Merge "Enable GPU in crosvm" into main
diff --git a/README.md b/README.md
index 210f70e..827e55c 100644
--- a/README.md
+++ b/README.md
@@ -15,13 +15,14 @@
AVF components:
* [pVM firmware](pvmfw/README.md)
+* [Android Boot Loader (ABL)](docs/abl.md)
* [Microdroid](microdroid/README.md)
* [Microdroid kernel](microdroid/kernel/README.md)
* [Microdroid payload](microdroid/payload/README.md)
* [vmbase](vmbase/README.md)
AVF APIs:
-* [Java API](javalib/README.md)
+* [Java API](java/framework/README.md)
* [VM Payload API](vm_payload/README.md)
How-Tos:
@@ -29,4 +30,4 @@
* [Building and running a demo app in C++](demo_native/README.md)
* [Debugging](docs/debug)
* [Using custom VM](docs/custom_vm.md)
-* [Device assignment](docs/device_assignment.md)
\ No newline at end of file
+* [Device assignment](docs/device_assignment.md)
diff --git a/apex/Android.bp b/apex/Android.bp
index dbd1343..399ad97 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -138,6 +138,7 @@
"microdroid_initrd_normal",
"microdroid.json",
"microdroid_kernel",
+ "com.android.virt.init.rc",
],
host_required: [
"vm_shell",
@@ -171,13 +172,9 @@
],
},
release_avf_enable_remote_attestation: {
- prebuilts: ["com.android.virt.init_attestation_enabled.rc"],
vintf_fragments: [
"virtualizationservice.xml",
],
- conditions_default: {
- prebuilts: ["com.android.virt.init.rc"],
- },
},
},
}
@@ -199,16 +196,35 @@
certificate: "com.android.virt",
}
-prebuilt_etc {
- name: "com.android.virt.init.rc",
- src: "virtualizationservice.rc",
- filename: "virtualizationservice.rc",
- installable: false,
+soong_config_module_type {
+ name: "avf_flag_aware_genrule",
+ module_type: "genrule",
+ config_namespace: "ANDROID",
+ bool_variables: [
+ "release_avf_enable_llpvm_changes",
+ "release_avf_enable_remote_attestation",
+ ],
+ properties: ["srcs"],
+}
+
+avf_flag_aware_genrule {
+ name: "virtualizationservice_rc_combined",
+ srcs: ["virtualizationservice.rc.base"],
+ soong_config_variables: {
+ release_avf_enable_llpvm_changes: {
+ srcs: ["virtualizationservice.rc.llpvm"],
+ },
+ release_avf_enable_remote_attestation: {
+ srcs: ["virtualizationservice.rc.ra"],
+ },
+ },
+ out: ["virtualizationservice.rc"],
+ cmd: "cat $(in) > $(out)",
}
prebuilt_etc {
- name: "com.android.virt.init_attestation_enabled.rc",
- src: "virtualizationservice_attestation_enabled.rc",
+ name: "com.android.virt.init.rc",
+ src: ":virtualizationservice_rc_combined",
filename: "virtualizationservice.rc",
installable: false,
}
diff --git a/apex/virtualizationservice.rc b/apex/virtualizationservice.rc.base
similarity index 99%
rename from apex/virtualizationservice.rc
rename to apex/virtualizationservice.rc.base
index 02b2081..688db10 100644
--- a/apex/virtualizationservice.rc
+++ b/apex/virtualizationservice.rc.base
@@ -16,6 +16,6 @@
class main
user system
group system
- interface aidl android.system.virtualizationservice
disabled
oneshot
+ interface aidl android.system.virtualizationservice
diff --git a/apex/virtualizationservice.rc.llpvm b/apex/virtualizationservice.rc.llpvm
new file mode 100644
index 0000000..916d508
--- /dev/null
+++ b/apex/virtualizationservice.rc.llpvm
@@ -0,0 +1 @@
+ interface aidl android.system.virtualizationmaintenance
diff --git a/apex/virtualizationservice.rc.ra b/apex/virtualizationservice.rc.ra
new file mode 100644
index 0000000..3554259
--- /dev/null
+++ b/apex/virtualizationservice.rc.ra
@@ -0,0 +1 @@
+ interface aidl android.hardware.security.keymint.IRemotelyProvisionedComponent/avf
diff --git a/apex/virtualizationservice_attestation_enabled.rc b/apex/virtualizationservice_attestation_enabled.rc
deleted file mode 100644
index 8eaccae..0000000
--- a/apex/virtualizationservice_attestation_enabled.rc
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright (C) 2021 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-service virtualizationservice /apex/com.android.virt/bin/virtualizationservice
- class main
- user system
- group system
- interface aidl android.system.virtualizationservice
- interface aidl android.hardware.security.keymint.IRemotelyProvisionedComponent/avf
- disabled
- oneshot
diff --git a/authfs/Android.bp b/authfs/Android.bp
index 8ac600d..e04d5e1 100644
--- a/authfs/Android.bp
+++ b/authfs/Android.bp
@@ -73,6 +73,7 @@
tools: [
"fsverity_manifest_generator",
"fsverity",
+ "soong_zip",
],
srcs: [
"testdata/input.4k",
@@ -85,13 +86,11 @@
* to load a generated fsverity manifest for the test input files into the
* test VM.
*/
- cmd: "out_dir=$$(dirname $(out))" +
- "&& assets_dir=\"assets\" " +
- "&& mkdir -p $$out_dir/$$assets_dir" +
+ cmd: "mkdir -p $(genDir)/assets" +
"&& $(location fsverity_manifest_generator) " +
" --fsverity-path $(location fsverity) " +
" --base-dir $$(dirname $(in) | head -1) " +
- " --output $$out_dir/$$assets_dir/input_manifest.pb " +
+ " --output $(genDir)/assets/input_manifest.pb " +
" $(in) " +
- "&& jar cf $(out) -C $$out_dir $$assets_dir",
+ "&& $(location soong_zip) -jar -o $(out) -C $(genDir) -D $(genDir)/assets",
}
diff --git a/authfs/tests/benchmarks/Android.bp b/authfs/tests/benchmarks/Android.bp
index 93ba41a..27a6af1 100644
--- a/authfs/tests/benchmarks/Android.bp
+++ b/authfs/tests/benchmarks/Android.bp
@@ -46,9 +46,8 @@
srcs: [
":measure_io",
],
- cmd: "out_dir=$$(dirname $(out))" +
- "&& bin_dir=\"bin\" " +
- "&& mkdir -p $$out_dir/$$bin_dir" +
- "&& cp $(in) $$out_dir/$$bin_dir" +
- "&& jar cf $(out) -C $$out_dir $$bin_dir",
+ tools: ["soong_zip"],
+ cmd: "mkdir -p $(genDir)/bin" +
+ "&& cp $(in) $(genDir)/bin" +
+ "&& $(location soong_zip) -jar -o $(out) -C $(genDir) -D $(genDir)/bin",
}
diff --git a/compos/common/compos_client.rs b/compos/common/compos_client.rs
index a8a176a..abaa74c 100644
--- a/compos/common/compos_client.rs
+++ b/compos/common/compos_client.rs
@@ -62,8 +62,6 @@
pub debug_mode: bool,
/// CPU topology of the VM. Defaults to 1 vCPU.
pub cpu_topology: VmCpuTopology,
- /// List of task profiles to apply to the VM
- pub task_profiles: Vec<String>,
/// If present, overrides the amount of RAM to give the VM
pub memory_mib: Option<i32>,
/// Whether the VM prefers staged APEXes or activated ones (false; default)
@@ -131,10 +129,7 @@
protectedVm: protected_vm,
memoryMib: parameters.memory_mib.unwrap_or(0), // 0 means use the default
cpuTopology: cpu_topology,
- customConfig: Some(CustomConfig {
- taskProfiles: parameters.task_profiles.clone(),
- ..Default::default()
- }),
+ customConfig: Some(CustomConfig { ..Default::default() }),
});
// Let logs go to logcat.
@@ -144,7 +139,7 @@
service,
&config,
console_fd,
- /*console_in_fd */ None,
+ /* console_in_fd */ None,
log_fd,
Some(callback),
)
diff --git a/compos/composd/Android.bp b/compos/composd/Android.bp
index b0294dd..75f0c4f 100644
--- a/compos/composd/Android.bp
+++ b/compos/composd/Android.bp
@@ -7,6 +7,7 @@
srcs: ["src/composd_main.rs"],
edition: "2021",
prefer_rlib: true,
+ defaults: ["avf_build_flags_rust"],
rustlibs: [
"android.system.composd-rust",
"android.system.virtualizationservice-rust",
diff --git a/compos/composd/src/instance_manager.rs b/compos/composd/src/instance_manager.rs
index 510ad11..9e94035 100644
--- a/compos/composd/src/instance_manager.rs
+++ b/compos/composd/src/instance_manager.rs
@@ -82,9 +82,8 @@
// a system property. Start the VM with all CPUs and assume the guest will start a suitable
// number of dex2oat threads.
let cpu_topology = VmCpuTopology::MatchHost;
- let task_profiles = vec!["SCHED_SP_COMPUTE".to_string()];
let memory_mib = Some(compos_memory_mib()?);
- Ok(VmParameters { cpu_topology, task_profiles, memory_mib, ..Default::default() })
+ Ok(VmParameters { cpu_topology, memory_mib, ..Default::default() })
}
fn compos_memory_mib() -> Result<i32> {
diff --git a/docs/abl.md b/docs/abl.md
new file mode 100644
index 0000000..b08464e
--- /dev/null
+++ b/docs/abl.md
@@ -0,0 +1,53 @@
+# Android Bootloader (ABL)
+
+[ABL](https://source.android.com/docs/core/architecture/bootloader) is not a component of AVF, but
+it plays a crucial role in loading the necessary AVF components and initializing them in a correct
+way. This doc explains the responsibilities of ABL from the perspective of AVF.
+
+## pVM firmware (pvmfw)
+
+ABL is responsible for the followings:
+
+* locating pvmfw binary from the pvmfw partition,
+* verifying it as part of the [verified
+ boot](https://source.android.com/docs/security/features/verifiedboot) process,
+* loading it into memory, and
+* describing the region where pvmfw is loaded using DT and passing it to hypervisor.
+
+See [ABL Support](../pvmfw/README.md#android-bootloader-abl_support) for more detail.
+
+ABL is also responsible for constructing the pvmfw configuration data. The data consists of the
+following info:
+
+* DICE chain (also known as BCC Handover)
+* DTBO describing [debug policy](debug/README.md#debug-policy) (if available)
+* DTBO describing [assignable devices](device_assignment.md) (if available)
+* Reference DT carrying extra information that needs to be passed to the guest VM
+
+See [Configuration Data](../pvmfw/README.md#configuration-data) for more detail.
+
+## Android
+
+ABL is responsible for setting the following bootconfigs describing the status and capabilities of
+the hypervisor.
+
+* `androidboot.hypervisor.version`: free-form description of the hypervisor
+* `androidboot.hypervisor.vm.supported`: whether traditional VMs (i.e. non-protected VMS) are
+ supported or not
+* `androidboot.hypervisor.protected_vm.supported`: whether protected VMs are supported or not
+
+Thee bootconfigs are converted into system properties by the init process.
+
+See
+[HypervisorProperties.prop](https://android.googlesource.com/platform/system/libsysprop/+/refs/heads/main/srcs/android/sysprop/HypervisorProperties.sysprop)
+for more detail.
