diff --git a/trusty/keymint/Android.bp b/trusty/keymint/Android.bp
index 1b87d806f..5cdd381e1 100644
--- a/trusty/keymint/Android.bp
+++ b/trusty/keymint/Android.bp
@@ -20,7 +20,6 @@ package {
 rust_defaults {
     name: "android.hardware.security.keymint-service.rust.trusty.default",
     relative_install_path: "hw",
-    vendor: true,
     srcs: [
         "src/keymint_hal_main.rs",
     ],
@@ -39,6 +38,7 @@ rust_defaults {
 
 rust_binary {
     name: "android.hardware.security.keymint-service.rust.trusty",
+    vendor: true,
     defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
     init_rc: ["android.hardware.security.keymint-service.rust.trusty.rc"],
     vintf_fragments: ["android.hardware.security.keymint-service.rust.trusty.xml"],
@@ -48,8 +48,10 @@ rust_binary {
 }
 
 rust_binary {
-    name: "android.hardware.security.keymint-service.rust.trusty.nonsecure",
+    name: "android.hardware.security.keymint-service.rust.trusty.system.nonsecure",
+    system_ext_specific: true,
     defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
+    init_rc: ["android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc"],
     features: ["nonsecure"],
     rustlibs: [
         "libkmr_hal_nonsecure",
diff --git a/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc b/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc
new file mode 100644
index 000000000..318c13b45
--- /dev/null
+++ b/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc
@@ -0,0 +1,17 @@
+service system.keymint.rust-trusty.nonsecure \
+  /system_ext/bin/hw/android.hardware.security.keymint-service.rust.trusty.system.nonsecure \
+  --dev ${ro.hardware.trusty_ipc_dev.keymint:-/dev/trusty-ipc-dev0}
+    disabled
+    user nobody
+    group drmrpc
+    # The keymint service is not allowed to restart.
+    # If it crashes, a device restart is required.
+    oneshot
+
+# Only starts the non-secure KeyMint HALs when the KeyMint VM feature is enabled
+# TODO(b/357821690): Start the KeyMint HALs when the KeyMint VM is ready once the Trusty VM
+# has a mechanism to notify the host.
+on late-fs && property:ro.hardware.security.keymint.trusty.system=1 && \
+   property:ro.hardware.trusty_vm_cid=*
+    setprop ro.hardware.trusty_ipc_dev.keymint VSOCK:${ro.hardware.trusty_vm_cid}:1
+    start system.keymint.rust-trusty.nonsecure
diff --git a/trusty/keymint/trusty-keymint.mk b/trusty/keymint/trusty-keymint.mk
new file mode 100644
index 000000000..d5791eab2
--- /dev/null
+++ b/trusty/keymint/trusty-keymint.mk
@@ -0,0 +1,43 @@
+#
+# Copyright (C) 2024 The Android Open-Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#
+# This makefile should be included by devices that use Trusty TEE
+# to pull in a set of Trusty KeyMint specific modules.
+#
+# Allow KeyMint HAL service implementation selection at build time. This must be
+# synchronized with the TA implementation included in Trusty. Possible values:
+#
+# - Rust implementation for Trusty VM (requires Trusty VM support):
+#   export TRUSTY_KEYMINT_IMPL=rust
+#   export TRUSTY_SYSTEM_VM=nonsecure
+# - Rust implementation for Trusty TEE (no Trusty VM support):
+#   export TRUSTY_KEYMINT_IMPL=rust
+# - C++ implementation (default): (any other value or unset TRUSTY_KEYMINT_IMPL)
+
+ifeq ($(TRUSTY_KEYMINT_IMPL),rust)
+    ifeq ($(TRUSTY_SYSTEM_VM),nonsecure)
+        LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty.system.nonsecure
+    else
+        LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty
+    endif
+else
+    # Default to the C++ implementation
+    LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.trusty
+endif
+
+PRODUCT_PACKAGES += \
+    $(LOCAL_KEYMINT_PRODUCT_PACKAGE) \
diff --git a/trusty/trusty-base.mk b/trusty/trusty-base.mk
index b21eca6df..9d810dcb7 100644
--- a/trusty/trusty-base.mk
+++ b/trusty/trusty-base.mk
@@ -22,18 +22,7 @@
 # For gatekeeper, we include the generic -service and -impl to use legacy
 # HAL loading of gatekeeper.trusty.
 
-# Allow the KeyMint HAL service implementation to be selected at build time.  This needs to be
-# done in sync with the TA implementation included in Trusty.  Possible values are:
-#
-# - Rust implementation:   export TRUSTY_KEYMINT_IMPL=rust
-# - C++ implementation:    (any other value of TRUSTY_KEYMINT_IMPL)
-
-ifeq ($(TRUSTY_KEYMINT_IMPL),rust)
-    LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty
-else
-    # Default to the C++ implementation
-    LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.trusty
-endif
+$(call inherit-product, system/core/trusty/keymint/trusty-keymint.mk)
 
 ifeq ($(SECRETKEEPER_ENABLED),true)
     LOCAL_SECRETKEEPER_PRODUCT_PACKAGE := android.hardware.security.secretkeeper.trusty
@@ -42,7 +31,6 @@ else
 endif
 
 PRODUCT_PACKAGES += \
-	$(LOCAL_KEYMINT_PRODUCT_PACKAGE) \
 	$(LOCAL_SECRETKEEPER_PRODUCT_PACKAGE) \
 	android.hardware.gatekeeper-service.trusty \
 	trusty_apploader \