Merge changes from topic "avf-b-support" into main
* changes:
pvmfw: fix device_info_assigned_info_without_iommus test
pvmfw: Handle absence of vcpu-stall-detector to avoid boot failure
libhypervisor_backends: gunyah: Implement device assigner
pvmfw: Do not return error when interrupts property is not present
pvmfw: Do iommus validation for pkvm-pviommu only
diff --git a/android/TerminalApp/java/com/android/virtualization/terminal/MainActivity.kt b/android/TerminalApp/java/com/android/virtualization/terminal/MainActivity.kt
index 33522c0..542265a 100644
--- a/android/TerminalApp/java/com/android/virtualization/terminal/MainActivity.kt
+++ b/android/TerminalApp/java/com/android/virtualization/terminal/MainActivity.kt
@@ -24,6 +24,7 @@
import android.content.res.Configuration
import android.graphics.drawable.Icon
import android.graphics.fonts.FontStyle
+import android.media.MediaScannerConnection
import android.net.Uri
import android.os.Build
import android.os.Bundle
@@ -78,6 +79,7 @@
private lateinit var terminalTabAdapter: TerminalTabAdapter
private val terminalInfo = CompletableFuture<TerminalInfo>()
private val terminalViewModel: TerminalViewModel by viewModels()
+ private var isVmRunning = false
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
@@ -234,6 +236,16 @@
activityResultLauncher.launch(intent)
}
+ override fun onPause() {
+ super.onPause()
+ MediaScannerConnection.scanFile(
+ this,
+ arrayOf("/storage/emulated/${userId}/Download"),
+ null /* mimeTypes */,
+ null, /* callback */
+ )
+ }
+
private fun getTerminalServiceUrl(ipAddress: String?, port: Int): URL? {
val config = resources.configuration
// TODO: Always enable screenReaderMode (b/395845063)
@@ -269,13 +281,16 @@
executorService.shutdown()
getSystemService<AccessibilityManager>(AccessibilityManager::class.java)
.removeAccessibilityStateChangeListener(this)
- val intent = VmLauncherService.getIntentForShutdown(this, this)
- startService(intent)
+ if (isVmRunning) {
+ val intent = VmLauncherService.getIntentForShutdown(this, this)
+ startService(intent)
+ }
super.onDestroy()
}
override fun onVmStart() {
Log.i(TAG, "onVmStart()")
+ isVmRunning = true
}
override fun onTerminalAvailable(info: TerminalInfo) {
@@ -284,11 +299,13 @@
override fun onVmStop() {
Log.i(TAG, "onVmStop()")
+ isVmRunning = false
finish()
}
override fun onVmError() {
Log.i(TAG, "onVmError()")
+ isVmRunning = false
// TODO: error cause is too simple.
ErrorActivity.start(this, Exception("onVmError"))
}
diff --git a/android/TerminalApp/java/com/android/virtualization/terminal/SettingsDiskResizeActivity.kt b/android/TerminalApp/java/com/android/virtualization/terminal/SettingsDiskResizeActivity.kt
index da07b19..00baeef 100644
--- a/android/TerminalApp/java/com/android/virtualization/terminal/SettingsDiskResizeActivity.kt
+++ b/android/TerminalApp/java/com/android/virtualization/terminal/SettingsDiskResizeActivity.kt
@@ -15,13 +15,15 @@
*/
package com.android.virtualization.terminal
+import android.content.Context
import android.content.Intent
import android.icu.text.MeasureFormat
import android.icu.text.NumberFormat
import android.icu.util.Measure
import android.icu.util.MeasureUnit
import android.os.Bundle
-import android.os.Environment
+import android.os.storage.StorageManager
+import android.os.storage.StorageManager.UUID_DEFAULT
import android.text.SpannableString
import android.text.Spanned
import android.text.TextUtils
@@ -39,7 +41,7 @@
class SettingsDiskResizeActivity : AppCompatActivity() {
private val numberPattern: Pattern = Pattern.compile("[\\d]*[\\٫.,]?[\\d]+")
- private val defaultMaxDiskSizeMb: Long = 16 shl 10
+ private val defaultHostReserveSizeMb: Long = 5 shl 10
private var diskSizeStepMb: Long = 0
private var diskSizeMb: Long = 0
@@ -59,10 +61,10 @@
}
private fun getAvailableSizeMb(): Long {
- val usableSpaceMb =
- bytesToMb(Environment.getDataDirectory().getUsableSpace()) and
- (diskSizeStepMb - 1).inv()
- return diskSizeMb + usableSpaceMb
+ var storageManager =
+ applicationContext.getSystemService(Context.STORAGE_SERVICE) as StorageManager
+ val hostAllocatableMb = bytesToMb(storageManager.getAllocatableBytes(UUID_DEFAULT))
+ return diskSizeMb + hostAllocatableMb
}
private fun mbToProgress(bytes: Long): Int {
@@ -82,7 +84,10 @@
val image = InstalledImage.getDefault(this)
diskSizeMb = bytesToMb(image.getApparentSize())
val minDiskSizeMb = bytesToMb(image.getSmallestSizePossible()).coerceAtMost(diskSizeMb)
- val maxDiskSizeMb = defaultMaxDiskSizeMb.coerceAtMost(getAvailableSizeMb())
+ var maxDiskSizeMb = getAvailableSizeMb()
+ if (maxDiskSizeMb > defaultHostReserveSizeMb) {
+ maxDiskSizeMb -= defaultHostReserveSizeMb
+ }
diskSizeText = findViewById<TextView>(R.id.settings_disk_resize_resize_gb_assigned)!!
