Merge "[km] Include non-secure KM HAL with Trusty VM in /system_ext" into main am: 5b6fbdea

rust_defaults {

    name: "android.hardware.security.keymint-service.rust.trusty.default",

    relative_install_path: "hw",

    vendor: true,

    srcs: [

        "src/keymint_hal_main.rs",

    ],

rust_binary {

    name: "android.hardware.security.keymint-service.rust.trusty",

    vendor: true,

    defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],

    init_rc: ["android.hardware.security.keymint-service.rust.trusty.rc"],

    vintf_fragments: ["android.hardware.security.keymint-service.rust.trusty.xml"],

}

rust_binary {

    name: "android.hardware.security.keymint-service.rust.trusty.nonsecure",

    name: "android.hardware.security.keymint-service.rust.trusty.system.nonsecure",

    system_ext_specific: true,

    defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],

    init_rc: ["android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc"],

    features: ["nonsecure"],

    rustlibs: [

        "libkmr_hal_nonsecure",

service system.keymint.rust-trusty.nonsecure \

  /system_ext/bin/hw/android.hardware.security.keymint-service.rust.trusty.system.nonsecure \

  --dev ${ro.hardware.trusty_ipc_dev.keymint:-/dev/trusty-ipc-dev0}

    disabled

    user nobody

    group drmrpc

    # The keymint service is not allowed to restart.

    # If it crashes, a device restart is required.

    oneshot

# Only starts the non-secure KeyMint HALs when the KeyMint VM feature is enabled

# TODO(b/357821690): Start the KeyMint HALs when the KeyMint VM is ready once the Trusty VM

# has a mechanism to notify the host.

on late-fs && property:ro.hardware.security.keymint.trusty.system=1 && \

   property:ro.hardware.trusty_vm_cid=*

    setprop ro.hardware.trusty_ipc_dev.keymint VSOCK:${ro.hardware.trusty_vm_cid}:1

    start system.keymint.rust-trusty.nonsecure

#

# Copyright (C) 2024 The Android Open-Source Project

#

# Licensed under the Apache License, Version 2.0 (the "License");

# you may not use this file except in compliance with the License.

# You may obtain a copy of the License at

#

#      http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS,

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

# See the License for the specific language governing permissions and

# limitations under the License.

#

#

# This makefile should be included by devices that use Trusty TEE

# to pull in a set of Trusty KeyMint specific modules.

#

# Allow KeyMint HAL service implementation selection at build time. This must be

# synchronized with the TA implementation included in Trusty. Possible values:

#

# - Rust implementation for Trusty VM (requires Trusty VM support):

#   export TRUSTY_KEYMINT_IMPL=rust

#   export TRUSTY_SYSTEM_VM=nonsecure

# - Rust implementation for Trusty TEE (no Trusty VM support):

#   export TRUSTY_KEYMINT_IMPL=rust

# - C++ implementation (default): (any other value or unset TRUSTY_KEYMINT_IMPL)

ifeq ($(TRUSTY_KEYMINT_IMPL),rust)

    ifeq ($(TRUSTY_SYSTEM_VM),nonsecure)

        LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty.system.nonsecure

    else

        LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty

    endif

else

    # Default to the C++ implementation

    LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.trusty

endif

PRODUCT_PACKAGES += \

    $(LOCAL_KEYMINT_PRODUCT_PACKAGE) \

# For gatekeeper, we include the generic -service and -impl to use legacy

# HAL loading of gatekeeper.trusty.

# Allow the KeyMint HAL service implementation to be selected at build time.  This needs to be

# done in sync with the TA implementation included in Trusty.  Possible values are:

#

# - Rust implementation:   export TRUSTY_KEYMINT_IMPL=rust

# - C++ implementation:    (any other value of TRUSTY_KEYMINT_IMPL)

ifeq ($(TRUSTY_KEYMINT_IMPL),rust)

    LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty

else

    # Default to the C++ implementation

    LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.trusty

endif

$(call inherit-product, system/core/trusty/keymint/trusty-keymint.mk)

ifeq ($(SECRETKEEPER_ENABLED),true)

    LOCAL_SECRETKEEPER_PRODUCT_PACKAGE := android.hardware.security.secretkeeper.trusty

endif

PRODUCT_PACKAGES += \

	$(LOCAL_KEYMINT_PRODUCT_PACKAGE) \

	$(LOCAL_SECRETKEEPER_PRODUCT_PACKAGE) \

	android.hardware.gatekeeper-service.trusty \

	trusty_apploader \