Merge "Add Ciborium to pvmfw"
diff --git a/apex/Android.bp b/apex/Android.bp
index e39b459..1c4d357 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -92,6 +92,8 @@
"microdroid_initrd_normal",
"microdroid.json",
"microdroid_kernel",
+ // rialto_bin is a prebuilt target wrapping the signed bare-metal service VM.
+ "rialto_bin",
],
host_required: [
"vm_shell",
diff --git a/microdroid/README.md b/microdroid/README.md
index 71be7d0..5e3f586 100644
--- a/microdroid/README.md
+++ b/microdroid/README.md
@@ -8,8 +8,7 @@
## Prerequisites
Any 64-bit target (either x86\_64 or arm64) is supported. 32-bit target is not
-supported. Note that we currently don't support user builds; only userdebug
-builds are supported.
+supported.
The only remaining requirement is that `com.android.virt` APEX has to be
pre-installed. To do this, add the following line in your product makefile.
@@ -18,10 +17,10 @@
$(call inherit-product, packages/modules/Virtualization/apex/product_packages.mk)
```
-Build the target after adding the line, and flash it. This step needs to be done
-only once for the target.
+Build the target product after adding the line, and flash it. This step needs
+to be done only once for the target.
-If you are using `aosp_oriole` (Pixel 6) or `aosp_cf_x86_64_phone` (Cuttlefish),
+If you are using Pixel 6 and beyond or Cuttlefish (`aosp_cf_x86_64_phone`)
adding above line is not necessary as it's already done.
## Building and installing microdroid
@@ -41,8 +40,11 @@
## Building an app
-An app in microdroid is a shared library file embedded in an APK. The shared
-library should have an entry point `AVmPayload_main` as shown below:
+A [vm
+payload](https://android.googlesource.com/platform/packages/modules/Virtualization/+/refs/heads/master/vm_payload/)
+is a shared library file that gets executed in microdroid. It is packaged as
+part of an Android application. The library should have an entry point
+`AVmPayload_main` as shown below:
```C++
extern "C" int AVmPayload_main() {
@@ -54,53 +56,22 @@
```
cc_library_shared {
- name: "MyMicrodroidApp",
+ name: "MyMicrodroidPayload",
srcs: ["**/*.cpp"],
sdk_version: "current",
}
```
-Then you need a configuration file in JSON format that defines what to load and
-execute in microdroid. The name of the file can be anything and you may have
-multiple configuration files if needed.
-
-```json
-{
- "os": { "name": "microdroid" },
- "task": {
- "type": "microdroid_launcher",
- "command": "MyMicrodroidApp.so"
- }
-}
-```
-
-The value of `task.command` should match with the name of the shared library
-defined above. If your app requires APEXes to be imported, you can declare the
-list in `apexes` key like following.
-
-```json
-{
- "os": ...,
- "task": ...,
- "apexes": [
- {"name": "com.android.awesome_apex"}
- ]
-}
-```
-
-Embed the shared library and the VM configuration file in an APK:
+Embed the shared library file in an APK:
```
android_app {
name: "MyApp",
- srcs: ["**/*.java"], // if there is any java code
- jni_libs: ["MyMicrodroidApp"],
+ srcs: ["**/*.java"],
+ jni_libs: ["MyMicrodroidPayload"],
use_embedded_native_libs: true,
sdk_version: "current",
}
-
-// The VM configuration file can be embedded by simply placing it at `./assets`
-// directory.
```
Finally, you build the APK.
@@ -109,7 +80,7 @@
TARGET_BUILD_APPS=MyApp m apps_only dist
```
-## Running the app on microdroid
+## Running the VM payload on microdroid
First of all, install the APK to the target device.
@@ -117,22 +88,16 @@
adb install out/dist/MyApp.apk
```
-`ALL_CAP`s below are placeholders. They need to be replaced with correct
-values:
+There are two ways start a VM and run the payload in it.
-* `VM_CONFIG_FILE`: the name of the VM config file that you embedded in the APK.
- (e.g. `vm_config.json`)
-* `PACKAGE_NAME_OF_YOUR_APP`: package name of your app (e.g. `com.acme.app`).
-* `PATH_TO_YOUR_APP`: path to the installed APK on the device. Can be obtained
- via the following command.
- ```sh
- adb shell pm path PACKAGE_NAME_OF_YOUR_APP
- ```
- It shall report a cryptic path similar to `/data/app/~~OgZq==/com.acme.app-HudMahQ==/base.apk`.
+* By manually invoking the `vm` tool via `adb shell`.
+* Calling APIs programmatically in the Java app.
+
+### Using `vm` tool
Execute the following commands to launch a VM. The VM will boot to microdroid
-and then automatically execute your app (the shared library
-`MyMicrodroidApp.so`).
+and then automatically execute your payload (the shared library
+`MyMicrodroidPayload.so`).
```sh
TEST_ROOT=/data/local/tmp/virt
@@ -142,23 +107,36 @@
PATH_TO_YOUR_APP \
$TEST_ROOT/MyApp.apk.idsig \
$TEST_ROOT/instance.img \
---config-path assets/VM_CONFIG_FILE
+--payload-binary-name MyMicrodroidPayload.so
```
-The last command lets you know the CID assigned to the VM. The console output
-from the VM is stored to `$TEST_ROOT/console.txt` and logcat is stored to
-`$TEST_ROOT/log.txt` file for debugging purpose. If you omit `--log` or
-`--console` option, they will be emitted to the current console.
