Merge "Convert vintf_fragments to vint_fragment_modules" into main
diff --git a/bluetooth/aidl/vts/VtsHalBluetoothTargetTest.cpp b/bluetooth/aidl/vts/VtsHalBluetoothTargetTest.cpp
index 4d90058..51931e7 100644
--- a/bluetooth/aidl/vts/VtsHalBluetoothTargetTest.cpp
+++ b/bluetooth/aidl/vts/VtsHalBluetoothTargetTest.cpp
@@ -397,12 +397,18 @@
while (!event_queue.empty()) {
std::vector<uint8_t> event;
event_queue.front(event);
- auto complete_view = ::bluetooth::hci::CommandCompleteView::Create(
+
+ auto event_view =
::bluetooth::hci::EventView::Create(::bluetooth::hci::PacketView<true>(
- std::make_shared<std::vector<uint8_t>>(event))));
- auto status_view = ::bluetooth::hci::CommandCompleteView::Create(
- ::bluetooth::hci::EventView::Create(::bluetooth::hci::PacketView<true>(
- std::make_shared<std::vector<uint8_t>>(event))));
+ std::make_shared<std::vector<uint8_t>>(event)));
+ if (!event_view.IsValid()) {
+ break;
+ }
+
+ auto status_view = ::bluetooth::hci::CommandStatusView::Create(event_view);
+ auto complete_view =
+ ::bluetooth::hci::CommandCompleteView::Create(event_view);
+
bool is_complete_no_op =
complete_view.IsValid() &&
complete_view.GetCommandOpCode() == ::bluetooth::hci::OpCode::NONE;
diff --git a/compatibility_matrices/exclude/fcm_exclude.cpp b/compatibility_matrices/exclude/fcm_exclude.cpp
index eec5a75..1d5b2bd 100644
--- a/compatibility_matrices/exclude/fcm_exclude.cpp
+++ b/compatibility_matrices/exclude/fcm_exclude.cpp
@@ -170,6 +170,7 @@
"android.hardware.audio.core.sounddose@3",
// This is only used by a trusty VM
"android.hardware.security.see.authmgr@1",
+ "android.hardware.security.see.hdcp@1",
// Deprecated HALs.
"android.hardware.audio.sounddose@3",
diff --git a/drm/Android.bp b/drm/Android.bp
new file mode 100644
index 0000000..35c1b03
--- /dev/null
+++ b/drm/Android.bp
@@ -0,0 +1,5 @@
+dirgroup {
+ name: "trusty_dirgroup_hardware_interfaces_drm",
+ dirs: ["."],
+ visibility: ["//trusty/vendor/google/aosp/scripts"],
+}
diff --git a/drm/aidl/Android.bp b/drm/aidl/Android.bp
index 827621c..7ee8c34 100644
--- a/drm/aidl/Android.bp
+++ b/drm/aidl/Android.bp
@@ -27,6 +27,9 @@
ndk: {
min_sdk_version: "34",
},
+ rust: {
+ enabled: true,
+ },
},
double_loadable: true,
versions_with_info: [
diff --git a/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp b/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
index 62215f3..a799ab1 100644
--- a/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
+++ b/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
@@ -99,7 +99,7 @@
// Check that the attested Verified Boot key is 32 bytes of zeroes since the bootloader is unlocked.
TEST_P(BootloaderStateTest, VerifiedBootKeyAllZeroes) {
// Gate this test to avoid waiver issues.
- if (get_vsr_api_level() <= AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ if (get_vendor_api_level() <= AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
return;
}
@@ -142,13 +142,13 @@
avb_slot_verify_data_calculate_vbmeta_digest(avbSlotData, AVB_DIGEST_TYPE_SHA256,
sha256Digest.data());
- if (get_vsr_api_level() >= AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ if (get_vendor_api_level() >= AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
ASSERT_TRUE(attestedVbmetaDigest_ == sha256Digest)
<< "Attested VBMeta digest (" << bin2hex(attestedVbmetaDigest_)
<< ") does not match the expected SHA-256 digest (" << bin2hex(sha256Digest)
<< ").";
} else {
- // Prior to VSR-V, there was no MUST requirement for the algorithm used by the bootloader
+ // Prior to VSR-15, there was no MUST requirement for the algorithm used by the bootloader
// to calculate the VBMeta digest. However, the only two supported options are SHA-256 and
// SHA-512, so we expect the attested VBMeta digest to match one of these.
vector<uint8_t> sha512Digest(AVB_SHA512_DIGEST_SIZE);
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
index 4429816..06e0f58 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
@@ -1435,12 +1435,11 @@
}
bool KeyMintAidlTestBase::IsRkpSupportRequired() const {
- // This is technically not a match to the requirements for S chipsets,
- // however when S shipped there was a bug in the test that skipped the
- // tests if KeyMint 2 was not on the system. So we allowed many chipests
- // to ship without RKP support. In T we hardened the requirements around
- // support for RKP, so relax the test to match.
