1 // Copyright 2021, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 //! Microdroid Manager
16
17 mod dice;
18 mod instance;
19 mod ioutil;
20 mod payload;
21 mod swap;
22 mod verify;
23 mod vm_payload_service;
24 mod vm_secret;
25
26 use android_system_virtualizationcommon::aidl::android::system::virtualizationcommon::ErrorCode::ErrorCode;
27 use android_system_virtualmachineservice::aidl::android::system::virtualmachineservice::IVirtualMachineService::IVirtualMachineService;
28 use android_system_virtualization_payload::aidl::android::system::virtualization::payload::IVmPayloadService::{
29 VM_APK_CONTENTS_PATH,
30 VM_PAYLOAD_SERVICE_SOCKET_NAME,
31 ENCRYPTEDSTORE_MOUNTPOINT,
32 };
33
34 use crate::dice::dice_derivation;
35 use crate::instance::{InstanceDisk, MicrodroidData};
36 use crate::verify::verify_payload;
37 use crate::vm_payload_service::register_vm_payload_service;
38 use anyhow::{anyhow, bail, ensure, Context, Error, Result};
39 use binder::Strong;
40 use dice_driver::DiceDriver;
41 use keystore2_crypto::ZVec;
42 use libc::VMADDR_CID_HOST;
43 use log::{error, info};
44 use microdroid_metadata::{Metadata, PayloadMetadata};
45 use microdroid_payload_config::{ApkConfig, OsConfig, Task, TaskType, VmPayloadConfig};
46 use nix::mount::{umount2, MntFlags};
47 use nix::sys::signal::Signal;
48 use payload::load_metadata;
49 use rpcbinder::RpcSession;
50 use rustutils::sockets::android_get_control_socket;
51 use rustutils::system_properties;
52 use rustutils::system_properties::PropertyWatcher;
53 use secretkeeper_comm::data_types::ID_SIZE;
54 use std::borrow::Cow::{Borrowed, Owned};
55 use std::env;
56 use std::ffi::CString;
57 use std::fs::{self, create_dir, File, OpenOptions};
58 use std::io::{Read, Write};
59 use std::os::unix::io::OwnedFd;
60 use std::os::unix::process::CommandExt;
61 use std::os::unix::process::ExitStatusExt;
62 use std::path::Path;
63 use std::process::{Child, Command, Stdio};
64 use std::str;
65 use std::time::Duration;
66 use vm_secret::VmSecret;
67
68 const WAIT_TIMEOUT: Duration = Duration::from_secs(10);
69 const AVF_STRICT_BOOT: &str = "/proc/device-tree/chosen/avf,strict-boot";
70 const AVF_NEW_INSTANCE: &str = "/proc/device-tree/chosen/avf,new-instance";
71 const AVF_DEBUG_POLICY_RAMDUMP: &str = "/proc/device-tree/avf/guest/common/ramdump";
72 const DEBUG_MICRODROID_NO_VERIFIED_BOOT: &str =
73 "/proc/device-tree/virtualization/guest/debug-microdroid,no-verified-boot";
74 const SECRETKEEPER_KEY: &str = "/proc/device-tree/avf/secretkeeper_public_key";
75 const INSTANCE_ID_PATH: &str = "/proc/device-tree/avf/untrusted/instance-id";
76 const DEFER_ROLLBACK_PROTECTION: &str = "/proc/device-tree/avf/untrusted/defer-rollback-protection";
77
78 const ENCRYPTEDSTORE_BIN: &str = "/system/bin/encryptedstore";
79 const ZIPFUSE_BIN: &str = "/system/bin/zipfuse";
80
81 const APEX_CONFIG_DONE_PROP: &str = "apex_config.done";
82 const DEBUGGABLE_PROP: &str = "ro.boot.microdroid.debuggable";
83
84 // SYNC WITH virtualizationservice/src/crosvm.rs
85 const FAILURE_SERIAL_DEVICE: &str = "/dev/ttyS1";
86
87 const ENCRYPTEDSTORE_BACKING_DEVICE: &str = "/dev/block/by-name/encryptedstore";
88 const ENCRYPTEDSTORE_KEYSIZE: usize = 32;
89
90 const DICE_CHAIN_FILE: &str = "/microdroid_resources/dice_chain.raw";
91
92 #[derive(thiserror::Error, Debug)]
93 enum MicrodroidError {
