[rkp] Add IRemotelyProvisionedComponent skeleton impl in host
This cl adds the skeleton code of IRemotelyProvisionedComponent
in the host. The implementation of each method of this HAL will
be added in subsequent cls.
Bug: 274881098
Test: atest MicrodroidHostTests
Change-Id: I782180ff6e5100b5ab53c49f5ac91ef9c9076111
diff --git a/virtualizationservice/Android.bp b/virtualizationservice/Android.bp
index 67890e2..ff7e7d3 100644
--- a/virtualizationservice/Android.bp
+++ b/virtualizationservice/Android.bp
@@ -20,6 +20,7 @@
},
prefer_rlib: true,
rustlibs: [
+ "android.hardware.security.rkp-V3-rust",
"android.system.virtualizationcommon-rust",
"android.system.virtualizationservice-rust",
"android.system.virtualizationservice_internal-rust",
diff --git a/virtualizationservice/src/main.rs b/virtualizationservice/src/main.rs
index bf8b944..cfca885 100644
--- a/virtualizationservice/src/main.rs
+++ b/virtualizationservice/src/main.rs
@@ -16,6 +16,7 @@
mod aidl;
mod atom;
+mod remote_provisioning;
mod rkpvm;
use crate::aidl::{
@@ -31,6 +32,8 @@
use std::os::unix::raw::{pid_t, uid_t};
const LOG_TAG: &str = "VirtualizationService";
+const _REMOTELY_PROVISIONED_COMPONENT_SERVICE_NAME: &str =
+ "android.system.virtualization.IRemotelyProvisionedComponent/avf";
fn get_calling_pid() -> pid_t {
ThreadState::get_calling_pid()
@@ -58,7 +61,13 @@
let service = VirtualizationServiceInternal::init();
let service = BnVirtualizationServiceInternal::new_binder(service, BinderFeatures::default());
register_lazy_service(BINDER_SERVICE_IDENTIFIER, service.as_binder()).unwrap();
- info!("Registered Binder service, joining threadpool.");
+ info!("Registered Binder service {}.", BINDER_SERVICE_IDENTIFIER);
+
+ // The IRemotelyProvisionedComponent service is only supposed to be triggered by rkpd for
+ // RKP VM attestation.
+ let _remote_provisioning_service = remote_provisioning::new_binder();
+ // TODO(b/274881098): Register the RKP service when the implementation is ready.
+
ProcessState::join_thread_pool();
}
diff --git a/virtualizationservice/src/remote_provisioning.rs b/virtualizationservice/src/remote_provisioning.rs
new file mode 100644
index 0000000..1acbcee
--- /dev/null
+++ b/virtualizationservice/src/remote_provisioning.rs
@@ -0,0 +1,86 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! IRemotelyProvisionedComponent HAL implementation.
+
+use android_hardware_security_rkp::aidl::android::hardware::security::keymint::{
+ DeviceInfo::DeviceInfo,
+ IRemotelyProvisionedComponent::{
+ BnRemotelyProvisionedComponent, IRemotelyProvisionedComponent, STATUS_REMOVED,
+ },
+ MacedPublicKey::MacedPublicKey,
+ ProtectedData::ProtectedData,
+ RpcHardwareInfo::{RpcHardwareInfo, CURVE_NONE, MIN_SUPPORTED_NUM_KEYS_IN_CSR},
+};
+use avflog::LogResult;
+use binder::{BinderFeatures, ExceptionCode, Interface, Result as BinderResult, Status, Strong};
+
+/// Constructs a binder object that implements `IRemotelyProvisionedComponent`.
+pub(crate) fn new_binder() -> Strong<dyn IRemotelyProvisionedComponent> {
+ BnRemotelyProvisionedComponent::new_binder(
+ AvfRemotelyProvisionedComponent {},
+ BinderFeatures::default(),
+ )
+}
+
+struct AvfRemotelyProvisionedComponent {}
+
+impl Interface for AvfRemotelyProvisionedComponent {}
+
+#[allow(non_snake_case)]
+impl IRemotelyProvisionedComponent for AvfRemotelyProvisionedComponent {
+ fn getHardwareInfo(&self) -> BinderResult<RpcHardwareInfo> {
+ Ok(RpcHardwareInfo {
+ versionNumber: 3,
+ rpcAuthorName: String::from("Android Virtualization Framework"),
+ supportedEekCurve: CURVE_NONE,
+ uniqueId: Some(String::from("Android Virtualization Framework 1")),
+ supportedNumKeysInCsr: MIN_SUPPORTED_NUM_KEYS_IN_CSR,
+ })
+ }
+
+ fn generateEcdsaP256KeyPair(
+ &self,
+ _testMode: bool,
+ _macedPublicKey: &mut MacedPublicKey,
+ ) -> BinderResult<Vec<u8>> {
+ // TODO(b/274881098): Implement this.
+ Err(Status::new_exception(ExceptionCode::UNSUPPORTED_OPERATION, None)).with_log()
+ }
+
+ fn generateCertificateRequest(
+ &self,
+ _testMode: bool,
+ _keysToSign: &[MacedPublicKey],
+ _endpointEncryptionCertChain: &[u8],
+ _challenge: &[u8],
+ _deviceInfo: &mut DeviceInfo,
+ _protectedData: &mut ProtectedData,
+ ) -> BinderResult<Vec<u8>> {
+ Err(Status::new_service_specific_error_str(
+ STATUS_REMOVED,
+ Some("This method was deprecated in v3 of the interface."),
+ ))
+ .with_log()
+ }
+
+ fn generateCertificateRequestV2(
+ &self,
+ _keysToSign: &[MacedPublicKey],
+ _challenge: &[u8],
+ ) -> BinderResult<Vec<u8>> {
+ // TODO(b/274881098): Implement this.
+ Err(Status::new_exception(ExceptionCode::UNSUPPORTED_OPERATION, None)).with_log()
+ }
+}