Merge "Remove DisableMicrodroidDebugPolicyPreparer from MicrodroidHostTestCases"
diff --git a/authfs/service/authfs_service.rc b/authfs/service/authfs_service.rc
index 409e91c..bc67c83 100644
--- a/authfs/service/authfs_service.rc
+++ b/authfs/service/authfs_service.rc
@@ -3,3 +3,4 @@
socket authfs_service stream 0666 root system
# SYS_ADMIN capability allows to mount FUSE filesystem
capabilities SYS_ADMIN
+ user root
diff --git a/authfs/tests/benchmarks/Android.bp b/authfs/tests/benchmarks/Android.bp
index 38ece79..110d000 100644
--- a/authfs/tests/benchmarks/Android.bp
+++ b/authfs/tests/benchmarks/Android.bp
@@ -12,6 +12,7 @@
"AuthFsHostTestCommon",
"MicrodroidHostTestHelper",
"cts-host-utils",
+ "MicrodroidTestPreparer", // Workaround for sandboxed test environment to install this
],
test_suites: ["general-tests"],
data_device_bins_first: [
@@ -24,6 +25,7 @@
":CtsApkVerityTestPrebuiltFiles",
":MicrodroidTestApp",
],
+ required: ["MicrodroidTestPreparer"],
}
cc_binary {
diff --git a/compos/benchmark/Android.bp b/compos/benchmark/Android.bp
index 12b3ae8..dc0c01c 100644
--- a/compos/benchmark/Android.bp
+++ b/compos/benchmark/Android.bp
@@ -18,4 +18,6 @@
sdk_version: "test_current",
use_embedded_native_libs: true,
compile_multilib: "64",
+
+ host_required: ["MicrodroidTestPreparer"],
}
diff --git a/compos/common/compos_client.rs b/compos/common/compos_client.rs
index bf4c678..bc6ab25 100644
--- a/compos/common/compos_client.rs
+++ b/compos/common/compos_client.rs
@@ -53,6 +53,8 @@
/// Parameters to be used when creating a virtual machine instance.
#[derive(Default, Debug, Clone)]
pub struct VmParameters {
+ /// The name of VM for identifying.
+ pub name: String,
/// Whether the VM should be debuggable.
pub debug_mode: bool,
/// CPU topology of the VM. Defaults to 1 vCPU.
@@ -115,7 +117,7 @@
};
let config = VirtualMachineConfig::AppConfig(VirtualMachineAppConfig {
- name: String::from("Compos"),
+ name: parameters.name.clone(),
apk: Some(apk_fd),
idsig: Some(idsig_fd),
instanceImage: Some(instance_fd),
diff --git a/compos/composd/src/instance_manager.rs b/compos/composd/src/instance_manager.rs
index 2ce12f8..d7c0f9a 100644
--- a/compos/composd/src/instance_manager.rs
+++ b/compos/composd/src/instance_manager.rs
@@ -41,12 +41,14 @@
pub fn start_current_instance(&self) -> Result<CompOsInstance> {
let mut vm_parameters = new_vm_parameters()?;
+ vm_parameters.name = String::from("Composd");
vm_parameters.prefer_staged = true;
self.start_instance(CURRENT_INSTANCE_DIR, vm_parameters)
}
pub fn start_test_instance(&self, prefer_staged: bool) -> Result<CompOsInstance> {
let mut vm_parameters = new_vm_parameters()?;
+ vm_parameters.name = String::from("ComposdTest");
vm_parameters.debug_mode = true;
vm_parameters.prefer_staged = prefer_staged;
self.start_instance(TEST_INSTANCE_DIR, vm_parameters)
diff --git a/compos/verify/verify.rs b/compos/verify/verify.rs
index 13e9292..952e9c7 100644
--- a/compos/verify/verify.rs
+++ b/compos/verify/verify.rs
@@ -115,6 +115,7 @@
&idsig_manifest_apk,
&idsig_manifest_ext_apk,
&VmParameters {
+ name: String::from("ComposVerify"),
cpu_topology: VmCpuTopology::OneCpu, // This VM runs very little work at boot
debug_mode: args.debug,
..Default::default()
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachine.java b/javalib/src/android/system/virtualmachine/VirtualMachine.java
index 7713faf..f96effa 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachine.java
+++ b/javalib/src/android/system/virtualmachine/VirtualMachine.java
@@ -23,8 +23,6 @@
import static android.system.virtualmachine.VirtualMachineCallback.ERROR_PAYLOAD_INVALID_CONFIG;
import static android.system.virtualmachine.VirtualMachineCallback.ERROR_PAYLOAD_VERIFICATION_FAILED;
import static android.system.virtualmachine.VirtualMachineCallback.ERROR_UNKNOWN;
-import static android.system.virtualmachine.VirtualMachineCallback.STOP_REASON_BOOTLOADER_INSTANCE_IMAGE_CHANGED;
-import static android.system.virtualmachine.VirtualMachineCallback.STOP_REASON_BOOTLOADER_PUBLIC_KEY_MISMATCH;
import static android.system.virtualmachine.VirtualMachineCallback.STOP_REASON_CRASH;
import static android.system.virtualmachine.VirtualMachineCallback.STOP_REASON_HANGUP;
import static android.system.virtualmachine.VirtualMachineCallback.STOP_REASON_INFRASTRUCTURE_ERROR;
@@ -1353,10 +1351,6 @@
return STOP_REASON_PVM_FIRMWARE_PUBLIC_KEY_MISMATCH;
case DeathReason.PVM_FIRMWARE_INSTANCE_IMAGE_CHANGED:
return STOP_REASON_PVM_FIRMWARE_INSTANCE_IMAGE_CHANGED;
- case DeathReason.BOOTLOADER_PUBLIC_KEY_MISMATCH:
- return STOP_REASON_BOOTLOADER_PUBLIC_KEY_MISMATCH;
- case DeathReason.BOOTLOADER_INSTANCE_IMAGE_CHANGED:
- return STOP_REASON_BOOTLOADER_INSTANCE_IMAGE_CHANGED;
case DeathReason.MICRODROID_FAILED_TO_CONNECT_TO_VIRTUALIZATION_SERVICE:
return STOP_REASON_MICRODROID_FAILED_TO_CONNECT_TO_VIRTUALIZATION_SERVICE;
case DeathReason.MICRODROID_PAYLOAD_HAS_CHANGED:
diff --git a/libs/hyp/Android.bp b/libs/hyp/Android.bp
new file mode 100644
index 0000000..bc66190
--- /dev/null
+++ b/libs/hyp/Android.bp
@@ -0,0 +1,18 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+rust_library_rlib {
+ name: "libhyp",
+ crate_name: "hyp",
+ srcs: ["src/lib.rs"],
+ prefer_rlib: true,
+ rustlibs: [
+ "libsmccc",
+ ],
+ no_stdlibs: true,
+ stdlibs: [
+ "libcore.rust_sysroot",
+ ],
+ apex_available: ["com.android.virt"],
+}
diff --git a/libs/hyp/src/error.rs b/libs/hyp/src/error.rs
new file mode 100644
index 0000000..20a0cff
--- /dev/null
+++ b/libs/hyp/src/error.rs
@@ -0,0 +1,45 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Error and Result types for hypervisor.
+
+use core::{fmt, result};
+
+/// Result type with hypervisor error.
+pub type Result<T> = result::Result<T, Error>;
+
+/// Hypervisor error.
+#[derive(Debug, Clone)]
+pub enum Error {
+ /// MMIO guard is not supported.
+ MmioGuardNotsupported,
+ /// Failed to invoke a certain HVC function.
+ HvcError(smccc::Error, u32),
+ /// The MMIO_GUARD granule used by the hypervisor is not supported.
+ UnsupportedMmioGuardGranule(usize),
+}
+
+impl fmt::Display for Error {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ match self {
+ Self::MmioGuardNotsupported => write!(f, "MMIO guard is not supported"),
+ Self::HvcError(e, function_id) => {
+ write!(f, "Failed to invoke the HVC function with function ID {function_id}: {e}")
+ }
+ Self::UnsupportedMmioGuardGranule(g) => {
+ write!(f, "Unsupported MMIO guard granule: {g}")
+ }
+ }
+ }
+}
diff --git a/libs/hyp/src/hypervisor/common.rs b/libs/hyp/src/hypervisor/common.rs
new file mode 100644
index 0000000..550fb2e
--- /dev/null
+++ b/libs/hyp/src/hypervisor/common.rs
@@ -0,0 +1,44 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module regroups some common traits shared by all the hypervisors.
+
+use crate::error::Result;
+
+/// Trait for the hypervisor.
+pub trait Hypervisor {
+ /// Initializes the hypervisor by enrolling a MMIO guard and checking the memory granule size.
+ /// By enrolling, all MMIO will be blocked unless allow-listed with `mmio_guard_map`.
+ /// Protected VMs are auto-enrolled.
+ fn mmio_guard_init(&self) -> Result<()>;
+
+ /// Maps a memory address to the hypervisor MMIO guard.
+ fn mmio_guard_map(&self, addr: usize) -> Result<()>;
+
+ /// Unmaps a memory address from the hypervisor MMIO guard.
+ fn mmio_guard_unmap(&self, addr: usize) -> Result<()>;
+
+ /// Shares a region of memory with host, granting it read, write and execute permissions.
+ /// The size of the region is equal to the memory protection granule returned by
+ /// [`hyp_meminfo`].
+ fn mem_share(&self, base_ipa: u64) -> Result<()>;
+
+ /// Revokes access permission from host to a memory region previously shared with
+ /// [`mem_share`]. The size of the region is equal to the memory protection granule returned by
+ /// [`hyp_meminfo`].
+ fn mem_unshare(&self, base_ipa: u64) -> Result<()>;
+
+ /// Returns the memory protection granule size in bytes.
+ fn memory_protection_granule(&self) -> Result<usize>;
+}
diff --git a/libs/hyp/src/hypervisor/kvm.rs b/libs/hyp/src/hypervisor/kvm.rs
new file mode 100644
index 0000000..615c75a
--- /dev/null
+++ b/libs/hyp/src/hypervisor/kvm.rs
@@ -0,0 +1,116 @@
+// Copyright 2022, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Wrappers around calls to the KVM hypervisor.
+
+use super::common::Hypervisor;
+use crate::error::{Error, Result};
+use crate::util::{page_address, SIZE_4KB};
+
+const ARM_SMCCC_KVM_FUNC_HYP_MEMINFO: u32 = 0xc6000002;
+const ARM_SMCCC_KVM_FUNC_MEM_SHARE: u32 = 0xc6000003;
+const ARM_SMCCC_KVM_FUNC_MEM_UNSHARE: u32 = 0xc6000004;
+
+const VENDOR_HYP_KVM_MMIO_GUARD_INFO_FUNC_ID: u32 = 0xc6000005;
+const VENDOR_HYP_KVM_MMIO_GUARD_ENROLL_FUNC_ID: u32 = 0xc6000006;
+const VENDOR_HYP_KVM_MMIO_GUARD_MAP_FUNC_ID: u32 = 0xc6000007;
+const VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID: u32 = 0xc6000008;
+
+pub(super) struct KvmHypervisor;
+
+impl Hypervisor for KvmHypervisor {
+ fn mmio_guard_init(&self) -> Result<()> {
+ mmio_guard_enroll()?;
+ let mmio_granule = mmio_guard_granule()?;
+ if mmio_granule != SIZE_4KB {
+ return Err(Error::UnsupportedMmioGuardGranule(mmio_granule));
+ }
+ Ok(())
+ }
+
+ fn mmio_guard_map(&self, addr: usize) -> Result<()> {
+ let mut args = [0u64; 17];
+ args[0] = page_address(addr);
+
+ // TODO(b/277859415): pKVM returns a i32 instead of a i64 in T.
+ // Drop this hack once T reaches EoL.
+ let is_i32_error_code = |n| u32::try_from(n).ok().filter(|v| (*v as i32) < 0).is_some();
+ match smccc::checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_MAP_FUNC_ID, args) {
+ Err(smccc::Error::Unexpected(e)) if is_i32_error_code(e) => match e as u32 as i32 {
+ -1 => Err(smccc::Error::NotSupported),
+ -2 => Err(smccc::Error::NotRequired),
+ -3 => Err(smccc::Error::InvalidParameter),
+ ret => Err(smccc::Error::Unknown(ret as i64)),
+ },
+ res => res,
+ }
+ .map_err(|e| Error::HvcError(e, VENDOR_HYP_KVM_MMIO_GUARD_MAP_FUNC_ID))
+ }
+
+ fn mmio_guard_unmap(&self, addr: usize) -> Result<()> {
+ let mut args = [0u64; 17];
+ args[0] = page_address(addr);
+
+ // TODO(b/277860860): pKVM returns NOT_SUPPORTED for SUCCESS in T.
+ // Drop this hack once T reaches EoL.