94 #[error("Cannot connect to virtualization service: {0}")]
95 FailedToConnectToVirtualizationService(String),
96 #[error("Payload has changed: {0}")]
97 PayloadChanged(String),
98 #[error("Payload verification has failed: {0}")]
99 PayloadVerificationFailed(String),
100 #[error("Payload config is invalid: {0}")]
101 PayloadInvalidConfig(String),
102 }
103
translate_error(err: &Error) -> (ErrorCode, String)104 fn translate_error(err: &Error) -> (ErrorCode, String) {
105 if let Some(e) = err.downcast_ref::<MicrodroidError>() {
106 match e {
107 MicrodroidError::PayloadChanged(msg) => (ErrorCode::PAYLOAD_CHANGED, msg.to_string()),
108 MicrodroidError::PayloadVerificationFailed(msg) => {
109 (ErrorCode::PAYLOAD_VERIFICATION_FAILED, msg.to_string())
110 }
111 MicrodroidError::PayloadInvalidConfig(msg) => {
112 (ErrorCode::PAYLOAD_INVALID_CONFIG, msg.to_string())
113 }
114 // Connection failure won't be reported to VS; return the default value
115 MicrodroidError::FailedToConnectToVirtualizationService(msg) => {
116 (ErrorCode::UNKNOWN, msg.to_string())
117 }
118 }
119 } else {
120 (ErrorCode::UNKNOWN, err.to_string())
121 }
122 }
123
write_death_reason_to_serial(err: &Error) -> Result<()>124 fn write_death_reason_to_serial(err: &Error) -> Result<()> {
125 let death_reason = if let Some(e) = err.downcast_ref::<MicrodroidError>() {
126 Borrowed(match e {
127 MicrodroidError::FailedToConnectToVirtualizationService(_) => {
128 "MICRODROID_FAILED_TO_CONNECT_TO_VIRTUALIZATION_SERVICE"
129 }
130 MicrodroidError::PayloadChanged(_) => "MICRODROID_PAYLOAD_HAS_CHANGED",
131 MicrodroidError::PayloadVerificationFailed(_) => {
132 "MICRODROID_PAYLOAD_VERIFICATION_FAILED"
133 }
134 MicrodroidError::PayloadInvalidConfig(_) => "MICRODROID_INVALID_PAYLOAD_CONFIG",
135 })
136 } else {
137 // Send context information back after a separator, to ease diagnosis.
138 // These errors occur before the payload runs, so this should not leak sensitive
139 // information.
140 Owned(format!("MICRODROID_UNKNOWN_RUNTIME_ERROR|{:?}", err))
141 };
142
143 let mut serial_file = OpenOptions::new().read(false).write(true).open(FAILURE_SERIAL_DEVICE)?;
144 serial_file.write_all(death_reason.as_bytes()).context("serial device write_all failed")?;
145 // Block until the serial port trasmits all the data to the host.
146 nix::sys::termios::tcdrain(&serial_file).context("tcdrain failed")?;
147
148 Ok(())
149 }
150
151 /// The (host allocated) instance_id can be found at node /avf/untrusted/ in the device tree.
get_instance_id() -> Result<Option<[u8; ID_SIZE]>>152 fn get_instance_id() -> Result<Option<[u8; ID_SIZE]>> {
153 let path = Path::new(INSTANCE_ID_PATH);
154 let instance_id = if path.exists() {
155 Some(
156 fs::read(path)?
157 .try_into()
158 .map_err(|x: Vec<_>| anyhow!("Expected {ID_SIZE} bytes, found {:?}", x.len()))?,
159 )
160 } else {
161 // TODO(b/325094712): x86 support for Device tree in nested guest is limited/broken/
162 // untested. So instance_id will not be present in cuttlefish.
163 None
164 };
165 Ok(instance_id)
166 }
167
should_defer_rollback_protection() -> bool168 fn should_defer_rollback_protection() -> bool {
169 Path::new(DEFER_ROLLBACK_PROTECTION).exists()
170 }
171
main() -> Result<()>172 fn main() -> Result<()> {
173 // SAFETY: This is very early in the process. Nobody has taken ownership of the inherited FDs
174 // yet.
