fdt_data).unwrap();
+ let vm_dtbo = VmDtbo::from_mut_slice(&mut vm_dtbo_data).unwrap();
+ let mut platform_dt_data = pvmfw_fdt_template::RAW.to_vec();
+ platform_dt_data.resize(pvmfw_fdt_template::RAW.len() * 2, 0);
+ let platform_dt = Fdt::from_mut_slice(&mut platform_dt_data).unwrap();
+ platform_dt.unpack().unwrap();
+
+ let hypervisor = MockHypervisor {
+ mmio_tokens: [((0xFF000, 0x1), 0xF000), ((0xFF100, 0x1), 0xF100)].into(),
+ iommu_tokens: Default::default(),
+ };
+ let device_info = DeviceAssignmentInfo::parse(fdt, vm_dtbo, &hypervisor).unwrap().unwrap();
+ device_info.filter(vm_dtbo).unwrap();
+
+ // SAFETY: Damaged VM DTBO wouldn't be used after this unsafe block.
+ unsafe {
+ platform_dt.apply_overlay(vm_dtbo.as_mut()).unwrap();
+ }
+ device_info.patch(platform_dt).unwrap();
+
+ let expected =
+ Dts::from_dtb(Path::new(EXPECTED_FDT_WITH_MULTIPLE_DEPENDENCIES_FILE_PATH)).unwrap();
+ let platform_dt = Dts::from_fdt(platform_dt).unwrap();
+
+ assert_eq!(expected, platform_dt);
+ }
+
+ #[test]
+ fn device_info_dependency_loop() {
+ let mut fdt_data = fs::read(FDT_WITH_DEPENDENCY_LOOP_FILE_PATH).unwrap();
+ let mut vm_dtbo_data = fs::read(VM_DTBO_WITH_DEPENDENCIES_FILE_PATH).unwrap();
+ let fdt = Fdt::from_mut_slice(&mut fdt_data).unwrap();
+ let vm_dtbo = VmDtbo::from_mut_slice(&mut vm_dtbo_data).unwrap();
+ let mut platform_dt_data = pvmfw_fdt_template::RAW.to_vec();
+ platform_dt_data.resize(pvmfw_fdt_template::RAW.len() * 2, 0);
+ let platform_dt = Fdt::from_mut_slice(&mut platform_dt_data).unwrap();
+ platform_dt.unpack().unwrap();
+
+ let hypervisor = MockHypervisor {
+ mmio_tokens: [((0xFF200, 0x1), 0xF200)].into(),
+ iommu_tokens: Default::default(),
+ };
+ let device_info = DeviceAssignmentInfo::parse(fdt, vm_dtbo, &hypervisor).unwrap().unwrap();
+ device_info.filter(vm_dtbo).unwrap();
+
+ // SAFETY: Damaged VM DTBO wouldn't be used after this unsafe block.
+ unsafe {
+ platform_dt.apply_overlay(vm_dtbo.as_mut()).unwrap();
+ }
+ device_info.patch(platform_dt).unwrap();
+
+ let expected =
+ Dts::from_dtb(Path::new(EXPECTED_FDT_WITH_DEPENDENCY_LOOP_FILE_PATH)).unwrap();
+ let platform_dt = Dts::from_fdt(platform_dt).unwrap();
+
+ assert_eq!(expected, platform_dt);
+ }
}
diff --git a/pvmfw/src/instance.rs b/pvmfw/src/instance.rs
index 6daadd9..43c7442 100644
--- a/pvmfw/src/instance.rs
+++ b/pvmfw/src/instance.rs
@@ -27,7 +27,6 @@
use log::trace;
use uuid::Uuid;
use virtio_drivers::transport::{pci::bus::PciRoot, DeviceType, Transport};
-use vmbase::rand;
use vmbase::util::ceiling_div;
use vmbase::virtio::pci::{PciTransportIterator, VirtIOBlk};
use vmbase::virtio::HalImpl;
@@ -38,8 +37,6 @@
pub enum Error {
/// Unexpected I/O error while accessing the underlying disk.
FailedIo(gpt::Error),
- /// Failed to generate a random salt to be stored.
- FailedSaltGeneration(rand::Error),
/// Impossible to create a new instance.img entry.
InstanceImageFull,
/// Badly formatted instance.img header block.
@@ -66,7 +63,6 @@
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
match self {
Self::FailedIo(e) => write!(f, "Failed I/O to disk: {e}"),
- Self::FailedSaltGeneration(e) => write!(f, "Failed to generate salt: {e}"),
Self::InstanceImageFull => write!(f, "Failed to obtain a free instance.img partition"),
Self::InvalidInstanceImageHeader => write!(f, "instance.img header is invalid"),
Self::MissingInstanceImage => write!(f, "Failed to find the instance.img partition"),
@@ -93,27 +89,27 @@
pub type Result<T> = core::result::Result<T, Error>;
-pub fn get_or_generate_instance_salt(
+fn aead_ctx_from_secret(secret: &[u8]) -> Result<AeadContext> {
+ let key = hkdf::<32>(secret, /* salt= */ &[], b"vm-instance", Digester::sha512())?;
+ Ok(AeadContext::new(Aead::aes_256_gcm_randnonce(), key.as_slice(), /* tag_len */ None)?)
+}
+
+/// Get the entry from instance.img. This method additionally returns Partition corresponding to
+/// pvmfw in the instance.img as well as index corresponding to empty header which can be used to
+/// record instance data with `record_instance_entry`.
+pub(crate) fn get_recorded_entry(
pci_root: &mut PciRoot,
- dice_inputs: &PartialInputs,
secret: &[u8],
-) -> Result<(bool, Hidden)> {
+) -> Result<(Option<EntryBody>, Partition, usize)> {
let mut instance_img = find_instance_img(pci_root)?;
let entry = locate_entry(&mut instance_img)?;
trace!("Found pvmfw instance.img entry: {entry:?}");
- let key = hkdf::<32>(secret, /* salt= */ &[], b"vm-instance", Digester::sha512())?;
- let tag_len = None;
- let aead_ctx = AeadContext::new(Aead::aes_256_gcm_randnonce(), key.as_slice(), tag_len)?;
- let ad = &[];
- // The nonce is generated internally for `aes_256_gcm_randnonce`, so no additional
- // nonce is required.
- let nonce = &[];
-
- let mut blk = [0; BLK_SIZE];
match entry {
PvmfwEntry::Existing { header_index, payload_size } => {
+ let aead_ctx = aead_ctx_from_secret(secret)?;
+ let mut blk = [0; BLK_SIZE];
if payload_size > blk.len() {
// We currently only support single-blk entries.
return Err(Error::UnsupportedEntrySize(payload_size));
@@ -123,52 +119,41 @@
let payload = &blk[..payload_size];
let mut entry = [0; size_of::<EntryBody>()];
- let decrypted = aead_ctx.open(payload, nonce, ad, &mut entry)?;
-
+ // The nonce is generated internally for `aes_256_gcm_randnonce`, so no additional
+ // nonce is required.
+ let decrypted =
+ aead_ctx.open(payload, /* nonce */ &[], /* ad */ &[], &mut entry)?;
let body = EntryBody::read_from(decrypted).unwrap();
- if dice_inputs.rkp_vm_marker {
- // The RKP VM is allowed to run if it has passed the verified boot check and
- // contains the expected version in its AVB footer.
- // The comparison below with the previous boot information is skipped to enable the
- // simultaneous update of the pvmfw and RKP VM.
- // For instance, when both the pvmfw and RKP VM are updated, the code hash of the
- // RKP VM will differ from the one stored in the instance image. In this case, the
- // RKP VM is still allowed to run.
- // This ensures that the updated RKP VM will retain the same CDIs in the next stage.
- return Ok((false, body.salt));
- }
- if body.code_hash != dice_inputs.code_hash {
- Err(Error::RecordedCodeHashMismatch)
- } else if body.auth_hash != dice_inputs.auth_hash {
- Err(Error::RecordedAuthHashMismatch)
- } else if body.mode() != dice_inputs.mode {
- Err(Error::RecordedDiceModeMismatch)
- } else {
- Ok((false, body.salt))
- }
+ Ok((Some(body), instance_img, header_index))
}
- PvmfwEntry::New { header_index } => {
- let salt = rand::random_array().map_err(Error::FailedSaltGeneration)?;
- let body = EntryBody::new(dice_inputs, &salt);
-
- // We currently only support single-blk entries.
- let plaintext = body.as_bytes();
- assert!(plaintext.len() + aead_ctx.aead().max_overhead() < blk.len());
- let encrypted = aead_ctx.seal(plaintext, nonce, ad, &mut blk)?;
- let payload_size = encrypted.len();
- let payload_index = header_index + 1;
- instance_img.write_block(payload_index, &blk).map_err(Error::FailedIo)?;
-
- let header = EntryHeader::new(PvmfwEntry::UUID, payload_size);
- header.write_to_prefix(blk.as_mut_slice()).unwrap();
- blk[header.as_bytes().len()..].fill(0);
- instance_img.write_block(header_index, &blk).map_err(Error::FailedIo)?;
-
- Ok((true, salt))
- }
+ PvmfwEntry::New { header_index } => Ok((None, instance_img, header_index)),
}
}
+pub(crate) fn record_instance_entry(
+ body: &EntryBody,
+ secret: &[u8],
+ instance_img: &mut Partition,
+ header_index: usize,
+) -> Result<()> {
+ // We currently only support single-blk entries.
+ let mut blk = [0; BLK_SIZE];
+ let plaintext = body.as_bytes();
+ let aead_ctx = aead_ctx_from_secret(secret)?;
+ assert!(plaintext.len() + aead_ctx.aead().max_overhead() < blk.len());
+ let encrypted = aead_ctx.seal(plaintext, /* nonce */ &[], /* ad */ &[], &mut blk)?;
+ let payload_size = encrypted.len();
+ let payload_index = header_index + 1;
+ instance_img.write_block(payload_index, &blk).map_err(Error::FailedIo)?;
+
+ let header = EntryHeader::new(PvmfwEntry::UUID, payload_size);
+ header.write_to_prefix(blk.as_mut_slice()).unwrap();
+ blk[header.as_bytes().len()..].fill(0);
+ instance_img.write_block(header_index, &blk).map_err(Error::FailedIo)?;
+
+ Ok(())
+}
+
#[derive(FromZeroes, FromBytes)]
#[repr(C, packed)]
struct Header {
@@ -276,15 +261,15 @@
#[derive(AsBytes, FromZeroes, FromBytes)]
#[repr(C)]
-struct EntryBody {
- code_hash: Hash,
- auth_hash: Hash,
- salt: Hidden,
+pub(crate) struct EntryBody {
+ pub code_hash: Hash,
+ pub auth_hash: Hash,
+ pub salt: Hidden,
mode: u8,
}
impl EntryBody {
- fn new(dice_inputs: &PartialInputs, salt: &Hidden) -> Self {
+ pub(crate) fn new(dice_inputs: &PartialInputs, salt: &Hidden) -> Self {
let mode = match dice_inputs.mode {
DiceMode::kDiceModeNotInitialized => 0,
DiceMode::kDiceModeNormal => 1,
@@ -300,7 +285,7 @@
}
}
- fn mode(&self) -> DiceMode {
+ pub(crate) fn mode(&self) -> DiceMode {
match self.mode {
1 => DiceMode::kDiceModeNormal,
2 => DiceMode::kDiceModeDebug,
diff --git a/pvmfw/src/main.rs b/pvmfw/src/main.rs
index f80bae1..12d63d5 100644
--- a/pvmfw/src/main.rs
+++ b/pvmfw/src/main.rs
@@ -37,7 +37,9 @@
use crate::entry::RebootReason;
use crate::fdt::modify_for_next_stage;
use crate::helpers::GUEST_PAGE_SIZE;
-use crate::instance::get_or_generate_instance_salt;
+use crate::instance::EntryBody;
+use crate::instance::Error as InstanceError;
+use crate::instance::{get_recorded_entry, record_instance_entry};
use alloc::borrow::Cow;
use alloc::boxed::Box;
use core::ops::Range;
@@ -150,11 +152,43 @@
error!("Failed to compute partial DICE inputs: {e:?}");
RebootReason::InternalError
})?;
- let (new_instance, salt) = get_or_generate_instance_salt(&mut pci_root, &dice_inputs, cdi_seal)
- .map_err(|e| {
- error!("Failed to get instance.img salt: {e}");
+
+ let (recorded_entry, mut instance_img, header_index) =
+ get_recorded_entry(&mut pci_root, cdi_seal).map_err(|e| {
+ error!("Failed to get entry from instance.img: {e}");
RebootReason::InternalError
})?;
+ let (new_instance, salt) = if let Some(entry) = recorded_entry {
+ // The RKP VM is allowed to run if it has passed the verified boot check and
+ // contains the expected version in its AVB footer.
+ // The comparison below with the previous boot information is skipped to enable the
+ // simultaneous update of the pvmfw and RKP VM.
+ // For instance, when both the pvmfw and RKP VM are updated, the code hash of the
+ // RKP VM will differ from the one stored in the instance image. In this case, the
+ // RKP VM is still allowed to run.
