diff --git a/security/keymint/aidl/default/Android.bp b/security/keymint/aidl/default/Android.bp
index c707845..1d23a34 100644
--- a/security/keymint/aidl/default/Android.bp
+++ b/security/keymint/aidl/default/Android.bp
@@ -115,5 +115,47 @@
         "libkmr_wire",
     ],
     srcs: ["ta/lib.rs"],
+}
 
+apex {
+    name: "com.android.hardware.keymint.rust_nonsecure",
+    manifest: "manifest.json",
+    file_contexts: "file_contexts",
+    key: "com.google.cf.apex.key",
+    certificate: ":com.android.hardware.certificate",
+    soc_specific: true,
+    updatable: false,
+    binaries: [
+        "android.hardware.security.keymint-service.nonsecure",
+    ],
+    prebuilts: [
+        "keymint_aidl_nonsecure_init_rc",
+        "keymint_aidl_nonsecure_vintf",
+        "android.hardware.hardware_keystore.xml", // permissions
+    ],
+}
+
+prebuilt_etc {
+    name: "keymint_aidl_nonsecure_init_rc",
+    filename_from_src: true,
+    vendor: true,
+    src: ":gen-keymint_aidl_nonsecure_init_rc",
+}
+
+genrule {
+    name: "gen-keymint_aidl_nonsecure_init_rc",
+    srcs: ["android.hardware.security.keymint-service.nonsecure.rc"],
+    out: ["android.hardware.security.keymint-service.nonsecure.apex.rc"],
+    cmd: "sed -E 's%/vendor/bin/%/apex/com.android.hardware.keymint/bin/%' $(in) > $(out)",
+}
+
+prebuilt_etc {
+    name: "keymint_aidl_nonsecure_vintf",
+    sub_dir: "vintf",
+    vendor: true,
+    srcs: [
+        "android.hardware.security.keymint-service.xml",
+        "android.hardware.security.sharedsecret-service.xml",
+        "android.hardware.security.secureclock-service.xml",
+    ],
 }
diff --git a/security/keymint/aidl/default/file_contexts b/security/keymint/aidl/default/file_contexts
new file mode 100644
index 0000000..dce7e3c
--- /dev/null
+++ b/security/keymint/aidl/default/file_contexts
@@ -0,0 +1,3 @@
+(/.*)?                                                           u:object_r:vendor_file:s0
+/etc(/.*)?                                                       u:object_r:vendor_configs_file:s0
+/bin/hw/android\.hardware\.security\.keymint-service\.nonsecure  u:object_r:hal_keymint_rust_exec:s0
diff --git a/security/keymint/aidl/default/manifest.json b/security/keymint/aidl/default/manifest.json
new file mode 100644
index 0000000..289943e
--- /dev/null
+++ b/security/keymint/aidl/default/manifest.json
@@ -0,0 +1,5 @@
+{
+    "name": "com.android.hardware.keymint",
+    "version": 1,
+    "vendorBootstrap": true
+}