diskMaxSizeText = findViewById<TextView>(R.id.settings_disk_resize_resize_gb_max)
diff --git a/android/TerminalApp/java/com/android/virtualization/terminal/TerminalTabFragment.kt b/android/TerminalApp/java/com/android/virtualization/terminal/TerminalTabFragment.kt
index 72dea5c..8106f6e 100644
--- a/android/TerminalApp/java/com/android/virtualization/terminal/TerminalTabFragment.kt
+++ b/android/TerminalApp/java/com/android/virtualization/terminal/TerminalTabFragment.kt
@@ -216,7 +216,7 @@
}
private fun updateMainActivity() {
- val mainActivity = (activity as MainActivity)
+ val mainActivity = activity as MainActivity ?: return
if (terminalGuiSupport()) {
mainActivity.displayMenu!!.visibility = View.VISIBLE
mainActivity.displayMenu!!.isEnabled = true
diff --git a/android/TerminalApp/java/com/android/virtualization/terminal/VmLauncherService.kt b/android/TerminalApp/java/com/android/virtualization/terminal/VmLauncherService.kt
index 0b34a8d..f1ad561 100644
--- a/android/TerminalApp/java/com/android/virtualization/terminal/VmLauncherService.kt
+++ b/android/TerminalApp/java/com/android/virtualization/terminal/VmLauncherService.kt
@@ -465,7 +465,6 @@
private fun doShutdown(resultReceiver: ResultReceiver?) {
runner?.exitStatus?.thenAcceptAsync { success: Boolean ->
resultReceiver?.send(if (success) RESULT_STOP else RESULT_ERROR, null)
- stopSelf()
}
if (debianService != null && debianService!!.shutdownDebian()) {
// During shutdown, change the notification content to indicate that it's closing
@@ -494,7 +493,6 @@
} else {
// If there is no Debian service or it fails to shutdown, just stop the service.
runner?.vm?.stop()
- stopSelf()
}
}
diff --git a/build/apex/Android.bp b/build/apex/Android.bp
index f0eba7f..7496f4d 100644
--- a/build/apex/Android.bp
+++ b/build/apex/Android.bp
@@ -69,10 +69,7 @@
default: [],
}),
- canned_fs_config: select(release_flag("RELEASE_AVF_ENABLE_VIRT_CPUFREQ"), {
- true: "canned_fs_config_sys_nice",
- default: "canned_fs_config",
- }),
+ canned_fs_config: "canned_fs_config",
}
vintf_fragment {
diff --git a/build/apex/canned_fs_config b/build/apex/canned_fs_config
index 5afd9d6..90c9747 100644
--- a/build/apex/canned_fs_config
+++ b/build/apex/canned_fs_config
@@ -1 +1,3 @@
/bin/virtualizationservice 0 2000 0755 capabilities=0x1000001 # CAP_CHOWN, CAP_SYS_RESOURCE
+/bin/crosvm 0 3013 0755 capabilities=0x800000 # CAP_SYS_NICE
+/bin/virtmgr 0 3013 0755 capabilities=0x800000 # CAP_SYS_NICE
diff --git a/build/apex/canned_fs_config_sys_nice b/build/apex/canned_fs_config_sys_nice
deleted file mode 100644
index 90c9747..0000000
--- a/build/apex/canned_fs_config_sys_nice
+++ /dev/null
@@ -1,3 +0,0 @@
-/bin/virtualizationservice 0 2000 0755 capabilities=0x1000001 # CAP_CHOWN, CAP_SYS_RESOURCE
-/bin/crosvm 0 3013 0755 capabilities=0x800000 # CAP_SYS_NICE
-/bin/virtmgr 0 3013 0755 capabilities=0x800000 # CAP_SYS_NICE
diff --git a/guest/pvmfw/src/arch/aarch64/payload.rs b/guest/pvmfw/src/arch/aarch64/payload.rs
index 9a7d864..77e9a31 100644
--- a/guest/pvmfw/src/arch/aarch64/payload.rs
+++ b/guest/pvmfw/src/arch/aarch64/payload.rs
@@ -23,13 +23,10 @@
/// Function boot payload after cleaning all secret from pvmfw memory
pub fn jump_to_payload(entrypoint: usize, slices: &MemorySlices) -> ! {
let fdt_address = slices.fdt.as_ptr() as usize;
- let dice_handover = slices
- .dice_handover
- .map(|slice| {
- let r = slice.as_ptr_range();
- (r.start as usize)..(r.end as usize)
- })
- .expect("Missing DICE handover");
+ let dice_handover = slices.dice_handover.map(|slice| {
+ let r = slice.as_ptr_range();
+ (r.start as usize)..(r.end as usize)
+ });
deactivate_dynamic_page_tables();
@@ -51,7 +48,9 @@
assert_eq!(scratch.end.0 % ASM_STP_ALIGN, 0, "scratch memory is misaligned.");
// A sub-region of the scratch memory might contain data for the next stage so skip zeroing it.