175 unsafe { rustutils::inherited_fd::init_once()? };
176
177 // If debuggable, print full backtrace to console log with stdio_to_kmsg
178 if is_debuggable()? {
179 env::set_var("RUST_BACKTRACE", "full");
180 }
181
182 scopeguard::defer! {
183 info!("Shutting down...");
184 if let Err(e) = system_properties::write("sys.powerctl", "shutdown") {
185 error!("failed to shutdown {:?}", e);
186 }
187 }
188
189 try_main().map_err(|e| {
190 error!("Failed with {:?}.", e);
191 if let Err(e) = write_death_reason_to_serial(&e) {
192 error!("Failed to write death reason {:?}", e);
193 }
194 e
195 })
196 }
197
try_main() -> Result<()>198 fn try_main() -> Result<()> {
199 android_logger::init_once(
200 android_logger::Config::default()
201 .with_tag("microdroid_manager")
202 .with_max_level(log::LevelFilter::Info),
203 );
204 info!("started.");
205
206 let vm_payload_service_fd = android_get_control_socket(VM_PAYLOAD_SERVICE_SOCKET_NAME)?;
207
208 load_crashkernel_if_supported().context("Failed to load crashkernel")?;
209
210 swap::init_swap().context("Failed to initialize swap")?;
211 info!("swap enabled.");
212
213 let service = get_vms_rpc_binder()
214 .context("cannot connect to VirtualMachineService")
215 .map_err(|e| MicrodroidError::FailedToConnectToVirtualizationService(e.to_string()))?;
216
217 match try_run_payload(&service, vm_payload_service_fd) {
218 Ok(code) => {
219 if code == 0 {
220 info!("task successfully finished");
221 } else {
222 error!("task exited with exit code: {}", code);
223 }
224 if let Err(e) = post_payload_work() {
225 error!(
226 "Failed to run post payload work. It is possible that certain tasks
227 like syncing encrypted store might be incomplete. Error: {:?}",
228 e
229 );
230 };
231
232 info!("notifying payload finished");
233 service.notifyPayloadFinished(code)?;
234 Ok(())
235 }
236 Err(err) => {
237 let (error_code, message) = translate_error(&err);
238 service.notifyError(error_code, &message)?;
239 Err(err)
240 }
241 }
242 }
243
verify_payload_with_instance_img( metadata: &Metadata, dice: &DiceDriver, state: &mut VmInstanceState, ) -> Result<MicrodroidData>244 fn verify_payload_with_instance_img(
245 metadata: &Metadata,
246 dice: &DiceDriver,
247 state: &mut VmInstanceState,
248 ) -> Result<MicrodroidData> {
249 let mut instance = InstanceDisk::new().context("Failed to load instance.img")?;
250 let saved_data = instance.read_microdroid_data(dice).context("Failed to read identity data")?;
251
252 if is_strict_boot() {
253 // Provisioning must happen on the first boot and never again.
254 if Path::new(AVF_NEW_INSTANCE).exists() {
255 ensure!(
256 saved_data.is_none(),
257 MicrodroidError::PayloadInvalidConfig(
258 "Found instance data on first boot.".to_string()
259 )
260 );
261 } else {
262 ensure!(
263 saved_data.is_some(),
264 MicrodroidError::PayloadInvalidConfig("Instance data not found.".to_string())
265 );
266 };
267 }
268
269 // Verify the payload before using it.
270 let extracted_data = verify_payload(metadata, saved_data.as_ref())
271 .context("Payload verification failed")
272 .map_err(|e| MicrodroidError::PayloadVerificationFailed(format!("{:?}", e)))?;
273
274 // In case identity is ignored (by debug policy), we should reuse existing payload data, even
275 // when the payload is changed. This is to keep the derived secret same as before.
276 let instance_data = if let Some(saved_data) = saved_data {
277 if !is_verified_boot() {
278 if saved_data != extracted_data {
279 info!("Detected an update of the payload, but continue (regarding debug policy)")
280 }
281 } else {
282 ensure!(
283 saved_data == extracted_data,
284 MicrodroidError::PayloadChanged(String::from(
285 "Detected an update of the payload which isn't supported yet."
