Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 52be0888 authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker
Browse files

Merge "Add a sysprop-as-API for Trusty Android properties" into main am: 9f697c7a am: 303bf014

parents 0b64cfe1 303bf014
Loading
Loading
Loading
Loading
+15 −0
Original line number Original line Diff line number Diff line
sysprop_library {
    name: "trusty-properties",
    srcs: ["android/sysprop/trusty/security_vm.sysprop"],
    property_owner: "Platform",
    api_packages: ["android.sysprop.trusty"],
    apex_available: [
        "//apex_available:platform",
    ],
}

rust_binary {
    name: "trusty-properties-example",
    srcs: ["example.rs"],
    rustlibs: ["libtrusty_properties_rust"],
}
+67 −0
Original line number Original line Diff line number Diff line
# Copyright (C) 2025 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This module accesses properties regarding the Trusty VM that runs apps
# used to provide security for the system, such as Keymint or Gatekeeper.

module: "android.sysprop.trusty.security_vm"
owner: Platform

# The default Context Identifier to connect to Trusty over vsock.
prop {
    api_name: "vm_cid"
    prop_name: "trusty.security_vm.vm_cid"
    type: Integer
    scope: Internal
    access: Readonly
}

# Signals when a nonsecure VM is ready.
#
# This is used to launch dependent HALs.
#
# Trusty security VMs come in two flavors: non-secure and secure.
#
# 1. Non-secure VMs run on emulated environments like Cuttlefish, which lack
#    pVM firmware and TEE support. Consequently, KeyMint's root-of-trust data
#    is passed into the VM from the host's HAL, and an RPMB proxy provides
#    secure storage.
# 2. Secure VMs run on physical devices. Here, pVM firmware handles the
#    transfer of root-of-trust data via DeviceTree, and a TEE provides secure
#    storage.
prop {
    api_name: "nonsecure_vm_ready"
    prop_name: "trusty.security_vm.nonsecure_vm_ready"
    type: Boolean
    scope: Internal
    access: Readonly
}

# The Trusty Security VM is enabled.
prop {
    api_name: "enabled"
    prop_name: "trusty.security_vm.enabled"
    type: Boolean
    scope: Public
    access: Readonly
}

# KeyMint is enabled in the Trusty Security VM.
prop {
    api_name: "keymint_enabled"
    prop_name: "trusty.security_vm.keymint.enabled"
    type: Boolean
    scope: Public
    access: Readonly
}
+11 −0
Original line number Original line Diff line number Diff line
props {
  module: "android.sysprop.trusty.security_vm"
  prop {
    api_name: "enabled"
    prop_name: "trusty.security_vm.enabled"
  }
  prop {
    api_name: "keymint_enabled"
    prop_name: "trusty.security_vm.keymint.enabled"
  }
}
+11 −0
Original line number Original line Diff line number Diff line
props {
  module: "android.sysprop.trusty.security_vm"
  prop {
    api_name: "enabled"
    prop_name: "trusty.security_vm.enabled"
  }
  prop {
    api_name: "keymint_enabled"
    prop_name: "trusty.security_vm.keymint.enabled"
  }
}
+11 −0
Original line number Original line Diff line number Diff line
//! Example showing how to access the `trusty.security_vm.vm_cid` system property with Rust.

use trusty_properties::security_vm;

fn main() {
    match security_vm::vm_cid() {
        Ok(Some(cid)) => println!("CID: {cid}"),
        Ok(None) => println!("CID property not set"),
        Err(e) => println!("Error: {e:?}"),
    }
}