+ match smccc::checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID, args) {
+ Err(smccc::Error::NotSupported) | Ok(_) => Ok(()),
+ Err(e) => Err(Error::HvcError(e, VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID)),
+ }
+ }
+
+ fn mem_share(&self, base_ipa: u64) -> Result<()> {
+ let mut args = [0u64; 17];
+ args[0] = base_ipa;
+
+ checked_hvc64_expect_zero(ARM_SMCCC_KVM_FUNC_MEM_SHARE, args)
+ }
+
+ fn mem_unshare(&self, base_ipa: u64) -> Result<()> {
+ let mut args = [0u64; 17];
+ args[0] = base_ipa;
+
+ checked_hvc64_expect_zero(ARM_SMCCC_KVM_FUNC_MEM_UNSHARE, args)
+ }
+
+ fn memory_protection_granule(&self) -> Result<usize> {
+ let args = [0u64; 17];
+ let granule = checked_hvc64(ARM_SMCCC_KVM_FUNC_HYP_MEMINFO, args)?;
+ Ok(granule.try_into().unwrap())
+ }
+}
+
+fn mmio_guard_granule() -> Result<usize> {
+ let args = [0u64; 17];
+
+ let granule = checked_hvc64(VENDOR_HYP_KVM_MMIO_GUARD_INFO_FUNC_ID, args)?;
+ Ok(granule.try_into().unwrap())
+}
+
+fn mmio_guard_enroll() -> Result<()> {
+ let args = [0u64; 17];
+ match smccc::checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_ENROLL_FUNC_ID, args) {
+ Ok(_) => Ok(()),
+ Err(smccc::Error::NotSupported) => Err(Error::MmioGuardNotsupported),
+ Err(e) => Err(Error::HvcError(e, VENDOR_HYP_KVM_MMIO_GUARD_ENROLL_FUNC_ID)),
+ }
+}
+
+fn checked_hvc64_expect_zero(function: u32, args: [u64; 17]) -> Result<()> {
+ smccc::checked_hvc64_expect_zero(function, args).map_err(|e| Error::HvcError(e, function))
+}
+
+fn checked_hvc64(function: u32, args: [u64; 17]) -> Result<u64> {
+ smccc::checked_hvc64(function, args).map_err(|e| Error::HvcError(e, function))
+}
diff --git a/libs/hyp/src/hypervisor/mod.rs b/libs/hyp/src/hypervisor/mod.rs
new file mode 100644
index 0000000..87925d2
--- /dev/null
+++ b/libs/hyp/src/hypervisor/mod.rs
@@ -0,0 +1,40 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Wrappers around hypervisor back-ends.
+
+mod common;
+mod kvm;
+
+pub use common::Hypervisor;
+use kvm::KvmHypervisor;
+
+static HYPERVISOR: HypervisorBackend = HypervisorBackend::Kvm;
+
+enum HypervisorBackend {
+ Kvm,
+}
+
+impl HypervisorBackend {
+ fn get_hypervisor(&self) -> &'static dyn Hypervisor {
+ match self {
+ Self::Kvm => &KvmHypervisor,
+ }
+ }
+}
+
+/// Gets the hypervisor singleton.
+pub fn get_hypervisor() -> &'static dyn Hypervisor {
+ HYPERVISOR.get_hypervisor()
+}
diff --git a/libs/hyp/src/lib.rs b/libs/hyp/src/lib.rs
new file mode 100644
index 0000000..66c78f4
--- /dev/null
+++ b/libs/hyp/src/lib.rs
@@ -0,0 +1,24 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This library provides wrappers around various hypervisor backends.
+
+#![no_std]
+
+mod error;
+mod hypervisor;
+mod util;
+
+pub use error::{Error, Result};
+pub use hypervisor::{get_hypervisor, Hypervisor};
diff --git a/libs/hyp/src/util.rs b/libs/hyp/src/util.rs
new file mode 100644
index 0000000..56f94fd
--- /dev/null
+++ b/libs/hyp/src/util.rs
@@ -0,0 +1,22 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Utility functions.
+
+pub(crate) const SIZE_4KB: usize = 4 << 10;
+
+/// Computes the low memory page address of the 4KiB page containing a given address.
+pub(crate) fn page_address(addr: usize) -> u64 {
+ (addr & !(SIZE_4KB - 1)).try_into().unwrap()
+}
diff --git a/libs/libfdt/src/lib.rs b/libs/libfdt/src/lib.rs
index 7ddf680..61b69f5 100644
--- a/libs/libfdt/src/lib.rs
+++ b/libs/libfdt/src/lib.rs
@@ -606,6 +606,26 @@
Ok(fdt)
}
+ /// Creates an empty Flattened Device Tree with a mutable slice.
+ pub fn create_empty_tree(fdt: &mut [u8]) -> Result<&mut Self> {
+ // SAFETY - fdt_create_empty_tree() only write within the specified length,
+ // and returns error if buffer was insufficient.
+ // There will be no memory write outside of the given fdt.
+ let ret = unsafe {
+ libfdt_bindgen::fdt_create_empty_tree(
+ fdt.as_mut_ptr().cast::<c_void>(),
+ fdt.len() as i32,
+ )
+ };
+ fdt_err_expect_zero(ret)?;
+
+ // SAFETY - The FDT will be validated before it is returned.
+ let fdt = unsafe { Self::unchecked_from_mut_slice(fdt) };
+ fdt.check_full()?;
+
+ Ok(fdt)
+ }
+
/// Wraps a slice containing a Flattened Device Tree.
///
/// # Safety
diff --git a/libs/smccc/Android.bp b/libs/smccc/Android.bp
new file mode 100644
index 0000000..96943d8
--- /dev/null
+++ b/libs/smccc/Android.bp
@@ -0,0 +1,18 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+rust_library_rlib {
+ name: "libsmccc",
+ crate_name: "smccc",
+ srcs: ["src/lib.rs"],
+ prefer_rlib: true,
+ rustlibs: [
+ "libpsci",
+ ],
+ no_stdlibs: true,
+ stdlibs: [
+ "libcore.rust_sysroot",
+ ],
+ apex_available: ["com.android.virt"],
+}
diff --git a/libs/smccc/src/lib.rs b/libs/smccc/src/lib.rs
new file mode 100644
index 0000000..2cd31dc
--- /dev/null
+++ b/libs/smccc/src/lib.rs
@@ -0,0 +1,22 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Structs and functions for making SMCCC calls following the SMC Calling
+//! Convention version 1.4.
+
+#![no_std]
+
+mod smccc;
+
+pub use smccc::{checked_hvc64, checked_hvc64_expect_zero, hvc64, Error, Result};
diff --git a/pvmfw/src/smccc.rs b/libs/smccc/src/smccc.rs
similarity index 66%
rename from pvmfw/src/smccc.rs
rename to libs/smccc/src/smccc.rs
index ccf2680..c0070e0 100644
--- a/pvmfw/src/smccc.rs
+++ b/libs/smccc/src/smccc.rs
@@ -12,41 +12,13 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+//! Structs and functions for making SMCCC calls.
+
use core::{fmt, result};
-
-// TODO(b/245889995): use psci-0.1.1 crate
-#[inline(always)]
-pub fn hvc64(function: u32, args: [u64; 17]) -> [u64; 18] {
- #[cfg(target_arch = "aarch64")]
- unsafe {
- let mut ret = [0; 18];
-
- core::arch::asm!(
- "hvc #0",
- inout("x0") function as u64 => ret[0],
- inout("x1") args[0] => ret[1],
- inout("x2") args[1] => ret[2],
- inout("x3") args[2] => ret[3],
- inout("x4") args[3] => ret[4],
- inout("x5") args[4] => ret[5],
- inout("x6") args[5] => ret[6],
- inout("x7") args[6] => ret[7],
- inout("x8") args[7] => ret[8],
- inout("x9") args[8] => ret[9],
- inout("x10") args[9] => ret[10],
- inout("x11") args[10] => ret[11],
- inout("x12") args[11] => ret[12],
- inout("x13") args[12] => ret[13],
- inout("x14") args[13] => ret[14],
- inout("x15") args[14] => ret[15],
- inout("x16") args[15] => ret[16],
- inout("x17") args[16] => ret[17],
- options(nomem, nostack)
- );
-
- ret
- }
-}
+// Ideally, smccc shouldn't depend on psci. Smccc isn't split as a separate
+// upstream crate currently mostly for maintenance consideration.
+// See b/245889995 for more context.
+pub use psci::smccc::hvc64;
/// Standard SMCCC error values as described in DEN 0028E.
#[derive(Debug, Clone)]
@@ -75,8 +47,11 @@
}
}
+/// Result type with smccc::Error.
pub type Result<T> = result::Result<T, Error>;
+/// Makes a checked HVC64 call to the hypervisor, following the SMC Calling Convention version 1.4.
+/// Returns Ok only when the return code is 0.
pub fn checked_hvc64_expect_zero(function: u32, args: [u64; 17]) -> Result<()> {
match checked_hvc64(function, args)? {
0 => Ok(()),
@@ -84,6 +59,8 @@
}
}
+/// Makes a checked HVC64 call to the hypervisor, following the SMC Calling Convention version 1.4.
+/// Returns Ok with the return code only when the return code >= 0.
pub fn checked_hvc64(function: u32, args: [u64; 17]) -> Result<u64> {
match hvc64(function, args)[0] as i64 {
ret if ret >= 0 => Ok(ret as u64),
diff --git a/microdroid/initrd/Android.bp b/microdroid/initrd/Android.bp
index ff6314b..22a06e1 100644
--- a/microdroid/initrd/Android.bp
+++ b/microdroid/initrd/Android.bp
@@ -107,7 +107,7 @@
prebuilt_etc {
name: "microdroid_initrd_debuggable",
// We don't have ramdisk for architectures other than x86_64 & arm64
- src: "empty_file",
+ src: ":empty_file",
arch: {
x86_64: {
src: ":microdroid_initrd_debuggable_x86_64",
@@ -122,7 +122,7 @@
prebuilt_etc {
name: "microdroid_initrd_normal",
// We don't have ramdisk for architectures other than x86_64 & arm64
- src: "empty_file",
+ src: ":empty_file",
arch: {
x86_64: {
src: ":microdroid_initrd_normal_x86_64",
diff --git a/microdroid/initrd/empty_file b/microdroid/initrd/empty_file
deleted file mode 100644
index e69de29..0000000
--- a/microdroid/initrd/empty_file
+++ /dev/null
diff --git a/microdroid_manager/microdroid_manager.rc b/microdroid_manager/microdroid_manager.rc
index 97d14b5..e257547 100644
--- a/microdroid_manager/microdroid_manager.rc
+++ b/microdroid_manager/microdroid_manager.rc
@@ -11,4 +11,5 @@
# CAP_SETCAP is required to allow microdroid_manager to drop capabilities
# before executing the payload
capabilities AUDIT_CONTROL SYS_ADMIN SYS_BOOT SETPCAP
+ user root
socket vm_payload_service stream 0666 system system
diff --git a/microdroid_manager/src/instance.rs b/microdroid_manager/src/instance.rs
index 6900ea5..b16a1e1 100644
--- a/microdroid_manager/src/instance.rs
+++ b/microdroid_manager/src/instance.rs
@@ -279,12 +279,24 @@
pub apex_data: Vec<ApexData>,
}
+impl MicrodroidData {
+ pub fn extra_apk_root_hash_eq(&self, i: usize, root_hash: &[u8]) -> bool {
+ self.extra_apks_data.get(i).map_or(false, |apk| apk.root_hash_eq(root_hash))
+ }
+}
+
#[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
pub struct ApkData {
pub root_hash: Box<RootHash>,
pub pubkey: Box<[u8]>,
}
+impl ApkData {
+ pub fn root_hash_eq(&self, root_hash: &[u8]) -> bool {
+ self.root_hash.as_ref() == root_hash
+ }
+}
+
pub type RootHash = [u8];
#[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index 8732be1..c78b20f 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -424,13 +424,12 @@
.as_ref()
.ok_or_else(|| MicrodroidError::InvalidConfig("No task in VM config".to_string()))?;
- if config.extra_apks.len() != verified_data.extra_apks_data.len() {
- return Err(anyhow!(
- "config expects {} extra apks, but found {}",
- config.extra_apks.len(),
- verified_data.extra_apks_data.len()
- ));
- }
+ ensure!(
+ config.extra_apks.len() == verified_data.extra_apks_data.len(),
+ "config expects {} extra apks, but found {}",
+ config.extra_apks.len(),
+ verified_data.extra_apks_data.len()
+ );
mount_extra_apks(&config, &mut zipfuse)?;
// Wait until apex config is done. (e.g. linker configuration for apexes)
@@ -567,9 +566,9 @@
let start_time = SystemTime::now();
// Verify main APK
- let root_hash = saved_data.map(|d| &d.apk_data.root_hash);
let root_hash_from_idsig = get_apk_root_hash_from_idsig(MAIN_APK_IDSIG_PATH)?;
- let root_hash_trustful = root_hash == Some(&root_hash_from_idsig);
+ let root_hash_trustful =
+ saved_data.map(|d| d.apk_data.root_hash_eq(root_hash_from_idsig.as_ref())).unwrap_or(false);
// If root_hash can be trusted, pass it to apkdmverity so that it uses the passed root_hash
// instead of the value read from the idsig file.
