Merge "[km] Include non-secure KM HAL with Trusty VM in /system_ext" into main

2024-09-05 20:19:43 +00:00 · 2024-09-05 20:19:43 +00:00 · 5b6fbdea70
commit 5b6fbdea70
parent 33a742028e d694b61591
4 changed files with 65 additions and 15 deletions
--- a/trusty/keymint/Android.bp
+++ b/trusty/keymint/Android.bp
@ -20,7 +20,6 @@ package {
 rust_defaults {
    name: "android.hardware.security.keymint-service.rust.trusty.default",
    relative_install_path: "hw",
-    vendor: true,
    srcs: [
        "src/keymint_hal_main.rs",
    ],
@ -39,6 +38,7 @@ rust_defaults {

 rust_binary {
    name: "android.hardware.security.keymint-service.rust.trusty",
+    vendor: true,
    defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
    init_rc: ["android.hardware.security.keymint-service.rust.trusty.rc"],
    vintf_fragments: ["android.hardware.security.keymint-service.rust.trusty.xml"],
@ -48,8 +48,10 @@ rust_binary {
 }

 rust_binary {
-    name: "android.hardware.security.keymint-service.rust.trusty.nonsecure",
+    name: "android.hardware.security.keymint-service.rust.trusty.system.nonsecure",
+    system_ext_specific: true,
    defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
+    init_rc: ["android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc"],
    features: ["nonsecure"],
    rustlibs: [
        "libkmr_hal_nonsecure",
--- a/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc
+++ b/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc
@ -0,0 +1,17 @@
+service system.keymint.rust-trusty.nonsecure \
+  /system_ext/bin/hw/android.hardware.security.keymint-service.rust.trusty.system.nonsecure \
+  --dev ${ro.hardware.trusty_ipc_dev.keymint:-/dev/trusty-ipc-dev0}
+    disabled
+    user nobody
+    group drmrpc
+    # The keymint service is not allowed to restart.
+    # If it crashes, a device restart is required.
+    oneshot
+
+# Only starts the non-secure KeyMint HALs when the KeyMint VM feature is enabled
+# TODO(b/357821690): Start the KeyMint HALs when the KeyMint VM is ready once the Trusty VM
+# has a mechanism to notify the host.
+on late-fs && property:ro.hardware.security.keymint.trusty.system=1 && \
+   property:ro.hardware.trusty_vm_cid=*
+    setprop ro.hardware.trusty_ipc_dev.keymint VSOCK:${ro.hardware.trusty_vm_cid}:1
+    start system.keymint.rust-trusty.nonsecure
--- a/trusty/keymint/trusty-keymint.mk
+++ b/trusty/keymint/trusty-keymint.mk
@ -0,0 +1,43 @@
+#
+# Copyright (C) 2024 The Android Open-Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#
+# This makefile should be included by devices that use Trusty TEE
+# to pull in a set of Trusty KeyMint specific modules.
+#
+# Allow KeyMint HAL service implementation selection at build time. This must be
+# synchronized with the TA implementation included in Trusty. Possible values:
+#
+# - Rust implementation for Trusty VM (requires Trusty VM support):
+#   export TRUSTY_KEYMINT_IMPL=rust
+#   export TRUSTY_SYSTEM_VM=nonsecure
+# - Rust implementation for Trusty TEE (no Trusty VM support):
+#   export TRUSTY_KEYMINT_IMPL=rust
+# - C++ implementation (default): (any other value or unset TRUSTY_KEYMINT_IMPL)
+
+ifeq ($(TRUSTY_KEYMINT_IMPL),rust)
+    ifeq ($(TRUSTY_SYSTEM_VM),nonsecure)
+        LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty.system.nonsecure
+    else
+        LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty
+    endif
+else
+    # Default to the C++ implementation
+    LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.trusty
+endif
+
+PRODUCT_PACKAGES += \
+    $(LOCAL_KEYMINT_PRODUCT_PACKAGE) \
--- a/trusty/trusty-base.mk
+++ b/trusty/trusty-base.mk
@ -22,18 +22,7 @@
 # For gatekeeper, we include the generic -service and -impl to use legacy
 # HAL loading of gatekeeper.trusty.

-# Allow the KeyMint HAL service implementation to be selected at build time.  This needs to be
-# done in sync with the TA implementation included in Trusty.  Possible values are:
-#
-# - Rust implementation:   export TRUSTY_KEYMINT_IMPL=rust
-# - C++ implementation:    (any other value of TRUSTY_KEYMINT_IMPL)
-
-ifeq ($(TRUSTY_KEYMINT_IMPL),rust)
-    LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty
-else
-    # Default to the C++ implementation
-    LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.trusty
-endif
+$(call inherit-product, system/core/trusty/keymint/trusty-keymint.mk)

 ifeq ($(SECRETKEEPER_ENABLED),true)
    LOCAL_SECRETKEEPER_PRODUCT_PACKAGE := android.hardware.security.secretkeeper.trusty
@ -42,7 +31,6 @@ else
 endif

 PRODUCT_PACKAGES += \
-	$(LOCAL_KEYMINT_PRODUCT_PACKAGE) \
 	$(LOCAL_SECRETKEEPER_PRODUCT_PACKAGE) \
 	android.hardware.gatekeeper-service.trusty \
 	trusty_apploader \