+`ALL_CAP`s below are placeholders. They need to be replaced with correct
+values:
-Stopping the VM can be done as follows:
+* `PACKAGE_NAME_OF_YOUR_APP`: package name of your app (e.g. `com.acme.app`).
+* `PATH_TO_YOUR_APP`: path to the installed APK on the device. Can be obtained
+ via the following command.
+ ```sh
+ adb shell pm path PACKAGE_NAME_OF_YOUR_APP
+ ```
+ It shall report a cryptic path similar to `/data/app/~~OgZq==/com.acme.app-HudMahQ==/base.apk`.
-```sh
-adb shell /apex/com.android.virt/bin/vm stop $CID
-```
+The console output from the VM is stored to `$TEST_ROOT/console.txt` and logcat
+is stored to `$TEST_ROOT/log.txt` file for debugging purpose. If you omit
+`--log` or `--console` option, the console output will be emitted to the
+current console and the logcat logs are sent to the main logcat in Android.
-, where `$CID` is the reported CID value. This works only when the `vm` was
-invoked with the `--daemonize` flag. If the flag was not used, press Ctrl+C on
-the console where the `vm run-app` command was invoked.
+Stopping the VM can be done by pressing `Ctrl+C`.
+
+### Using the APIs
+
+Use the [Android Virtualization Framework Java
+APIs](https://android.googlesource.com/platform/packages/modules/Virtualization/+/refs/heads/master/javalib/api/system-current.txt)
+in your app to create a microdroid VM and run payload in it. The APIs currently
+are @SystemApi, thus available only to privileged apps.
+
+If you are looking for an example usage of the APIs, you may refer to the [demo
+app](https://android.googlesource.com/platform/packages/modules/Virtualization/+/refs/heads/master/demo/).
## Debuggable microdroid
diff --git a/microdroid/payload/mk_payload.cc b/microdroid/payload/mk_payload.cc
deleted file mode 100644
index d31333f..0000000
--- a/microdroid/payload/mk_payload.cc
+++ /dev/null
@@ -1,305 +0,0 @@
-/*
- * Copyright (C) 2021 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#include <fstream>
-#include <iostream>
-#include <optional>
-#include <string>
-#include <vector>
-
-#include <android-base/file.h>
-#include <android-base/result.h>
-#include <image_aggregator.h>
-#include <json/json.h>
-
-#include "microdroid/metadata.h"
-
-using android::base::Dirname;
-using android::base::ErrnoError;
-using android::base::Error;
-using android::base::Result;
-using android::base::unique_fd;
-using android::microdroid::ApexPayload;
-using android::microdroid::ApkPayload;
-using android::microdroid::Metadata;
-using android::microdroid::WriteMetadata;
-
-using cuttlefish::AlignToPartitionSize;
-using cuttlefish::CreateCompositeDisk;
-using cuttlefish::kLinuxFilesystem;
-using cuttlefish::MultipleImagePartition;
-
-Result<uint32_t> GetFileSize(const std::string& path) {
- struct stat st;
- if (lstat(path.c_str(), &st) == -1) {
- return ErrnoError() << "Can't lstat " << path;
- }
- return static_cast<uint32_t>(st.st_size);
-}
-
-std::string RelativeTo(const std::string& path, const std::string& dirname) {
- bool is_absolute = !path.empty() && path[0] == '/';
- if (is_absolute || dirname == ".") {
- return path;
- } else {
- return dirname + "/" + path;
- }
-}
-
-// Returns `append` is appended to the end of filename preserving the extension.
-std::string AppendFileName(const std::string& filename, const std::string& append) {
- size_t pos = filename.find_last_of('.');
- if (pos == std::string::npos) {
- return filename + append;
- } else {
- return filename.substr(0, pos) + append + filename.substr(pos);
- }
-}
-
-struct ApexConfig {
- std::string name; // the apex name
- std::string path; // the path to the apex file
- // absolute or relative to the config file
-};
-
-struct ApkConfig {
- std::string name;
- std::string path;
- std::string idsig_path;
-};
-
-struct Config {
- std::string dirname; // config file's direname to resolve relative paths in the config
-
- std::vector<ApexConfig> apexes;
- std::optional<ApkConfig> apk;
- // This is a path in the guest side
- std::optional<std::string> payload_config_path;
-};
-
-#define DO(expr) \
- if (auto res = (expr); !res.ok()) return res.error()
-
-Result<void> ParseJson(const Json::Value& value, std::string& s) {
- if (!value.isString()) {
- return Error() << "should be a string: " << value;
- }
- s = value.asString();
- return {};
-}
-
-template <typename T>
-Result<void> ParseJson(const Json::Value& value, std::optional<T>& s) {
- if (value.isNull()) {
- s.reset();
- return {};
- }
- s.emplace();
- return ParseJson(value, *s);
-}
-
-template <typename T>
-Result<void> ParseJson(const Json::Value& values, std::vector<T>& parsed) {
- for (const Json::Value& value : values) {
- T t;
- DO(ParseJson(value, t));
- parsed.push_back(std::move(t));
- }
- return {};
-}
-
-Result<void> ParseJson(const Json::Value& value, ApexConfig& apex_config) {
- DO(ParseJson(value["name"], apex_config.name));
- DO(ParseJson(value["path"], apex_config.path));
- return {};
-}
-
-Result<void> ParseJson(const Json::Value& value, ApkConfig& apk_config) {
- DO(ParseJson(value["name"], apk_config.name));
- DO(ParseJson(value["path"], apk_config.path));
- DO(ParseJson(value["idsig_path"], apk_config.idsig_path));
- return {};
-}
-
-Result<void> ParseJson(const Json::Value& value, Config& config) {
- DO(ParseJson(value["apexes"], config.apexes));
- DO(ParseJson(value["apk"], config.apk));