@@ -597,42 +596,36 @@
sorted(glob(EXTRA_APK_PATH_PATTERN)?.collect::<Result<Vec<_>, _>>()?).collect::<Vec<_>>();
let extra_idsigs =
sorted(glob(EXTRA_IDSIG_PATH_PATTERN)?.collect::<Result<Vec<_>, _>>()?).collect::<Vec<_>>();
- if extra_apks.len() != extra_idsigs.len() {
- return Err(anyhow!(
- "Extra apks/idsigs mismatch: {} apks but {} idsigs",
- extra_apks.len(),
- extra_idsigs.len()
- ));
- }
- let extra_apks_count = extra_apks.len();
+ ensure!(
+ extra_apks.len() == extra_idsigs.len(),
+ "Extra apks/idsigs mismatch: {} apks but {} idsigs",
+ extra_apks.len(),
+ extra_idsigs.len()
+ );
- let (extra_apk_names, extra_root_hashes_from_idsig): (Vec<_>, Vec<_>) = extra_idsigs
+ let extra_root_hashes_from_idsig: Vec<_> = extra_idsigs
.iter()
- .enumerate()
- .map(|(i, extra_idsig)| {
- (
- format!("extra-apk-{}", i),
- get_apk_root_hash_from_idsig(extra_idsig)
- .expect("Can't find root hash from extra idsig"),
- )
- })
- .unzip();
-
- let saved_extra_root_hashes: Vec<_> = saved_data
- .map(|d| d.extra_apks_data.iter().map(|apk_data| &apk_data.root_hash).collect())
- .unwrap_or_else(Vec::new);
- let extra_root_hashes_trustful: Vec<_> = extra_root_hashes_from_idsig
- .iter()
- .enumerate()
- .map(|(i, root_hash_from_idsig)| {
- saved_extra_root_hashes.get(i).copied() == Some(root_hash_from_idsig)
+ .map(|idsig| {
+ get_apk_root_hash_from_idsig(idsig).expect("Can't find root hash from extra idsig")
})
.collect();
- for i in 0..extra_apks_count {
+ let extra_root_hashes_trustful: Vec<_> = if let Some(data) = saved_data {
+ extra_root_hashes_from_idsig
+ .iter()
+ .enumerate()
+ .map(|(i, root_hash)| data.extra_apk_root_hash_eq(i, root_hash))
+ .collect()
+ } else {
+ vec![false; extra_root_hashes_from_idsig.len()]
+ };
+ let extra_apk_names: Vec<_> =
+ (0..extra_apks.len()).map(|i| format!("extra-apk-{}", i)).collect();
+
+ for (i, extra_apk) in extra_apks.iter().enumerate() {
apkdmverity_arguments.push({
ApkDmverityArgument {
- apk: extra_apks[i].to_str().unwrap(),
+ apk: extra_apk.to_str().unwrap(),
idsig: extra_idsigs[i].to_str().unwrap(),
name: &extra_apk_names[i],
saved_root_hash: if extra_root_hashes_trustful[i] {
diff --git a/pvmfw/Android.bp b/pvmfw/Android.bp
index 0d845f9..0571c36 100644
--- a/pvmfw/Android.bp
+++ b/pvmfw/Android.bp
@@ -17,12 +17,14 @@
"libbuddy_system_allocator",
"libdiced_open_dice_nostd",
"libfdtpci",
+ "libhyp",
"liblibfdt",
"liblog_rust_nostd",
"libonce_cell_nostd",
"libpvmfw_avb_nostd",
"libpvmfw_embedded_key",
"libpvmfw_fdt_template",
+ "libsmccc",
"libstatic_assertions",
"libtinyvec_nostd",
"libuuid_nostd",
@@ -32,6 +34,27 @@
],
}
+// Generates an empty file.
+genrule {
+ name: "empty_file",
+ out: ["empty_file"],
+ cmd: "touch $(out)",
+}
+
+rust_test {
+ name: "libpvmfw.bootargs.test",
+ host_supported: true,
+ // For now, only bootargs.rs is written to be conditionally compiled with std.
+ srcs: ["src/bootargs.rs"],
+ test_suites: ["general-tests"],
+ test_options: {
+ unit_test: true,
+ },
+ rustlibs: [
+ "libzeroize",
+ ],
+}
+
cc_binary {
name: "pvmfw",
defaults: ["vmbase_elf_defaults"],
@@ -81,7 +104,7 @@
src: ":pvmfw_bin",
},
},
- src: "empty_file",
+ src: ":empty_file",
installable: false,
}
diff --git a/pvmfw/TEST_MAPPING b/pvmfw/TEST_MAPPING
index 5e58ebb..e4a80dc 100644
--- a/pvmfw/TEST_MAPPING
+++ b/pvmfw/TEST_MAPPING
@@ -2,6 +2,9 @@
"avf-presubmit" : [
{
"name" : "libpvmfw_avb.integration_test"
+ },
+ {
+ "name" : "libpvmfw.bootargs.test"
}
]
}
\ No newline at end of file
diff --git a/pvmfw/empty_file b/pvmfw/empty_file
deleted file mode 100644
index e69de29..0000000
--- a/pvmfw/empty_file
+++ /dev/null
diff --git a/pvmfw/src/bootargs.rs b/pvmfw/src/bootargs.rs
new file mode 100644
index 0000000..f9c8278
--- /dev/null
+++ b/pvmfw/src/bootargs.rs
@@ -0,0 +1,211 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Routines for parsing bootargs
+
+#[cfg(not(test))]
+use alloc::format;
+#[cfg(not(test))]
+use alloc::string::String;
+use core::ffi::CStr;
+
+/// A single boot argument ex: "panic", "init=", or "foo=1,2,3".
+pub struct BootArg<'a> {
+ arg: &'a str,
+ equal_sign: Option<usize>,
+}
+
+impl AsRef<str> for BootArg<'_> {
+ fn as_ref(&self) -> &str {
+ self.arg
+ }
+}
+
+impl BootArg<'_> {
+ /// Name of the boot argument
+ pub fn name(&self) -> &str {
+ if let Some(n) = self.equal_sign {
+ &self.arg[..n]
+ } else {
+ self.arg
+ }
+ }
+
+ /// Optional value of the boot aragument. This includes the '=' prefix.
+ pub fn value(&self) -> Option<&str> {
+ Some(&self.arg[self.equal_sign?..])
+ }
+}
+
+/// Iterator that iteratos over bootargs
+pub struct BootArgsIterator<'a> {
+ arg: &'a str,
+}
+
+impl<'a> BootArgsIterator<'a> {
+ /// Creates a new iterator from the raw boot args. The input has to be encoded in ASCII
+ pub fn new(bootargs: &'a CStr) -> Result<Self, String> {
+ let arg = bootargs.to_str().map_err(|e| format!("{e}"))?;
+ if !arg.is_ascii() {
+ return Err(format!("{arg:?} is not ASCII"));
+ }
+
+ Ok(Self { arg })
+ }
+
+ // Finds the end of a value in the given string `s`, and returns the index of the end. A value
+ // can have spaces if quoted. The quote character can't be escaped.
+ fn find_value_end(s: &str) -> usize {
+ let mut in_quote = false;
+ for (i, c) in s.char_indices() {
+ if c == '"' {
+ in_quote = !in_quote;
+ } else if c.is_whitespace() && !in_quote {
+ return i;
+ }
+ }
+ s.len()
+ }
+}
+
+impl<'a> Iterator for BootArgsIterator<'a> {
+ type Item = BootArg<'a>;
+
+ fn next(&mut self) -> Option<Self::Item> {
+ // Skip spaces to find the start of a name. If there's nothing left, that's the end of the
+ // iterator.
+ let arg = self.arg.trim_start();
+ self.arg = arg; // advance before returning
+ if arg.is_empty() {
+ return None;
+ }
+ // Name ends with either whitespace or =. If it ends with =, the value comes immediately
+ // after.
+ let name_end = arg.find(|c: char| c.is_whitespace() || c == '=').unwrap_or(arg.len());
+ let (arg, equal_sign) = match arg.chars().nth(name_end) {
+ Some(c) if c == '=' => {
+ let value_end = name_end + Self::find_value_end(&arg[name_end..]);
+ (&arg[..value_end], Some(name_end))
+ }
+ _ => (&arg[..name_end], None),
+ };
+ self.arg = &self.arg[arg.len()..]; // advance before returning
+ Some(BootArg { arg, equal_sign })
+ }
+}
+
+#[cfg(test)]
+#[allow(dead_code)]
+mod helpers;
+
+#[cfg(test)]
+mod tests {
+
+ use super::*;
+ use crate::cstr;
+
+ fn check(raw: &CStr, expected: Result<&[(&str, Option<&str>)], ()>) {
+ let actual = BootArgsIterator::new(raw);
+ assert_eq!(actual.is_err(), expected.is_err(), "Unexpected result with {raw:?}");
+ if actual.is_err() {
+ return;
+ }
+ let mut actual = actual.unwrap();
+
+ for (name, value) in expected.unwrap() {
+ let actual = actual.next();
+ assert!(actual.is_some(), "Expected ({}, {:?}) from {raw:?}", name, value);
+ let actual = actual.unwrap();
+ assert_eq!(name, &actual.name(), "Unexpected name from {raw:?}");
+ assert_eq!(value, &actual.value(), "Unexpected value from {raw:?}");
+ }
+ let remaining = actual.next();
+ assert!(
+ remaining.is_none(),
+ "Unexpected extra item from {raw:?}. Got ({}, {:?})",
+ remaining.as_ref().unwrap().name(),
+ remaining.as_ref().unwrap().value()
+ );
+ }
+
+ #[test]
+ fn empty() {
+ check(cstr!(""), Ok(&[]));
+ check(cstr!(" "), Ok(&[]));
+ check(cstr!(" \n "), Ok(&[]));
+ }
+
+ #[test]
+ fn single() {
+ check(cstr!("foo"), Ok(&[("foo", None)]));
+ check(cstr!(" foo"), Ok(&[("foo", None)]));
+ check(cstr!("foo "), Ok(&[("foo", None)]));
+ check(cstr!(" foo "), Ok(&[("foo", None)]));
+ }
+
+ #[test]
+ fn single_with_value() {
+ check(cstr!("foo=bar"), Ok(&[("foo", Some("=bar"))]));
+ check(cstr!(" foo=bar"), Ok(&[("foo", Some("=bar"))]));
+ check(cstr!("foo=bar "), Ok(&[("foo", Some("=bar"))]));
+ check(cstr!(" foo=bar "), Ok(&[("foo", Some("=bar"))]));
+
+ check(cstr!("foo="), Ok(&[("foo", Some("="))]));
+ check(cstr!(" foo="), Ok(&[("foo", Some("="))]));
+ check(cstr!("foo= "), Ok(&[("foo", Some("="))]));
+ check(cstr!(" foo= "), Ok(&[("foo", Some("="))]));
+ }
+
+ #[test]
+ fn single_with_quote() {
+ check(cstr!("foo=hello\" \"world"), Ok(&[("foo", Some("=hello\" \"world"))]));
+ }
+
+ #[test]
+ fn invalid_encoding() {
+ check(CStr::from_bytes_with_nul(&[255, 255, 255, 0]).unwrap(), Err(()));
+ }
+
+ #[test]
+ fn multiple() {
+ check(
+ cstr!(" a=b c=d e= f g "),
+ Ok(&[("a", Some("=b")), ("c", Some("=d")), ("e", Some("=")), ("f", None), ("g", None)]),
+ );
+ check(
+ cstr!(" a=b \n c=d e= f g"),
+ Ok(&[("a", Some("=b")), ("c", Some("=d")), ("e", Some("=")), ("f", None), ("g", None)]),
+ );
+ }
+
+ #[test]
+ fn incomplete_quote() {
+ check(
+ cstr!("foo=incomplete\" quote bar=y"),
+ Ok(&[("foo", Some("=incomplete\" quote bar=y"))]),
+ );
+ }
+
+ #[test]
+ fn complex() {
+ check(cstr!(" a a1= b=c d=e,f,g x=\"value with quote\" y=val\"ue with \"multiple\" quo\"te "), Ok(&[
+ ("a", None),
+ ("a1", Some("=")),
+ ("b", Some("=c")),
+ ("d", Some("=e,f,g")),
+ ("x", Some("=\"value with quote\"")),
+ ("y", Some("=val\"ue with \"multiple\" quo\"te")),
+ ]));
+ }
+}
diff --git a/pvmfw/src/debug_policy.rs b/pvmfw/src/debug_policy.rs
deleted file mode 100644
index bbf7e04..0000000
--- a/pvmfw/src/debug_policy.rs
+++ /dev/null
@@ -1,78 +0,0 @@
-// Copyright 2023, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Support for the debug policy overlay in pvmfw
-
-use core::fmt;
-use libfdt::FdtError;
-
-#[derive(Debug, Clone)]
-pub enum DebugPolicyError {
- /// The provided baseline FDT was invalid or malformed, so cannot access certain node/prop
- Fdt(&'static str, FdtError),
- /// The provided debug policy FDT was invalid or malformed.
- DebugPolicyFdt(&'static str, FdtError),
- /// The overlaid result FDT is invalid or malformed, and may be corrupted.
- OverlaidFdt(&'static str, FdtError),
-}
-
-impl fmt::Display for DebugPolicyError {
- fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
- match self {
- Self::Fdt(s, e) => write!(f, "Invalid baseline FDT. {s}: {e}"),
- Self::DebugPolicyFdt(s, e) => write!(f, "Invalid overlay FDT. {s}: {e}"),
- Self::OverlaidFdt(s, e) => write!(f, "Invalid overlaid FDT. {s}: {e}"),
- }
- }
-}
-
-/// Applies the debug policy device tree overlay to the pVM DT.
-///
-/// # Safety
-///
-/// When an error is returned by this function, the input `Fdt` should be
-/// discarded as it may have have been partially corrupted during the overlay
-/// application process.
-unsafe fn apply_debug_policy(
- fdt: &mut libfdt::Fdt,
- debug_policy: &mut [u8],
-) -> Result<(), DebugPolicyError> {
- let overlay = libfdt::Fdt::from_mut_slice(debug_policy)
- .map_err(|e| DebugPolicyError::DebugPolicyFdt("Failed to load debug policy overlay", e))?;
-
- fdt.unpack().map_err(|e| DebugPolicyError::Fdt("Failed to unpack", e))?;
-
- let fdt = fdt
- .apply_overlay(overlay)
- .map_err(|e| DebugPolicyError::DebugPolicyFdt("Failed to apply overlay", e))?;
-
- fdt.pack().map_err(|e| DebugPolicyError::OverlaidFdt("Failed to re-pack", e))
-}
-
-/// Handles debug policies.
-///
-/// # Safety
-///
-/// This may corrupt the input `Fdt` when overlaying debug policy or applying
-/// ramdump configuration.