- let skipped = dice_handover;
+ // Alternatively, an empty region at the start of the scratch region is compatible with the ASM
+ // implementation and results in the whole scratch region being zeroed.
+ let skipped = dice_handover.unwrap_or(scratch.start.0..scratch.start.0);
assert!(skipped.is_within(&(scratch.start.0..scratch.end.0)));
assert_eq!(skipped.start % ASM_STP_ALIGN, 0, "Misaligned skipped region.");
diff --git a/guest/pvmfw/src/config.rs b/guest/pvmfw/src/config.rs
index 1f9eacf..a16da35 100644
--- a/guest/pvmfw/src/config.rs
+++ b/guest/pvmfw/src/config.rs
@@ -141,7 +141,7 @@
#[derive(Default)]
pub struct Entries<'a> {
- pub dice_handover: &'a mut [u8],
+ pub dice_handover: Option<&'a mut [u8]>,
pub debug_policy: Option<&'a [u8]>,
pub vm_dtbo: Option<&'a mut [u8]>,
pub vm_ref_dt: Option<&'a [u8]>,
@@ -295,9 +295,6 @@
}
let [dice_handover, debug_policy, vm_dtbo, vm_ref_dt] = entries;
- // The platform DICE handover has always been required.
- let dice_handover = dice_handover.unwrap();
-
// We have no reason to mutate so drop the `mut`.
let debug_policy = debug_policy.map(|x| &*x);
let vm_ref_dt = vm_ref_dt.map(|x| &*x);
diff --git a/guest/pvmfw/src/dice/mod.rs b/guest/pvmfw/src/dice/mod.rs
index 8317e48..dc7b64e 100644
--- a/guest/pvmfw/src/dice/mod.rs
+++ b/guest/pvmfw/src/dice/mod.rs
@@ -87,11 +87,12 @@
pub mode: DiceMode,
pub security_version: u64,
pub rkp_vm_marker: bool,
+ pub instance_hash: Option<Hash>,
component_name: String,
}
impl PartialInputs {
- pub fn new(data: &VerifiedBootData) -> Result<Self> {
+ pub fn new(data: &VerifiedBootData, instance_hash: Option<Hash>) -> Result<Self> {
let code_hash = to_dice_hash(data)?;
let auth_hash = hash(data.public_key)?;
let mode = to_dice_mode(data.debug_level);
@@ -101,20 +102,27 @@
let rkp_vm_marker = data.has_capability(Capability::RemoteAttest)
|| data.has_capability(Capability::TrustySecurityVm);
- Ok(Self { code_hash, auth_hash, mode, security_version, rkp_vm_marker, component_name })
+ Ok(Self {
+ code_hash,
+ auth_hash,
+ mode,
+ security_version,
+ rkp_vm_marker,
+ instance_hash,
+ component_name,
+ })
}
pub fn write_next_handover(
self,
current_handover: &[u8],
salt: &[u8; HIDDEN_SIZE],
- instance_hash: Option<Hash>,
deferred_rollback_protection: bool,
next_handover: &mut [u8],
context: DiceContext,
) -> Result<()> {
let config = self
- .generate_config_descriptor(instance_hash)
+ .generate_config_descriptor()
.map_err(|_| diced_open_dice::DiceError::InvalidInput)?;
let dice_inputs = InputValues::new(
@@ -160,14 +168,14 @@
)
}
- fn generate_config_descriptor(&self, instance_hash: Option<Hash>) -> Result<Vec<u8>> {
+ fn generate_config_descriptor(&self) -> Result<Vec<u8>> {
let mut config = Vec::with_capacity(4);
config.push((cbor!(COMPONENT_NAME_KEY)?, cbor!(self.component_name.as_str())?));
config.push((cbor!(SECURITY_VERSION_KEY)?, cbor!(self.security_version)?));
if self.rkp_vm_marker {
config.push((cbor!(RKP_VM_MARKER_KEY)?, Value::Null))
}
- if let Some(instance_hash) = instance_hash {
+ if let Some(instance_hash) = self.instance_hash {
config.push((cbor!(INSTANCE_HASH_KEY)?, Value::from(instance_hash.as_slice())));
}
let config = Value::Map(config);
@@ -217,7 +225,7 @@
#[test]
fn base_data_conversion() {
let vb_data = BASE_VB_DATA;
- let inputs = PartialInputs::new(&vb_data).unwrap();
+ let inputs = PartialInputs::new(&vb_data, None).unwrap();
assert_eq!(inputs.mode, DiceMode::kDiceModeNormal);
assert_eq!(inputs.security_version, 42);
@@ -229,7 +237,7 @@
#[test]
fn debuggable_conversion() {