286 ))
287 );
288 info!("Saved data is verified.");
289 }
290 *state = VmInstanceState::PreviouslySeen;
291 saved_data
292 } else {
293 info!("Saving verified data.");
294 instance
295 .write_microdroid_data(&extracted_data, dice)
296 .context("Failed to write identity data")?;
297 *state = VmInstanceState::NewlyCreated;
298 extracted_data
299 };
300 Ok(instance_data)
301 }
302
303 // The VM instance run can be
304 // 1. Either Newly created - which can happen if this is really a new VM instance (or a malicious
305 // Android has deleted relevant secrets)
306 // 2. Or Re-run from an already seen VM instance.
307 #[derive(PartialEq, Eq)]
308 enum VmInstanceState {
309 Unknown,
310 NewlyCreated,
311 PreviouslySeen,
312 }
313
try_run_payload( service: &Strong<dyn IVirtualMachineService>, vm_payload_service_fd: OwnedFd, ) -> Result<i32>314 fn try_run_payload(
315 service: &Strong<dyn IVirtualMachineService>,
316 vm_payload_service_fd: OwnedFd,
317 ) -> Result<i32> {
318 let metadata = load_metadata().context("Failed to load payload metadata")?;
319 let dice = if Path::new(DICE_CHAIN_FILE).exists() {
320 DiceDriver::from_file(Path::new(DICE_CHAIN_FILE))
321 .context("Failed to load DICE from file")?
322 } else {
323 DiceDriver::new(Path::new("/dev/open-dice0"), is_strict_boot())
324 .context("Failed to load DICE from driver")?
325 };
326
327 let mut state = VmInstanceState::Unknown;
328 // Microdroid skips checking payload against instance image iff the device supports
329 // secretkeeper. In that case Microdroid use VmSecret::V2, which provides instance state
330 // and protection against rollback of boot images and packages.
331 let instance_data = if should_defer_rollback_protection() {
332 verify_payload(&metadata, None)?
333 } else {
334 verify_payload_with_instance_img(&metadata, &dice, &mut state)?
335 };
336
337 let payload_metadata = metadata.payload.ok_or_else(|| {
338 MicrodroidError::PayloadInvalidConfig("No payload config in metadata".to_string())
339 })?;
340
341 // To minimize the exposure to untrusted data, derive dice profile as soon as possible.
342 info!("DICE derivation for payload");
343 let dice_artifacts = dice_derivation(dice, &instance_data, &payload_metadata)?;
344 let vm_secret = VmSecret::new(dice_artifacts, service, &mut state)
345 .context("Failed to create VM secrets")?;
346
347 let is_new_instance = match state {
348 VmInstanceState::NewlyCreated => true,
349 VmInstanceState::PreviouslySeen => false,
350 VmInstanceState::Unknown => {
351 bail!("Vm instance state is still unknown, this should not have happened");
352 }
353 };
354
355 if cfg!(dice_changes) {
356 // Now that the DICE derivation is done, it's ok to allow payload code to run.
357
358 // Start apexd to activate APEXes. This may allow code within them to run.
359 system_properties::write("ctl.start", "apexd-vm")?;
360
361 // Unmounting /microdroid_resources is a defence-in-depth effort to ensure that payload
362 // can't get hold of dice chain stored there.
363 umount2("/microdroid_resources", MntFlags::MNT_DETACH)?;
364 }
365
366 let mut zipfuse = Zipfuse::default();
367
368 // Before reading a file from the APK, start zipfuse
369 zipfuse.mount(
370 MountForExec::Allowed,
371 "fscontext=u:object_r:zipfusefs:s0,context=u:object_r:system_file:s0",
372 Path::new(verify::DM_MOUNTED_APK_PATH),
373 Path::new(VM_APK_CONTENTS_PATH),
374 "microdroid_manager.apk.mounted".to_owned(),
375 )?;
376
377 // Restricted APIs are only allowed to be used by platform or test components. Infer this from
378 // the use of a VM config file since those can only be used by platform and test components.
