pvmfw: Clear cache lines in DiceClearMemory
Instead of using the default implementation, which simply overwrites its
secret input with zeroes, re-implement the function to ensure that the
relevant cache lines are flushed. This prevents a malicious guest from
potentially gaining access to the intact secrets in memory by disabling the
cache while it still holds the unflushed zeroes.
Bug: 256827715
Test: atest MicrodroidHostTests
Change-Id: Ice9ac47ceaf78f9a1aad111db49426387f2b3735
diff --git a/pvmfw/src/dice.rs b/pvmfw/src/dice.rs
index f6a1f3d..e354666 100644
--- a/pvmfw/src/dice.rs
+++ b/pvmfw/src/dice.rs
@@ -14,8 +14,11 @@
//! Support for DICE derivation and BCC generation.
+use crate::helpers::flushed_zeroize;
+use core::ffi::c_void;
use core::ffi::CStr;
use core::mem::size_of;
+use core::slice;
use dice::bcc::Handover;
use dice::Config;
use dice::DiceMode;
@@ -69,3 +72,16 @@
bcc.main_flow(&input_values, next_bcc)
}
+
+/// Flushes data caches over the provided address range.
+///
+/// # Safety
+///
+/// The provided address and size must be to a valid address range (typically on the stack, .bss,
+/// .data, or provided BCC).
+#[no_mangle]
+unsafe extern "C" fn DiceClearMemory(_ctx: *mut c_void, size: usize, addr: *mut c_void) {
+ // SAFETY - We must trust that the slice will be valid arrays/variables on the C code stack.
+ let region = unsafe { slice::from_raw_parts_mut(addr as *mut u8, size) };
+ flushed_zeroize(region)
+}
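Review bot: The doc comment on DiceClearMemory describes only the flush, but the body zeroes the range as well via flushed_zeroize, so a reader auditing the secret-clearing path gets an incomplete contract; I would change the first line to `/// Zeroes the provided address range and flushes the data cache lines covering it.` and add a sentence noting that `_ctx` is unused. The SAFETY comment defers entirely to the caller, yet `slice::from_raw_parts_mut` requires a non-null, properly-aligned pointer even for `size == 0`, so a defensive early return `if addr.is_null() || size == 0 { return; }` before the slice construction would keep the function sound if the C side ever passes an empty or null buffer (I cannot see the C callers here, so whether that happens is inferred). Minor style: `addr.cast::<u8>()` is the idiomatic form of `addr as *mut u8`.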