-pub unsafe fn handle_debug_policy(
- fdt: &mut libfdt::Fdt,
- debug_policy: Option<&mut [u8]>,
-) -> Result<(), DebugPolicyError> {
- if let Some(dp) = debug_policy {
- apply_debug_policy(fdt, dp)?;
- }
-
- Ok(())
-}
diff --git a/pvmfw/src/entry.rs b/pvmfw/src/entry.rs
index ffbc4a8..1309d73 100644
--- a/pvmfw/src/entry.rs
+++ b/pvmfw/src/entry.rs
@@ -16,17 +16,16 @@
use crate::config;
use crate::crypto;
-use crate::debug_policy::{handle_debug_policy, DebugPolicyError};
use crate::fdt;
use crate::heap;
use crate::helpers;
use crate::memory::MemoryTracker;
-use crate::mmio_guard;
use crate::mmu;
use crate::rand;
use core::arch::asm;
use core::num::NonZeroUsize;
use core::slice;
+use hyp::get_hypervisor;
use log::debug;
use log::error;
use log::info;
@@ -54,16 +53,6 @@
SecretDerivationError,
}
-impl From<DebugPolicyError> for RebootReason {
- fn from(error: DebugPolicyError) -> Self {
- match error {
- DebugPolicyError::Fdt(_, _) => RebootReason::InvalidFdt,
- DebugPolicyError::DebugPolicyFdt(_, _) => RebootReason::InvalidConfig,
- DebugPolicyError::OverlaidFdt(_, _) => RebootReason::InternalError,
- }
- }
-}
-
main!(start);
/// Entry point for pVM firmware.
@@ -183,12 +172,12 @@
// Use debug!() to avoid printing to the UART if we failed to configure it as only local
// builds that have tweaked the logger::init() call will actually attempt to log the message.
- mmio_guard::init().map_err(|e| {
+ get_hypervisor().mmio_guard_init().map_err(|e| {
debug!("{e}");
RebootReason::InternalError
})?;
- mmio_guard::map(console::BASE_ADDRESS).map_err(|e| {
+ get_hypervisor().mmio_guard_map(console::BASE_ADDRESS).map_err(|e| {
debug!("Failed to configure the UART: {e}");
RebootReason::InternalError
})?;
@@ -237,25 +226,17 @@
})?;
// This wrapper allows main() to be blissfully ignorant of platform details.
- crate::main(slices.fdt, slices.kernel, slices.ramdisk, bcc_slice, &mut memory)?;
+ crate::main(slices.fdt, slices.kernel, slices.ramdisk, bcc_slice, debug_policy, &mut memory)?;
helpers::flushed_zeroize(bcc_slice);
helpers::flush(slices.fdt.as_slice());
- // SAFETY - As we `?` the result, there is no risk of using a bad `slices.fdt`.
- unsafe {
- handle_debug_policy(slices.fdt, debug_policy).map_err(|e| {
- error!("Unexpected error when handling debug policy: {e:?}");
- RebootReason::from(e)
- })?;
- }
-
info!("Expecting a bug making MMIO_GUARD_UNMAP return NOT_SUPPORTED on success");
memory.mmio_unmap_all().map_err(|e| {
error!("Failed to unshare MMIO ranges: {e}");
RebootReason::InternalError
})?;
- mmio_guard::unmap(console::BASE_ADDRESS).map_err(|e| {
+ get_hypervisor().mmio_guard_unmap(console::BASE_ADDRESS).map_err(|e| {
error!("Failed to unshare the UART: {e}");
RebootReason::InternalError
})?;
diff --git a/pvmfw/src/fdt.rs b/pvmfw/src/fdt.rs
index 7d88455..c68fc6d 100644
--- a/pvmfw/src/fdt.rs
+++ b/pvmfw/src/fdt.rs
@@ -14,14 +14,17 @@
//! High-level FDT functions.
+use crate::bootargs::BootArgsIterator;
use crate::cstr;
use crate::helpers::flatten;
use crate::helpers::GUEST_PAGE_SIZE;
use crate::helpers::SIZE_4KB;
use crate::memory::BASE_ADDR;
use crate::memory::MAX_ADDR;
+use crate::Box;
use crate::RebootReason;
use alloc::ffi::CString;
+use alloc::vec::Vec;
use core::cmp::max;
use core::cmp::min;
use core::ffi::CStr;
@@ -36,6 +39,7 @@
use libfdt::FdtNode;
use log::debug;
use log::error;
+use log::info;
use tinyvec::ArrayVec;
/// Extract from /config the address range containing the pre-loaded kernel. Absence of /config is
@@ -95,7 +99,9 @@
fn patch_bootargs(fdt: &mut Fdt, bootargs: &CStr) -> libfdt::Result<()> {
let mut node = fdt.chosen_mut()?.ok_or(FdtError::NotFound)?;
- // TODO(b/275306568) filter out dangerous options
+ // This function is called before the verification is done. So, we just copy the bootargs to
+ // the new FDT unmodified. This will be filtered again in the modify_for_next_stage function
+ // if the VM is not debuggable.
node.setprop(cstr!("bootargs"), bootargs.to_bytes_with_nul())
}
@@ -672,6 +678,8 @@
bcc: &[u8],
new_instance: bool,
strict_boot: bool,
+ debug_policy: Option<&mut [u8]>,
+ debuggable: bool,
) -> libfdt::Result<()> {
fdt.unpack()?;
@@ -680,6 +688,19 @@
set_or_clear_chosen_flag(fdt, cstr!("avf,strict-boot"), strict_boot)?;
set_or_clear_chosen_flag(fdt, cstr!("avf,new-instance"), new_instance)?;
+ if let Some(debug_policy) = debug_policy {
+ apply_debug_policy(fdt, debug_policy)?;
+ info!("Debug policy applied.");
+ } else {
+ info!("No debug policy found.");
+ }
+
+ if debuggable {
+ if let Some(bootargs) = read_bootargs_from(fdt)? {
+ filter_out_dangerous_bootargs(fdt, &bootargs)?;
+ }
+ }
+
fdt.pack()?;
Ok(())
@@ -712,3 +733,71 @@
Ok(())
}
+
+fn apply_debug_policy(fdt: &mut Fdt, debug_policy: &mut [u8]) -> libfdt::Result<()> {
+ let backup_fdt = Vec::from(fdt.as_slice());
+
+ let overlay = match Fdt::from_mut_slice(debug_policy) {
+ Ok(overlay) => overlay,
+ Err(e) => {
+ info!("Corrupted debug policy found: {e}. Not applying.");
+ return Ok(());
+ }
+ };
+ let backup_overlay = Vec::from(overlay.as_slice());
+
+ // SAFETY - on failure, the corrupted fdts are discarded and are restored using the backups.
+ if let Err(e) = unsafe { fdt.apply_overlay(overlay) } {
+ error!("Failed to apply debug policy: {e}. Recovering...");
+ fdt.copy_from_slice(backup_fdt.as_slice())?;
+ overlay.copy_from_slice(backup_overlay.as_slice())?;
+ // A successful restoration is considered success because an invalid debug policy
+ // shouldn't DOS the pvmfw
+ }
+ Ok(())
+}
+
+fn read_common_debug_policy(fdt: &Fdt, debug_feature_name: &CStr) -> libfdt::Result<bool> {
+ if let Some(node) = fdt.node(cstr!("/avf/guest/common"))? {
+ if let Some(value) = node.getprop_u32(debug_feature_name)? {
+ return Ok(value == 1);
+ }
+ }
+ Ok(false) // if the policy doesn't exist or not 1, don't enable the debug feature
+}
+
+fn filter_out_dangerous_bootargs(fdt: &mut Fdt, bootargs: &CStr) -> libfdt::Result<()> {
+ let has_crashkernel = read_common_debug_policy(fdt, cstr!("ramdump"))?;
+ let has_console = read_common_debug_policy(fdt, cstr!("log"))?;
+
+ let accepted: &[(&str, Box<dyn Fn(Option<&str>) -> bool>)] = &[
+ ("panic", Box::new(|v| if let Some(v) = v { v == "=-1" } else { false })),
+ ("crashkernel", Box::new(|_| has_crashkernel)),
+ ("console", Box::new(|_| has_console)),
+ ];
+
+ // parse and filter out unwanted
+ let mut filtered = Vec::new();
+ for arg in BootArgsIterator::new(bootargs).map_err(|e| {
+ info!("Invalid bootarg: {e}");
+ FdtError::BadValue
+ })? {
+ match accepted.iter().find(|&t| t.0 == arg.name()) {
+ Some((_, pred)) if pred(arg.value()) => filtered.push(arg),
+ _ => debug!("Rejected bootarg {}", arg.as_ref()),
+ }
+ }
+
+ // flatten into a new C-string
+ let mut new_bootargs = Vec::new();
+ for (i, arg) in filtered.iter().enumerate() {
+ if i != 0 {
+ new_bootargs.push(b' '); // separator
+ }
+ new_bootargs.extend_from_slice(arg.as_ref().as_bytes());
+ }
+ new_bootargs.push(b'\0');
+
+ let mut node = fdt.chosen_mut()?.ok_or(FdtError::NotFound)?;
+ node.setprop(cstr!("bootargs"), new_bootargs.as_slice())
+}
diff --git a/pvmfw/src/helpers.rs b/pvmfw/src/helpers.rs
index 6310826..9c739d1 100644
--- a/pvmfw/src/helpers.rs
+++ b/pvmfw/src/helpers.rs
@@ -40,18 +40,19 @@
}
/// Write a value to a system register.
+///
+/// # Safety
+///
+/// Callers must ensure that side effects of updating the system register are properly handled.
#[macro_export]
macro_rules! write_sysreg {
($sysreg:literal, $val:expr) => {{
let value: usize = $val;
- // Safe because it writes a system register and does not affect Rust.
- unsafe {
- core::arch::asm!(
- concat!("msr ", $sysreg, ", {}"),
- in(reg) value,
- options(nomem, nostack, preserves_flags),
- )
- }
+ core::arch::asm!(
+ concat!("msr ", $sysreg, ", {}"),
+ in(reg) value,
+ options(nomem, nostack, preserves_flags),
+ )
}};
}
diff --git a/pvmfw/src/hvc.rs b/pvmfw/src/hvc.rs
index 08edd86..6c5017f 100644
--- a/pvmfw/src/hvc.rs
+++ b/pvmfw/src/hvc.rs
@@ -16,9 +16,7 @@
pub mod trng;
-use crate::smccc::{self, checked_hvc64, checked_hvc64_expect_zero};
-use log::info;
-
+// TODO(b/272226230): Move all the trng functions to trng module
const ARM_SMCCC_TRNG_VERSION: u32 = 0x8400_0050;
#[allow(dead_code)]
const ARM_SMCCC_TRNG_FEATURES: u32 = 0x8400_0051;
@@ -27,83 +25,6 @@
#[allow(dead_code)]
const ARM_SMCCC_TRNG_RND32: u32 = 0x8400_0053;
const ARM_SMCCC_TRNG_RND64: u32 = 0xc400_0053;
-const ARM_SMCCC_KVM_FUNC_HYP_MEMINFO: u32 = 0xc6000002;
-const ARM_SMCCC_KVM_FUNC_MEM_SHARE: u32 = 0xc6000003;
-const ARM_SMCCC_KVM_FUNC_MEM_UNSHARE: u32 = 0xc6000004;
-const VENDOR_HYP_KVM_MMIO_GUARD_INFO_FUNC_ID: u32 = 0xc6000005;
-const VENDOR_HYP_KVM_MMIO_GUARD_ENROLL_FUNC_ID: u32 = 0xc6000006;
-const VENDOR_HYP_KVM_MMIO_GUARD_MAP_FUNC_ID: u32 = 0xc6000007;
-const VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID: u32 = 0xc6000008;
-
-/// Queries the memory protection parameters for a protected virtual machine.
-///
-/// Returns the memory protection granule size in bytes.
-pub fn kvm_hyp_meminfo() -> smccc::Result<u64> {
- let args = [0u64; 17];
- checked_hvc64(ARM_SMCCC_KVM_FUNC_HYP_MEMINFO, args)
-}
-
-/// Shares a region of memory with the KVM host, granting it read, write and execute permissions.
-/// The size of the region is equal to the memory protection granule returned by [`hyp_meminfo`].
-pub fn kvm_mem_share(base_ipa: u64) -> smccc::Result<()> {
- let mut args = [0u64; 17];
- args[0] = base_ipa;
-
- checked_hvc64_expect_zero(ARM_SMCCC_KVM_FUNC_MEM_SHARE, args)
-}
-
-/// Revokes access permission from the KVM host to a memory region previously shared with
-/// [`mem_share`]. The size of the region is equal to the memory protection granule returned by
-/// [`hyp_meminfo`].
-pub fn kvm_mem_unshare(base_ipa: u64) -> smccc::Result<()> {
- let mut args = [0u64; 17];
- args[0] = base_ipa;
-
- checked_hvc64_expect_zero(ARM_SMCCC_KVM_FUNC_MEM_UNSHARE, args)
-}
-
-pub fn kvm_mmio_guard_info() -> smccc::Result<u64> {
- let args = [0u64; 17];
-
- checked_hvc64(VENDOR_HYP_KVM_MMIO_GUARD_INFO_FUNC_ID, args)
-}
-
-pub fn kvm_mmio_guard_enroll() -> smccc::Result<()> {
- let args = [0u64; 17];
-
- checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_ENROLL_FUNC_ID, args)
-}
-
-pub fn kvm_mmio_guard_map(ipa: u64) -> smccc::Result<()> {
- let mut args = [0u64; 17];
- args[0] = ipa;
-
- // TODO(b/253586500): pKVM currently returns a i32 instead of a i64.
