Store public key of APK to instance disk
Once a VM is started with an APK, we shouldn't accept any update of the
APK if its signer has changed.
For now, this CL can be considered a no-op because we don't accept any
update by comparing the root hash. However, in the future, when rollback
protection is supported, this change will make it possible to accept APK
updates if the public key remains the same.
Bug: 199143508
Test: atest MicrodroidHostTestCases
Change-Id: I2448faf4a8b9637571ebcc4bc49d3619129496d5
diff --git a/microdroid_manager/src/instance.rs b/microdroid_manager/src/instance.rs
index 73983a7..e431f51 100644
--- a/microdroid_manager/src/instance.rs
+++ b/microdroid_manager/src/instance.rs
@@ -320,7 +320,7 @@
#[derive(Debug, Serialize, Deserialize, PartialEq)]
pub struct ApkData {
pub root_hash: Box<RootHash>,
- // TODO(b/199143508) add cert
+ pub pubkey: Box<[u8]>,
}
pub type RootHash = [u8];
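Review bot: The new `pubkey` field carries no doc comment saying what encoding it holds or where the bytes come from, and since `ApkData` is the record persisted to the instance disk a reader cannot tell that from `Box<[u8]>` alone. A line such as `/// Public key of the APK signer, DER-encoded (see apkverify::get_public_key_der); kept so a signer change across APK updates can be detected.` would do, with the encoding confirmed against the `apkverify` crate. Because the struct derives `Deserialize` and the field has no `#[serde(default)]`, an instance disk written before this change will presumably fail to deserialize for lack of `pubkey`; whether that is the intended outcome depends on how the caller treats a load failure, which is outside this hunk.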
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index 204feab..ac7adc9 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -20,7 +20,7 @@
use crate::instance::{ApkData, InstanceDisk, MicrodroidData, RootHash};
use anyhow::{anyhow, bail, ensure, Context, Result};
-use apkverify::verify;
+use apkverify::{get_public_key_der, verify};
use binder::unstable_api::{new_spibinder, AIBinder};
use binder::{FromIBinder, Strong};
use idsig::V4Signature;
@@ -187,16 +187,18 @@
// taken only when the root_hash is un-trustful which can be either when this is the first boot
// of the VM or APK was updated in the host.
// TODO(jooyung): consider multithreading to make this faster
- if !root_hash_trustful {
- verify(DM_MOUNTED_APK_PATH).context(format!("failed to verify {}", DM_MOUNTED_APK_PATH))?;
- }
+ let apk_pubkey = if !root_hash_trustful {
+ verify(DM_MOUNTED_APK_PATH).context(format!("failed to verify {}", DM_MOUNTED_APK_PATH))?
+ } else {
+ get_public_key_der(DM_MOUNTED_APK_PATH)?
+ };
info!("payload verification successful. took {:#?}", start_time.elapsed().unwrap());
// At this point, we can ensure that the root_hash from the idsig file is trusted, either by
// fully verifying the APK or by comparing it with the saved root_hash.
Ok(MicrodroidData {
- apk_data: ApkData { root_hash: root_hash_from_idsig },
+ apk_data: ApkData { root_hash: root_hash_from_idsig, pubkey: apk_pubkey },
apex_data: apex_data_from_payload,
})
}
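Review bot: The `get_public_key_der(DM_MOUNTED_APK_PATH)?` call in the new else branch propagates its error without the path context that the neighbouring `verify` call attaches, so a failure on this path is harder to attribute; `get_public_key_der(DM_MOUNTED_APK_PATH).with_context(|| format!("failed to get public key from {}", DM_MOUNTED_APK_PATH))?` would match, and the closure form avoids formatting the message on the success path. The comment above the block still says the step is taken only when the root hash is un-trustful, while the block now produces a key on both paths; a sentence such as `// When the root hash already matches the saved one, the APK bytes are unchanged, so the key is read without a full signature verification` would record why the cheaper path is considered safe, assuming that is the reasoning here. The `info!` line after the block reports a successful verification even on the path that skipped `verify`, so its wording could distinguish the two cases. The enclosing function starts before this hunk.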