- return get_vsr_api_level() >= __ANDROID_API_T__;
+ // This is technically weaker than the VSR-12 requirements, but when
+ // Android 12 shipped, there was a bug that skipped the tests if KeyMint
+ // 2 was not present. As a result, many chipsets were allowed to ship
+ // without RKP support. The RKP requirements were hardened in VSR-13.
+ return get_vendor_api_level() >= __ANDROID_API_T__;
}
vector<uint32_t> KeyMintAidlTestBase::ValidKeySizes(Algorithm algorithm) {
@@ -1691,11 +1690,11 @@
vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics,
vector<Certificate>* cert_chain) {
- // The original specification for KeyMint v1 required ATTEST_KEY not be combined
- // with any other key purpose, but the original VTS tests incorrectly did exactly that.
- // This means that a device that launched prior to Android T (API level 33) may
- // accept or even require KeyPurpose::SIGN too.
- if (get_vsr_api_level() < __ANDROID_API_T__) {
+ // The original specification for KeyMint v1 (introduced in Android 12) required ATTEST_KEY not
+ // be combined with any other key purpose, but the original VTS-12 tests incorrectly did exactly
+ // that. The tests were fixed in VTS-13 (vendor API level 33). This means that devices with
+ // vendor API level < 33 may accept or even require KeyPurpose::SIGN too.
+ if (get_vendor_api_level() < __ANDROID_API_T__) {
AuthorizationSet key_desc_plus_sign = key_desc;
key_desc_plus_sign.push_back(TAG_PURPOSE, KeyPurpose::SIGN);
@@ -1820,13 +1819,19 @@
OPENSSL_free(cert_issuer);
}
-int get_vsr_api_level() {
+int get_vendor_api_level() {
+ // Android 13+ builds have the `ro.vendor.api_level` system property. See
+ // https://source.android.com/docs/core/architecture/api-flags#determine_vendor_api_level_android_13.
int vendor_api_level = ::android::base::GetIntProperty("ro.vendor.api_level", -1);
if (vendor_api_level != -1) {
return vendor_api_level;
}
- // Android S and older devices do not define ro.vendor.api_level
+ // Android 12 builds have the `ro.board.api_level` and `ro.board.first_api_level` system
+ // properties, which are only expected to be populated for GRF SoCs on Android 12 builds. Note
+ // that they are populated automatically by the build system starting in Android 15, but we use
+ // `ro.vendor.api_level` on such builds (see above). For details, see
+ // https://docs.partner.android.com/gms/building/integrating/extending-os-upgrade-support-windows#new-system-properties.
vendor_api_level = ::android::base::GetIntProperty("ro.board.api_level", -1);
if (vendor_api_level == -1) {
vendor_api_level = ::android::base::GetIntProperty("ro.board.first_api_level", -1);
@@ -1838,11 +1843,12 @@
EXPECT_NE(product_api_level, -1) << "Could not find ro.build.version.sdk";
}
- // VSR API level is the minimum of vendor_api_level and product_api_level.
- if (vendor_api_level == -1 || vendor_api_level > product_api_level) {
+ // If the `ro.board.api_level` and `ro.board.first_api_level` properties aren't populated, it
+ // means the build doesn't have a GRF SoC, so the product API level should be used.
+ if (vendor_api_level == -1) {
return product_api_level;
}
- return vendor_api_level;
+ return std::min(product_api_level, vendor_api_level);
}
bool is_gsi_image() {
@@ -1909,13 +1915,13 @@
}
}
- if (get_vsr_api_level() > AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ if (get_vendor_api_level() > AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
// The Verified Boot key field should be exactly 32 bytes since it
// contains the SHA-256 hash of the key on locked devices or 32 bytes
// of zeroes on unlocked devices. This wasn't checked for earlier
- // versions of the KeyMint HAL, so only only be strict for VSR-16+.
+ // versions of the KeyMint HAL, so we version-gate the strict check.
