Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / 9eebbab9ca0765dec4216fb221401e6ebbab7ddc^! / . / rialto / src / main.rs
commit9eebbab9ca0765dec4216fb221401e6ebbab7ddc[log] [tgz]
authorAlice Wang <aliceywang@google.com>Wed Apr 10 14:57:27 2024 +0000
committerAlice Wang <aliceywang@google.com>Thu Apr 25 16:46:47 2024 +0000
tree8745eb9a179ff628a90314707482d4892b841ee4
parenta93fea919a5d18b358e896b74cda1d6675c9348c [diff] [blame]
[attestation] Validate vendor module loaded by client VM in RKP VM

This cl added the following tasks to the RKP VM:

- Parses a client VM DICE chain containing an additional vendor
module entry.
- Validates the code hash in the vendor module DICE entry against
the code hash read from the device tree.

The cl also adds a CTS test that triggers the VM attestation from
a VM with vendor module.

Bug: 330678211
Test: atest MicrodroidTests
Change-Id: Id56c6edd8baa32bae6a8ad7b5bca7b18ce167022

diff --git a/rialto/src/main.rs b/rialto/src/main.rs
index 48b69b3..025edff 100644
--- a/rialto/src/main.rs
+++ b/rialto/src/main.rs

@@ -26,7 +26,7 @@
 
 use crate::communication::VsockStream;
 use crate::error::{Error, Result};
-use crate::fdt::read_dice_range_from;
+use crate::fdt::{read_dice_range_from, read_vendor_hashtree_root_digest};
 use alloc::boxed::Box;
 use bssl_sys::CRYPTO_library_init;
 use ciborium_io::Write;
@@ -39,7 +39,7 @@
 use log::{debug, error, info};
 use service_vm_comm::{ServiceVmRequest, VmType};
 use service_vm_fake_chain::service_vm;
-use service_vm_requests::process_request;
+use service_vm_requests::{process_request, RequestContext};
 use virtio_drivers::{
     device::socket::{VsockAddr, VMADDR_CID_HOST},
     transport::{pci::bus::PciRoot, DeviceType, Transport},
@@ -174,11 +174,14 @@
     debug!("PCI root: {pci_root:#x?}");
     let socket_device = find_socket_device::<HalImpl>(&mut pci_root)?;
     debug!("Found socket device: guest cid = {:?}", socket_device.guest_cid());
+    let vendor_hashtree_root_digest = read_vendor_hashtree_root_digest(fdt)?;
+    let request_context =
+        RequestContext { dice_artifacts: bcc_handover.as_ref(), vendor_hashtree_root_digest };
 
     let mut vsock_stream = VsockStream::new(socket_device, host_addr())?;
     while let ServiceVmRequest::Process(req) = vsock_stream.read_request()? {
         info!("Received request: {}", req.name());
-        let response = process_request(req, bcc_handover.as_ref());
+        let response = process_request(req, &request_context);
         info!("Sending response: {}", response.name());
         vsock_stream.write_response(&response)?;
         vsock_stream.flush()?;