Merge "[Trusty] Enable verified boot for Trusty VM on top of pvmfw" into main am: 508091dcd7

Original change: https://android-review.googlesource.com/c/platform/packages/modules/Virtualization/+/3452514

Change-Id: I7cf7c8023ffa084a7bc11e77f62c72c2e45af85a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/guest/trusty/security_vm/vm/Android.bp b/guest/trusty/security_vm/vm/Android.bp
index f23385b..ee64095 100644
--- a/guest/trusty/security_vm/vm/Android.bp
+++ b/guest/trusty/security_vm/vm/Android.bp
@@ -12,12 +12,79 @@
             src: ":trusty_security_vm_signed",
         },
         arm64: {
-            src: ":trusty_security_vm_signed",
+            src: ":security_vm_elf",
         },
     },
     src: ":empty_file",
 }
 
+cc_binary {
+    name: "security_vm_elf",
+    srcs: [
+        ":security_vm_signed_obj",
+    ],
+    linker_scripts: [
+        "security_vm_sections.ld",
+    ],
+    ldflags: [
+        // Prevent the `trusty_security_vm_signed` segment from being garbage collected.
+        "-Wl,--no-gc-sections",
+        // Prevent the build ID segments from being added, as it would corrupt the integrity
+        // of the original signed image.
+        "-Wl,--build-id=none",
+        // Use a standard page size of 4096, smaller than the default 16384, to avoid padding
+        // with extra bytes.
+        "-Wl,-z,max-page-size=4096",
+    ],
+    nocrt: true,
+    no_libcrt: true,
+    static_executable: true,
+    system_shared_libs: [],
+    enabled: false,
+    target: {
+        android_arm64: {
+            enabled: true,
+        },
+    },
+    strip: {
+        none: true,
+    },
+}
+
+cc_genrule {
+    name: "security_vm.S",
+    arch: {
+        arm64: {
+            srcs: [":trusty_security_vm_signed"],
+        },
+    },
+    out: ["security_vm.S"],
+    cmd: "(" +
+        "    echo '.section .security_vm_signed.bin';" +
+        "    echo '.globl security_vm_signed';" +
+        "    echo 'security_vm_signed:';" +
+        "    echo '.incbin \"'$(in)'\"';" +
+        ") > $(out)",
+    visibility: ["//visibility:private"],
+}
+
+cc_object {
+    name: "security_vm_signed_obj",
+    srcs: [
+        ":security_vm.S",
+    ],
+    static_libs: ["trusty_security_vm_signed"],
+    crt: false,
+    system_shared_libs: [],
+    enabled: false,
+    target: {
+        android_arm64: {
+            enabled: true,
+        },
+    },
+    visibility: ["//visibility:private"],
+}
+
 filegroup {
     name: "trusty_vm_sign_key",
     srcs: [":avb_testkey_rsa4096"],
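Review bot: Nothing in this hunk checks that the bytes carried inside `security_vm_elf` still equal `:trusty_security_vm_signed`. The `ldflags` comments explain that a build-id note or page padding would break the signed image, but that is enforced only by flag choice. A build-time step that extracts the loadable content of the ELF and compares it with the signed input would turn a toolchain or flag change into a build failure instead of a verification failure at boot. The `.section .security_vm_signed.bin` line in the `security_vm.S` genrule also sets no section flags or alignment, so whether the section is allocatable depends on the assembler's defaults for an unrecognised section name; stating the flags explicitly, or adding a comment on why they are omitted, would remove that dependency. `static_libs: ["trusty_security_vm_signed"]` on the `cc_object` deserves a one-line comment too, since it appears to exist only to make the image available to `.incbin`.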
@@ -49,7 +116,20 @@
             enabled: true,
         },
         arm64: {
-            src: ":trusty-test-lk.elf",
+            src: ":trusty_security_vm_unsigned",
+            enabled: true,
+        },
+    },
+}
+
+// TODO(b/379646659): Take the binary generated by trusty instead of extracting
+// it from ELF here.
+raw_binary {
+    name: "trusty_security_vm_unsigned",
+    src: ":trusty-test-lk.elf",
+    enabled: false,
+    arch: {
+        arm64: {
             enabled: true,
         },
     },
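Review bot: The image that gets signed is still flattened from `:trusty-test-lk.elf`, and the unchanged `trusty_vm_sign_key` filegroup visible in the previous hunk points at `:avb_testkey_rsa4096`, whose private half is published in the AOSP tree. Unless product builds override both, the verified boot enabled here authenticates a test payload against a publicly known key; whether such an override exists is not visible in this diff. The TODO above `raw_binary` covers only the ELF extraction, so it would help to extend it, e.g. `// NOTE: test payload signed with the AVB test key; not a production trust anchor.` The module whose `arm64.src` changes at the top of this hunk starts outside it, so its name and type cannot be checked from here.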
diff --git a/guest/trusty/security_vm/vm/security_vm_sections.ld b/guest/trusty/security_vm/vm/security_vm_sections.ld
new file mode 100644
index 0000000..63e5f5d
--- /dev/null
+++ b/guest/trusty/security_vm/vm/security_vm_sections.ld
@@ -0,0 +1,25 @@
+/*
+ * Copyright 2025 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+ENTRY(security_vm_signed)
+
+SECTIONS
+{
+    . = 0x0;
+    .text : {
+        *(.security_vm_signed.bin)
+    }
+}
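Review bot: The script places only `*(.security_vm_signed.bin)` and has no `/DISCARD/` or `ASSERT`, so any other input section is positioned by the linker's orphan-placement defaults, and `-Wl,--no-gc-sections` in Android.bp keeps all of them. If the intent is that the loaded content is exactly the signed image starting at offset 0, it is worth saying so and enforcing it, for example with `/DISCARD/ : { *(.comment) *(.note*) }` after `.text` and `ASSERT(ADDR(.text) == 0, "signed image must start at 0")`. `ENTRY(security_vm_signed)` also makes the first byte of the blob the entry point, which assumes the flattened Trusty image is entered at its start. A short comment above `SECTIONS`, such as `/* Wraps the signed image unmodified; load address 0 and entry at its first byte are assumed by the loader. */`, would record that assumption.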