379 let allow_restricted_apis = match payload_metadata {
380 PayloadMetadata::ConfigPath(_) => true,
381 PayloadMetadata::Config(_) => false,
382 _ => false, // default is false for safety
383 };
384
385 let config = load_config(payload_metadata).context("Failed to load payload metadata")?;
386
387 let task = config
388 .task
389 .as_ref()
390 .ok_or_else(|| MicrodroidError::PayloadInvalidConfig("No task in VM config".to_string()))?;
391
392 ensure!(
393 config.extra_apks.len() == instance_data.extra_apks_data.len(),
394 "config expects {} extra apks, but found {}",
395 config.extra_apks.len(),
396 instance_data.extra_apks_data.len()
397 );
398 mount_extra_apks(&config, &mut zipfuse)?;
399
400 // Wait until apex config is done. (e.g. linker configuration for apexes)
401 wait_for_property_true(APEX_CONFIG_DONE_PROP).context("Failed waiting for apex config done")?;
402
403 // Run encryptedstore binary to prepare the storage
404 // Postpone initialization until apex mount completes to ensure e2fsck and resize2fs binaries
405 // are accessible.
406 let encryptedstore_child = if Path::new(ENCRYPTEDSTORE_BACKING_DEVICE).exists() {
407 info!("Preparing encryptedstore ...");
408 Some(prepare_encryptedstore(&vm_secret).context("encryptedstore run")?)
409 } else {
410 None
411 };
412
413 register_vm_payload_service(
414 allow_restricted_apis,
415 service.clone(),
416 vm_secret,
417 vm_payload_service_fd,
418 is_new_instance,
419 )?;
420
421 // Set export_tombstones if enabled
422 if should_export_tombstones(&config) {
423 // This property is read by tombstone_handler.
424 system_properties::write("microdroid_manager.export_tombstones.enabled", "1")
425 .context("set microdroid_manager.export_tombstones.enabled")?;
426 }
427
428 // Trigger init post-fs-data. This will start authfs if we wask it to.
429 if config.enable_authfs {
430 system_properties::write("microdroid_manager.authfs.enabled", "1")
431 .context("failed to write microdroid_manager.authfs.enabled")?;
432 }
433 system_properties::write("microdroid_manager.config_done", "1")
434 .context("failed to write microdroid_manager.config_done")?;
435
436 // Wait until zipfuse has mounted the APKs so we can access the payload
437 zipfuse.wait_until_done()?;
438
439 // Wait for encryptedstore to finish mounting the storage (if enabled) before setting
440 // microdroid_manager.init_done. Reason is init stops uneventd after that.
441 // Encryptedstore, however requires ueventd
442 if let Some(mut child) = encryptedstore_child {
443 let exitcode = child.wait().context("Wait for encryptedstore child")?;
444 ensure!(exitcode.success(), "Unable to prepare encrypted storage. Exitcode={}", exitcode);
445 }
446
447 // Wait for init to have finished booting.
448 wait_for_property_true("dev.bootcomplete").context("failed waiting for dev.bootcomplete")?;
449
450 // And then tell it we're done so unnecessary services can be shut down.
451 system_properties::write("microdroid_manager.init_done", "1")
452 .context("set microdroid_manager.init_done")?;
453
454 info!("boot completed, time to run payload");
455 exec_task(task, service).context("Failed to run payload")
456 }
457
post_payload_work() -> Result<()>458 fn post_payload_work() -> Result<()> {
459 // Sync the encrypted storage filesystem (flushes the filesystem caches).
460 if Path::new(ENCRYPTEDSTORE_BACKING_DEVICE).exists() {
461 let mountpoint = CString::new(ENCRYPTEDSTORE_MOUNTPOINT).unwrap();
462
463 // SAFETY: `mountpoint` is a valid C string. `syncfs` and `close` are safe for any parameter
464 // values.