EXPECT_EQ(verified_boot_key.size(), 32);
- } else if (get_vsr_api_level() == AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ } else if (get_vendor_api_level() == AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
// The Verified Boot key field should be:
// - Exactly 32 bytes on locked devices since it should contain
// the SHA-256 hash of the key, or
@@ -1924,7 +1930,7 @@
// specification).
// Thus, we can't check for strict equality in case unlocked devices
// report values with less than 32 bytes. This wasn't checked for
- // earlier versions of the KeyMint HAL, so only check on VSR-15.
+ // earlier versions of the KeyMint HAL, so we version-gate the check.
EXPECT_LE(verified_boot_key.size(), 32);
}
@@ -2416,7 +2422,7 @@
} else if (result == ErrorCode::INVALID_TAG) {
// Depending on the situation, other error codes may be acceptable. First, allow older
// implementations to use INVALID_TAG.
- ASSERT_FALSE(get_vsr_api_level() > __ANDROID_API_T__)
+ ASSERT_FALSE(get_vendor_api_level() > __ANDROID_API_T__)
<< "It is a specification violation for INVALID_TAG to be returned due to ID "
<< "mismatch in a Device ID Attestation call. INVALID_TAG is only intended to "
<< "be used for a case where updateAad() is called after update(). As of "
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
index 1c12136..6c327bb 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
@@ -406,8 +406,8 @@
add_tag(tags, ttag, ::android::base::GetProperty(prop, /* default= */ ""));
}
-// Return the VSR API level for this device.
-int get_vsr_api_level();
+// Return the vendor API level for this device.
+int get_vendor_api_level();
// Indicate whether the test is running on a GSI image.
bool is_gsi_image();
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index e8a767b..743928e 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -4158,13 +4158,15 @@
* when the EC_CURVE is not explicitly specified.
*/
TEST_P(ImportKeyTest, EcdsaSuccessCurveNotSpecified) {
- if (get_vsr_api_level() < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
/*
* The KeyMint spec was previously not clear as to whether EC_CURVE was optional on import
- * of EC keys. However, this was not checked at the time so we can only be strict about
- * checking this for implementations at VSR-V or later.
+ * of EC keys. However, this was not checked at the time, so we version-gate the strict
+ * check.
*/
- GTEST_SKIP() << "Skipping EC_CURVE on import only strict >= VSR-V";
+ GTEST_SKIP() << "Applies only to vendor API level >= 202404, but this device is: "
+ << vendor_api_level;
}
ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
@@ -5316,15 +5318,15 @@
"8564");
TEST_P(ImportWrappedKeyTest, RsaKey) {
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
/*
* The Keymaster v4 spec introduced `importWrappedKey()` and did not restrict it to
* just symmetric keys. However, the import of asymmetric wrapped keys was not tested
- * at the time, so we can only be strict about checking this for implementations claiming
- * support for VSR API level 35 and above.
+ * at the time, so we version-gate the strict check.
*/
- GTEST_SKIP() << "Applies only to VSR API level 35, this device is: " << vsr_api_level;
+ GTEST_SKIP() << "Applies only to vendor API level >= 202404, but this device is: "
+ << vendor_api_level;
}
auto wrapping_key_desc = AuthorizationSetBuilder()
@@ -5347,15 +5349,15 @@
}
TEST_P(ImportWrappedKeyTest, EcKey) {
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
/*
* The Keymaster v4 spec introduced `importWrappedKey()` and did not restrict it to
* just symmetric keys. However, the import of asymmetric wrapped keys was not tested
- * at the time, so we can only be strict about checking this for implementations claiming
- * support for VSR API level 35 and above.
+ * at the time, so we version-gate the strict check.