let vb_data = VerifiedBootData { debug_level: DebugLevel::Full, ..BASE_VB_DATA };
- let inputs = PartialInputs::new(&vb_data).unwrap();
+ let inputs = PartialInputs::new(&vb_data, None).unwrap();
assert_eq!(inputs.mode, DiceMode::kDiceModeDebug);
}
@@ -238,7 +246,7 @@
fn rkp_vm_conversion() {
let vb_data =
VerifiedBootData { capabilities: vec![Capability::RemoteAttest], ..BASE_VB_DATA };
- let inputs = PartialInputs::new(&vb_data).unwrap();
+ let inputs = PartialInputs::new(&vb_data, None).unwrap();
assert!(inputs.rkp_vm_marker);
}
@@ -246,22 +254,23 @@
#[test]
fn base_config_descriptor() {
let vb_data = BASE_VB_DATA;
- let inputs = PartialInputs::new(&vb_data).unwrap();
- let config_map = decode_config_descriptor(&inputs, None);
+ let inputs = PartialInputs::new(&vb_data, None).unwrap();
+ let config_map = decode_config_descriptor(&inputs);
assert_eq!(config_map.get(&COMPONENT_NAME_KEY).unwrap().as_text().unwrap(), "vm_entry");
assert_eq!(config_map.get(&COMPONENT_VERSION_KEY), None);
assert_eq!(config_map.get(&RESETTABLE_KEY), None);
assert_eq!(config_map.get(&SECURITY_VERSION_KEY).unwrap().as_integer().unwrap(), 42.into());
assert_eq!(config_map.get(&RKP_VM_MARKER_KEY), None);
+ assert_eq!(config_map.get(&INSTANCE_HASH_KEY), None);
}
#[test]
fn rkp_vm_config_descriptor_has_rkp_vm_marker_and_component_name() {
let vb_data =
VerifiedBootData { capabilities: vec![Capability::RemoteAttest], ..BASE_VB_DATA };
- let inputs = PartialInputs::new(&vb_data).unwrap();
- let config_map = decode_config_descriptor(&inputs, Some(HASH));
+ let inputs = PartialInputs::new(&vb_data, Some(HASH)).unwrap();
+ let config_map = decode_config_descriptor(&inputs);
assert_eq!(config_map.get(&COMPONENT_NAME_KEY).unwrap().as_text().unwrap(), "vm_entry");
assert!(config_map.get(&RKP_VM_MARKER_KEY).unwrap().is_null());
@@ -271,8 +280,8 @@
fn security_vm_config_descriptor_has_rkp_vm_marker() {
let vb_data =
VerifiedBootData { capabilities: vec![Capability::TrustySecurityVm], ..BASE_VB_DATA };
- let inputs = PartialInputs::new(&vb_data).unwrap();
- let config_map = decode_config_descriptor(&inputs, Some(HASH));
+ let inputs = PartialInputs::new(&vb_data, Some(HASH)).unwrap();
+ let config_map = decode_config_descriptor(&inputs);
assert!(config_map.get(&RKP_VM_MARKER_KEY).unwrap().is_null());
}
@@ -281,8 +290,8 @@
fn config_descriptor_with_instance_hash() {
let vb_data =
VerifiedBootData { capabilities: vec![Capability::RemoteAttest], ..BASE_VB_DATA };
- let inputs = PartialInputs::new(&vb_data).unwrap();
- let config_map = decode_config_descriptor(&inputs, Some(HASH));
+ let inputs = PartialInputs::new(&vb_data, Some(HASH)).unwrap();
+ let config_map = decode_config_descriptor(&inputs);
assert_eq!(*config_map.get(&INSTANCE_HASH_KEY).unwrap(), Value::from(HASH.as_slice()));
}
@@ -290,16 +299,13 @@
fn config_descriptor_without_instance_hash() {
let vb_data =
VerifiedBootData { capabilities: vec![Capability::RemoteAttest], ..BASE_VB_DATA };
- let inputs = PartialInputs::new(&vb_data).unwrap();
- let config_map = decode_config_descriptor(&inputs, None);
+ let inputs = PartialInputs::new(&vb_data, None).unwrap();
+ let config_map = decode_config_descriptor(&inputs);
assert!(!config_map.contains_key(&INSTANCE_HASH_KEY));
}
- fn decode_config_descriptor(
- inputs: &PartialInputs,
- instance_hash: Option<Hash>,
- ) -> HashMap<i64, Value> {
- let config_descriptor = inputs.generate_config_descriptor(instance_hash).unwrap();
+ fn decode_config_descriptor(inputs: &PartialInputs) -> HashMap<i64, Value> {
+ let config_descriptor = inputs.generate_config_descriptor().unwrap();
