Merge "Dice Policy Aware authentication: Rust library" into main
diff --git a/Android.bp b/Android.bp
index 1fae793..d1086ba 100644
--- a/Android.bp
+++ b/Android.bp
@@ -34,6 +34,7 @@
config_namespace: "ANDROID",
bool_variables: [
"release_avf_enable_multi_tenant_microdroid_vm",
+ "release_avf_enable_vendor_modules",
],
properties: [
"cfgs",
@@ -46,5 +47,8 @@
release_avf_enable_multi_tenant_microdroid_vm: {
cfgs: ["payload_not_root"],
},
+ release_avf_enable_vendor_modules: {
+ cfgs: ["vendor_modules"],
+ },
},
}
diff --git a/apex/product_packages.mk b/apex/product_packages.mk
index ef84551..4c03836 100644
--- a/apex/product_packages.mk
+++ b/apex/product_packages.mk
@@ -37,3 +37,10 @@
PRODUCT_FSVERITY_GENERATE_METADATA := true
PRODUCT_AVF_ENABLED := true
+
+# The cheap build flags dependency management system until there is a proper one.
+ifdef RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT
+ ifndef RELEASE_AVF_ENABLE_VENDOR_MODULES
+ $(error RELEASE_AVF_ENABLE_VENDOR_MODULES must also be enabled)
+ endif
+endif
diff --git a/javalib/api/test-current.txt b/javalib/api/test-current.txt
index 51c2223..bedb267 100644
--- a/javalib/api/test-current.txt
+++ b/javalib/api/test-current.txt
@@ -13,13 +13,14 @@
public static final class VirtualMachineConfig.Builder {
method @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setPayloadConfigPath(@NonNull String);
- method @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setVendorDiskImage(@NonNull java.io.File);
+ method @FlaggedApi("RELEASE_AVF_ENABLE_VENDOR_MODULES") @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setVendorDiskImage(@NonNull java.io.File);
method @NonNull public android.system.virtualmachine.VirtualMachineConfig.Builder setVmConsoleInputSupported(boolean);
}
public class VirtualMachineManager {
method @RequiresPermission(android.system.virtualmachine.VirtualMachine.MANAGE_VIRTUAL_MACHINE_PERMISSION) public boolean isFeatureEnabled(String) throws android.system.virtualmachine.VirtualMachineException;
field public static final String FEATURE_PAYLOAD_NOT_ROOT = "com.android.kvm.PAYLOAD_NON_ROOT";
+ field public static final String FEATURE_VENDOR_MODULES = "com.android.kvm.VENDOR_MODULES";
}
}
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java b/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
index b307854..cc8f65b 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
+++ b/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
@@ -21,6 +21,7 @@
import static java.util.Objects.requireNonNull;
+import android.annotation.FlaggedApi;
import android.annotation.IntDef;
import android.annotation.IntRange;
import android.annotation.NonNull;
@@ -903,6 +904,7 @@
*/
@TestApi
@RequiresPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION)
+ @FlaggedApi("RELEASE_AVF_ENABLE_VENDOR_MODULES")
@NonNull
public Builder setVendorDiskImage(@NonNull File vendorDiskImage) {
mVendorDiskImage = vendorDiskImage;
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineManager.java b/javalib/src/android/system/virtualmachine/VirtualMachineManager.java
index c4096da..0a79553 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachineManager.java
+++ b/javalib/src/android/system/virtualmachine/VirtualMachineManager.java
@@ -107,7 +107,7 @@
@Retention(RetentionPolicy.SOURCE)
@StringDef(
prefix = "FEATURE_",
- value = {FEATURE_PAYLOAD_NOT_ROOT})
+ value = {FEATURE_PAYLOAD_NOT_ROOT, FEATURE_VENDOR_MODULES})
public @interface Features {}
/**
@@ -120,6 +120,15 @@
IVirtualizationService.FEATURE_PAYLOAD_NON_ROOT;
/**
+ * Feature to run payload as non-root user.
+ *
+ * @hide
+ */
+ @TestApi
+ public static final String FEATURE_VENDOR_MODULES =
+ IVirtualizationService.FEATURE_VENDOR_MODULES;
+
+ /**
* Returns a set of flags indicating what this implementation of virtualization is capable of.
*
* @see #CAPABILITY_PROTECTED_VM
diff --git a/libs/service_vm_comm/src/lib.rs b/libs/service_vm_comm/src/lib.rs
index ef5e8bb..3b53b63 100644
--- a/libs/service_vm_comm/src/lib.rs
+++ b/libs/service_vm_comm/src/lib.rs
@@ -22,5 +22,5 @@
mod message;
mod vsock;
-pub use message::{Request, Response};
-pub use vsock::host_port;
+pub use message::{EcdsaP256KeyPair, GenerateCertificateRequestParams, Request, Response};
+pub use vsock::VmType;
diff --git a/libs/service_vm_comm/src/message.rs b/libs/service_vm_comm/src/message.rs
index ebbefcb..0eddcfb 100644
--- a/libs/service_vm_comm/src/message.rs
+++ b/libs/service_vm_comm/src/message.rs
@@ -19,6 +19,8 @@
use serde::{Deserialize, Serialize};
+type MacedPublicKey = Vec<u8>;
+
/// Represents a request to be sent to the service VM.