- let is_i32_error_code = |n| u32::try_from(n).ok().filter(|v| (*v as i32) < 0).is_some();
- match checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_MAP_FUNC_ID, args) {
- Err(smccc::Error::Unexpected(e)) if is_i32_error_code(e) => {
- info!("Handled a pKVM bug by interpreting the MMIO_GUARD_MAP return value as i32");
- match e as u32 as i32 {
- -1 => Err(smccc::Error::NotSupported),
- -2 => Err(smccc::Error::NotRequired),
- -3 => Err(smccc::Error::InvalidParameter),
- ret => Err(smccc::Error::Unknown(ret as i64)),
- }
- }
- res => res,
- }
-}
-
-pub fn kvm_mmio_guard_unmap(ipa: u64) -> smccc::Result<()> {
- let mut args = [0u64; 17];
- args[0] = ipa;
-
- // TODO(b/251426790): pKVM currently returns NOT_SUPPORTED for SUCCESS.
- match checked_hvc64_expect_zero(VENDOR_HYP_KVM_MMIO_GUARD_UNMAP_FUNC_ID, args) {
- Err(smccc::Error::NotSupported) | Ok(_) => Ok(()),
- x => x,
- }
-}
/// Returns the (major, minor) version tuple, as defined by the SMCCC TRNG.
pub fn trng_version() -> trng::Result<(u16, u16)> {
diff --git a/pvmfw/src/hvc/trng.rs b/pvmfw/src/hvc/trng.rs
index d347693..05ecc6b 100644
--- a/pvmfw/src/hvc/trng.rs
+++ b/pvmfw/src/hvc/trng.rs
@@ -12,7 +12,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use crate::smccc;
use core::fmt;
use core::result;
diff --git a/pvmfw/src/hypervisor.rs b/pvmfw/src/hypervisor.rs
deleted file mode 100644
index e06d809..0000000
--- a/pvmfw/src/hypervisor.rs
+++ /dev/null
@@ -1,46 +0,0 @@
-// Copyright 2023, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Wrappers around hypervisor back-ends.
-
-use crate::hvc;
-use crate::smccc;
-
-pub fn hyp_meminfo() -> smccc::Result<u64> {
- hvc::kvm_hyp_meminfo()
-}
-
-pub fn mem_share(base_ipa: u64) -> smccc::Result<()> {
- hvc::kvm_mem_share(base_ipa)
-}
-
-pub fn mem_unshare(base_ipa: u64) -> smccc::Result<()> {
- hvc::kvm_mem_unshare(base_ipa)
-}
-
-pub fn mmio_guard_info() -> smccc::Result<u64> {
- hvc::kvm_mmio_guard_info()
-}
-
-pub fn mmio_guard_enroll() -> smccc::Result<()> {
- hvc::kvm_mmio_guard_enroll()
-}
-
-pub fn mmio_guard_map(ipa: u64) -> smccc::Result<()> {
- hvc::kvm_mmio_guard_map(ipa)
-}
-
-pub fn mmio_guard_unmap(ipa: u64) -> smccc::Result<()> {
- hvc::kvm_mmio_guard_unmap(ipa)
-}
diff --git a/pvmfw/src/main.rs b/pvmfw/src/main.rs
index 00ff61f..a773f1a 100644
--- a/pvmfw/src/main.rs
+++ b/pvmfw/src/main.rs
@@ -19,9 +19,9 @@
extern crate alloc;
+mod bootargs;
mod config;
mod crypto;
-mod debug_policy;
mod dice;
mod entry;
mod exceptions;
@@ -30,13 +30,10 @@
mod heap;
mod helpers;
mod hvc;
-mod hypervisor;
mod instance;
mod memory;
-mod mmio_guard;
mod mmu;
mod rand;
-mod smccc;
mod virtio;
use alloc::boxed::Box;
@@ -56,6 +53,7 @@
use libfdt::Fdt;
use log::{debug, error, info, trace};
use pvmfw_avb::verify_payload;
+use pvmfw_avb::DebugLevel;
use pvmfw_embedded_key::PUBLIC_KEY;
const NEXT_BCC_SIZE: usize = GUEST_PAGE_SIZE;
@@ -65,6 +63,7 @@
signed_kernel: &[u8],
ramdisk: Option<&[u8]>,
current_bcc_handover: &[u8],
+ debug_policy: Option<&mut [u8]>,
memory: &mut MemoryTracker,
) -> Result<(), RebootReason> {
info!("pVM firmware");
@@ -122,10 +121,12 @@
flush(next_bcc);
let strict_boot = true;
- modify_for_next_stage(fdt, next_bcc, new_instance, strict_boot).map_err(|e| {
- error!("Failed to configure device tree: {e}");
- RebootReason::InternalError
- })?;
+ let debuggable = verified_boot_data.debug_level != DebugLevel::None;
+ modify_for_next_stage(fdt, next_bcc, new_instance, strict_boot, debug_policy, debuggable)
+ .map_err(|e| {
+ error!("Failed to configure device tree: {e}");
+ RebootReason::InternalError
+ })?;
info!("Starting payload...");
Ok(())
diff --git a/pvmfw/src/memory.rs b/pvmfw/src/memory.rs
index b223f82..2d5eb5c 100644
--- a/pvmfw/src/memory.rs
+++ b/pvmfw/src/memory.rs
@@ -17,10 +17,7 @@
#![deny(unsafe_op_in_unsafe_fn)]
use crate::helpers::{self, align_down, align_up, page_4kb_of, SIZE_4KB};
-use crate::hypervisor::{hyp_meminfo, mem_share, mem_unshare};
-use crate::mmio_guard;
use crate::mmu;
-use crate::smccc;
use alloc::alloc::alloc_zeroed;
use alloc::alloc::dealloc;
use alloc::alloc::handle_alloc_error;
@@ -32,6 +29,7 @@
use core::ops::Range;
use core::ptr::NonNull;
use core::result;
+use hyp::get_hypervisor;
use log::error;
use tinyvec::ArrayVec;
@@ -104,8 +102,8 @@
Overlaps,
/// Region couldn't be mapped.
FailedToMap,
- /// Error from an MMIO guard call.
- MmioGuard(mmio_guard::Error),
+ /// Error from the interaction with the hypervisor.
+ Hypervisor(hyp::Error),
}
impl fmt::Display for MemoryTrackerError {
@@ -118,14 +116,14 @@
Self::OutOfRange => write!(f, "Region is out of the tracked memory address space"),
Self::Overlaps => write!(f, "New region overlaps with tracked regions"),
Self::FailedToMap => write!(f, "Failed to map the new region"),
- Self::MmioGuard(e) => e.fmt(f),
+ Self::Hypervisor(e) => e.fmt(f),
}
}
}
-impl From<mmio_guard::Error> for MemoryTrackerError {
- fn from(e: mmio_guard::Error) -> Self {
- Self::MmioGuard(e)
+impl From<hyp::Error> for MemoryTrackerError {
+ fn from(e: hyp::Error) -> Self {
+ Self::Hypervisor(e)
}
}
@@ -215,7 +213,7 @@
})?;
for page_base in page_iterator(&range) {
- mmio_guard::map(page_base)?;
+ get_hypervisor().mmio_guard_map(page_base)?;
}
if self.mmio_regions.try_push(range).is_some() {
@@ -255,7 +253,7 @@
pub fn mmio_unmap_all(&self) -> Result<()> {
for region in &self.mmio_regions {
for page_base in page_iterator(region) {
- mmio_guard::unmap(page_base)?;
+ get_hypervisor().mmio_guard_unmap(page_base)?;
}
}
@@ -280,12 +278,12 @@
/// Gives the KVM host read, write and execute permissions on the given memory range. If the range
/// is not aligned with the memory protection granule then it will be extended on either end to
/// align.
-fn share_range(range: &MemoryRange, granule: usize) -> smccc::Result<()> {
+fn share_range(range: &MemoryRange, granule: usize) -> hyp::Result<()> {
for base in (align_down(range.start, granule)
.expect("Memory protection granule was not a power of two")..range.end)
.step_by(granule)
{
- mem_share(base as u64)?;
+ get_hypervisor().mem_share(base as u64)?;
}
Ok(())
}
@@ -293,12 +291,12 @@
/// Removes permission from the KVM host to access the given memory range which was previously
/// shared. If the range is not aligned with the memory protection granule then it will be extended
/// on either end to align.
-fn unshare_range(range: &MemoryRange, granule: usize) -> smccc::Result<()> {
+fn unshare_range(range: &MemoryRange, granule: usize) -> hyp::Result<()> {
for base in (align_down(range.start, granule)
.expect("Memory protection granule was not a power of two")..range.end)
.step_by(granule)
{
- mem_unshare(base as u64)?;
+ get_hypervisor().mem_unshare(base as u64)?;
}
Ok(())
}
@@ -307,7 +305,7 @@
/// with the host. Returns a pointer to the buffer.
///
/// It will be aligned to the memory sharing granule size supported by the hypervisor.
-pub fn alloc_shared(size: usize) -> smccc::Result<NonNull<u8>> {
+pub fn alloc_shared(size: usize) -> hyp::Result<NonNull<u8>> {
let layout = shared_buffer_layout(size)?;
let granule = layout.align();
@@ -335,7 +333,7 @@
///
/// The memory must have been allocated by `alloc_shared` with the same size, and not yet
/// deallocated.
-pub unsafe fn dealloc_shared(vaddr: NonNull<u8>, size: usize) -> smccc::Result<()> {
+pub unsafe fn dealloc_shared(vaddr: NonNull<u8>, size: usize) -> hyp::Result<()> {
let layout = shared_buffer_layout(size)?;
let granule = layout.align();
@@ -354,9 +352,9 @@
/// It will be aligned to the memory sharing granule size supported by the hypervisor.
///
/// Panics if `size` is 0.
-fn shared_buffer_layout(size: usize) -> smccc::Result<Layout> {
+fn shared_buffer_layout(size: usize) -> hyp::Result<Layout> {
assert_ne!(size, 0);
- let granule = hyp_meminfo()? as usize;
+ let granule = get_hypervisor().memory_protection_granule()?;
let allocated_size =
align_up(size, granule).expect("Memory protection granule was not a power of two");
Ok(Layout::from_size_align(allocated_size, granule).unwrap())
diff --git a/pvmfw/src/mmio_guard.rs b/pvmfw/src/mmio_guard.rs
deleted file mode 100644
index dac26e0..0000000
--- a/pvmfw/src/mmio_guard.rs
+++ /dev/null
@@ -1,65 +0,0 @@
-// Copyright 2022, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Safe MMIO_GUARD support.
-
-use crate::helpers;
-use crate::hypervisor::{mmio_guard_enroll, mmio_guard_info, mmio_guard_map, mmio_guard_unmap};
-use crate::smccc;
-use core::{fmt, result};
-
-#[derive(Debug, Clone)]
-pub enum Error {
- /// Failed the necessary MMIO_GUARD_ENROLL call.
- EnrollFailed(smccc::Error),
- /// Failed to obtain the MMIO_GUARD granule size.
- InfoFailed(smccc::Error),
- /// Failed to MMIO_GUARD_MAP a page.
- MapFailed(smccc::Error),
- /// Failed to MMIO_GUARD_UNMAP a page.
- UnmapFailed(smccc::Error),
- /// The MMIO_GUARD granule used by the hypervisor is not supported.
- UnsupportedGranule(usize),
-}
-
-type Result<T> = result::Result<T, Error>;
-
-impl fmt::Display for Error {
- fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
- match self {
- Self::EnrollFailed(e) => write!(f, "Failed to enroll into MMIO_GUARD: {e}"),
- Self::InfoFailed(e) => write!(f, "Failed to get the MMIO_GUARD granule: {e}"),
- Self::MapFailed(e) => write!(f, "Failed to MMIO_GUARD map: {e}"),
- Self::UnmapFailed(e) => write!(f, "Failed to MMIO_GUARD unmap: {e}"),
- Self::UnsupportedGranule(g) => write!(f, "Unsupported MMIO_GUARD granule: {g}"),
- }
- }
-}
-
-pub fn init() -> Result<()> {
- mmio_guard_enroll().map_err(Error::EnrollFailed)?;
- let mmio_granule = mmio_guard_info().map_err(Error::InfoFailed)? as usize;
- if mmio_granule != helpers::SIZE_4KB {
- return Err(Error::UnsupportedGranule(mmio_granule));
- }
- Ok(())
-}
-
-pub fn map(addr: usize) -> Result<()> {
- mmio_guard_map(helpers::page_4kb_of(addr) as u64).map_err(Error::MapFailed)
-}
-
-pub fn unmap(addr: usize) -> Result<()> {
- mmio_guard_unmap(helpers::page_4kb_of(addr) as u64).map_err(Error::UnmapFailed)
-}
diff --git a/rialto/Android.bp b/rialto/Android.bp
index c2a19f3..cf81563 100644
--- a/rialto/Android.bp
+++ b/rialto/Android.bp
@@ -11,6 +11,7 @@
rustlibs: [
"libaarch64_paging",
"libbuddy_system_allocator",
+ "libhyp",
"liblog_rust_nostd",
"libvmbase",
],
@@ -36,7 +37,7 @@
}
raw_binary {
- name: "rialto",
+ name: "rialto_unsigned",
src: ":rialto_elf",
enabled: false,
target: {
@@ -46,6 +47,42 @@
},
}
+// python -c "import hashlib; print(hashlib.sha256(b'rialto_salt').hexdigest())"
+rialto_salt = "ea9d8c3ae1785396884d0c16c7652921874e2b8703f336ff23760f2049ee9e29"
+
+filegroup {
+ name: "rialto_sign_key",
+ srcs: [":avb_testkey_rsa4096"],
+}
+
+avb_add_hash_footer {
+ name: "rialto_signed",
+ src: ":empty_file",
+ filename: "rialto",
+ partition_name: "boot",
+ private_key: ":rialto_sign_key",
+ salt: rialto_salt,
+ enabled: false,
+ arch: {
+ arm64: {
+ src: ":rialto_unsigned",
+ enabled: true,
+ },
+ },
+}
+
+prebuilt_etc {
+ name: "rialto_bin",
+ filename: "rialto.bin",
+ target: {
+ android_arm64: {
+ src: ":rialto_signed",
+ },
+ },
+ src: ":empty_file",
+ installable: false,
+}
+
rust_test {
name: "rialto_test",
crate_name: "rialto_test",
@@ -62,7 +99,8 @@
"libvmclient",
],
data: [
- ":rialto",
+ ":rialto_bin",
+ ":rialto_unsigned",
],
test_suites: ["general-tests"],
enabled: false,
diff --git a/rialto/src/error.rs b/rialto/src/error.rs
new file mode 100644
index 0000000..754e554
--- /dev/null
+++ b/rialto/src/error.rs
@@ -0,0 +1,55 @@
+// Copyright 2022, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module contains the error thrown by Rialto.
