Introduce IVmCapabilitiesService HAL
This HAL can be used to provide vendor-specific extensions to VMs. The first
use case for this HAL is the custom SMC filtering project, which provides a
way for some vendor-owned VMs to issue vendor-specific SMCs. See
go/pkvm-pvm-allow-vendor-tz-services-access for more details.
Bug: 360102915
Test: presubmit
Change-Id: Iaf8e3e066f5bda9eae079252720860d362d14426
diff --git a/compatibility_matrices/compatibility_matrix.202504.xml b/compatibility_matrices/compatibility_matrix.202504.xml
index 4b762ca..2c90f6b 100644
--- a/compatibility_matrices/compatibility_matrix.202504.xml
+++ b/compatibility_matrices/compatibility_matrix.202504.xml
@@ -653,6 +653,15 @@
</interface>
</hal>
<hal format="aidl">
+ <name>android.hardware.virtualization.capabilities</name>
+ <version>1</version>
+ <interface>
+ <name>IVmCapabilitiesService</name>
+ <instance>default</instance>
+ <instance>noop</instance>
+ </interface>
+ </hal>
+ <hal format="aidl">
<name>android.hardware.weaver</name>
<version>2</version>
<interface>
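Review bot: The `noop` instance is declared next to `default` with no explanation in this hunk, the commit message or the interface documentation, so an integrator cannot tell which instance actually applies a grant. The interface's only method grants a VM access to vendor TEE services, so it matters whether a caller bound to `noop` receives a silent success while nothing is granted. I would add an XML comment above the entry, for example `<!-- noop: stub instance for devices without vendor TEE services; grants nothing -->`, worded to match the real behaviour, which is not visible in this change.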
diff --git a/virtualization/capabilities_service/aidl/Android.bp b/virtualization/capabilities_service/aidl/Android.bp
new file mode 100644
index 0000000..b0bbbdd
--- /dev/null
+++ b/virtualization/capabilities_service/aidl/Android.bp
@@ -0,0 +1,35 @@
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ default_team: "trendy_team_virtualization",
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+aidl_interface {
+ name: "android.hardware.virtualization.capabilities.capabilities_service",
+ vendor_available: true,
+ srcs: ["android/**/*.aidl"],
+ stability: "vintf",
+ backend: {
+ rust: {
+ enabled: true,
+ apex_available: [
+ "//apex_available:platform",
+ "com.android.virt",
+ ],
+ },
+ },
+ frozen: false,
+}
diff --git a/virtualization/capabilities_service/aidl/aidl_api/android.hardware.virtualization.capabilities.capabilities_service/current/android/hardware/virtualization/capabilities/IVmCapabilitiesService.aidl b/virtualization/capabilities_service/aidl/aidl_api/android.hardware.virtualization.capabilities.capabilities_service/current/android/hardware/virtualization/capabilities/IVmCapabilitiesService.aidl
new file mode 100644
index 0000000..68ff021
--- /dev/null
+++ b/virtualization/capabilities_service/aidl/aidl_api/android.hardware.virtualization.capabilities.capabilities_service/current/android/hardware/virtualization/capabilities/IVmCapabilitiesService.aidl
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+///////////////////////////////////////////////////////////////////////////////
+// THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. //
+///////////////////////////////////////////////////////////////////////////////
+
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
+// two cases:
+// 1). this is a frozen version file - do not edit this in any case.
+// 2). this is a 'current' file. If you make a backwards compatible change to
+// the interface (from the latest frozen version), the build system will
+// prompt you to update this file with `m <name>-update-api`.
+//
+// You must not make a backward incompatible change to any AIDL file built
+// with the aidl_interface module type with versions property set. The module
+// type is used to build AIDL files in a way that they can be used across
+// independently updatable components of the system. If a device is shipped
+// with such a backward incompatible change, it has a high risk of breaking
+// later when a module using the interface is updated, e.g., Mainline modules.
+
+package android.hardware.virtualization.capabilities;
+@VintfStability
+interface IVmCapabilitiesService {
+ void grantAccessToVendorTeeServices(in ParcelFileDescriptor vmFd, in String[] vendorTeeServices);
+}
diff --git a/virtualization/capabilities_service/aidl/android/hardware/virtualization/capabilities/IVmCapabilitiesService.aidl b/virtualization/capabilities_service/aidl/android/hardware/virtualization/capabilities/IVmCapabilitiesService.aidl
new file mode 100644
index 0000000..0d09ecb
--- /dev/null
+++ b/virtualization/capabilities_service/aidl/android/hardware/virtualization/capabilities/IVmCapabilitiesService.aidl
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.hardware.virtualization.capabilities;
+
+/**
+ * Encapsulates vendor-specific capabilities that can be granted to VMs.
+ */
+@VintfStability
+interface IVmCapabilitiesService {
+ /**
+ * Grant access for the VM represented by the given vm_fd to the given vendor-owned tee
+ * services. The names in |vendorTeeServices| must match the ones defined in the
+ * tee_service_contexts files.
+ * TODO(ioffe): link to the integration doc for custom smc filtering feature once
+ * it's ready.
+ */
+ void grantAccessToVendorTeeServices(
+ in ParcelFileDescriptor vmFd, in String[] vendorTeeServices);
+}
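Review bot: The doc comment on `grantAccessToVendorTeeServices` leaves the failure contract of a privilege-granting call unspecified, and because the interface is `@VintfStability` every vendor implementation will have to guess it. It should state what `vmFd` must refer to and what happens when it does not identify a VM, and what happens when a name in `vendorTeeServices` is not defined in the tee_service_contexts files. I would specify that the call fails closed, e.g. `@throws EX_ILLEGAL_ARGUMENT if any name is unknown; in that case no access is granted for any entry`, and say whether repeated calls are additive and which caller is expected to invoke the method. The comment also refers to `vm_fd` while the parameter is `vmFd`, and the `TODO(ioffe)` link should be resolved before the interface is frozen.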