- DO(ParseJson(value["payload_config_path"], config.payload_config_path));
- return {};
-}
-
-Result<Config> LoadConfig(const std::string& config_file) {
- std::ifstream in(config_file);
- Json::CharReaderBuilder builder;
- Json::Value root;
- Json::String errs;
- if (!parseFromStream(builder, in, &root, &errs)) {
- return Error() << errs;
- }
-
- Config config;
- config.dirname = Dirname(config_file);
- DO(ParseJson(root, config));
- return config;
-}
-
-#undef DO
-
-Result<void> MakeMetadata(const Config& config, const std::string& filename) {
- Metadata metadata;
- metadata.set_version(1);
-
- for (const auto& apex_config : config.apexes) {
- auto* apex = metadata.add_apexes();
- apex->set_name(apex_config.name);
- apex->set_partition_name(apex_config.name);
- apex->set_is_factory(true);
- }
-
- if (config.apk.has_value()) {
- auto* apk = metadata.mutable_apk();
- apk->set_name(config.apk->name);
- apk->set_payload_partition_name("microdroid-apk");
- apk->set_idsig_partition_name("microdroid-apk-idsig");
- }
-
- if (config.payload_config_path.has_value()) {
- *metadata.mutable_config_path() = config.payload_config_path.value();
- }
-
- std::ofstream out(filename);
- return WriteMetadata(metadata, out);
-}
-
-// fill zeros to align |file_path|'s size to BLOCK_SIZE(4096) boundary.
-// return true when the filler is needed.
-Result<bool> ZeroFiller(const std::string& file_path, const std::string& filler_path) {
- auto file_size = GetFileSize(file_path);
- if (!file_size.ok()) {
- return file_size.error();
- }
- auto disk_size = AlignToPartitionSize(*file_size);
- if (disk_size <= *file_size) {
- return false;
- }
- unique_fd fd(TEMP_FAILURE_RETRY(open(filler_path.c_str(), O_CREAT | O_WRONLY | O_TRUNC, 0600)));
- if (fd.get() == -1) {
- return ErrnoError() << "open(" << filler_path << ") failed.";
- }
- if (ftruncate(fd.get(), disk_size - *file_size) == -1) {
- return ErrnoError() << "ftruncate(" << filler_path << ") failed.";
- }
- return true;
-}
-
-Result<void> MakePayload(const Config& config, const std::string& metadata_file,
- const std::string& output_file) {
- std::vector<MultipleImagePartition> partitions;
-
- int filler_count = 0;
- auto add_partition = [&](auto partition_name, auto file_path) -> Result<void> {
- std::vector<std::string> image_files{file_path};
-
- std::string filler_path =
- AppendFileName(output_file, "-filler-" + std::to_string(filler_count++));
- if (auto ret = ZeroFiller(file_path, filler_path); !ret.ok()) {
- return ret.error();
- } else if (*ret) {
- image_files.push_back(filler_path);
- }
- partitions.push_back(MultipleImagePartition{
- .label = partition_name,
- .image_file_paths = image_files,
- .type = kLinuxFilesystem,
- .read_only = true,
- });
- return {};
- };
-
- // put metadata at the first partition
- partitions.push_back(MultipleImagePartition{
- .label = "payload-metadata",
- .image_file_paths = {metadata_file},
- .type = kLinuxFilesystem,
- .read_only = true,
- });
- // put apexes at the subsequent partitions
- for (size_t i = 0; i < config.apexes.size(); i++) {
- const auto& apex_config = config.apexes[i];
- std::string apex_path = RelativeTo(apex_config.path, config.dirname);
- if (auto ret = add_partition("microdroid-apex-" + std::to_string(i), apex_path);
- !ret.ok()) {
- return ret.error();
- }
- }
- // put apk and its idsig
- if (config.apk.has_value()) {
- std::string apk_path = RelativeTo(config.apk->path, config.dirname);
- if (auto ret = add_partition("microdroid-apk", apk_path); !ret.ok()) {
- return ret.error();
- }
- std::string idsig_path = RelativeTo(config.apk->idsig_path, config.dirname);
- if (auto ret = add_partition("microdroid-apk-idsig", idsig_path); !ret.ok()) {
- return ret.error();
- }
- }
-
- const std::string gpt_header = AppendFileName(output_file, "-header");
- const std::string gpt_footer = AppendFileName(output_file, "-footer");
- CreateCompositeDisk(partitions, gpt_header, gpt_footer, output_file);
- return {};
-}
-
-int main(int argc, char** argv) {
- if (argc < 3 || argc > 4) {
- std::cerr << "Usage: " << argv[0] << " [--metadata-only] <config> <output>\n";
- return 1;
- }
- int arg_index = 1;
- bool metadata_only = false;
- if (strcmp(argv[arg_index], "--metadata-only") == 0) {
- metadata_only = true;
- arg_index++;
- }
-
- auto config = LoadConfig(argv[arg_index++]);
- if (!config.ok()) {
- std::cerr << "bad config: " << config.error() << '\n';
- return 1;
- }
-
- const std::string output_file(argv[arg_index++]);
- const std::string metadata_file =
- metadata_only ? output_file : AppendFileName(output_file, "-metadata");
-
- if (const auto res = MakeMetadata(*config, metadata_file); !res.ok()) {
- std::cerr << res.error() << '\n';
- return 1;
- }
- if (metadata_only) {
- return 0;
- }
- if (const auto res = MakePayload(*config, metadata_file, output_file); !res.ok()) {
- std::cerr << res.error() << '\n';
- return 1;
- }
-
- return 0;
-}
diff --git a/microdroid_manager/aidl/android/system/virtualization/payload/IVmPayloadService.aidl b/microdroid_manager/aidl/android/system/virtualization/payload/IVmPayloadService.aidl
index 3859785..50d437f 100644
--- a/microdroid_manager/aidl/android/system/virtualization/payload/IVmPayloadService.aidl
+++ b/microdroid_manager/aidl/android/system/virtualization/payload/IVmPayloadService.aidl
@@ -67,4 +67,13 @@
* @throws SecurityException if the use of test APIs is not permitted.
