Merge "Revert "Add libinherited_fd crate"" into main
diff --git a/docs/img/rkpvm-dice-chain.png b/docs/img/rkpvm-dice-chain.png
new file mode 100644
index 0000000..6847f7f
--- /dev/null
+++ b/docs/img/rkpvm-dice-chain.png
Binary files differ
diff --git a/docs/vm_remote_attestation.md b/docs/vm_remote_attestation.md
index 79f44b9..ee20591 100644
--- a/docs/vm_remote_attestation.md
+++ b/docs/vm_remote_attestation.md
@@ -46,17 +46,17 @@
 spec.
 
 [open-dice]: https://android.googlesource.com/platform/external/open-dice/+/main/docs/android.md
-[rkpvm-marker]: https://android.googlesource.com/platform/external/open-dice/+/main/docs/android.md#Configuration-descriptor
-[rkp-hal]: https://android.googlesource.com/platform/hardware/interfaces/+/main/security/rkp/README.md
 
 ### pVM attestation
 
 Once the RKP VM is successfully attested, it acts as a trusted platform to
 attest pVMs. Leveraging its trusted status, the RKP VM validates the integrity
-of each pVM's DICE chain by comparing it against its own DICE chain. This
-validation process ensures that the pVMs are running in the expected VM
-environment and certifies the payload executed within each pVM. Currently, only
-Microdroid VMs are supported.
+of each [pVM DICE chain][pvm-dice-chain] by comparing it against its own DICE
+chain. This validation process ensures that the pVMs are running in the expected
+VM environment and certifies the payload executed within each pVM. Currently,
+only Microdroid VMs are supported.
+
+[pvm-dice-chain]: ./pvm_dice_chain.md
 
 ## API
 
@@ -113,13 +113,37 @@
 
 ## To Support It
 
-VM remote attestation is a strongly recommended feature from Android V. To support
-it, you only need to provide a valid VM DICE chain satisfying the following
-requirements:
+VM remote attestation is a strongly recommended feature from Android V. To
+support it, you only need to provide a valid VM DICE chain satisfying the
+following requirements:
 
-- The DICE chain must have a UDS-rooted public key registered at the RKP factory.
-- The DICE chain should have RKP VM markers that help identify RKP VM as required
-  by the [remote provisioning HAL][rkp-hal-markers].
+- The DICE chain must have a UDS-rooted public key registered at the RKP
+  factory.
+- The DICE chain must use [RKP VM markers][rkpvm-marker] to help identify the
+  RKP VM as required by the [remote provisioning HAL][rkp-hal].
+
+### RKP VM marker
+
+To support VM remote attestation, vendors must include an RKP VM marker in their
+DICE certificates. This marker should be present from the early boot stage
+within the TEE and continue through to the last DICE certificate before
+[pvmfw][pvmfw] takes over.
+
+![RKP VM DICE chain][rkpvm-dice-chain]
+
+Pvmfw will add an RKP VM marker when it's launching an RKP VM. The __continuous
+presence__ of this marker throughout the chain allows the RKP server to clearly
+identify legitimate RKP VM DICE chains.
+
+This mechanism also serves as a security measure. If an attacker tries to launch
+a malicious guest OS or payload, their DICE chain will be rejected by the RKP
+server because it will lack the RKP VM marker that pvmfw would have added in a
+genuine RKP VM boot process.
+
+[pvmfw]: ../guest/pvmfw/README.md
+[rkpvm-dice-chain]: img/rkpvm-dice-chain.png
+
+## To Disable It
 
 The feature is enabled by default. To disable it, you have two options:
 
@@ -133,4 +157,5 @@
 If you don't set any of these variables, VM remote attestation will be enabled
 by default.
 
-[rkp-hal-markers]: https://android.googlesource.com/platform/hardware/interfaces/+/main/security/rkp/README.md#hal
+[rkpvm-marker]: https://pigweed.googlesource.com/open-dice/+/HEAD/docs/android.md#configuration-descriptor
+[rkp-hal]: https://android.googlesource.com/platform/hardware/interfaces/+/main/security/rkp/README.md#hal
diff --git a/guest/microdroid_manager/src/main.rs b/guest/microdroid_manager/src/main.rs
index 7352a2c..8186e9d 100644
--- a/guest/microdroid_manager/src/main.rs
+++ b/guest/microdroid_manager/src/main.rs
@@ -654,7 +654,7 @@
     if requested {
         let status = Command::new("/system/bin/kexec_load").status()?;
         if !status.success() {
-            return Err(anyhow!("Failed to load crashkernel: {:?}", status));
+            return Err(anyhow!("Failed to load crashkernel: {status}"));
         }
         info!("ramdump is loaded: debuggable={debuggable}, ramdump={ramdump}");
     }
diff --git a/tests/hostside/helper/java/com/android/microdroid/test/host/KvmHypTracer.java b/tests/hostside/helper/java/com/android/microdroid/test/host/KvmHypTracer.java
index 3814cdd..8604553 100644
--- a/tests/hostside/helper/java/com/android/microdroid/test/host/KvmHypTracer.java
+++ b/tests/hostside/helper/java/com/android/microdroid/test/host/KvmHypTracer.java
@@ -78,9 +78,9 @@
 /** This class provides utilities to interact with the hyp tracing subsystem */
 public final class KvmHypTracer {
 
-    private static final String HYP_TRACING_ROOT = "/sys/kernel/tracing/hyp/";
     private static final int DEFAULT_BUF_SIZE_KB = 4 * 1024;
 
+    private final String mHypTracingRoot;
     private final CommandRunner mRunner;
     private final ITestDevice mDevice;
     private final int mNrCpus;
@@ -88,17 +88,41 @@
 
     private final ArrayList<File> mTraces;
 
-    private void setNode(String node, int val) throws Exception {
-        mRunner.run("echo " + val + " > " + HYP_TRACING_ROOT + node);
+    private static String getHypTracingRoot(ITestDevice device) throws Exception {
+        String legacy = "/sys/kernel/tracing/hyp/";
+        String path = "/sys/kernel/tracing/hypervisor/";
+
+        if (device.doesFileExist(path)) {
+            return path;
+        }
+
+        if (device.doesFileExist(legacy)) {
+            return legacy;
+        }
+
+        throw new Exception("Hypervisor tracing not found");
     }
 
-    private static String eventDir(String event) {
-        return "events/hyp/" + event + "/";
+    private static String getHypEventsDir(String root) {
+        if (root.endsWith("/hypervisor/"))
+            return "events/hypervisor/";
+
+        return "events/hyp/";
     }
 
     public static boolean isSupported(ITestDevice device, String[] events) throws Exception {
-        for (String event : events) {
-            if (!device.doesFileExist(HYP_TRACING_ROOT + eventDir(event) + "/enable")) return false;
+        String dir;
+
+        try {
+            dir = getHypTracingRoot(device);
+            dir += getHypEventsDir(dir);
+        } catch (Exception e) {
+            return false;
+        }
+
+        for (String event: events) {
+            if (!device.doesFileExist(dir + event + "/enable"))
+                return false;
         }
         return true;
     }
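Review bot: The `catch (Exception e) { return false; }` in `isSupported` also swallows any failure raised by `device.doesFileExist()` itself, so a device that drops off during the probe is reported as "hyp tracing unsupported" and callers are likely to skip rather than fail. Giving the not-found case its own type keeps the two apart: `throw new IllegalStateException("Hypervisor tracing not found");` in `getHypTracingRoot` and `} catch (IllegalStateException e) {` in `isSupported`. The two brace-less `if` bodies (in `getHypEventsDir` and in the event loop) also depart from the braced style used in `getHypTracingRoot` just above them.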
@@ -108,6 +132,7 @@
                 .that(isSupported(device, events))
                 .isTrue();
 
+        mHypTracingRoot = getHypTracingRoot(device);
         mDevice = device;
         mRunner = new CommandRunner(mDevice);
         mTraces = new ArrayList<File>();
@@ -115,17 +140,25 @@
         mHypEvents = events;
     }
 
+    private void setNode(String node, int val) throws Exception {
+        mRunner.run("echo " + val + " > " + mHypTracingRoot + node);
+    }
+
     public String run(String payload_cmd) throws Exception {
         mTraces.clear();
 
         setNode("tracing_on", 0);
-        mRunner.run("echo 0 | tee " + HYP_TRACING_ROOT + "events/*/*/enable");
+        mRunner.run("echo 0 | tee " + mHypTracingRoot + "events/*/*/enable");
         setNode("buffer_size_kb", DEFAULT_BUF_SIZE_KB);
-        for (String event : mHypEvents) setNode(eventDir(event) + "/enable", 1);
+
+        for (String event: mHypEvents) {
+            setNode(getHypEventsDir(mHypTracingRoot) + event + "/enable", 1);
+        }
+
         setNode("trace", 0);
 
         /* Cat each per-cpu trace_pipe in its own tmp file in the background */
-        String cmd = "cd " + HYP_TRACING_ROOT + ";";
+        String cmd = "cd " + mHypTracingRoot + ";";
         String trace_pipes[] = new String[mNrCpus];
         for (int i = 0; i < mNrCpus; i++) {
             trace_pipes[i] = mRunner.run("mktemp -t trace_pipe.cpu" + i + ".XXXXXXXXXX");
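Review bot: Event names from `mHypEvents` are concatenated unquoted into the command string that `setNode` hands to `mRunner.run` (`"echo " + val + " > " + mHypTracingRoot + node`), and the redirect suggests that string is interpreted by a shell on the device. The names come from test code today, but a check at the top of the loop such as `if (!event.matches("[A-Za-z0-9_]+")) throw new IllegalArgumentException("Invalid hyp event: " + event);` would keep a stray space, `;` or `../` from changing which node gets written. `getHypEventsDir(mHypTracingRoot)` is also loop-invariant and can be computed once before the `for`. `run` continues past the end of this hunk, so the handling of the per-CPU trace pipes is not visible here.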