*/
- GTEST_SKIP() << "Applies only to VSR API level 35, this device is: " << vsr_api_level;
+ GTEST_SKIP() << "Applies only to vendor API level >= 202404, but this device is: "
+ << vendor_api_level;
}
auto wrapping_key_desc = AuthorizationSetBuilder()
@@ -8945,27 +8947,30 @@
// @VsrTest = VSR-3.10-008
TEST_P(VsrRequirementTest, Vsr13Test) {
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < __ANDROID_API_T__) {
- GTEST_SKIP() << "Applies only to VSR API level 33, this device is: " << vsr_api_level;
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < __ANDROID_API_T__) {
+ GTEST_SKIP() << "Applies only to vendor API level >= 33, but this device is: "
+ << vendor_api_level;
}
EXPECT_GE(AidlVersion(), 2) << "VSR 13+ requires KeyMint version 2";
}
// @VsrTest = VSR-3.10-013.001
TEST_P(VsrRequirementTest, Vsr14Test) {
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < __ANDROID_API_U__) {
- GTEST_SKIP() << "Applies only to VSR API level 34, this device is: " << vsr_api_level;
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < __ANDROID_API_U__) {
+ GTEST_SKIP() << "Applies only to vendor API level >= 34, but this device is: "
+ << vendor_api_level;
}
EXPECT_GE(AidlVersion(), 3) << "VSR 14+ requires KeyMint version 3";
}
// @VsrTest = GMS-VSR-3.10-019
TEST_P(VsrRequirementTest, Vsr16Test) {
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level <= AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
- GTEST_SKIP() << "Applies only to VSR API level > 35, this device is: " << vsr_api_level;
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level <= AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ GTEST_SKIP() << "Applies only to vendor API level > 202404, but this device is: "
+ << vendor_api_level;
}
if (SecLevel() == SecurityLevel::STRONGBOX) {
GTEST_SKIP() << "Applies only to TEE KeyMint, not StrongBox KeyMint";
diff --git a/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp b/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp
index 1f09328..5888644 100644
--- a/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp
+++ b/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp
@@ -115,13 +115,14 @@
const auto& vbKey = rot->asArray()->get(pos++);
ASSERT_TRUE(vbKey);
ASSERT_TRUE(vbKey->asBstr());
- if (get_vsr_api_level() > AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ if (get_vendor_api_level() > AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
// The Verified Boot key field should be exactly 32 bytes since it
// contains the SHA-256 hash of the key on locked devices or 32 bytes
// of zeroes on unlocked devices. This wasn't checked for earlier
- // versions of the KeyMint HAL, so only only be strict for VSR-16+.
+ // versions of the KeyMint HAL, so we version-gate the strict check.
ASSERT_EQ(vbKey->asBstr()->value().size(), 32);
- } else if (get_vsr_api_level() == AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ } else if (get_vendor_api_level() ==
+ AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
// The Verified Boot key field should be:
// - Exactly 32 bytes on locked devices since it should contain
// the SHA-256 hash of the key, or
@@ -130,7 +131,7 @@
// specification).
// Thus, we can't check for strict equality in case unlocked devices
// report values with less than 32 bytes. This wasn't checked for
- // earlier versions of the KeyMint HAL, so only check on VSR-15.
+ // earlier versions of the KeyMint HAL, so we version-gate the check.
ASSERT_LE(vbKey->asBstr()->value().size(), 32);
}
diff --git a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
index f40a752..810cc38 100644
--- a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
+++ b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
@@ -186,10 +186,10 @@
if (status.getExceptionCode() == EX_UNSUPPORTED_OPERATION) {
GTEST_SKIP() << "The RKP VM is not supported on this system.";
}
- int apiLevel = get_vsr_api_level();
- if (apiLevel < __ANDROID_API_V__) {
- GTEST_SKIP() << "The RKP VM is supported only on V+ devices. Vendor API level: "
- << apiLevel;
+ int vendorApiLevel = get_vendor_api_level();
+ if (vendorApiLevel < __ANDROID_API_V__) {
+ GTEST_SKIP() << "The RKP VM is supported only on vendor API level >= 202404. This "
+ << "device has vendor API level: " << vendorApiLevel;
}
}
ASSERT_TRUE(status.isOk());
@@ -240,10 +240,10 @@
// @VsrTest = 3.10-015
// @VsrTest = 3.10-018.001
TEST(NonParameterizedTests, requireDiceOnDefaultInstanceIfStrongboxPresent) {
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < 35) {
