Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / f66c7e65d180d0b8686939091fe08736126bf918^2..f66c7e65d180d0b8686939091fe08736126bf918 / .
commitf66c7e65d180d0b8686939091fe08736126bf918[log] [tgz]
authorArd Biesheuvel <ardb@google.com>Thu Nov 09 16:46:42 2023 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Thu Nov 09 16:46:42 2023 +0000
tree2b9e6ee31a0b2732258f3cc1708764d7f54835ec
parent2c0561492e6c41d3525e8542180c69207d785a7f [diff]
parent28e439f40a0af608cd5efb521f172ea8dcc04edc [diff]
Merge changes from topic "aarch64-paging-0.5.0" into main

* changes:
  Use unsafe block to activate the ID map
  Map DBM data region down to pages
  Use statically typed callback function in modify_range
  Drop is_leaf() check now that modify_range() returns leaves only
  Use walk_range when traversing the page tables without modifying them
  Simplify lazy MMIO on-demand mapping

diff --git a/vm_payload/Android.bp b/vm_payload/Android.bp
index 7f2b9df..286612c 100644
--- a/vm_payload/Android.bp
+++ b/vm_payload/Android.bp

@@ -8,7 +8,7 @@
     crate_name: "vm_payload",
     defaults: ["avf_build_flags_rust"],
     visibility: ["//visibility:private"],
-    srcs: ["src/*.rs"],
+    srcs: ["src/lib.rs"],
     include_dirs: ["include"],
     prefer_rlib: true,
     rustlibs: [

diff --git a/vm_payload/include/vm_payload.h b/vm_payload/include/vm_payload.h
index 2dfa2cb..951b57f 100644
--- a/vm_payload/include/vm_payload.h
+++ b/vm_payload/include/vm_payload.h

@@ -43,11 +43,14 @@
     /** The remote attestation completes successfully. */
     ATTESTATION_OK = 0,
 
-    /** The remote attestation has failed due to an unspecified cause. */
-    ATTESTATION_UNKNOWN_ERROR = -10000,
-
     /** The challenge size is not between 0 and 64. */
     ATTESTATION_ERROR_INVALID_CHALLENGE = -10001,
+
+    /** Failed to attest the VM. Please retry at a later time. */
+    ATTESTATION_ERROR_ATTESTATION_FAILED = -10002,
+
+    /** Remote attestation is not supported in the current environment. */
+    ATTESTATION_ERROR_UNSUPPORTED = -10003,
 } attestation_status_t;
 
 /**

diff --git a/vm_payload/src/api.rs b/vm_payload/src/api.rs
index 64f8d6a..c76f2d3 100644
--- a/vm_payload/src/api.rs
+++ b/vm_payload/src/api.rs

@@ -21,7 +21,7 @@
 use anyhow::{bail, ensure, Context, Result};
 use binder::{
     unstable_api::{new_spibinder, AIBinder},
-    Strong,
+    Strong, ExceptionCode,
 };
 use lazy_static::lazy_static;
 use log::{error, info, Level};
@@ -296,15 +296,24 @@
         // `challenge_size` bytes and `challenge_size` is not zero.
         unsafe { std::slice::from_raw_parts(challenge, challenge_size) }
     };
-    let attestation_res = unwrap_or_abort(try_request_attestation(challenge));
-    *res = Box::into_raw(Box::new(attestation_res));
-    attestation_status_t::ATTESTATION_OK
+    let service = unwrap_or_abort(get_vm_payload_service());
+    match service.requestAttestation(challenge) {
+        Ok(attestation_res) => {
+            *res = Box::into_raw(Box::new(attestation_res));
+            attestation_status_t::ATTESTATION_OK
+        }
+        Err(e) => {
+            error!("Remote attestation failed: {e:?}");
+            binder_status_to_attestation_status(e)
+        }
+    }
 }
 
-fn try_request_attestation(public_key: &[u8]) -> Result<AttestationResult> {
-    get_vm_payload_service()?
-        .requestAttestation(public_key)
-        .context("Failed to request attestation")
+fn binder_status_to_attestation_status(status: binder::Status) -> attestation_status_t {
+    match status.exception_code() {
+        ExceptionCode::UNSUPPORTED_OPERATION => attestation_status_t::ATTESTATION_ERROR_UNSUPPORTED,
+        _ => attestation_status_t::ATTESTATION_ERROR_ATTESTATION_FAILED,
+    }
 }
 
 /// Converts the return value from `AVmPayload_requestAttestation` to a text string
@@ -320,8 +329,12 @@
         attestation_status_t::ATTESTATION_ERROR_INVALID_CHALLENGE => {
             CStr::from_bytes_with_nul(b"The challenge size is not between 0 and 64.\0").unwrap()
         }
-        _ => CStr::from_bytes_with_nul(
-            b"The remote attestation has failed due to an unspecified cause.\0",
+        attestation_status_t::ATTESTATION_ERROR_ATTESTATION_FAILED => {
+            CStr::from_bytes_with_nul(b"Failed to attest the VM. Please retry at a later time.\0")
+                .unwrap()
+        }
+        attestation_status_t::ATTESTATION_ERROR_UNSUPPORTED => CStr::from_bytes_with_nul(
+            b"Remote attestation is not supported in the current environment.\0",
         )
         .unwrap(),
     };

diff --git a/vm_payload/src/lib.rs b/vm_payload/src/lib.rs
index e305769..9e10895 100644
--- a/vm_payload/src/lib.rs
+++ b/vm_payload/src/lib.rs

@@ -18,7 +18,7 @@
 
 pub use api::{
     AVmAttestationResult_free, AVmAttestationResult_getCertificateAt,
-    AVmAttestationResult_getCertificatesCount, AVmAttestationResult_getPrivateKey,
+    AVmAttestationResult_getCertificateCount, AVmAttestationResult_getPrivateKey,
     AVmAttestationResult_resultToString, AVmAttestationResult_sign,
     AVmPayload_getDiceAttestationCdi, AVmPayload_getDiceAttestationChain,
     AVmPayload_getVmInstanceSecret, AVmPayload_notifyPayloadReady, AVmPayload_requestAttestation,