Merge changes I74d90cc6,I4ebc76b8 into main
* changes:
Disable Secretkeeper for CompOS
Allow marking a VM non-updatable
diff --git a/compos/common/compos_client.rs b/compos/common/compos_client.rs
index d0ca026..6914380 100644
--- a/compos/common/compos_client.rs
+++ b/compos/common/compos_client.rs
@@ -24,7 +24,10 @@
use android_system_virtualizationservice::aidl::android::system::virtualizationservice::{
CpuTopology::CpuTopology,
IVirtualizationService::IVirtualizationService,
- VirtualMachineAppConfig::{DebugLevel::DebugLevel, Payload::Payload, VirtualMachineAppConfig},
+ VirtualMachineAppConfig::{
+ CustomConfig::CustomConfig, DebugLevel::DebugLevel, Payload::Payload,
+ VirtualMachineAppConfig,
+ },
VirtualMachineConfig::VirtualMachineConfig,
};
use anyhow::{anyhow, bail, Context, Result};
@@ -116,6 +119,11 @@
VmCpuTopology::MatchHost => CpuTopology::MATCH_HOST,
};
+ // The CompOS VM doesn't need to be updatable (by design it should run exactly twice,
+ // with the same APKs and APEXes each time). And having it so causes some interesting
+ // circular dependencies when run at boot time by odsign: b/331417880.
+ let custom_config = Some(CustomConfig { wantUpdatable: false, ..Default::default() });
+
let config = VirtualMachineConfig::AppConfig(VirtualMachineAppConfig {
name: parameters.name.clone(),
apk: Some(apk_fd),
@@ -128,6 +136,7 @@
protectedVm: protected_vm,
memoryMib: parameters.memory_mib.unwrap_or(0), // 0 means use the default
cpuTopology: cpu_topology,
+ customConfig: custom_config,
..Default::default()
});
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index 0c4aa7c..73d69b9 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -434,7 +434,8 @@
if cfg!(llpvm_changes) {
instance_id = extract_instance_id(config);
untrusted_props.push((cstr!("instance-id"), &instance_id[..]));
- if is_secretkeeper_supported() {
+ let want_updatable = extract_want_updatable(config);
+ if want_updatable && is_secretkeeper_supported() {
// Let guest know that it can defer rollback protection to Secretkeeper by setting
// an empty property in untrusted node in DT. This enables Updatable VMs.
untrusted_props.push((cstr!("defer-rollback-protection"), &[]))
@@ -1374,6 +1375,16 @@
}
}
+fn extract_want_updatable(config: &VirtualMachineConfig) -> bool {
+ match config {
+ VirtualMachineConfig::RawConfig(_) => true,
+ VirtualMachineConfig::AppConfig(config) => {
+ let Some(custom) = &config.customConfig else { return true };
+ custom.wantUpdatable
+ }
+ }
+}
+
fn extract_gdb_port(config: &VirtualMachineConfig) -> Option<NonZeroU16> {
match config {
VirtualMachineConfig::RawConfig(config) => NonZeroU16::new(config.gdbPort as u16),
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl
index 890535b..417d5d3 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl
@@ -118,6 +118,12 @@
/** List of SysFS nodes of devices to be assigned */
String[] devices;
+
+ /**
+ * Whether the VM should be able to keep its secret when updated, if possible. This
+ * should rarely need to be set false.
+ */
+ boolean wantUpdatable = true;
}
/** Configuration parameters guarded by android.permission.USE_CUSTOM_VIRTUAL_MACHINE */
diff --git a/vm/src/run.rs b/vm/src/run.rs
index ca3e857..f3a5987 100644
--- a/vm/src/run.rs
+++ b/vm/src/run.rs
@@ -149,7 +149,6 @@
let payload_config_str = format!("{:?}!{:?}", config.apk, payload);
let custom_config = CustomConfig {
- customKernelImage: None,
gdbPort: config.debug.gdb.map(u16::from).unwrap_or(0) as i32, // 0 means no gdb
vendorImage: vendor,
devices: config
@@ -160,6 +159,7 @@
x.to_str().map(String::from).ok_or(anyhow!("Failed to convert {x:?} to String"))
})
.collect::<Result<_, _>>()?,
+ ..Default::default()
};
let vm_config = VirtualMachineConfig::AppConfig(VirtualMachineAppConfig {