- GTEST_SKIP() << "Applies only to VSR API level 35 or newer, this device is: "
- << vsr_api_level;
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < __ANDROID_API_V__) {
+ GTEST_SKIP() << "Applies only to vendor API level >= 202404, but this device is: "
+ << vendor_api_level;
}
if (!AServiceManager_isDeclared(KEYMINT_STRONGBOX_INSTANCE_NAME.c_str())) {
@@ -270,11 +270,11 @@
*/
// @VsrTest = 7.1-003.001
TEST(NonParameterizedTests, equalUdsPubInDiceCertChainForRkpVmAndPrimaryKeyMintInstances) {
- int apiLevel = get_vsr_api_level();
- if (apiLevel < 202504 && !AServiceManager_isDeclared(RKPVM_INSTANCE_NAME.c_str())) {
+ int vendorApiLevel = get_vendor_api_level();
+ if (vendorApiLevel < 202504 && !AServiceManager_isDeclared(RKPVM_INSTANCE_NAME.c_str())) {
GTEST_SKIP() << "The RKP VM (" << RKPVM_INSTANCE_NAME << ") is not present on this device.";
}
- if (apiLevel >= 202504) {
+ if (vendorApiLevel >= 202504) {
ASSERT_TRUE(AServiceManager_isDeclared(RKPVM_INSTANCE_NAME.c_str()));
}
@@ -319,10 +319,10 @@
*/
// @VsrTest = 3.10-018.003
TEST(NonParameterizedTests, componentNameInConfigurationDescriptorForPrimaryKeyMintInstance) {
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < 202504) {
- GTEST_SKIP() << "Applies only to VSR API level 202504 or newer, this device is: "
- << vsr_api_level;
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < 202504) {
+ GTEST_SKIP() << "Applies only to vendor API level >= 202504, but this device is: "
+ << vendor_api_level;
}
if (!AServiceManager_isDeclared(KEYMINT_STRONGBOX_INSTANCE_NAME.c_str())) {
@@ -1155,10 +1155,10 @@
TEST_P(VsrRequirementTest, VsrEnforcementTest) {
RpcHardwareInfo hwInfo;
ASSERT_TRUE(provisionable_->getHardwareInfo(&hwInfo).isOk());
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < 34) {
- GTEST_SKIP() << "Applies only to VSR API level 34 or newer, this device is: "
- << vsr_api_level;
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < __ANDROID_API_U__) {
+ GTEST_SKIP() << "Applies only to vendor API level >= 34, but this device is: "
+ << vendor_api_level;
}
EXPECT_GE(hwInfo.versionNumber, 3)
<< "VSR 14+ requires IRemotelyProvisionedComponent v3 or newer.";
diff --git a/security/see/hdcp/README.md b/security/see/hdcp/README.md
new file mode 100644
index 0000000..76b8670
--- /dev/null
+++ b/security/see/hdcp/README.md
@@ -0,0 +1,65 @@
+# IHDCPAuthControl as a Trusted HAL service
+
+IHDCPAuthControl is expected to be a service implemented in a TEE.
+We provide a default reference implementation and its integration in Trusty
+as an example.
+
+The VTS test for a Trusted HAL service ought to run in the VM.
+We provide an integration of the VTS test in a Trusty VM,
+and later in a Microdroid VM (b/380632474).
+
+This interface shall not be exposed to the host and thus shall be part of
+the list of excluded interfaces from
+[compatibility_matrices/exclude/fcm_exclude.cpp](../../../compatibility_matrices/exclude/fcm_exclude.cpp)
+
+## 1. Mock Implementation
+
+The mock implementation under default/src/lib.rs is expected to be integrated in a
+TEE. For AOSP testing we offer two virtual device testing options:
+
+- Cuttlefish AVD, where the reference implementation is integrated in an AVF VM, emulating a TEE.
+- Trusty QEMU AVD, where the reference implementation is integrated in a Trusty TEE image (executed in secure world)
+
+### 1.1. Cuttlefish: Integrate in an AVF HAL pVM (Trusty)
+
+In Cuttlefish, we emulate a TEE with an AVF Trusty pVM.
+The VM2TZ IPC is emulated with a vsock port forward utility (b/379582767).
+
+Until vsock port forwarding is supported, the trusty_test_vm is used temporarily.
+(VTS tests and HAL implementation will be in same pVM).
+
+TODO: complete when trusty_hal_vm is created
+
+In order to add the mock HdcpAuthControlService to the trusty_test_vm, make sure
+that `hardware/interfaces/security/see/hdcp/default` is added to the
+trusty_test_vm makefile, by adding it to
+[trusty/device/x86/generic-x86_64/project/generic-x86_64-inc.mk](../../../../../trusty/device/x86/generic-x86_64/project/generic-x86_64-inc.mk)
+
+### 1.2. Trusty QEMU AVD: Integrate as a TA in Trusty TEE
+
+In order to add the mock HdcpAuthControlService to the Trusty TEE, make sure
+that `hardware/interfaces/security/see/hdcp/default` is added to
+[trusty/device/arm/generic-arm64/project/generic-arm-inc.mk](../../../../../trusty/device/arm/generic-arm64/project/generic-arm-inc.mk)
+
+
+## 2. VTS Tests
+
+IHdcpAuthControl service is expected to only be exposed to AVF pVM.
