Remove salt from MM's instance.img partition It was deprecated in Android 15 with llpvm_changes & replaced with instance-id based differentiation of secrets for Nonprotected VM. It was only around to support cases when llpvm_changes was not set. Now that we no longer need/depend on this flag, remove it from Microdroid Manager. Test: Builds Bug: 383553863 Change-Id: I2f8b966518b3b4b47718d18c2881eadea23c375e

commit: ad0e535c46fb270f9789d1297e243be8a3e6645b [log] [tgz]
author: Shikha Panwar <shikhapanwar@google.com> Wed Dec 11 17:36:43 2024 +0000
committer: Shikha Panwar <shikhapanwar@google.com> Thu Dec 12 09:00:20 2024 -0800
tree: 89c9d28ab6c7cbb1d20a3367e9c7b01ce9494440
parent: dc5f3113ce1d14c18d9c1851e498862e71a59c8b [diff]
diff --git a/guest/microdroid_manager/src/dice.rs b/guest/microdroid_manager/src/dice.rs
index 7cfeb21..edc4d63 100644
--- a/guest/microdroid_manager/src/dice.rs
+++ b/guest/microdroid_manager/src/dice.rs

@@ -53,11 +53,7 @@
     let debuggable = is_debuggable()?;
 
     // Send the details to diced
-    let hidden = if cfg!(llpvm_changes) {
-        hidden_input_from_instance_id()?
-    } else {
-        instance_data.salt.clone().try_into().unwrap()
-    };
+    let hidden = hidden_input_from_instance_id()?;
     dice.derive(code_hash, &config_descriptor, authority_hash, debuggable, hidden)
 }
 

diff --git a/guest/microdroid_manager/src/instance.rs b/guest/microdroid_manager/src/instance.rs
index 2d39cd8..d3a597a 100644
--- a/guest/microdroid_manager/src/instance.rs
+++ b/guest/microdroid_manager/src/instance.rs

@@ -273,9 +273,6 @@
 
 #[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
 pub struct MicrodroidData {
-    // `salt` is obsolete, it was used as a differentiator for non-protected VM instances running
-    // same payload. Instance-id (present in DT) is used for that now.
-    pub salt: Vec<u8>, // Should be [u8; 64] but that isn't serializable.
     pub apk_data: ApkData,
     pub extra_apks_data: Vec<ApkData>,
     pub apex_data: Vec<ApexData>,

diff --git a/guest/microdroid_manager/src/verify.rs b/guest/microdroid_manager/src/verify.rs
index 90671a6..e5d26fc 100644
--- a/guest/microdroid_manager/src/verify.rs
+++ b/guest/microdroid_manager/src/verify.rs

@@ -14,7 +14,7 @@
 
 use crate::instance::{ApexData, ApkData, MicrodroidData};
 use crate::payload::{get_apex_data_from_payload, to_metadata};
-use crate::{is_strict_boot, MicrodroidError};
+use crate::MicrodroidError;
 use anyhow::{anyhow, ensure, Context, Result};
 use apkmanifest::get_manifest_info;
 use apkverify::{extract_signed_data, verify, V4Signature};
@@ -23,7 +23,6 @@
 use log::{info, warn};
 use microdroid_metadata::{write_metadata, Metadata};
 use openssl::sha::sha512;
-use rand::Fill;
 use rustutils::system_properties;
 use std::fs::OpenOptions;
 use std::path::Path;
@@ -168,21 +167,7 @@
     // verified is consistent with the root hash) or because we have the saved APK data which will
     // be checked as identical to the data we have verified.
 
-    let salt = if cfg!(llpvm_changes) || is_strict_boot() {
-        // Salt is obsolete with llpvm_changes.
-        vec![0u8; 64]
-    } else if let Some(saved_data) = saved_data {
-        // Use the salt from a verified instance.
-        saved_data.salt.clone()
-    } else {
-        // Generate a salt for a new instance.
-        let mut salt = vec![0u8; 64];
-        salt.as_mut_slice().try_fill(&mut rand::thread_rng())?;
-        salt
-    };
-
     Ok(MicrodroidData {
-        salt,
         apk_data: main_apk_data,
         extra_apks_data,
         apex_data: apex_data_from_payload,
commit	ad0e535c46fb270f9789d1297e243be8a3e6645b	[log] [tgz]
author	Shikha Panwar <shikhapanwar@google.com>	Wed Dec 11 17:36:43 2024 +0000
committer	Shikha Panwar <shikhapanwar@google.com>	Thu Dec 12 09:00:20 2024 -0800
tree	89c9d28ab6c7cbb1d20a3367e9c7b01ce9494440
parent	dc5f3113ce1d14c18d9c1851e498862e71a59c8b [diff]