Add BCC truncating
"Truncate" the received BCC by removing the entire chain we receive
and performing a non-DICE derivation on the CDIs. This is to ensure
that we don't provide access to a UDS-rooted BCC, since that might be
what we received. This needs to be removed once we have a reliable way
to distinguish a VM BCC from a non-VM one.
Fixed a test whose assumption is no longer true.
Bug: 266172411
Test: atest ComposHostTestCases (this validates the CompOS BCC)
Test: atest MicrodroidTests
Change-Id: I288f4ed8e108c81ab46f8ce2c94a9336855422c8
diff --git a/pvmfw/src/main.rs b/pvmfw/src/main.rs
index abe6a25..21521da 100644
--- a/pvmfw/src/main.rs
+++ b/pvmfw/src/main.rs
@@ -131,10 +131,21 @@
RebootReason::InternalError
})?;
- let _ = bcc_handover_main_flow(current_bcc_handover, &dice_inputs, next_bcc).map_err(|e| {
- error!("Failed to derive next-stage DICE secrets: {e:?}");
- RebootReason::SecretDerivationError
+ // It is possible that the DICE chain we were given is rooted in the UDS. We do not want to give
+ // such a chain to the payload, or even the associated CDIs. So remove the entire chain we
+ // were given and taint the CDIs. Note that the resulting CDIs are still deterministically
+ // derived from those we received, so will vary iff they do.
+ // TODO(b/280405545): Remove this post Android 14.
+ let truncated_bcc_handover = bcc::truncate(bcc_handover).map_err(|e| {
+ error!("{e}");
+ RebootReason::InternalError
})?;
+
+ let _ = bcc_handover_main_flow(truncated_bcc_handover.as_slice(), &dice_inputs, next_bcc)
+ .map_err(|e| {
+ error!("Failed to derive next-stage DICE secrets: {e:?}");
+ RebootReason::SecretDerivationError
+ })?;
flush(next_bcc);
let strict_boot = true;
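Review bot: The buffer returned by `bcc::truncate(bcc_handover)` holds the tainted CDIs (per the comment above it, these are still secrets deterministically derived from the received ones), and after `bcc_handover_main_flow` has consumed it the buffer simply goes out of scope without being cleared, so that secret material stays in pvmfw's heap unless something outside this hunk scrubs memory before the payload runs. Zeroize it once the main flow returns, using the `zeroize` crate if pvmfw already depends on it, or a volatile-write loop so the compiler cannot elide the store as dead ahead of the deallocation; a plain `fill(0)` is not reliable here. Separately, the new `error!("{e}")` on the truncate failure path drops the context the other error paths carry; `error!("Failed to truncate BCC handover: {e}")` would make the reboot reason attributable from the log. Finally, the `TODO(b/280405545)` cites a different tracker than the commit's `Bug: 266172411` trailer; worth confirming which one tracks the removal so it does not get orphaned. The enclosing function begins before this hunk, so whether `current_bcc_handover` from the removed line is still used elsewhere cannot be seen from here.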