KeyMint: default to Rust reference implementation
Copy code that can be re-used from the Cuttlefish KeyMint
implementation, specifically from the following directories
under device/google/cuttlefish:
- HAL-side code from guest/hals/keymint/rust/
- TA-side code from host/commands/secure_env/rust/
Create a corresponding pair of libkmr_{hal,ta}_nonsecure libraries here.
The only changes to the copied code are:
- Convert `pub(crate)` to `pub` in `attest.rs`.
- Add some missing doc comments.
- Add comment noting need for SELinux permission to read ro.serialno.
- Add comment noting need for clock to be in sync with Gatekeeper.
(A subsequent CL aosp/2852598 adjusts Cuttlefish so that it uses the
copied modules here, and can remove the original copies.)
In addition to the moved code, the default implementation also needs
a new implementation of a monotonic clock, added here in clock.rs
using `std::time::Instant`.
With the new nonsecure HAL and TA libraries in place, implement the
default KeyMint HAL service using the former, and spin up a single
thread running a nonsecure TA using the latter. Communicate between
the two via a pair of mpsc::channel()s.
Test: VtsAidlKeyMintTargetTest with normal Cuttlefish (all pass)
Test: VtsAidlKeyMintTargetTest with default/nonsecure impl (auth
tests fail, but this is expected as Gatekeeper hasn't moved)
Bug: 314513765
Change-Id: Ia450e9a8f2dc530f79e8d74d7ce65f7d67ea129f
diff --git a/security/keymint/aidl/default/Android.bp b/security/keymint/aidl/default/Android.bp
index 953630b..d815ff7 100644
--- a/security/keymint/aidl/default/Android.bp
+++ b/security/keymint/aidl/default/Android.bp
@@ -7,39 +7,29 @@
default_applicable_licenses: ["hardware_interfaces_license"],
}
-cc_binary {
+rust_binary {
name: "android.hardware.security.keymint-service",
relative_install_path: "hw",
+ vendor: true,
init_rc: ["android.hardware.security.keymint-service.rc"],
vintf_fragments: [
"android.hardware.security.keymint-service.xml",
"android.hardware.security.sharedsecret-service.xml",
"android.hardware.security.secureclock-service.xml",
],
- vendor: true,
- cflags: [
- "-Wall",
- "-Wextra",
- ],
defaults: [
- "keymint_use_latest_hal_aidl_ndk_shared",
- ],
- shared_libs: [
- "android.hardware.security.rkp-V3-ndk",
- "android.hardware.security.sharedsecret-V1-ndk",
- "android.hardware.security.secureclock-V1-ndk",
- "libbase",
- "libbinder_ndk",
- "libcppbor_external",
- "libcrypto",
- "libkeymaster_portable",
- "libkeymint",
- "liblog",
- "libpuresoftkeymasterdevice",
- "libutils",
+ "keymint_use_latest_hal_aidl_rust",
],
srcs: [
- "service.cpp",
+ "main.rs",
+ ],
+ rustlibs: [
+ "libandroid_logger",
+ "libbinder_rs",
+ "liblog_rust",
+ "libkmr_hal",
+ "libkmr_hal_nonsecure",
+ "libkmr_ta_nonsecure",
],
required: [
"android.hardware.hardware_keystore.xml",
@@ -52,3 +42,39 @@
vendor: true,
src: "android.hardware.hardware_keystore.xml",
}
+
+rust_library {
+ name: "libkmr_hal_nonsecure",
+ crate_name: "kmr_hal_nonsecure",
+ vendor_available: true,
+ lints: "android",
+ rustlibs: [
+ "libbinder_rs",
+ "libhex",
+ "liblibc",
+ "liblog_rust",
+ "libkmr_hal",
+ "libkmr_wire",
+ ],
+ srcs: ["hal/lib.rs"],
+
+}
+
+rust_library {
+ name: "libkmr_ta_nonsecure",
+ crate_name: "kmr_ta_nonsecure",
+ vendor_available: true,
+ host_supported: true,
+ lints: "android",
+ rustlibs: [
+ "libhex",
+ "liblibc",
+ "liblog_rust",
+ "libkmr_common",
+ "libkmr_crypto_boring",
+ "libkmr_ta",
+ "libkmr_wire",
+ ],
+ srcs: ["ta/lib.rs"],
+
+}