Skip rollback protection in pvmfw for Trusty Security VM
This CL introduces a new capability for the Trusty Security VM. It
allows pvmfw to identify the VM and skip the existing rollback
protection mechanism.
Bug: 379868478
Test: atest libpvmfw_avb.integration_test
Change-Id: Ice2118b940bd50d064617a3e99eba993ee9db6c8
diff --git a/guest/pvmfw/avb/Android.bp b/guest/pvmfw/avb/Android.bp
index bc5cbfe..a1ee626 100644
--- a/guest/pvmfw/avb/Android.bp
+++ b/guest/pvmfw/avb/Android.bp
@@ -230,7 +230,7 @@
props: [
{
name: "com.android.virt.cap",
- value: "remote_attest|secretkeeper_protection|supports_uefi_boot",
+ value: "remote_attest|trusty_security_vm|secretkeeper_protection|supports_uefi_boot",
},
],
}
diff --git a/guest/pvmfw/avb/src/verify.rs b/guest/pvmfw/avb/src/verify.rs
index bd700ce..a073502 100644
--- a/guest/pvmfw/avb/src/verify.rs
+++ b/guest/pvmfw/avb/src/verify.rs
@@ -70,6 +70,8 @@
RemoteAttest,
/// Secretkeeper protected secrets.
SecretkeeperProtection,
+ /// Trusty security VM.
+ TrustySecurityVm,
/// UEFI support for booting guest kernel.
SupportsUefiBoot,
/// (internal)
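Review bot: The doc comment on the new `TrustySecurityVm` variant says only "Trusty security VM.", but per the main.rs hunk in this commit the capability makes pvmfw skip its own rollback protection. I would spell that out, for example `/// Payload is the Trusty Security VM; pvmfw skips its rollback protection and relies on AuthMgr for it.`, so that anyone adding the property to an image sees the consequence. The same applies to the `props` entry added in guest/trusty/security_vm/launcher/Android.bp, where a one-line comment next to `value: "trusty_security_vm"` would help. The enum definition starts and ends outside this hunk.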
@@ -80,6 +82,7 @@
impl Capability {
const KEY: &'static str = "com.android.virt.cap";
const REMOTE_ATTEST: &'static [u8] = b"remote_attest";
+ const TRUSTY_SECURITY_VM: &'static [u8] = b"trusty_security_vm";
const SECRETKEEPER_PROTECTION: &'static [u8] = b"secretkeeper_protection";
const SEPARATOR: u8 = b'|';
const SUPPORTS_UEFI_BOOT: &'static [u8] = b"supports_uefi_boot";
@@ -98,6 +101,7 @@
for v in descriptor.value.split(|b| *b == Self::SEPARATOR) {
let cap = match v {
Self::REMOTE_ATTEST => Self::RemoteAttest,
+ Self::TRUSTY_SECURITY_VM => Self::TrustySecurityVm,
Self::SECRETKEEPER_PROTECTION => Self::SecretkeeperProtection,
Self::SUPPORTS_UEFI_BOOT => Self::SupportsUefiBoot,
_ => return Err(PvmfwVerifyError::UnknownVbmetaProperty),
diff --git a/guest/pvmfw/avb/tests/api_test.rs b/guest/pvmfw/avb/tests/api_test.rs
index 72c795c..430c4b3 100644
--- a/guest/pvmfw/avb/tests/api_test.rs
+++ b/guest/pvmfw/avb/tests/api_test.rs
@@ -62,6 +62,7 @@
&load_latest_trusty_security_vm_signed_kernel()?,
salt,
expected_rollback_index,
+ vec![Capability::TrustySecurityVm],
)
}
@@ -442,10 +443,11 @@
.map_err(|e| anyhow!("Verification failed. Error: {}", e))?;
assert!(verified_boot_data.has_capability(Capability::RemoteAttest));
+ assert!(verified_boot_data.has_capability(Capability::TrustySecurityVm));
assert!(verified_boot_data.has_capability(Capability::SecretkeeperProtection));
assert!(verified_boot_data.has_capability(Capability::SupportsUefiBoot));
// Fail if this test doesn't actually cover all supported capabilities.
- assert_eq!(Capability::COUNT, 3);
+ assert_eq!(Capability::COUNT, 4);
Ok(())
}
diff --git a/guest/pvmfw/avb/tests/utils.rs b/guest/pvmfw/avb/tests/utils.rs
index 0e836d5..61bfbf2 100644
--- a/guest/pvmfw/avb/tests/utils.rs
+++ b/guest/pvmfw/avb/tests/utils.rs
@@ -143,6 +143,7 @@
kernel: &[u8],
salt: &[u8],
expected_rollback_index: u64,
+ capabilities: Vec<Capability>,
) -> Result<()> {
let public_key = load_trusted_public_key()?;
let verified_boot_data = verify_payload(
@@ -160,7 +161,7 @@
kernel_digest,
initrd_digest: None,
public_key: &public_key,
- capabilities: vec![],
+ capabilities,
rollback_index: expected_rollback_index,
};
assert_eq!(expected_boot_data, verified_boot_data);
diff --git a/guest/pvmfw/src/main.rs b/guest/pvmfw/src/main.rs
index aeced51..b9794c6 100644
--- a/guest/pvmfw/src/main.rs
+++ b/guest/pvmfw/src/main.rs
@@ -154,6 +154,11 @@
return Err(RebootReason::InvalidPayload);
}
(false, instance_hash.unwrap())
+ } else if verified_boot_data.has_capability(Capability::TrustySecurityVm) {
+ // The rollback protection of Trusty VMs are handled by AuthMgr, so we don't need to
+ // handle it here.
+ info!("Trusty Security VM detected");
+ (false, instance_hash.unwrap())
} else {
info!("Fallback to instance.img based rollback checks");
let (recorded_entry, mut instance_img, header_index) =
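Review bot: The new `TrustySecurityVm` branch calls `instance_hash.unwrap()` with no guard visible in this hunk, so if `instance_hash` can be `None` on this path pvmfw would panic during boot instead of returning a `RebootReason`. The surrounding code already returns `Err(RebootReason::InvalidPayload)`, so something like `(false, instance_hash.ok_or(RebootReason::InvalidPayload)?)` would fail closed. The definition of `instance_hash` and the start of the `if` chain are outside the hunk, so this needs confirming there. This branch also bypasses the instance.img rollback checks purely on a vbmeta property, so the comment should state the assumption it relies on, for example `// Rollback protection for the Trusty Security VM is enforced by AuthMgr, so pvmfw skips the instance.img checks here.`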
diff --git a/guest/trusty/security_vm/launcher/Android.bp b/guest/trusty/security_vm/launcher/Android.bp
index 38e3e42..286772a 100644
--- a/guest/trusty/security_vm/launcher/Android.bp
+++ b/guest/trusty/security_vm/launcher/Android.bp
@@ -53,6 +53,12 @@
private_key: ":trusty_vm_sign_key",
salt: trusty_security_vm_salt,
rollback_index: TRUSTY_SECURITY_VM_VERSION,
+ props: [
+ {
+ name: "com.android.virt.cap",
+ value: "trusty_security_vm",
+ },
+ ],
src: ":empty_file",
enabled: false,
arch: {