Loading trusty/keymint/Android.bp +4 −2 Original line number Diff line number Diff line Loading @@ -20,7 +20,6 @@ package { rust_defaults { name: "android.hardware.security.keymint-service.rust.trusty.default", relative_install_path: "hw", vendor: true, srcs: [ "src/keymint_hal_main.rs", ], Loading @@ -39,6 +38,7 @@ rust_defaults { rust_binary { name: "android.hardware.security.keymint-service.rust.trusty", vendor: true, defaults: ["android.hardware.security.keymint-service.rust.trusty.default"], init_rc: ["android.hardware.security.keymint-service.rust.trusty.rc"], vintf_fragments: ["android.hardware.security.keymint-service.rust.trusty.xml"], Loading @@ -48,8 +48,10 @@ rust_binary { } rust_binary { name: "android.hardware.security.keymint-service.rust.trusty.nonsecure", name: "android.hardware.security.keymint-service.rust.trusty.system.nonsecure", system_ext_specific: true, defaults: ["android.hardware.security.keymint-service.rust.trusty.default"], init_rc: ["android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc"], features: ["nonsecure"], rustlibs: [ "libkmr_hal_nonsecure", Loading trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc 0 → 100644 +17 −0 Original line number Diff line number Diff line service system.keymint.rust-trusty.nonsecure \ /system_ext/bin/hw/android.hardware.security.keymint-service.rust.trusty.system.nonsecure \ --dev ${ro.hardware.trusty_ipc_dev.keymint:-/dev/trusty-ipc-dev0} disabled user nobody group drmrpc # The keymint service is not allowed to restart. # If it crashes, a device restart is required. oneshot # Only starts the non-secure KeyMint HALs when the KeyMint VM feature is enabled # TODO(b/357821690): Start the KeyMint HALs when the KeyMint VM is ready once the Trusty VM # has a mechanism to notify the host. on late-fs && property:ro.hardware.security.keymint.trusty.system=1 && \ property:ro.hardware.trusty_vm_cid=* setprop ro.hardware.trusty_ipc_dev.keymint VSOCK:${ro.hardware.trusty_vm_cid}:1 start system.keymint.rust-trusty.nonsecure trusty/keymint/trusty-keymint.mk 0 → 100644 +43 −0 Original line number Diff line number Diff line # # Copyright (C) 2024 The Android Open-Source Project # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # # This makefile should be included by devices that use Trusty TEE # to pull in a set of Trusty KeyMint specific modules. # # Allow KeyMint HAL service implementation selection at build time. This must be # synchronized with the TA implementation included in Trusty. Possible values: # # - Rust implementation for Trusty VM (requires Trusty VM support): # export TRUSTY_KEYMINT_IMPL=rust # export TRUSTY_SYSTEM_VM=nonsecure # - Rust implementation for Trusty TEE (no Trusty VM support): # export TRUSTY_KEYMINT_IMPL=rust # - C++ implementation (default): (any other value or unset TRUSTY_KEYMINT_IMPL) ifeq ($(TRUSTY_KEYMINT_IMPL),rust) ifeq ($(TRUSTY_SYSTEM_VM),nonsecure) LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty.system.nonsecure else LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty endif else # Default to the C++ implementation LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.trusty endif PRODUCT_PACKAGES += \ $(LOCAL_KEYMINT_PRODUCT_PACKAGE) \ trusty/trusty-base.mk +1 −13 Original line number Diff line number Diff line Loading @@ -22,18 +22,7 @@ # For gatekeeper, we include the generic -service and -impl to use legacy # HAL loading of gatekeeper.trusty. # Allow the KeyMint HAL service implementation to be selected at build time. This needs to be # done in sync with the TA implementation included in Trusty. Possible values are: # # - Rust implementation: export TRUSTY_KEYMINT_IMPL=rust # - C++ implementation: (any other value of TRUSTY_KEYMINT_IMPL) ifeq ($(TRUSTY_KEYMINT_IMPL),rust) LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty else # Default to the C++ implementation LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.trusty endif $(call inherit-product, system/core/trusty/keymint/trusty-keymint.mk) ifeq ($(SECRETKEEPER_ENABLED),true) LOCAL_SECRETKEEPER_PRODUCT_PACKAGE := android.hardware.security.secretkeeper.trusty Loading @@ -42,7 +31,6 @@ else endif PRODUCT_PACKAGES += \ $(LOCAL_KEYMINT_PRODUCT_PACKAGE) \ $(LOCAL_SECRETKEEPER_PRODUCT_PACKAGE) \ android.hardware.gatekeeper-service.trusty \ trusty_apploader \ Loading Loading