*/
byte[] getDiceAttestationCdi();
+
+ /**
+ * Requests a certificate using the provided certificate signing request (CSR).
+ *
+ * TODO(b/271275206): Define the format of the CSR properly.
+ * @param csr the certificate signing request.
+ * @return the X.509 encoded certificate.
+ */
+ byte[] requestCertificate(in byte[] csr);
}
diff --git a/microdroid_manager/src/vm_payload_service.rs b/microdroid_manager/src/vm_payload_service.rs
index 96f51f0..11e6967 100644
--- a/microdroid_manager/src/vm_payload_service.rs
+++ b/microdroid_manager/src/vm_payload_service.rs
@@ -67,6 +67,11 @@
self.check_restricted_apis_allowed()?;
Ok(self.dice.cdi_attest().to_vec())
}
+
+ fn requestCertificate(&self, csr: &[u8]) -> binder::Result<Vec<u8>> {
+ self.check_restricted_apis_allowed()?;
+ self.virtual_machine_service.requestCertificate(csr)
+ }
}
impl Interface for VmPayloadService {}
diff --git a/pvmfw/src/virtio/hal.rs b/pvmfw/src/virtio/hal.rs
index 5f70b33..7598a55 100644
--- a/pvmfw/src/virtio/hal.rs
+++ b/pvmfw/src/virtio/hal.rs
@@ -9,7 +9,21 @@
pub struct HalImpl;
-impl Hal for HalImpl {
+/// Implements the `Hal` trait for `HalImpl`.
+///
+/// # Safety
+///
+/// Callers of this implementatation must follow the safety requirements documented for the unsafe
+/// methods.
+unsafe impl Hal for HalImpl {
+ /// Allocates the given number of contiguous physical pages of DMA memory for VirtIO use.
+ ///
+ /// # Implementation Safety
+ ///
+ /// `dma_alloc` ensures the returned DMA buffer is not aliased with any other allocation or
+ /// reference in the program until it is deallocated by `dma_dealloc` by allocating a unique
+ /// block of memory using `alloc_shared` and returning a non-null pointer to it that is
+ /// aligned to `PAGE_SIZE`.
fn dma_alloc(pages: usize, _direction: BufferDirection) -> (PhysAddr, NonNull<u8>) {
debug!("dma_alloc: pages={}", pages);
let size = pages * PAGE_SIZE;
@@ -19,7 +33,7 @@
(paddr, vaddr)
}
- fn dma_dealloc(paddr: PhysAddr, vaddr: NonNull<u8>, pages: usize) -> i32 {
+ unsafe fn dma_dealloc(paddr: PhysAddr, vaddr: NonNull<u8>, pages: usize) -> i32 {
debug!("dma_dealloc: paddr={:#x}, pages={}", paddr, pages);
let size = pages * PAGE_SIZE;
// Safe because the memory was allocated by `dma_alloc` above using the same allocator, and
@@ -30,7 +44,13 @@
0
}
- fn mmio_phys_to_virt(paddr: PhysAddr, size: usize) -> NonNull<u8> {
+ /// Converts a physical address used for MMIO to a virtual address which the driver can access.
+ ///
+ /// # Implementation Safety
+ ///
+ /// `mmio_phys_to_virt` satisfies the requirement by checking that the mapped memory region
+ /// is within the PCI MMIO range.
+ unsafe fn mmio_phys_to_virt(paddr: PhysAddr, size: usize) -> NonNull<u8> {
let pci_info = PCI_INFO.get().expect("VirtIO HAL used before PCI_INFO was initialised");
// Check that the region is within the PCI MMIO range that we read from the device tree. If
// not, the host is probably trying to do something malicious.
@@ -48,7 +68,7 @@
phys_to_virt(paddr)
}
- fn share(buffer: NonNull<[u8]>, direction: BufferDirection) -> PhysAddr {
+ unsafe fn share(buffer: NonNull<[u8]>, direction: BufferDirection) -> PhysAddr {
let size = buffer.len();
// TODO: Copy to a pre-shared region rather than allocating and sharing each time.