+ // This ensures that the updated RKP VM will retain the same CDIs in the next stage.
+ if !dice_inputs.rkp_vm_marker {
+ ensure_dice_measurements_match_entry(&dice_inputs, &entry).map_err(|e| {
+ error!(
+ "Dice measurements do not match recorded entry.
+ This may be because of update: {e}"
+ );
+ RebootReason::InternalError
+ })?;
+ }
+ (false, entry.salt)
+ } else {
+ let salt = rand::random_array().map_err(|e| {
+ error!("Failed to generated instance.img salt: {e}");
+ RebootReason::InternalError
+ })?;
+ let entry = EntryBody::new(&dice_inputs, &salt);
+ record_instance_entry(&entry, cdi_seal, &mut instance_img, header_index).map_err(|e| {
+ error!("Failed to get recorded entry in instance.img: {e}");
+ RebootReason::InternalError
+ })?;
+ (true, salt)
+ };
trace!("Got salt from instance.img: {salt:x?}");
let new_bcc_handover = if cfg!(dice_changes) {
@@ -207,6 +241,21 @@
Ok(bcc_range)
}
+fn ensure_dice_measurements_match_entry(
+ dice_inputs: &PartialInputs,
+ entry: &EntryBody,
+) -> Result<(), InstanceError> {
+ if entry.code_hash != dice_inputs.code_hash {
+ Err(InstanceError::RecordedCodeHashMismatch)
+ } else if entry.auth_hash != dice_inputs.auth_hash {
+ Err(InstanceError::RecordedAuthHashMismatch)
+ } else if entry.mode() != dice_inputs.mode {
+ Err(InstanceError::RecordedDiceModeMismatch)
+ } else {
+ Ok(())
+ }
+}
+
/// Logs the given PCI error and returns the appropriate `RebootReason`.
fn handle_pci_error(e: PciError) -> RebootReason {
error!("{}", e);
diff --git a/pvmfw/testdata/expected_dt_with_dependency.dts b/pvmfw/testdata/expected_dt_with_dependency.dts
new file mode 100644
index 0000000..7e0ad20
--- /dev/null
+++ b/pvmfw/testdata/expected_dt_with_dependency.dts
@@ -0,0 +1,47 @@
+/dts-v1/;
+
+/include/ "platform_preprocessed.dts"
+
+// Note: This uses manually written __symbols__ so we don't
+
+/ {
+ node_a: node_a {
+ phandle = <0x2E>;
+ val = <0x6>;
+ dep = <&node_a_dep &common>;
+ reg = <0x0 0xFF000 0x0 0x1>;
+ interrupts = <0x0 0xF 0x4>;
+ iommus;
+ };
+
+ node_a_dep: node_a_dep {
+ phandle = <0x31>;
+ val = <0xFF>;
+ dep = <&node_aa_nested_dep>;
+ };
+
+ node_aa {
+ should_be_preserved = <0xFF>;
+
+ node_aa_nested_dep: node_aa_nested_dep {
+ phandle = <0x33>;
+ tag = <0x9>;
+ };
+ };
+
+ common: common {
+ phandle = <0x32>;
+ id = <0x9>;
+ };
+
+ /delete-node/ pviommu0;
+ /delete-node/ pviommu1;
+ /delete-node/ pviommu2;
+ /delete-node/ pviommu3;
+ /delete-node/ pviommu4;
+ /delete-node/ pviommu5;
+ /delete-node/ pviommu6;
+ /delete-node/ pviommu7;
+ /delete-node/ pviommu8;
+ /delete-node/ pviommu9;
+};
diff --git a/pvmfw/testdata/expected_dt_with_dependency_loop.dts b/pvmfw/testdata/expected_dt_with_dependency_loop.dts
new file mode 100644
index 0000000..61031ab
--- /dev/null
+++ b/pvmfw/testdata/expected_dt_with_dependency_loop.dts
@@ -0,0 +1,29 @@
+/dts-v1/;
+
+/include/ "platform_preprocessed.dts"
+
+/ {
+ node_c: node_c {
+ phandle = <0x30>;
+ loop_dep = <&node_c_loop>;
+ reg = <0x0 0xFF200 0x0 0x1>;
+ interrupts = <0x0 0xF 0x4>;
+ iommus;
+ };
+
+ node_c_loop: node_c_loop {
+ phandle = <0x36>;
+ loop_dep = <&node_c>;
+ };
+
+ /delete-node/ pviommu0;
+ /delete-node/ pviommu1;
+ /delete-node/ pviommu2;
+ /delete-node/ pviommu3;
+ /delete-node/ pviommu4;
+ /delete-node/ pviommu5;
+ /delete-node/ pviommu6;
+ /delete-node/ pviommu7;
+ /delete-node/ pviommu8;
+ /delete-node/ pviommu9;
+};
diff --git a/pvmfw/testdata/expected_dt_with_multiple_dependencies.dts b/pvmfw/testdata/expected_dt_with_multiple_dependencies.dts
new file mode 100644
index 0000000..dc8c357
--- /dev/null
+++ b/pvmfw/testdata/expected_dt_with_multiple_dependencies.dts
@@ -0,0 +1,70 @@
+/dts-v1/;
+
+// Note: We can't use label syntax here.
+// Implementation applies overlay after removing /__symbols__,
+// so using label syntax here wouldn't match with the actual reasult.
+
+/include/ "platform_preprocessed.dts"
+
+/ {
+ node_a: node_a {
+ phandle = <0x2E>;
+ val = <0x6>;
+ dep = <&node_a_dep &common>;
+ reg = <0x0 0xFF000 0x0 0x1>;
+ interrupts = <0x0 0xF 0x4>;
+ iommus;
+ };
+
+ node_a_dep: node_a_dep {
+ phandle = <0x31>;
+ val = <0xFF>;
+ dep = <&node_aa_nested_dep>;
+ };
+
+ node_aa {
+ should_be_preserved = <0xFF>;
+
+ node_aa_nested_dep: node_aa_nested_dep {
+ phandle = <0x33>;
+ tag = <0x9>;
+ };
+ };
+
+ node_b: node_b {
+ phandle = <0x2F>;
+ tag = <0x33>;
+ version = <0x1 0x2>;
+ dep = <&node_b_dep1 &node_b_dep2>;
+ reg = <0x00 0xFF100 0x00 0x01>;
+ interrupts = <0x00 0x0F 0x04>;
+ iommus;
+ };
+
+ node_b_dep1: node_b_dep1 {
+ phandle = <0x34>;
+ placeholder;
+ };
+
+ node_b_dep2: node_b_dep2 {
+ phandle = <0x35>;
+ placeholder;
+ dep = <&common>;
+ };
+
+ common: common {
+ phandle = <0x32>;
+ id = <0x9>;
+ };
+
+ /delete-node/ pviommu0;
+ /delete-node/ pviommu1;
+ /delete-node/ pviommu2;
+ /delete-node/ pviommu3;
+ /delete-node/ pviommu4;
+ /delete-node/ pviommu5;
+ /delete-node/ pviommu6;
+ /delete-node/ pviommu7;
+ /delete-node/ pviommu8;
+ /delete-node/ pviommu9;
+};
diff --git a/pvmfw/testdata/test_pvmfw_devices_vm_dtbo_with_dependencies.dts b/pvmfw/testdata/test_pvmfw_devices_vm_dtbo_with_dependencies.dts
new file mode 100644
index 0000000..21075e7
--- /dev/null
+++ b/pvmfw/testdata/test_pvmfw_devices_vm_dtbo_with_dependencies.dts
@@ -0,0 +1,77 @@
+/dts-v1/;
+/plugin/;
+
+/ {
+ host {
+ #address-cells = <0x2>;
+ #size-cells = <0x1>;
+ node_a {
+ reg = <0x0 0xF000 0x1>;
+ android,pvmfw,target = <&node_a>;
+ };
+ node_b {
+ reg = <0x0 0xF100 0x1>;
+ android,pvmfw,target = <&node_b>;
+ };
+ node_c {
+ reg = <0x0 0xF200 0x1>;
+ android,pvmfw,target = <&node_c>;
+ };
+ };
+};
+
+&{/} {
+ node_a: node_a {
+ val = <0x6>;
+ dep = <&node_a_dep &common>;
+ };
+
+ node_a_dep: node_a_dep {
+ val = <0xFF>;
+ dep = <&node_aa_nested_dep>;
+
+ node_a_internal {
+ val;
+ };
+ };
+
+ node_aa {
+ should_be_preserved = <0xFF>;
+ node_aa_nested_dep: node_aa_nested_dep {
+ tag = <0x9>;
+ };
+ };
+};
+
+&{/} {
+ node_b: node_b {
+ tag = <0x33>;
+ version = <0x1 0x2>;
+ dep = <&node_b_dep1 &node_b_dep2>;
+ };
+
+ node_b_dep1: node_b_dep1 {
+ placeholder;
+ };
+
+ node_b_dep2: node_b_dep2 {
+ placeholder;
+ dep = <&common>;
+ };
+};
+
+&{/} {
+ node_c: node_c {
+ loop_dep = <&node_c_loop>;
+ };
+
+ node_c_loop: node_c_loop {
+ loop_dep = <&node_c>;
+ };
+};
+
+&{/} {
+ common: common {
+ id = <0x9>;
+ };
+};
diff --git a/pvmfw/testdata/test_pvmfw_devices_with_dependency.dts b/pvmfw/testdata/test_pvmfw_devices_with_dependency.dts
new file mode 100644
index 0000000..b1cf6c7
--- /dev/null
+++ b/pvmfw/testdata/test_pvmfw_devices_with_dependency.dts
@@ -0,0 +1,36 @@
+/dts-v1/;
+
+/include/ "test_crosvm_dt_base.dtsi"
+
+/ {
+ node_a: node_a {
+ reg = <0x0 0xFF000 0x0 0x1>;
+ interrupts = <0x0 0xF 0x4>;
+ val = <0x6>;
+ dep = <&node_a_dep &common>;
+
+ node_a_internal {
+ parent = <&node_a>;
+ };
+ };
+
+ node_a_dep: node_a_dep {
+ val = <0xFF>;
+ dep = <&node_aa_nested_dep>;
+
+ node_a_dep_internal {
+ val;
+ };
+ };
+
+ node_aa {
+ should_be_preserved = <0xFF>;
+ node_aa_nested_dep: node_aa_nested_dep {
+ tag = <0x9>;
+ };
+ };
+
+ common: common {
+ id = <0x9>;
+ };
+};
diff --git a/pvmfw/testdata/test_pvmfw_devices_with_dependency_loop.dts b/pvmfw/testdata/test_pvmfw_devices_with_dependency_loop.dts
new file mode 100644
index 0000000..9a62cb5
--- /dev/null
+++ b/pvmfw/testdata/test_pvmfw_devices_with_dependency_loop.dts
@@ -0,0 +1,15 @@
+/dts-v1/;
+
+/include/ "test_crosvm_dt_base.dtsi"
+
+/ {
+ node_c: node_c {
+ reg = <0x0 0xFF200 0x0 0x1>;
+ interrupts = <0x0 0xF 0x4>;
+ loop_dep = <&node_c_loop>;
+ };
+
+ node_c_loop: node_c_loop {
+ loop_dep = <&node_c>;
+ };
+};
diff --git a/pvmfw/testdata/test_pvmfw_devices_with_multiple_dependencies.dts b/pvmfw/testdata/test_pvmfw_devices_with_multiple_dependencies.dts
new file mode 100644
index 0000000..573bdcf
--- /dev/null
+++ b/pvmfw/testdata/test_pvmfw_devices_with_multiple_dependencies.dts
@@ -0,0 +1,50 @@
+/dts-v1/;
+
+/include/ "test_crosvm_dt_base.dtsi"
+
+/ {
+ node_a: node_a {
+ reg = <0x0 0xFF000 0x0 0x1>;
+ interrupts = <0x0 0xF 0x4>;
+ val = <0x6>;
+ dep = <&node_a_dep &common>;
+ };
+
+ node_a_dep: node_a_dep {
+ val = <0xFF>;
+ dep = <&node_nested_dep>;
+
+ node_a_internal {
+ val;
+ };
+ };
+
+ node_aa {
+ should_be_preserved = <0xFF>;
+ node_nested_dep: node_aa_nested_dep {
+ tag = <0x9>;
+ };
+ };
+
+ node_b: node_b {
+ reg = <0x0 0xFF100 0x0 0x1>;
+ interrupts = <0x0 0xF 0x4>;
+ tag = <0x33>;
+ version = <0x1 0x2>;
+ phandle = <0x5>;
+ dep = <&node_b_dep1 &node_b_dep2>;
+ };
+
+ node_b_dep1: node_b_dep1 {
+ placeholder;
+ };
+
+ node_b_dep2: node_b_dep2 {
+ placeholder;
+ dep = <&common>;
+ };
+
+ common: common {
+ id = <0x9>;
+ };
+};
diff --git a/service_vm/test_apk/Android.bp b/service_vm/test_apk/Android.bp
index 8f5fb41..cd992db 100644
--- a/service_vm/test_apk/Android.bp
+++ b/service_vm/test_apk/Android.bp
@@ -2,12 +2,11 @@
default_applicable_licenses: ["Android-Apache-2.0"],
}
-android_test {
- name: "VmAttestationTestApp",
+java_defaults {
+ name: "vm_attestation_testapp_defaults",
test_suites: [
"general-tests",
],
- srcs: ["src/java/**/*.java"],
static_libs: [
"MicrodroidDeviceTestHelper",
"androidx.test.runner",
@@ -19,7 +18,12 @@
jni_uses_platform_apis: true,
use_embedded_native_libs: true,
sdk_version: "test_current",
- compile_multilib: "first",
+}
+
+android_test {
+ name: "VmAttestationTestApp",
+ srcs: ["src/java/com/android/virt/vm_attestation/testapp/*.java"],
+ defaults: ["vm_attestation_testapp_defaults"],
}
rust_defaults {
@@ -41,4 +45,22 @@
rust_ffi {
name: "libvm_attestation_test_payload",
defaults: ["vm_attestation_test_payload_defaults"],
+ visibility: [":__subpackages__"],
+}
+
+android_test {
+ name: "AvfRkpdVmAttestationTestApp",
+ srcs: ["src/java/com/android/virt/rkpd/vm_attestation/testapp/*.java"],
+ defaults: ["vm_attestation_testapp_defaults"],
+ manifest: "AndroidManifest.rkpd.xml",
+ test_config: "AndroidTest.rkpd.xml",
+ static_libs: [
+ "RkpdAppTestUtil",
+ "androidx.work_work-testing",
+ "bouncycastle-unbundled",
+ ],
+ instrumentation_for: "rkpdapp",
+ // This app is a variation of rkpdapp, with additional permissions to run
+ // a VM. It is defined in packages/modules/RemoteKeyProvisioning.