trusty/keymint/Android.bp +4 −2 Original line number Diff line number Diff line Loading @@ -20,7 +20,6 @@ package { rust_defaults { name: "android.hardware.security.keymint-service.rust.trusty.default", relative_install_path: "hw", vendor: true, srcs: [ "src/keymint_hal_main.rs", ], Loading @@ -39,6 +38,7 @@ rust_defaults { rust_binary { name: "android.hardware.security.keymint-service.rust.trusty", vendor: true, defaults: ["android.hardware.security.keymint-service.rust.trusty.default"], init_rc: ["android.hardware.security.keymint-service.rust.trusty.rc"], vintf_fragments: ["android.hardware.security.keymint-service.rust.trusty.xml"], Loading @@ -48,8 +48,10 @@ rust_binary { } rust_binary { name: "android.hardware.security.keymint-service.rust.trusty.nonsecure", name: "android.hardware.security.keymint-service.rust.trusty.system.nonsecure", system_ext_specific: true, defaults: ["android.hardware.security.keymint-service.rust.trusty.default"], init_rc: ["android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc"], features: ["nonsecure"], rustlibs: [ "libkmr_hal_nonsecure", Loading
trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc 0 → 100644 +17 −0 Original line number Diff line number Diff line service system.keymint.rust-trusty.nonsecure \ /system_ext/bin/hw/android.hardware.security.keymint-service.rust.trusty.system.nonsecure \ --dev ${ro.hardware.trusty_ipc_dev.keymint:-/dev/trusty-ipc-dev0} disabled user nobody group drmrpc # The keymint service is not allowed to restart. # If it crashes, a device restart is required. oneshot # Only starts the non-secure KeyMint HALs when the KeyMint VM feature is enabled # TODO(b/357821690): Start the KeyMint HALs when the KeyMint VM is ready once the Trusty VM # has a mechanism to notify the host. on late-fs && property:ro.hardware.security.keymint.trusty.system=1 && \ property:ro.hardware.trusty_vm_cid=* setprop ro.hardware.trusty_ipc_dev.keymint VSOCK:${ro.hardware.trusty_vm_cid}:1 start system.keymint.rust-trusty.nonsecure
trusty/keymint/trusty-keymint.mk 0 → 100644 +43 −0 Original line number Diff line number Diff line # # Copyright (C) 2024 The Android Open-Source Project # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # # This makefile should be included by devices that use Trusty TEE # to pull in a set of Trusty KeyMint specific modules. # # Allow KeyMint HAL service implementation selection at build time. This must be # synchronized with the TA implementation included in Trusty. Possible values: # # - Rust implementation for Trusty VM (requires Trusty VM support): # export TRUSTY_KEYMINT_IMPL=rust # export TRUSTY_SYSTEM_VM=nonsecure # - Rust implementation for Trusty TEE (no Trusty VM support): # export TRUSTY_KEYMINT_IMPL=rust # - C++ implementation (default): (any other value or unset TRUSTY_KEYMINT_IMPL) ifeq ($(TRUSTY_KEYMINT_IMPL),rust) ifeq ($(TRUSTY_SYSTEM_VM),nonsecure) LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty.system.nonsecure else LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty endif else # Default to the C++ implementation LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.trusty endif PRODUCT_PACKAGES += \ $(LOCAL_KEYMINT_PRODUCT_PACKAGE) \
trusty/trusty-base.mk +1 −13 Original line number Diff line number Diff line Loading @@ -22,18 +22,7 @@ # For gatekeeper, we include the generic -service and -impl to use legacy # HAL loading of gatekeeper.trusty. # Allow the KeyMint HAL service implementation to be selected at build time. This needs to be # done in sync with the TA implementation included in Trusty. Possible values are: # # - Rust implementation: export TRUSTY_KEYMINT_IMPL=rust # - C++ implementation: (any other value of TRUSTY_KEYMINT_IMPL) ifeq ($(TRUSTY_KEYMINT_IMPL),rust) LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty else # Default to the C++ implementation LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.trusty endif $(call inherit-product, system/core/trusty/keymint/trusty-keymint.mk) ifeq ($(SECRETKEEPER_ENABLED),true) LOCAL_SECRETKEEPER_PRODUCT_PACKAGE := android.hardware.security.secretkeeper.trusty Loading @@ -42,7 +31,6 @@ else endif PRODUCT_PACKAGES += \ $(LOCAL_KEYMINT_PRODUCT_PACKAGE) \ $(LOCAL_SECRETKEEPER_PRODUCT_PACKAGE) \ android.hardware.gatekeeper-service.trusty \ trusty_apploader \ Loading