465 let ret = unsafe {
466 let dirfd = libc::open(
467 mountpoint.as_ptr(),
468 libc::O_DIRECTORY | libc::O_RDONLY | libc::O_CLOEXEC,
469 );
470 ensure!(dirfd >= 0, "Unable to open {:?}", mountpoint);
471 let ret = libc::syncfs(dirfd);
472 libc::close(dirfd);
473 ret
474 };
475 if ret != 0 {
476 error!("failed to sync encrypted storage.");
477 return Err(anyhow!(std::io::Error::last_os_error()));
478 }
479 }
480 Ok(())
481 }
482
mount_extra_apks(config: &VmPayloadConfig, zipfuse: &mut Zipfuse) -> Result<()>483 fn mount_extra_apks(config: &VmPayloadConfig, zipfuse: &mut Zipfuse) -> Result<()> {
484 // For now, only the number of apks is important, as the mount point and dm-verity name is fixed
485 for i in 0..config.extra_apks.len() {
486 let mount_dir = format!("/mnt/extra-apk/{i}");
487 create_dir(Path::new(&mount_dir)).context("Failed to create mount dir for extra apks")?;
488
489 let mount_for_exec =
490 if cfg!(multi_tenant) { MountForExec::Allowed } else { MountForExec::Disallowed };
491 // These run asynchronously in parallel - we wait later for them to complete.
492 zipfuse.mount(
493 mount_for_exec,
494 "fscontext=u:object_r:zipfusefs:s0,context=u:object_r:extra_apk_file:s0",
495 Path::new(&format!("/dev/block/mapper/extra-apk-{i}")),
496 Path::new(&mount_dir),
497 format!("microdroid_manager.extra_apk.mounted.{i}"),
498 )?;
499 }
500
501 Ok(())
502 }
503
get_vms_rpc_binder() -> Result<Strong<dyn IVirtualMachineService>>504 fn get_vms_rpc_binder() -> Result<Strong<dyn IVirtualMachineService>> {
505 // The host is running a VirtualMachineService for this VM on a port equal
506 // to the CID of this VM.
507 let port = vsock::get_local_cid().context("Could not determine local CID")?;
508 RpcSession::new()
509 .setup_vsock_client(VMADDR_CID_HOST, port)
510 .context("Could not connect to IVirtualMachineService")
511 }
512
is_strict_boot() -> bool513 fn is_strict_boot() -> bool {
514 Path::new(AVF_STRICT_BOOT).exists()
515 }
516
is_verified_boot() -> bool517 fn is_verified_boot() -> bool {
518 !Path::new(DEBUG_MICRODROID_NO_VERIFIED_BOOT).exists()
519 }
520
is_debuggable() -> Result<bool>521 fn is_debuggable() -> Result<bool> {
522 Ok(system_properties::read_bool(DEBUGGABLE_PROP, true)?)
523 }
524
should_export_tombstones(config: &VmPayloadConfig) -> bool525 fn should_export_tombstones(config: &VmPayloadConfig) -> bool {
526 match config.export_tombstones {
527 Some(b) => b,
528 None => is_debuggable().unwrap_or(false),
529 }
530 }
531
532 /// Get debug policy value in bool. It's true iff the value is explicitly set to <1>.
get_debug_policy_bool(path: &'static str) -> Result<Option<bool>>533 fn get_debug_policy_bool(path: &'static str) -> Result<Option<bool>> {
534 let mut file = match File::open(path) {
535 Ok(dp) => dp,
536 Err(e) => {
537 info!(
538 "Assumes that debug policy is disabled because failed to read debug policy ({e:?})"
539 );
540 return Ok(Some(false));
541 }
542 };
543 let mut log: [u8; 4] = Default::default();
544 file.read_exact(&mut log).context("Malformed data in {path}")?;
545 // DT spec uses big endian although Android is always little endian.
546 Ok(Some(u32::from_be_bytes(log) == 1))
547 }
548
549 enum MountForExec {
550 Allowed,
551 Disallowed,
552 }
553
554 #[derive(Default)]
555 struct Zipfuse {
556 ready_properties: Vec<String>,
557 }
558
559 impl Zipfuse {
mount( &mut self, noexec: MountForExec, option: &str, zip_path: &Path, mount_dir: &Path, ready_prop: String, ) -> Result<Child>560 fn mount(
561 &mut self,
562 noexec: MountForExec,
563 option: &str,
564 zip_path: &Path,
565 mount_dir: &Path,
566 ready_prop: String,
567 ) -> Result<Child> {
568 let mut cmd = Command::new(ZIPFUSE_BIN);
569 if let MountForExec::Disallowed = noexec {
570 cmd.arg("--noexec");
571 }
572 // Let root own the files in APK, so we can access them, but set the group to
573 // allow all payloads to have access too.