@@ -63,7 +83,7 @@
virt_to_phys(copy)
}
- fn unshare(paddr: PhysAddr, buffer: NonNull<[u8]>, direction: BufferDirection) {
+ unsafe fn unshare(paddr: PhysAddr, buffer: NonNull<[u8]>, direction: BufferDirection) {
let vaddr = phys_to_virt(paddr);
let size = buffer.len();
if direction == BufferDirection::DeviceToDriver {
diff --git a/service_vm/client_apk/Android.bp b/service_vm/client_apk/Android.bp
new file mode 100644
index 0000000..e5084d4
--- /dev/null
+++ b/service_vm/client_apk/Android.bp
@@ -0,0 +1,37 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_app {
+ name: "ServiceVmClientApp",
+ installable: true,
+ jni_libs: ["libservice_vm_client"],
+ jni_uses_platform_apis: true,
+ use_embedded_native_libs: true,
+ sdk_version: "system_current",
+ compile_multilib: "first",
+ apex_available: ["com.android.virt"],
+}
+
+rust_defaults {
+ name: "service_vm_client_defaults",
+ crate_name: "service_vm_client",
+ srcs: ["src/main.rs"],
+ prefer_rlib: true,
+ rustlibs: [
+ "libandroid_logger",
+ "libanyhow",
+ "liblog_rust",
+ "libvm_payload_bindgen",
+ ],
+}
+
+rust_ffi {
+ name: "libservice_vm_client",
+ defaults: ["service_vm_client_defaults"],
+ // TODO(b/250854486): Remove the sanitize section once the bug is fixed.
+ sanitize: {
+ address: false,
+ hwaddress: false,
+ },
+}
diff --git a/service_vm/client_apk/AndroidManifest.xml b/service_vm/client_apk/AndroidManifest.xml
new file mode 100644
index 0000000..b3598fc
--- /dev/null
+++ b/service_vm/client_apk/AndroidManifest.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2023 The Android Open Source Project
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.virt.service_vm.client">
+ <uses-permission android:name="android.permission.MANAGE_VIRTUAL_MACHINE" />
+ <uses-permission android:name="android.permission.USE_CUSTOM_VIRTUAL_MACHINE" />
+
+ <application android:hasCode="false"/>
+</manifest>
diff --git a/service_vm/client_apk/assets/config.json b/service_vm/client_apk/assets/config.json
new file mode 100644
index 0000000..02749fe
--- /dev/null
+++ b/service_vm/client_apk/assets/config.json
@@ -0,0 +1,10 @@
+{
+ "os": {
+ "name": "microdroid"
+ },
+ "task": {
+ "type": "microdroid_launcher",
+ "command": "libservice_vm_client.so"
+ },
+ "export_tombstones": true
+ }
\ No newline at end of file
diff --git a/service_vm/client_apk/src/main.rs b/service_vm/client_apk/src/main.rs
new file mode 100644
index 0000000..1f8db96
--- /dev/null
+++ b/service_vm/client_apk/src/main.rs
@@ -0,0 +1,71 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Main executable of Service VM client.
+
+use anyhow::Result;
+use log::{error, info};
+use std::{ffi::c_void, panic};
+use vm_payload_bindgen::AVmPayload_requestCertificate;
+
+/// Entry point of the Service VM client.
+#[allow(non_snake_case)]
+#[no_mangle]
+pub extern "C" fn AVmPayload_main() {
+ android_logger::init_once(
+ android_logger::Config::default()
+ .with_tag("service_vm_client")
+ .with_min_level(log::Level::Debug),
+ );
+ // Redirect panic messages to logcat.
+ panic::set_hook(Box::new(|panic_info| {
+ error!("{}", panic_info);
+ }));
+ if let Err(e) = try_main() {
+ error!("failed with {:?}", e);
+ std::process::exit(1);
+ }
+}
+
+fn try_main() -> Result<()> {
+ info!("Welcome to Service VM Client!");
+ let csr = b"Hello from Service VM";
+ let certificate = request_certificate(csr);
+ info!("Certificate: {:?}", certificate);
+ Ok(())
+}
+
+fn request_certificate(csr: &[u8]) -> Vec<u8> {
+ // SAFETY: It is safe as we only request the size of the certificate in this call.
+ let certificate_size = unsafe {
+ AVmPayload_requestCertificate(
+ csr.as_ptr() as *const c_void,
+ csr.len(),
+ [].as_mut_ptr() as *mut c_void,
+ 0,
+ )
+ };
+ let mut certificate = vec![0u8; certificate_size];
+ // SAFETY: It is safe as we only write the data into the given buffer within the buffer
+ // size in this call.