+
+
+
+
+
+
+
+
+
+
diff --git a/docs/updatable_vm.md b/docs/updatable_vm.md
new file mode 100644
index 0000000..de5552e
--- /dev/null
+++ b/docs/updatable_vm.md
@@ -0,0 +1,3 @@
+# Updatable VM
+
+(To be filled)
diff --git a/docs/vm_remote_attestation.md b/docs/vm_remote_attestation.md
new file mode 100644
index 0000000..093418b
--- /dev/null
+++ b/docs/vm_remote_attestation.md
@@ -0,0 +1,3 @@
+# VM Remote Attestation
+
+(To be filled)
diff --git a/java/Android.bp b/java/Android.bp
new file mode 100644
index 0000000..1c55f78
--- /dev/null
+++ b/java/Android.bp
@@ -0,0 +1,24 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+soong_config_module_type {
+ name: "avf_flag_aware_android_app",
+ module_type: "android_app",
+ config_namespace: "ANDROID",
+ bool_variables: ["release_avf_allow_preinstalled_apps"],
+ properties: ["manifest"],
+}
+
+// Defines our permissions
+avf_flag_aware_android_app {
+ name: "android.system.virtualmachine.res",
+ installable: true,
+ apex_available: ["com.android.virt"],
+ platform_apis: true,
+ soong_config_variables: {
+ release_avf_allow_preinstalled_apps: {
+ manifest: "AndroidManifestNext.xml",
+ },
+ },
+}
diff --git a/javalib/AndroidManifest.xml b/java/AndroidManifest.xml
similarity index 100%
rename from javalib/AndroidManifest.xml
rename to java/AndroidManifest.xml
diff --git a/javalib/AndroidManifestNext.xml b/java/AndroidManifestNext.xml
similarity index 100%
rename from javalib/AndroidManifestNext.xml
rename to java/AndroidManifestNext.xml
diff --git a/javalib/Android.bp b/java/framework/Android.bp
similarity index 67%
rename from javalib/Android.bp
rename to java/framework/Android.bp
index a7c531e..32b2aee 100644
--- a/javalib/Android.bp
+++ b/java/framework/Android.bp
@@ -2,27 +2,6 @@
default_applicable_licenses: ["Android-Apache-2.0"],
}
-soong_config_module_type {
- name: "avf_flag_aware_android_app",
- module_type: "android_app",
- config_namespace: "ANDROID",
- bool_variables: ["release_avf_allow_preinstalled_apps"],
- properties: ["manifest"],
-}
-
-// Defines our permissions
-avf_flag_aware_android_app {
- name: "android.system.virtualmachine.res",
- installable: true,
- apex_available: ["com.android.virt"],
- platform_apis: true,
- soong_config_variables: {
- release_avf_allow_preinstalled_apps: {
- manifest: "AndroidManifestNext.xml",
- },
- },
-}
-
java_sdk_library {
name: "framework-virtualization",
diff --git a/javalib/README.md b/java/framework/README.md
similarity index 100%
rename from javalib/README.md
rename to java/framework/README.md
diff --git a/javalib/api/current.txt b/java/framework/api/current.txt
similarity index 100%
rename from javalib/api/current.txt
rename to java/framework/api/current.txt
diff --git a/javalib/api/module-lib-current.txt b/java/framework/api/module-lib-current.txt
similarity index 100%
rename from javalib/api/module-lib-current.txt
rename to java/framework/api/module-lib-current.txt
diff --git a/javalib/api/module-lib-removed.txt b/java/framework/api/module-lib-removed.txt
similarity index 100%
rename from javalib/api/module-lib-removed.txt
rename to java/framework/api/module-lib-removed.txt
diff --git a/javalib/api/removed.txt b/java/framework/api/removed.txt
similarity index 100%
rename from javalib/api/removed.txt
rename to java/framework/api/removed.txt
diff --git a/javalib/api/system-current.txt b/java/framework/api/system-current.txt
similarity index 100%
rename from javalib/api/system-current.txt
rename to java/framework/api/system-current.txt
diff --git a/javalib/api/system-removed.txt b/java/framework/api/system-removed.txt
similarity index 100%
rename from javalib/api/system-removed.txt
rename to java/framework/api/system-removed.txt
diff --git a/javalib/api/test-current.txt b/java/framework/api/test-current.txt
similarity index 89%
rename from javalib/api/test-current.txt
rename to java/framework/api/test-current.txt
index 0a988d8..3cd8e42 100644
--- a/javalib/api/test-current.txt
+++ b/java/framework/api/test-current.txt
@@ -16,7 +16,7 @@
public static final class VirtualMachineConfig.Builder {
method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull public android.system.virtualmachine.VirtualMachineConfig.Builder addExtraApk(@NonNull String);
- method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull public android.system.virtualmachine.VirtualMachineConfig.Builder setOs(@NonNull String);
+ method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setOs(@NonNull String);
method @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setPayloadConfigPath(@NonNull String);
method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setVendorDiskImage(@NonNull java.io.File);
method @NonNull public android.system.virtualmachine.VirtualMachineConfig.Builder setVmConsoleInputSupported(boolean);
@@ -26,6 +26,7 @@
method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull public java.util.List<java.lang.String> getSupportedOSList() throws android.system.virtualmachine.VirtualMachineException;
method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @RequiresPermission(android.system.virtualmachine.VirtualMachine.MANAGE_VIRTUAL_MACHINE_PERMISSION) public boolean isFeatureEnabled(String) throws android.system.virtualmachine.VirtualMachineException;
field @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") public static final String FEATURE_DICE_CHANGES = "com.android.kvm.DICE_CHANGES";
+ field @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") public static final String FEATURE_LLPVM_CHANGES = "com.android.kvm.LLPVM_CHANGES";
field @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") public static final String FEATURE_MULTI_TENANT = "com.android.kvm.MULTI_TENANT";
field @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") public static final String FEATURE_REMOTE_ATTESTATION = "com.android.kvm.REMOTE_ATTESTATION";
field @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") public static final String FEATURE_VENDOR_MODULES = "com.android.kvm.VENDOR_MODULES";
diff --git a/javalib/api/test-removed.txt b/java/framework/api/test-removed.txt
similarity index 100%
rename from javalib/api/test-removed.txt
rename to java/framework/api/test-removed.txt
diff --git a/javalib/jarjar-rules.txt b/java/framework/jarjar-rules.txt
similarity index 100%
rename from javalib/jarjar-rules.txt
rename to java/framework/jarjar-rules.txt
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachine.java b/java/framework/src/android/system/virtualmachine/VirtualMachine.java
similarity index 100%
rename from javalib/src/android/system/virtualmachine/VirtualMachine.java
rename to java/framework/src/android/system/virtualmachine/VirtualMachine.java
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineCallback.java b/java/framework/src/android/system/virtualmachine/VirtualMachineCallback.java
similarity index 100%
rename from javalib/src/android/system/virtualmachine/VirtualMachineCallback.java
rename to java/framework/src/android/system/virtualmachine/VirtualMachineCallback.java
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java b/java/framework/src/android/system/virtualmachine/VirtualMachineConfig.java
similarity index 99%
rename from javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
rename to java/framework/src/android/system/virtualmachine/VirtualMachineConfig.java
index 19e663f..693a7d7 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
+++ b/java/framework/src/android/system/virtualmachine/VirtualMachineConfig.java
@@ -530,6 +530,7 @@
&& this.mEncryptedStorageBytes == other.mEncryptedStorageBytes
&& this.mVmOutputCaptured == other.mVmOutputCaptured
&& this.mVmConsoleInputSupported == other.mVmConsoleInputSupported
+ && (this.mVendorDiskImage == null) == (other.mVendorDiskImage == null)
&& Objects.equals(this.mPayloadConfigPath, other.mPayloadConfigPath)
&& Objects.equals(this.mPayloadBinaryName, other.mPayloadBinaryName)
&& Objects.equals(this.mPackageName, other.mPackageName)
@@ -587,7 +588,6 @@
if (mVendorDiskImage != null) {
VirtualMachineAppConfig.CustomConfig customConfig =
new VirtualMachineAppConfig.CustomConfig();
- customConfig.taskProfiles = EMPTY_STRING_ARRAY;
customConfig.devices = EMPTY_STRING_ARRAY;
try {
customConfig.vendorImage =
@@ -1023,6 +1023,7 @@
*/
@TestApi
@FlaggedApi(Flags.FLAG_AVF_V_TEST_APIS)
+ @RequiresPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION)
@NonNull
public Builder setOs(@NonNull String os) {
mOs = requireNonNull(os, "os must not be null");
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineDescriptor.java b/java/framework/src/android/system/virtualmachine/VirtualMachineDescriptor.java
similarity index 100%
rename from javalib/src/android/system/virtualmachine/VirtualMachineDescriptor.java
rename to java/framework/src/android/system/virtualmachine/VirtualMachineDescriptor.java
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineException.java b/java/framework/src/android/system/virtualmachine/VirtualMachineException.java
similarity index 100%
rename from javalib/src/android/system/virtualmachine/VirtualMachineException.java
rename to java/framework/src/android/system/virtualmachine/VirtualMachineException.java
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineManager.java b/java/framework/src/android/system/virtualmachine/VirtualMachineManager.java
similarity index 97%
rename from javalib/src/android/system/virtualmachine/VirtualMachineManager.java
rename to java/framework/src/android/system/virtualmachine/VirtualMachineManager.java
index f263b32..5020ff0 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachineManager.java
+++ b/java/framework/src/android/system/virtualmachine/VirtualMachineManager.java
@@ -119,9 +119,10 @@
prefix = "FEATURE_",
value = {
FEATURE_DICE_CHANGES,
+ FEATURE_LLPVM_CHANGES,
FEATURE_MULTI_TENANT,
FEATURE_REMOTE_ATTESTATION,
- FEATURE_VENDOR_MODULES
+ FEATURE_VENDOR_MODULES,
})
public @interface Features {}
@@ -164,6 +165,15 @@
IVirtualizationService.FEATURE_VENDOR_MODULES;
/**
+ * Feature to enable Secretkeeper protected secrets in Microdroid based pVMs.
+ *
+ * @hide
+ */
+ @TestApi
+ @FlaggedApi(Flags.FLAG_AVF_V_TEST_APIS)
+ public static final String FEATURE_LLPVM_CHANGES = IVirtualizationService.FEATURE_LLPVM_CHANGES;
+
+ /**
* Returns a set of flags indicating what this implementation of virtualization is capable of.
*
* @see #CAPABILITY_PROTECTED_VM
diff --git a/javalib/src/android/system/virtualmachine/VirtualizationFrameworkInitializer.java b/java/framework/src/android/system/virtualmachine/VirtualizationFrameworkInitializer.java
similarity index 100%
rename from javalib/src/android/system/virtualmachine/VirtualizationFrameworkInitializer.java
rename to java/framework/src/android/system/virtualmachine/VirtualizationFrameworkInitializer.java
diff --git a/javalib/src/android/system/virtualmachine/VirtualizationService.java b/java/framework/src/android/system/virtualmachine/VirtualizationService.java
similarity index 100%
rename from javalib/src/android/system/virtualmachine/VirtualizationService.java
rename to java/framework/src/android/system/virtualmachine/VirtualizationService.java
diff --git a/javalib/jni/Android.bp b/java/jni/Android.bp
similarity index 100%
rename from javalib/jni/Android.bp
rename to java/jni/Android.bp
diff --git a/javalib/jni/android_system_virtualmachine_VirtualMachine.cpp b/java/jni/android_system_virtualmachine_VirtualMachine.cpp
similarity index 100%
rename from javalib/jni/android_system_virtualmachine_VirtualMachine.cpp
rename to java/jni/android_system_virtualmachine_VirtualMachine.cpp
diff --git a/javalib/jni/android_system_virtualmachine_VirtualizationService.cpp b/java/jni/android_system_virtualmachine_VirtualizationService.cpp
similarity index 100%
rename from javalib/jni/android_system_virtualmachine_VirtualizationService.cpp
rename to java/jni/android_system_virtualmachine_VirtualizationService.cpp
diff --git a/javalib/jni/common.h b/java/jni/common.h
similarity index 100%
rename from javalib/jni/common.h
rename to java/jni/common.h
diff --git a/javalib/service/Android.bp b/java/service/Android.bp
similarity index 86%
rename from javalib/service/Android.bp
rename to java/service/Android.bp
index 9c1fa01..fdfb203 100644
--- a/javalib/service/Android.bp
+++ b/java/service/Android.bp
@@ -23,8 +23,13 @@
],
defaults: [
"framework-system-server-module-defaults",
+ "platform_service_defaults",
],
- sdk_version: "system_server_current",
+ libs: [
+ "framework",
+ "services.core",
+ ],
+ sdk_version: "core_platform",
apex_available: ["com.android.virt"],
installable: true,
}
diff --git a/javalib/service/src/com/android/system/virtualmachine/VirtualizationSystemService.java b/java/service/src/com/android/system/virtualmachine/VirtualizationSystemService.java
similarity index 100%
rename from javalib/service/src/com/android/system/virtualmachine/VirtualizationSystemService.java
rename to java/service/src/com/android/system/virtualmachine/VirtualizationSystemService.java
diff --git a/libs/avf_features/Android.bp b/libs/avf_features/Android.bp
new file mode 100644
index 0000000..71f33db
--- /dev/null
+++ b/libs/avf_features/Android.bp
@@ -0,0 +1,26 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+rust_defaults {
+ name: "libavf_features.defaults",
+ crate_name: "avf_features",
+ defaults: ["avf_build_flags_rust"],
+ srcs: ["src/lib.rs"],
+ edition: "2021",
+ prefer_rlib: true,
+ rustlibs: [
+ "android.system.virtualizationservice-rust",
+ "libanyhow",
+ "liblog_rust",
+ ],
+}
+
+rust_library {
+ name: "libavf_features",
+ defaults: ["libavf_features.defaults"],
+ apex_available: [
+ "//apex_available:platform",
+ "com.android.virt",
+ ],
+}
diff --git a/libs/avf_features/src/lib.rs b/libs/avf_features/src/lib.rs
new file mode 100644
index 0000000..c0faab0
--- /dev/null
+++ b/libs/avf_features/src/lib.rs
@@ -0,0 +1,38 @@
+// Copyright 2024, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Provide functionality for handling AVF build-time feature flags.
+
+use android_system_virtualizationservice::aidl::android::system::virtualizationservice::{
+ IVirtualizationService::FEATURE_DICE_CHANGES, IVirtualizationService::FEATURE_LLPVM_CHANGES,
+ IVirtualizationService::FEATURE_MULTI_TENANT,
+ IVirtualizationService::FEATURE_REMOTE_ATTESTATION,
+ IVirtualizationService::FEATURE_VENDOR_MODULES,
+};
+use log::warn;
+
+/// Check if an AVF feature is enabled.
+pub fn is_feature_enabled(feature: &str) -> bool {
+ match feature {
+ FEATURE_DICE_CHANGES => cfg!(dice_changes),
+ FEATURE_LLPVM_CHANGES => cfg!(llpvm_changes),
+ FEATURE_MULTI_TENANT => cfg!(multi_tenant),
+ FEATURE_REMOTE_ATTESTATION => cfg!(remote_attestation),
+ FEATURE_VENDOR_MODULES => cfg!(vendor_modules),
+ _ => {
+ warn!("unknown feature {feature}");
+ false
+ }
+ }
+}
diff --git a/libs/libfdt/src/iterators.rs b/libs/libfdt/src/iterators.rs
index cb7afda..743c52b 100644
--- a/libs/libfdt/src/iterators.rs
+++ b/libs/libfdt/src/iterators.rs
@@ -33,7 +33,7 @@
impl<'a> CompatibleIterator<'a> {
pub(crate) fn new(fdt: &'a Fdt, compatible: &'a CStr) -> Result<Self, FdtError> {
- let node = fdt.root()?;
+ let node = fdt.root();
Ok(Self { node, compatible })
}
}
diff --git a/libs/libfdt/src/lib.rs b/libs/libfdt/src/lib.rs
index 3339262..8ea9cd9 100644
--- a/libs/libfdt/src/lib.rs
+++ b/libs/libfdt/src/lib.rs
@@ -478,14 +478,38 @@
self.delete_and_next(next_offset)
}
- /// Returns the next node
+ /// Returns the next node. Use this API to travel descendant of a node.
+ ///
+ /// Returned depth is relative to the initial node that had called with any of next node APIs.
+ /// Returns None if end of FDT reached or depth becomes negative.
+ ///
+ /// See also: [`next_node_skip_subnodes`], and [`delete_and_next_node`]
pub fn next_node(self, depth: usize) -> Result<Option<(Self, usize)>> {
let next = self.fdt.next_node(self.offset, depth)?;
Ok(next.map(|(offset, depth)| (Self { fdt: self.fdt, offset }, depth)))
}
- /// Deletes this and returns the next node
+ /// Returns the next node skipping subnodes. Use this API to travel descendants of a node while
+ /// ignoring certain node.
+ ///
+ /// Returned depth is relative to the initial node that had called with any of next node APIs.
+ /// Returns None if end of FDT reached or depth becomes negative.
+ ///
+ /// See also: [`next_node`], and [`delete_and_next_node`]
+ pub fn next_node_skip_subnodes(self, depth: usize) -> Result<Option<(Self, usize)>> {
+ let next = self.fdt.next_node_skip_subnodes(self.offset, depth)?;
+
+ Ok(next.map(|(offset, depth)| (Self { fdt: self.fdt, offset }, depth)))
+ }
+
+ /// Deletes this and returns the next node. Use this API to travel descendants of a node while
+ /// removing certain node.
