Merge "pvmfw: rollback: Remove special RBP for Trusty VM" into main
diff --git a/guest/pvmfw/src/rollback.rs b/guest/pvmfw/src/rollback.rs
index 1d84c5b..004acdb 100644
--- a/guest/pvmfw/src/rollback.rs
+++ b/guest/pvmfw/src/rollback.rs
@@ -44,17 +44,15 @@
cdi_seal: &[u8],
instance_hash: Option<Hidden>,
) -> Result<(bool, Hidden, bool), RebootReason> {
- if should_defer_rollback_protection(fdt)?
- && verified_boot_data.has_capability(Capability::SecretkeeperProtection)
+ if (should_defer_rollback_protection(fdt)?
+ && verified_boot_data.has_capability(Capability::SecretkeeperProtection))
+ || verified_boot_data.has_capability(Capability::TrustySecurityVm)
{
perform_deferred_rollback_protection(verified_boot_data)?;
Ok((false, instance_hash.unwrap(), true))
} else if verified_boot_data.has_capability(Capability::RemoteAttest) {
perform_fixed_index_rollback_protection(verified_boot_data)?;
Ok((false, instance_hash.unwrap(), false))
- } else if verified_boot_data.has_capability(Capability::TrustySecurityVm) {
- skip_rollback_protection()?;
- Ok((false, instance_hash.unwrap(), false))
} else {
perform_legacy_rollback_protection(fdt, dice_inputs, cdi_seal, instance_hash)
}
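Review bot: The new `|| verified_boot_data.has_capability(Capability::TrustySecurityVm)` arm sends a Trusty Security VM down the deferred path without consulting `should_defer_rollback_protection(fdt)`, and because it sits in the first branch it now also takes precedence over the `RemoteAttest` check, which used to be evaluated before the Trusty one. A payload carrying both capabilities would therefore move from fixed-index to deferred protection and return `true` as the third tuple element; if that is intended, say so next to the condition, e.g. `// Trusty Security VM always defers RBP, even without the FDT opt-in; enforced later by <component>`, with the placeholder naming whatever is expected to enforce rollback afterwards. What `perform_deferred_rollback_protection` actually checks is not visible in this hunk, so a test covering a Trusty payload with the FDT deferral flag absent would pin the intended behaviour. The enclosing function starts and ends outside this hunk.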
@@ -88,11 +86,6 @@
}
}
-fn skip_rollback_protection() -> Result<(), RebootReason> {
- info!("Skipping rollback protection");
- Ok(())
-}
-
/// Performs RBP using instance.img where updates require clearing old entries, causing new CDIs.
fn perform_legacy_rollback_protection(
fdt: &Fdt,