Start apexd later

Only start apexd, which activates APEXes and might allow code from
them to execute, after we have created the payload DICE node, by which
point Microdroid's CDIs are gone.

This may slow down VM startup slightly.

Bug: 308759880
Test: atest MicrodroidTests
Change-Id: I0d736955660ee70f04ede288415c2aa362db996a
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index 3d12daa..1b41e58 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -284,6 +284,13 @@
     let dice_artifacts = dice_derivation(dice, &verified_data, &payload_metadata)?;
     let vm_secret = VmSecret::new(dice_artifacts).context("Failed to create VM secrets")?;
 
+    if cfg!(dice_changes) {
+        // Now that the DICE derivation is done, it's ok to allow payload code to run.
+
+        // Start apexd to activate APEXes. This may allow code within them to run.
+        system_properties::write("ctl.start", "apexd-vm")?;
+    }
+
     // Run encryptedstore binary to prepare the storage
     let encryptedstore_child = if Path::new(ENCRYPTEDSTORE_BACKING_DEVICE).exists() {
         info!("Preparing encryptedstore ...");
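Review bot: The `cfg!(dice_changes)` gate added here and the `cfg!(not(dice_changes))` gate in verify.rs (second hunk) must stay exactly complementary, yet nothing in either file ties them together: if one cfg name drifts, apexd is started twice or not at all. The two comment lines at the top of the block, split by a blank line, would be clearer as one comment that records both the invariant and the counterpart, e.g. `// Start apexd only now that DICE derivation is done: it may let payload code run, which must not happen while Microdroid's CDIs are still usable. Keep this gate complementary to the !dice_changes path in verify.rs.` Whether the CDIs are in fact gone at this point is not visible in the hunk (it depends on dice_derivation and VmSecret::new), so that part of the comment should be confirmed against those functions. The enclosing function starts and ends outside the hunk.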
diff --git a/microdroid_manager/src/verify.rs b/microdroid_manager/src/verify.rs
index 78951f7..e63530b 100644
--- a/microdroid_manager/src/verify.rs
+++ b/microdroid_manager/src/verify.rs
@@ -135,8 +135,10 @@
         write_apex_payload_data(saved_data, &apex_data_from_payload)?;
     }
 
-    // Start apexd to activate APEXes
-    system_properties::write("ctl.start", "apexd-vm")?;
+    if cfg!(not(dice_changes)) {
+        // Start apexd to activate APEXes
+        system_properties::write("ctl.start", "apexd-vm")?;
+    }
 
     // TODO(inseob): add timeout
     apkdmverity_child.wait()?;