+ ///
+ /// Returned depth is relative to the initial node that had called with any of next node APIs.
+ /// Returns None if end of FDT reached or depth becomes negative.
+ ///
+ /// See also: [`next_node`], and [`next_node_skip_subnodes`]
pub fn delete_and_next_node(self, depth: usize) -> Result<Option<(Self, usize)>> {
let next_node = self.fdt.next_node_skip_subnodes(self.offset, depth)?;
if let Some((offset, depth)) = next_node {
@@ -669,7 +693,7 @@
///
/// NOTE: This does not support individual "/memory@XXXX" banks.
pub fn memory(&self) -> Result<MemRegIterator> {
- let node = self.root()?.subnode(cstr!("memory"))?.ok_or(FdtError::NotFound)?;
+ let node = self.root().subnode(cstr!("memory"))?.ok_or(FdtError::NotFound)?;
if node.device_type()? != Some(cstr!("memory")) {
return Err(FdtError::BadValue);
}
@@ -683,7 +707,7 @@
/// Returns the standard /chosen node.
pub fn chosen(&self) -> Result<Option<FdtNode>> {
- self.root()?.subnode(cstr!("chosen"))
+ self.root().subnode(cstr!("chosen"))
}
/// Returns the standard /chosen node as mutable.
@@ -692,13 +716,13 @@
}
/// Returns the root node of the tree.
- pub fn root(&self) -> Result<FdtNode> {
- Ok(FdtNode { fdt: self, offset: NodeOffset::ROOT })
+ pub fn root(&self) -> FdtNode {
+ FdtNode { fdt: self, offset: NodeOffset::ROOT }
}
/// Returns the standard /__symbols__ node.
pub fn symbols(&self) -> Result<Option<FdtNode>> {
- self.root()?.subnode(cstr!("__symbols__"))
+ self.root().subnode(cstr!("__symbols__"))
}
/// Returns the standard /__symbols__ node as mutable
@@ -738,8 +762,8 @@
}
/// Returns the mutable root node of the tree.
- pub fn root_mut(&mut self) -> Result<FdtNodeMut> {
- Ok(FdtNodeMut { fdt: self, offset: NodeOffset::ROOT })
+ pub fn root_mut(&mut self) -> FdtNodeMut {
+ FdtNodeMut { fdt: self, offset: NodeOffset::ROOT }
}
/// Returns a mutable tree node by its full path.
diff --git a/libs/libfdt/tests/api_test.rs b/libs/libfdt/tests/api_test.rs
index 8f5b76d..f521a00 100644
--- a/libs/libfdt/tests/api_test.rs
+++ b/libs/libfdt/tests/api_test.rs
@@ -81,7 +81,7 @@
let data = fs::read(TEST_TREE_WITH_NO_MEMORY_NODE_PATH).unwrap();
let fdt = Fdt::from_slice(&data).unwrap();
- let root = fdt.root().unwrap();
+ let root = fdt.root();
assert_eq!(root.name(), Ok(cstr!("")));
let chosen = fdt.chosen().unwrap().unwrap();
@@ -96,7 +96,7 @@
fn node_subnodes() {
let data = fs::read(TEST_TREE_WITH_NO_MEMORY_NODE_PATH).unwrap();
let fdt = Fdt::from_slice(&data).unwrap();
- let root = fdt.root().unwrap();
+ let root = fdt.root();
let expected = [Ok(cstr!("cpus")), Ok(cstr!("randomnode")), Ok(cstr!("chosen"))];
let root_subnodes = root.subnodes().unwrap();
@@ -108,7 +108,7 @@
fn node_properties() {
let data = fs::read(TEST_TREE_WITH_NO_MEMORY_NODE_PATH).unwrap();
let fdt = Fdt::from_slice(&data).unwrap();
- let root = fdt.root().unwrap();
+ let root = fdt.root();
let one_be = 0x1_u32.to_be_bytes();
type Result<T> = core::result::Result<T, FdtError>;
let expected: Vec<(Result<&CStr>, Result<&[u8]>)> = vec![
@@ -290,7 +290,7 @@
let fdt = Fdt::from_slice(&data).unwrap();
let name = cstr!("node_a");
- let root = fdt.root().unwrap();
+ let root = fdt.root();
let node = root.subnode(name).unwrap();
assert_ne!(None, node);
let node = node.unwrap();
@@ -304,7 +304,7 @@
let fdt = Fdt::from_slice(&data).unwrap();
let name = b"node_aaaaa";
- let root = fdt.root().unwrap();
+ let root = fdt.root();
let node = root.subnode_with_name_bytes(&name[0..6]).unwrap();
assert_ne!(None, node);
let node = node.unwrap();
@@ -319,7 +319,7 @@
let name = cstr!("node_a");
let node = {
- let root = fdt.root().unwrap();
+ let root = fdt.root();
root.subnode(name).unwrap().unwrap()
};
@@ -378,7 +378,7 @@
let mut data = fs::read(TEST_TREE_PHANDLE_PATH).unwrap();
let fdt = Fdt::from_mut_slice(&mut data).unwrap();
- let root = fdt.root_mut().unwrap();
+ let root = fdt.root_mut();
let mut subnode_iter = root.first_subnode().unwrap();
while let Some(subnode) = subnode_iter {
@@ -389,7 +389,7 @@
}
}
- let root = fdt.root().unwrap();
+ let root = fdt.root();
let expected_names = vec![
Ok(cstr!("node_a")),
Ok(cstr!("node_b")),
@@ -416,7 +416,7 @@
];
let mut expected_nodes_iter = expected_nodes.iter();
- let mut iter = fdt.root_mut().unwrap().next_node(0).unwrap();
+ let mut iter = fdt.root_mut().next_node(0).unwrap();
while let Some((node, depth)) = iter {
let node_name = node.as_node().name();
if node_name == Ok(cstr!("node_a")) || node_name == Ok(cstr!("node_zz")) {
@@ -431,7 +431,7 @@
}
assert_eq!(None, expected_nodes_iter.next());
- let root = fdt.root().unwrap();
+ let root = fdt.root();
let all_descendants: Vec<_> =
root.descendants().map(|(node, depth)| (node.name(), depth)).collect();
assert_eq!(expected_nodes, all_descendants);
@@ -442,12 +442,12 @@
let mut data = fs::read(TEST_TREE_WITH_EMPTY_MEMORY_RANGE_PATH).unwrap();
let fdt = Fdt::from_mut_slice(&mut data).unwrap();
- let mut iter = fdt.root_mut().unwrap().next_node(0).unwrap();
+ let mut iter = fdt.root_mut().next_node(0).unwrap();
while let Some((node, depth)) = iter {
iter = node.delete_and_next_node(depth).unwrap();
}
- let root = fdt.root().unwrap();
+ let root = fdt.root();
let all_descendants: Vec<_> =
root.descendants().map(|(node, depth)| (node.name(), depth)).collect();
assert!(all_descendants.is_empty(), "{all_descendants:?}");
@@ -460,7 +460,7 @@
let fdt = Fdt::from_slice(&data).unwrap();
let name = {
- let root = fdt.root().unwrap();
+ let root = fdt.root();
root.name()
// Make root to be dropped
};
@@ -472,12 +472,12 @@
let mut data = vec![0_u8; 1000];
let fdt = Fdt::create_empty_tree(&mut data).unwrap();
- let root = fdt.root_mut().unwrap();
+ let root = fdt.root_mut();
let names = [cstr!("a"), cstr!("b")];
root.add_subnodes(&names).unwrap();
let expected: HashSet<_> = names.into_iter().collect();
- let subnodes = fdt.root().unwrap().subnodes().unwrap();
+ let subnodes = fdt.root().subnodes().unwrap();
let names: HashSet<_> = subnodes.map(|node| node.name().unwrap()).collect();
assert_eq!(expected, names);
@@ -491,7 +491,7 @@
let name = {
let node_a = {
- let root = fdt.root().unwrap();
+ let root = fdt.root();
root.subnode(cstr!("node_a")).unwrap()
// Make root to be dropped
};
@@ -511,7 +511,7 @@
let first_subnode_name = {
let first_subnode = {
let mut subnodes_iter = {
- let root = fdt.root().unwrap();
+ let root = fdt.root();
root.subnodes().unwrap()
// Make root to be dropped
};
@@ -533,7 +533,7 @@
let first_descendant_name = {
let (first_descendant, _) = {
let mut descendants_iter = {
- let root = fdt.root().unwrap();
+ let root = fdt.root();
root.descendants()
// Make root to be dropped
};
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 4aaa793..36688fc 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -599,3 +599,37 @@
defaults: ["microdroid_initrd_debug_defaults"],
src: ":microdroid_gki-android14-6.1_initrd_debuggable",
}
+
+python_binary_host {
+ name: "extract_microdroid_kernel_hashes",
+ srcs: ["extract_microdroid_kernel_hashes.py"],
+}
+
+genrule {
+ name: "microdroid_kernel_hashes_rs",
+ srcs: [
+ ":microdroid_kernel",
+ ":microdroid_gki-android14-6.1_kernel",
+ ],
+ out: ["lib.rs"],
+ tools: [
+ "extract_microdroid_kernel_hashes",
+ "avbtool",
+ ],
+ cmd: "$(location extract_microdroid_kernel_hashes) --avbtool $(location avbtool) " +
+ "--kernel $(location :microdroid_kernel) " +
+ "$(location :microdroid_gki-android14-6.1_kernel) " +
+ "> $(out)",
+}
+
+rust_library_rlib {
+ name: "libmicrodroid_kernel_hashes",
+ srcs: [":microdroid_kernel_hashes_rs"],
+ crate_name: "microdroid_kernel_hashes",
+ prefer_rlib: true,
+ no_stdlibs: true,
+ stdlibs: [
+ "libcompiler_builtins.rust_sysroot",
+ "libcore.rust_sysroot",
+ ],
+}
diff --git a/microdroid/extract_microdroid_kernel_hashes.py b/microdroid/extract_microdroid_kernel_hashes.py
new file mode 100644
index 0000000..f2c6ae7
--- /dev/null
+++ b/microdroid/extract_microdroid_kernel_hashes.py
@@ -0,0 +1,104 @@
+"""Extracts the following hashes from the AVB footer of Microdroid's kernel:
+
+- kernel hash
+- initrd_normal hash
+- initrd_debug hash
+
+The hashes are written to stdout as a Rust file.
+
+In unsupportive environments such as x86, when the kernel is just an empty file,
+the output Rust file has the same hash constant fields for compatibility
+reasons, but all of them are empty.
+"""
+#!/usr/bin/env python3
+
+import argparse
+from collections import defaultdict
+import subprocess
+from typing import Dict
+
+PARTITION_NAME_BOOT = 'boot'
+PARTITION_NAME_INITRD_NORMAL = 'initrd_normal'
+PARTITION_NAME_INITRD_DEBUG = 'initrd_debug'
+HASH_SIZE = 32
+
+def main(args):
+ """Main function."""
+ avbtool = args.avbtool
+ num_kernel_images = len(args.kernel)
+
+ print("//! This file is generated by extract_microdroid_kernel_hashes.py.")
+ print("//! It contains the hashes of the kernel and initrds.\n")
+ print("#![no_std]\n#![allow(missing_docs)]\n")
+
+ print("pub const HASH_SIZE: usize = " + str(HASH_SIZE) + ";\n")
+ print("pub struct OsHashes {")
+ print(" pub kernel: [u8; HASH_SIZE],")
+ print(" pub initrd_normal: [u8; HASH_SIZE],")
+ print(" pub initrd_debug: [u8; HASH_SIZE],")
+ print("}\n")
+
+ hashes = defaultdict(list)
+ for kernel_image_path in args.kernel:
+ collected_hashes = collect_hashes(avbtool, kernel_image_path)
+
+ if collected_hashes.keys() == {PARTITION_NAME_BOOT,
+ PARTITION_NAME_INITRD_NORMAL,
+ PARTITION_NAME_INITRD_DEBUG}:
+ for partition_name, v in collected_hashes.items():
+ hashes[partition_name].append(v)
+ else:
+ # Microdroid's kernel is just an empty file in unsupportive
+ # environments such as x86, in this case the hashes should be empty.
+ print("/// The kernel is empty, no hashes are available.")
+ hashes[PARTITION_NAME_BOOT].append("")
+ hashes[PARTITION_NAME_INITRD_NORMAL].append("")
+ hashes[PARTITION_NAME_INITRD_DEBUG].append("")
+
+ print("pub const OS_HASHES: [OsHashes; " + str(num_kernel_images) + "] = [")
+ for i in range(num_kernel_images):
+ print("OsHashes {")
+ print(" kernel: [" +
+ format_hex_string(hashes[PARTITION_NAME_BOOT][i]) + "],")
+ print(" initrd_normal: [" +
+ format_hex_string(hashes[PARTITION_NAME_INITRD_NORMAL][i]) + "],")
+ print(" initrd_debug: [" +
+ format_hex_string(hashes[PARTITION_NAME_INITRD_DEBUG][i]) + "],")
+ print("},")
+ print("];")
+
+def collect_hashes(avbtool: str, kernel_image_path: str) -> Dict[str, str]:
+ """Collects the hashes from the AVB footer of the kernel image."""
+ hashes = {}
+ with subprocess.Popen(
+ [avbtool, 'print_partition_digests', '--image', kernel_image_path],
+ stdout=subprocess.PIPE, stderr=subprocess.STDOUT) as proc:
+ stdout, _ = proc.communicate()
+ for line in stdout.decode("utf-8").split("\n"):
+ line = line.replace(" ", "").split(":")
+ if len(line) == 2:
+ partition_name, hash_ = line
+ hashes[partition_name] = hash_
+ return hashes
+
+def format_hex_string(hex_string: str) -> str:
+ """Formats a hex string into a Rust array."""
+ if not hex_string:
+ return "0x00, " * HASH_SIZE
+ assert len(hex_string) == HASH_SIZE * 2, \
+ "Hex string must have length " + str(HASH_SIZE * 2) + ": " + \
+ hex_string
+ return ", ".join(["\n0x" + hex_string[i:i+2] if i % 32 == 0
+ else "0x" + hex_string[i:i+2]
+ for i in range(0, len(hex_string), 2)])
+
+def parse_args():
+ """Parses the command line arguments."""