+ data: [":avf-rkpdapp"],
}
diff --git a/service_vm/test_apk/AndroidManifest.rkpd.xml b/service_vm/test_apk/AndroidManifest.rkpd.xml
new file mode 100644
index 0000000..6ecc5a9
--- /dev/null
+++ b/service_vm/test_apk/AndroidManifest.rkpd.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2024 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.virt.rkpd.vm_attestation.testapp">
+
+ <instrumentation
+ android:name="androidx.test.runner.AndroidJUnitRunner"
+ android:targetPackage="com.android.rkpdapp"
+ android:label="AVF rkpd app integration tests" />
+</manifest>
diff --git a/service_vm/test_apk/AndroidTest.rkpd.xml b/service_vm/test_apk/AndroidTest.rkpd.xml
new file mode 100644
index 0000000..39eca32
--- /dev/null
+++ b/service_vm/test_apk/AndroidTest.rkpd.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2024 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<configuration description="VM attestation integration tests with the rkpd app.">
+ <option name="test-suite-tag" value="apct" />
+ <option name="test-suite-tag" value="apct-instrumentation" />
+
+ <!-- Need to disable SELinux policy to allow com.android.rkpdapp to run a VM. -->
+ <target_preparer class="com.android.tradefed.targetprep.DisableSELinuxTargetPreparer"/>
+
+ <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
+ <option name="test-file-name" value="AvfRkpdVmAttestationTestApp.apk" />
+ <option name="test-file-name" value="avf-rkpdapp.apk" />
+ </target_preparer>
+
+ <test class="com.android.tradefed.testtype.AndroidJUnitTest" >
+ <option name="package" value="com.android.virt.rkpd.vm_attestation.testapp" />
+ </test>
+
+ <!-- Only run if RKPD mainline module is installed -->
+ <object type="module_controller"
+ class="com.android.tradefed.testtype.suite.module.MainlineTestModuleController">
+ <option name="enable" value="true" />
+ <option name="mainline-module-package-name" value="com.android.rkpd" />
+ </object>
+</configuration>
diff --git a/service_vm/test_apk/aidl/com/android/virt/vm_attestation/testservice/IAttestationService.aidl b/service_vm/test_apk/aidl/com/android/virt/vm_attestation/testservice/IAttestationService.aidl
index 94a7b8d..34c8549 100644
--- a/service_vm/test_apk/aidl/com/android/virt/vm_attestation/testservice/IAttestationService.aidl
+++ b/service_vm/test_apk/aidl/com/android/virt/vm_attestation/testservice/IAttestationService.aidl
@@ -21,7 +21,31 @@
const int PORT = 5679;
/**
- * Requests attestation for testing.
+ * The result of signing a message with the attested key.
+ */
+ parcelable SigningResult {
+ /** The DER-encoded ECDSA signature of the message. */
+ byte[] signature;
+
+ /** The DER-encoded attestation X509 certificate chain. */
+ byte[] certificateChain;
+ }
+
+ /**
+ * Requests attestation with {@link AVmPayload_requestAttestation} API and signs the
+ * given message with the attested key.
+ *
+ * The remotely provisioned keys are retrieved from RKPD and are provisioned from the
+ * real RKP server.
+ *
+ * @param challenge the challenge to include in the attestation output.
+ * @param message the message to sign.
+ * @return the result of signing the message with the attested key.
+ */
+ SigningResult signWithAttestationKey(in byte[] challenge, in byte[] message);
+
+ /**
+ * Requests attestation for testing with {@link AVmPayload_requestAttestationForTesting} API.
*
* A fake key pair should be provisioned with the call to
* {@link VirtualMachine#enableTestAttestation()} before calling this method.
diff --git a/service_vm/test_apk/src/java/com/android/virt/rkpd/vm_attestation/testapp/RkpdVmAttestationTest.java b/service_vm/test_apk/src/java/com/android/virt/rkpd/vm_attestation/testapp/RkpdVmAttestationTest.java
new file mode 100644
index 0000000..2a771f3
--- /dev/null
+++ b/service_vm/test_apk/src/java/com/android/virt/rkpd/vm_attestation/testapp/RkpdVmAttestationTest.java
@@ -0,0 +1,266 @@
+/*
+ * Copyright (C) 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.virt.rkpd.vm_attestation.testapp;
+
+import static android.system.virtualmachine.VirtualMachineConfig.DEBUG_LEVEL_FULL;
+
+import static com.google.common.truth.Truth.assertThat;
+import static com.google.common.truth.Truth.assertWithMessage;
+import static com.google.common.truth.TruthJUnit.assume;
+
+import android.content.Context;
+import android.hardware.security.keymint.IRemotelyProvisionedComponent;
+import android.os.SystemProperties;
+import android.system.virtualmachine.VirtualMachine;
+import android.system.virtualmachine.VirtualMachineConfig;
+
+import androidx.work.ListenableWorker;
+import androidx.work.testing.TestWorkerBuilder;
+
+import com.android.microdroid.test.device.MicrodroidDeviceTestBase;
+import com.android.rkpdapp.database.ProvisionedKeyDao;
+import com.android.rkpdapp.database.RkpdDatabase;
+import com.android.rkpdapp.interfaces.ServerInterface;
+import com.android.rkpdapp.interfaces.ServiceManagerInterface;
+import com.android.rkpdapp.interfaces.SystemInterface;
+import com.android.rkpdapp.provisioner.PeriodicProvisioner;
+import com.android.rkpdapp.testutil.SystemInterfaceSelector;
+import com.android.rkpdapp.utils.Settings;
+import com.android.rkpdapp.utils.X509Utils;
+import com.android.virt.vm_attestation.testservice.IAttestationService;
+import com.android.virt.vm_attestation.testservice.IAttestationService.SigningResult;
+
+import org.bouncycastle.asn1.ASN1Boolean;
+import org.bouncycastle.asn1.ASN1Encodable;
+import org.bouncycastle.asn1.ASN1OctetString;
+import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.DERUTF8String;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+import java.security.Signature;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.Executors;
+
+/**
+ * End-to-end test for the pVM remote attestation.
+ *
+ * <p>The test checks the two major steps of the pVM remote attestation:
+ *
+ * <p>1. Key provisioning: The test provisions AVF keys from the RKP server and verifies that the
+ * keys are for AVF.
+ *
+ * <p>2. VM attestation: The test creates a VM with a payload binary that requests to attest the VM,
+ * and then signs a message with the attestation key.
+ *
+ * <p>To run this test, you need to:
+ *
+ * <p>- Have an arm64 device supporting protected VMs.
+ *
+ * <p>- Have a stable network connection on the device.
+ *
+ * <p>- Have the RKP server hostname configured in the device. If not, you can set it using: $ adb
+ * shell setprop remote_provisioning.hostname remoteprovisioning.googleapis.com
+ */
+@RunWith(Parameterized.class)
+public class RkpdVmAttestationTest extends MicrodroidDeviceTestBase {
+ private static final String TAG = "RkpdVmAttestationTest";
+ private static final String AVF_ATTESTATION_EXTENSION_OID = "1.3.6.1.4.1.11129.2.1.29.1";
+ private static final String SERVICE_NAME = IRemotelyProvisionedComponent.DESCRIPTOR + "/avf";
+ private static final String VM_PAYLOAD_PATH = "libvm_attestation_test_payload.so";
+ private static final String MESSAGE = "Hello RKP from AVF!";
+ private static final String TEST_APP_PACKAGE_NAME =
+ "com.android.virt.rkpd.vm_attestation.testapp";
+
+ private ProvisionedKeyDao mKeyDao;
+ private PeriodicProvisioner mProvisioner;
+
+ @Parameterized.Parameter(0)
+ public String mGki;
+
+ @Parameterized.Parameters(name = "gki={0}")
+ public static Collection<Object[]> params() {
+ List<Object[]> ret = new ArrayList<>();
+ ret.add(new Object[] {null /* use microdroid kernel */});
+ for (String gki : SUPPORTED_GKI_VERSIONS) {
+ ret.add(new Object[] {gki});
+ }
+ return ret;
+ }
+
+ @Before
+ public void setUp() throws Exception {
+ assume().withMessage("The RKP server hostname is not configured -- assume RKP disabled.")
+ .that(SystemProperties.get("remote_provisioning.hostname"))
+ .isNotEmpty();
+ assume().withMessage("RKP Integration tests rely on network availability.")
+ .that(ServerInterface.isNetworkConnected(getContext()))
+ .isTrue();
+ // TODO(b/329652894): Assume that pVM remote attestation feature is supported.
+
+ prepareTestSetup(true /* protectedVm */, mGki);
+
+ Settings.clearPreferences(getContext());
+ mKeyDao = RkpdDatabase.getDatabase(getContext()).provisionedKeyDao();
+ mKeyDao.deleteAllKeys();
+
+ mProvisioner =
+ TestWorkerBuilder.from(
+ getContext(),
+ PeriodicProvisioner.class,
+ Executors.newSingleThreadExecutor())
+ .build();
+
+ SystemInterface systemInterface =
+ SystemInterfaceSelector.getSystemInterfaceForServiceName(SERVICE_NAME);
+ ServiceManagerInterface.setInstances(new SystemInterface[] {systemInterface});
+
+ setMaxPerformanceTaskProfile();
+ }
+
+ @After
+ public void tearDown() throws Exception {
+ ServiceManagerInterface.setInstances(null);
+ if (mKeyDao != null) {
+ mKeyDao.deleteAllKeys();
+ }
+ Settings.clearPreferences(getContext());
+ }
+
+ @Test
+ public void usingProvisionedKeyForVmAttestationSucceeds() throws Exception {
+ // Provision keys.
+ assertThat(mProvisioner.doWork()).isEqualTo(ListenableWorker.Result.success());
+ assertThat(mKeyDao.getTotalUnassignedKeysForIrpc(SERVICE_NAME)).isGreaterThan(0);
+
+ // Arrange.
+ Context ctx = getContext();
+ Context otherAppCtx = ctx.createPackageContext(TEST_APP_PACKAGE_NAME, 0);
+ VirtualMachineConfig config =
+ new VirtualMachineConfig.Builder(otherAppCtx)
+ .setProtectedVm(true)
+ .setDebugLevel(DEBUG_LEVEL_FULL)
+ .setPayloadBinaryName(VM_PAYLOAD_PATH)
+ .setVmOutputCaptured(true)
+ .build();
+ VirtualMachine vm = forceCreateNewVirtualMachine("attestation_with_rkpd_client", config);
+ byte[] challenge = new byte[32];
+ Arrays.fill(challenge, (byte) 0xab);
+
+ // Act.
+ CompletableFuture<Exception> exception = new CompletableFuture<>();
+ CompletableFuture<Boolean> payloadReady = new CompletableFuture<>();
+ CompletableFuture<SigningResult> signingResultFuture = new CompletableFuture<>();
+ VmEventListener listener =
+ new VmEventListener() {
+ @Override
+ public void onPayloadReady(VirtualMachine vm) {
+ payloadReady.complete(true);
+ try {
+ IAttestationService service =
+ IAttestationService.Stub.asInterface(
+ vm.connectToVsockServer(IAttestationService.PORT));
+ signingResultFuture.complete(
+ service.signWithAttestationKey(challenge, MESSAGE.getBytes()));
+ } catch (Exception e) {
+ exception.complete(e);
+ } finally {
+ forceStop(vm);
+ }
+ }
+ };
+ listener.runToFinish(TAG, vm);
+
+ // Assert.
