Allow AVF remote attestation to be disabled
This CL adds a variable in makefile that allows the
AVF remote attestation feature to be disabled easily.
The remote attestation feature is opt-in by default, as it
is a strongly recommended feature from Android V. It will
be disabled if PRODUCT_AVF_REMOTE_ATTESTATION_DISABLED is
set to true in the Makefile, otherwise it will be enabled
when the feature flag
RELEASE_AVF_ENABLE_REMOTE_ATTESTATION is on.
Bug: 331269709
Bug: 341292601
Test: run VM remote attestation on Pixel 6 and check it is
disabled
Change-Id: Id48ebd0eacf0d7a6c69b9100aee5ab6e4f112fe5
diff --git a/core/android_soong_config_vars.mk b/core/android_soong_config_vars.mk
index c43081e..127731f 100644
--- a/core/android_soong_config_vars.mk
+++ b/core/android_soong_config_vars.mk
@@ -77,6 +77,12 @@
$(call add_soong_config_var_value,ANDROID,avf_enabled,$(PRODUCT_AVF_ENABLED))
endif
+# Enable AVF remote attestation according to the flag value if PRODUCT_AVF_REMOTE_ATTESTATION_DISABLED is not
+# set to true explicitly.
+ifneq (true,$(PRODUCT_AVF_REMOTE_ATTESTATION_DISABLED))
+ $(call add_soong_config_var_value,ANDROID,avf_remote_attestation_enabled,$(RELEASE_AVF_ENABLE_REMOTE_ATTESTATION))
+endif
+
ifdef PRODUCT_AVF_MICRODROID_GUEST_GKI_VERSION
$(call add_soong_config_var_value,ANDROID,avf_microdroid_guest_gki_version,$(PRODUCT_AVF_MICRODROID_GUEST_GKI_VERSION))
endif
@@ -95,6 +101,8 @@
$(call add_soong_config_var_value,ANDROID,release_avf_enable_llpvm_changes,$(RELEASE_AVF_ENABLE_LLPVM_CHANGES))
$(call add_soong_config_var_value,ANDROID,release_avf_enable_multi_tenant_microdroid_vm,$(RELEASE_AVF_ENABLE_MULTI_TENANT_MICRODROID_VM))
$(call add_soong_config_var_value,ANDROID,release_avf_enable_network,$(RELEASE_AVF_ENABLE_NETWORK))
+# TODO(b/341292601): This flag is needed until the V release. We with clean it up after V together
+# with most of the release_avf_ flags here.
$(call add_soong_config_var_value,ANDROID,release_avf_enable_remote_attestation,$(RELEASE_AVF_ENABLE_REMOTE_ATTESTATION))
$(call add_soong_config_var_value,ANDROID,release_avf_enable_vendor_modules,$(RELEASE_AVF_ENABLE_VENDOR_MODULES))
$(call add_soong_config_var_value,ANDROID,release_avf_enable_virt_cpufreq,$(RELEASE_AVF_ENABLE_VIRT_CPUFREQ))
diff --git a/core/product.mk b/core/product.mk
index 15faf7d..9a49927 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -426,6 +426,9 @@
# If true, installs a full version of com.android.virt APEX.
_product_single_value_vars += PRODUCT_AVF_ENABLED
+# If false, disable the AVF remote attestaton feature.
+_product_single_value_vars += PRODUCT_AVF_REMOTE_ATTESTATION_DISABLED
+
# If true, kernel with modules will be used for Microdroid VMs.
_product_single_value_vars += PRODUCT_AVF_KERNEL_MODULES_ENABLED