virtmgr: also support non-vendor tee services
We are going to reuse the teeServices field of the
VirtualMachineRawConfig to also handle cases of generic "system" tee
services. First such case (guest-ffa-proxy) will be added in the
follow-up patch.
This patch simply splits teeServices into "vendor" (name has the "vendor."
prefix) and "system" (the rest). The handling of the "vendor" tee
services will be partially delegated to the IVmCapabilitiesService HAL
in one of the follow-up patches, while handling of the "system" tee
services will be entirely done between virtmgr & crosvm.
Bug: 391774181
Bug: 360102915
Test: presubmit
Change-Id: I9ef85475204ed53a56dbf2c25661a7c0b0da3cb0
diff --git a/android/virtmgr/src/aidl.rs b/android/virtmgr/src/aidl.rs
index eefaa65..a47aa23 100644
--- a/android/virtmgr/src/aidl.rs
+++ b/android/virtmgr/src/aidl.rs
@@ -151,6 +151,17 @@
}
});
+// TODO(ioffe): add service for guest-ffa.
+const KNOWN_TEE_SERVICES: [&str; 0] = [];
+
+fn check_known_tee_service(tee_service: &str) -> binder::Result<()> {
+ if !KNOWN_TEE_SERVICES.contains(&tee_service) {
+ return Err(anyhow!("unknown tee_service {tee_service}"))
+ .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);
+ }
+ Ok(())
+}
+
fn create_or_update_idsig_file(
input_fd: &ParcelFileDescriptor,
idsig_fd: &ParcelFileDescriptor,
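Review bot: The new `check_known_tee_service` has no doc comment, and because `KNOWN_TEE_SERVICES` is currently empty, every non-`vendor.` name handed to it is rejected with UNSUPPORTED_OPERATION, which a reader of the call site cannot tell without locating the constant. Suggest `/// Rejects a "system" (non-`vendor.`-prefixed) TEE service name that is not in `KNOWN_TEE_SERVICES` with UNSUPPORTED_OPERATION.` above the function, and a one-line comment on the constant stating that it is the allow-list of non-vendor TEE service names virtmgr accepts. As a point of style, declaring the constant as a slice, `const KNOWN_TEE_SERVICES: &[&str] = &[];`, avoids bumping the `[&str; N]` length each time the follow-up noted in the TODO adds an entry, and `.contains(&tee_service)` works unchanged. The caller-supplied name is echoed only into the error returned to that same caller, so no other information is exposed by the message.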
@@ -716,11 +727,35 @@
*is_protected = config.protectedVm;
if !config.teeServices.is_empty() {
+ // TODO(ioffe): only pVMs should be able to request access to teeServices.
check_tee_service_permission(&caller_secontext, &config.teeServices)
.with_log()
.or_binder_exception(ExceptionCode::SECURITY)?;
}
+ let mut system_tee_services = Vec::new();
+ let mut vendor_tee_services = Vec::new();
+ for tee_service in config.teeServices.clone() {
+ if !tee_service.starts_with("vendor.") {
+ check_known_tee_service(&tee_service)?;
+ system_tee_services.push(tee_service);
+ } else {
+ vendor_tee_services.push(tee_service);
+ }
+ }
+
+ // TODO(b/391774181): handle vendor tee services (which require talking to HAL) as well.
+ if !vendor_tee_services.is_empty() {
+ return Err(anyhow!("support for vendor tee services is coming soon!"))
+ .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);
+ }
+
+ // TODO(ioffe): remove this check in a follow-up patch.
+ if !system_tee_services.is_empty() {
+ return Err(anyhow!("support for system tee services is coming soon!"))
+ .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);
+ }
+
let kernel = maybe_clone_file(&config.kernel)?;
let initrd = maybe_clone_file(&config.initrd)?;