+ parser = argparse.ArgumentParser(
+ "Extracts the hashes from the kernels' AVB footer")
+ parser.add_argument('--avbtool', help='Path to the avbtool binary')
+ parser.add_argument('--kernel', help='Path to the kernel image', nargs='+')
+ return parser.parse_args()
+
+if __name__ == '__main__':
+ main(parse_args())
diff --git a/microdroid_manager/src/vm_payload_service.rs b/microdroid_manager/src/vm_payload_service.rs
index 959197a..7f4317b 100644
--- a/microdroid_manager/src/vm_payload_service.rs
+++ b/microdroid_manager/src/vm_payload_service.rs
@@ -73,7 +73,6 @@
challenge: &[u8],
test_mode: bool,
) -> binder::Result<AttestationResult> {
- self.check_restricted_apis_allowed()?;
let ClientVmAttestationData { private_key, csr } =
generate_attestation_key_and_csr(challenge, self.secret.dice_artifacts())
.map_err(|e| {
diff --git a/pvmfw/src/device_assignment.rs b/pvmfw/src/device_assignment.rs
index 54b5a47..2c47f9e 100644
--- a/pvmfw/src/device_assignment.rs
+++ b/pvmfw/src/device_assignment.rs
@@ -294,6 +294,26 @@
.map_or(false, |name| name == b"__overlay__")
}
+fn filter_dangling_symbols(fdt: &mut Fdt) -> Result<()> {
+ if let Some(symbols) = fdt.symbols()? {
+ let mut removed = vec![];
+ for prop in symbols.properties()? {
+ let path = CStr::from_bytes_with_nul(prop.value()?)
+ .map_err(|_| DeviceAssignmentError::Internal)?;
+ if fdt.node(path)?.is_none() {
+ let name = prop.name()?;
+ removed.push(CString::from(name));
+ }
+ }
+
+ let mut symbols = fdt.symbols_mut()?.unwrap();
+ for name in removed {
+ symbols.nop_property(&name)?;
+ }
+ }
+ Ok(())
+}
+
impl AsRef<Fdt> for VmDtbo {
fn as_ref(&self) -> &Fdt {
&self.0
@@ -715,7 +735,7 @@
}
fn patch_pviommus(&self, fdt: &mut Fdt) -> Result<BTreeMap<PvIommu, Phandle>> {
- let mut compatible = fdt.root_mut()?.next_compatible(Self::PVIOMMU_COMPATIBLE)?;
+ let mut compatible = fdt.root_mut().next_compatible(Self::PVIOMMU_COMPATIBLE)?;
let mut pviommu_phandles = BTreeMap::new();
for pviommu in &self.pviommus {
@@ -744,7 +764,8 @@
device.patch(fdt, &pviommu_phandles)?;
}
- Ok(())
+ // Removes any dangling references in __symbols__ (e.g. removed pvIOMMUs)
+ filter_dangling_symbols(fdt)
}
}
@@ -1020,6 +1041,39 @@
}
#[test]
+ fn device_info_patch_no_pviommus() {
+ let mut fdt_data = fs::read(FDT_WITHOUT_IOMMUS_FILE_PATH).unwrap();
+ let mut vm_dtbo_data = fs::read(VM_DTBO_FILE_PATH).unwrap();
+ let mut data = vec![0_u8; fdt_data.len() + vm_dtbo_data.len()];
+ let fdt = Fdt::from_mut_slice(&mut fdt_data).unwrap();
+ let vm_dtbo = VmDtbo::from_mut_slice(&mut vm_dtbo_data).unwrap();
+ let platform_dt = Fdt::create_empty_tree(data.as_mut_slice()).unwrap();
+
+ let hypervisor = MockHypervisor {
+ mmio_tokens: [((0x9, 0xFF), 0x300)].into(),
+ iommu_tokens: BTreeMap::new(),
+ };
+ let device_info = DeviceAssignmentInfo::parse(fdt, vm_dtbo, &hypervisor).unwrap().unwrap();
+ device_info.filter(vm_dtbo).unwrap();
+
+ // SAFETY: Damaged VM DTBO wouldn't be used after this unsafe block.
+ unsafe {
+ platform_dt.apply_overlay(vm_dtbo.as_mut()).unwrap();
+ }
+ device_info.patch(platform_dt).unwrap();
+
+ let compatible = platform_dt.root().next_compatible(cstr!("pkvm,pviommu")).unwrap();
+ assert_eq!(None, compatible);
+
+ if let Some(symbols) = platform_dt.symbols().unwrap() {
+ for prop in symbols.properties().unwrap() {
+ let path = CStr::from_bytes_with_nul(prop.value().unwrap()).unwrap();
+ assert_ne!(None, platform_dt.node(path).unwrap());
+ }
+ }
+ }
+
+ #[test]
fn device_info_overlay_iommu() {
let mut fdt_data = fs::read(FDT_FILE_PATH).unwrap();
let mut vm_dtbo_data = fs::read(VM_DTBO_FILE_PATH).unwrap();
diff --git a/pvmfw/src/fdt.rs b/pvmfw/src/fdt.rs
index 146d012..51ba112 100644
--- a/pvmfw/src/fdt.rs
+++ b/pvmfw/src/fdt.rs
@@ -368,7 +368,7 @@
n: usize,
compat: &CStr,
) -> libfdt::Result<Option<FdtNodeMut<'a>>> {
- let mut node = fdt.root_mut()?.next_compatible(compat)?;
+ let mut node = fdt.root_mut().next_compatible(compat)?;
for _ in 0..n {
node = node.ok_or(FdtError::NoSpace)?.next_compatible(compat)?;
}
@@ -479,7 +479,7 @@
vm_ref_dt: &Fdt,
props_info: &BTreeMap<CString, Vec<u8>>,
) -> libfdt::Result<()> {
- let root_vm_dt = vm_dt.root_mut()?;
+ let root_vm_dt = vm_dt.root_mut();
let mut avf_vm_dt = root_vm_dt.add_subnode(cstr!("avf"))?;
// TODO(b/318431677): Validate nodes beyond /avf.
let avf_node = vm_ref_dt.node(cstr!("/avf"))?.ok_or(FdtError::NotFound)?;
@@ -714,10 +714,8 @@
}
fn patch_pci_info(fdt: &mut Fdt, pci_info: &PciInfo) -> libfdt::Result<()> {
- let mut node = fdt
- .root_mut()?
- .next_compatible(cstr!("pci-host-cam-generic"))?
- .ok_or(FdtError::NotFound)?;
+ let mut node =
+ fdt.root_mut().next_compatible(cstr!("pci-host-cam-generic"))?.ok_or(FdtError::NotFound)?;
let irq_masks_size = pci_info.irq_masks.len() * size_of::<PciIrqMask>();
node.trimprop(cstr!("interrupt-map-mask"), irq_masks_size)?;
@@ -758,7 +756,7 @@
/// Patch the DT by deleting the ns16550a compatible nodes whose address are unknown
fn patch_serial_info(fdt: &mut Fdt, serial_info: &SerialInfo) -> libfdt::Result<()> {
let name = cstr!("ns16550a");
- let mut next = fdt.root_mut()?.next_compatible(name);
+ let mut next = fdt.root_mut().next_compatible(name);
while let Some(current) = next? {
let reg =
current.as_node().reg()?.ok_or(FdtError::NotFound)?.next().ok_or(FdtError::NotFound)?;
@@ -806,7 +804,7 @@
fn patch_swiotlb_info(fdt: &mut Fdt, swiotlb_info: &SwiotlbInfo) -> libfdt::Result<()> {
let mut node =
- fdt.root_mut()?.next_compatible(cstr!("restricted-dma-pool"))?.ok_or(FdtError::NotFound)?;
+ fdt.root_mut().next_compatible(cstr!("restricted-dma-pool"))?.ok_or(FdtError::NotFound)?;
if let Some(range) = swiotlb_info.fixed_range() {
node.setprop_addrrange_inplace(
@@ -845,7 +843,7 @@
let value = [addr0, size0.unwrap(), addr1, size1.unwrap()];
let mut node =
- fdt.root_mut()?.next_compatible(cstr!("arm,gic-v3"))?.ok_or(FdtError::NotFound)?;
+ fdt.root_mut().next_compatible(cstr!("arm,gic-v3"))?.ok_or(FdtError::NotFound)?;
node.setprop_inplace(cstr!("reg"), flatten(&value))
}
@@ -869,7 +867,7 @@
let value = value.into_inner();
let mut node =
- fdt.root_mut()?.next_compatible(cstr!("arm,armv8-timer"))?.ok_or(FdtError::NotFound)?;
+ fdt.root_mut().next_compatible(cstr!("arm,armv8-timer"))?.ok_or(FdtError::NotFound)?;
node.setprop_inplace(cstr!("interrupts"), value.as_bytes())
}
@@ -877,7 +875,7 @@
let avf_node = if let Some(node) = fdt.node_mut(cstr!("/avf"))? {
node
} else {
- fdt.root_mut()?.add_subnode(cstr!("avf"))?
+ fdt.root_mut().add_subnode(cstr!("avf"))?
};
// The node shouldn't already be present; if it is, return the error.
diff --git a/service_vm/fake_chain/src/client_vm.rs b/service_vm/fake_chain/src/client_vm.rs
index 44ea898..6f956a7 100644
--- a/service_vm/fake_chain/src/client_vm.rs
+++ b/service_vm/fake_chain/src/client_vm.rs
@@ -29,7 +29,7 @@
HIDDEN_SIZE,
};
use log::error;
-use microdroid_kernel_hashes::{INITRD_DEBUG_HASH, KERNEL_HASH};
+use microdroid_kernel_hashes::OS_HASHES;
type CborResult<T> = result::Result<T, ciborium::value::Error>;
@@ -176,6 +176,7 @@
}
fn kernel_code_hash() -> Result<[u8; HASH_SIZE]> {
- let code_hash = [KERNEL_HASH, INITRD_DEBUG_HASH].concat();
+ let os_hashes = &OS_HASHES[0];
+ let code_hash = [os_hashes.kernel, os_hashes.initrd_debug].concat();
hash(&code_hash)
}
diff --git a/service_vm/kernel/Android.bp b/service_vm/kernel/Android.bp
deleted file mode 100644
index 79158e6..0000000
--- a/service_vm/kernel/Android.bp
+++ /dev/null
@@ -1,31 +0,0 @@
-package {
- default_applicable_licenses: ["Android-Apache-2.0"],
-}
-
-python_binary_host {
- name: "extract_microdroid_kernel_hashes",
- srcs: ["extract_microdroid_kernel_hashes.py"],
-}
-
-genrule {
- name: "microdroid_kernel_hashes_rs",
- srcs: [":microdroid_kernel"],
- out: ["lib.rs"],
- tools: [
- "extract_microdroid_kernel_hashes",
- "avbtool",
- ],
- cmd: "$(location extract_microdroid_kernel_hashes) $(location avbtool) $(in) > $(out)",
-}
-
-rust_library_rlib {
- name: "libmicrodroid_kernel_hashes",
- srcs: [":microdroid_kernel_hashes_rs"],
- crate_name: "microdroid_kernel_hashes",
- prefer_rlib: true,
- no_stdlibs: true,
- stdlibs: [
- "libcompiler_builtins.rust_sysroot",
- "libcore.rust_sysroot",
- ],
-}
diff --git a/service_vm/kernel/extract_microdroid_kernel_hashes.py b/service_vm/kernel/extract_microdroid_kernel_hashes.py
deleted file mode 100644
index 148e8be..0000000
--- a/service_vm/kernel/extract_microdroid_kernel_hashes.py
+++ /dev/null
@@ -1,73 +0,0 @@
-"""Extracts the following hashes from the AVB footer of Microdroid's kernel:
-
-- kernel hash
-- initrd_normal hash
-- initrd_debug hash
-
-The hashes are written to stdout as a Rust file.
-
-In unsupportive environments such as x86, when the kernel is just an empty file,
-the output Rust file has the same hash constant fields for compatibility
-reasons, but all of them are empty.
-"""
-#!/usr/bin/env python3
-
-import sys
-import subprocess
-from typing import Dict
-
-PARTITION_NAME_BOOT = 'boot'
-PARTITION_NAME_INITRD_NORMAL = 'initrd_normal'
-PARTITION_NAME_INITRD_DEBUG = 'initrd_debug'
-
-def main(args):
- """Main function."""
- avbtool = args[0]
- kernel_image_path = args[1]
- hashes = collect_hashes(avbtool, kernel_image_path)
-
- print("//! This file is generated by extract_microdroid_kernel_hashes.py.")
- print("//! It contains the hashes of the kernel and initrds.\n")
- print("#![no_std]\n#![allow(missing_docs)]\n")
-
- # Microdroid's kernel is just an empty file in unsupportive environments
- # such as x86, in this case the hashes should be empty.
- if hashes.keys() != {PARTITION_NAME_BOOT,
- PARTITION_NAME_INITRD_NORMAL,
- PARTITION_NAME_INITRD_DEBUG}:
- print("/// The kernel is empty, no hashes are available.")
- hashes[PARTITION_NAME_BOOT] = ""
- hashes[PARTITION_NAME_INITRD_NORMAL] = ""
- hashes[PARTITION_NAME_INITRD_DEBUG] = ""
-
- print("pub const KERNEL_HASH: &[u8] = &["
- f"{format_hex_string(hashes[PARTITION_NAME_BOOT])}];\n")
- print("pub const INITRD_NORMAL_HASH: &[u8] = &["
- f"{format_hex_string(hashes[PARTITION_NAME_INITRD_NORMAL])}];\n")
- print("pub const INITRD_DEBUG_HASH: &[u8] = &["
- f"{format_hex_string(hashes[PARTITION_NAME_INITRD_DEBUG])}];")
-
-def collect_hashes(avbtool: str, kernel_image_path: str) -> Dict[str, str]:
- """Collects the hashes from the AVB footer of the kernel image."""
- hashes = {}
- with subprocess.Popen(
- [avbtool, 'print_partition_digests', '--image', kernel_image_path],
- stdout=subprocess.PIPE, stderr=subprocess.STDOUT) as proc:
- stdout, _ = proc.communicate()
- for line in stdout.decode("utf-8").split("\n"):
- line = line.replace(" ", "").split(":")
- if len(line) == 2:
- partition_name, hash_ = line
- hashes[partition_name] = hash_
- return hashes
-
-def format_hex_string(hex_string: str) -> str:
- """Formats a hex string into a Rust array."""
