Merge "trusty: keymint: add rules for deploying keymint in vendor apex" into main (babce93c) · Commits · e / os / android_system_core

trusty/keymaster/Android.bp

+33 −8

Original line number	Diff line number	Diff line
		@@ -80,13 +80,9 @@ cc_binary {
		vintf_fragments: ["4.0/android.hardware.keymaster@4.0-service.trusty.xml"],
		}

		cc_binary {
		name: "android.hardware.security.keymint-service.trusty",
		cc_defaults {
		name: "android.hardware.security.keymint-service.trusty.defaults",
		relative_install_path: "hw",
		init_rc: ["keymint/android.hardware.security.keymint-service.trusty.rc"],
		vintf_fragments: [
		"keymint/android.hardware.security.keymint-service.trusty.xml",
		],
		vendor: true,
		cflags: [
		"-Wall",
		@@ -120,9 +116,38 @@ cc_binary {
		"libtrusty",
		"libutils",
		],
		required: [
		"android.hardware.hardware_keystore.xml",
		}

		// keymint hal binary for keymint in Trusty TEE prebuilt
		cc_binary {
		name: "android.hardware.security.keymint-service.trusty",
		defaults: ["android.hardware.security.keymint-service.trusty.defaults"],
		init_rc: ["keymint/android.hardware.security.keymint-service.trusty.rc"],
		vintf_fragments: [
		"keymint/android.hardware.security.keymint-service.trusty.xml",
		],
		required: ["android.hardware.hardware_keystore.xml"],
		}

		// Keymint hal service in vendor, enabled by vendor apex.
		// This service is disabled by default and does not package a VINTF fragment.
		// This service can be enabled at boot via vendor apex:
		// - at boot, mount a vendor apex for module `com.android.hardware.keymint`
		// - have the vendor init.rc file enable the service when the associated
		// apex is selected
		// - have the vendor apex package the vintf fragment and the required permissions
		cc_binary {
		name: "android.hardware.security.keymint-service.trusty_tee.cpp",
		defaults: ["android.hardware.security.keymint-service.trusty.defaults"],
		init_rc: ["keymint/android.hardware.security.keymint-service.trusty_tee.cpp.rc"],
		}

		// vintf fragment packaged in vendor apex
		prebuilt_etc {
		name: "android.hardware.security.keymint-service.trusty.xml",
		sub_dir: "vintf",
		vendor: true,
		src: "keymint/android.hardware.security.keymint-service.trusty.xml",
		}

		prebuilt_etc {

trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty_tee.cpp.rc

0 → 100644

+11 −0

Original line number	Diff line number	Diff line
		# service started when selecting `com.android.hardware.keymint.trusty_tee.cpp` vendor apex
		service vendor.keymint-service.trusty_tee.cpp \
		/vendor/bin/hw/android.hardware.security.keymint-service.trusty_tee.cpp \
		--dev ${ro.hardware.trusty_ipc_dev.keymint:-/dev/trusty-ipc-dev0}
		disabled
		class early_hal
		user nobody
		group drmrpc
		# The keymint service is not allowed to restart.
		# If it crashes, a device restart is required.
		oneshot

trusty/keymint/Android.bp

+41 −3

Original line number	Diff line number	Diff line
		@@ -36,6 +36,7 @@ rust_defaults {
		prefer_rlib: true,
		}

		// keymint hal binary for keymint in Trusty TEE (legacy approach not using apex)
		rust_binary {
		name: "android.hardware.security.keymint-service.rust.trusty",
		vendor: true,
		@@ -45,13 +46,50 @@ rust_binary {
		required: ["android.hardware.hardware_keystore.xml"],
		}

		// Keymint hal service in vendor, enabled by vendor apex.
		// This service is disabled by default and does not package a VINTF fragment.
		// This service can be enabled at boot via vendor apex:
		// - at boot, mount a vendor apex for module `com.android.hardware.keymint`
		// - have the vendor apex init.rc file to start the service when the apex is selected
		// - have the vendor apex package the vintf fragment
		rust_binary {
		name: "android.hardware.security.keymint-service.rust.trusty.system.nonsecure",
		name: "android.hardware.security.keymint-service.trusty_tee",
		vendor: true,
		defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
		init_rc: ["android.hardware.security.keymint-service.trusty_tee.rc"],
		}

