Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b699da62 authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker
Browse files

Merge "[km] Include non-secure KM HAL with Trusty VM in /system_ext" into main am: 5b6fbdea

parents 473aa1de 5b6fbdea
Loading
Loading
Loading
Loading
+4 −2
Original line number Diff line number Diff line
@@ -20,7 +20,6 @@ package {
rust_defaults {
    name: "android.hardware.security.keymint-service.rust.trusty.default",
    relative_install_path: "hw",
    vendor: true,
    srcs: [
        "src/keymint_hal_main.rs",
    ],
@@ -39,6 +38,7 @@ rust_defaults {

rust_binary {
    name: "android.hardware.security.keymint-service.rust.trusty",
    vendor: true,
    defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
    init_rc: ["android.hardware.security.keymint-service.rust.trusty.rc"],
    vintf_fragments: ["android.hardware.security.keymint-service.rust.trusty.xml"],
@@ -48,8 +48,10 @@ rust_binary {
}

rust_binary {
    name: "android.hardware.security.keymint-service.rust.trusty.nonsecure",
    name: "android.hardware.security.keymint-service.rust.trusty.system.nonsecure",
    system_ext_specific: true,
    defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
    init_rc: ["android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc"],
    features: ["nonsecure"],
    rustlibs: [
        "libkmr_hal_nonsecure",
+17 −0
Original line number Diff line number Diff line
service system.keymint.rust-trusty.nonsecure \
  /system_ext/bin/hw/android.hardware.security.keymint-service.rust.trusty.system.nonsecure \
  --dev ${ro.hardware.trusty_ipc_dev.keymint:-/dev/trusty-ipc-dev0}
    disabled
    user nobody
    group drmrpc
    # The keymint service is not allowed to restart.
    # If it crashes, a device restart is required.
    oneshot

# Only starts the non-secure KeyMint HALs when the KeyMint VM feature is enabled
# TODO(b/357821690): Start the KeyMint HALs when the KeyMint VM is ready once the Trusty VM
# has a mechanism to notify the host.
on late-fs && property:ro.hardware.security.keymint.trusty.system=1 && \
   property:ro.hardware.trusty_vm_cid=*
    setprop ro.hardware.trusty_ipc_dev.keymint VSOCK:${ro.hardware.trusty_vm_cid}:1
    start system.keymint.rust-trusty.nonsecure
+43 −0
Original line number Diff line number Diff line
#
# Copyright (C) 2024 The Android Open-Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

#
# This makefile should be included by devices that use Trusty TEE
# to pull in a set of Trusty KeyMint specific modules.
#
# Allow KeyMint HAL service implementation selection at build time. This must be
# synchronized with the TA implementation included in Trusty. Possible values:
#
# - Rust implementation for Trusty VM (requires Trusty VM support):
#   export TRUSTY_KEYMINT_IMPL=rust
#   export TRUSTY_SYSTEM_VM=nonsecure
# - Rust implementation for Trusty TEE (no Trusty VM support):
#   export TRUSTY_KEYMINT_IMPL=rust
# - C++ implementation (default): (any other value or unset TRUSTY_KEYMINT_IMPL)

ifeq ($(TRUSTY_KEYMINT_IMPL),rust)
    ifeq ($(TRUSTY_SYSTEM_VM),nonsecure)
        LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty.system.nonsecure
    else
        LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty
    endif
else
    # Default to the C++ implementation
    LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.trusty
endif

PRODUCT_PACKAGES += \
    $(LOCAL_KEYMINT_PRODUCT_PACKAGE) \
+1 −13
Original line number Diff line number Diff line
@@ -22,18 +22,7 @@
# For gatekeeper, we include the generic -service and -impl to use legacy
# HAL loading of gatekeeper.trusty.

# Allow the KeyMint HAL service implementation to be selected at build time.  This needs to be
# done in sync with the TA implementation included in Trusty.  Possible values are:
#
# - Rust implementation:   export TRUSTY_KEYMINT_IMPL=rust
# - C++ implementation:    (any other value of TRUSTY_KEYMINT_IMPL)

ifeq ($(TRUSTY_KEYMINT_IMPL),rust)
    LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty
else
    # Default to the C++ implementation
    LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.trusty
endif
$(call inherit-product, system/core/trusty/keymint/trusty-keymint.mk)

ifeq ($(SECRETKEEPER_ENABLED),true)
    LOCAL_SECRETKEEPER_PRODUCT_PACKAGE := android.hardware.security.secretkeeper.trusty
@@ -42,7 +31,6 @@ else
endif

PRODUCT_PACKAGES += \
	$(LOCAL_KEYMINT_PRODUCT_PACKAGE) \
	$(LOCAL_SECRETKEEPER_PRODUCT_PACKAGE) \
	android.hardware.gatekeeper-service.trusty \
	trusty_apploader \