+
+The VTS tests shall verify:
+
+- IHdcpAuthControl cannot be accessed from the Android Host:
+
+ see [aidl/vts/src/host_test.rs](aidl/vts/host_test.rs)
+
+- IHdcpAuthControl can be accessed from an AVF pVM:
+
+ see [aidl/vts/src/vm_test.rs](aidl/vts/src/vm_test.rs)
+ see [aidl/vts/AndroidTest.xml](aidl/vts/AndroidTest.xml)
+
+
+To integrate the VTS test in the trusty_test_vm:
+
+1.
+1. add the test to [hardware/interfaces/security/see/usertests-rust-inc.mk](../usertests-rust-inc.mk)
+
diff --git a/security/see/hdcp/aidl/Android.bp b/security/see/hdcp/aidl/Android.bp
new file mode 100644
index 0000000..ad1db37
--- /dev/null
+++ b/security/see/hdcp/aidl/Android.bp
@@ -0,0 +1,57 @@
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ default_team: "trendy_team_trusty",
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+aidl_interface {
+ name: "android.hardware.security.see.hdcp",
+ vendor_available: true,
+ srcs: ["android/hardware/security/see/hdcp/*.aidl"],
+ imports: [
+ "android.hardware.drm.common-V1",
+ ],
+ stability: "vintf",
+ frozen: false,
+ backend: {
+ java: {
+ enabled: false,
+ },
+ cpp: {
+ enabled: false,
+ },
+ ndk: {
+ min_sdk_version: "34",
+ },
+ rust: {
+ enabled: true,
+ gen_mockall: true,
+ additional_rustlibs: [
+ "libmockall",
+ ],
+ },
+ },
+}
+
+// A rust_defaults that includes the latest hdcp AIDL library.
+// Modules that depend on hdcp directly can include this rust_defaults to avoid
+// managing dependency versions explicitly.
+rust_defaults {
+ name: "hdcp_use_latest_hal_aidl_rust",
+ rustlibs: [
+ "android.hardware.security.see.hdcp-V1-rust",
+ ],
+}
diff --git a/security/see/hdcp/aidl/aidl_api/android.hardware.security.see.hdcp/current/android/hardware/security/see/hdcp/IHdcpAuthControl.aidl b/security/see/hdcp/aidl/aidl_api/android.hardware.security.see.hdcp/current/android/hardware/security/see/hdcp/IHdcpAuthControl.aidl
new file mode 100644
index 0000000..b73d554
--- /dev/null
+++ b/security/see/hdcp/aidl/aidl_api/android.hardware.security.see.hdcp/current/android/hardware/security/see/hdcp/IHdcpAuthControl.aidl
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+///////////////////////////////////////////////////////////////////////////////
+// THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. //
+///////////////////////////////////////////////////////////////////////////////
+
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
+// two cases:
+// 1). this is a frozen version file - do not edit this in any case.
+// 2). this is a 'current' file. If you make a backwards compatible change to
+// the interface (from the latest frozen version), the build system will
+// prompt you to update this file with `m <name>-update-api`.
+//
+// You must not make a backward incompatible change to any AIDL file built
+// with the aidl_interface module type with versions property set. The module
+// type is used to build AIDL files in a way that they can be used across
+// independently updatable components of the system. If a device is shipped
+// with such a backward incompatible change, it has a high risk of breaking
+// later when a module using the interface is updated, e.g., Mainline modules.
+
+package android.hardware.security.see.hdcp;
+@VintfStability
+interface IHdcpAuthControl {
+ android.hardware.drm.HdcpLevels getHdcpLevels();
+ void trySetHdcpLevel(in android.hardware.drm.HdcpLevel level);
+ android.hardware.security.see.hdcp.IHdcpAuthControl.PendingHdcpLevelResult getPendingHdcpLevel();
+ parcelable HalErrorCode {
+ const int NO_ERROR = 0;
+ const int GENERIC_ERROR = (-1) /* -1 */;
+ const int BAD_STATE = (-2) /* -2 */;
+ const int UNSUPPORTED = (-3) /* -3 */;
+ const int SERIALIZATION_ERROR = (-4) /* -4 */;
+ const int ALLOCATION_ERROR = (-5) /* -5 */;
+ const int BAD_PARAMETER = (-7) /* -7 */;
+ const int UNAUTHORIZED = (-8) /* -8 */;
+ }
+ parcelable PendingHdcpLevelResult {
+ android.hardware.security.see.hdcp.IHdcpAuthControl.PendingHdcpLevelResult.Status status;
+ android.hardware.drm.HdcpLevel level;
+ enum Status {
+ NONE,
+ PENDING,
+ }
+ }
+}
diff --git a/security/see/hdcp/aidl/android/hardware/security/see/hdcp/IHdcpAuthControl.aidl b/security/see/hdcp/aidl/android/hardware/security/see/hdcp/IHdcpAuthControl.aidl
new file mode 100644
index 0000000..b9a1fe5
--- /dev/null
+++ b/security/see/hdcp/aidl/android/hardware/security/see/hdcp/IHdcpAuthControl.aidl
@@ -0,0 +1,125 @@
+/*
+ * Copyright 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.hardware.security.see.hdcp;
+
+/**
+ * IHdcpAuthControl is used by the OEMCrypto Trusted Application to interact
+ * with a HDCP Encryption Trusted Application in order to control the
+ * HDCP Authentication Levels.
