pvmfw: Add fixed-digest RBP for desktop TEE VM

Define a reserved com.android.virt.name for the TEE VM and detect it in
pvmfw to perform fixed-digest rollback protection on platforms that ship
the VM or reject payloads with the name on platforms that don't.

Distinguish between the two by enabling "platform_has_desktop_trusty" only
for pvmfw_trusty, for now.

Bug: 392628867
Bug: 402505709
Test: m libpvmfw libpvmfw_desktop
Test: mmm packages/modules/Virtualization/guest/pvmfw
Flag: EXEMPT b/406977494
Change-Id: I5dc574c163041b09338d73b2f9d3fbbfee0114ef
diff --git a/guest/pvmfw/Android.bp b/guest/pvmfw/Android.bp
index 91972c9..500a0b5 100644
--- a/guest/pvmfw/Android.bp
+++ b/guest/pvmfw/Android.bp
@@ -552,6 +552,10 @@
     defaults: ["libpvmfw.defaults"],
     // This enables pvmfw_desktop to be built with a different set of features.
     features: [
+        "platform_has_desktop_trusty",
+    ],
+    srcs: [
+        ":desktop_trusty_vbmeta_digest",
     ],
 }
 
diff --git a/guest/pvmfw/README.md b/guest/pvmfw/README.md
index b064d15..3198d0c 100644
--- a/guest/pvmfw/README.md
+++ b/guest/pvmfw/README.md
@@ -510,6 +510,7 @@
   [`component_name`][dice-comp-name] (defaults to `"vm_entry"`) in the guest
   DICE certificate and to identify special VMs such as
   - `"rkp_vm"` is reserved for the [RKP VM][rkp-vm] for Remote Key Provisioning
+  - `"desktop-trusty"` is reserved for the Trusty-based desktop TEE VM
 
 [dice-comp-name]: https://cs.android.com/android/platform/superproject/main/+/main:external/open-dice/docs/android.md;l=81;drc=6d511e9533eac05d64d47fcd78ac5d881e72c3de
 [rkp-vm]: https://cs.android.com/android/platform/superproject/main/+/main:packages/modules/Virtualization/docs/service_vm.md;l=45;drc=1afff42ab507ea58579d4b3801fad5157e6663bb
diff --git a/guest/pvmfw/avb/src/verify.rs b/guest/pvmfw/avb/src/verify.rs
index 6d4ff7d..e81c379 100644
--- a/guest/pvmfw/avb/src/verify.rs
+++ b/guest/pvmfw/avb/src/verify.rs
@@ -56,6 +56,8 @@
 impl VerifiedBootData<'_> {
     /// Name of the Remote Key Provisioning VM.
     pub const RKP_VM_NAME: &'static str = "rkp_vm";
+    /// Name of the Trusty-based TEE VM for desktop platforms.
+    pub const DESKTOP_TRUSTY_VM_NAME: &'static str = "desktop-trusty";
 
     /// Returns whether the kernel have the given capability
     pub fn has_capability(&self, cap: Capability) -> bool {
diff --git a/guest/pvmfw/src/rollback.rs b/guest/pvmfw/src/rollback.rs
index 76571f8..973ca51 100644
--- a/guest/pvmfw/src/rollback.rs
+++ b/guest/pvmfw/src/rollback.rs
@@ -34,12 +34,12 @@
 
 /// Criteria hard-coded into pvmfw, to perform fixed image verification.
 enum FixedRollbackCriterion {
-    #[allow(dead_code)] // TODO(b/402505709): Use this.
+    #[cfg_attr(not(platform_has_desktop_trusty), allow(dead_code))]
     /// Image must match the exact AVB digest (incl. image hash, rollback index, or public key).
     AvbDigest { digest: Digest },
     /// Image must match the exact rollback index and have been signed with the given public key.
     RollbackIndexPublicKey { index: u64, public_key: &'static [u8] },
-    #[allow(dead_code)] // TODO(b/402505709): Use this.
+    #[cfg_attr(platform_has_desktop_trusty, allow(dead_code))]
     /// Image identifier is reserved but not supported on this platform so must be rejected.
     Reserved { name: &'static str },
 }
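Review bot: The `cfg_attr` conditions on `AvbDigest` and `Reserved` test a bare `platform_has_desktop_trusty` cfg, but the Android.bp hunk in this commit adds that name under `features:`, which Soong hands to rustc as `feature = "platform_has_desktop_trusty"`. Unless the bare cfg is set somewhere outside this diff, neither condition ever sees the desktop configuration. The `cfg_if!` in the later rollback.rs hunk has the same problem, so the desktop build would take the `Reserved` branch and reject the TEE VM instead of checking its digest. That fails closed, but it is not the behaviour the commit describes. I would write `#[cfg_attr(not(feature = "platform_has_desktop_trusty"), allow(dead_code))]`, `#[cfg_attr(feature = "platform_has_desktop_trusty", allow(dead_code))]` and `if #[cfg(feature = "platform_has_desktop_trusty")]`, or else move the name to `cfgs:` in Android.bp.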
@@ -96,6 +96,19 @@
             index: service_vm_version::VERSION,
             public_key: pvmfw_embedded_key::PUBLIC_KEY,
         }),
+        VerifiedBootData::DESKTOP_TRUSTY_VM_NAME => {
+            cfg_if::cfg_if! {
+                if #[cfg(platform_has_desktop_trusty)] {
+                    let digest = include_bytes!(
+                        concat!(env!("OUT_DIR"), "/desktop_trusty.vbmetadigest")
+                    ).try_into().unwrap();
+                    Some(FixedRollbackCriterion::AvbDigest { digest })
+                } else {
+                    let name = VerifiedBootData::DESKTOP_TRUSTY_VM_NAME;
+                    Some(FixedRollbackCriterion::Reserved { name })
+                }
+            }
+        }
         _ => None,
     }
 }
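Review bot: The `.try_into().unwrap()` on the embedded digest can only fail when pvmfw reaches this match arm at boot, so a `desktop_trusty.vbmetadigest` of the wrong length becomes a firmware panic rather than a build error. The length is known at compile time, so I would bind the bytes to a constant and assert on it. Assuming `Digest` is a plain fixed-size byte array (its definition is not in this hunk), that would be `const DIGEST_BYTES: &[u8] = include_bytes!(concat!(env!("OUT_DIR"), "/desktop_trusty.vbmetadigest"));` followed by `const _: () = assert!(DIGEST_BYTES.len() == core::mem::size_of::<Digest>());`. A one-line comment saying which build target produces the file would also help anyone auditing what image this arm pins. The enclosing function begins and the match continues outside the hunk.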