+
+use aarch64_paging::MapError;
+use core::{fmt, result};
+use hyp::Error as HypervisorError;
+
+pub type Result<T> = result::Result<T, Error>;
+
+#[derive(Clone, Debug)]
+pub enum Error {
+ /// Hypervisor error.
+ Hypervisor(HypervisorError),
+ /// Failed when attempting to map some range in the page table.
+ PageTableMapping(MapError),
+ /// Failed to initialize the logger.
+ LoggerInit,
+}
+
+impl fmt::Display for Error {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ match self {
+ Self::Hypervisor(e) => write!(f, "MMIO guard failed: {e}."),
+ Self::PageTableMapping(e) => {
+ write!(f, "Failed when attempting to map some range in the page table: {e}.")
+ }
+ Self::LoggerInit => write!(f, "Failed to initialize the logger."),
+ }
+ }
+}
+
+impl From<HypervisorError> for Error {
+ fn from(e: HypervisorError) -> Self {
+ Self::Hypervisor(e)
+ }
+}
+
+impl From<MapError> for Error {
+ fn from(e: MapError) -> Self {
+ Self::PageTableMapping(e)
+ }
+}
diff --git a/rialto/src/main.rs b/rialto/src/main.rs
index 59ee0b6..99e07b6 100644
--- a/rialto/src/main.rs
+++ b/rialto/src/main.rs
@@ -17,18 +17,20 @@
#![no_main]
#![no_std]
+mod error;
mod exceptions;
extern crate alloc;
+use crate::error::{Error, Result};
use aarch64_paging::{
idmap::IdMap,
paging::{Attributes, MemoryRegion},
- MapError,
};
use buddy_system_allocator::LockedHeap;
-use log::{debug, info};
-use vmbase::main;
+use hyp::get_hypervisor;
+use log::{debug, error, info};
+use vmbase::{main, power::reboot};
const SZ_1K: usize = 1024;
const SZ_64K: usize = 64 * SZ_1K;
@@ -81,7 +83,7 @@
info!("Initialized heap.");
}
-fn init_kernel_pgt(pgt: &mut IdMap) -> Result<(), MapError> {
+fn init_kernel_pgt(pgt: &mut IdMap) -> Result<()> {
// The first 1 GiB of address space is used by crosvm for MMIO.
let reg_dev = MemoryRegion::new(0, SZ_1G);
// SAFETY: Taking addresses of kernel image sections to set up page table
@@ -106,15 +108,39 @@
Ok(())
}
-/// Entry point for Rialto.
-pub fn main(_a0: u64, _a1: u64, _a2: u64, _a3: u64) {
- vmbase::logger::init(log::LevelFilter::Debug).unwrap();
+fn try_init_logger() -> Result<()> {
+ match get_hypervisor().mmio_guard_init() {
+ // pKVM blocks MMIO by default, we need to enable MMIO guard to support logging.
+ Ok(()) => get_hypervisor().mmio_guard_map(vmbase::console::BASE_ADDRESS)?,
+ // MMIO guard enroll is not supported in unprotected VM.
+ Err(hyp::Error::MmioGuardNotsupported) => {}
+ Err(e) => return Err(e.into()),
+ };
+ vmbase::logger::init(log::LevelFilter::Debug).map_err(|_| Error::LoggerInit)
+}
+fn try_main() -> Result<()> {
info!("Welcome to Rialto!");
init_heap();
let mut pgt = IdMap::new(PT_ASID, PT_ROOT_LEVEL);
- init_kernel_pgt(&mut pgt).unwrap();
+ init_kernel_pgt(&mut pgt)?;
+ Ok(())
+}
+
+/// Entry point for Rialto.
+pub fn main(_a0: u64, _a1: u64, _a2: u64, _a3: u64) {
+ if try_init_logger().is_err() {
+ // Don't log anything if the logger initialization fails.
+ reboot();
+ }
+ match try_main() {
+ Ok(()) => info!("Rialto ends successfully."),
+ Err(e) => {
+ error!("Rialto failed with {e}");
+ reboot()
+ }
+ }
}
extern "C" {
diff --git a/rialto/tests/test.rs b/rialto/tests/test.rs
index be5f118..7048b44 100644
--- a/rialto/tests/test.rs
+++ b/rialto/tests/test.rs
@@ -16,7 +16,8 @@
use android_system_virtualizationservice::{
aidl::android::system::virtualizationservice::{
- CpuTopology::CpuTopology, VirtualMachineConfig::VirtualMachineConfig,
+ CpuTopology::CpuTopology, DiskImage::DiskImage, Partition::Partition,
+ PartitionType::PartitionType, VirtualMachineConfig::VirtualMachineConfig,
VirtualMachineRawConfig::VirtualMachineRawConfig,
},
binder::{ParcelFileDescriptor, ProcessState},
@@ -31,11 +32,28 @@
use std::time::Duration;
use vmclient::{DeathReason, VmInstance};
-const RIALTO_PATH: &str = "/data/local/tmp/rialto_test/arm64/rialto.bin";
+const SIGNED_RIALTO_PATH: &str = "/data/local/tmp/rialto_test/arm64/rialto.bin";
+const UNSIGNED_RIALTO_PATH: &str = "/data/local/tmp/rialto_test/arm64/rialto_unsigned.bin";
+const INSTANCE_IMG_PATH: &str = "/data/local/tmp/rialto_test/arm64/instance.img";
+const INSTANCE_IMG_SIZE: i64 = 1024 * 1024; // 1MB
-/// Runs the Rialto VM as a non-protected VM via VirtualizationService.
#[test]
-fn test_boots() -> Result<(), Error> {
+fn boot_rialto_in_protected_vm_successfully() -> Result<(), Error> {
+ boot_rialto_successfully(
+ SIGNED_RIALTO_PATH,
+ true, // protected_vm
+ )
+}
+
+#[test]
+fn boot_rialto_in_unprotected_vm_successfully() -> Result<(), Error> {
+ boot_rialto_successfully(
+ UNSIGNED_RIALTO_PATH,
+ false, // protected_vm
+ )
+}
+
+fn boot_rialto_successfully(rialto_path: &str, protected_vm: bool) -> Result<(), Error> {
android_logger::init_once(
android_logger::Config::default().with_tag("rialto").with_min_level(log::Level::Debug),
);
@@ -52,18 +70,44 @@
vmclient::VirtualizationService::new().context("Failed to spawn VirtualizationService")?;
let service = virtmgr.connect().context("Failed to connect to VirtualizationService")?;
- let rialto = File::open(RIALTO_PATH).context("Failed to open Rialto kernel binary")?;
+ let rialto = File::open(rialto_path).context("Failed to open Rialto kernel binary")?;
let console = android_log_fd()?;
let log = android_log_fd()?;
+ let disks = if protected_vm {
+ let instance_img = File::options()
+ .create(true)
+ .read(true)
+ .write(true)
+ .truncate(true)
+ .open(INSTANCE_IMG_PATH)?;
+ let instance_img = ParcelFileDescriptor::new(instance_img);
+
+ service
+ .initializeWritablePartition(
+ &instance_img,
+ INSTANCE_IMG_SIZE,
+ PartitionType::ANDROID_VM_INSTANCE,
+ )
+ .context("Failed to initialize instange.img")?;
+ let writable_partitions = vec![Partition {
+ label: "vm-instance".to_owned(),
+ image: Some(instance_img),
+ writable: true,
+ }];
+ vec![DiskImage { image: None, partitions: writable_partitions, writable: true }]
+ } else {
+ vec![]
+ };
+
let config = VirtualMachineConfig::RawConfig(VirtualMachineRawConfig {
name: String::from("RialtoTest"),
kernel: None,
initrd: None,
params: None,
bootloader: Some(ParcelFileDescriptor::new(rialto)),
- disks: vec![],
- protectedVm: false,
+ disks,
+ protectedVm: protected_vm,
memoryMib: 300,
cpuTopology: CpuTopology::ONE_CPU,
platformVersion: "~1.0".to_string(),
diff --git a/tests/benchmark/Android.bp b/tests/benchmark/Android.bp
index dac4993..9c512bf 100644
--- a/tests/benchmark/Android.bp
+++ b/tests/benchmark/Android.bp
@@ -26,6 +26,7 @@
sdk_version: "test_current",
use_embedded_native_libs: true,
compile_multilib: "64",
+ host_required: ["MicrodroidTestPreparer"],
}
cc_library_shared {
diff --git a/tests/hostside/Android.bp b/tests/hostside/Android.bp
index 248755f..873cc38 100644
--- a/tests/hostside/Android.bp
+++ b/tests/hostside/Android.bp
@@ -38,6 +38,7 @@
"compatibility-host-util",
"cts-statsd-atom-host-test-utils",
"microdroid_payload_metadata",
+ "MicrodroidTestPreparer", // Workaround for sandboxed test environment to install this
],
per_testcase_directory: true,
data: [
@@ -75,4 +76,5 @@
"libsparse",
"libz",
],
+ required: ["MicrodroidTestPreparer"],
}
diff --git a/tests/hostside/java/com/android/microdroid/test/PvmfwDebugPolicyHostTests.java b/tests/hostside/java/com/android/microdroid/test/DebugPolicyHostTests.java
similarity index 81%
rename from tests/hostside/java/com/android/microdroid/test/PvmfwDebugPolicyHostTests.java
rename to tests/hostside/java/com/android/microdroid/test/DebugPolicyHostTests.java
index 0f6d095..014f9f0 100644
--- a/tests/hostside/java/com/android/microdroid/test/PvmfwDebugPolicyHostTests.java
+++ b/tests/hostside/java/com/android/microdroid/test/DebugPolicyHostTests.java
@@ -48,11 +48,10 @@
import java.io.File;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
-import java.io.FileNotFoundException;
-/** Tests debug policy of pvmfw.bin with custom debug policy */
+/** Tests debug policy */
@RunWith(DeviceJUnit4ClassRunner.class)
-public class PvmfwDebugPolicyHostTests extends MicrodroidHostTestCaseBase {
+public class DebugPolicyHostTests extends MicrodroidHostTestCaseBase {
@NonNull private static final String PVMFW_FILE_NAME = "pvmfw_test.bin";
@NonNull private static final String BCC_FILE_NAME = "bcc.dat";
@NonNull private static final String PACKAGE_FILE_NAME = "MicrodroidTestApp.apk";
@@ -70,6 +69,16 @@
@NonNull private static final String CUSTOM_PVMFW_IMG_PATH = TEST_ROOT + PVMFW_FILE_NAME;
@NonNull private static final String CUSTOM_PVMFW_IMG_PATH_PROP = "hypervisor.pvmfw.path";
+ @NonNull private static final String CUSTOM_DEBUG_POLICY_FILE_NAME = "debug_policy.dtb";
+
+ @NonNull
+ private static final String CUSTOM_DEBUG_POLICY_PATH =
+ TEST_ROOT + CUSTOM_DEBUG_POLICY_FILE_NAME;
+
+ @NonNull
+ private static final String CUSTOM_DEBUG_POLICY_PATH_PROP =
+ "hypervisor.virtualizationmanager.debug_policy.path";
+
@NonNull
private static final String AVF_DEBUG_POLICY_ADB_DT_PROP_PATH = "/avf/guest/microdroid/adb";
@@ -93,6 +102,7 @@
@Nullable private TestDevice mAndroidDevice;
@Nullable private ITestDevice mMicrodroidDevice;
@Nullable private File mCustomPvmfwBinFileOnHost;
+ @Nullable private File mCustomDebugPolicyFileOnHost;
@Before
public void setUp() throws Exception {
@@ -114,12 +124,14 @@
mBccFileOnHost =
getTestInformation().getDependencyFile(BCC_FILE_NAME, /* targetFirst= */ false);
- // Prepare for loading pvmfw.bin
- // File will be setup in individual test,
- // and then pushed to device in launchProtectedVmAndWaitForBootCompleted.
+ // Prepare for system properties for custom debug policy.