+ assertThat(payloadReady.getNow(false)).isTrue();
+ assertThat(exception.getNow(null)).isNull();
+ SigningResult signingResult = signingResultFuture.getNow(null);
+ assertThat(signingResult).isNotNull();
+
+ // Parsing the certificate chain successfully indicates that the certificate
+ // chain is valid, that each certificate is signed by the next one and the last
+ // one is self-signed.
+ X509Certificate[] certs = X509Utils.formatX509Certs(signingResult.certificateChain);
+ assertThat(certs.length).isGreaterThan(2);
+ assertWithMessage("The first certificate should be generated in the RKP VM")
+ .that(certs[0].getSubjectX500Principal().getName())
+ .isEqualTo("CN=Android Protected Virtual Machine Key");
+ checkAvfAttestationExtension(certs[0], challenge);
+ assertWithMessage("The second certificate should contain AVF in the subject")
+ .that(certs[1].getSubjectX500Principal().getName())
+ .contains("O=AVF");
+
+ // Verify the signature using the public key from the leaf certificate generated
+ // in the RKP VM.
+ Signature sig = Signature.getInstance("SHA256withECDSA");
+ sig.initVerify(certs[0].getPublicKey());
+ sig.update(MESSAGE.getBytes());
+ assertThat(sig.verify(signingResult.signature)).isTrue();
+ }
+
+ private void checkAvfAttestationExtension(X509Certificate cert, byte[] challenge)
+ throws Exception {
+ byte[] extensionValue = cert.getExtensionValue(AVF_ATTESTATION_EXTENSION_OID);
+ ASN1OctetString extString = ASN1OctetString.getInstance(extensionValue);
+ ASN1Sequence seq = ASN1Sequence.getInstance(extString.getOctets());
+ // AVF attestation extension should contain 3 elements in the following format:
+ //
+ // AttestationExtension ::= SEQUENCE {
+ // attestationChallenge OCTET_STRING,
+ // isVmSecure BOOLEAN,
+ // vmComponents SEQUENCE OF VmComponent,
+ // }
+ // VmComponent ::= SEQUENCE {
+ // name UTF8String,
+ // securityVersion INTEGER,
+ // codeHash OCTET STRING,
+ // authorityHash OCTET STRING,
+ // }
+ assertThat(seq).hasSize(3);
+
+ ASN1OctetString expectedChallenge = new DEROctetString(challenge);
+ assertThat(seq.getObjectAt(0)).isEqualTo(expectedChallenge);
+ assertWithMessage("The VM should be unsecure as it is debuggable.")
+ .that(seq.getObjectAt(1))
+ .isEqualTo(ASN1Boolean.FALSE);
+ ASN1Sequence vmComponents = ASN1Sequence.getInstance(seq.getObjectAt(2));
+ assertExtensionContainsPayloadApk(vmComponents);
+ }
+
+ private void assertExtensionContainsPayloadApk(ASN1Sequence vmComponents) throws Exception {
+ DERUTF8String payloadApkName = new DERUTF8String("apk:" + TEST_APP_PACKAGE_NAME);
+ boolean found = false;
+ for (ASN1Encodable encodable : vmComponents) {
+ ASN1Sequence vmComponent = ASN1Sequence.getInstance(encodable);
+ assertThat(vmComponent).hasSize(4);
+ if (payloadApkName.equals(vmComponent.getObjectAt(0))) {
+ assertWithMessage("Payload APK should not be found twice.").that(found).isFalse();
+ found = true;
+ }
+ }
+ assertWithMessage("vmComponents should contain the payload APK.").that(found).isTrue();
+ }
+}
diff --git a/service_vm/test_apk/src/native/main.rs b/service_vm/test_apk/src/native/main.rs
index 199b45c..a04fb1f 100644
--- a/service_vm/test_apk/src/native/main.rs
+++ b/service_vm/test_apk/src/native/main.rs
@@ -18,7 +18,7 @@
use avflog::LogResult;
use com_android_virt_vm_attestation_testservice::{
aidl::com::android::virt::vm_attestation::testservice::IAttestationService::{
- BnAttestationService, IAttestationService, PORT,
+ BnAttestationService, IAttestationService, SigningResult::SigningResult, PORT,
},
binder::{self, unstable_api::AsNative, BinderFeatures, Interface, IntoBinderResult, Strong},
};
@@ -34,7 +34,7 @@
AIBinder, AVmAttestationResult, AVmAttestationResult_free,
AVmAttestationResult_getCertificateAt, AVmAttestationResult_getCertificateCount,
AVmAttestationResult_getPrivateKey, AVmAttestationResult_sign, AVmAttestationStatus,
- AVmAttestationStatus_toString, AVmPayload_notifyPayloadReady,
+ AVmAttestationStatus_toString, AVmPayload_notifyPayloadReady, AVmPayload_requestAttestation,
AVmPayload_requestAttestationForTesting, AVmPayload_runVsockRpcServer,
};
@@ -89,13 +89,8 @@
impl IAttestationService for AttestationService {
fn requestAttestationForTesting(&self) -> binder::Result<()> {
- // The data below is only a placeholder generated randomly with urandom
- let challenge = &[
- 0x6c, 0xad, 0x52, 0x50, 0x15, 0xe7, 0xf4, 0x1d, 0xa5, 0x60, 0x7e, 0xd2, 0x7d, 0xf1,
- 0x51, 0x67, 0xc3, 0x3e, 0x73, 0x9b, 0x30, 0xbd, 0x04, 0x20, 0x2e, 0xde, 0x3b, 0x1d,
- 0xc8, 0x07, 0x11, 0x7b,
- ];
- let res = AttestationResult::request_attestation(challenge)
+ const CHALLENGE: &[u8] = &[0xaa; 32];
+ let res = AttestationResult::request_attestation_for_testing(CHALLENGE)
.map_err(|e| anyhow!("Unexpected status: {:?}", status_to_cstr(e)))
.with_log()
.or_service_specific_exception(-1)?;
@@ -103,6 +98,21 @@
Ok(())
}
+ fn signWithAttestationKey(
+ &self,
+ challenge: &[u8],
+ message: &[u8],
+ ) -> binder::Result<SigningResult> {
+ let res = AttestationResult::request_attestation(challenge)
+ .map_err(|e| anyhow!("Unexpected status: {:?}", status_to_cstr(e)))
+ .with_log()
+ .or_service_specific_exception(-1)?;
+ let certificate_chain =
+ res.certificate_chain().with_log().or_service_specific_exception(-1)?;
+ let signature = res.sign(message).with_log().or_service_specific_exception(-1)?;
+ Ok(SigningResult { certificateChain: certificate_chain, signature })
+ }
+
fn validateAttestationResult(&self) -> binder::Result<()> {
// TODO(b/191073073): Returns the attestation result to the host for validation.
self.res.lock().unwrap().as_ref().unwrap().log().or_service_specific_exception(-1)
@@ -116,7 +126,9 @@
unsafe impl Send for AttestationResult {}
impl AttestationResult {
- fn request_attestation(challenge: &[u8]) -> result::Result<Self, AVmAttestationStatus> {
+ fn request_attestation_for_testing(
+ challenge: &[u8],
+ ) -> result::Result<Self, AVmAttestationStatus> {
let mut res: *mut AVmAttestationResult = ptr::null_mut();
// SAFETY: It is safe as we only read the challenge within its bounds and the
// function does not retain any reference to it.
@@ -136,11 +148,31 @@
}
}
- fn certificate_chain(&self) -> Result<Vec<Box<[u8]>>> {
+ fn request_attestation(challenge: &[u8]) -> result::Result<Self, AVmAttestationStatus> {
+ let mut res: *mut AVmAttestationResult = ptr::null_mut();
+ // SAFETY: It is safe as we only read the challenge within its bounds and the
+ // function does not retain any reference to it.
+ let status = unsafe {
+ AVmPayload_requestAttestation(
+ challenge.as_ptr() as *const c_void,
+ challenge.len(),
+ &mut res,
+ )
+ };
+ if status == AVmAttestationStatus::ATTESTATION_OK {
+ info!("Attestation succeeds. Status: {:?}", status_to_cstr(status));
+ let res = NonNull::new(res).expect("The attestation result is null");
+ Ok(Self(res))
+ } else {
+ Err(status)
+ }
+ }
+
+ fn certificate_chain(&self) -> Result<Vec<u8>> {
let num_certs = get_certificate_count(self.as_ref());
- let mut certs = Vec::with_capacity(num_certs);
+ let mut certs = Vec::new();
for i in 0..num_certs {
- certs.push(get_certificate_at(self.as_ref(), i)?);
+ certs.extend(get_certificate_at(self.as_ref(), i)?.iter());
}
Ok(certs)
}
@@ -149,7 +181,7 @@
get_private_key(self.as_ref())
}
- fn sign(&self, message: &[u8]) -> Result<Box<[u8]>> {
+ fn sign(&self, message: &[u8]) -> Result<Vec<u8>> {
sign_with_attested_key(self.as_ref(), message)
}
@@ -231,7 +263,7 @@
Ok(private_key.into_boxed_slice())
}
-fn sign_with_attested_key(res: &AVmAttestationResult, message: &[u8]) -> Result<Box<[u8]>> {
+fn sign_with_attested_key(res: &AVmAttestationResult, message: &[u8]) -> Result<Vec<u8>> {
// SAFETY: The result is returned by `AVmPayload_requestAttestation` and should be valid
// before getting freed.
let size = unsafe {
@@ -258,7 +290,7 @@
};
ensure!(size <= signature.len());
signature.truncate(size);
- Ok(signature.into_boxed_slice())
+ Ok(signature)
}
fn status_to_cstr(status: AVmAttestationStatus) -> &'static CStr {
diff --git a/tests/pvmfw/Android.bp b/tests/pvmfw/Android.bp
index c12f67a..0483066 100644
--- a/tests/pvmfw/Android.bp
+++ b/tests/pvmfw/Android.bp
@@ -53,4 +53,5 @@
":test_avf_debug_policy_without_adb",
"assets/bcc.dat",
],
+ data_device_bins_first: ["dtc_static"],
}
diff --git a/tests/pvmfw/AndroidTest.xml b/tests/pvmfw/AndroidTest.xml
index 6ff7b6f..5784f26 100644
--- a/tests/pvmfw/AndroidTest.xml
+++ b/tests/pvmfw/AndroidTest.xml
@@ -22,6 +22,24 @@
<option name="force-root" value="true"/>
</target_preparer>
+ <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
+ <option name="throw-if-cmd-fail" value="true" />
+ <!-- Prepare test directories. -->
+ <option name="run-command" value="mkdir -p /data/local/tmp/pvmfw" />
+ <option name="teardown-command" value="rm -rf /data/local/tmp/pvmfw" />
+ </target_preparer>
+
+ <target_preparer class="com.android.tradefed.targetprep.PushFilePreparer">
+ <option name="cleanup" value="true" />
+ <option name="abort-on-push-failure" value="true" />
+ <option name="push-file" key="dtc_static" value="/data/local/tmp/pvmfw/dtc_static" />
+ </target_preparer>
+
+ <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
+ <option name="throw-if-cmd-fail" value="true" />
+ <option name="run-command" value="[ ! -d /proc/device-tree/avf/reference ] || /data/local/tmp/pvmfw/dtc_static -f -qqq /proc/device-tree/avf/reference -o /data/local/tmp/pvmfw/reference_dt.dtb" />
+ </target_preparer>
+
<test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" >
<option name="jar" value="CustomPvmfwHostTestCases.jar" />
</test>
diff --git a/tests/pvmfw/helper/Android.bp b/tests/pvmfw/helper/Android.bp
index 1b96842..90ca03e 100644
--- a/tests/pvmfw/helper/Android.bp
+++ b/tests/pvmfw/helper/Android.bp
@@ -5,5 +5,8 @@
java_library_host {
name: "PvmfwHostTestHelper",
srcs: ["java/**/*.java"],
- libs: ["androidx.annotation_annotation"],
+ libs: [
+ "androidx.annotation_annotation",
+ "truth",
+ ],
}
diff --git a/tests/pvmfw/helper/java/com/android/pvmfw/test/host/Pvmfw.java b/tests/pvmfw/helper/java/com/android/pvmfw/test/host/Pvmfw.java
index b0c1207..a77ba40 100644
--- a/tests/pvmfw/helper/java/com/android/pvmfw/test/host/Pvmfw.java
+++ b/tests/pvmfw/helper/java/com/android/pvmfw/test/host/Pvmfw.java
@@ -16,6 +16,8 @@
package com.android.pvmfw.test.host;
+import static com.google.common.truth.Truth.assertThat;
+
import static java.nio.ByteOrder.LITTLE_ENDIAN;
import androidx.annotation.NonNull;
@@ -34,22 +36,52 @@
private static final int SIZE_4K = 4 << 10; // 4 KiB, PAGE_SIZE
private static final int BUFFER_SIZE = 1024;
private static final int HEADER_MAGIC = 0x666d7670;
- private static final int HEADER_DEFAULT_VERSION = getVersion(1, 0);
+ private static final int HEADER_DEFAULT_VERSION = makeVersion(1, 2);
private static final int HEADER_FLAGS = 0;
+ private static final int PVMFW_ENTRY_BCC = 0;
+ private static final int PVMFW_ENTRY_DP = 1;
+ private static final int PVMFW_ENTRY_VM_DTBO = 2;
+ private static final int PVMFW_ENTRY_VM_REFERENCE_DT = 3;
+ private static final int PVMFW_ENTRY_MAX = 4;
+
@NonNull private final File mPvmfwBinFile;
- @NonNull private final File mBccFile;
- @Nullable private final File mDebugPolicyFile;
+ private final File[] mEntries;
+ private final int mEntryCnt;
private final int mVersion;
+ public static int makeVersion(int major, int minor) {
+ return ((major & 0xFFFF) << 16) | (minor & 0xFFFF);
+ }
+
private Pvmfw(
@NonNull File pvmfwBinFile,
@NonNull File bccFile,
@Nullable File debugPolicyFile,
+ @Nullable File vmDtboFile,
+ @Nullable File vmReferenceDtFile,
int version) {
mPvmfwBinFile = Objects.requireNonNull(pvmfwBinFile);
- mBccFile = Objects.requireNonNull(bccFile);
- mDebugPolicyFile = debugPolicyFile;
+
+ if (version >= makeVersion(1, 2)) {
+ mEntryCnt = PVMFW_ENTRY_VM_REFERENCE_DT + 1;
+ } else if (version >= makeVersion(1, 1)) {
+ mEntryCnt = PVMFW_ENTRY_VM_DTBO + 1;
+ } else {
+ mEntryCnt = PVMFW_ENTRY_DP + 1;
+ }
+
+ mEntries = new File[PVMFW_ENTRY_MAX];
+ mEntries[PVMFW_ENTRY_BCC] = Objects.requireNonNull(bccFile);
+ mEntries[PVMFW_ENTRY_DP] = debugPolicyFile;
+
+ if (PVMFW_ENTRY_VM_DTBO < mEntryCnt) {
+ mEntries[PVMFW_ENTRY_VM_DTBO] = vmDtboFile;
+ }
+ if (PVMFW_ENTRY_VM_REFERENCE_DT < mEntryCnt) {
+ mEntries[PVMFW_ENTRY_VM_REFERENCE_DT] = Objects.requireNonNull(vmReferenceDtFile);
+ }
+
mVersion = version;
}
@@ -60,62 +92,54 @@
public void serialize(@NonNull File outFile) throws IOException {
Objects.requireNonNull(outFile);
- int headerSize = alignTo(getHeaderSize(mVersion), SIZE_8B);
- int bccOffset = headerSize;
- int bccSize = (int) mBccFile.length();
+ int headerSize = alignTo(getHeaderSize(), SIZE_8B);
+ int[] entryOffsets = new int[mEntryCnt];
+ int[] entrySizes = new int[mEntryCnt];
- int debugPolicyOffset = alignTo(bccOffset + bccSize, SIZE_8B);
- int debugPolicySize = mDebugPolicyFile == null ? 0 : (int) mDebugPolicyFile.length();
+ entryOffsets[PVMFW_ENTRY_BCC] = headerSize;
+ entrySizes[PVMFW_ENTRY_BCC] = (int) mEntries[PVMFW_ENTRY_BCC].length();
- int totalSize = debugPolicyOffset + debugPolicySize;
- if (hasVmDtbo(mVersion)) {
- // Add VM DTBO size as well.
