commit 0dcab55bb3447c251d447fe82b6425c401bc8646
author Alice Wang <aliceywang@google.com> Wed Mar 20 14:42:30 2024 +0000
committer Alice Wang <aliceywang@google.com> Thu Mar 21 13:17:16 2024 +0000
tree 796e9431a66f4246df000e4eeee6b196e5fa0ca3
parent 7167e1a27e4d41e909466d1263a848f32caaa9e4

[attestation] Verify AVF RKP Hal presence in VM Attestation

This cl adds a verification step to check the presence of AVF RKP
Hal during the VM attestation. This step ensures that in cases
where a device lacks support for VM attestation, an
AVmAttestationStatus: ATTESTATION_ERROR_UNSUPPORTED will be
returned to the VM.

This return status will also be used in subsequent tests to skip
the test if pVM remote attestation is not supported on the device.

Bug: 329652894
Test: atest AvfRkpdVmAttestationTestApp
Change-Id: If2bffde34dcd2a8bb78b9aa06f7aefc073f427d6

virtualizationservice/src/aidl.rs

diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index 2fe14c0..cda9636 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -299,6 +299,13 @@
             ))
             .with_log();
         }
+        if !remotely_provisioned_component_service_exists()? {
+            return Err(Status::new_exception_str(
+                ExceptionCode::UNSUPPORTED_OPERATION,
+                Some("AVF remotely provisioned component service is not declared"),
+            ))
+            .with_log();
+        }
         info!("Received csr. Requestting attestation...");
         let (key_blob, certificate_chain) = if test_mode {
             check_use_custom_virtual_machine()?;
@@ -763,6 +770,10 @@
     Ok(())
 }
 
+fn remotely_provisioned_component_service_exists() -> binder::Result<bool> {
+    Ok(binder::is_declared(REMOTELY_PROVISIONED_COMPONENT_SERVICE_NAME)?)
+}
+
 /// Checks whether the caller has a specific permission
 fn check_permission(perm: &str) -> binder::Result<()> {
     let calling_pid = get_calling_pid();