Merge "pvmfw: rollback: Force fixed RBP for RemoteAttest" into main
diff --git a/guest/pvmfw/src/rollback.rs b/guest/pvmfw/src/rollback.rs
index 004acdb..e51b6d5 100644
--- a/guest/pvmfw/src/rollback.rs
+++ b/guest/pvmfw/src/rollback.rs
@@ -44,15 +44,16 @@
cdi_seal: &[u8],
instance_hash: Option<Hidden>,
) -> Result<(bool, Hidden, bool), RebootReason> {
- if (should_defer_rollback_protection(fdt)?
+ if let Some(fixed) = get_fixed_rollback_protection(verified_boot_data) {
+ // Prevent attackers from impersonating well-known images.
+ perform_fixed_index_rollback_protection(verified_boot_data, fixed)?;
+ Ok((false, instance_hash.unwrap(), false))
+ } else if (should_defer_rollback_protection(fdt)?
&& verified_boot_data.has_capability(Capability::SecretkeeperProtection))
|| verified_boot_data.has_capability(Capability::TrustySecurityVm)
{
perform_deferred_rollback_protection(verified_boot_data)?;
Ok((false, instance_hash.unwrap(), true))
- } else if verified_boot_data.has_capability(Capability::RemoteAttest) {
- perform_fixed_index_rollback_protection(verified_boot_data)?;
- Ok((false, instance_hash.unwrap(), false))
} else {
perform_legacy_rollback_protection(fdt, dice_inputs, cdi_seal, instance_hash)
}
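Review bot: The new fixed-index branch keeps a bare `instance_hash.unwrap()` on its `Ok((false, instance_hash.unwrap(), false))` line, which is a panic path in firmware if `instance_hash` is `None`, and nothing in the hunk shows why a RemoteAttest image cannot arrive without one. If the invariant is that such images always carry an instance hash, state it at the call site, `Ok((false, instance_hash.expect("RemoteAttest images must carry an instance hash"), false))`, or return the `RebootReason` this file already uses for invalid inputs instead of panicking. The branch also now takes precedence over deferred rollback protection for an image that has both RemoteAttest and SecretkeeperProtection or TrustySecurityVm, which presumably is the intent of the change; the comment above the call could say so, e.g. `// Fixed-index RBP takes priority over deferred RBP for well-known images.` The enclosing function's signature begins before this hunk.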
@@ -72,11 +73,19 @@
}
}
+fn get_fixed_rollback_protection(verified_boot_data: &VerifiedBootData) -> Option<u64> {
+ if verified_boot_data.has_capability(Capability::RemoteAttest) {
+ Some(service_vm_version::VERSION)
+ } else {
+ None
+ }
+}
+
fn perform_fixed_index_rollback_protection(
verified_boot_data: &VerifiedBootData,
+ fixed_index: u64,
) -> Result<(), RebootReason> {
info!("Performing fixed-index rollback protection");
- let fixed_index = service_vm_version::VERSION;
let index = verified_boot_data.rollback_index;
if index != fixed_index {
error!("Rollback index mismatch: expected {fixed_index}, found {index}");