574 let (uid, gid) = (microdroid_uids::ROOT_UID, microdroid_uids::MICRODROID_PAYLOAD_GID);
575
576 cmd.args(["-p", &ready_prop, "-o", option]);
577 cmd.args(["-u", &uid.to_string()]);
578 cmd.args(["-g", &gid.to_string()]);
579 cmd.arg(zip_path).arg(mount_dir);
580 self.ready_properties.push(ready_prop);
581 cmd.spawn().with_context(|| format!("Failed to run zipfuse for {mount_dir:?}"))
582 }
583
wait_until_done(self) -> Result<()>584 fn wait_until_done(self) -> Result<()> {
585 // We check the last-started check first in the hope that by the time it is done
586 // all or most of the others will also be done, minimising the number of times we
587 // block on a property.
588 for property in self.ready_properties.into_iter().rev() {
589 wait_for_property_true(&property)
590 .with_context(|| format!("Failed waiting for {property}"))?;
591 }
592 Ok(())
593 }
594 }
595
wait_for_property_true(property_name: &str) -> Result<()>596 fn wait_for_property_true(property_name: &str) -> Result<()> {
597 let mut prop = PropertyWatcher::new(property_name)?;
598 loop {
599 prop.wait(None)?;
600 if system_properties::read_bool(property_name, false)? {
601 break;
602 }
603 }
604 Ok(())
605 }
606
load_config(payload_metadata: PayloadMetadata) -> Result<VmPayloadConfig>607 fn load_config(payload_metadata: PayloadMetadata) -> Result<VmPayloadConfig> {
608 match payload_metadata {
609 PayloadMetadata::ConfigPath(path) => {
610 let path = Path::new(&path);
611 info!("loading config from {:?}...", path);
612 let file = ioutil::wait_for_file(path, WAIT_TIMEOUT)
613 .with_context(|| format!("Failed to read {:?}", path))?;
614 Ok(serde_json::from_reader(file)?)
615 }
616 PayloadMetadata::Config(payload_config) => {
617 let task = Task {
618 type_: TaskType::MicrodroidLauncher,
619 command: payload_config.payload_binary_name,
620 };
621 // We don't care about the paths, only the number of extra APKs really matters.
622 let extra_apks = (0..payload_config.extra_apk_count)
623 .map(|i| ApkConfig { path: format!("extra-apk-{i}") })
624 .collect();
625 Ok(VmPayloadConfig {
626 os: OsConfig { name: "microdroid".to_owned() },
627 task: Some(task),
628 apexes: vec![],
629 extra_apks,
630 prefer_staged: false,
631 export_tombstones: None,
632 enable_authfs: false,
633 hugepages: false,
634 })
635 }
636 _ => bail!("Failed to match config against a config type."),
637 }
638 }
639
640 /// Loads the crashkernel into memory using kexec if debuggable or debug policy says so.
641 /// The VM should be loaded with `crashkernel=' parameter in the cmdline to allocate memory
642 /// for crashkernel.
load_crashkernel_if_supported() -> Result<()>643 fn load_crashkernel_if_supported() -> Result<()> {
644 let supported = std::fs::read_to_string("/proc/cmdline")?.contains(" crashkernel=");
645 info!("ramdump supported: {}", supported);
646
647 if !supported {
648 return Ok(());
649 }
650
651 let debuggable = is_debuggable()?;
652 let ramdump = get_debug_policy_bool(AVF_DEBUG_POLICY_RAMDUMP)?.unwrap_or_default();
653 let requested = debuggable | ramdump;
654
655 if requested {
656 let status = Command::new("/system/bin/kexec_load").status()?;
657 if !status.success() {
658 return Err(anyhow!("Failed to load crashkernel: {status}"));
659 }
660 info!("ramdump is loaded: debuggable={debuggable}, ramdump={ramdump}");
661 }
662 Ok(())
663 }
664
665 /// Executes the given task.
exec_task(task: &Task, service: &Strong<dyn IVirtualMachineService>) -> Result<i32>666 fn exec_task(task: &Task, service: &Strong<dyn IVirtualMachineService>) -> Result<i32> {
667 info!("executing main task {:?}...", task);
668 let mut command = match task.type_ {
669 TaskType::Executable => {
670 // TODO(b/297501338): Figure out how to handle non-root for system payloads.
