Merge "Export tombstones by default for debuggable VMs"
diff --git a/TEST_MAPPING b/TEST_MAPPING
index ea3ab74..14452a3 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -34,9 +34,7 @@
},
{
"name": "ComposBenchmarkApp"
- }
- ],
- "avf-postsubmit-userdebug": [
+ },
{
"name": "AVFHostTestCases"
}
diff --git a/encryptedstore/src/main.rs b/encryptedstore/src/main.rs
index 2f54534..96c80db 100644
--- a/encryptedstore/src/main.rs
+++ b/encryptedstore/src/main.rs
@@ -46,6 +46,7 @@
let blkdevice = Path::new(matches.get_one::<String>("blkdevice").unwrap());
let key = matches.get_one::<String>("key").unwrap();
let mountpoint = Path::new(matches.get_one::<String>("mountpoint").unwrap());
+ // Note this error context is used in MicrodroidTests.
encryptedstore_init(blkdevice, key, mountpoint).context(format!(
"Unable to initialize encryptedstore on {:?} & mount at {:?}",
blkdevice, mountpoint
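Review bot: The added comment above the `encryptedstore_init(...).context(...)` call does not say which test or which substring depends on the message, so a later rewording can break the test without anyone knowing why. In this same merge, `encryptedStorageIsInaccessibleToDifferentVm` matches `"Unable to initialize encryptedstore"` in captured console output, so I would write `// MicrodroidTests#encryptedStorageIsInaccessibleToDifferentVm matches the "Unable to initialize encryptedstore" prefix in console output; keep it stable and never add the key to this context.` The last clause matters because the text evidently reaches the console of a debuggable VM, and today it formats only `blkdevice` and `mountpoint`. The enclosing function starts and ends outside the hunk.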
diff --git a/libs/dice/src/lib.rs b/libs/dice/src/lib.rs
index 58575eb..6870eeb 100644
--- a/libs/dice/src/lib.rs
+++ b/libs/dice/src/lib.rs
@@ -23,18 +23,4 @@
InputValues, Result, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE,
};
-use open_dice_cbor_bindgen::DiceHash;
-
pub mod bcc;
-
-fn ctx() -> *mut core::ffi::c_void {
- core::ptr::null_mut()
-}
-
-/// Hash the provided input using DICE's default hash function.
-pub fn hash(bytes: &[u8]) -> Result<Hash> {
- let mut output: Hash = [0; HASH_SIZE];
- // SAFETY - DiceHash takes a sized input buffer and writes to a constant-sized output buffer.
- check_result(unsafe { DiceHash(ctx(), bytes.as_ptr(), bytes.len(), output.as_mut_ptr()) })?;
- Ok(output)
-}
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index 4f6b4a7..777a42c 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -70,13 +70,15 @@
const EXTRA_APK_PATH_PATTERN: &str = "/dev/block/by-name/extra-apk-*";
const EXTRA_IDSIG_PATH_PATTERN: &str = "/dev/block/by-name/extra-idsig-*";
const DM_MOUNTED_APK_PATH: &str = "/dev/block/mapper/microdroid-apk";
-const APKDMVERITY_BIN: &str = "/system/bin/apkdmverity";
-const ZIPFUSE_BIN: &str = "/system/bin/zipfuse";
const AVF_STRICT_BOOT: &str = "/sys/firmware/devicetree/base/chosen/avf,strict-boot";
const AVF_NEW_INSTANCE: &str = "/sys/firmware/devicetree/base/chosen/avf,new-instance";
const DEBUG_MICRODROID_NO_VERIFIED_BOOT: &str =
"/sys/firmware/devicetree/base/virtualization/guest/debug-microdroid,no-verified-boot";
+const APKDMVERITY_BIN: &str = "/system/bin/apkdmverity";
+const ENCRYPTEDSTORE_BIN: &str = "/system/bin/encryptedstore";
+const ZIPFUSE_BIN: &str = "/system/bin/zipfuse";
+
const APEX_CONFIG_DONE_PROP: &str = "apex_config.done";
const TOMBSTONE_TRANSMIT_DONE_PROP: &str = "tombstone_transmit.init_done";
const DEBUGGABLE_PROP: &str = "ro.boot.microdroid.debuggable";
@@ -84,9 +86,7 @@
// SYNC WITH virtualizationservice/src/crosvm.rs
const FAILURE_SERIAL_DEVICE: &str = "/dev/ttyS1";
-/// Identifier for the key used for encrypted store.
const ENCRYPTEDSTORE_BACKING_DEVICE: &str = "/dev/block/by-name/encryptedstore";
-const ENCRYPTEDSTORE_BIN: &str = "/system/bin/encryptedstore";
const ENCRYPTEDSTORE_KEY_IDENTIFIER: &str = "encryptedstore_key";
const ENCRYPTEDSTORE_KEYSIZE: u32 = 32;
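Review bot: The doc comment `/// Identifier for the key used for encrypted store.` is deleted here rather than moved. It sat on `ENCRYPTEDSTORE_BACKING_DEVICE`, but its text describes `ENCRYPTEDSTORE_KEY_IDENTIFIER`. I would re-attach it directly above `const ENCRYPTEDSTORE_KEY_IDENTIFIER` so the key-derivation label stays documented. `ENCRYPTEDSTORE_KEYSIZE: u32 = 32` would also benefit from a one-line comment stating its unit, which the hunk does not show.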
diff --git a/pvmfw/Android.bp b/pvmfw/Android.bp
index 21f84a5..0d6a9a4 100644
--- a/pvmfw/Android.bp
+++ b/pvmfw/Android.bp
@@ -14,7 +14,8 @@
rustlibs: [
"libaarch64_paging",
"libbuddy_system_allocator",
- "libdice_nostd",
+ "libdice_nostd", // TODO(b/267575445): Remove this library once the migration is done.
+ "libdiced_open_dice_nostd",
"libfdtpci",
"liblibfdt",
"liblog_rust_nostd",
diff --git a/pvmfw/src/dice.rs b/pvmfw/src/dice.rs
index c5241c4..f6a1f3d 100644
--- a/pvmfw/src/dice.rs
+++ b/pvmfw/src/dice.rs
@@ -17,12 +17,10 @@
use core::ffi::CStr;
use core::mem::size_of;
use dice::bcc::Handover;
-use dice::bcc_format_config_descriptor;
-use dice::hash;
use dice::Config;
use dice::DiceMode;
use dice::InputValues;
-use dice::HIDDEN_SIZE;
+use diced_open_dice::{bcc_format_config_descriptor, hash, HIDDEN_SIZE};
use pvmfw_avb::{DebugLevel, Digest, VerifiedBootData};
fn to_dice_mode(debug_level: DebugLevel) -> DiceMode {
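Review bot: After this change the import list draws `hash`, `bcc_format_config_descriptor` and `HIDDEN_SIZE` from `diced_open_dice` while `Handover`, `Config`, `DiceMode` and `InputValues` still come from `dice`, and nothing in this file says the split is temporary. The only explanation is the TODO in `pvmfw/Android.bp`, which a reader of `dice.rs` will not see. I would add `// TODO(b/267575445): Import the remaining DICE items from diced_open_dice once the migration is done.` above the `use dice::...` lines. `to_dice_mode` continues outside the hunk.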
diff --git a/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java b/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
index 419b250..9ec36b3 100644
--- a/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
+++ b/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
@@ -172,7 +172,7 @@
String name,
StringBuilder result,
boolean monitorEvents) {
- mProcessedBootTimeMetrics = monitorEvents;
+ mProcessedBootTimeMetrics |= monitorEvents;
new Thread(
() -> {
try {
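Review bot: With `mProcessedBootTimeMetrics |= monitorEvents;` the flag becomes sticky: once any call on this listener passes `monitorEvents = true`, a later call with `false` leaves it set, and nothing visible in the hunk resets it. If reuse of one listener across runs is the reason for the change, say so at the assignment, for example `// Sticky: stays true once any run on this listener monitored events.` Otherwise a caller that checks the flag after a non-monitored run could read metrics left over from an earlier run. The enclosing method starts and ends outside the hunk.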
@@ -354,10 +354,6 @@
return getPayloadStartedNanoTime() - getInitStartedNanoTime();
}
- public boolean hasProcessedBootTimeMetrics() {
- return processedBootTimeMetrics;
- }
-
public OptionalLong getBootTimeMetricNanoTime(BootTimeMetric metric) {
if (metric == BootTimeMetric.TOTAL) {
return OptionalLong.of(endToEndNanoTime);
diff --git a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
index 9cafd68..984b10b 100644
--- a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
+++ b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
@@ -1303,6 +1303,65 @@
@Test
@CddTest(requirements = {"9.17/C-1-1", "9.17/C-2-1"})
+ public void encryptedStorageIsInaccessibleToDifferentVm() throws Exception {
+ assumeSupportedKernel();
+
+ VirtualMachineConfig config =
+ newVmConfigBuilder()
+ .setPayloadBinaryName("MicrodroidTestNativeLib.so")
+ .setMemoryBytes(minMemoryRequired())
+ .setEncryptedStorageBytes(4_000_000)
+ .setDebugLevel(DEBUG_LEVEL_FULL)
+ .setVmOutputCaptured(true)
+ .build();
+
+ VirtualMachine vm = forceCreateNewVirtualMachine("test_vm", config);
+
+ TestResults testResults =
+ runVmTestService(
+ vm,
+ (ts, tr) -> {
+ ts.writeToFile(
+ /* content= */ EXAMPLE_STRING,
+ /* path= */ "/mnt/encryptedstore/test_file");
+ });
+ assertThat(testResults.mException).isNull();
+
+ // Start a different vm (this changes the vm identity)
+ VirtualMachine diff_test_vm = forceCreateNewVirtualMachine("diff_test_vm", config);
+
+ // Replace the backing storage image to the original one
+ File storageImgOrig = getVmFile("test_vm", "storage.img");
+ File storageImgNew = getVmFile("diff_test_vm", "storage.img");
+ Files.copy(storageImgOrig.toPath(), storageImgNew.toPath(), REPLACE_EXISTING);
+ assertFileContentsAreEqualInTwoVms("storage.img", "test_vm", "diff_test_vm");
+
+ CompletableFuture<Boolean> onPayloadReadyExecuted = new CompletableFuture<>();
+ CompletableFuture<Boolean> onStoppedExecuted = new CompletableFuture<>();
+ VmEventListener listener =
+ new VmEventListener() {
+ @Override
+ public void onPayloadReady(VirtualMachine vm) {
+ onPayloadReadyExecuted.complete(true);
+ super.onPayloadReady(vm);
+ }
+
+ @Override
+ public void onStopped(VirtualMachine vm, int reason) {
+ onStoppedExecuted.complete(true);
+ super.onStopped(vm, reason);
+ }
+ };
+ listener.runToFinish(TAG, diff_test_vm);
+
+ // Assert that payload never started & logs contains encryptedstore initialization error
+ assertThat(onStoppedExecuted.getNow(false)).isTrue();
+ assertThat(onPayloadReadyExecuted.getNow(false)).isFalse();
+ assertThat(listener.getConsoleOutput()).contains("Unable to initialize encryptedstore");
+ }
+
+ @Test
+ @CddTest(requirements = {"9.17/C-1-1", "9.17/C-2-1"})
public void microdroidLauncherHasEmptyCapabilities() throws Exception {
assumeSupportedKernel();
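Review bot: The final assertions in `encryptedStorageIsInaccessibleToDifferentVm` accept any encryptedstore start-up failure, not specifically a key mismatch. `"Unable to initialize encryptedstore"` is the outer context wrapped around every error from `encryptedstore_init`, and the `reason` passed to `onStopped` is discarded. A missing block device or an unrelated mount failure in `diff_test_vm` would therefore pass the test while proving nothing about cross-VM isolation. I would record the stop reason (`CompletableFuture<Integer> stopReason`, completed with `stopReason.complete(reason);`) and assert on it, and also match the inner error if the console prints it. It is also not visible here whether `test_vm` has fully stopped before `Files.copy` reads its `storage.img`; if `runVmTestService` does not guarantee that, the copy can race with a final flush.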
diff --git a/vmbase/example/Android.bp b/vmbase/example/Android.bp
index 94eb21a..26be51b 100644
--- a/vmbase/example/Android.bp
+++ b/vmbase/example/Android.bp
@@ -11,7 +11,7 @@
rustlibs: [
"libaarch64_paging",
"libbuddy_system_allocator",
- "libdice_nostd",
+ "libdiced_open_dice_nostd",
"libfdtpci",
"liblibfdt",
"liblog_rust_nostd",
diff --git a/vmbase/example/src/main.rs b/vmbase/example/src/main.rs
index ec28a11..3b0e9db 100644
--- a/vmbase/example/src/main.rs
+++ b/vmbase/example/src/main.rs
@@ -225,7 +225,7 @@
fn check_dice() {
info!("Testing DICE integration...");
- let hash = dice::hash("hello world".as_bytes()).expect("DiceHash failed");
+ let hash = diced_open_dice::hash("hello world".as_bytes()).expect("DiceHash failed");
assert_eq!(
hash,
[