- totalSize += Integer.BYTES * 2;
+ for (int i = 1; i < mEntryCnt; i++) {
+ entryOffsets[i] = alignTo(entryOffsets[i - 1] + entrySizes[i - 1], SIZE_8B);
+ entrySizes[i] = mEntries[i] == null ? 0 : (int) mEntries[i].length();
}
+ int totalSize = alignTo(entryOffsets[mEntryCnt - 1] + entrySizes[mEntryCnt - 1], SIZE_8B);
+
ByteBuffer header = ByteBuffer.allocate(headerSize).order(LITTLE_ENDIAN);
header.putInt(HEADER_MAGIC);
header.putInt(mVersion);
header.putInt(totalSize);
header.putInt(HEADER_FLAGS);
- header.putInt(bccOffset);
- header.putInt(bccSize);
- header.putInt(debugPolicyOffset);
- header.putInt(debugPolicySize);
-
- if (hasVmDtbo(mVersion)) {
- // Add placeholder entry for VM DTBO.
- // TODO(b/291191157): Add a real DTBO and test.
- header.putInt(0);
- header.putInt(0);
+ for (int i = 0; i < mEntryCnt; i++) {
+ header.putInt(entryOffsets[i]);
+ header.putInt(entrySizes[i]);
}
try (FileOutputStream pvmfw = new FileOutputStream(outFile)) {
appendFile(pvmfw, mPvmfwBinFile);
padTo(pvmfw, SIZE_4K);
+
+ int baseOffset = (int) pvmfw.getChannel().size();
pvmfw.write(header.array());
- padTo(pvmfw, SIZE_8B);
- appendFile(pvmfw, mBccFile);
- if (mDebugPolicyFile != null) {
+
+ for (int i = 0; i < mEntryCnt; i++) {
padTo(pvmfw, SIZE_8B);
- appendFile(pvmfw, mDebugPolicyFile);
+ if (mEntries[i] != null) {
+ assertThat((int) pvmfw.getChannel().size() - baseOffset)
+ .isEqualTo(entryOffsets[i]);
+ appendFile(pvmfw, mEntries[i]);
+ }
}
+
padTo(pvmfw, SIZE_4K);
}
}
private void appendFile(@NonNull FileOutputStream out, @NonNull File inFile)
throws IOException {
- byte buffer[] = new byte[BUFFER_SIZE];
try (FileInputStream in = new FileInputStream(inFile)) {
- int size;
- while (true) {
- size = in.read(buffer);
- if (size < 0) {
- return;
- }
- out.write(buffer, /* offset= */ 0, size);
- }
+ in.transferTo(out);
}
}
@@ -126,27 +150,15 @@
}
}
- private static int getHeaderSize(int version) {
- if (version == getVersion(1, 0)) {
- return Integer.BYTES * 8; // Header has 8 integers.
- }
- return Integer.BYTES * 10; // Default + VM DTBO (offset, size)
- }
-
- private static boolean hasVmDtbo(int version) {
- int major = getMajorVersion(version);
- int minor = getMinorVersion(version);
- return major > 1 || (major == 1 && minor >= 1);
+ private int getHeaderSize() {
+ // Header + (entry offset, entry, size) * mEntryCnt
+ return Integer.BYTES * (4 + mEntryCnt * 2);
}
private static int alignTo(int x, int size) {
return (x + size - 1) & ~(size - 1);
}
- private static int getVersion(int major, int minor) {
- return ((major & 0xFFFF) << 16) | (minor & 0xFFFF);
- }
-
private static int getMajorVersion(int version) {
return (version >> 16) & 0xFFFF;
}
@@ -160,6 +172,8 @@
@NonNull private final File mPvmfwBinFile;
@NonNull private final File mBccFile;
@Nullable private File mDebugPolicyFile;
+ @Nullable private File mVmDtboFile;
+ @Nullable private File mVmReferenceDtFile;
private int mVersion;
public Builder(@NonNull File pvmfwBinFile, @NonNull File bccFile) {
@@ -175,14 +189,32 @@
}
@NonNull
+ public Builder setVmDtbo(@Nullable File vmDtboFile) {
+ mVmDtboFile = vmDtboFile;
+ return this;
+ }
+
+ @NonNull
+ public Builder setVmReferenceDt(@Nullable File vmReferenceDtFile) {
+ mVmReferenceDtFile = vmReferenceDtFile;
+ return this;
+ }
+
+ @NonNull
public Builder setVersion(int major, int minor) {
- mVersion = getVersion(major, minor);
+ mVersion = makeVersion(major, minor);
return this;
}
@NonNull
public Pvmfw build() {
- return new Pvmfw(mPvmfwBinFile, mBccFile, mDebugPolicyFile, mVersion);
+ return new Pvmfw(
+ mPvmfwBinFile,
+ mBccFile,
+ mDebugPolicyFile,
+ mVmDtboFile,
+ mVmReferenceDtFile,
+ mVersion);
}
}
}
diff --git a/tests/pvmfw/java/com/android/pvmfw/test/CustomPvmfwHostTestCaseBase.java b/tests/pvmfw/java/com/android/pvmfw/test/CustomPvmfwHostTestCaseBase.java
new file mode 100644
index 0000000..a3216c2
--- /dev/null
+++ b/tests/pvmfw/java/com/android/pvmfw/test/CustomPvmfwHostTestCaseBase.java
@@ -0,0 +1,229 @@
+/*
+ * Copyright 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.pvmfw.test;
+
+import static com.android.tradefed.device.TestDevice.MicrodroidBuilder;
+
+import static com.google.common.truth.Truth.assertThat;
+import static com.google.common.truth.Truth.assertWithMessage;
+
+import static org.junit.Assume.assumeTrue;
+
+import androidx.annotation.NonNull;
+import androidx.annotation.Nullable;
+
+import com.android.microdroid.test.host.MicrodroidHostTestCaseBase;
+import com.android.microdroid.test.host.CommandRunner;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.device.TestDevice;
+import com.android.tradefed.util.CommandResult;
+import com.android.tradefed.util.CommandStatus;
+import com.android.tradefed.util.FileUtil;
+
+import org.junit.After;
+import org.junit.Before;
+
+import java.io.File;
+import java.util.Map;
+
+/** Base class for testing custom pvmfw */
+public class CustomPvmfwHostTestCaseBase extends MicrodroidHostTestCaseBase {
+ @NonNull public static final String PVMFW_FILE_NAME = "pvmfw_test.bin";
+ @NonNull public static final String BCC_FILE_NAME = "bcc.dat";
+ @NonNull public static final String PACKAGE_FILE_NAME = "MicrodroidTestApp.apk";
+ @NonNull public static final String PACKAGE_NAME = "com.android.microdroid.test";
+ @NonNull public static final String MICRODROID_DEBUG_FULL = "full";
+ @NonNull public static final String MICRODROID_DEBUG_NONE = "none";
+
+ @NonNull
+ public static final String MICRODROID_CONFIG_PATH = "assets/microdroid/vm_config_apex.json";
+
+ @NonNull
+ public static final String VM_REFERENCE_DT_PATH = "/data/local/tmp/pvmfw/reference_dt.dtb";
+
+ @NonNull public static final String MICRODROID_LOG_PATH = TEST_ROOT + "log.txt";
+ public static final int BOOT_COMPLETE_TIMEOUT_MS = 30000; // 30 seconds
+ public static final int BOOT_FAILURE_WAIT_TIME_MS = 10000; // 10 seconds
+ public static final int CONSOLE_OUTPUT_WAIT_MS = 5000; // 5 seconds
+
+ @NonNull public static final String CUSTOM_PVMFW_FILE_PREFIX = "pvmfw";
+ @NonNull public static final String CUSTOM_PVMFW_FILE_SUFFIX = ".bin";
+ @NonNull public static final String CUSTOM_PVMFW_IMG_PATH = TEST_ROOT + PVMFW_FILE_NAME;
+ @NonNull public static final String CUSTOM_PVMFW_IMG_PATH_PROP = "hypervisor.pvmfw.path";
+
+ @NonNull private static final String DUMPSYS = "dumpsys";
+
+ @NonNull
+ private static final String DUMPSYS_MISSING_SERVICE_MSG_PREFIX = "Can't find service: ";
+
+ @NonNull
+ private static final String SECRET_KEEPER_AIDL =
+ "android.hardware.security.secretkeeper.ISecretkeeper/default";
+
+ @Nullable private File mPvmfwBinFileOnHost;
+ @Nullable private File mBccFileOnHost;
+ @Nullable private File mVmReferenceDtFile;
+ private boolean mSecretKeeperSupported;
+
+ @NonNull private TestDevice mAndroidDevice;
+ @Nullable private ITestDevice mMicrodroidDevice;
+
+ @Nullable private File mCustomPvmfwFileOnHost;
+
+ @Before
+ public void setUp() throws Exception {
+ mAndroidDevice = (TestDevice) getDevice();
+
+ // Check device capabilities
+ assumeDeviceIsCapable(mAndroidDevice);
+ assumeTrue(
+ "Skip if protected VMs are not supported",
+ mAndroidDevice.supportsMicrodroid(/* protectedVm= */ true));
+
+ mPvmfwBinFileOnHost = findTestFile(PVMFW_FILE_NAME);
+ mBccFileOnHost = findTestFile(BCC_FILE_NAME);
+
+ // This is prepared by AndroidTest.xml
+ mVmReferenceDtFile = mAndroidDevice.pullFile(VM_REFERENCE_DT_PATH);
+
+ CommandRunner runner = new CommandRunner(mAndroidDevice);
+ CommandResult result = runner.runForResult(DUMPSYS, SECRET_KEEPER_AIDL);
+
+ // dumpsys prints 'Can't find service: ~' to stderr if secret keeper HAL is missing,
+ // but it doesn't return any error code for it.
