Stop checking for /dev/kvm
Determine the hypervisor's VM capabilities from system properties
instead of checking for /dev/kvm.
Also unify the way we test for a debuggable build around
ro.debuggable.
Bug: 218276733
Test: adb shell cmd jobscheduler get-job-state android 5132250
Test: atest CompOsSigningHostTest
Change-Id: I2e9c6f406717b7a86c44cc399d322878fbdb97f7
diff --git a/compos/common/compos_client.rs b/compos/common/compos_client.rs
index 69f095a..b754ba7 100644
--- a/compos/common/compos_client.rs
+++ b/compos/common/compos_client.rs
@@ -206,8 +206,7 @@
return Ok(true);
}
- let build_type = system_properties::read("ro.build.type")?.context("ro.build.type not set")?;
- let is_debug_build = matches!(build_type.as_str(), "userdebug" | "eng");
+ let is_debug_build = system_properties::read("ro.debuggable")?.as_deref().unwrap_or("0") == "1";
if !is_debug_build {
bail!("Protected VM not supported, unable to start VM");
}
@@ -215,7 +214,7 @@
let have_unprotected_vm =
system_properties::read_bool("ro.boot.hypervisor.vm.supported", false)?;
if have_unprotected_vm {
- warn!("Protected VM not supported, falling back to unprotected on {} build", build_type);
+ warn!("Protected VM not supported, falling back to unprotected on debuggable build");
return Ok(false);
}
diff --git a/compos/service/java/com/android/server/compos/IsolatedCompilationService.java b/compos/service/java/com/android/server/compos/IsolatedCompilationService.java
index bd272a0..11e3743 100644
--- a/compos/service/java/com/android/server/compos/IsolatedCompilationService.java
+++ b/compos/service/java/com/android/server/compos/IsolatedCompilationService.java
@@ -16,6 +16,8 @@
package com.android.server.compos;
+import static android.os.Build.isDebuggable;
+
import android.annotation.NonNull;
import android.app.job.JobScheduler;
import android.content.Context;
@@ -25,12 +27,11 @@
import android.content.pm.StagedApexInfo;
import android.os.RemoteException;
import android.os.ServiceManager;
+import android.sysprop.HypervisorProperties;
import android.util.Log;
import com.android.server.SystemService;
-import java.io.File;
-
/**
* A system service responsible for performing Isolated Compilation (compiling boot & system server
* classpath JARs in a protected VM) when appropriate.
@@ -71,12 +72,20 @@
}
private static boolean isIsolatedCompilationSupported() {
- // Check that KVM is enabled on the device
- if (!new File("/dev/kvm").exists()) {
- return false;
+ // The CompOS APEX is present or we wouldn't be here. So just check that the device
+ // has a suitably capable hypervisor.
+
+ // We really want a protected VM
+ if (HypervisorProperties.hypervisor_protected_vm_supported().orElse(false)) {
+ return true;
}
- return true;
+ // But can use a non-protected VM on a debug build
+ if (isDebuggable()) {
+ return HypervisorProperties.hypervisor_vm_supported().orElse(false);
+ }
+
+ return false;
}
private static class StagedApexObserver extends IStagedApexObserver.Stub {