- assert len(hex_string) % 2 == 0, \
- "Hex string must have even length: " + hex_string
- return ", ".join(["\n0x" + hex_string[i:i+2] if i % 32 == 0
- else "0x" + hex_string[i:i+2]
- for i in range(0, len(hex_string), 2)])
-
-if __name__ == '__main__':
- main(sys.argv[1:])
diff --git a/service_vm/requests/src/client_vm.rs b/service_vm/requests/src/client_vm.rs
index d4474cf..15a3bd0 100644
--- a/service_vm/requests/src/client_vm.rs
+++ b/service_vm/requests/src/client_vm.rs
@@ -29,7 +29,7 @@
use der::{Decode, Encode};
use diced_open_dice::{DiceArtifacts, HASH_SIZE};
use log::{error, info};
-use microdroid_kernel_hashes::{INITRD_DEBUG_HASH, INITRD_NORMAL_HASH, KERNEL_HASH};
+use microdroid_kernel_hashes::{HASH_SIZE as KERNEL_HASH_SIZE, OS_HASHES};
use service_vm_comm::{ClientVmAttestationParams, Csr, CsrPayload, RequestProcessingError};
use x509_cert::{certificate::Certificate, name::Name};
@@ -159,10 +159,10 @@
/// embedded during the build time.
fn validate_kernel_code_hash(dice_chain: &ClientVmDiceChain) -> Result<()> {
let kernel = dice_chain.microdroid_kernel();
- if expected_kernel_code_hash_normal()? == kernel.code_hash {
+ if matches_any_kernel_code_hash(&kernel.code_hash, /* is_debug= */ false)? {
return Ok(());
}
- if expected_kernel_code_hash_debug()? == kernel.code_hash {
+ if matches_any_kernel_code_hash(&kernel.code_hash, /* is_debug= */ true)? {
if dice_chain.all_entries_are_secure() {
error!("The Microdroid kernel has debug initrd but the DICE chain is secure");
return Err(RequestProcessingError::InvalidDiceChain);
@@ -173,18 +173,20 @@
Err(RequestProcessingError::InvalidDiceChain)
}
-fn expected_kernel_code_hash_normal() -> bssl_avf::Result<Vec<u8>> {
- let mut code_hash = [0u8; 64];
- code_hash[0..32].copy_from_slice(KERNEL_HASH);
- code_hash[32..].copy_from_slice(INITRD_NORMAL_HASH);
- Digester::sha512().digest(&code_hash)
-}
-
-fn expected_kernel_code_hash_debug() -> bssl_avf::Result<Vec<u8>> {
- let mut code_hash = [0u8; 64];
- code_hash[0..32].copy_from_slice(KERNEL_HASH);
- code_hash[32..].copy_from_slice(INITRD_DEBUG_HASH);
- Digester::sha512().digest(&code_hash)
+fn matches_any_kernel_code_hash(actual_code_hash: &[u8], is_debug: bool) -> bssl_avf::Result<bool> {
+ for os_hash in OS_HASHES {
+ let mut code_hash = [0u8; KERNEL_HASH_SIZE * 2];
+ code_hash[0..KERNEL_HASH_SIZE].copy_from_slice(&os_hash.kernel);
+ if is_debug {
+ code_hash[KERNEL_HASH_SIZE..].copy_from_slice(&os_hash.initrd_debug);
+ } else {
+ code_hash[KERNEL_HASH_SIZE..].copy_from_slice(&os_hash.initrd_normal);
+ }
+ if Digester::sha512().digest(&code_hash)? == actual_code_hash {
+ return Ok(true);
+ }
+ }
+ Ok(false)
}
fn expected_kernel_authority_hash(service_vm_entry: &Value) -> Result<[u8; HASH_SIZE]> {
diff --git a/service_vm/test_apk/assets/config.json b/service_vm/test_apk/assets/config.json
deleted file mode 100644
index caae3ce..0000000
--- a/service_vm/test_apk/assets/config.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "os": {
- "name": "microdroid"
- },
- "task": {
- "type": "microdroid_launcher",
- "command": "libvm_attestation_test_payload.so"
- },
- "export_tombstones": true
- }
\ No newline at end of file
diff --git a/service_vm/test_apk/src/java/com/android/virt/vm_attestation/testapp/VmAttestationTests.java b/service_vm/test_apk/src/java/com/android/virt/vm_attestation/testapp/VmAttestationTests.java
index 7771e83..af99711 100644
--- a/service_vm/test_apk/src/java/com/android/virt/vm_attestation/testapp/VmAttestationTests.java
+++ b/service_vm/test_apk/src/java/com/android/virt/vm_attestation/testapp/VmAttestationTests.java
@@ -40,7 +40,7 @@
@RunWith(Parameterized.class)
public class VmAttestationTests extends MicrodroidDeviceTestBase {
private static final String TAG = "VmAttestationTest";
- private static final String DEFAULT_CONFIG = "assets/config.json";
+ private static final String VM_PAYLOAD_PATH = "libvm_attestation_test_payload.so";
@Parameterized.Parameter(0)
public String mGki;
@@ -71,7 +71,7 @@
assumeFeatureEnabled(VirtualMachineManager.FEATURE_REMOTE_ATTESTATION);
VirtualMachineConfig.Builder builder =
- newVmConfigBuilderWithPayloadConfig(DEFAULT_CONFIG)
+ newVmConfigBuilderWithPayloadBinary(VM_PAYLOAD_PATH)
.setDebugLevel(DEBUG_LEVEL_FULL)
.setVmOutputCaptured(true);
VirtualMachineConfig config = builder.build();
diff --git a/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java b/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java
index 77cae32..ba02067 100644
--- a/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java
+++ b/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java
@@ -276,9 +276,9 @@
(builder) -> builder);
}
- @Test
- public void testMicrodroidDebugBootTime_withVendorPartition() throws Exception {
- assume().withMessage("Cuttlefish doesn't support device tree under" + " /proc/device-tree")
+ private void testMicrodroidDebugBootTime_withVendorBase(File vendorDiskImage) throws Exception {
+ // TODO(b/325094712): Boot fails with vendor partition in Cuttlefish.
+ assume().withMessage("Cuttlefish doesn't support device tree under /proc/device-tree")
.that(isCuttlefish())
.isFalse();
// TODO(b/317567210): Boots fails with vendor partition in HWASAN enabled microdroid
@@ -287,11 +287,6 @@
.that(isHwasan())
.isFalse();
assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
-
- File vendorDiskImage = new File("/vendor/etc/avf/microdroid/microdroid_vendor.img");
- assume().withMessage("Microdroid vendor image doesn't exist, skip")
- .that(vendorDiskImage.exists())
- .isTrue();
runBootTimeTest(
"test_vm_boot_time_debug_with_vendor_partition",
"assets/" + os() + "/vm_config.json",
@@ -300,6 +295,27 @@
}
@Test
+ public void testMicrodroidDebugBootTime_withVendorPartition() throws Exception {
+ File vendorDiskImage = new File("/vendor/etc/avf/microdroid/microdroid_vendor.img");
+ assume().withMessage("Microdroid vendor image doesn't exist, skip")
+ .that(vendorDiskImage.exists())
+ .isTrue();
+ testMicrodroidDebugBootTime_withVendorBase(vendorDiskImage);
+ }
+
+ @Test
+ public void testMicrodroidDebugBootTime_withCustomVendorPartition() throws Exception {
+ assume().withMessage(
+ "Skip test for protected VM, pvmfw config data doesn't contain any"
+ + " information of test images, such as root digest.")
+ .that(mProtectedVm)
+ .isFalse();
+ File vendorDiskImage =
+ new File("/data/local/tmp/microdroid-bench/microdroid_vendor_image.img");
+ testMicrodroidDebugBootTime_withVendorBase(vendorDiskImage);
+ }
+
+ @Test
public void testMicrodroidImageSize() throws IOException {
Bundle bundle = new Bundle();
for (File file : new File(APEX_ETC_FS).listFiles()) {
diff --git a/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java b/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
index 2c72561..2c92f04 100644
--- a/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
+++ b/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
@@ -21,6 +21,7 @@
import static com.google.common.truth.TruthJUnit.assume;
import static org.junit.Assume.assumeTrue;
+import static org.junit.Assume.assumeFalse;
import android.app.Instrumentation;
import android.app.UiAutomation;
@@ -611,4 +612,8 @@
protected void assumeProtectedVM() {
assumeTrue("Skip on non-protected VM", mProtectedVm);
}
+
+ protected void assumeNonProtectedVM() {
+ assumeFalse("Skip on protected VM", mProtectedVm);
+ }
}
diff --git a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
index 20b5a50..0901fd4 100644
--- a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
+++ b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
@@ -553,7 +553,8 @@
mMicrodroidDevice.enableAdbRoot();
CommandRunner microdroid = new CommandRunner(mMicrodroidDevice);
- microdroid.run(crashCommand);
+ // can crash in the middle of crashCommand; fail is ok
+ microdroid.tryRun(crashCommand);
// check until microdroid is shut down
waitForCrosvmExit(android, testStartTime);
@@ -1084,6 +1085,13 @@
}
mOs = (mGki != null) ? "microdroid_gki-" + mGki : "microdroid";
+
+ new CommandRunner(getDevice())
+ .tryRun(
+ "pm",
+ "grant",
+ SHELL_PACKAGE_NAME,
+ "android.permission.USE_CUSTOM_VIRTUAL_MACHINE");
}
@After
@@ -1098,21 +1106,13 @@
mTestLogs, getDevice(), LOG_PATH, "vm.log-" + mTestName.getMethodName());
getDevice().uninstallPackage(PACKAGE_NAME);
-
- // testCustomVirtualMachinePermission revokes this permission. Grant it again as cleanup
- new CommandRunner(getDevice())
- .tryRun(
- "pm",
- "grant",
- SHELL_PACKAGE_NAME,
- "android.permission.USE_CUSTOM_VIRTUAL_MACHINE");
}
- private void assumeProtectedVm() throws Exception {
+ private void assumeProtectedVm() {
assumeTrue("This test is only for protected VM.", mProtectedVm);
}
- private void assumeNonProtectedVm() throws Exception {
+ private void assumeNonProtectedVm() {
assumeFalse("This test is only for non-protected VM.", mProtectedVm);
}
diff --git a/tests/libs/libdts/Android.bp b/tests/libs/libdts/Android.bp
new file mode 100644
index 0000000..512c50b
--- /dev/null
+++ b/tests/libs/libdts/Android.bp
@@ -0,0 +1,17 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+rust_library_rlib {
+ name: "libdts",
+ crate_name: "dts",
+ defaults: ["avf_build_flags_rust"],
+ srcs: ["src/lib.rs"],
+ edition: "2021",
+ prefer_rlib: true,
+ rustlibs: [
+ "libanyhow",
+ "liblibfdt",
+ ],
+ apex_available: ["com.android.virt"],
+}
diff --git a/tests/libs/libdts/README.md b/tests/libs/libdts/README.md
new file mode 100644
index 0000000..ed63bd0
--- /dev/null
+++ b/tests/libs/libdts/README.md
@@ -0,0 +1,16 @@
+Device tree source (DTS) decompiler on Android device.
+
+This is alternative to dtdiff, which only support bash.
+
+How to use for rust_test
+========================
+
+Following dependencies are needed in addition to libdts.
+
+```
+rust_test {
+ ...
+ data_bins: ["dtc_static"],
+ compile_multilib: "first",
+}
+```
diff --git a/tests/libs/libdts/src/lib.rs b/tests/libs/libdts/src/lib.rs
new file mode 100644
index 0000000..0ee9b66
--- /dev/null
+++ b/tests/libs/libdts/src/lib.rs
@@ -0,0 +1,75 @@
+// Copyright 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Device tree source (dts) for comparing device tree contents
+//! i.e. sorted dts decompiled by `dtc -s -O dts`.
+
+use anyhow::{anyhow, Result};
+use libfdt::Fdt;
+use std::io::Write;
+use std::path::Path;
+use std::process::{Command, Stdio};
+
+/// Device tree source (dts)
+#[derive(Debug, Eq, PartialEq, Ord, PartialOrd)]
+pub struct Dts {
+ dts: String,
+}
+
+impl Dts {
+ /// Creates a device tree source from /proc/device-tree style directory
+ pub fn from_fs(path: &Path) -> Result<Self> {
+ let path = path.to_str().unwrap();
+ let res = Command::new("./dtc_static")
+ .args(["-f", "-s", "-I", "fs", "-O", "dts", path])
+ .output()?;
+ if !res.status.success() {
+ return Err(anyhow!("Failed to run dtc_static, res={res:?}"));
+ }
+ Ok(Self { dts: String::from_utf8(res.stdout)? })
+ }
+
+ /// Creates a device tree source from dtb
+ pub fn from_dtb(path: &Path) -> Result<Self> {
+ let path = path.to_str().unwrap();
+ let res = Command::new("./dtc_static")
+ .args(["-f", "-s", "-I", "dtb", "-O", "dts", path])
+ .output()?;
+ if !res.status.success() {
+ return Err(anyhow!("Failed to run dtc_static, res={res:?}"));
+ }
+ Ok(Self { dts: String::from_utf8(res.stdout)? })
+ }
+
+ /// Creates a device tree source from Fdt
+ pub fn from_fdt(fdt: &Fdt) -> Result<Self> {
+ let mut dtc = Command::new("./dtc_static")
+ .args(["-f", "-s", "-I", "dtb", "-O", "dts"])
+ .stdin(Stdio::piped())
+ .stdout(Stdio::piped())
+ .spawn()?;
+
+ {
+ let mut stdin = dtc.stdin.take().unwrap();
+ stdin.write_all(fdt.as_slice())?;
+ // Explicitly drop stdin to avoid indefinite blocking
+ }
+
+ let res = dtc.wait_with_output()?;
+ if !res.status.success() {
+ return Err(anyhow!("Failed to run dtc_static, res={res:?}"));
+ }
+ Ok(Self { dts: String::from_utf8(res.stdout)? })
+ }
+}
diff --git a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidCapabilitiesTest.java b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidCapabilitiesTest.java
index a0826c9..eb23e21 100644
--- a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidCapabilitiesTest.java
+++ b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidCapabilitiesTest.java
@@ -22,6 +22,7 @@
import com.android.compatibility.common.util.CddTest;
import com.android.microdroid.test.device.MicrodroidDeviceTestBase;
+import org.junit.Ignore;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;
@@ -37,6 +38,7 @@
public class MicrodroidCapabilitiesTest extends MicrodroidDeviceTestBase {
@Test
@CddTest(requirements = {"9.17/C-1-1", "9.17/C-2-1"})
+ @Ignore("b/326092480")
public void supportForProtectedOrNonProtectedVms() {
assumeSupportedDevice();
diff --git a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
index 070478e..3b8b4ac 100644
--- a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
+++ b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
@@ -140,13 +140,17 @@
@Before
public void setup() {
prepareTestSetup(mProtectedVm, mGki);
- // USE_CUSTOM_VIRTUAL_MACHINE permission has protection level signature|development, meaning
- // that it will be automatically granted when test apk is installed. We have some tests
- // checking the behavior when caller doesn't have this permission (e.g.