+ unsafe {
+ AVmPayload_requestCertificate(
+ csr.as_ptr() as *const c_void,
+ csr.len(),
+ certificate.as_mut_ptr() as *mut c_void,
+ certificate.len(),
+ );
+ };
+ certificate
+}
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index 468ee19..f57cb59 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -1184,6 +1184,31 @@
))
}
}
+
+ fn requestCertificate(&self, csr: &[u8]) -> binder::Result<Vec<u8>> {
+ let cid = self.cid;
+ let Some(vm) = self.state.lock().unwrap().get_vm(cid) else {
+ error!("requestCertificate is called from an unknown CID {cid}");
+ return Err(Status::new_service_specific_error_str(
+ -1,
+ Some(format!("cannot find a VM with CID {}", cid)),
+ ))
+ };
+ let instance_img_path = vm.temporary_directory.join("rkpvm_instance.img");
+ let instance_img = OpenOptions::new()
+ .create(true)
+ .read(true)
+ .write(true)
+ .open(instance_img_path)
+ .map_err(|e| {
+ error!("Failed to create rkpvm_instance.img file: {:?}", e);
+ Status::new_service_specific_error_str(
+ -1,
+ Some(format!("Failed to create rkpvm_instance.img file: {:?}", e)),
+ )
+ })?;
+ GLOBAL_SERVICE.requestCertificate(csr, &ParcelFileDescriptor::new(instance_img))
+ }
}
impl VirtualMachineService {
diff --git a/virtualizationservice/Android.bp b/virtualizationservice/Android.bp
index f7202da..6b39ff9 100644
--- a/virtualizationservice/Android.bp
+++ b/virtualizationservice/Android.bp
@@ -28,6 +28,7 @@
"libandroid_logger",
"libanyhow",
"libbinder_rs",
+ "libvmclient",
"liblibc",
"liblog_rust",
"libnix",
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice_internal/IVirtualizationServiceInternal.aidl b/virtualizationservice/aidl/android/system/virtualizationservice_internal/IVirtualizationServiceInternal.aidl
index 5422a48..cc59b3f 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice_internal/IVirtualizationServiceInternal.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice_internal/IVirtualizationServiceInternal.aidl
@@ -49,4 +49,14 @@
/** Get a list of all currently running VMs. */
VirtualMachineDebugInfo[] debugListVms();
+
+ /**
+ * Requests a certificate using the provided certificate signing request (CSR).
+ *
+ * @param csr the certificate signing request.
+ * @param instanceImgFd The file descriptor of the instance image. The file should be open for
+ * both reading and writing.
+ * @return the X.509 encoded certificate.
+ */
+ byte[] requestCertificate(in byte[] csr, in ParcelFileDescriptor instanceImgFd);
}
diff --git a/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl b/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl
index 3fdb48a..7b90714 100644
--- a/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl
+++ b/virtualizationservice/aidl/android/system/virtualmachineservice/IVirtualMachineService.aidl
@@ -44,4 +44,12 @@
* Notifies that an error has occurred inside the VM.
*/
void notifyError(ErrorCode errorCode, in String message);
+
+ /**
+ * Requests a certificate using the provided certificate signing request (CSR).
+ *
+ * @param csr the certificate signing request.
+ * @return the X.509 encoded certificate.
+ */
+ byte[] requestCertificate(in byte[] csr);
}
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index 3888df2..5c5a7e4 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -16,8 +16,12 @@
use crate::{get_calling_pid, get_calling_uid};
use crate::atom::{forward_vm_booted_atom, forward_vm_creation_atom, forward_vm_exited_atom};
+use crate::rkpvm::request_certificate;
use android_os_permissions_aidl::aidl::android::os::IPermissionController;
-use android_system_virtualizationservice::aidl::android::system::virtualizationservice::VirtualMachineDebugInfo::VirtualMachineDebugInfo;
+use android_system_virtualizationservice::{
+ aidl::android::system::virtualizationservice::VirtualMachineDebugInfo::VirtualMachineDebugInfo,
+ binder::ParcelFileDescriptor,
+};
use android_system_virtualizationservice_internal::aidl::android::system::virtualizationservice_internal::{
AtomVmBooted::AtomVmBooted,
AtomVmCreationRequested::AtomVmCreationRequested,
@@ -153,6 +157,19 @@
.collect();
Ok(cids)
}
+
+ fn requestCertificate(
+ &self,
+ csr: &[u8],
+ instance_img_fd: &ParcelFileDescriptor,
+ ) -> binder::Result<Vec<u8>> {
+ check_manage_access()?;
+ info!("Received csr. Getting certificate...");
+ request_certificate(csr, instance_img_fd).map_err(|e| {
+ error!("Failed to get certificate. Error: {e:?}");
+ Status::new_exception_str(ExceptionCode::SERVICE_SPECIFIC, Some(e.to_string()))
+ })
+ }
}
#[derive(Debug, Default)]
diff --git a/virtualizationservice/src/main.rs b/virtualizationservice/src/main.rs
index 64ccb13..bf8b944 100644
--- a/virtualizationservice/src/main.rs
+++ b/virtualizationservice/src/main.rs
@@ -16,6 +16,7 @@
mod aidl;
mod atom;
+mod rkpvm;
use crate::aidl::{
remove_temporary_dir, BINDER_SERVICE_IDENTIFIER, TEMPORARY_DIRECTORY,
diff --git a/virtualizationservice/src/rkpvm.rs b/virtualizationservice/src/rkpvm.rs
new file mode 100644
index 0000000..a4649f6
--- /dev/null
+++ b/virtualizationservice/src/rkpvm.rs
@@ -0,0 +1,95 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Handles the RKP (Remote Key Provisioning) VM and host communication.
+//! The RKP VM will be recognized and attested by the RKP server periodically and
+//! serves as a trusted platform to attest a client VM.
+
+use android_system_virtualizationservice::{
+ aidl::android::system::virtualizationservice::{
+ CpuTopology::CpuTopology, DiskImage::DiskImage, Partition::Partition,
+ PartitionType::PartitionType, VirtualMachineConfig::VirtualMachineConfig,
+ VirtualMachineRawConfig::VirtualMachineRawConfig,
+ },
+ binder::{ParcelFileDescriptor, ProcessState},
+};
+use anyhow::{anyhow, Context, Result};
+use log::info;
+use std::fs::File;
+use std::time::Duration;
+use vmclient::VmInstance;
+
+const RIALTO_PATH: &str = "/apex/com.android.virt/etc/rialto.bin";
+
+pub(crate) fn request_certificate(
+ csr: &[u8],
+ instance_img_fd: &ParcelFileDescriptor,
+) -> Result<Vec<u8>> {
+ // We need to start the thread pool for Binder to work properly, especially link_to_death.