+ // File will be prepared later in individual test by setupCustomDebugPolicy()
+ // and then pushed to device when launching with launchProtectedVmAndWaitForBootCompleted()
+ // or tryLaunchProtectedNonDebuggableVm().
mCustomPvmfwBinFileOnHost =
FileUtil.createTempFile(CUSTOM_PVMFW_FILE_PREFIX, CUSTOM_PVMFW_FILE_SUFFIX);
mAndroidDevice.setProperty(CUSTOM_PVMFW_IMG_PATH_PROP, CUSTOM_PVMFW_IMG_PATH);
+ mAndroidDevice.setProperty(CUSTOM_DEBUG_POLICY_PATH_PROP, CUSTOM_DEBUG_POLICY_PATH);
// Prepare for launching microdroid
mAndroidDevice.installPackage(findTestFile(PACKAGE_FILE_NAME), /* reinstall */ false);
@@ -138,7 +150,8 @@
}
mAndroidDevice.uninstallPackage(PACKAGE_NAME);
- // Cleanup for custom pvmfw.bin
+ // Cleanup for custom debug policies
+ mAndroidDevice.setProperty(CUSTOM_DEBUG_POLICY_PATH_PROP, "");
mAndroidDevice.setProperty(CUSTOM_PVMFW_IMG_PATH_PROP, "");
FileUtil.deleteFile(mCustomPvmfwBinFileOnHost);
@@ -148,21 +161,15 @@
}
@Test
- public void testAdb_boots() throws Exception {
- assumeTrue(
- "Skip if host wouldn't install adbd",
- isDebugPolicyEnabled(AVF_DEBUG_POLICY_ADB_DT_PROP_PATH));
-
- Pvmfw pvmfw = createPvmfw("avf_debug_policy_with_adb.dtbo");
- pvmfw.serialize(mCustomPvmfwBinFileOnHost);
+ public void testAdbInDebugPolicy_withDebugLevelNone_bootWithAdbConnection() throws Exception {
+ prepareCustomDebugPolicy("avf_debug_policy_with_adb.dtbo");
launchProtectedVmAndWaitForBootCompleted(MICRODROID_DEBUG_NONE);
}
@Test
- public void testNoAdb_boots() throws Exception {
- Pvmfw pvmfw = createPvmfw("avf_debug_policy_without_adb.dtbo");
- pvmfw.serialize(mCustomPvmfwBinFileOnHost);
+ public void testNoAdbInDebugPolicy_withDebugLevelNone_boots() throws Exception {
+ prepareCustomDebugPolicy("avf_debug_policy_without_adb.dtbo");
// VM would boot, but cannot verify directly because of no adbd in the VM.
CommandResult result = tryLaunchProtectedNonDebuggableVm();
@@ -173,9 +180,8 @@
}
@Test
- public void testNoAdb_noConnection() throws Exception {
- Pvmfw pvmfw = createPvmfw("avf_debug_policy_without_adb.dtbo");
- pvmfw.serialize(mCustomPvmfwBinFileOnHost);
+ public void testNoAdbInDebugPolicy_withDebugLevelNone_noConnection() throws Exception {
+ prepareCustomDebugPolicy("avf_debug_policy_without_adb.dtbo");
assertThrows(
"Microdroid shouldn't be recognized because of missing adb connection",
@@ -185,6 +191,13 @@
MICRODROID_DEBUG_NONE, BOOT_FAILURE_WAIT_TIME_MS));
}
+ @Test
+ public void testNoAdbInDebugPolicy_withDebugLevelFull_bootWithAdbConnection() throws Exception {
+ prepareCustomDebugPolicy("avf_debug_policy_without_adb.dtbo");
+
+ launchProtectedVmAndWaitForBootCompleted(MICRODROID_DEBUG_FULL);
+ }
+
private boolean isDebugPolicyEnabled(@NonNull String dtPropertyPath)
throws DeviceNotAvailableException {
CommandRunner runner = new CommandRunner(mAndroidDevice);
@@ -208,14 +221,16 @@
return new CommandRunner(mMicrodroidDevice).run("xxd", "-p", path);
}
- @NonNull
- private Pvmfw createPvmfw(@NonNull String debugPolicyFileName) throws FileNotFoundException {
- File file =
+ private void prepareCustomDebugPolicy(@NonNull String debugPolicyFileName) throws Exception {
+ mCustomDebugPolicyFileOnHost =
getTestInformation()
.getDependencyFile(debugPolicyFileName, /* targetFirst= */ false);
- return new Pvmfw.Builder(mPvmfwBinFileOnHost, mBccFileOnHost)
- .setDebugPolicyOverlay(file)
- .build();
+
+ Pvmfw pvmfw =
+ new Pvmfw.Builder(mPvmfwBinFileOnHost, mBccFileOnHost)
+ .setDebugPolicyOverlay(mCustomDebugPolicyFileOnHost)
+ .build();
+ pvmfw.serialize(mCustomPvmfwBinFileOnHost);
}
private boolean hasConsoleOutput(@NonNull CommandResult result)
@@ -242,6 +257,7 @@
.debugLevel(debugLevel)
.protectedVm(/* protectedVm= */ true)
.addBootFile(mCustomPvmfwBinFileOnHost, PVMFW_FILE_NAME)
+ .addBootFile(mCustomDebugPolicyFileOnHost, CUSTOM_DEBUG_POLICY_FILE_NAME)
.setAdbConnectTimeoutMs(adbTimeoutMs)
.build(mAndroidDevice);
assertThat(mMicrodroidDevice.waitForBootComplete(BOOT_COMPLETE_TIMEOUT_MS)).isTrue();
@@ -256,7 +272,8 @@
// but non-debuggable VM may not enable adb.
CommandRunner runner = new CommandRunner(mAndroidDevice);
runner.run("mkdir", "-p", TEST_ROOT);
- mAndroidDevice.pushFile(mCustomPvmfwBinFileOnHost, TEST_ROOT + PVMFW_FILE_NAME);
+ mAndroidDevice.pushFile(mCustomPvmfwBinFileOnHost, CUSTOM_PVMFW_IMG_PATH);
+ mAndroidDevice.pushFile(mCustomDebugPolicyFileOnHost, CUSTOM_DEBUG_POLICY_PATH);
// This will fail because app wouldn't finish itself.
// But let's run the app once and get logs.
diff --git a/virtualizationmanager/Android.bp b/virtualizationmanager/Android.bp
index c913d02..59e507f 100644
--- a/virtualizationmanager/Android.bp
+++ b/virtualizationmanager/Android.bp
@@ -56,6 +56,7 @@
"libvmconfig",
"libzip",
"libvsock",
+ "liblibfdt",
// TODO(b/202115393) stabilize the interface
"packagemanager_aidl-rust",
],
@@ -78,5 +79,9 @@
rustlibs: [
"libtempfile",
],
+ data: [
+ ":test_avf_debug_policy_with_adb",
+ ":test_avf_debug_policy_without_adb",
+ ],
test_suites: ["general-tests"],
}
diff --git a/virtualizationmanager/src/atom.rs b/virtualizationmanager/src/atom.rs
index 02d46ec..d6eb141 100644
--- a/virtualizationmanager/src/atom.rs
+++ b/virtualizationmanager/src/atom.rs
@@ -93,6 +93,7 @@
}
/// Write the stats of VMCreation to statsd
+/// The function creates a separate thread which waits for statsd to start to push atom
pub fn write_vm_creation_stats(
config: &VirtualMachineConfig,
is_protected: bool,
@@ -158,7 +159,7 @@
}
/// Write the stats of VM boot to statsd
-/// The function creates a separate thread which waits fro statsd to start to push atom
+/// The function creates a separate thread which waits for statsd to start to push atom
pub fn write_vm_booted_stats(
uid: i32,
vm_identifier: &str,
@@ -182,8 +183,7 @@
}
/// Write the stats of VM exit to statsd
-/// The function creates a separate thread which waits fro statsd to start to push atom
-pub fn write_vm_exited_stats(
+pub fn write_vm_exited_stats_sync(
uid: i32,
vm_identifier: &str,
reason: DeathReason,
@@ -207,9 +207,7 @@
};
info!("Writing VmExited atom into statsd.");
- thread::spawn(move || {
- GLOBAL_SERVICE.atomVmExited(&atom).unwrap_or_else(|e| {
- warn!("Failed to write VmExited atom: {e}");
- });
+ GLOBAL_SERVICE.atomVmExited(&atom).unwrap_or_else(|e| {
+ warn!("Failed to write VmExited atom: {e}");
});
}
diff --git a/virtualizationmanager/src/crosvm.rs b/virtualizationmanager/src/crosvm.rs
index a8cad94..856ff1e 100644
--- a/virtualizationmanager/src/crosvm.rs
+++ b/virtualizationmanager/src/crosvm.rs
@@ -15,7 +15,7 @@
//! Functions for running instances of `crosvm`.
use crate::aidl::{remove_temporary_files, Cid, VirtualMachineCallbacks};
-use crate::atom::{get_num_cpus, write_vm_exited_stats};
+use crate::atom::{get_num_cpus, write_vm_exited_stats_sync};
use crate::debug_config::DebugConfig;
use anyhow::{anyhow, bail, Context, Error, Result};
use command_fds::CommandFdExt;
@@ -381,7 +381,7 @@
self.callbacks.callback_on_died(self.cid, death_reason);
let vm_metric = self.vm_metric.lock().unwrap();
- write_vm_exited_stats(
+ write_vm_exited_stats_sync(
self.requester_uid as i32,
&self.name,
death_reason,
@@ -639,10 +639,6 @@
"PVM_FIRMWARE_INSTANCE_IMAGE_CHANGED" => {
return DeathReason::PVM_FIRMWARE_INSTANCE_IMAGE_CHANGED
}
- "BOOTLOADER_PUBLIC_KEY_MISMATCH" => return DeathReason::BOOTLOADER_PUBLIC_KEY_MISMATCH,
- "BOOTLOADER_INSTANCE_IMAGE_CHANGED" => {
- return DeathReason::BOOTLOADER_INSTANCE_IMAGE_CHANGED
- }
"MICRODROID_FAILED_TO_CONNECT_TO_VIRTUALIZATION_SERVICE" => {
return DeathReason::MICRODROID_FAILED_TO_CONNECT_TO_VIRTUALIZATION_SERVICE
}
diff --git a/virtualizationmanager/src/debug_config.rs b/virtualizationmanager/src/debug_config.rs
index e8863c7..7172e7d 100644
--- a/virtualizationmanager/src/debug_config.rs
+++ b/virtualizationmanager/src/debug_config.rs
@@ -17,16 +17,134 @@
use android_system_virtualizationservice::aidl::android::system::virtualizationservice::{
VirtualMachineAppConfig::DebugLevel::DebugLevel,
};
-use std::fs::File;
-use std::io::Read;
-use log::info;
+use anyhow::{anyhow, Context, Error, Result};
+use std::fs;
+use std::io::ErrorKind;
+use std::path::{Path, PathBuf};
+use std::ffi::{CString, NulError};
+use log::{warn, info};
use rustutils::system_properties;
+use libfdt::{Fdt, FdtError};
+use lazy_static::lazy_static;
-const DEBUG_POLICY_LOG_PATH: &str = "/proc/device-tree/avf/guest/common/log";
-const DEBUG_POLICY_RAMDUMP_PATH: &str = "/proc/device-tree/avf/guest/common/ramdump";
-const DEBUG_POLICY_ADB_PATH: &str = "/proc/device-tree/avf/guest/microdroid/adb";
+const CUSTOM_DEBUG_POLICY_OVERLAY_SYSPROP: &str =
+ "hypervisor.virtualizationmanager.debug_policy.path";
+const DEVICE_TREE_EMPTY_TREE_SIZE_BYTES: usize = 100; // rough estimation.
-const SYSPROP_CUSTOM_DEBUG_POLICY_PATH: &str = "hypervisor.virtualizationmanager.debug_policy.path";
+struct DPPath {
+ node_path: CString,
+ prop_name: CString,
+}
+
+impl DPPath {
+ fn new(node_path: &str, prop_name: &str) -> Result<Self, NulError> {
+ Ok(Self { node_path: CString::new(node_path)?, prop_name: CString::new(prop_name)? })
+ }
+
+ fn to_path(&self) -> PathBuf {
+ // SAFETY -- unwrap() is safe for to_str() because node_path and prop_name were &str.
+ PathBuf::from(
+ [
+ "/sys/firmware/devicetree/base",
+ self.node_path.to_str().unwrap(),
+ "/",
+ self.prop_name.to_str().unwrap(),
+ ]
+ .concat(),
+ )
+ }
+}
+
+lazy_static! {
+ static ref DP_LOG_PATH: DPPath = DPPath::new("/avf/guest/common", "log").unwrap();
+ static ref DP_RAMDUMP_PATH: DPPath = DPPath::new("/avf/guest/common", "ramdump").unwrap();
+ static ref DP_ADB_PATH: DPPath = DPPath::new("/avf/guest/microdroid", "adb").unwrap();
+}
+
+/// Get debug policy value in bool. It's true iff the value is explicitly set to <1>.
+fn get_debug_policy_bool(path: &Path) -> Result<bool> {
+ let value = match fs::read(path) {
+ Ok(value) => value,
+ Err(error) if error.kind() == ErrorKind::NotFound => return Ok(false),
+ Err(error) => Err(error).with_context(|| format!("Failed to read {path:?}"))?,
+ };
+
+ // DT spec uses big endian although Android is always little endian.
+ match u32::from_be_bytes(value.try_into().map_err(|_| anyhow!("Malformed value in {path:?}"))?)
+ {
+ 0 => Ok(false),
+ 1 => Ok(true),
+ value => Err(anyhow!("Invalid value {value} in {path:?}")),
+ }
+}
+
+/// Get property value in bool. It's true iff the value is explicitly set to <1>.
+/// It takes path as &str instead of &Path, because we don't want OsStr.