		// Keymint hal service in system_ext, interacting with the Trusty Security VM.
		// This service is disabled by default and does not package a VINTF fragment.
		// This service can be enabled at boot via vendor apex:
		// - at boot, mount a vendor apex for module `com.android.hardware.keymint`
		// - have the vendor apex init.rc file to start the service when the apex is selected
		// - have the vendor apex package the vintf fragment
		rust_binary {
		name: "android.hardware.security.keymint-service.trusty_system_vm",
		system_ext_specific: true,
		defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
		init_rc: ["android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc"],
		features: ["nonsecure"],
		init_rc: ["android.hardware.security.keymint-service.trusty_system_vm.rc"],
		features: select(soong_config_variable("trusty_system_vm", "placeholder_trusted_hal"), {
		true: ["nonsecure"],
		default: [],
		}),
		rustlibs: [
		"libkmr_hal_nonsecure",
		],
		}

		// vintf fragment packaged in vendor apex
		prebuilt_etc {
		name: "android.hardware.security.keymint-service.rust.trusty.xml",
		sub_dir: "vintf",
		vendor: true,
		src: "android.hardware.security.keymint-service.rust.trusty.xml",
		}

		prebuilt_etc {
		name: "android.hardware.security.keymint-service.trusty_system_vm.xml",
		sub_dir: "vintf",
		vendor: true,
		src: "android.hardware.security.keymint-service.trusty_system_vm.xml",
		}

trusty/keymint/android.hardware.hardware_keystore.rust.trusty-keymint.xml

deleted100644 → 0

+0 −18

Original line number	Diff line number	Diff line
		<?xml version="1.0" encoding="utf-8"?>
		<!-- Copyright 2021 The Android Open Source Project

		Licensed under the Apache License, Version 2.0 (the "License");
		you may not use this file except in compliance with the License.
		You may obtain a copy of the License at

		http://www.apache.org/licenses/LICENSE-2.0

		Unless required by applicable law or agreed to in writing, software
		distributed under the License is distributed on an "AS IS" BASIS,
		WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		See the License for the specific language governing permissions and
		limitations under the License.
		-->
		<permissions>
		<feature name="android.hardware.hardware_keystore" version="300" />
		</permissions>

trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc→trusty/keymint/android.hardware.security.keymint-service.trusty_system_vm.rc

+6 −6

Original line number	Diff line number	Diff line
		service system.keymint.rust-trusty.nonsecure \
		/system_ext/bin/hw/android.hardware.security.keymint-service.rust.trusty.system.nonsecure \
		--dev ${system.keymint.trusty_ipc_dev:-/dev/trusty-ipc-dev0}
		# service started when selecting `com.android.hardware.keymint.trusty_system_vm` vendor apex
		service system.keymint-service.trusty_system_vm \
		/system_ext/bin/hw/android.hardware.security.keymint-service.trusty_system_vm \
		--dev ${system.keymint.trusty_ipc_dev}
		disabled
		user nobody
		group drmrpc
		@@ -8,10 +9,9 @@ service system.keymint.rust-trusty.nonsecure \
		# If it crashes, a device restart is required.
		oneshot

		# Only starts the non-secure KeyMint HALs when the KeyMint VM feature is enabled
		# TODO(b/357821690): Start the KeyMint HALs when the KeyMint VM is ready once the Trusty VM
		# has a mechanism to notify the host.
		on late-fs && property:trusty.security_vm.keymint.enabled=1 && \
		on post-fs && property:trusty.security_vm.keymint.enabled=1 && \
		property:trusty.security_vm.vm_cid=*
		setprop system.keymint.trusty_ipc_dev VSOCK:${trusty.security_vm.vm_cid}:1
		start system.keymint.rust-trusty.nonsecure
		start system.keymint-service.trusty_system_vm