guest: trusty: enable pvmfw-verified pVM for security and test VMs
- rules that use unsigned images for x86, signed images for arm64
- system_ext artifacts enabled only on devices enabling
`trusty_system_vm` via a soong config variable:
- VM payload configuration:
support a `placeholder_trusted_hal` soong bool variable allowing
to enable placeholder hals on devices that don't support
the Trusted HALs (Cuttlefish on x86_64 for example)
(placeholder_trusted_hal shall not be enabled in production)
- security_vm: update launcher build rules to also support arm64
and define .rc prebuilts to be reused by any device
(not just cuttlefish)
- test_vm: enable pvmfw-verified pVM by adding image signing rules
Bug: 391719387
Bug: 391210895
Test: qemu_trusty_arm64-trunk_staging-userdebug
Change-Id: I82dc911e482538e3f22dde6246a64e712bd0f1d0
diff --git a/guest/pvmfw/avb/Android.bp b/guest/pvmfw/avb/Android.bp
index 0294322..141c1d2 100644
--- a/guest/pvmfw/avb/Android.bp
+++ b/guest/pvmfw/avb/Android.bp
@@ -33,7 +33,7 @@
":microdroid_kernel_signed",
":microdroid_initrd_normal",
":microdroid_initrd_debuggable",
- ":trusty_security_vm_signed",
+ ":trusty_test_vm_signed_bin",
":test_image_with_one_hashdesc",
":test_image_with_non_initrd_hashdesc",
":test_image_with_initrd_and_non_initrd_desc",
diff --git a/guest/pvmfw/avb/tests/api_test.rs b/guest/pvmfw/avb/tests/api_test.rs
index df33830..3027c47 100644
--- a/guest/pvmfw/avb/tests/api_test.rs
+++ b/guest/pvmfw/avb/tests/api_test.rs
@@ -61,11 +61,11 @@
}
#[test]
-fn latest_trusty_security_vm_kernel_passes_verification() -> Result<()> {
- let salt = b"trusty_security_vm_salt";
+fn latest_trusty_test_vm_kernel_passes_verification() -> Result<()> {
+ let salt = b"trusty_test_vm_salt";
let expected_rollback_index = 1;
assert_payload_without_initrd_passes_verification(
- &load_latest_trusty_security_vm_signed_kernel()?,
+ &load_latest_trusty_test_vm_signed_kernel()?,
salt,
expected_rollback_index,
vec![Capability::TrustySecurityVm],
diff --git a/guest/pvmfw/avb/tests/utils.rs b/guest/pvmfw/avb/tests/utils.rs
index e8590ac..7282f3e 100644
--- a/guest/pvmfw/avb/tests/utils.rs
+++ b/guest/pvmfw/avb/tests/utils.rs
@@ -33,7 +33,7 @@
const MICRODROID_KERNEL_IMG_PATH: &str = "microdroid_kernel";
const INITRD_NORMAL_IMG_PATH: &str = "microdroid_initrd_normal.img";
const INITRD_DEBUG_IMG_PATH: &str = "microdroid_initrd_debuggable.img";
-const TRUSTY_SECURITY_VM_KERNEL_IMG_PATH: &str = "trusty_security_vm_signed";
+const TRUSTY_TEST_VM_KERNEL_IMG_PATH: &str = "trusty_test_vm_signed.bin";
const PUBLIC_KEY_RSA4096_PATH: &str = "data/testkey_rsa4096_pub.bin";
pub const PUBLIC_KEY_RSA2048_PATH: &str = "data/testkey_rsa2048_pub.bin";
@@ -61,8 +61,8 @@
Ok(fs::read(MICRODROID_KERNEL_IMG_PATH)?)
}
-pub fn load_latest_trusty_security_vm_signed_kernel() -> Result<Vec<u8>> {
- Ok(fs::read(TRUSTY_SECURITY_VM_KERNEL_IMG_PATH)?)
+pub fn load_latest_trusty_test_vm_signed_kernel() -> Result<Vec<u8>> {
+ Ok(fs::read(TRUSTY_TEST_VM_KERNEL_IMG_PATH)?)
}
pub fn load_latest_initrd_normal() -> Result<Vec<u8>> {