virtmgr: drop support for qcow2 and composite as partition images

We'll now throw an error if qcow2 or composite disks are passed as
partition images. The code for detecting the image type and calculating
the partition size has been forked from crosvm and significantly
simplified.

We still depend on crosvm's library for generating composite disk files
and GUID Partition Tables.

=== Why? ===

The real motivation for this change is that the `disk` crate APIs have
changed in crosvm and it doesn't seem possible to use the new API
correctly from virtmgr. The main issue is that the `disk` crate now
wants to open the file itself from a path (so that it can ensure
consistent file locking and use of features like O_DIRECT and overlapped
IO). virtmgr only has an FD for the partition images, so it would need
to give the crosvm library a "/proc/self/fd/..." path. However, crosvm
code only allows those paths if they've come from a parent process and
it attempts to validate that by checking for the absense of the CLOEXEC
flag. We can't safely clear the CLOEXEC flag on a file in virtmgr
without introducing a race condition with exec calls on other threads.

You might think "the real problem is the crosvm API change, it should be
reverted", but these are crosvm internal APIs and we aren't supposed to
be using them to begin with. I'm the author the API changes and I can't
think of a good alternative that doesn't meaningfully make the crosvm
code worse and possibly reintroduce some of the bugs that are being
fixed.

=== Are we losing something useful? ===

I think these two image formats aren't actually useful as partition
images in the current AVF design.

If a VM is requested with a DiskImage containing a list of partition
images, virtmgr generates a composite disk image from those partitions.
The individual partition images are passed as FDs, at least in part
because virtmgr and crosvm processes are unlikely to have permissions to
open them from a filesystem path.

When one of the partition images themselves is a composite image things
get tricky. The crosvm process would need to open the files specified
within that image using their paths (which it doesn't have permissions
to do, as mentioned above). One might try working around that using a
"/proc/self/fd/..." path, however, there is no way to pass those FDs the
virtmgr process and virtmgr doesn't have any logic to pass them along to
the crosvm process.

QCOW2 has similar issues for its "backing file" feature. Given the
subset of QCOW2 features supported by crosvm right now, I believe the
only good reason to use it is for the "backing file" functionality.

Note that these two formats will continue to work (to the limited degree
they did before) when passed directly as the root of a DiskImage.

=== Is there a better long term solution? ===

The virtmgr code for creating a composite file looks like it has been
forked from the `crosvm create_composite` CLI command. One idea is to
de-fork by having virtmgr invoke that command. At least one hurdle in
that direction is that we'll probably want that invocation of crosvm to
use a different SELinux domain so that we don't have to give the main
VMM instance permissions to create files and such.

Another idea is to push the complexity onto the caller. Make them pass
the partition size explicitly instead of inferring it from the image
file.

Bug: 364645148, 330911976, 269356487
Test: launch microdroid
Change-Id: Ibb686b51b646c52993c3c02f5738bcb2356f7432
3 files changed
tree: cdff084ee98f6ae6f4c565093b032e750da34c67
  1. android/
  2. build/
  3. docs/
  4. guest/
  5. libs/
  6. microfuchsia/
  7. tests/
  8. .clang-format
  9. .gitignore
  10. Android.bp
  11. dice_for_avf_guest.cddl
  12. OWNERS
  13. PREUPLOAD.cfg
  14. README.md
  15. rustfmt.toml
  16. TEST_MAPPING
README.md

Android Virtualization Framework (AVF)

Android Virtualization Framework (AVF) provides secure and private execution environments for executing code. AVF is ideal for security-oriented use cases that require stronger isolation assurances over those offered by Android’s app sandbox.

Visit our public doc site to learn more about what AVF is, what it is for, and how it is structured. This repository contains source code for userspace components of AVF.

If you want a quick start, see the getting started guideline and follow the steps there.

For in-depth explanations about individual topics and components, visit the following links.

AVF components:

AVF APIs:

How-Tos: