diff --git a/trusty/keymint/Android.bp b/trusty/keymint/Android.bp
index 92d9c6fbb..1b87d806f 100644
--- a/trusty/keymint/Android.bp
+++ b/trusty/keymint/Android.bp
@@ -17,12 +17,10 @@ package {
     default_applicable_licenses: ["Android-Apache-2.0"],
 }
 
-rust_binary {
-    name: "android.hardware.security.keymint-service.rust.trusty",
+rust_defaults {
+    name: "android.hardware.security.keymint-service.rust.trusty.default",
     relative_install_path: "hw",
     vendor: true,
-    init_rc: ["android.hardware.security.keymint-service.rust.trusty.rc"],
-    vintf_fragments: ["android.hardware.security.keymint-service.rust.trusty.xml"],
     srcs: [
         "src/keymint_hal_main.rs",
     ],
@@ -37,7 +35,23 @@ rust_binary {
         "liblog_rust",
     ],
     prefer_rlib: true,
+}
+
+rust_binary {
+    name: "android.hardware.security.keymint-service.rust.trusty",
+    defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
+    init_rc: ["android.hardware.security.keymint-service.rust.trusty.rc"],
+    vintf_fragments: ["android.hardware.security.keymint-service.rust.trusty.xml"],
     required: [
         "android.hardware.hardware_keystore.xml",
     ],
 }
+
+rust_binary {
+    name: "android.hardware.security.keymint-service.rust.trusty.nonsecure",
+    defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
+    features: ["nonsecure"],
+    rustlibs: [
+        "libkmr_hal_nonsecure",
+    ],
+}
diff --git a/trusty/keymint/src/keymint_hal_main.rs b/trusty/keymint/src/keymint_hal_main.rs
index 3c5627bd1..a0b1d792c 100644
--- a/trusty/keymint/src/keymint_hal_main.rs
+++ b/trusty/keymint/src/keymint_hal_main.rs
@@ -18,7 +18,7 @@ use clap::Parser;
 use kmr_hal::{
     extract_rsp, keymint, rpc, secureclock, send_hal_info, sharedsecret, SerializedChannel,
 };
-use log::{error, info};
+use log::{error, info, warn};
 use std::{
     ffi::CString,
     ops::DerefMut,
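Review bot: The new `android.hardware.security.keymint-service.rust.trusty.nonsecure` module inherits `vendor: true` and `relative_install_path: "hw"` from the shared defaults, so it installs next to the real HAL as a vendor binary, yet nothing in the module states that it is only meant for emulator or test products. With the `nonsecure` feature the service sources root-of-trust and attestation-ID data from Android properties instead of the bootloader and factory provisioning (per the comments in the keymint_hal_main.rs hunk), so a product that picks up this module by mistake would attest with unverified data. Add a comment above the module, e.g. `// Test/emulator-only variant: root of trust and attestation IDs come from Android properties. Must not be included in production builds.`. It may also be worth stating whether the omitted `init_rc`/`vintf_fragments` are expected to come from the consuming product, since the module declares neither.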
@@ -109,7 +109,11 @@ fn inner_main() -> Result<(), HalServiceError> {
         error!("{}", panic_info);
     }));
 
-    info!("Trusty KM HAL service is starting.");
+    if cfg!(feature = "nonsecure") {
+        warn!("Non-secure Trusty KM HAL service is starting.");
+    } else {
+        info!("Trusty KM HAL service is starting.");
+    }
 
     info!("Starting thread pool now.");
     binder::ProcessState::start_thread_pool();
@@ -126,6 +130,29 @@ fn inner_main() -> Result<(), HalServiceError> {
     )?;
     let tipc_channel = Arc::new(Mutex::new(TipcChannel(connection)));
 
+    #[cfg(feature = "nonsecure")]
+    {
+        // When the non-secure feature is enabled, retrieve root-of-trust information
+        // (with the exception of the verified boot key hash) from Android properties, and
+        // populate the TA with this information. On a real device, the bootloader should
+        // provide this data to the TA directly.
+        let boot_req = kmr_hal_nonsecure::get_boot_info();
+        info!("boot/HAL->TA: boot info is {:?}", boot_req);
+        kmr_hal::send_boot_info(tipc_channel.lock().unwrap().deref_mut(), boot_req)
+            .map_err(|e| HalServiceError(format!("Failed to send boot info: {:?}", e)))?;
+        // When the non-secure feature is enabled, also retrieve device ID information
+        // (except for IMEI/MEID values) from Android properties and populate the TA with
+        // this information. On a real device, a factory provisioning process would populate
+        // this information.
+        let attest_ids = kmr_hal_nonsecure::attestation_id_info();
+        if let Err(e) =
+            kmr_hal::send_attest_ids(tipc_channel.lock().unwrap().deref_mut(), attest_ids)
+        {
+            error!("Failed to send attestation ID info: {:?}", e);
+        }
+        info!("Successfully sent non-secure boot info and attestation IDs to the TA.");
+    }
+
     // Register the Keymint service
     let km_service = keymint::Device::new_as_binder(tipc_channel.clone());
     let km_service_name = format!("{}/{}", KM_SERVICE_NAME, SERVICE_INSTANCE);
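Review bot: The trailing `info!("Successfully sent non-secure boot info and attestation IDs to the TA.")` in the second hunk runs even when `send_attest_ids` returned `Err`, so the log claims success immediately after the `error!` line has reported the failure. Move it into an `else` branch of the `if let Err(e) = …` block: `} else { info!("Successfully sent non-secure boot info and attestation IDs to the TA."); }`. The comment should also say why a failed `send_boot_info` aborts startup via `?` while a failed `send_attest_ids` is only logged; presumably the TA remains usable without device IDs in the non-secure setup, but that asymmetry is not stated and a reader may take the best-effort path for an oversight. inner_main's body starts and ends outside the hunk.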