let cbor_map =
cbor_util::deserialize::<Value>(&config_descriptor).unwrap().into_map().unwrap();
@@ -313,7 +319,7 @@
#[test]
fn changing_deferred_rpb_changes_secrets() {
let vb_data = VerifiedBootData { debug_level: DebugLevel::Full, ..BASE_VB_DATA };
- let inputs = PartialInputs::new(&vb_data).unwrap();
+ let inputs = PartialInputs::new(&vb_data, Some([0u8; 64])).unwrap();
let mut buffer_without_defer = [0; 4096];
let mut buffer_with_defer = [0; 4096];
let mut buffer_without_defer_retry = [0; 4096];
@@ -341,7 +347,6 @@
.write_next_handover(
sample_dice_input,
&[0u8; HIDDEN_SIZE],
- Some([0u8; 64]),
false,
&mut buffer_without_defer,
context.clone(),
@@ -354,7 +359,6 @@
.write_next_handover(
sample_dice_input,
&[0u8; HIDDEN_SIZE],
- Some([0u8; 64]),
true,
&mut buffer_with_defer,
context.clone(),
@@ -367,7 +371,6 @@
.write_next_handover(
sample_dice_input,
&[0u8; HIDDEN_SIZE],
- Some([0u8; 64]),
false,
&mut buffer_without_defer_retry,
context.clone(),
@@ -384,7 +387,7 @@
let dice_artifacts = make_sample_bcc_and_cdis().unwrap();
let handover0_bytes = to_serialized_handover(&dice_artifacts);
let vb_data = VerifiedBootData { debug_level: DebugLevel::Full, ..BASE_VB_DATA };
- let inputs = PartialInputs::new(&vb_data).unwrap();
+ let inputs = PartialInputs::new(&vb_data, Some([0u8; 64])).unwrap();
let mut buffer = [0; 4096];
inputs
@@ -392,7 +395,6 @@
.write_next_handover(
&handover0_bytes,
&[0u8; HIDDEN_SIZE],
- Some([0u8; 64]),
true,
&mut buffer,
DiceContext {
@@ -410,7 +412,6 @@
.write_next_handover(
&handover1_bytes,
&[0u8; HIDDEN_SIZE],
- Some([0u8; 64]),
true,
&mut buffer,
DiceContext {
@@ -428,7 +429,6 @@
.write_next_handover(
&handover2_bytes,
&[0u8; HIDDEN_SIZE],
- Some([0u8; 64]),
true,
&mut buffer,
DiceContext {
diff --git a/guest/pvmfw/src/entry.rs b/guest/pvmfw/src/entry.rs
index 46b1971..cb6c64e 100644
--- a/guest/pvmfw/src/entry.rs
+++ b/guest/pvmfw/src/entry.rs
@@ -139,17 +139,22 @@
slices.fdt,
slices.kernel,
slices.ramdisk,
- config_entries.dice_handover,
+ config_entries.dice_handover.as_deref(),
config_entries.debug_policy,
config_entries.vm_dtbo,
config_entries.vm_ref_dt,
)?;
- slices.add_dice_handover(next_dice_handover);
+ if let Some(r) = next_dice_handover {
+ slices.add_dice_handover(r);
+ }
+
// Keep UART MMIO_GUARD-ed for debuggable payloads, to enable earlycon.
let keep_uart = cfg!(debuggable_vms_improvements) && debuggable_payload;
// Writable-dirty regions will be flushed when MemoryTracker is dropped.
- config_entries.dice_handover.zeroize();
+ if let Some(r) = config_entries.dice_handover {
+ r.zeroize();
+ }
unshare_all_mmio_except_uart().map_err(|e| {
error!("Failed to unshare MMIO ranges: {e}");
@@ -218,8 +223,8 @@
fn get_entries(self) -> config::Entries<'a> {
match self {
Self::Config(cfg) => cfg.get_entries(),
- Self::LegacyDiceHandover(dice_handover) => {
- config::Entries { dice_handover, ..Default::default() }
+ Self::LegacyDiceHandover(d) => {
+ config::Entries { dice_handover: Some(d), ..Default::default() }
}
}
}
diff --git a/guest/pvmfw/src/fdt.rs b/guest/pvmfw/src/fdt.rs
index 4853e85..b5d3b28 100644
--- a/guest/pvmfw/src/fdt.rs
+++ b/guest/pvmfw/src/fdt.rs
@@ -1375,7 +1375,7 @@
/// Modifies the input DT according to the fields of the configuration.
pub fn modify_for_next_stage(
fdt: &mut Fdt,
- dice_handover: &[u8],
+ dice_handover: Option<&[u8]>,
new_instance: bool,
strict_boot: bool,
debug_policy: Option<&[u8]>,
@@ -1416,14 +1416,18 @@
}
/// Patch the "google,open-dice"-compatible reserved-memory node to point to the DICE handover.
