Revert "Revert "Revert "[rkp] Expose RKP Hal implementation in v..."
Revert submission 2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT
Reason for revert: SELinux denials: b/310744536
Reverted changes: /q/submissionid:2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT
Change-Id: I84f496f51a8b4ce0590c1daf349353dc79bf5bc4
diff --git a/virtualizationservice/src/main.rs b/virtualizationservice/src/main.rs
index c2e55eb..fd668bc 100644
--- a/virtualizationservice/src/main.rs
+++ b/virtualizationservice/src/main.rs
@@ -33,8 +33,8 @@
use std::path::Path;
const LOG_TAG: &str = "VirtualizationService";
-const REMOTELY_PROVISIONED_COMPONENT_SERVICE_NAME: &str =
- "android.hardware.security.keymint.IRemotelyProvisionedComponent/avf";
+const _REMOTELY_PROVISIONED_COMPONENT_SERVICE_NAME: &str =
+ "android.system.virtualization.IRemotelyProvisionedComponent/avf";
fn get_calling_pid() -> pid_t {
ThreadState::get_calling_pid()
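Review bot: `_REMOTELY_PROVISIONED_COMPONENT_SERVICE_NAME` is now dead code kept alive only by the underscore prefix, and nothing says why it stays or that its value is not the name the reverted change registered (`android.system.virtualization...` here, `android.hardware.security.keymint...` on the removed lines). Since the stated revert reason is SELinux denials, whoever re-enables registration will presumably need this string to match the service context and manifest entries exactly. I would add a comment above the constant such as `// Placeholder, not registered; confirm the instance name against sepolicy before use (b/274881098).`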
@@ -69,17 +69,10 @@
register_lazy_service(BINDER_SERVICE_IDENTIFIER, service.as_binder()).unwrap();
info!("Registered Binder service {}.", BINDER_SERVICE_IDENTIFIER);
- if cfg!(remote_attestation) {
- // The IRemotelyProvisionedComponent service is only supposed to be triggered by rkpd for
- // RKP VM attestation.
- let remote_provisioning_service = remote_provisioning::new_binder();
- register_lazy_service(
- REMOTELY_PROVISIONED_COMPONENT_SERVICE_NAME,
- remote_provisioning_service.as_binder(),
- )
- .unwrap();
- info!("Registered Binder service {}.", REMOTELY_PROVISIONED_COMPONENT_SERVICE_NAME);
- }
+ // The IRemotelyProvisionedComponent service is only supposed to be triggered by rkpd for
+ // RKP VM attestation.
+ let _remote_provisioning_service = remote_provisioning::new_binder();
+ // TODO(b/274881098): Register the RKP service when the implementation is ready.
ProcessState::join_thread_pool();
}
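Review bot: The comment kept above `let _remote_provisioning_service = remote_provisioning::new_binder();` still describes a service "triggered by rkpd", but after this change the object is built and never registered, so the comment no longer matches the code. The construction also runs unconditionally now, where the removed code built it only under `cfg!(remote_attestation)`; if `new_binder()` does any work beyond allocating the object (not visible here), that work now happens on every build. I would reword the comment to something like `// Constructed only to keep the implementation compiled; intentionally not registered, so it is unreachable over binder.` and keep the existing TODO line. The enclosing function starts outside this hunk.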
diff --git a/virtualizationservice/src/remote_provisioning.rs b/virtualizationservice/src/remote_provisioning.rs
index 40f54db..a9a07a5 100644
--- a/virtualizationservice/src/remote_provisioning.rs
+++ b/virtualizationservice/src/remote_provisioning.rs
@@ -27,11 +27,7 @@
};
use anyhow::Context;
use avflog::LogResult;
-use binder::{
- BinderFeatures, ExceptionCode, Interface, IntoBinderResult, Result as BinderResult, Status,
- Strong,
-};
-use hypervisor_props::is_protected_vm_supported;
+use binder::{BinderFeatures, Interface, IntoBinderResult, Result as BinderResult, Status, Strong};
use service_vm_comm::{RequestProcessingError, Response};
/// Constructs a binder object that implements `IRemotelyProvisionedComponent`.
@@ -49,13 +45,11 @@
#[allow(non_snake_case)]
impl IRemotelyProvisionedComponent for AvfRemotelyProvisionedComponent {
fn getHardwareInfo(&self) -> BinderResult<RpcHardwareInfo> {
- check_protected_vm_is_supported()?;
-
Ok(RpcHardwareInfo {
versionNumber: 3,
rpcAuthorName: String::from("Android Virtualization Framework"),
supportedEekCurve: CURVE_NONE,
- uniqueId: Some(String::from("AVF Remote Provisioning 1")),
+ uniqueId: Some(String::from("Android Virtualization Framework 1")),
supportedNumKeysInCsr: MIN_SUPPORTED_NUM_KEYS_IN_CSR,
})
}
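Review bot: Dropping `check_protected_vm_is_supported()?;` from `getHardwareInfo` leaves this method answering on devices without protected VM support, and the same guard is removed from the two methods in the next two hunks (the one taking `testMode` and the one taking `keysToSign`/`challenge`), with the helper itself deleted in the last hunk. That is harmless while main.rs does not register the service, but nothing in this file records that the guard has to return together with the registration. I would put a comment on the `impl` block, for example `// TODO(b/274881098): restore the protected-VM support check in every method before this service is registered.` The `impl` block continues past the end of this hunk.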
@@ -65,8 +59,6 @@
testMode: bool,
macedPublicKey: &mut MacedPublicKey,
) -> BinderResult<Vec<u8>> {
- check_protected_vm_is_supported()?;
-
if testMode {
return Err(Status::new_service_specific_error_str(
STATUS_REMOVED,
@@ -109,8 +101,6 @@
keysToSign: &[MacedPublicKey],
challenge: &[u8],
) -> BinderResult<Vec<u8>> {
- check_protected_vm_is_supported()?;
-
const MAX_CHALLENGE_SIZE: usize = 64;
if challenge.len() > MAX_CHALLENGE_SIZE {
let message = format!(
@@ -133,18 +123,6 @@
}
}
-fn check_protected_vm_is_supported() -> BinderResult<()> {
- if is_protected_vm_supported().unwrap_or(false) {
- Ok(())
- } else {
- Err(Status::new_exception_str(
- ExceptionCode::UNSUPPORTED_OPERATION,
- Some("Protected VM support is missing for this operation"),
- ))
- .with_log()
- }
-}
-
fn to_service_specific_error(response: Response) -> Status {
match response {
Response::Err(e) => match e {