Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / fe0b976b683f2b83a9c6a49159ece8a575d5c06e^! / . / guest / pvmfw / avb / tests
commitfe0b976b683f2b83a9c6a49159ece8a575d5c06e[log] [tgz]
authorAlice Wang <aliceywang@google.com>Thu Nov 21 14:47:54 2024 +0000
committerAlice Wang <aliceywang@google.com>Thu Nov 21 16:14:13 2024 +0000
treedd7bfb47b1cf24f20d63e3a29eac70ddee5eb871
parent5ab9e58e840b199682636eb6fdfe4cb9b7b7b8c5 [diff]
Skip rollback protection in pvmfw for Trusty Security VM

This cl introduces a new capability for the Trusty Security VM. It
allows pvmfw to identify it and skips the existing rollback
protection mechanism.

Bug: 379868478
Test: atest libpvmfw_avb.integration_test
Change-Id: Ice2118b940bd50d064617a3e99eba993ee9db6c8

diff --git a/guest/pvmfw/avb/tests/api_test.rs b/guest/pvmfw/avb/tests/api_test.rs
index 72c795c..430c4b3 100644
--- a/guest/pvmfw/avb/tests/api_test.rs
+++ b/guest/pvmfw/avb/tests/api_test.rs

@@ -62,6 +62,7 @@
         &load_latest_trusty_security_vm_signed_kernel()?,
         salt,
         expected_rollback_index,
+        vec![Capability::TrustySecurityVm],
     )
 }
 
@@ -442,10 +443,11 @@
     .map_err(|e| anyhow!("Verification failed. Error: {}", e))?;
 
     assert!(verified_boot_data.has_capability(Capability::RemoteAttest));
+    assert!(verified_boot_data.has_capability(Capability::TrustySecurityVm));
     assert!(verified_boot_data.has_capability(Capability::SecretkeeperProtection));
     assert!(verified_boot_data.has_capability(Capability::SupportsUefiBoot));
     // Fail if this test doesn't actually cover all supported capabilities.
-    assert_eq!(Capability::COUNT, 3);
+    assert_eq!(Capability::COUNT, 4);
 
     Ok(())
 }

diff --git a/guest/pvmfw/avb/tests/utils.rs b/guest/pvmfw/avb/tests/utils.rs
index 0e836d5..61bfbf2 100644
--- a/guest/pvmfw/avb/tests/utils.rs
+++ b/guest/pvmfw/avb/tests/utils.rs

@@ -143,6 +143,7 @@
     kernel: &[u8],
     salt: &[u8],
     expected_rollback_index: u64,
+    capabilities: Vec<Capability>,
 ) -> Result<()> {
     let public_key = load_trusted_public_key()?;
     let verified_boot_data = verify_payload(
@@ -160,7 +161,7 @@
         kernel_digest,
         initrd_digest: None,
         public_key: &public_key,
-        capabilities: vec![],
+        capabilities,
         rollback_index: expected_rollback_index,
     };
     assert_eq!(expected_boot_data, verified_boot_data);