-fn patch_dice_node(fdt: &mut Fdt, handover: &[u8]) -> libfdt::Result<()> {
+fn patch_dice_node(fdt: &mut Fdt, handover: Option<&[u8]>) -> libfdt::Result<()> {
// The node is assumed to be present in the template DT.
let node = fdt.node_mut(c"/reserved-memory")?.ok_or(FdtError::NotFound)?;
let mut node = node.next_compatible(c"google,open-dice")?.ok_or(FdtError::NotFound)?;
- let addr = (handover.as_ptr() as usize).try_into().unwrap();
- let size = handover.len().try_into().unwrap();
- node.setprop_addrrange_inplace(c"reg", addr, size)
+ if let Some(r) = handover {
+ let addr = (r.as_ptr() as usize).try_into().unwrap();
+ let size = r.len().try_into().unwrap();
+ node.setprop_addrrange_inplace(c"reg", addr, size)
+ } else {
+ node.nop()
+ }
}
fn empty_or_delete_prop(
diff --git a/guest/pvmfw/src/main.rs b/guest/pvmfw/src/main.rs
index 9f1b5e6..db60849 100644
--- a/guest/pvmfw/src/main.rs
+++ b/guest/pvmfw/src/main.rs
@@ -37,12 +37,16 @@
use crate::rollback::perform_rollback_protection;
use alloc::borrow::Cow;
use alloc::boxed::Box;
+use alloc::vec::Vec;
use bssl_avf::Digester;
-use diced_open_dice::{bcc_handover_parse, DiceArtifacts, DiceContext, Hidden, VM_KEY_ALGORITHM};
+use diced_open_dice::{
+ bcc_handover_parse, DiceArtifacts, DiceContext, Hidden, HIDDEN_SIZE, VM_KEY_ALGORITHM,
+};
use libfdt::Fdt;
use log::{debug, error, info, trace, warn};
use pvmfw_avb::verify_payload;
use pvmfw_avb::DebugLevel;
+use pvmfw_avb::VerifiedBootData;
use pvmfw_embedded_key::PUBLIC_KEY;
use vmbase::heap;
use vmbase::memory::{flush, SIZE_4KB};
@@ -52,11 +56,11 @@
untrusted_fdt: &mut Fdt,
signed_kernel: &[u8],
ramdisk: Option<&[u8]>,
- current_dice_handover: &[u8],
+ current_dice_handover: Option<&[u8]>,
mut debug_policy: Option<&[u8]>,
vm_dtbo: Option<&mut [u8]>,
vm_ref_dt: Option<&[u8]>,
-) -> Result<(&'a [u8], bool), RebootReason> {
+) -> Result<(Option<&'a [u8]>, bool), RebootReason> {
info!("pVM firmware");
debug!("FDT: {:?}", untrusted_fdt.as_ptr());
debug!("Signed kernel: {:?} ({:#x} bytes)", signed_kernel.as_ptr(), signed_kernel.len());
@@ -67,103 +71,57 @@
debug!("Ramdisk: None");
}
- let dice_handover = bcc_handover_parse(current_dice_handover).map_err(|e| {
- error!("Invalid DICE Handover: {e:?}");
- RebootReason::InvalidDiceHandover
- })?;
- trace!("DICE handover: {dice_handover:x?}");
-
- let dice_chain_info = DiceChainInfo::new(dice_handover.bcc()).map_err(|e| {
- error!("{e}");
- RebootReason::InvalidDiceHandover
- })?;
+ let (parsed_dice, dice_debug_mode) = parse_dice_handover(current_dice_handover)?;
// The bootloader should never pass us a debug policy when the boot is secure (the bootloader
// is locked). If it gets it wrong, disregard it & log it, to avoid it causing problems.
- if debug_policy.is_some() && !dice_chain_info.is_debug_mode() {
+ if debug_policy.is_some() && !dice_debug_mode {
warn!("Ignoring debug policy, DICE handover does not indicate Debug mode");
debug_policy = None;
}
- let verified_boot_data = verify_payload(signed_kernel, ramdisk, PUBLIC_KEY).map_err(|e| {
- error!("Failed to verify the payload: {e}");
- RebootReason::PayloadVerificationError
- })?;
- let debuggable = verified_boot_data.debug_level != DebugLevel::None;
- if debuggable {
- info!("Successfully verified a debuggable payload.");
- info!("Please disregard any previous libavb ERROR about initrd_normal.");
- }
+ // Policy/Hidden ABI: If the pvmfw loader (typically ABL) didn't pass a DICE handover (which is
+ // technically still mandatory, as per the config data specification), skip DICE, AVB, and RBP.