671 Command::new(&task.command)
672 }
673 TaskType::MicrodroidLauncher => {
674 let mut command = Command::new("/system/bin/microdroid_launcher");
675 command.arg(find_library_path(&task.command)?);
676 command.uid(microdroid_uids::MICRODROID_PAYLOAD_UID);
677 command.gid(microdroid_uids::MICRODROID_PAYLOAD_GID);
678 command
679 }
680 };
681
682 // SAFETY: We are not accessing any resource of the parent process. This means we can't make any
683 // log calls inside the closure.
684 unsafe {
685 command.pre_exec(|| {
686 // It is OK to continue with payload execution even if the calls below fail, since
687 // whether process can use a capability is controlled by the SELinux. Dropping the
688 // capabilities here is just another defense-in-depth layer.
689 let _ = cap::drop_inheritable_caps();
690 let _ = cap::drop_bounding_set();
691 Ok(())
692 });
693 }
694
695 // Never accept input from outside
696 command.stdin(Stdio::null());
697
698 // If the VM is debuggable, let stdout/stderr go outside via /dev/kmsg to ease the debugging
699 let (stdout, stderr) = if is_debuggable()? {
700 use std::os::fd::FromRawFd;
701 let kmsg_fd = env::var("ANDROID_FILE__dev_kmsg").unwrap().parse::<i32>().unwrap();
702 // SAFETY: no one closes kmsg_fd
703 unsafe { (Stdio::from_raw_fd(kmsg_fd), Stdio::from_raw_fd(kmsg_fd)) }
704 } else {
705 (Stdio::null(), Stdio::null())
706 };
707 command.stdout(stdout);
708 command.stderr(stderr);
709
710 info!("notifying payload started");
711 service.notifyPayloadStarted()?;
712
713 let mut payload_process = command.spawn().context("failed to spawn payload process")?;
714 info!("payload pid = {:?}", payload_process.id());
715
716 // SAFETY: setpriority doesn't take any pointers
717 unsafe {
718 let ret = libc::setpriority(libc::PRIO_PROCESS, payload_process.id(), -20);
719 if ret != 0 {
720 error!(
721 "failed to adjust priority of the payload: {:#?}",
722 std::io::Error::last_os_error()
723 );
724 }
725 }
726
727 let exit_status = payload_process.wait()?;
728 match exit_status.code() {
729 Some(exit_code) => Ok(exit_code),
730 None => Err(match exit_status.signal() {
731 Some(signal) => anyhow!(
732 "Payload exited due to signal: {} ({})",
733 signal,
734 Signal::try_from(signal).map_or("unknown", |s| s.as_str())
735 ),
736 None => anyhow!("Payload has neither exit code nor signal"),
737 }),
738 }
739 }
740
find_library_path(name: &str) -> Result<String>741 fn find_library_path(name: &str) -> Result<String> {
742 let mut watcher = PropertyWatcher::new("ro.product.cpu.abilist")?;
743 let value = watcher.read(|_name, value| Ok(value.trim().to_string()))?;
744 let abi = value.split(',').next().ok_or_else(|| anyhow!("no abilist"))?;
745 let path = format!("{}/lib/{}/{}", VM_APK_CONTENTS_PATH, abi, name);
746
747 let metadata = fs::metadata(&path).with_context(|| format!("Unable to access {}", path))?;
748 if !metadata.is_file() {
749 bail!("{} is not a file", &path);
750 }
751
752 Ok(path)
753 }
754
prepare_encryptedstore(vm_secret: &VmSecret) -> Result<Child>755 fn prepare_encryptedstore(vm_secret: &VmSecret) -> Result<Child> {
756 let mut key = ZVec::new(ENCRYPTEDSTORE_KEYSIZE)?;
757 vm_secret.derive_encryptedstore_key(&mut key)?;
758 let mut cmd = Command::new(ENCRYPTEDSTORE_BIN);
759 cmd.arg("--blkdevice")
760 .arg(ENCRYPTEDSTORE_BACKING_DEVICE)
761 .arg("--key")
762 .arg(hex::encode(&*key))
763 .args(["--mountpoint", ENCRYPTEDSTORE_MOUNTPOINT])
764 .spawn()
765 .context("encryptedstore failed")
766 }
767