+ // Read stderr to know whether secret keeper is supported, and stop test for any other case.
+ assertWithMessage("Failed to run " + DUMPSYS + ", result=" + result)
+ .that(result.getStatus() == CommandStatus.SUCCESS && result.getExitCode() == 0)
+ .isTrue();
+ if (result.getStderr() != null && !result.getStderr().trim().isEmpty()) {
+ assertWithMessage(
+ "Unexpected stderr from " + DUMPSYS + ", stderr=" + result.getStderr())
+ .that(result.getStderr().trim().startsWith(DUMPSYS_MISSING_SERVICE_MSG_PREFIX))
+ .isTrue();
+ } else {
+ mSecretKeeperSupported = true;
+ }
+
+ // Prepare for system properties for custom pvmfw.img.
+ // File will be prepared later in individual test and then pushed to device
+ // when launching with launchProtectedVmAndWaitForBootCompleted().
+ mCustomPvmfwFileOnHost =
+ FileUtil.createTempFile(CUSTOM_PVMFW_FILE_PREFIX, CUSTOM_PVMFW_FILE_SUFFIX);
+ setPropertyOrThrow(mAndroidDevice, CUSTOM_PVMFW_IMG_PATH_PROP, CUSTOM_PVMFW_IMG_PATH);
+
+ // Prepare for launching microdroid
+ mAndroidDevice.installPackage(findTestFile(PACKAGE_FILE_NAME), /* reinstall */ false);
+ prepareVirtualizationTestSetup(mAndroidDevice);
+ mMicrodroidDevice = null;
+ }
+
+ @After
+ public void shutdown() throws Exception {
+ shutdownMicrodroid();
+
+ mAndroidDevice.uninstallPackage(PACKAGE_NAME);
+
+ FileUtil.deleteFile(mVmReferenceDtFile);
+
+ // Cleanup for custom pvmfw.img
+ setPropertyOrThrow(mAndroidDevice, CUSTOM_PVMFW_IMG_PATH_PROP, "");
+ FileUtil.deleteFile(mCustomPvmfwFileOnHost);
+
+ cleanUpVirtualizationTestSetup(mAndroidDevice);
+ }
+
+ /** Returns android device */
+ @NonNull
+ public TestDevice getAndroidDevice() {
+ return mAndroidDevice;
+ }
+
+ /** Returns pvmfw.bin file on host for building custom pvmfw with */
+ @NonNull
+ public File getPvmfwBinFile() {
+ return mPvmfwBinFileOnHost;
+ }
+
+ /** Returns BCC file on host for building custom pvmfw with */
+ @NonNull
+ public File getBccFile() {
+ return mBccFileOnHost;
+ }
+
+ /** Returns VM reference DT, generated from DUT, on host for building custom pvmfw with. */
+ @Nullable
+ public File getVmReferenceDtFile() {
+ return mVmReferenceDtFile;
+ }
+
+ /**
+ * Returns a custom pvmfw file.
+ *
+ * <p>This is a temporary file on host. The file should been prepared as a custom pvmfw because
+ * calling {@link #launchProtectedVmAndWaitForBootCompleted}, so virtualization manager can read
+ * the file path from sysprop and boot pVM with it.
+ */
+ @NonNull
+ public File getCustomPvmfwFile() {
+ return mCustomPvmfwFileOnHost;
+ }
+
+ /**
+ * Returns whether a secretkeeper is supported.
+ *
+ * <p>If {@code true}, then VM reference DT must exist. (i.e. {@link #getVmReferenceDtFile} must
+ * exist {@code null}).
+ */
+ public boolean isSecretKeeperSupported() {
+ return mSecretKeeperSupported;
+ }
+
+ /**
+ * Launches protected VM with custom pvmfw ({@link #getCustomPvmfwFile}) and wait for boot
+ * completed. Throws exception when boot failed.
+ */
+ public ITestDevice launchProtectedVmAndWaitForBootCompleted(
+ String debugLevel, long adbTimeoutMs, @NonNull Map<String, File> bootFiles)
+ throws DeviceNotAvailableException {
+ MicrodroidBuilder builder =
+ MicrodroidBuilder.fromDevicePath(
+ getPathForPackage(PACKAGE_NAME), MICRODROID_CONFIG_PATH)
+ .debugLevel(debugLevel)
+ .protectedVm(/* protectedVm= */ true)
+ .addBootFile(mCustomPvmfwFileOnHost, PVMFW_FILE_NAME)
+ .setAdbConnectTimeoutMs(adbTimeoutMs);
+ for (String name : bootFiles.keySet()) {
+ File file = bootFiles.get(name);
+ builder.addBootFile(file, name);
+ }
+
+ mMicrodroidDevice = builder.build(mAndroidDevice);
+
+ assertThat(mMicrodroidDevice.waitForBootComplete(BOOT_COMPLETE_TIMEOUT_MS)).isTrue();
+ assertThat(mMicrodroidDevice.enableAdbRoot()).isTrue();
+ return mMicrodroidDevice;
+ }
+
+ /** Shuts down microdroid if it's running */
+ public void shutdownMicrodroid() throws Exception {
+ if (mMicrodroidDevice != null) {
+ mAndroidDevice.shutdownMicrodroid(mMicrodroidDevice);
+ mMicrodroidDevice = null;
+ }
+ }
+}
diff --git a/tests/pvmfw/java/com/android/pvmfw/test/DebugPolicyHostTests.java b/tests/pvmfw/java/com/android/pvmfw/test/DebugPolicyHostTests.java
index 26f5993..223f93f 100644
--- a/tests/pvmfw/java/com/android/pvmfw/test/DebugPolicyHostTests.java
+++ b/tests/pvmfw/java/com/android/pvmfw/test/DebugPolicyHostTests.java
@@ -16,28 +16,22 @@
package com.android.pvmfw.test;
-import static com.android.tradefed.device.TestDevice.MicrodroidBuilder;
-
import static com.google.common.truth.Truth.assertThat;
import static com.google.common.truth.Truth.assertWithMessage;
-import static org.junit.Assume.assumeTrue;
import static org.junit.Assert.assertThrows;
import androidx.annotation.NonNull;
import androidx.annotation.Nullable;
import com.android.microdroid.test.host.CommandRunner;
-import com.android.microdroid.test.host.MicrodroidHostTestCaseBase;
import com.android.pvmfw.test.host.Pvmfw;
import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.device.DeviceRuntimeException;
import com.android.tradefed.device.ITestDevice;
-import com.android.tradefed.device.TestDevice;
import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
import com.android.tradefed.util.CommandStatus;
import com.android.tradefed.util.CommandResult;
-import com.android.tradefed.util.FileUtil;
import org.junit.After;
import org.junit.Before;
@@ -45,32 +39,13 @@
import org.junit.runner.RunWith;
import java.io.File;
-import java.util.Objects;
+import java.util.Collections;
+import java.util.Map;
import java.util.concurrent.TimeUnit;
/** Tests debug policy */
@RunWith(DeviceJUnit4ClassRunner.class)
-public class DebugPolicyHostTests extends MicrodroidHostTestCaseBase {
- @NonNull private static final String PVMFW_FILE_NAME = "pvmfw_test.bin";
- @NonNull private static final String BCC_FILE_NAME = "bcc.dat";
- @NonNull private static final String PACKAGE_FILE_NAME = "MicrodroidTestApp.apk";
- @NonNull private static final String PACKAGE_NAME = "com.android.microdroid.test";
- @NonNull private static final String MICRODROID_DEBUG_FULL = "full";
- @NonNull private static final String MICRODROID_DEBUG_NONE = "none";
-
- @NonNull
- private static final String MICRODROID_CONFIG_PATH = "assets/microdroid/vm_config_apex.json";
-
- @NonNull private static final String MICRODROID_LOG_PATH = TEST_ROOT + "log.txt";
- private static final int BOOT_COMPLETE_TIMEOUT_MS = 30000; // 30 seconds
- private static final int BOOT_FAILURE_WAIT_TIME_MS = 10000; // 10 seconds
- private static final int CONSOLE_OUTPUT_WAIT_MS = 5000; // 5 seconds
-
- @NonNull private static final String CUSTOM_PVMFW_FILE_PREFIX = "pvmfw";
- @NonNull private static final String CUSTOM_PVMFW_FILE_SUFFIX = ".bin";
- @NonNull private static final String CUSTOM_PVMFW_IMG_PATH = TEST_ROOT + PVMFW_FILE_NAME;
- @NonNull private static final String CUSTOM_PVMFW_IMG_PATH_PROP = "hypervisor.pvmfw.path";
-
+public class DebugPolicyHostTests extends CustomPvmfwHostTestCaseBase {
@NonNull private static final String CUSTOM_DEBUG_POLICY_FILE_NAME = "debug_policy.dtb";
@NonNull
@@ -98,63 +73,22 @@
@NonNull private static final String HEX_STRING_ZERO = "00000000";
@NonNull private static final String HEX_STRING_ONE = "00000001";
- @Nullable private static File mPvmfwBinFileOnHost;
- @Nullable private static File mBccFileOnHost;
-
- @Nullable private TestDevice mAndroidDevice;
- @Nullable private ITestDevice mMicrodroidDevice;
- @Nullable private File mCustomPvmfwBinFileOnHost;
@Nullable private File mCustomDebugPolicyFileOnHost;
@Before
public void setUp() throws Exception {
- mAndroidDevice = (TestDevice) Objects.requireNonNull(getDevice());
+ super.setUp();
- // Check device capabilities
- assumeDeviceIsCapable(mAndroidDevice);
- assumeTrue(
- "Skip if protected VMs are not supported",
- mAndroidDevice.supportsMicrodroid(/* protectedVm= */ true));
-
- // tradefed copies the test artfacts under /tmp when running tests,
- // so we should *find* the artifacts with the file name.
- mPvmfwBinFileOnHost =
- getTestInformation().getDependencyFile(PVMFW_FILE_NAME, /* targetFirst= */ false);
- mBccFileOnHost =
- getTestInformation().getDependencyFile(BCC_FILE_NAME, /* targetFirst= */ false);
-
- // Prepare for system properties for custom debug policy.
- // File will be prepared later in individual test by setupCustomDebugPolicy()
- // and then pushed to device when launching with launchProtectedVmAndWaitForBootCompleted()
- // or tryLaunchProtectedNonDebuggableVm().
- mCustomPvmfwBinFileOnHost =
- FileUtil.createTempFile(CUSTOM_PVMFW_FILE_PREFIX, CUSTOM_PVMFW_FILE_SUFFIX);
- setPropertyOrThrow(mAndroidDevice, CUSTOM_PVMFW_IMG_PATH_PROP, CUSTOM_PVMFW_IMG_PATH);
- setPropertyOrThrow(mAndroidDevice, CUSTOM_DEBUG_POLICY_PATH_PROP, CUSTOM_DEBUG_POLICY_PATH);
-
- // Prepare for launching microdroid
- mAndroidDevice.installPackage(findTestFile(PACKAGE_FILE_NAME), /* reinstall */ false);
- prepareVirtualizationTestSetup(mAndroidDevice);
- mMicrodroidDevice = null;
+ // Prepare system properties for custom debug policy.