+fn get_fdt_prop_bool(fdt: &Fdt, path: &DPPath) -> Result<bool> {
+ let (node_path, prop_name) = (&path.node_path, &path.prop_name);
+ let node = match fdt.node(node_path) {
+ Ok(Some(node)) => node,
+ Err(error) if error != FdtError::NotFound => Err(error)
+ .map_err(Error::msg)
+ .with_context(|| format!("Failed to get node {node_path:?}"))?,
+ _ => return Ok(false),
+ };
+
+ match node.getprop_u32(prop_name) {
+ Ok(Some(0)) => Ok(false),
+ Ok(Some(1)) => Ok(true),
+ Ok(Some(_)) => Err(anyhow!("Invalid prop value {prop_name:?} in node {node_path:?}")),
+ Err(error) if error != FdtError::NotFound => Err(error)
+ .map_err(Error::msg)
+ .with_context(|| format!("Failed to get prop {prop_name:?}")),
+ _ => Ok(false),
+ }
+}
+
+/// Fdt with owned vector.
+struct OwnedFdt {
+ buffer: Vec<u8>,
+}
+
+impl OwnedFdt {
+ fn from_overlay_onto_new_fdt(overlay_file_path: &Path) -> Result<Self> {
+ let mut overlay_buf = match fs::read(overlay_file_path) {
+ Ok(fdt) => fdt,
+ Err(error) if error.kind() == ErrorKind::NotFound => Default::default(),
+ Err(error) => {
+ Err(error).with_context(|| format!("Failed to read {overlay_file_path:?}"))?
+ }
+ };
+
+ let overlay_buf_size = overlay_buf.len();
+
+ let fdt_estimated_size = overlay_buf_size + DEVICE_TREE_EMPTY_TREE_SIZE_BYTES;
+ let mut fdt_buf = vec![0_u8; fdt_estimated_size];
+ let fdt = Fdt::create_empty_tree(fdt_buf.as_mut_slice())
+ .map_err(Error::msg)
+ .context("Failed to create an empty device tree")?;
+
+ if !overlay_buf.is_empty() {
+ let overlay_fdt = Fdt::from_mut_slice(overlay_buf.as_mut_slice())
+ .map_err(Error::msg)
+ .with_context(|| "Malformed {overlay_file_path:?}")?;
+
+ // SAFETY - Return immediately if error happens. Damaged fdt_buf and fdt are discarded.
+ unsafe {
+ fdt.apply_overlay(overlay_fdt).map_err(Error::msg).with_context(|| {
+ "Failed to overlay {overlay_file_path:?} onto empty device tree"
+ })?;
+ }
+ }
+
+ Ok(Self { buffer: fdt_buf })
+ }
+
+ fn as_fdt(&self) -> &Fdt {
+ // SAFETY - Checked validity of buffer when instantiate.
+ unsafe { Fdt::unchecked_from_slice(&self.buffer) }
+ }
+}
/// Debug configurations for both debug level and debug policy
#[derive(Debug)]
@@ -37,43 +155,36 @@
debug_policy_adb: bool,
}
-/// Get debug policy value in bool. It's true iff the value is explicitly set to <1>.
-fn get_debug_policy_bool(path: &'static str) -> Option<bool> {
- let mut file = File::open(path).ok()?;
- let mut log: [u8; 4] = Default::default();
- file.read_exact(&mut log).ok()?;
- // DT spec uses big endian although Android is always little endian.
- Some(u32::from_be_bytes(log) == 1)
-}
-
impl DebugConfig {
pub fn new(debug_level: DebugLevel) -> Self {
- match system_properties::read(SYSPROP_CUSTOM_DEBUG_POLICY_PATH).unwrap_or_default() {
- Some(debug_policy_path) if !debug_policy_path.is_empty() => {
- // TODO: Read debug policy file and override log, adb, ramdump for testing.
- info!("Debug policy is disabled by sysprop");
- Self {
- debug_level,
- debug_policy_log: false,
- debug_policy_ramdump: false,
- debug_policy_adb: false,
- }
+ match system_properties::read(CUSTOM_DEBUG_POLICY_OVERLAY_SYSPROP).unwrap_or_default() {
+ Some(path) if !path.is_empty() => {
+ match Self::from_custom_debug_overlay_policy(debug_level, Path::new(&path)) {
+ Ok(debug_config) => {
+ info!("Loaded custom debug policy overlay {path}: {debug_config:?}");
+ return debug_config;
+ }
+ Err(err) => warn!("Failed to load custom debug policy overlay {path}: {err:?}"),
+ };
}
_ => {
- let debug_config = Self {
- debug_level,
- debug_policy_log: get_debug_policy_bool(DEBUG_POLICY_LOG_PATH)
- .unwrap_or_default(),
- debug_policy_ramdump: get_debug_policy_bool(DEBUG_POLICY_RAMDUMP_PATH)
- .unwrap_or_default(),
- debug_policy_adb: get_debug_policy_bool(DEBUG_POLICY_ADB_PATH)
- .unwrap_or_default(),
+ match Self::from_host(debug_level) {
+ Ok(debug_config) => {
+ info!("Loaded debug policy from host OS: {debug_config:?}");
+ return debug_config;
+ }
+ Err(err) => warn!("Failed to load debug policy from host OS: {err:?}"),
};
- info!("Loaded debug policy from host OS: {:?}", debug_config);
-
- debug_config
}
}
+
+ info!("Debug policy is disabled");
+ Self {
+ debug_level,
+ debug_policy_log: false,
+ debug_policy_ramdump: false,
+ debug_policy_adb: false,
+ }
}
/// Get whether console output should be configred for VM to leave console and adb log.
@@ -91,4 +202,123 @@
pub fn is_ramdump_needed(&self) -> bool {
self.debug_level != DebugLevel::NONE || self.debug_policy_ramdump
}
+
+ // TODO: Remove this code path in user build for removing libfdt depenency.
+ fn from_custom_debug_overlay_policy(debug_level: DebugLevel, path: &Path) -> Result<Self> {
+ match OwnedFdt::from_overlay_onto_new_fdt(path) {
+ Ok(fdt) => Ok(Self {
+ debug_level,
+ debug_policy_log: get_fdt_prop_bool(fdt.as_fdt(), &DP_LOG_PATH)?,
+ debug_policy_ramdump: get_fdt_prop_bool(fdt.as_fdt(), &DP_RAMDUMP_PATH)?,
+ debug_policy_adb: get_fdt_prop_bool(fdt.as_fdt(), &DP_ADB_PATH)?,
+ }),
+ Err(err) => Err(err),
+ }
+ }
+
+ fn from_host(debug_level: DebugLevel) -> Result<Self> {
+ Ok(Self {
+ debug_level,
+ debug_policy_log: get_debug_policy_bool(&DP_LOG_PATH.to_path())?,
+ debug_policy_ramdump: get_debug_policy_bool(&DP_RAMDUMP_PATH.to_path())?,
+ debug_policy_adb: get_debug_policy_bool(&DP_ADB_PATH.to_path())?,
+ })
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+ use anyhow::ensure;
+
+ fn can_set_sysprop() -> bool {
+ if let Ok(Some(value)) = system_properties::read("ro.build.type") {
+ return "user".eq(&value);
+ }
+ false // if we're in doubt, skip test.
+ }
+
+ #[test]
+ fn test_read_avf_debug_policy_with_adb() -> Result<()> {
+ let debug_config = DebugConfig::from_custom_debug_overlay_policy(
+ DebugLevel::FULL,
+ "avf_debug_policy_with_adb.dtbo".as_ref(),
+ )
+ .unwrap();
+
+ assert_eq!(DebugLevel::FULL, debug_config.debug_level);
+ assert!(!debug_config.debug_policy_log);
+ assert!(!debug_config.debug_policy_ramdump);
+ assert!(debug_config.debug_policy_adb);
+
+ Ok(())
+ }
+
+ #[test]
+ fn test_read_avf_debug_policy_without_adb() -> Result<()> {
+ let debug_config = DebugConfig::from_custom_debug_overlay_policy(
+ DebugLevel::FULL,
+ "avf_debug_policy_without_adb.dtbo".as_ref(),
+ )
+ .unwrap();
+
+ assert_eq!(DebugLevel::FULL, debug_config.debug_level);
+ assert!(!debug_config.debug_policy_log);
+ assert!(!debug_config.debug_policy_ramdump);
+ assert!(!debug_config.debug_policy_adb);
+
+ Ok(())
+ }
+
+ #[test]
+ fn test_invalid_sysprop_disables_debug_policy() -> Result<()> {
+ let debug_config = DebugConfig::from_custom_debug_overlay_policy(
+ DebugLevel::NONE,
+ "/a/does/not/exist/path.dtbo".as_ref(),
+ )
+ .unwrap();
+
+ assert_eq!(DebugLevel::NONE, debug_config.debug_level);
+ assert!(!debug_config.debug_policy_log);
+ assert!(!debug_config.debug_policy_ramdump);
+ assert!(!debug_config.debug_policy_adb);
+
+ Ok(())
+ }
+
+ fn test_new_with_custom_policy_internal() -> Result<()> {
+ let debug_config = DebugConfig::new(DebugLevel::NONE);
+
+ ensure!(debug_config.debug_level == DebugLevel::NONE);
+ ensure!(!debug_config.debug_policy_log);
+ ensure!(!debug_config.debug_policy_ramdump);
+ ensure!(debug_config.debug_policy_adb);
+
+ Ok(())
+ }
+
+ #[test]
+ fn test_new_with_custom_policy() -> Result<()> {
+ if !can_set_sysprop() {
+ // Skip test if we can't override sysprop.
+ return Ok(());
+ }
+
+ // Setup
+ let old_sysprop = system_properties::read(CUSTOM_DEBUG_POLICY_OVERLAY_SYSPROP)
+ .context("Failed to read existing sysprop")?
+ .unwrap_or_default();
+ let file_name = "avf_debug_policy_with_adb.dtbo";
+ system_properties::write(CUSTOM_DEBUG_POLICY_OVERLAY_SYSPROP, file_name)
+ .context("Failed to set sysprop")?;
+
+ // Run test
+ let test_result = test_new_with_custom_policy_internal();
+
+ // Clean up.
+ system_properties::write(CUSTOM_DEBUG_POLICY_OVERLAY_SYSPROP, &old_sysprop)
+ .context("Failed to restore sysprop")?;
+
+ test_result
+ }
}
diff --git a/virtualizationservice/aidl/android/system/virtualizationcommon/DeathReason.aidl b/virtualizationservice/aidl/android/system/virtualizationcommon/DeathReason.aidl
index 3f47002..0164de4 100644
--- a/virtualizationservice/aidl/android/system/virtualizationcommon/DeathReason.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationcommon/DeathReason.aidl
@@ -38,10 +38,7 @@
PVM_FIRMWARE_PUBLIC_KEY_MISMATCH = 7,
/** The pVM firmware failed to verify the VM because the instance image changed. */
PVM_FIRMWARE_INSTANCE_IMAGE_CHANGED = 8,
- /** The bootloader failed to verify the VM because the public key doesn't match. */
- BOOTLOADER_PUBLIC_KEY_MISMATCH = 9,
- /** The bootloader failed to verify the VM because the instance image changed. */
- BOOTLOADER_INSTANCE_IMAGE_CHANGED = 10,
+ // 9 & 10 intentionally removed.
/** The microdroid failed to connect to VirtualizationService's RPC server. */
MICRODROID_FAILED_TO_CONNECT_TO_VIRTUALIZATION_SERVICE = 11,
/** The payload for microdroid is changed. */
diff --git a/virtualizationservice/src/atom.rs b/virtualizationservice/src/atom.rs
index 47a1603..4aa3550 100644
--- a/virtualizationservice/src/atom.rs
+++ b/virtualizationservice/src/atom.rs
@@ -87,12 +87,6 @@
DeathReason::PVM_FIRMWARE_INSTANCE_IMAGE_CHANGED => {
vm_exited::DeathReason::PvmFirmwareInstanceImageChanged
}
- DeathReason::BOOTLOADER_PUBLIC_KEY_MISMATCH => {
- vm_exited::DeathReason::BootloaderPublicKeyMismatch
- }
- DeathReason::BOOTLOADER_INSTANCE_IMAGE_CHANGED => {
- vm_exited::DeathReason::BootloaderInstanceImageChanged
- }
DeathReason::MICRODROID_FAILED_TO_CONNECT_TO_VIRTUALIZATION_SERVICE => {
vm_exited::DeathReason::MicrodroidFailedToConnectToVirtualizationService
}
diff --git a/vmclient/src/death_reason.rs b/vmclient/src/death_reason.rs
index c417a7c..0610c1a 100644
--- a/vmclient/src/death_reason.rs
+++ b/vmclient/src/death_reason.rs
@@ -37,10 +37,6 @@
PvmFirmwarePublicKeyMismatch,
/// The pVM firmware failed to verify the VM because the instance image changed.
PvmFirmwareInstanceImageChanged,
- /// The bootloader failed to verify the VM because the public key doesn't match.
- BootloaderPublicKeyMismatch,
- /// The bootloader failed to verify the VM because the instance image changed.
- BootloaderInstanceImageChanged,
/// The microdroid failed to connect to VirtualizationService's RPC server.
MicrodroidFailedToConnectToVirtualizationService,
/// The payload for microdroid is changed.
@@ -71,10 +67,6 @@
AidlDeathReason::PVM_FIRMWARE_INSTANCE_IMAGE_CHANGED => {
Self::PvmFirmwareInstanceImageChanged
}
- AidlDeathReason::BOOTLOADER_PUBLIC_KEY_MISMATCH => Self::BootloaderPublicKeyMismatch,
- AidlDeathReason::BOOTLOADER_INSTANCE_IMAGE_CHANGED => {
- Self::BootloaderInstanceImageChanged
- }
AidlDeathReason::MICRODROID_FAILED_TO_CONNECT_TO_VIRTUALIZATION_SERVICE => {
Self::MicrodroidFailedToConnectToVirtualizationService
}