pvmfw: Don't abort boot for missing /avf/untrusted

pvmfw currently aborts the boot if the input DT is missing
/avf/untrusted or its <instance-id> property. However, a legacy payload
relying on the instance.img RBP solution doesn't necessarily require
either and there is therefore no reason for its boot to be affected by
their absence.

Note that this change doesn't affect RBP solutions which require
<instance-id> as those still panic when it's missing.

Bug: 291213394
Bug: 377276983
Test: m pvmfw_bin
Change-Id: Iea4560e532e3d03722713ee01aa481be95f8f264
diff --git a/guest/pvmfw/src/main.rs b/guest/pvmfw/src/main.rs
index 0a3dca6..51bd981 100644
--- a/guest/pvmfw/src/main.rs
+++ b/guest/pvmfw/src/main.rs
@@ -129,7 +129,7 @@
         RebootReason::InternalError
     })?;
 
-    let instance_hash = Some(salt_from_instance_id(fdt)?);
+    let instance_hash = salt_from_instance_id(fdt)?;
     let (new_instance, salt, defer_rollback_protection) = perform_rollback_protection(
         fdt,
         &verified_boot_data,
@@ -204,8 +204,8 @@
 
 // Get the "salt" which is one of the input for DICE derivation.
 // This provides differentiation of secrets for different VM instances with same payloads.
-fn salt_from_instance_id(fdt: &Fdt) -> Result<Hidden, RebootReason> {
-    let id = instance_id(fdt)?;
+fn salt_from_instance_id(fdt: &Fdt) -> Result<Option<Hidden>, RebootReason> {
+    let Some(id) = instance_id(fdt)? else { return Ok(None) };
     let salt = Digester::sha512()
         .digest(&[&b"InstanceId:"[..], id].concat())
         .map_err(|e| {
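Review bot: The comment above `salt_from_instance_id` (the two `//` lines before the signature) still describes only the success case, while the new return type `Result<Option<Hidden>, RebootReason>` introduces a `None` outcome that callers now have to interpret. It should say when `None` is produced, e.g. `// Returns Ok(None) when the DT has no /avf/untrusted node or that node lacks an <instance-id> property; such a VM gets no instance-specific salt.` Stating this at the one place callers read it matters because the absence of a salt changes what the DICE derivation differentiates on, and the caller in `main.rs` only sees an `Option`. The function body continues into the next hunk.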
@@ -214,30 +214,24 @@
         })?
         .try_into()
         .map_err(|_| RebootReason::InternalError)?;
-    Ok(salt)
+    Ok(Some(salt))
 }
 
-fn instance_id(fdt: &Fdt) -> Result<&[u8], RebootReason> {
-    let node = avf_untrusted_node(fdt)?;
+fn instance_id(fdt: &Fdt) -> Result<Option<&[u8]>, RebootReason> {
+    let Some(node) = avf_untrusted_node(fdt)? else { return Ok(None) };
     let id = node.getprop(c"instance-id").map_err(|e| {
         error!("Failed to get instance-id in DT: {e}");
         RebootReason::InvalidFdt
     })?;
-    id.ok_or_else(|| {
-        error!("Missing instance-id");
-        RebootReason::InvalidFdt
-    })
+    Ok(id)
 }
 
-fn avf_untrusted_node(fdt: &Fdt) -> Result<FdtNode, RebootReason> {
+fn avf_untrusted_node(fdt: &Fdt) -> Result<Option<FdtNode>, RebootReason> {
     let node = fdt.node(c"/avf/untrusted").map_err(|e| {
         error!("Failed to get /avf/untrusted node: {e}");
         RebootReason::InvalidFdt
     })?;
-    node.ok_or_else(|| {
-        error!("/avf/untrusted node is missing in DT");
-        RebootReason::InvalidFdt
-    })
+    Ok(node)
 }
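Review bot: Removing the `error!("Missing instance-id")` and `error!("/avf/untrusted node is missing in DT")` calls in `instance_id` and `avf_untrusted_node` leaves the new `Ok(None)` paths with no log line at all, so a boot that silently proceeds without an instance salt is indistinguishable in the console output from one that had one. Since the change is intentional, a lower-severity message is more appropriate than the old `error!`, but some trace should remain: in `instance_id`, after the `getprop` call, something like `if id.is_none() { info!("/avf/untrusted has no instance-id; booting without instance salt"); }`, assuming the `error!` macro here comes from the `log` crate so `info!` is available at the same import. The same consideration applies to the `Ok(node)` return in `avf_untrusted_node` and to the duplicate of that function in `rollback.rs`.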
 
 /// Logs the given PCI error and returns the appropriate `RebootReason`.
diff --git a/guest/pvmfw/src/rollback.rs b/guest/pvmfw/src/rollback.rs
index f7723d7..e79705f 100644
--- a/guest/pvmfw/src/rollback.rs
+++ b/guest/pvmfw/src/rollback.rs
@@ -155,7 +155,7 @@
 }
 
 fn should_defer_rollback_protection(fdt: &Fdt) -> Result<bool, RebootReason> {
-    let node = avf_untrusted_node(fdt)?;
+    let Some(node) = avf_untrusted_node(fdt)? else { return Ok(false) };
     let defer_rbp = node
         .getprop(c"defer-rollback-protection")
         .map_err(|e| {
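Review bot: The new `let Some(node) = avf_untrusted_node(fdt)? else { return Ok(false) };` in `should_defer_rollback_protection` makes a missing `/avf/untrusted` node mean "do not defer rollback protection", which is the conservative direction, but nothing in the code records that this fallback is deliberate rather than incidental. A one-line comment on the guard would keep a future edit from flipping it, e.g. `// No /avf/untrusted node: deferral is opt-in, so default to performing RBP now.` The rest of the function, including how `defer_rbp` is decoded, lies outside the hunk.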
@@ -166,13 +166,10 @@
     Ok(defer_rbp)
 }
 
-fn avf_untrusted_node(fdt: &Fdt) -> Result<FdtNode, RebootReason> {
+fn avf_untrusted_node(fdt: &Fdt) -> Result<Option<FdtNode>, RebootReason> {
     let node = fdt.node(c"/avf/untrusted").map_err(|e| {
         error!("Failed to get /avf/untrusted node: {e}");
         RebootReason::InvalidFdt
     })?;
-    node.ok_or_else(|| {
-        error!("/avf/untrusted node is missing in DT");
-        RebootReason::InvalidFdt
-    })
+    Ok(node)
 }
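Review bot: `avf_untrusted_node` in `rollback.rs` is now a byte-for-byte copy of the function of the same name in `main.rs`, and this commit had to apply the identical signature and return change to both; two private copies of a DT-lookup helper are easy to let drift apart the next time one of them is touched. Keeping a single definition, `pub(crate) fn avf_untrusted_node(fdt: &Fdt) -> Result<Option<FdtNode>, RebootReason> {`, and importing it into the other module would remove the duplication, although the right home for it (and the `use` path) is not visible from this diff.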