pvmfw: Delay panicking when DICE chain missing
Replace the low-level assertions during config data parsing about the
DICE handover being present with a high-level panic in main(), to
prepare for a change adding support for a missing input DICE handover.
Note: No functional change intended.
Test: m pvmfw
Bug: 393977894
Change-Id: I382e42c1eac8280a49aeca76d329bb8f5a10d07d
diff --git a/guest/pvmfw/src/config.rs b/guest/pvmfw/src/config.rs
index 1f9eacf..a16da35 100644
--- a/guest/pvmfw/src/config.rs
+++ b/guest/pvmfw/src/config.rs
@@ -141,7 +141,7 @@
#[derive(Default)]
pub struct Entries<'a> {
- pub dice_handover: &'a mut [u8],
+ pub dice_handover: Option<&'a mut [u8]>,
pub debug_policy: Option<&'a [u8]>,
pub vm_dtbo: Option<&'a mut [u8]>,
pub vm_ref_dt: Option<&'a [u8]>,
@@ -295,9 +295,6 @@
}
let [dice_handover, debug_policy, vm_dtbo, vm_ref_dt] = entries;
- // The platform DICE handover has always been required.
- let dice_handover = dice_handover.unwrap();
-
// We have no reason to mutate so drop the `mut`.
let debug_policy = debug_policy.map(|x| &*x);
let vm_ref_dt = vm_ref_dt.map(|x| &*x);
diff --git a/guest/pvmfw/src/entry.rs b/guest/pvmfw/src/entry.rs
index 8bbbce1..cb6c64e 100644
--- a/guest/pvmfw/src/entry.rs
+++ b/guest/pvmfw/src/entry.rs
@@ -139,7 +139,7 @@
slices.fdt,
slices.kernel,
slices.ramdisk,
- config_entries.dice_handover,
+ config_entries.dice_handover.as_deref(),
config_entries.debug_policy,
config_entries.vm_dtbo,
config_entries.vm_ref_dt,
@@ -147,11 +147,14 @@
if let Some(r) = next_dice_handover {
slices.add_dice_handover(r);
}
+
// Keep UART MMIO_GUARD-ed for debuggable payloads, to enable earlycon.
let keep_uart = cfg!(debuggable_vms_improvements) && debuggable_payload;
// Writable-dirty regions will be flushed when MemoryTracker is dropped.
- config_entries.dice_handover.zeroize();
+ if let Some(r) = config_entries.dice_handover {
+ r.zeroize();
+ }
unshare_all_mmio_except_uart().map_err(|e| {
error!("Failed to unshare MMIO ranges: {e}");
@@ -220,8 +223,8 @@
fn get_entries(self) -> config::Entries<'a> {
match self {
Self::Config(cfg) => cfg.get_entries(),
- Self::LegacyDiceHandover(dice_handover) => {
- config::Entries { dice_handover, ..Default::default() }
+ Self::LegacyDiceHandover(d) => {
+ config::Entries { dice_handover: Some(d), ..Default::default() }
}
}
}
diff --git a/guest/pvmfw/src/main.rs b/guest/pvmfw/src/main.rs
index 7bf68b8..d83df5c 100644
--- a/guest/pvmfw/src/main.rs
+++ b/guest/pvmfw/src/main.rs
@@ -56,7 +56,7 @@
untrusted_fdt: &mut Fdt,
signed_kernel: &[u8],
ramdisk: Option<&[u8]>,
- current_dice_handover: &[u8],
+ current_dice_handover: Option<&[u8]>,
mut debug_policy: Option<&[u8]>,
vm_dtbo: Option<&mut [u8]>,
vm_ref_dt: Option<&[u8]>,
@@ -71,8 +71,7 @@
debug!("Ramdisk: None");
}
- let (dice_handover_bytes, dice_cdi_seal, dice_context, dice_debug_mode) =
- parse_dice_handover(current_dice_handover)?;
+ let (parsed_dice, dice_debug_mode) = parse_dice_handover(current_dice_handover)?;
// The bootloader should never pass us a debug policy when the boot is secure (the bootloader
// is locked). If it gets it wrong, disregard it & log it, to avoid it causing problems.
@@ -97,6 +96,8 @@
error!("Failed to compute partial DICE inputs: {e:?}");
RebootReason::InternalError
})?;
+ let (dice_handover_bytes, dice_cdi_seal, dice_context) =
+ parsed_dice.expect("Missing DICE values with VB data");
let (new_instance, salt, defer_rollback_protection) =
perform_rollback_protection(fdt, data, &dice_inputs, &dice_cdi_seal)?;
trace!("Got salt for instance: {salt:x?}");
@@ -140,8 +141,11 @@
}
fn parse_dice_handover(
- bytes: &[u8],
-) -> Result<(Cow<'_, [u8]>, Vec<u8>, DiceContext, bool), RebootReason> {
+ bytes: Option<&[u8]>,
+) -> Result<(Option<(Cow<'_, [u8]>, Vec<u8>, DiceContext)>, bool), RebootReason> {
+ let Some(bytes) = bytes else {
+ return Ok((None, false));
+ };
let dice_handover = bcc_handover_parse(bytes).map_err(|e| {
error!("Invalid DICE Handover: {e:?}");
RebootReason::InvalidDiceHandover
@@ -181,7 +185,7 @@
Cow::Owned(truncated_bytes)
};
- Ok((bytes_for_next, cdi_seal, dice_context, is_debug_mode))
+ Ok((Some((bytes_for_next, cdi_seal, dice_context)), is_debug_mode))
}
fn perform_dice_derivation<'a>(