pvmfw: Log clarification about initrd_normal error

As pvmfw_avb::verify_payload() checks if the payload is debuggable by
first trying to verify a payload named 'initrd_normal' then an
'initrd_debug', debuggable payloads will fail to verify the former while
still being valid. As libavb logs any verification failure, this will
result in the confusing log:

    avb_slot_verify.c:443: ERROR: initrd_normal: Hash of data does not match digest in descriptor.

To avoid any confusion, detect a successfully verified payload and log a
message to clarify the above in pvmfw. This is preferred over logging at
the libavb call site so that we don't introduce logging in pvmfw_avb.

Bug: 284443878
Bug: 289173497
Test: TH
Change-Id: Icca19ebcb021e4280b6b80715045b0239adb52ab

diff --git a/pvmfw/src/main.rs b/pvmfw/src/main.rs
index c826cd8..1b2b769 100644
--- a/pvmfw/src/main.rs
+++ b/pvmfw/src/main.rs
@@ -106,6 +106,11 @@
error!("Failed to verify the payload: {e}");
RebootReason::PayloadVerificationError
})?;
+ let debuggable = verified_boot_data.debug_level != DebugLevel::None;
+ if debuggable {
+ info!("Successfully verified a debuggable payload.");
+ info!("Please disregard any previous libavb ERROR about initrd_normal.");
+ }
if verified_boot_data.capabilities.contains(&Capability::RemoteAttest) {
info!("Service VM capable of remote attestation detected");
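Review bot: The second info! in the `if debuggable` block asks the reader to disregard "any previous libavb ERROR about initrd_normal", which is broader than the single message the commit describes, and it is printed for every payload whose debug_level is not DebugLevel::None, whether or not libavb logged anything. Suggest naming the specific expected error (the "Hash of data does not match digest in descriptor" line for initrd_normal) so that a different initrd_normal failure appearing in the same log is not dismissed along with it. A short code comment above the block explaining why the hint exists would also help, since that rationale currently lives only in the commit message.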
@@ -148,7 +153,6 @@
flush(next_bcc);
let strict_boot = true;
- let debuggable = verified_boot_data.debug_level != DebugLevel::None;
modify_for_next_stage(fdt, next_bcc, new_instance, strict_boot, debug_policy, debuggable)
.map_err(|e| {
error!("Failed to configure device tree: {e}");
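Review bot: With `let debuggable` removed here, the `debuggable` argument to modify_for_next_stage now relies on the binding introduced in the earlier hunk (around line 109), next to the new log messages. That binding reads as logging-only where it is defined, so a comment there noting that it is also passed to modify_for_next_stage would keep a later cleanup of the log block from dropping or changing a value that feeds the next stage's configuration.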