+ setPropertyOrThrow(getDevice(), CUSTOM_DEBUG_POLICY_PATH_PROP, CUSTOM_DEBUG_POLICY_PATH);
}
@After
public void shutdown() throws Exception {
- if (!mAndroidDevice.supportsMicrodroid(/* protectedVm= */ true)) {
- return;
- }
- if (mMicrodroidDevice != null) {
- mAndroidDevice.shutdownMicrodroid(mMicrodroidDevice);
- mMicrodroidDevice = null;
- }
- mAndroidDevice.uninstallPackage(PACKAGE_NAME);
+ super.shutdown();
// Cleanup for custom debug policies
- setPropertyOrThrow(mAndroidDevice, CUSTOM_DEBUG_POLICY_PATH_PROP, "");
- setPropertyOrThrow(mAndroidDevice, CUSTOM_PVMFW_IMG_PATH_PROP, "");
- FileUtil.deleteFile(mCustomPvmfwBinFileOnHost);
-
- cleanUpVirtualizationTestSetup(mAndroidDevice);
+ setPropertyOrThrow(getDevice(), CUSTOM_DEBUG_POLICY_PATH_PROP, "");
}
@Test
@@ -198,43 +132,41 @@
@Test
public void testRamdumpInDebugPolicy_withDebugLevelNone_hasRamdumpArgs() throws Exception {
prepareCustomDebugPolicy("avf_debug_policy_with_ramdump.dtbo");
- mMicrodroidDevice = launchProtectedVmAndWaitForBootCompleted(MICRODROID_DEBUG_NONE);
+ ITestDevice device = launchProtectedVmAndWaitForBootCompleted(MICRODROID_DEBUG_NONE);
- assertThat(readMicrodroidFileAsString(MICRODROID_CMDLINE_PATH)).contains("crashkernel=");
- assertThat(readMicrodroidFileAsString(MICRODROID_DT_BOOTARGS_PATH))
- .contains("crashkernel=");
- assertThat(readMicrodroidFileAsHexString(MICRODROID_DT_RAMDUMP_PATH))
+ assertThat(readFileAsString(device, MICRODROID_CMDLINE_PATH)).contains("crashkernel=");
+ assertThat(readFileAsString(device, MICRODROID_DT_BOOTARGS_PATH)).contains("crashkernel=");
+ assertThat(readFileAsHexString(device, MICRODROID_DT_RAMDUMP_PATH))
.isEqualTo(HEX_STRING_ONE);
}
@Test
public void testNoRamdumpInDebugPolicy_withDebugLevelNone_noRamdumpArgs() throws Exception {
prepareCustomDebugPolicy("avf_debug_policy_without_ramdump.dtbo");
- mMicrodroidDevice = launchProtectedVmAndWaitForBootCompleted(MICRODROID_DEBUG_NONE);
+ ITestDevice device = launchProtectedVmAndWaitForBootCompleted(MICRODROID_DEBUG_NONE);
- assertThat(readMicrodroidFileAsString(MICRODROID_CMDLINE_PATH))
+ assertThat(readFileAsString(device, MICRODROID_CMDLINE_PATH))
.doesNotContain("crashkernel=");
- assertThat(readMicrodroidFileAsString(MICRODROID_DT_BOOTARGS_PATH))
+ assertThat(readFileAsString(device, MICRODROID_DT_BOOTARGS_PATH))
.doesNotContain("crashkernel=");
- assertThat(readMicrodroidFileAsHexString(MICRODROID_DT_RAMDUMP_PATH))
+ assertThat(readFileAsHexString(device, MICRODROID_DT_RAMDUMP_PATH))
.isEqualTo(HEX_STRING_ZERO);
}
@Test
public void testNoRamdumpInDebugPolicy_withDebugLevelFull_hasRamdumpArgs() throws Exception {
prepareCustomDebugPolicy("avf_debug_policy_without_ramdump.dtbo");
- mMicrodroidDevice = launchProtectedVmAndWaitForBootCompleted(MICRODROID_DEBUG_FULL);
+ ITestDevice device = launchProtectedVmAndWaitForBootCompleted(MICRODROID_DEBUG_FULL);
- assertThat(readMicrodroidFileAsString(MICRODROID_CMDLINE_PATH)).contains("crashkernel=");
- assertThat(readMicrodroidFileAsString(MICRODROID_DT_BOOTARGS_PATH))
- .contains("crashkernel=");
- assertThat(readMicrodroidFileAsHexString(MICRODROID_DT_RAMDUMP_PATH))
+ assertThat(readFileAsString(device, MICRODROID_CMDLINE_PATH)).contains("crashkernel=");
+ assertThat(readFileAsString(device, MICRODROID_DT_BOOTARGS_PATH)).contains("crashkernel=");
+ assertThat(readFileAsHexString(device, MICRODROID_DT_RAMDUMP_PATH))
.isEqualTo(HEX_STRING_ZERO);
}
private boolean isDebugPolicyEnabled(@NonNull String dtPropertyPath)
throws DeviceNotAvailableException {
- CommandRunner runner = new CommandRunner(mAndroidDevice);
+ CommandRunner runner = new CommandRunner(getDevice());
CommandResult result =
runner.runForResult("xxd", "-p", "/proc/device-tree" + dtPropertyPath);
if (result.getStatus() == CommandStatus.SUCCESS) {
@@ -244,15 +176,15 @@
}
@NonNull
- private String readMicrodroidFileAsString(@NonNull String path)
+ private String readFileAsString(@NonNull ITestDevice device, @NonNull String path)
throws DeviceNotAvailableException {
- return new CommandRunner(mMicrodroidDevice).run("cat", path);
+ return new CommandRunner(device).run("cat", path);
}
@NonNull
- private String readMicrodroidFileAsHexString(@NonNull String path)
+ private String readFileAsHexString(@NonNull ITestDevice device, @NonNull String path)
throws DeviceNotAvailableException {
- return new CommandRunner(mMicrodroidDevice).run("xxd", "-p", path);
+ return new CommandRunner(device).run("xxd", "-p", path);
}
private void prepareCustomDebugPolicy(@NonNull String debugPolicyFileName) throws Exception {
@@ -260,11 +192,16 @@
getTestInformation()
.getDependencyFile(debugPolicyFileName, /* targetFirst= */ false);
- Pvmfw pvmfw =
- new Pvmfw.Builder(mPvmfwBinFileOnHost, mBccFileOnHost)
- .setDebugPolicyOverlay(mCustomDebugPolicyFileOnHost)
- .build();
- pvmfw.serialize(mCustomPvmfwBinFileOnHost);
+ Pvmfw.Builder builder =
+ new Pvmfw.Builder(getPvmfwBinFile(), getBccFile())
+ .setDebugPolicyOverlay(mCustomDebugPolicyFileOnHost);
+ if (isSecretKeeperSupported()) {
+ builder.setVmReferenceDt(getVmReferenceDtFile());
+ } else {
+ builder.setVersion(1, 1);
+ }
+ Pvmfw pvmfw = builder.build();
+ pvmfw.serialize(getCustomPvmfwFile());
}
private boolean hasConsoleOutput(@NonNull CommandResult result)
@@ -274,29 +211,22 @@
private boolean hasMicrodroidLogcatOutput() throws DeviceNotAvailableException {
CommandResult result =
- new CommandRunner(mAndroidDevice).runForResult("test", "-s", MICRODROID_LOG_PATH);
+ new CommandRunner(getDevice()).runForResult("test", "-s", MICRODROID_LOG_PATH);
return result.getExitCode() == 0;
}
- private ITestDevice launchProtectedVmAndWaitForBootCompleted(String debugLevel)
+ public ITestDevice launchProtectedVmAndWaitForBootCompleted(String debugLevel)
throws DeviceNotAvailableException {
return launchProtectedVmAndWaitForBootCompleted(debugLevel, BOOT_COMPLETE_TIMEOUT_MS);
}
- private ITestDevice launchProtectedVmAndWaitForBootCompleted(
+ public ITestDevice launchProtectedVmAndWaitForBootCompleted(
String debugLevel, long adbTimeoutMs) throws DeviceNotAvailableException {
- mMicrodroidDevice =
- MicrodroidBuilder.fromDevicePath(
- getPathForPackage(PACKAGE_NAME), MICRODROID_CONFIG_PATH)
- .debugLevel(debugLevel)
- .protectedVm(/* protectedVm= */ true)
- .addBootFile(mCustomPvmfwBinFileOnHost, PVMFW_FILE_NAME)
- .addBootFile(mCustomDebugPolicyFileOnHost, CUSTOM_DEBUG_POLICY_FILE_NAME)
- .setAdbConnectTimeoutMs(adbTimeoutMs)
- .build(mAndroidDevice);
- assertThat(mMicrodroidDevice.waitForBootComplete(BOOT_COMPLETE_TIMEOUT_MS)).isTrue();
- assertThat(mMicrodroidDevice.enableAdbRoot()).isTrue();
- return mMicrodroidDevice;
+ Map<String, File> bootFiles =
+ Collections.singletonMap(
+ CUSTOM_DEBUG_POLICY_FILE_NAME, mCustomDebugPolicyFileOnHost);
+
+ return launchProtectedVmAndWaitForBootCompleted(debugLevel, adbTimeoutMs, bootFiles);
}
// Try to launch protected non-debuggable VM for a while and quit.
@@ -304,10 +234,10 @@
private CommandResult tryLaunchProtectedNonDebuggableVm() throws Exception {
// Can't use MicrodroidBuilder because it expects adb connection
// but non-debuggable VM may not enable adb.
- CommandRunner runner = new CommandRunner(mAndroidDevice);
+ CommandRunner runner = new CommandRunner(getDevice());
runner.run("mkdir", "-p", TEST_ROOT);
- mAndroidDevice.pushFile(mCustomPvmfwBinFileOnHost, CUSTOM_PVMFW_IMG_PATH);
- mAndroidDevice.pushFile(mCustomDebugPolicyFileOnHost, CUSTOM_DEBUG_POLICY_PATH);
+ getDevice().pushFile(getCustomPvmfwFile(), CUSTOM_PVMFW_IMG_PATH);
+ getDevice().pushFile(mCustomDebugPolicyFileOnHost, CUSTOM_DEBUG_POLICY_PATH);
// This will fail because app wouldn't finish itself.
// But let's run the app once and get logs.
@@ -327,7 +257,11 @@
if (isFeatureEnabled("com.android.kvm.LLPVM_CHANGES")) {
command = String.join(" ", command, "--instance-id-file", TEST_ROOT + "instance_id");
}
- return mAndroidDevice.executeShellV2Command(
- command, CONSOLE_OUTPUT_WAIT_MS, TimeUnit.MILLISECONDS, /* retryAttempts= */ 0);
+ return getDevice()
+ .executeShellV2Command(
+ command,
+ CONSOLE_OUTPUT_WAIT_MS,
+ TimeUnit.MILLISECONDS,
+ /* retryAttempts= */ 0);
}
}
diff --git a/tests/pvmfw/java/com/android/pvmfw/test/PvmfwImgTest.java b/tests/pvmfw/java/com/android/pvmfw/test/PvmfwImgTest.java
index 9fbbd87..19334d6 100644
--- a/tests/pvmfw/java/com/android/pvmfw/test/PvmfwImgTest.java
+++ b/tests/pvmfw/java/com/android/pvmfw/test/PvmfwImgTest.java
@@ -16,126 +16,50 @@
package com.android.pvmfw.test;
-import static com.android.tradefed.device.TestDevice.MicrodroidBuilder;
-
-import static com.google.common.truth.Truth.assertThat;
-
-import static org.junit.Assume.assumeTrue;
import static org.junit.Assert.assertThrows;
-import androidx.annotation.NonNull;
-import androidx.annotation.Nullable;
-
-import com.android.microdroid.test.host.MicrodroidHostTestCaseBase;
import com.android.pvmfw.test.host.Pvmfw;
import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.device.DeviceRuntimeException;
import com.android.tradefed.device.ITestDevice;
-import com.android.tradefed.device.TestDevice;
import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
-import com.android.tradefed.util.FileUtil;
-import org.junit.After;
-import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
-import java.io.File;
import java.util.Arrays;
+import java.util.Collections;
import java.util.List;
-import java.util.Objects;
/** Tests pvmfw.img and pvmfw */
@RunWith(DeviceJUnit4ClassRunner.class)
-public class PvmfwImgTest extends MicrodroidHostTestCaseBase {
- @NonNull private static final String PVMFW_FILE_NAME = "pvmfw_test.bin";
- @NonNull private static final String BCC_FILE_NAME = "bcc.dat";
- @NonNull private static final String PACKAGE_FILE_NAME = "MicrodroidTestApp.apk";
- @NonNull private static final String PACKAGE_NAME = "com.android.microdroid.test";
- @NonNull private static final String MICRODROID_DEBUG_FULL = "full";
-
- @NonNull
- private static final String MICRODROID_CONFIG_PATH = "assets/microdroid/vm_config_apex.json";
-
- private static final int BOOT_COMPLETE_TIMEOUT_MS = 30000; // 30 seconds
- private static final int BOOT_FAILURE_WAIT_TIME_MS = 10000; // 10 seconds
-
- @NonNull private static final String CUSTOM_PVMFW_FILE_PREFIX = "pvmfw";
- @NonNull private static final String CUSTOM_PVMFW_FILE_SUFFIX = ".bin";
- @NonNull private static final String CUSTOM_PVMFW_IMG_PATH = TEST_ROOT + PVMFW_FILE_NAME;
- @NonNull private static final String CUSTOM_PVMFW_IMG_PATH_PROP = "hypervisor.pvmfw.path";
-
- @Nullable private static File mPvmfwBinFileOnHost;
- @Nullable private static File mBccFileOnHost;
-
- @Nullable private TestDevice mAndroidDevice;
- @Nullable private ITestDevice mMicrodroidDevice;
- @Nullable private File mCustomPvmfwBinFileOnHost;
-
- @Before
- public void setUp() throws Exception {
- mAndroidDevice = (TestDevice) Objects.requireNonNull(getDevice());
-
- // Check device capabilities
- assumeDeviceIsCapable(mAndroidDevice);
- assumeTrue(
- "Skip if protected VMs are not supported",
- mAndroidDevice.supportsMicrodroid(/* protectedVm= */ true));
-
- // tradefed copies the test artfacts under /tmp when running tests,
- // so we should *find* the artifacts with the file name.
- mPvmfwBinFileOnHost =
- getTestInformation().getDependencyFile(PVMFW_FILE_NAME, /* targetFirst= */ false);
- mBccFileOnHost =
- getTestInformation().getDependencyFile(BCC_FILE_NAME, /* targetFirst= */ false);
-
- // Prepare for system properties for custom pvmfw.img.
- // File will be prepared later in individual test and then pushed to device
- // when launching with launchProtectedVmAndWaitForBootCompleted().
