
Commit 54b9f0f9 authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker

Merge "trusty: keymint: add rules for deploying keymint in vendor apex" into main am: babce93c

parents be75caf1 babce93c
+33 −8
@@ -80,13 +80,9 @@ cc_binary {
    vintf_fragments: ["4.0/android.hardware.keymaster@4.0-service.trusty.xml"],
}

cc_binary {
    name: "android.hardware.security.keymint-service.trusty",
cc_defaults {
    name: "android.hardware.security.keymint-service.trusty.defaults",
    relative_install_path: "hw",
    init_rc: ["keymint/android.hardware.security.keymint-service.trusty.rc"],
    vintf_fragments: [
        "keymint/android.hardware.security.keymint-service.trusty.xml",
    ],
    vendor: true,
    cflags: [
        "-Wall",
@@ -120,9 +116,38 @@ cc_binary {
        "libtrusty",
        "libutils",
    ],
    required: [
        "android.hardware.hardware_keystore.xml",
}

// keymint hal binary for keymint in Trusty TEE prebuilt
cc_binary {
    name: "android.hardware.security.keymint-service.trusty",
    defaults: ["android.hardware.security.keymint-service.trusty.defaults"],
    init_rc: ["keymint/android.hardware.security.keymint-service.trusty.rc"],
    vintf_fragments: [
        "keymint/android.hardware.security.keymint-service.trusty.xml",
    ],
    required: ["android.hardware.hardware_keystore.xml"],
}

// Keymint hal service in vendor, enabled by vendor apex.
// This service is disabled by default and does not package a VINTF fragment.
// This service can be enabled at boot via vendor apex:
// - at boot, mount a vendor apex for module `com.android.hardware.keymint`
// - have the vendor init.rc file enable the service when the associated
//   apex is selected
// - have the vendor apex package the vintf fragment and the required permissions
cc_binary {
    name: "android.hardware.security.keymint-service.trusty_tee.cpp",
    defaults: ["android.hardware.security.keymint-service.trusty.defaults"],
    init_rc: ["keymint/android.hardware.security.keymint-service.trusty_tee.cpp.rc"],
}

// vintf fragment packaged in vendor apex
prebuilt_etc {
    name: "android.hardware.security.keymint-service.trusty.xml",
    sub_dir: "vintf",
    vendor: true,
    src: "keymint/android.hardware.security.keymint-service.trusty.xml",
}

prebuilt_etc {
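Review bot: The comment above the `android.hardware.security.keymint-service.trusty_tee.cpp` binary names the apex module `com.android.hardware.keymint`, while the new rc file for the same service refers to the `com.android.hardware.keymint.trusty_tee.cpp` vendor apex; one of the two should be corrected so integrators select the right apex. This variant carries neither `required: ["android.hardware.hardware_keystore.xml"]` nor a VINTF fragment, so a product that enables it without an apex providing both would presumably run a KeyMint HAL that the manifest does not declare; the comment should state this as a hard precondition rather than a list of steps. If the `prebuilt_etc` named `android.hardware.security.keymint-service.trusty.xml` is meant to be consumed only through the apex, consider adding `installable: false` so it cannot also land on the vendor partition next to the legacy binary's `vintf_fragments` copy. The `cc_defaults` body between the two hunks and the trailing `prebuilt_etc {` are outside the visible lines.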
+11 −0
# service started when selecting `com.android.hardware.keymint.trusty_tee.cpp` vendor apex
service vendor.keymint-service.trusty_tee.cpp \
  /vendor/bin/hw/android.hardware.security.keymint-service.trusty_tee.cpp \
    --dev ${ro.hardware.trusty_ipc_dev.keymint:-/dev/trusty-ipc-dev0}
    disabled
    class early_hal
    user nobody
    group drmrpc
    # The keymint service is not allowed to restart.
    # If it crashes, a device restart is required.
    oneshot
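Review bot: Nothing in this file starts the service: it is `disabled`, and the only hint about the trigger is the header comment, so the rc should name the init script or property that is expected to issue the `start`. Because the service is `oneshot` and falls back to `/dev/trusty-ipc-dev0`, it is also worth stating that it must not run together with the legacy `android.hardware.security.keymint-service.trusty` service, which presumably registers the same HAL instance. A comment such as `# Started only by the vendor apex init script; never start alongside the non-apex keymint service.` would cover both points.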
+41 −3
@@ -36,6 +36,7 @@ rust_defaults {
    prefer_rlib: true,
}

// keymint hal binary for keymint in Trusty TEE (legacy approach not using apex)
rust_binary {
    name: "android.hardware.security.keymint-service.rust.trusty",
    vendor: true,
@@ -45,13 +46,50 @@ rust_binary {
    required: ["android.hardware.hardware_keystore.xml"],
}

// Keymint hal service in vendor, enabled by vendor apex.
// This service is disabled by default and does not package a VINTF fragment.
// This service can be enabled at boot via vendor apex:
// - at boot, mount a vendor apex for module `com.android.hardware.keymint`
// - have the vendor apex init.rc file to start the service when the apex is selected
// - have the vendor apex package the vintf fragment
rust_binary {
    name: "android.hardware.security.keymint-service.rust.trusty.system.nonsecure",
    name: "android.hardware.security.keymint-service.trusty_tee",
    vendor: true,
    defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
    init_rc: ["android.hardware.security.keymint-service.trusty_tee.rc"],
}

// Keymint hal service in system_ext, interacting with the Trusty Security VM.
// This service is disabled by default and does not package a VINTF fragment.
// This service can be enabled at boot via vendor apex:
// - at boot, mount a vendor apex for module `com.android.hardware.keymint`
// - have the vendor apex init.rc file to start the service when the apex is selected
// - have the vendor apex package the vintf fragment
rust_binary {
    name: "android.hardware.security.keymint-service.trusty_system_vm",
    system_ext_specific: true,
    defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
    init_rc: ["android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc"],
    features: ["nonsecure"],
    init_rc: ["android.hardware.security.keymint-service.trusty_system_vm.rc"],
    features: select(soong_config_variable("trusty_system_vm", "placeholder_trusted_hal"), {
        true: ["nonsecure"],
        default: [],
    }),
    rustlibs: [
        "libkmr_hal_nonsecure",
    ],
}

// vintf fragment packaged in vendor apex
prebuilt_etc {
    name: "android.hardware.security.keymint-service.rust.trusty.xml",
    sub_dir: "vintf",
    vendor: true,
    src: "android.hardware.security.keymint-service.rust.trusty.xml",
}

prebuilt_etc {
    name: "android.hardware.security.keymint-service.trusty_system_vm.xml",
    sub_dir: "vintf",
    vendor: true,
    src: "android.hardware.security.keymint-service.trusty_system_vm.xml",
}
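Review bot: In `android.hardware.security.keymint-service.trusty_system_vm`, the `nonsecure` feature is now selected by the soong config variable `placeholder_trusted_hal` with no comment saying what enabling it weakens, and `libkmr_hal_nonsecure` stays in `rustlibs` on both branches. A one-line comment on the `select(...)` would make a misconfigured product visible in review, for example `// placeholder_trusted_hal=true builds the HAL with the "nonsecure" feature; bring-up only, keep unset on release targets` (exact wording to be confirmed by the owners). The block comment above this binary repeats the vendor-apex text although the module is `system_ext_specific`, and the `android.hardware.security.keymint-service.trusty_system_vm.xml` fragment is declared `vendor: true`; it is worth confirming that this partition split is intended and saying so in the comment.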
+0 −18
<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright 2021 The Android Open Source Project

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-->
<permissions>
  <feature name="android.hardware.hardware_keystore" version="300" />
</permissions>
+6 −6
service system.keymint.rust-trusty.nonsecure \
  /system_ext/bin/hw/android.hardware.security.keymint-service.rust.trusty.system.nonsecure \
  --dev ${system.keymint.trusty_ipc_dev:-/dev/trusty-ipc-dev0}
# service started when selecting `com.android.hardware.keymint.trusty_system_vm` vendor apex
service system.keymint-service.trusty_system_vm \
  /system_ext/bin/hw/android.hardware.security.keymint-service.trusty_system_vm \
  --dev ${system.keymint.trusty_ipc_dev}
    disabled
    user nobody
    group drmrpc
@@ -8,10 +9,9 @@ service system.keymint.rust-trusty.nonsecure \
    # If it crashes, a device restart is required.
    oneshot

# Only starts the non-secure KeyMint HALs when the KeyMint VM feature is enabled
# TODO(b/357821690): Start the KeyMint HALs when the KeyMint VM is ready once the Trusty VM
# has a mechanism to notify the host.
on late-fs && property:trusty.security_vm.keymint.enabled=1 && \
on post-fs && property:trusty.security_vm.keymint.enabled=1 && \
   property:trusty.security_vm.vm_cid=*
    setprop system.keymint.trusty_ipc_dev VSOCK:${trusty.security_vm.vm_cid}:1
    start system.keymint.rust-trusty.nonsecure
    start system.keymint-service.trusty_system_vm
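Review bot: Moving the trigger from `late-fs` to `post-fs` starts a `oneshot` service earlier while the TODO still says there is no signal that the KeyMint VM is ready, so a HAL that loses that race would presumably exit and stay down until reboot. The trigger should either wait on a readiness property or the rc should document why `post-fs` is late enough. The VSOCK endpoint is built from `trusty.security_vm.vm_cid` with a `*` match, so whoever may write that property selects the peer the HAL talks to; the property context restricting its writers is not visible here and is worth confirming. The header comment also says the service is started by selecting the vendor apex, whereas this file starts it from the property trigger.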