+ */
+@VintfStability
+interface IHdcpAuthControl {
+ /*
+ * Service error codes. Will be returned as service specific errors.
+ */
+ parcelable HalErrorCode {
+ /* Success */
+ const int NO_ERROR = 0;
+
+ /* Generic error */
+ const int GENERIC_ERROR = -1;
+
+ /* Desired operation cannot be performed because of the server current state */
+ const int BAD_STATE = -2;
+
+ /* Operation or parameters are not supported by the server */
+ const int UNSUPPORTED = -3;
+
+ /* Error encountered when parsing parameters */
+ const int SERIALIZATION_ERROR = -4;
+
+ /* Server ran out of memory when performing operation */
+ const int ALLOCATION_ERROR = -5;
+
+ /* Bad parameter supplied for the desired operation */
+ const int BAD_PARAMETER = -7;
+
+ /* Caller is not authorized to make this call */
+ const int UNAUTHORIZED = -8;
+ }
+ /**
+ * Result returned from the getPendingHdcpLevelResult API.
+ */
+ parcelable PendingHdcpLevelResult {
+ enum Status {
+ /**
+ * No pending HdcpLevel request
+ */
+ NONE,
+ /**
+ * a HdcpLevel request is pending, its level is provided in the
+ * |level| attribute
+ */
+ PENDING,
+ }
+ Status status;
+ android.hardware.drm.HdcpLevel level;
+ }
+
+ /**
+ * Return the currently negotiated and max supported HDCP levels.
+ *
+ * The current level is based on the display(s) the device is connected to.
+ * If multiple HDCP-capable displays are simultaneously connected to
+ * separate interfaces, this method returns the lowest negotiated HDCP level
+ * of all interfaces.
+ *
+ * The maximum HDCP level is the highest level that can potentially be
+ * negotiated. It is a constant for any device, i.e. it does not depend on
+ * downstream receiving devices that could be connected. For example, if
+ * the device has HDCP 1.x keys and is capable of negotiating HDCP 1.x, but
+ * does not have HDCP 2.x keys, then the maximum HDCP capability would be
+ * reported as 1.x. If multiple HDCP-capable interfaces are present, it
+ * indicates the highest of the maximum HDCP levels of all interfaces.
+ *
+ * This method should only be used for informational purposes, not for
+ * enforcing compliance with HDCP requirements. Trusted enforcement of HDCP
+ * policies must be handled by the DRM system.
+ *
+ * @return HdcpLevels parcelable
+ */
+ android.hardware.drm.HdcpLevels getHdcpLevels();
+
+ /**
+ * Attempts to set the device's HDCP auth level to |level|.
+ *
+ * @param level: desired HDCP level
+ *
+ * @return:
+ * a service specific error based on <code>HalErrorCode</code>,
+ * specifically:
+ * + BAD_PARAMETER: when HDCP_UNKNOWN is requested
+ * + UNSUPPORTED: when |level| is greater than the MaxLevel supported
+ * + BAD_STATE: when the HDCP's service currentLevel is HDCP_NO_OUTPUT
+ *
+ */
+ void trySetHdcpLevel(in android.hardware.drm.HdcpLevel level);
+
+ /**
+ * Retrieve the pending level currently being processed by the HDCP service.
+ * The pending HDCP protection level might be higher than the level initially
+ * requested. This can occur when multiple applications or services are
+ * using HDCP concurrently, and a higher level is needed to satisfy
+ * all requirements.
+ *
+ * @return:
+ * PendingHdcpLevelResult on success, which contains a status
+ * and an optional level; on error a service specific error based on
+ * <code>HalErrorCode</code> otherwise.
