pa-fazil
/
android_packages_modules_Virtualization
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Split out restricted header 

Remove the "restricted" functions from vm_payload.h and move them into
vm_payload_restricted.h. Update build rules so that we use
vm_payload_restricted.h in the places we need to.

The restricted APIs will not be made available for priv apps, so they
don't need to be in the headers made available to priv apps.

Add a test to make sure the restricted APIs are in fact restricted.

Bug: 243512108
Test: atest MicrodroidTests ComposTestCase
Change-Id: I0bf0618b1fb572075ba7fb55644300ae1784cada
This commit is contained in:
Alan Stokes 2022-11-10 12:17:42 +00:00
parent 8737672c39
commit d4ea5a867e
8 changed files with 98 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
compos/compos_key_helper/Android.bp
View File

@ -24,6 +24,7 @@ cc_binary {
defaults: ["compos_key_defaults"],
srcs: ["compos_key_main.cpp"],
header_libs: ["vm_payload_restricted_headers"],
static_libs: [
"libcompos_key",
],

2
compos/compos_key_helper/compos_key_main.cpp
View File

@ -17,7 +17,7 @@
#include <android-base/file.h>
#include <android-base/logging.h>
#include <unistd.h>
#include <vm_payload.h>
#include <vm_payload_restricted.h>
#include <string_view>
#include <vector>

12
microdroid/vm_payload/Android.bp
View File

@ -29,7 +29,7 @@ rust_ffi_shared {
rust_bindgen {
name: "libvm_payload_bindgen",
wrapper_src: "include/vm_payload.h",
wrapper_src: "include-restricted/vm_payload_restricted.h",
crate_name: "vm_payload_bindgen",
source_stem: "bindings",
apex_available: ["com.android.compos"],
@ -41,5 +41,15 @@ rust_bindgen {
cc_library_headers {
name: "vm_payload_headers",
apex_available: ["com.android.compos"],
export_include_dirs: ["include"],
}
cc_library_headers {
name: "vm_payload_restricted_headers",
header_libs: ["vm_payload_headers"],
export_header_lib_headers: ["vm_payload_headers"],
export_include_dirs: ["include-restricted"],
apex_available: ["com.android.compos"],
visibility: ["//packages/modules/Virtualization:__subpackages__"],
}

56
microdroid/vm_payload/include-restricted/vm_payload_restricted.h Normal file
View File

@ -0,0 +1,56 @@
/*
* Copyright (C) 2022 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#pragma once
#include <stdbool.h>
#include <stddef.h>
#include <sys/cdefs.h>
#include "vm_payload.h"
// The functions declared here are restricted to VMs created with a config file;
// they will fail if called in other VMs. The ability to create such VMs
// requires the android.permission.USE_CUSTOM_VIRTUAL_MACHINE permission, and is
// therefore not available to privileged or third party apps.
// These functions can be used by tests, if the permission is granted via shell.
__BEGIN_DECLS
/**
* Get the VM's DICE attestation chain.
*
* \param data pointer to size bytes where the chain is written.
* \param size number of bytes that can be written to data.
* \param total outputs the total size of the chain if the function succeeds
*
* \return true on success and false on failure.
*/
bool AVmPayload_getDiceAttestationChain(void *data, size_t size, size_t *total);
/**
* Get the VM's DICE attestation CDI.
*
* \param data pointer to size bytes where the CDI is written.
* \param size number of bytes that can be written to data.
* \param total outputs the total size of the CDI if the function succeeds
*
* \return true on success and false on failure.
*/
bool AVmPayload_getDiceAttestationCdi(void *data, size_t size, size_t *total);
__END_DECLS