+ // This is to support Qualcomm QTVMs, which perform guest image verification in TrustZone.
+ let (verified_boot_data, debuggable, guest_page_size) = if current_dice_handover.is_none() {
+ warn!("Verified boot is disabled!");
+ (None, false, SIZE_4KB)
+ } else {
+ let (dat, debug, sz) = perform_verified_boot(signed_kernel, ramdisk)?;
+ (Some(dat), debug, sz)
+ };
- let guest_page_size = verified_boot_data.page_size.unwrap_or(SIZE_4KB);
let hyp_page_size = hypervisor_backends::get_granule_size();
let _ =
sanitize_device_tree(untrusted_fdt, vm_dtbo, vm_ref_dt, guest_page_size, hyp_page_size)?;
let fdt = untrusted_fdt; // DT has now been sanitized.
- let next_dice_handover_size = guest_page_size;
- let next_dice_handover = heap::aligned_boxed_slice(next_dice_handover_size, guest_page_size)
- .ok_or_else(|| {
- error!("Failed to allocate the next-stage DICE handover");
+ let (next_dice_handover, new_instance) = if let Some(ref data) = verified_boot_data {
+ let instance_hash = salt_from_instance_id(fdt)?;
+ let dice_inputs = PartialInputs::new(data, instance_hash).map_err(|e| {
+ error!("Failed to compute partial DICE inputs: {e:?}");
RebootReason::InternalError
})?;
- // By leaking the slice, its content will be left behind for the next stage.
- let next_dice_handover = Box::leak(next_dice_handover);
+ let (dice_handover_bytes, dice_cdi_seal, dice_context) =
+ parsed_dice.expect("Missing DICE values with VB data");
+ let (new_instance, salt, defer_rollback_protection) =
+ perform_rollback_protection(fdt, data, &dice_inputs, &dice_cdi_seal)?;
+ trace!("Got salt for instance: {salt:x?}");
- let dice_inputs = PartialInputs::new(&verified_boot_data).map_err(|e| {
- error!("Failed to compute partial DICE inputs: {e:?}");
- RebootReason::InternalError
- })?;
-
- let instance_hash = salt_from_instance_id(fdt)?;
- let (new_instance, salt, defer_rollback_protection) = perform_rollback_protection(
- fdt,
- &verified_boot_data,
- &dice_inputs,
- dice_handover.cdi_seal(),
- instance_hash,
- )?;
- trace!("Got salt for instance: {salt:x?}");
-
- let new_dice_handover = if cfg!(dice_changes) {
- Cow::Borrowed(current_dice_handover)
- } else {
- // It is possible that the DICE chain we were given is rooted in the UDS. We do not want to
- // give such a chain to the payload, or even the associated CDIs. So remove the
- // entire chain we were given and taint the CDIs. Note that the resulting CDIs are
- // still deterministically derived from those we received, so will vary iff they do.
- // TODO(b/280405545): Remove this post Android 14.
- let truncated_dice_handover = dice::chain::truncate(dice_handover).map_err(|e| {
- error!("{e}");
- RebootReason::InternalError
- })?;
- Cow::Owned(truncated_dice_handover)
- };
-
- let cose_alg = dice_chain_info.leaf_subject_pubkey().cose_alg;
- trace!("DICE chain leaf subject public key algorithm: {:?}", cose_alg);
-
- let dice_context = DiceContext {
- authority_algorithm: cose_alg.try_into().map_err(|e| {
- error!("{e}");
- RebootReason::InternalError
- })?,
- subject_algorithm: VM_KEY_ALGORITHM,
- };
- dice_inputs
- .write_next_handover(
- new_dice_handover.as_ref(),
- &salt,
- instance_hash,
- defer_rollback_protection,
- next_dice_handover,
+ let next_dice_handover = perform_dice_derivation(
+ dice_handover_bytes.as_ref(),
dice_context,
- )
- .map_err(|e| {
- error!("Failed to derive next-stage DICE secrets: {e:?}");
- RebootReason::SecretDerivationError
- })?;
- flush(next_dice_handover);
+ dice_inputs,
+ &salt,
+ defer_rollback_protection,
+ guest_page_size,
+ guest_page_size,
+ )?;
+
+ (Some(next_dice_handover), new_instance)
+ } else {
+ (None, true)
+ };
let kaslr_seed = u64::from_ne_bytes(rand::random_array().map_err(|e| {
error!("Failed to generated guest KASLR seed: {e}");
@@ -188,6 +146,105 @@
Ok((next_dice_handover, debuggable))
}
+fn parse_dice_handover(
+ bytes: Option<&[u8]>,
+) -> Result<(Option<(Cow<'_, [u8]>, Vec<u8>, DiceContext)>, bool), RebootReason> {
+ let Some(bytes) = bytes else {
+ return Ok((None, false));
+ };
+ let dice_handover = bcc_handover_parse(bytes).map_err(|e| {
+ error!("Invalid DICE Handover: {e:?}");
+ RebootReason::InvalidDiceHandover
+ })?;
+ trace!("DICE handover: {dice_handover:x?}");
+
+ let dice_chain_info = DiceChainInfo::new(dice_handover.bcc()).map_err(|e| {
+ error!("{e}");
+ RebootReason::InvalidDiceHandover
+ })?;
+ let is_debug_mode = dice_chain_info.is_debug_mode();
+ let cose_alg = dice_chain_info.leaf_subject_pubkey().cose_alg;
+ trace!("DICE chain leaf subject public key algorithm: {:?}", cose_alg);
+
+ let dice_context = DiceContext {
+ authority_algorithm: cose_alg.try_into().map_err(|e| {
+ error!("{e}");
+ RebootReason::InternalError
+ })?,
+ subject_algorithm: VM_KEY_ALGORITHM,
+ };
+
+ let cdi_seal = dice_handover.cdi_seal().to_vec();
+
+ let bytes_for_next = if cfg!(dice_changes) {
+ Cow::Borrowed(bytes)
+ } else {
+ // It is possible that the DICE chain we were given is rooted in the UDS. We do not want to
+ // give such a chain to the payload, or even the associated CDIs. So remove the
+ // entire chain we were given and taint the CDIs. Note that the resulting CDIs are
+ // still deterministically derived from those we received, so will vary iff they do.
