Skip rollback protection in pvmfw for Trusty Security VM
This CL introduces a new capability for the Trusty Security VM. It
allows pvmfw to identify that VM and skip the existing rollback
protection mechanism for it.
Bug: 379868478
Test: atest libpvmfw_avb.integration_test
Change-Id: Ice2118b940bd50d064617a3e99eba993ee9db6c8
diff --git a/guest/pvmfw/avb/src/verify.rs b/guest/pvmfw/avb/src/verify.rs
index bd700ce..a073502 100644
--- a/guest/pvmfw/avb/src/verify.rs
+++ b/guest/pvmfw/avb/src/verify.rs
@@ -70,6 +70,8 @@
RemoteAttest,
/// Secretkeeper protected secrets.
SecretkeeperProtection,
+ /// Trusty security VM.
+ TrustySecurityVm,
/// UEFI support for booting guest kernel.
SupportsUefiBoot,
/// (internal)
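Review bot: The doc comment on `TrustySecurityVm` says only "Trusty security VM." and omits the security-relevant effect described in the commit message, namely that pvmfw skips rollback protection for an image declaring this capability. I would expand it to something like `/// Trusty security VM; pvmfw skips its rollback protection for images declaring this capability.` so that a reader of the enum sees that this variant relaxes a protection rather than adding one. The enum definition starts and ends outside the hunk.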
@@ -80,6 +82,7 @@
impl Capability {
const KEY: &'static str = "com.android.virt.cap";
const REMOTE_ATTEST: &'static [u8] = b"remote_attest";
+ const TRUSTY_SECURITY_VM: &'static [u8] = b"trusty_security_vm";
const SECRETKEEPER_PROTECTION: &'static [u8] = b"secretkeeper_protection";
const SEPARATOR: u8 = b'|';
const SUPPORTS_UEFI_BOOT: &'static [u8] = b"supports_uefi_boot";
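Review bot: The new entry is placed inconsistently across the three hunks. `TRUSTY_SECURITY_VM` here and the match arm in the parsing hunk sit directly after the `REMOTE_ATTEST` entry, while the `TrustySecurityVm` variant in the enum hunk sits after `SecretkeeperProtection`. The existing constants look alphabetically ordered (`KEY`, `REMOTE_ATTEST`, `SECRETKEEPER_PROTECTION`, `SEPARATOR`, `SUPPORTS_UEFI_BOOT`), so I would move `const TRUSTY_SECURITY_VM: &'static [u8] = b"trusty_security_vm";` to after `SUPPORTS_UEFI_BOOT` and put the variant and the match arm last among the named capabilities as well. The `impl Capability` block continues outside the hunk.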
@@ -98,6 +101,7 @@
for v in descriptor.value.split(|b| *b == Self::SEPARATOR) {
let cap = match v {
Self::REMOTE_ATTEST => Self::RemoteAttest,
+ Self::TRUSTY_SECURITY_VM => Self::TrustySecurityVm,
Self::SECRETKEEPER_PROTECTION => Self::SecretkeeperProtection,
Self::SUPPORTS_UEFI_BOOT => Self::SupportsUefiBoot,
_ => return Err(PvmfwVerifyError::UnknownVbmetaProperty),
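Review bot: The new arm `Self::TRUSTY_SECURITY_VM => Self::TrustySecurityVm` is the only visible gate for a capability that, per the commit message, turns off rollback protection. Nothing in the hunk restricts which image may declare it or whether it may be combined with other capabilities such as `SecretkeeperProtection`. The hunk does not show whether these property bytes are parsed only after the vbmeta signature has been verified; if they are, a comment on the arm such as `// Relaxes rollback protection downstream; the property must come from a verified vbmeta.` would make that dependency explicit. A negative test pinning which images and capability combinations are accepted would be worth adding if the integration test named in the commit message does not already cover it. The loop and its enclosing function start and end outside the hunk.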