Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / a26f16aee1e340449c05fc52dfe143f5f6927fa4^! / . / pvmfw / avb / Android.bp
commita26f16aee1e340449c05fc52dfe143f5f6927fa4[log] [tgz]
authorShikha Panwar <shikhapanwar@google.com>Wed Sep 27 09:39:00 2023 +0000
committerShikha Panwar <shikhapanwar@google.com>Fri Sep 29 11:01:48 2023 +0000
tree2d84b7ae82e99a4e6227ab9c867a17f4265c7115
parent2174d411d3735e03e00bfa4650db4795cc595545 [diff] [blame]
pvmfw: Rollback index of kernel & security_version

Capture rollback_index of guest kernel. Rollback indexes are available
in AvbSlotVerifyData returned from avb_slot_verify(). This is a slice of
uint64 where the position of the rollback_index is determined by
rollback_index_location (which defaults to 0).

This is then used as the 'security_version' in the dice config, that
can be used by guests OS to provide AntiRollback protection to secrets.

Note on TrunkStableFlagging - This is guarded by flag llpvm_changes,
based on which security_version is added to  dice.

Test: #payload_with_rollback_index
Test: flash pvmfw => get dice chain from Compos => verify-dice-chain
contaisn security version = 1 for guest OS
Bug: 296830692

Change-Id: I0d6d993d8b2d1b98dcc39fb90895a59c7a699d7d

diff --git a/pvmfw/avb/Android.bp b/pvmfw/avb/Android.bp
index 73d188b..f7362d8 100644
--- a/pvmfw/avb/Android.bp
+++ b/pvmfw/avb/Android.bp

@@ -42,6 +42,7 @@
         ":test_image_with_unknown_vm_type_prop",
         ":test_image_with_multiple_props",
         ":test_image_with_duplicated_capability",
+        ":test_image_with_rollback_index_5",
         ":unsigned_test_image",
     ],
     prefer_rlib: true,
@@ -194,3 +195,12 @@
     private_key: ":pvmfw_sign_key",
     salt: "1111",
 }
+
+avb_add_hash_footer {
+    name: "test_image_with_rollback_index_5",
+    src: ":unsigned_test_image",
+    partition_name: "boot",
+    private_key: ":pvmfw_sign_key",
+    salt: "1211",
+    rollback_index: 5,
+}