35
microdroid/vm_payload/include/vm_payload.h
View File

@ -18,12 +18,11 @@
#include <stdbool.h>
#include <stddef.h>
#include <sys/cdefs.h>
#include "vm_main.h"
#ifdef __cplusplus
extern "C" {
#endif
__BEGIN_DECLS
struct AIBinder;
typedef struct AIBinder AIBinder;
@ -70,32 +69,6 @@ bool AVmPayload_runVsockRpcServer(AIBinder *service, unsigned int port,
bool AVmPayload_getVmInstanceSecret(const void *identifier, size_t identifier_size, void *secret,
size_t size);
/**
* Get the VM's DICE attestation chain.
*
* This function will fail if the use of restricted APIs is not permitted.
*
* \param data pointer to size bytes where the chain is written.
* \param size number of bytes that can be written to data.
* \param total outputs the total size of the chain if the function succeeds
*
* \return true on success and false on failure.
*/
bool AVmPayload_getDiceAttestationChain(void *data, size_t size, size_t *total);
/**
* Get the VM's DICE attestation CDI.
*
* This function will fail if the use of restricted APIs is not permitted.
*
* \param data pointer to size bytes where the CDI is written.
* \param size number of bytes that can be written to data.
* \param total outputs the total size of the CDI if the function succeeds
*
* \return true on success and false on failure.
*/
bool AVmPayload_getDiceAttestationCdi(void *data, size_t size, size_t *total);
/**
* Gets the path to the APK contents. It is a directory, under which are
* the unzipped contents of the APK containing the payload, all read-only
@ -107,6 +80,4 @@ bool AVmPayload_getDiceAttestationCdi(void *data, size_t size, size_t *total);
*/
const char *AVmPayload_getApkContentsPath(void);
#ifdef __cplusplus
} // extern "C"
#endif
__END_DECLS

1
tests/testapk/Android.bp
View File

@ -35,6 +35,7 @@ cc_library_shared {
name: "MicrodroidTestNativeLib",
srcs: ["src/native/testbinary.cpp"],
stl: "libc++_static",
header_libs: ["vm_payload_restricted_headers"],
shared_libs: [
"libbinder_ndk",
"MicrodroidTestNativeLibSub",

24
tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
View File

@ -28,6 +28,7 @@ import static java.nio.file.StandardCopyOption.REPLACE_EXISTING;
import android.content.Context;
import android.os.Build;
import android.os.ParcelFileDescriptor;
import android.os.ServiceSpecificException;
import android.os.SystemProperties;
import android.system.virtualmachine.ParcelVirtualMachine;
import android.system.virtualmachine.VirtualMachine;
@ -337,7 +338,10 @@ public class MicrodroidTests extends MicrodroidDeviceTestBase {
}
};
listener.runToFinish(TAG, vm);
assertThat(exception.getNow(null)).isNull();
Exception e = exception.getNow(null);
if (e != null) {
throw e;
}
return vmCdis;
}
@ -438,6 +442,24 @@ public class MicrodroidTests extends MicrodroidDeviceTestBase {
}
}
@Test
@CddTest(requirements = {
"9.17/C-1-1",
"9.17/C-1-2"
})
public void accessToCdisIsRestricted() throws Exception {
assumeSupportedKernel();
VirtualMachineConfig config = mInner.newVmConfigBuilder()
.setPayloadBinaryPath("MicrodroidTestNativeLib.so")
.setDebugLevel(DEBUG_LEVEL_FULL)
.build();
mInner.forceCreateNewVirtualMachine("test_vm", config);
assertThrows(ServiceSpecificException.class, () -> launchVmAndGetCdis("test_vm"));
}
private static final UUID MICRODROID_PARTITION_UUID =
UUID.fromString("cf9afe9a-0662-11ec-a329-c32663a09d75");
private static final UUID U_BOOT_AVB_PARTITION_UUID =

4
tests/testapk/src/native/testbinary.cpp
View File

@ -28,7 +28,7 @@
#include <sys/system_properties.h>
#include <unistd.h>
#include <vm_main.h>
#include <vm_payload.h>
#include <vm_payload_restricted.h>
#include <string>
@ -79,7 +79,7 @@ Result<void> start_test_service() {
if (!AVmPayload_getVmInstanceSecret(identifier, sizeof(identifier), out->data(),
out->size())) {
return ndk::ScopedAStatus::
fromServiceSpecificErrorWithMessage(0, "Failed to VM instance secret");
fromServiceSpecificErrorWithMessage(0, "Failed to get VM instance secret");
}
return ndk::ScopedAStatus::ok();
}