+ ProcessState::start_thread_pool();
+
+ let virtmgr = vmclient::VirtualizationService::new().context("Failed to spawn virtmgr")?;
+ let service = virtmgr.connect().context("virtmgr failed to connect")?;
+ info!("service_vm: Connected to VirtualizationService");
+ // TODO(b/272226230): Either turn rialto into the service VM or use an empty payload here.
+ // If using an empty payload, the service code will be part of pvmfw.
+ let rialto = File::open(RIALTO_PATH).context("Failed to open Rialto kernel binary")?;
+
+ // TODO(b/272226230): Initialize the partition from virtualization manager.
+ const INSTANCE_IMG_SIZE_BYTES: i64 = 1 << 20; // 1MB
+ service
+ .initializeWritablePartition(
+ instance_img_fd,
+ INSTANCE_IMG_SIZE_BYTES,
+ PartitionType::ANDROID_VM_INSTANCE,
+ )
+ .context("Failed to initialize instange.img")?;
+ let instance_img =
+ instance_img_fd.as_ref().try_clone().context("Failed to clone instance.img")?;
+ let instance_img = ParcelFileDescriptor::new(instance_img);
+ let writable_partitions = vec![Partition {
+ label: "vm-instance".to_owned(),
+ image: Some(instance_img),
+ writable: true,
+ }];
+ info!("service_vm: Finished initializing instance.img...");
+
+ let config = VirtualMachineConfig::RawConfig(VirtualMachineRawConfig {
+ name: String::from("Service VM"),
+ kernel: None,
+ initrd: None,
+ params: None,
+ bootloader: Some(ParcelFileDescriptor::new(rialto)),
+ disks: vec![DiskImage { image: None, partitions: writable_partitions, writable: true }],
+ protectedVm: true,
+ memoryMib: 300,
+ cpuTopology: CpuTopology::ONE_CPU,
+ platformVersion: "~1.0".to_string(),
+ taskProfiles: vec![],
+ gdbPort: 0, // No gdb
+ });
+ let vm = VmInstance::create(service.as_ref(), &config, None, None, None)
+ .context("Failed to create service VM")?;
+
+ info!("service_vm: Starting Service VM...");
+ vm.start().context("Failed to start service VM")?;
+
+ // TODO(b/274441673): The host can send the CSR to the RKP VM for attestation.
+ // Wait for VM to finish.
+ vm.wait_for_death_with_timeout(Duration::from_secs(10))
+ .ok_or_else(|| anyhow!("Timed out waiting for VM exit"))?;
+
+ info!("service_vm: Finished getting the certificate");
+ Ok([b"Return: ", csr].concat())
+}
diff --git a/vm_payload/Android.bp b/vm_payload/Android.bp
index 7862702..77dbb6b 100644
--- a/vm_payload/Android.bp
+++ b/vm_payload/Android.bp
@@ -38,7 +38,10 @@
crate_name: "vm_payload_bindgen",
source_stem: "bindings",
apex_available: ["com.android.compos"],
- visibility: ["//packages/modules/Virtualization/compos"],
+ visibility: [
+ "//packages/modules/Virtualization/compos",
+ "//packages/modules/Virtualization/service_vm/client_apk",
+ ],
shared_libs: [
"libvm_payload#current",
],
diff --git a/vm_payload/include-restricted/vm_payload_restricted.h b/vm_payload/include-restricted/vm_payload_restricted.h
index 7f17cde..1e0c3cc 100644
--- a/vm_payload/include-restricted/vm_payload_restricted.h
+++ b/vm_payload/include-restricted/vm_payload_restricted.h
@@ -22,6 +22,10 @@
#include "vm_payload.h"
+#if !defined(__INTRODUCED_IN)
+#define __INTRODUCED_IN(__api_level) /* nothing */
+#endif
+
// The functions declared here are restricted to VMs created with a config file;
// they will fail if called in other VMs. The ability to create such VMs
// requires the android.permission.USE_CUSTOM_VIRTUAL_MACHINE permission, and is
@@ -51,4 +55,18 @@
*/
size_t AVmPayload_getDiceAttestationCdi(void* _Nullable data, size_t size);
+/**
+ * Requests a certificate using the provided certificate signing request (CSR).
+ *
+ * \param csr A pointer to the CSR buffer.
+ * \param csr_size The size of the CSR buffer.
+ * \param buffer A pointer to the certificate buffer.
+ * \param size number of bytes that can be written to the certificate buffer.