+ *
+ */
+ PendingHdcpLevelResult getPendingHdcpLevel();
+}
diff --git a/security/see/hdcp/aidl/trusty/drm/rust/rules.mk b/security/see/hdcp/aidl/trusty/drm/rust/rules.mk
new file mode 100644
index 0000000..742b6ab
--- /dev/null
+++ b/security/see/hdcp/aidl/trusty/drm/rust/rules.mk
@@ -0,0 +1,39 @@
+# Copyright (C) 2024 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+LOCAL_DIR := $(GET_LOCAL_DIR)
+
+MODULE := $(LOCAL_DIR)
+
+AIDL_DIR := hardware/interfaces/drm/aidl
+
+MODULE_AIDL_FLAGS := \
+ --stability=vintf \
+ --version=1 \
+
+MODULE_CRATE_NAME := android_hardware_drm
+
+MODULE_AIDL_LANGUAGE := rust
+
+MODULE_AIDL_PACKAGE := android/hardware/drm
+
+MODULE_AIDL_INCLUDES := \
+ -I $(AIDL_DIR) \
+
+MODULE_AIDLS := \
+ $(AIDL_DIR)/$(MODULE_AIDL_PACKAGE)/HdcpLevel.aidl \
+ $(AIDL_DIR)/$(MODULE_AIDL_PACKAGE)/HdcpLevels.aidl \
+
+include make/aidl.mk
diff --git a/security/see/hdcp/aidl/trusty/hdcp/rust/rules.mk b/security/see/hdcp/aidl/trusty/hdcp/rust/rules.mk
new file mode 100644
index 0000000..beab655
--- /dev/null
+++ b/security/see/hdcp/aidl/trusty/hdcp/rust/rules.mk
@@ -0,0 +1,47 @@
+# Copyright (C) 2024 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+LOCAL_DIR := $(GET_LOCAL_DIR)
+
+MODULE := $(LOCAL_DIR)
+
+AIDL_DIR := hardware/interfaces/security/see/hdcp/aidl
+DRM_AIDL_DIR := hardware/interfaces/drm/aidl
+
+MODULE_AIDL_FLAGS := \
+ --mockall \
+ --version=1 \
+
+MODULE_CRATE_NAME := android_hardware_security_see_hdcp
+
+MODULE_AIDL_LANGUAGE := rust
+
+MODULE_AIDL_PACKAGE := android/hardware/security/see/hdcp
+
+MODULE_AIDL_INCLUDES := \
+ -I $(AIDL_DIR) \
+ -I $(DRM_AIDL_DIR) \
+
+MODULE_AIDLS := \
+ $(AIDL_DIR)/$(MODULE_AIDL_PACKAGE)/IHdcpAuthControl.aidl \
+
+MODULE_AIDL_RUST_DEPS := \
+ android_hardware_drm
+
+MODULE_LIBRARY_DEPS := \
+ hardware/interfaces/security/see/hdcp/aidl/trusty/drm/rust \
+ $(call FIND_CRATE,mockall) \
+
+include make/aidl.mk
diff --git a/security/see/hdcp/aidl/vts/Android.bp b/security/see/hdcp/aidl/vts/Android.bp
new file mode 100644
index 0000000..eadb9cd
--- /dev/null
+++ b/security/see/hdcp/aidl/vts/Android.bp
@@ -0,0 +1,36 @@
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "hardware_interfaces_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["Android-Apache-2.0"],
+ default_team: "trendy_team_trusty",
+}
+
+rust_test {
+ name: "VtsAidlHdcpNonExistentTest",
+ srcs: ["src/host_test.rs"],
+ require_root: true,
+ test_suites: [
+ "general-tests",
+ "vts",
+ ],
+ rustlibs: [
+ "libbinder_rs",
+ ],
+}
diff --git a/security/see/hdcp/aidl/vts/src/host_test.rs b/security/see/hdcp/aidl/vts/src/host_test.rs
new file mode 100644
index 0000000..f64de20
--- /dev/null
+++ b/security/see/hdcp/aidl/vts/src/host_test.rs
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//! Test for asserting the non-existence of an IHdcpAuthControl.aidl
+
+#![cfg(test)]
+
+use binder;
+
+const HDCP_INTERFACE_NAME: &str = "android.hardware.security.see.hdcp.IHdcpAuthControl";
+
+#[test]
+fn test_hdcp_auth_control_non_existence() {
+ let hdcp_instances = match binder::get_declared_instances(HDCP_INTERFACE_NAME) {
+ Ok(vec) => vec,
+ Err(e) => {
+ panic!("failed to retrieve the declared interfaces for HdcpAuthControl: {:?}", e);
+ }
+ };
+ assert!(hdcp_instances.is_empty());
+}