- // createVmWithConfigRequiresPermission). Proactively revoke the permission so that such
- // tests can pass when ran by itself, e.g.:
- // atest com.android.microdroid.test.MicrodroidTests#createVmWithConfigRequiresPermission
- revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ if (mGki != null) {
+ // Using a non-default VM always needs the custom permission.
+ grantPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ } else {
+ // USE_CUSTOM_VIRTUAL_MACHINE permission has protection level signature|development,
+ // meaning that it will be automatically granted when test apk is installed.
+ // But most callers shouldn't need this permission, so by default we run tests with it
+ // revoked.
+ // Tests that rely on the state of the permission should explicitly grant or revoke it.
+ revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ }
}
@After
@@ -588,6 +592,9 @@
.isFalse();
assertConfigCompatible(baseline, newBaselineBuilder().setPayloadBinaryName("different"))
.isFalse();
+ assertConfigCompatible(
+ baseline, newBaselineBuilder().setVendorDiskImage(new File("/foo/bar")))
+ .isFalse();
int capabilities = getVirtualMachineManager().getCapabilities();
if ((capabilities & CAPABILITY_PROTECTED_VM) != 0
&& (capabilities & CAPABILITY_NON_PROTECTED_VM) != 0) {
@@ -637,6 +644,7 @@
VirtualMachineConfig.Builder otherOsBuilder =
newBaselineBuilder().setOs("microdroid_gki-android14-6.1");
assertConfigCompatible(microdroidOsConfig, otherOsBuilder).isFalse();
+
}
private VirtualMachineConfig.Builder newBaselineBuilder() {
@@ -776,6 +784,7 @@
})
public void createVmWithConfigRequiresPermission() throws Exception {
assumeSupportedDevice();
+ revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
VirtualMachineConfig config =
newVmConfigBuilderWithPayloadConfig("assets/" + os() + "/vm_config.json")
@@ -2124,28 +2133,34 @@
}
}
- @Test
- public void configuringVendorDiskImageRequiresCustomPermission() throws Exception {
+ private VirtualMachineConfig buildVmConfigWithVendor(File vendorDiskImage) throws Exception {
assumeSupportedDevice();
+ // TODO(b/325094712): Boot fails with vendor partition in Cuttlefish.
assumeFalse(
"Cuttlefish doesn't support device tree under /proc/device-tree", isCuttlefish());
- // TODO(b/317567210): Boots fails with vendor partition in HWASAN enabled microdroid
+ // TODO(b/317567210): Boot fails with vendor partition in HWASAN enabled microdroid
// after introducing verification based on DT and fstab in microdroid vendor partition.
assumeFalse(
"boot with vendor partition is failing in HWASAN enabled Microdroid.", isHwasan());
assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
-
- File vendorDiskImage =
- new File("/data/local/tmp/cts/microdroid/test_microdroid_vendor_image.img");
VirtualMachineConfig config =
newVmConfigBuilderWithPayloadBinary("MicrodroidTestNativeLib.so")
.setVendorDiskImage(vendorDiskImage)
.setDebugLevel(DEBUG_LEVEL_FULL)
.build();
+ grantPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ return config;
+ }
+
+ @Test
+ public void configuringVendorDiskImageRequiresCustomPermission() throws Exception {
+ File vendorDiskImage =
+ new File("/data/local/tmp/cts/microdroid/test_microdroid_vendor_image.img");
+ VirtualMachineConfig config = buildVmConfigWithVendor(vendorDiskImage);
+ revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
VirtualMachine vm =
forceCreateNewVirtualMachine("test_vendor_image_req_custom_permission", config);
-
SecurityException e =
assertThrows(
SecurityException.class, () -> runVmTestService(TAG, vm, (ts, tr) -> {}));
@@ -2156,27 +2171,11 @@
@Test
public void bootsWithVendorPartition() throws Exception {
- assumeSupportedDevice();
- assumeFalse(
- "Cuttlefish doesn't support device tree under /proc/device-tree", isCuttlefish());
- // TODO(b/317567210): Boots fails with vendor partition in HWASAN enabled microdroid
- // after introducing verification based on DT and fstab in microdroid vendor partition.
- assumeFalse(
- "Boot with vendor partition is failing in HWASAN enabled Microdroid.", isHwasan());
- assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
-
- grantPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
-
File vendorDiskImage = new File("/vendor/etc/avf/microdroid/microdroid_vendor.img");
assumeTrue("Microdroid vendor image doesn't exist, skip", vendorDiskImage.exists());
- VirtualMachineConfig config =
- newVmConfigBuilderWithPayloadBinary("MicrodroidTestNativeLib.so")
- .setVendorDiskImage(vendorDiskImage)
- .setDebugLevel(DEBUG_LEVEL_FULL)
- .build();
+ VirtualMachineConfig config = buildVmConfigWithVendor(vendorDiskImage);
VirtualMachine vm = forceCreateNewVirtualMachine("test_boot_with_vendor", config);
-
TestResults testResults =
runVmTestService(
TAG,
@@ -2184,40 +2183,57 @@
(ts, tr) -> {
tr.mMountFlags = ts.getMountFlags("/vendor");
});
-
assertThat(testResults.mException).isNull();
int expectedFlags = MS_NOATIME | MS_RDONLY;
assertThat(testResults.mMountFlags & expectedFlags).isEqualTo(expectedFlags);
}
@Test
- public void creationFailsWithUnsignedVendorPartition() throws Exception {
- assumeSupportedDevice();
- assumeFalse(
- "Cuttlefish doesn't support device tree under /proc/device-tree", isCuttlefish());
- // TODO(b/317567210): Boots fails with vendor partition in HWASAN enabled microdroid
- // after introducing verification based on DT and fstab in microdroid vendor partition.
- assumeFalse(
- "boot with vendor partition is failing in HWASAN enabled Microdroid.", isHwasan());
- assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
+ public void bootsWithCustomVendorPartitionForNonPvm() throws Exception {
+ assumeNonProtectedVM();
+ File vendorDiskImage =
+ new File("/data/local/tmp/cts/microdroid/test_microdroid_vendor_image.img");
+ VirtualMachineConfig config = buildVmConfigWithVendor(vendorDiskImage);
- grantPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ VirtualMachine vm =
+ forceCreateNewVirtualMachine("test_boot_with_custom_vendor_non_pvm", config);
+ TestResults testResults =
+ runVmTestService(
+ TAG,
+ vm,
+ (ts, tr) -> {
+ tr.mMountFlags = ts.getMountFlags("/vendor");
+ });
+ assertThat(testResults.mException).isNull();
+ int expectedFlags = MS_NOATIME | MS_RDONLY;
+ assertThat(testResults.mMountFlags & expectedFlags).isEqualTo(expectedFlags);
+ }
- File unsignedVendorDiskImage =
- new File(
- "/data/local/tmp/cts/microdroid/test_microdroid_vendor_image_unsigned.img");
- VirtualMachineConfig config =
- newVmConfigBuilderWithPayloadBinary("MicrodroidTestNativeLib.so")
- .setVendorDiskImage(unsignedVendorDiskImage)
- .setDebugLevel(DEBUG_LEVEL_FULL)
- .build();
+ @Test
+ public void bootFailsWithCustomVendorPartitionForPvm() throws Exception {
+ assumeProtectedVM();
+ File vendorDiskImage =
+ new File("/data/local/tmp/cts/microdroid/test_microdroid_vendor_image.img");
+ VirtualMachineConfig config = buildVmConfigWithVendor(vendorDiskImage);
- BootResult bootResult = tryBootVmWithConfig(config, "test_boot_with_unsigned_vendor");
+ BootResult bootResult = tryBootVmWithConfig(config, "test_boot_with_custom_vendor_pvm");
assertThat(bootResult.payloadStarted).isFalse();
assertThat(bootResult.deathReason).isEqualTo(VirtualMachineCallback.STOP_REASON_REBOOT);
}
@Test
+ public void creationFailsWithUnsignedVendorPartition() throws Exception {
+ File vendorDiskImage =
+ new File(
+ "/data/local/tmp/cts/microdroid/test_microdroid_vendor_image_unsigned.img");
+ VirtualMachineConfig config = buildVmConfigWithVendor(vendorDiskImage);
+
+ VirtualMachine vm = forceCreateNewVirtualMachine("test_boot_with_unsigned_vendor", config);
+ assertThrowsVmExceptionContaining(
+ () -> vm.run(), "Failed to extract vendor hashtree digest");
+ }
+
+ @Test
public void systemPartitionMountFlags() throws Exception {
assumeSupportedDevice();
diff --git a/virtualizationmanager/Android.bp b/virtualizationmanager/Android.bp
index c46385c..d8f8209 100644
--- a/virtualizationmanager/Android.bp
+++ b/virtualizationmanager/Android.bp
@@ -32,6 +32,7 @@
"libandroid_logger",
"libanyhow",
"libapkverify",
+ "libavf_features",
"libavflog",
"libbase_rust",
"libbinder_rs",
@@ -41,6 +42,7 @@
"libcommand_fds",
"libdisk",
"libglob",
+ "libhex",
"libhypervisor_props",
"liblazy_static",
"liblibc",
@@ -61,6 +63,7 @@
"libshared_child",
"libstatslog_virtualization_rust",
"libtombstoned_client_rust",
+ "libvbmeta_rust",
"libvm_control",
"libvmconfig",
"libzip",
diff --git a/virtualizationmanager/fsfdt/Android.bp b/virtualizationmanager/fsfdt/Android.bp
index 7a1e5ed..1d03522 100644
--- a/virtualizationmanager/fsfdt/Android.bp
+++ b/virtualizationmanager/fsfdt/Android.bp
@@ -41,6 +41,7 @@
defaults: ["libfsfdt_default"],
data: ["testdata/**/*"],
data_bins: ["dtc_static"],
- rustlibs: ["libtempfile"],
+ prefer_rlib: true,
+ rustlibs: ["libdts"],
compile_multilib: "first",
}
diff --git a/virtualizationmanager/fsfdt/src/lib.rs b/virtualizationmanager/fsfdt/src/lib.rs
index 84e50c1..e176b7b 100644
--- a/virtualizationmanager/fsfdt/src/lib.rs
+++ b/virtualizationmanager/fsfdt/src/lib.rs
@@ -114,51 +114,20 @@
#[cfg(test)]
mod test {
use super::*;
- use std::io::Write;
- use std::process::Command;
- use tempfile::NamedTempFile;
+ use dts::Dts;
const TEST_FS_FDT_ROOT_PATH: &str = "testdata/fs";
const BUF_SIZE_MAX: usize = 1024;
- fn dts_from_fs(path: &Path) -> String {
- let path = path.to_str().unwrap();
- let res = Command::new("./dtc_static")
- .args(["-f", "-s", "-I", "fs", "-O", "dts", path])
- .output()
- .unwrap();
- assert!(res.status.success(), "{res:?}");
- String::from_utf8(res.stdout).unwrap()
- }
-
- fn dts_from_dtb(path: &Path) -> String {
- let path = path.to_str().unwrap();
- let res = Command::new("./dtc_static")
- .args(["-f", "-s", "-I", "dtb", "-O", "dts", path])
- .output()
- .unwrap();
- assert!(res.status.success(), "{res:?}");
- String::from_utf8(res.stdout).unwrap()
- }
-
- fn to_temp_file(fdt: &Fdt) -> Result<NamedTempFile> {
- let mut file = NamedTempFile::new()?;
- file.as_file_mut().write_all(fdt.as_slice())?;
- file.as_file_mut().sync_all()?;
-
- Ok(file)
- }
-
#[test]
fn test_from_fs() {
let fs_path = Path::new(TEST_FS_FDT_ROOT_PATH);
let mut data = vec![0_u8; BUF_SIZE_MAX];
let fdt = Fdt::from_fs(fs_path, &mut data).unwrap();
- let file = to_temp_file(fdt).unwrap();
- let expected = dts_from_fs(fs_path);
- let actual = dts_from_dtb(file.path());
+ let expected = Dts::from_fs(fs_path).unwrap();
+ let actual = Dts::from_fdt(fdt).unwrap();
assert_eq!(&expected, &actual);
// Again append fdt from TEST_FS_FDT_ROOT_PATH at root & ensure it succeeds when some
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index a2194cc..0655e5f 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -35,10 +35,6 @@
IVirtualMachine::{BnVirtualMachine, IVirtualMachine},
IVirtualMachineCallback::IVirtualMachineCallback,
IVirtualizationService::IVirtualizationService,
- IVirtualizationService::FEATURE_MULTI_TENANT,
- IVirtualizationService::FEATURE_VENDOR_MODULES,
- IVirtualizationService::FEATURE_DICE_CHANGES,
- IVirtualizationService::FEATURE_REMOTE_ATTESTATION,
MemoryTrimLevel::MemoryTrimLevel,
Partition::Partition,
PartitionType::PartitionType,
@@ -91,6 +87,7 @@
use std::os::unix::raw::pid_t;
use std::path::{Path, PathBuf};
use std::sync::{Arc, Mutex, Weak};
+use vbmeta::VbMetaImage;
use vmconfig::VmConfig;
use vsock::VsockStream;
use zip::ZipArchive;
@@ -306,19 +303,7 @@
/// Returns whether given feature is enabled
fn isFeatureEnabled(&self, feature: &str) -> binder::Result<bool> {
check_manage_access()?;
-
- // This approach is quite cumbersome, but will do the work for the short term.
- // TODO(b/298012279): make this scalable.
- match feature {
- FEATURE_DICE_CHANGES => Ok(cfg!(dice_changes)),
- FEATURE_MULTI_TENANT => Ok(cfg!(multi_tenant)),
- FEATURE_REMOTE_ATTESTATION => Ok(cfg!(remote_attestation)),
- FEATURE_VENDOR_MODULES => Ok(cfg!(vendor_modules)),
- _ => {
- warn!("unknown feature {feature}");
- Ok(false)
- }
- }
+ Ok(avf_features::is_feature_enabled(feature))
}
fn enableTestAttestation(&self) -> binder::Result<()> {
@@ -397,6 +382,23 @@
None
};
+ let vendor_hashtree_digest = extract_vendor_hashtree_digest(config)
+ .context("Failed to extract vendor hashtree digest")
+ .or_service_specific_exception(-1)?;
+
+ let trusted_props = if let Some(ref vendor_hashtree_digest) = vendor_hashtree_digest {
+ info!(
+ "Passing vendor hashtree digest to pvmfw. This will be rejected if it doesn't \
+ match the trusted digest in the pvmfw config, causing the VM to fail to start."