+ // TODO(b/280405545): Remove this post Android 14.
+ let truncated_bytes = dice::chain::truncate(dice_handover).map_err(|e| {
+ error!("{e}");
+ RebootReason::InternalError
+ })?;
+ Cow::Owned(truncated_bytes)
+ };
+
+ Ok((Some((bytes_for_next, cdi_seal, dice_context)), is_debug_mode))
+}
+
+fn perform_dice_derivation<'a>(
+ dice_handover_bytes: &[u8],
+ dice_context: DiceContext,
+ dice_inputs: PartialInputs,
+ salt: &[u8; HIDDEN_SIZE],
+ defer_rollback_protection: bool,
+ next_handover_size: usize,
+ next_handover_align: usize,
+) -> Result<&'a [u8], RebootReason> {
+ let next_dice_handover = heap::aligned_boxed_slice(next_handover_size, next_handover_align)
+ .ok_or_else(|| {
+ error!("Failed to allocate the next-stage DICE handover");
+ RebootReason::InternalError
+ })?;
+ // By leaking the slice, its content will be left behind for the next stage.
+ let next_dice_handover = Box::leak(next_dice_handover);
+
+ dice_inputs
+ .write_next_handover(
+ dice_handover_bytes.as_ref(),
+ salt,
+ defer_rollback_protection,
+ next_dice_handover,
+ dice_context,
+ )
+ .map_err(|e| {
+ error!("Failed to derive next-stage DICE secrets: {e:?}");
+ RebootReason::SecretDerivationError
+ })?;
+ flush(next_dice_handover);
+ Ok(next_dice_handover)
+}
+
+fn perform_verified_boot<'a>(
+ signed_kernel: &[u8],
+ ramdisk: Option<&[u8]>,
+) -> Result<(VerifiedBootData<'a>, bool, usize), RebootReason> {
+ let verified_boot_data = verify_payload(signed_kernel, ramdisk, PUBLIC_KEY).map_err(|e| {
+ error!("Failed to verify the payload: {e}");
+ RebootReason::PayloadVerificationError
+ })?;
+ let debuggable = verified_boot_data.debug_level != DebugLevel::None;
+ if debuggable {
+ info!("Successfully verified a debuggable payload.");
+ info!("Please disregard any previous libavb ERROR about initrd_normal.");
+ }
+ let guest_page_size = verified_boot_data.page_size.unwrap_or(SIZE_4KB);
+
+ Ok((verified_boot_data, debuggable, guest_page_size))
+}
+
// Get the "salt" which is one of the input for DICE derivation.
// This provides differentiation of secrets for different VM instances with same payloads.
fn salt_from_instance_id(fdt: &Fdt) -> Result<Option<Hidden>, RebootReason> {
diff --git a/guest/pvmfw/src/rollback.rs b/guest/pvmfw/src/rollback.rs
index e51b6d5..c2848a2 100644
--- a/guest/pvmfw/src/rollback.rs
+++ b/guest/pvmfw/src/rollback.rs
@@ -42,8 +42,8 @@
verified_boot_data: &VerifiedBootData,
dice_inputs: &PartialInputs,
cdi_seal: &[u8],
- instance_hash: Option<Hidden>,
) -> Result<(bool, Hidden, bool), RebootReason> {
+ let instance_hash = dice_inputs.instance_hash;
if let Some(fixed) = get_fixed_rollback_protection(verified_boot_data) {
// Prevent attackers from impersonating well-known images.
perform_fixed_index_rollback_protection(verified_boot_data, fixed)?;