+ *
+ * \return the total size of the certificate
+ */
+size_t AVmPayload_requestCertificate(const void* _Nonnull csr, size_t csr_size,
+ void* _Nullable buffer, size_t size)
+ __INTRODUCED_IN(__ANDROID_API_V__);
+
__END_DECLS
diff --git a/vm_payload/libvm_payload.map.txt b/vm_payload/libvm_payload.map.txt
index a2402d1..f0d867e 100644
--- a/vm_payload/libvm_payload.map.txt
+++ b/vm_payload/libvm_payload.map.txt
@@ -7,6 +7,7 @@
AVmPayload_getDiceAttestationCdi; # systemapi
AVmPayload_getApkContentsPath; # systemapi
AVmPayload_getEncryptedStoragePath; # systemapi
+ AVmPayload_requestCertificate; # systemapi introduced=35
local:
*;
};
diff --git a/vm_payload/src/api.rs b/vm_payload/src/api.rs
index 87e29a6..00d7299 100644
--- a/vm_payload/src/api.rs
+++ b/vm_payload/src/api.rs
@@ -253,6 +253,52 @@
get_vm_payload_service()?.getDiceAttestationCdi().context("Cannot get attestation CDI")
}
+/// Requests a certificate using the provided certificate signing request (CSR).
+/// Panics on failure.
+///
+/// # Safety
+///
+/// Behavior is undefined if any of the following conditions are violated:
+///
+/// * `csr` must be [valid] for reads of `csr_size` bytes.
+/// * `buffer` must be [valid] for writes of `size` bytes. `buffer` can be null if `size` is 0.
+///
+/// [valid]: ptr#safety
+#[no_mangle]
+pub unsafe extern "C" fn AVmPayload_requestCertificate(
+ csr: *const u8,
+ csr_size: usize,
+ buffer: *mut u8,
+ size: usize,
+) -> usize {
+ initialize_logging();
+
+ // SAFETY: See the requirements on `csr` above.
+ let csr = unsafe { std::slice::from_raw_parts(csr, csr_size) };
+ let certificate = unwrap_or_abort(try_request_certificate(csr));
+
+ if size != 0 || buffer.is_null() {
+ // SAFETY: See the requirements on `buffer` above. The number of bytes copied doesn't exceed
+ // the length of either buffer, and `certificate` cannot overlap `buffer` because we just
+ // allocated it.
+ unsafe {
+ ptr::copy_nonoverlapping(
+ certificate.as_ptr(),
+ buffer,
+ std::cmp::min(certificate.len(), size),
+ );
+ }
+ }
+ certificate.len()
+}
+
+fn try_request_certificate(csr: &[u8]) -> Result<Vec<u8>> {
+ let certificate = get_vm_payload_service()?
+ .requestCertificate(csr)
+ .context("Failed to request certificate")?;
+ Ok(certificate)
+}
+
/// Gets the path to the APK contents.
#[no_mangle]
pub extern "C" fn AVmPayload_getApkContentsPath() -> *const c_char {
diff --git a/vm_payload/src/lib.rs b/vm_payload/src/lib.rs
index 5c3ee31..4d059d1 100644
--- a/vm_payload/src/lib.rs
+++ b/vm_payload/src/lib.rs
@@ -17,6 +17,7 @@
mod api;
pub use api::{
- AVmPayload_getDiceAttestationCdi, AVmPayload_getDiceAttestationChain,
- AVmPayload_getVmInstanceSecret, AVmPayload_notifyPayloadReady,
+ AVmPayload_getCertificate, AVmPayload_getDiceAttestationCdi,
+ AVmPayload_getDiceAttestationChain, AVmPayload_getVmInstanceSecret,
+ AVmPayload_notifyPayloadReady,
};
diff --git a/vmbase/example/src/pci.rs b/vmbase/example/src/pci.rs
index 117cbc8..41a3ff4 100644
--- a/vmbase/example/src/pci.rs
+++ b/vmbase/example/src/pci.rs
@@ -98,7 +98,7 @@
struct HalImpl;
-impl Hal for HalImpl {
+unsafe impl Hal for HalImpl {
fn dma_alloc(pages: usize, _direction: BufferDirection) -> (PhysAddr, NonNull<u8>) {
debug!("dma_alloc: pages={}", pages);
let layout = Layout::from_size_align(pages * PAGE_SIZE, PAGE_SIZE).unwrap();
@@ -110,7 +110,7 @@
(paddr, vaddr)
}
- fn dma_dealloc(paddr: PhysAddr, vaddr: NonNull<u8>, pages: usize) -> i32 {
+ unsafe fn dma_dealloc(paddr: PhysAddr, vaddr: NonNull<u8>, pages: usize) -> i32 {
debug!("dma_dealloc: paddr={:#x}, pages={}", paddr, pages);
let layout = Layout::from_size_align(pages * PAGE_SIZE, PAGE_SIZE).unwrap();
// Safe because the memory was allocated by `dma_alloc` above using the same allocator, and
@@ -121,17 +121,17 @@
0
}
- fn mmio_phys_to_virt(paddr: PhysAddr, _size: usize) -> NonNull<u8> {
+ unsafe fn mmio_phys_to_virt(paddr: PhysAddr, _size: usize) -> NonNull<u8> {
NonNull::new(paddr as _).unwrap()
}
- fn share(buffer: NonNull<[u8]>, _direction: BufferDirection) -> PhysAddr {
+ unsafe fn share(buffer: NonNull<[u8]>, _direction: BufferDirection) -> PhysAddr {
let vaddr = buffer.cast();
// Nothing to do, as the host already has access to all memory.
virt_to_phys(vaddr)
}
- fn unshare(_paddr: PhysAddr, _buffer: NonNull<[u8]>, _direction: BufferDirection) {
+ unsafe fn unshare(_paddr: PhysAddr, _buffer: NonNull<[u8]>, _direction: BufferDirection) {
// Nothing to do, as the host already has access to all memory and we didn't copy the buffer
// anywhere else.
}