+ );
+ vec![(
+ cstr!("vendor_hashtree_descriptor_root_digest"),
+ vendor_hashtree_digest.as_slice(),
+ )]
+ } else {
+ vec![]
+ };
+
let untrusted_props = if cfg!(llpvm_changes) {
// TODO(b/291213394): Replace this with a per-VM instance Id.
let instance_id = b"sixtyfourbyteslonghardcoded_indeed_sixtyfourbyteslonghardcoded_h";
@@ -405,17 +407,23 @@
vec![]
};
- let device_tree_overlay = if host_ref_dt.is_some() || !untrusted_props.is_empty() {
- let dt_output = temporary_directory.join(VM_DT_OVERLAY_PATH);
- let mut data = [0_u8; VM_DT_OVERLAY_MAX_SIZE];
- let fdt = create_device_tree_overlay(&mut data, host_ref_dt, &untrusted_props)
+ let device_tree_overlay =
+ if host_ref_dt.is_some() || !untrusted_props.is_empty() || !trusted_props.is_empty() {
+ let dt_output = temporary_directory.join(VM_DT_OVERLAY_PATH);
+ let mut data = [0_u8; VM_DT_OVERLAY_MAX_SIZE];
+ let fdt = create_device_tree_overlay(
+ &mut data,
+ host_ref_dt,
+ &untrusted_props,
+ &trusted_props,
+ )
.map_err(|e| anyhow!("Failed to create DT overlay, {e:?}"))
.or_service_specific_exception(-1)?;
- fs::write(&dt_output, fdt.as_slice()).or_service_specific_exception(-1)?;
- Some(File::open(dt_output).or_service_specific_exception(-1)?)
- } else {
- None
- };
+ fs::write(&dt_output, fdt.as_slice()).or_service_specific_exception(-1)?;
+ Some(File::open(dt_output).or_service_specific_exception(-1)?)
+ } else {
+ None
+ };
let debug_level = match config {
VirtualMachineConfig::AppConfig(config) => config.debugLevel,
@@ -554,7 +562,6 @@
memory_mib: config.memoryMib.try_into().ok().and_then(NonZeroU32::new),
cpus,
host_cpu_topology,
- task_profiles: config.taskProfiles.clone(),
console_out_fd,
console_in_fd,
log_fd,
@@ -603,16 +610,46 @@
} else {
// Additional custom features not included in CustomConfig:
// - specifying a config file;
- // - specifying extra APKs.
+ // - specifying extra APKs;
+ // - specifying an OS other than Microdroid.
match &config.payload {
Payload::ConfigPath(_) => true,
- Payload::PayloadConfig(payload_config) => !payload_config.extraApks.is_empty(),
+ Payload::PayloadConfig(payload_config) => {
+ !payload_config.extraApks.is_empty()
+ || payload_config.osName != MICRODROID_OS_NAME
+ }
}
}
}
}
}
+fn extract_vendor_hashtree_digest(config: &VirtualMachineConfig) -> Result<Option<Vec<u8>>> {
+ let VirtualMachineConfig::AppConfig(config) = config else {
+ return Ok(None);
+ };
+ let Some(custom_config) = &config.customConfig else {
+ return Ok(None);
+ };
+ let Some(file) = custom_config.vendorImage.as_ref() else {
+ return Ok(None);
+ };
+
+ let file = clone_file(file)?;
+ let size =
+ file.metadata().context("Failed to get metadata from microdroid vendor image")?.len();
+ let vbmeta = VbMetaImage::verify_reader_region(&file, 0, size)
+ .context("Failed to get vbmeta from microdroid-vendor.img")?;
+
+ for descriptor in vbmeta.descriptors()?.iter() {
+ if let vbmeta::Descriptor::Hashtree(_) = descriptor {
+ let root_digest = hex::encode(descriptor.to_hashtree()?.root_digest());
+ return Ok(Some(root_digest.as_bytes().to_vec()));
+ }
+ }
+ Err(anyhow!("No hashtree digest is extracted from microdroid vendor image"))
+}
+
fn write_zero_filler(zero_filler_path: &Path) -> Result<()> {
let file = OpenOptions::new()
.create_new(true)
@@ -782,7 +819,6 @@
if let Some(file) = custom_config.customKernelImage.as_ref() {
vm_config.kernel = Some(ParcelFileDescriptor::new(clone_file(file)?))
}
- vm_config.taskProfiles = custom_config.taskProfiles.clone();
vm_config.gdbPort = custom_config.gdbPort;
if let Some(file) = custom_config.vendorImage.as_ref() {
diff --git a/virtualizationmanager/src/crosvm.rs b/virtualizationmanager/src/crosvm.rs
index 3380df3..97a27e0 100644
--- a/virtualizationmanager/src/crosvm.rs
+++ b/virtualizationmanager/src/crosvm.rs
@@ -107,7 +107,6 @@
pub memory_mib: Option<NonZeroU32>,
pub cpus: Option<NonZeroU32>,
pub host_cpu_topology: bool,
- pub task_profiles: Vec<String>,
pub console_out_fd: Option<File>,
pub console_in_fd: Option<File>,
pub log_fd: Option<File>,
@@ -596,6 +595,35 @@
}
}
+// Get Cpus_allowed mask
+fn check_if_all_cpus_allowed() -> Result<bool> {
+ let file = read_to_string("/proc/self/status")?;
+ let lines: Vec<_> = file.split('\n').collect();
+
+ for line in lines {
+ if line.contains("Cpus_allowed_list") {
+ let prop: Vec<_> = line.split_whitespace().collect();
+ if prop.len() != 2 {
+ return Ok(false);
+ }
+ let cpu_list: Vec<_> = prop[1].split('-').collect();
+ //Only contiguous Cpu list allowed
+ if cpu_list.len() != 2 {
+ return Ok(false);
+ }
+ if let Some(cpus) = get_num_cpus() {
+ let max_cpu = cpu_list[1].parse::<usize>()?;
+ if max_cpu == cpus - 1 {
+ return Ok(true);
+ } else {
+ return Ok(false);
+ }
+ }
+ }
+ }
+ Ok(false)
+}
+
// Get guest time from /proc/[crosvm pid]/stat
fn get_guest_time(pid: u32) -> Result<i64> {
let file = read_to_string(format!("/proc/{}/stat", pid))?;
@@ -810,7 +838,7 @@
}
if config.host_cpu_topology {
- if cfg!(virt_cpufreq) {
+ if cfg!(virt_cpufreq) && check_if_all_cpus_allowed()? {
command.arg("--host-cpu-topology");
cfg_if::cfg_if! {
if #[cfg(any(target_arch = "aarch64"))] {
@@ -824,10 +852,6 @@
}
}
- if !config.task_profiles.is_empty() {
- command.arg("--task-profiles").arg(config.task_profiles.join(","));
- }
-
if let Some(gdb_port) = config.gdb_port {
command.arg("--gdb").arg(gdb_port.to_string());
}
diff --git a/virtualizationmanager/src/dt_overlay.rs b/virtualizationmanager/src/dt_overlay.rs
index 71d3a26..108ed61 100644
--- a/virtualizationmanager/src/dt_overlay.rs
+++ b/virtualizationmanager/src/dt_overlay.rs
@@ -31,15 +31,18 @@
/// * `dt_path` - (Optional) Path to (proc style) device tree to be included in the overlay.
/// * `untrusted_props` - Include a property in /avf/untrusted node. This node is used to specify
/// host provided properties such as `instance-id`.
+/// * `trusted_props` - Include a property in /avf node. This overwrites nodes included with
+/// `dt_path`. In pVM, pvmfw will reject if it doesn't match the value in pvmfw config.
///
-/// Example: with `create_device_tree_overlay(_, _, [("instance-id", _),])`
+/// Example: with `create_device_tree_overlay(_, _, [("instance-id", _),], [("digest", _),])`
/// ```
/// {
/// fragment@0 {
/// target-path = "/";
/// __overlay__ {
/// avf {
-/// untrusted { instance-id = [0x01 0x23 .. ] }
+/// digest = [ 0xaa 0xbb .. ]
+/// untrusted { instance-id = [ 0x01 0x23 .. ] }
/// }
/// };
/// };
@@ -50,36 +53,54 @@
buffer: &'a mut [u8],
dt_path: Option<&'a Path>,
untrusted_props: &[(&'a CStr, &'a [u8])],
+ trusted_props: &[(&'a CStr, &'a [u8])],
) -> Result<&'a mut Fdt> {
- if dt_path.is_none() && untrusted_props.is_empty() {
+ if dt_path.is_none() && untrusted_props.is_empty() && trusted_props.is_empty() {
return Err(anyhow!("Expected at least one device tree addition"));
}
let fdt =
Fdt::create_empty_tree(buffer).map_err(|e| anyhow!("Failed to create empty Fdt: {e:?}"))?;
- let root = fdt.root_mut().map_err(|e| anyhow!("Failed to get root: {e:?}"))?;
- let mut node =
- root.add_subnode(cstr!("fragment@0")).map_err(|e| anyhow!("Failed to fragment: {e:?}"))?;
- node.setprop(cstr!("target-path"), b"/\0")
- .map_err(|e| anyhow!("Failed to set target-path: {e:?}"))?;
- let node = node
+ let mut fragment = fdt
+ .root_mut()
+ .add_subnode(cstr!("fragment@0"))
+ .map_err(|e| anyhow!("Failed to add fragment node: {e:?}"))?;
+ fragment
+ .setprop(cstr!("target-path"), b"/\0")
+ .map_err(|e| anyhow!("Failed to set target-path property: {e:?}"))?;
+ let overlay = fragment
.add_subnode(cstr!("__overlay__"))
- .map_err(|e| anyhow!("Failed to __overlay__ node: {e:?}"))?;
+ .map_err(|e| anyhow!("Failed to add __overlay__ node: {e:?}"))?;
+ let avf =
+ overlay.add_subnode(AVF_NODE_NAME).map_err(|e| anyhow!("Failed to add avf node: {e:?}"))?;
if !untrusted_props.is_empty() {
- let mut node = node
- .add_subnode(AVF_NODE_NAME)
- .map_err(|e| anyhow!("Failed to add avf node: {e:?}"))?
+ let mut untrusted = avf
.add_subnode(UNTRUSTED_NODE_NAME)
- .map_err(|e| anyhow!("Failed to add /avf/untrusted node: {e:?}"))?;
+ .map_err(|e| anyhow!("Failed to add untrusted node: {e:?}"))?;
for (name, value) in untrusted_props {
- node.setprop(name, value).map_err(|e| anyhow!("Failed to set property: {e:?}"))?;
+ untrusted
+ .setprop(name, value)
+ .map_err(|e| anyhow!("Failed to set untrusted property: {e:?}"))?;
}
}
+ // Read dt_path from host DT and overlay onto fdt.
if let Some(path) = dt_path {
fdt.overlay_onto(cstr!("/fragment@0/__overlay__"), path)?;
}
+
+ if !trusted_props.is_empty() {
+ let mut avf = fdt
+ .node_mut(cstr!("/fragment@0/__overlay__/avf"))
+ .map_err(|e| anyhow!("Failed to search avf node: {e:?}"))?
+ .ok_or(anyhow!("Failed to get avf node"))?;
+ for (name, value) in trusted_props {
+ avf.setprop(name, value)
+ .map_err(|e| anyhow!("Failed to set trusted property: {e:?}"))?;
+ }
+ }
+
fdt.pack().map_err(|e| anyhow!("Failed to pack DT overlay, {e:?}"))?;
Ok(fdt)
@@ -92,7 +113,7 @@
#[test]
fn empty_overlays_not_allowed() {
let mut buffer = vec![0_u8; VM_DT_OVERLAY_MAX_SIZE];
- let res = create_device_tree_overlay(&mut buffer, None, &[]);
+ let res = create_device_tree_overlay(&mut buffer, None, &[], &[]);
assert!(res.is_err());
}
@@ -102,7 +123,8 @@
let prop_name = cstr!("XOXO");
let prop_val_input = b"OXOX";
let fdt =
- create_device_tree_overlay(&mut buffer, None, &[(prop_name, prop_val_input)]).unwrap();
+ create_device_tree_overlay(&mut buffer, None, &[(prop_name, prop_val_input)], &[])
+ .unwrap();
let prop_value_dt = fdt
.node(cstr!("/fragment@0/__overlay__/avf/untrusted"))
@@ -113,4 +135,23 @@
.expect("Prop not found!");
assert_eq!(prop_value_dt, prop_val_input, "Unexpected property value");
}
+
+ #[test]
+ fn trusted_prop_test() {
+ let mut buffer = vec![0_u8; VM_DT_OVERLAY_MAX_SIZE];
+ let prop_name = cstr!("XOXOXO");
+ let prop_val_input = b"OXOXOX";
+ let fdt =
+ create_device_tree_overlay(&mut buffer, None, &[], &[(prop_name, prop_val_input)])
+ .unwrap();
+
+ let prop_value_dt = fdt
+ .node(cstr!("/fragment@0/__overlay__/avf"))
+ .unwrap()
+ .expect("/avf node doesn't exist")
+ .getprop(prop_name)
+ .unwrap()
+ .expect("Prop not found!");
+ assert_eq!(prop_value_dt, prop_val_input, "Unexpected property value");
+ }
}
diff --git a/virtualizationservice/Android.bp b/virtualizationservice/Android.bp
index e0bb97f..38a9ec5 100644
--- a/virtualizationservice/Android.bp
+++ b/virtualizationservice/Android.bp
@@ -23,6 +23,7 @@
rustlibs: [
"android.hardware.security.rkp-V3-rust",
"android.system.virtualizationcommon-rust",
+ "android.system.virtualizationmaintenance-rust",
"android.system.virtualizationservice-rust",
"android.system.virtualizationservice_internal-rust",
"android.system.virtualmachineservice-rust",
@@ -39,7 +40,6 @@
"libopenssl",
"librkpd_client",
"librustutils",
- "libvmclient",
"libstatslog_virtualization_rust",
"libtombstoned_client_rust",
"libvsock",
diff --git a/virtualizationservice/aidl/Android.bp b/virtualizationservice/aidl/Android.bp
index 8ca375a..66de092 100644
--- a/virtualizationservice/aidl/Android.bp
+++ b/virtualizationservice/aidl/Android.bp
@@ -55,6 +55,23 @@
}
aidl_interface {
+ name: "android.system.virtualizationmaintenance",
+ srcs: ["android/system/virtualizationmaintenance/**/*.aidl"],
+ unstable: true,
+ backend: {
+ java: {
+ sdk_version: "module_current",
+ },
+ rust: {
+ enabled: true,
+ apex_available: [
+ "com.android.virt",
+ ],
+ },
+ },
+}
+
+aidl_interface {
name: "android.system.virtualmachineservice",
srcs: ["android/system/virtualmachineservice/**/*.aidl"],
imports: [
diff --git a/virtualizationservice/aidl/android/system/virtualizationmaintenance/IVirtualizationMaintenance.aidl b/virtualizationservice/aidl/android/system/virtualizationmaintenance/IVirtualizationMaintenance.aidl
new file mode 100644
index 0000000..161673a
--- /dev/null
+++ b/virtualizationservice/aidl/android/system/virtualizationmaintenance/IVirtualizationMaintenance.aidl
@@ -0,0 +1,25 @@
+/*
+ * Copyright 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.system.virtualizationmaintenance;
+
+interface IVirtualizationMaintenance {
+ void appRemoved(int userId, int appId);
+
+ void userRemoved(int userId);
+
+ // TODO: Something for daily reconciliation
+}
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl
index 7962bc3..f7bbf55 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl
@@ -23,6 +23,7 @@
interface IVirtualizationService {
const String FEATURE_DICE_CHANGES = "com.android.kvm.DICE_CHANGES";
+ const String FEATURE_LLPVM_CHANGES = "com.android.kvm.LLPVM_CHANGES";
const String FEATURE_MULTI_TENANT = "com.android.kvm.MULTI_TENANT";
const String FEATURE_REMOTE_ATTESTATION = "com.android.kvm.REMOTE_ATTESTATION";
const String FEATURE_VENDOR_MODULES = "com.android.kvm.VENDOR_MODULES";
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl
index 9021055..8302a2f 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl
@@ -101,11 +101,6 @@
*/
int gdbPort = 0;
- /**
- * List of task profile names to apply for the VM
- */
- String[] taskProfiles;
-
/** A disk image containing vendor specific modules. */
@nullable ParcelFileDescriptor vendorImage;
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineRawConfig.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineRawConfig.aidl
index 7c0ed0c..6be2833 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineRawConfig.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineRawConfig.aidl
@@ -60,11 +60,6 @@
@utf8InCpp String platformVersion;
/**
- * List of task profile names to apply for the VM
- */
- String[] taskProfiles;
-
- /**
* Port at which crosvm will start a gdb server to debug guest kernel.