- mCustomPvmfwBinFileOnHost =
- FileUtil.createTempFile(CUSTOM_PVMFW_FILE_PREFIX, CUSTOM_PVMFW_FILE_SUFFIX);
- setPropertyOrThrow(mAndroidDevice, CUSTOM_PVMFW_IMG_PATH_PROP, CUSTOM_PVMFW_IMG_PATH);
-
- // Prepare for launching microdroid
- mAndroidDevice.installPackage(findTestFile(PACKAGE_FILE_NAME), /* reinstall */ false);
- prepareVirtualizationTestSetup(mAndroidDevice);
- mMicrodroidDevice = null;
- }
-
- @After
- public void shutdown() throws Exception {
- if (!mAndroidDevice.supportsMicrodroid(/* protectedVm= */ true)) {
- return;
- }
- if (mMicrodroidDevice != null) {
- mAndroidDevice.shutdownMicrodroid(mMicrodroidDevice);
- mMicrodroidDevice = null;
- }
- mAndroidDevice.uninstallPackage(PACKAGE_NAME);
-
- // Cleanup for custom pvmfw.img
- setPropertyOrThrow(mAndroidDevice, CUSTOM_PVMFW_IMG_PATH_PROP, "");
- FileUtil.deleteFile(mCustomPvmfwBinFileOnHost);
-
- cleanUpVirtualizationTestSetup(mAndroidDevice);
- }
-
+public class PvmfwImgTest extends CustomPvmfwHostTestCaseBase {
@Test
- public void testConfigVersion1_0_boots() throws Exception {
- Pvmfw pvmfw =
- new Pvmfw.Builder(mPvmfwBinFileOnHost, mBccFileOnHost).setVersion(1, 0).build();
- pvmfw.serialize(mCustomPvmfwBinFileOnHost);
+ public void testPvmfw_beforeVmReferenceDt_whenSecretKeeperExists() throws Exception {
+ // VM reference DT is added since version 1.2
+ List<int[]> earlyVersions = Arrays.asList(new int[] {1, 0}, new int[] {1, 1});
+ Pvmfw.Builder builder = new Pvmfw.Builder(getPvmfwBinFile(), getBccFile());
- launchProtectedVmAndWaitForBootCompleted(BOOT_COMPLETE_TIMEOUT_MS);
- }
+ for (int[] pair : earlyVersions) {
+ int major = pair[0];
+ int minor = pair[1];
+ String version = "v" + major + "." + minor;
- @Test
- public void testConfigVersion1_1_boots() throws Exception {
- Pvmfw pvmfw =
- new Pvmfw.Builder(mPvmfwBinFileOnHost, mBccFileOnHost).setVersion(1, 1).build();
- pvmfw.serialize(mCustomPvmfwBinFileOnHost);
+ // Pvmfw config before v1.2 can't have secret keeper key in VM reference DT.
+ Pvmfw pvmfw = builder.setVersion(major, minor).build();
+ pvmfw.serialize(getCustomPvmfwFile());
- launchProtectedVmAndWaitForBootCompleted(BOOT_COMPLETE_TIMEOUT_MS);
+ if (isSecretKeeperSupported()) {
+ // If secret keeper is supported, we can't boot with early version
+ assertThrows(
+ "pvmfw shouldn't boot without VM reference DT, version=" + version,
+ DeviceRuntimeException.class,
+ () -> launchProtectedVmAndWaitForBootCompleted(BOOT_FAILURE_WAIT_TIME_MS));
+ } else {
+ launchProtectedVmAndWaitForBootCompleted(BOOT_COMPLETE_TIMEOUT_MS);
+ shutdownMicrodroid();
+ }
+ }
}
@Test
@@ -153,15 +77,23 @@
new int[] {0xFFFF, 1},
new int[] {0xFFFF, 0xFFFF});
- Pvmfw.Builder builder = new Pvmfw.Builder(mPvmfwBinFileOnHost, mBccFileOnHost);
+ Pvmfw.Builder builder =
+ new Pvmfw.Builder(getPvmfwBinFile(), getBccFile())
+ .setVmReferenceDt(getVmReferenceDtFile());
for (int[] pair : invalid_versions) {
int major = pair[0];
int minor = pair[1];
String version = "v" + major + "." + minor;
+ if (Pvmfw.makeVersion(major, minor) >= Pvmfw.makeVersion(1, 2)
+ && getVmReferenceDtFile() == null) {
+ // VM reference DT is unavailable, so we can't even build Pvmfw.
+ continue;
+ }
+
Pvmfw pvmfw = builder.setVersion(major, minor).build();
- pvmfw.serialize(mCustomPvmfwBinFileOnHost);
+ pvmfw.serialize(getCustomPvmfwFile());
assertThrows(
"pvmfw shouldn't boot with invalid version " + version,
@@ -170,17 +102,9 @@
}
}
- private ITestDevice launchProtectedVmAndWaitForBootCompleted(long adbTimeoutMs)
+ public ITestDevice launchProtectedVmAndWaitForBootCompleted(long adbTimeoutMs)
throws DeviceNotAvailableException {
- mMicrodroidDevice =
- MicrodroidBuilder.fromDevicePath(
- getPathForPackage(PACKAGE_NAME), MICRODROID_CONFIG_PATH)
- .debugLevel(MICRODROID_DEBUG_FULL)
- .protectedVm(true)
- .addBootFile(mCustomPvmfwBinFileOnHost, PVMFW_FILE_NAME)
- .setAdbConnectTimeoutMs(adbTimeoutMs)
- .build(mAndroidDevice);
- assertThat(mMicrodroidDevice.waitForBootComplete(BOOT_COMPLETE_TIMEOUT_MS)).isTrue();
- return mMicrodroidDevice;
+ return launchProtectedVmAndWaitForBootCompleted(
+ MICRODROID_DEBUG_FULL, adbTimeoutMs, Collections.emptyMap());
}
}
diff --git a/tests/pvmfw/java/com/android/pvmfw/test/PvmfwTest.java b/tests/pvmfw/java/com/android/pvmfw/test/PvmfwTest.java
new file mode 100644
index 0000000..bea72eb
--- /dev/null
+++ b/tests/pvmfw/java/com/android/pvmfw/test/PvmfwTest.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.pvmfw.test;
+
+import static org.junit.Assert.assertThrows;
+
+import com.android.pvmfw.test.host.Pvmfw;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+/** Test test helper */
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class PvmfwTest extends CustomPvmfwHostTestCaseBase {
+ @Test
+ public void testPvmfw_withConfig1_2_requiresReferenceDt() {
+ assertThrows(
+ "pvmfw config 1.2 must require VM reference DT",
+ NullPointerException.class,
+ () -> {
+ new Pvmfw.Builder(getPvmfwBinFile(), getBccFile()).setVersion(1, 2).build();
+ });
+ }
+
+ @Test
+ public void testPvmfw_before1_2_doesNotRequiresReferenceDt() {
+ new Pvmfw.Builder(getPvmfwBinFile(), getBccFile()).setVersion(1, 1).build();
+ }
+}
diff --git a/tests/pvmfw/tools/PvmfwTool.java b/tests/pvmfw/tools/PvmfwTool.java
index 62c641b..e150ec4 100644
--- a/tests/pvmfw/tools/PvmfwTool.java
+++ b/tests/pvmfw/tools/PvmfwTool.java
@@ -25,28 +25,41 @@
public class PvmfwTool {
public static void printUsage() {
System.out.println("pvmfw-tool: Appends pvmfw.bin and config payloads.");
- System.out.println("Requires BCC and optional debug policy dtbo files");
- System.out.println("");
- System.out.println("Usage: pvmfw-tool <out> <pvmfw.bin> <bcc.dat> [<dp.dtbo>]");
+ System.out.println(" Requires BCC and VM reference DT.");
+ System.out.println(" VM DTBO and Debug policy can optionally be specified");
+ System.out.println(
+ "Usage: pvmfw-tool <out> <pvmfw.bin> <bcc.dat> <VM reference DT> [VM DTBO] [debug"
+ + " policy]");
}
public static void main(String[] args) {
- if (args.length != 4 && args.length != 3) {
+ if (args.length < 3 || args.length > 6) {
printUsage();
System.exit(1);
}
File out = new File(args[0]);
- File pvmfw_bin = new File(args[1]);
- File bcc_dat = new File(args[2]);
+ File pvmfwBin = new File(args[1]);
+ File bccData = new File(args[2]);
+ File vmReferenceDt = new File(args[3]);
+
+ File vmDtbo = null;
+ File dp = null;
+ if (args.length > 4) {
+ vmDtbo = new File(args[4]);
+ }
+ if (args.length > 5) {
+ dp = new File(args[5]);
+ }
try {
- Pvmfw.Builder builder = new Pvmfw.Builder(pvmfw_bin, bcc_dat);
- if (args.length == 4) {
- File dtbo = new File(args[3]);
- builder.setDebugPolicyOverlay(dtbo);
- }
- builder.build().serialize(out);
+ Pvmfw pvmfw =
+ new Pvmfw.Builder(pvmfwBin, bccData)
+ .setVmReferenceDt(vmReferenceDt)
+ .setDebugPolicyOverlay(dp)
+ .setVmDtbo(vmDtbo)
+ .build();
+ pvmfw.serialize(out);
} catch (IOException e) {
e.printStackTrace();
printUsage();
diff --git a/tests/testapk/Android.bp b/tests/testapk/Android.bp
index 2a04103..732be94 100644
--- a/tests/testapk/Android.bp
+++ b/tests/testapk/Android.bp
@@ -17,6 +17,7 @@
name: "MicrodroidTestAppsDefaults",
test_suites: [
"cts",
+ "vts",
"general-tests",
],
static_libs: [
diff --git a/tests/testapk/AndroidTest.xml b/tests/testapk/AndroidTest.xml
index 8a4c367..22cd0dc 100644
--- a/tests/testapk/AndroidTest.xml
+++ b/tests/testapk/AndroidTest.xml
@@ -15,6 +15,7 @@
-->
<configuration description="Runs Microdroid device-side tests.">
<option name="test-suite-tag" value="cts" />
+ <option name="test-suite-tag" value="vts" />
<option name="config-descriptor:metadata" key="component" value="security" />
<option name="config-descriptor:metadata" key="parameter" value="not_instant_app" />
<option name="config-descriptor:metadata" key="parameter" value="not_multi_abi" />
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index 22bea58..6be219e 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -49,7 +49,7 @@
use android_system_virtualmachineservice::aidl::android::system::virtualmachineservice::IVirtualMachineService::{
BnVirtualMachineService, IVirtualMachineService,
};
-use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::ISecretkeeper::ISecretkeeper;
+use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::ISecretkeeper::{BnSecretkeeper, ISecretkeeper};
use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::SecretId::SecretId;
use android_hardware_security_authgraph::aidl::android::hardware::security::authgraph::{
Arc::Arc as AuthgraphArc, IAuthGraphKeyExchange::IAuthGraphKeyExchange,
@@ -1501,11 +1501,12 @@
}
}
- fn getSecretkeeper(&self) -> binder::Result<Option<Strong<dyn ISecretkeeper>>> {
- // TODO(b/327526008): Session establishment wth secretkeeper is failing.
- // Re-enable this when fixed.
- let _sk_supported = is_secretkeeper_supported();
- Ok(None)
+ fn getSecretkeeper(&self) -> binder::Result<Strong<dyn ISecretkeeper>> {
+ if !is_secretkeeper_supported() {
+ return Err(StatusCode::NAME_NOT_FOUND)?;
+ }
+ let sk = binder::wait_for_interface(SECRETKEEPER_IDENTIFIER)?;
+ Ok(BnSecretkeeper::new_binder(SecretkeeperProxy(sk), BinderFeatures::default()))
}
fn requestAttestation(&self, csr: &[u8], test_mode: bool) -> binder::Result<Vec<Certificate>> {
@@ -1514,8 +1515,11 @@
}
fn is_secretkeeper_supported() -> bool {
- binder::is_declared(SECRETKEEPER_IDENTIFIER)
- .expect("Could not check for declared Secretkeeper interface")
+ // TODO(b/327526008): Session establishment wth secretkeeper is failing.
+ // Re-enable this when fixed.
+ let _sk_supported = binder::is_declared(SECRETKEEPER_IDENTIFIER)
+ .expect("Could not check for declared Secretkeeper interface");
+ false
}
impl VirtualMachineService {
diff --git a/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl b/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl
index 6806a5c..662c8f1 100644
--- a/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl
+++ b/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl
@@ -58,9 +58,9 @@
Certificate[] requestAttestation(in byte[] csr, in boolean testMode);
/**
- * Request connection to Secretkeeper. This is used by pVM to store Anti-Rollback protected
- * secrets. Note that the return value is nullable to reflect that Secretkeeper HAL may not be
- * present.
+ * Request connection to Secretkeeper. This is used by pVM to store rollback protected secrets.
+ * Note that this returns error if Secretkeeper is not supported on device. Guest should check
+ * that Secretkeeper is supported from Linux device tree before calling this.
*/
- @nullable ISecretkeeper getSecretkeeper();
+ ISecretkeeper getSecretkeeper();
}