* If set to zero, then gdb server won't be started.
*/
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index c7ae5f0..c7a33ba 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -59,7 +59,9 @@
IGlobalVmContext::{BnGlobalVmContext, IGlobalVmContext},
IVfioHandler::VfioDev::VfioDev,
IVfioHandler::{BpVfioHandler, IVfioHandler},
- IVirtualizationServiceInternal::IVirtualizationServiceInternal,
+ IVirtualizationServiceInternal::{
+ BnVirtualizationServiceInternal, IVirtualizationServiceInternal,
+ },
};
use virtualmachineservice::IVirtualMachineService::VM_TOMBSTONES_SERVICE_PORT;
use vsock::{VsockListener, VsockStream};
@@ -67,8 +69,6 @@
/// The unique ID of a VM used (together with a port number) for vsock communication.
pub type Cid = u32;
-pub const BINDER_SERVICE_IDENTIFIER: &str = "android.system.virtualizationservice";
-
/// Directory in which to write disk image files used while running VMs.
pub const TEMPORARY_DIRECTORY: &str = "/data/misc/virtualizationservice";
@@ -165,7 +165,7 @@
}
impl VirtualizationServiceInternal {
- pub fn init() -> VirtualizationServiceInternal {
+ pub fn init() -> Strong<dyn IVirtualizationServiceInternal> {
let service = VirtualizationServiceInternal::default();
std::thread::spawn(|| {
@@ -174,7 +174,7 @@
}
});
- service
+ BnVirtualizationServiceInternal::new_binder(service, BinderFeatures::default())
}
}
diff --git a/virtualizationservice/src/atom.rs b/virtualizationservice/src/atom.rs
index 862646b..6e0064f 100644
--- a/virtualizationservice/src/atom.rs
+++ b/virtualizationservice/src/atom.rs
@@ -47,7 +47,6 @@
cpu_affinity: "", // deprecated
memory_mib: atom.memoryMib,
apexes: &atom.apexes,
- // TODO(seungjaeyoo) Fill information about task_profile
// TODO(seungjaeyoo) Fill information about disk_image for raw config
};
diff --git a/virtualizationservice/src/main.rs b/virtualizationservice/src/main.rs
index ad21e89..97bb38f 100644
--- a/virtualizationservice/src/main.rs
+++ b/virtualizationservice/src/main.rs
@@ -16,18 +16,15 @@
mod aidl;
mod atom;
+mod maintenance;
mod remote_provisioning;
mod rkpvm;
-use crate::aidl::{
- remove_temporary_dir, BINDER_SERVICE_IDENTIFIER, TEMPORARY_DIRECTORY,
- VirtualizationServiceInternal
-};
+use crate::aidl::{remove_temporary_dir, VirtualizationServiceInternal, TEMPORARY_DIRECTORY};
use android_logger::{Config, FilterBuilder};
-use android_system_virtualizationservice_internal::aidl::android::system::virtualizationservice_internal::IVirtualizationServiceInternal::BnVirtualizationServiceInternal;
-use anyhow::Error;
-use binder::{register_lazy_service, BinderFeatures, ProcessState, ThreadState};
-use log::{info, LevelFilter};
+use anyhow::{bail, Context, Error, Result};
+use binder::{register_lazy_service, ProcessState, ThreadState};
+use log::{error, info, LevelFilter};
use std::fs::{create_dir, read_dir};
use std::os::unix::raw::{pid_t, uid_t};
use std::path::Path;
@@ -35,6 +32,8 @@
const LOG_TAG: &str = "VirtualizationService";
pub(crate) const REMOTELY_PROVISIONED_COMPONENT_SERVICE_NAME: &str =
"android.hardware.security.keymint.IRemotelyProvisionedComponent/avf";
+const INTERNAL_SERVICE_NAME: &str = "android.system.virtualizationservice";
+const MAINTENANCE_SERVICE_NAME: &str = "android.system.virtualizationmaintenance";
fn get_calling_pid() -> pid_t {
ThreadState::get_calling_pid()
@@ -45,6 +44,13 @@
}
fn main() {
+ if let Err(e) = try_main() {
+ error!("failed with {e:?}");
+ std::process::exit(1);
+ }
+}
+
+fn try_main() -> Result<()> {
android_logger::init_once(
Config::default()
.with_tag(LOG_TAG)
@@ -57,31 +63,33 @@
),
);
- clear_temporary_files().expect("Failed to delete old temporary files");
+ clear_temporary_files().context("Failed to delete old temporary files")?;
let common_dir_path = Path::new(TEMPORARY_DIRECTORY).join("common");
- create_dir(common_dir_path).expect("Failed to create common directory");
+ create_dir(common_dir_path).context("Failed to create common directory")?;
ProcessState::start_thread_pool();
-
- let service = VirtualizationServiceInternal::init();
- let service = BnVirtualizationServiceInternal::new_binder(service, BinderFeatures::default());
- register_lazy_service(BINDER_SERVICE_IDENTIFIER, service.as_binder()).unwrap();
- info!("Registered Binder service {}.", BINDER_SERVICE_IDENTIFIER);
+ register(INTERNAL_SERVICE_NAME, VirtualizationServiceInternal::init())?;
if cfg!(remote_attestation) {
// The IRemotelyProvisionedComponent service is only supposed to be triggered by rkpd for
// RKP VM attestation.
- let remote_provisioning_service = remote_provisioning::new_binder();
- register_lazy_service(
- REMOTELY_PROVISIONED_COMPONENT_SERVICE_NAME,
- remote_provisioning_service.as_binder(),
- )
- .unwrap();
- info!("Registered Binder service {}.", REMOTELY_PROVISIONED_COMPONENT_SERVICE_NAME);
+ register(REMOTELY_PROVISIONED_COMPONENT_SERVICE_NAME, remote_provisioning::new_binder())?;
+ }
+
+ if cfg!(llpvm_changes) {
+ register(MAINTENANCE_SERVICE_NAME, maintenance::new_binder())?;
}
ProcessState::join_thread_pool();
+ bail!("Thread pool unexpectedly ended");
+}
+
+fn register<T: binder::FromIBinder + ?Sized>(name: &str, service: binder::Strong<T>) -> Result<()> {
+ register_lazy_service(name, service.as_binder())
+ .with_context(|| format!("Failed to register {name}"))?;
+ info!("Registered Binder service {name}.");
+ Ok(())
}
/// Remove any files under `TEMPORARY_DIRECTORY`.
diff --git a/virtualizationservice/src/maintenance.rs b/virtualizationservice/src/maintenance.rs
new file mode 100644
index 0000000..191d39a
--- /dev/null
+++ b/virtualizationservice/src/maintenance.rs
@@ -0,0 +1,44 @@
+// Copyright 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use android_system_virtualizationmaintenance::aidl::android::system::virtualizationmaintenance;
+use anyhow::anyhow;
+use binder::{BinderFeatures, ExceptionCode, Interface, IntoBinderResult, Strong};
+use virtualizationmaintenance::IVirtualizationMaintenance::{
+ BnVirtualizationMaintenance, IVirtualizationMaintenance,
+};
+
+pub(crate) fn new_binder() -> Strong<dyn IVirtualizationMaintenance> {
+ BnVirtualizationMaintenance::new_binder(
+ VirtualizationMaintenanceService {},
+ BinderFeatures::default(),
+ )
+}
+
+pub struct VirtualizationMaintenanceService;
+
+impl Interface for VirtualizationMaintenanceService {}
+
+#[allow(non_snake_case)]
+impl IVirtualizationMaintenance for VirtualizationMaintenanceService {
+ fn appRemoved(&self, _user_id: i32, _app_id: i32) -> binder::Result<()> {
+ Err(anyhow!("appRemoved not supported"))
+ .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION)
+ }
+
+ fn userRemoved(&self, _user_id: i32) -> binder::Result<()> {
+ Err(anyhow!("userRemoved not supported"))
+ .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION)
+ }
+}
diff --git a/virtualizationservice/src/rkpvm.rs b/virtualizationservice/src/rkpvm.rs
index 79e09b0..67ba740 100644
--- a/virtualizationservice/src/rkpvm.rs
+++ b/virtualizationservice/src/rkpvm.rs
@@ -35,7 +35,7 @@
let request = Request::RequestClientVmAttestation(params);
match vm.process_request(request).context("Failed to process request")? {
Response::RequestClientVmAttestation(cert) => Ok(cert),
- _ => bail!("Incorrect response type"),
+ other => bail!("Incorrect response type {other:?}"),
}
}
diff --git a/vm/Android.bp b/vm/Android.bp
index 04aff5e..c1d9b6b 100644
--- a/vm/Android.bp
+++ b/vm/Android.bp
@@ -12,6 +12,7 @@
rustlibs: [
"android.system.virtualizationservice-rust",
"libanyhow",
+ "libavf_features",
"libbinder_rs",
"libclap",
"libenv_logger",
diff --git a/vm/src/main.rs b/vm/src/main.rs
index de9291c..355e193 100644
--- a/vm/src/main.rs
+++ b/vm/src/main.rs
@@ -45,10 +45,6 @@
#[arg(long, default_value = "one_cpu", value_parser = parse_cpu_topology)]
cpu_topology: CpuTopology,
- /// Comma separated list of task profile names to apply to the VM
- #[arg(long)]
- task_profiles: Vec<String>,
-
/// Memory size (in MiB) of the VM. If unspecified, defaults to the value of `memory_mib`
/// in the VM config file.
#[arg(short, long)]
@@ -232,6 +228,8 @@
#[derive(Parser)]
enum Opt {
+ /// Check if the feature is enabled on device.
+ CheckFeatureEnabled { feature: String },
/// Run a virtual machine with a config in APK
RunApp {
#[command(flatten)]
@@ -304,6 +302,13 @@
virtmgr.connect().context("Failed to connect to VirtualizationService")
}
+fn command_check_feature_enabled(feature: &str) {
+ println!(
+ "Feature {feature} is {}",
+ if avf_features::is_feature_enabled(feature) { "enabled" } else { "disabled" }
+ );
+}
+
fn main() -> Result<(), Error> {
env_logger::init();
let opt = Opt::parse();
@@ -312,6 +317,10 @@
ProcessState::start_thread_pool();
match opt {
+ Opt::CheckFeatureEnabled { feature } => {
+ command_check_feature_enabled(&feature);
+ Ok(())
+ }
Opt::RunApp { config } => command_run_app(config),
Opt::RunMicrodroid { config } => command_run_microdroid(config),
Opt::Run { config } => command_run(config),
diff --git a/vm/src/run.rs b/vm/src/run.rs
index 1d2f48b..5a4a459 100644
--- a/vm/src/run.rs
+++ b/vm/src/run.rs
@@ -136,7 +136,6 @@
let custom_config = CustomConfig {
customKernelImage: None,
gdbPort: config.debug.gdb.map(u16::from).unwrap_or(0) as i32, // 0 means no gdb
- taskProfiles: config.common.task_profiles,
vendorImage: vendor,
devices: config
.microdroid
@@ -235,7 +234,6 @@
vm_config.gdbPort = gdb.get() as i32;
}
vm_config.cpuTopology = config.common.cpu_topology;
- vm_config.taskProfiles = config.common.task_profiles;
run(
get_service()?.as_ref(),
&VirtualMachineConfig::RawConfig(vm_config),
diff --git a/vm_payload/README.md b/vm_payload/README.md
index ec4dc59..419d854 100644
--- a/vm_payload/README.md
+++ b/vm_payload/README.md
@@ -9,7 +9,7 @@
available in the VM, and only 64 bit code is supported.
To create a VM and run the payload from Android see the [AVF Java
-APIs](../javalib/README.md).
+APIs](../java/framework/README.md).
## Entry point