///
/// Each request has a corresponding response item.
@@ -27,6 +29,14 @@
/// Reverse the order of the bytes in the provided byte array.
/// Currently this is only used for testing.
Reverse(Vec<u8>),
+
+ /// Generates a new ECDSA P-256 key pair that can be attested by the remote
+ /// server.
+ GenerateEcdsaP256KeyPair,
+
+ /// Creates a certificate signing request to be sent to the
+ /// provisioning server.
+ GenerateCertificateRequest(GenerateCertificateRequestParams),
}
/// Represents a response to a request sent to the service VM.
@@ -36,4 +46,34 @@
pub enum Response {
/// Reverse the order of the bytes in the provided byte array.
Reverse(Vec<u8>),
+
+ /// Returns the new ECDSA P-256 key pair.
+ GenerateEcdsaP256KeyPair(EcdsaP256KeyPair),
+
+ /// Returns a CBOR Certificate Signing Request (Csr) serialized into a byte array.
+ GenerateCertificateRequest(Vec<u8>),
+}
+
+/// Represents the params passed to GenerateCertificateRequest
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct GenerateCertificateRequestParams {
+ /// Contains the set of keys to certify.
+ pub keys_to_sign: Vec<MacedPublicKey>,
+
+ /// challenge contains a byte strong from the provisioning server which will be
+ /// included in the signed data of the CSR structure.
+ /// The supported sizes is between 0 and 64 bytes, inclusive.
+ pub challenge: Vec<u8>,
+}
+
+/// Represents an ECDSA P-256 key pair.
+#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
+pub struct EcdsaP256KeyPair {
+ /// Contains a CBOR-encoded public key specified in:
+ ///
+ /// hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/MacedPublicKey.aidl
+ pub maced_public_key: MacedPublicKey,
+
+ /// Contains a handle to the private key.
+ pub key_blob: Vec<u8>,
}
diff --git a/libs/service_vm_comm/src/vsock.rs b/libs/service_vm_comm/src/vsock.rs
index fd6f088..aa7166d 100644
--- a/libs/service_vm_comm/src/vsock.rs
+++ b/libs/service_vm_comm/src/vsock.rs
@@ -14,14 +14,34 @@
//! Vsock setup shared between the host and the service VM.
-/// Returns the host port number for the given VM protection state.
-pub fn host_port(is_protected_vm: bool) -> u32 {
- const PROTECTED_VM_PORT: u32 = 5679;
- const NON_PROTECTED_VM_PORT: u32 = 5680;
+const PROTECTED_VM_PORT: u32 = 5679;
+const NON_PROTECTED_VM_PORT: u32 = 5680;
- if is_protected_vm {
- PROTECTED_VM_PORT
- } else {
- NON_PROTECTED_VM_PORT
+/// VM Type.
+#[derive(Clone, Copy, Debug)]
+pub enum VmType {
+ /// Protected VM.
+ ProtectedVm,
+
+ /// NonProtectev VM.
+ NonProtectedVm,
+}
+
+impl VmType {
+ /// Returns the port number used for the vsock communication between
+ /// the host and the service VM.
+ pub fn port(&self) -> u32 {
+ match self {
+ Self::ProtectedVm => PROTECTED_VM_PORT,
+ Self::NonProtectedVm => NON_PROTECTED_VM_PORT,
+ }
+ }
+
+ /// Returns whether it is a protected VM.
+ pub fn is_protected(&self) -> bool {
+ match self {
+ Self::ProtectedVm => true,
+ Self::NonProtectedVm => false,
+ }
}
}
diff --git a/rialto/src/main.rs b/rialto/src/main.rs
index b34b9de..d777b2d 100644
--- a/rialto/src/main.rs
+++ b/rialto/src/main.rs
@@ -33,6 +33,7 @@
use hyp::{get_mem_sharer, get_mmio_guard};
use libfdt::FdtError;
use log::{debug, error, info};
+use service_vm_comm::VmType;
use virtio_drivers::{
device::socket::{VsockAddr, VMADDR_CID_HOST},
transport::{pci::bus::PciRoot, DeviceType, Transport},
@@ -52,12 +53,16 @@
};
fn host_addr() -> VsockAddr {
- VsockAddr { cid: VMADDR_CID_HOST, port: service_vm_comm::host_port(is_protected_vm()) }
+ VsockAddr { cid: VMADDR_CID_HOST, port: vm_type().port() }
}
-fn is_protected_vm() -> bool {
+fn vm_type() -> VmType {
// Use MMIO support to determine whether the VM is protected.
- get_mmio_guard().is_some()
+ if get_mmio_guard().is_some() {
+ VmType::ProtectedVm
+ } else {
+ VmType::NonProtectedVm
+ }
}
fn new_page_table() -> Result<PageTable> {
@@ -135,7 +140,7 @@
debug!("Found socket device: guest cid = {:?}", socket_device.guest_cid());
let mut vsock_stream = VsockStream::new(socket_device, host_addr())?;
- let response = requests::process_request(vsock_stream.read_request()?);
+ let response = requests::process_request(vsock_stream.read_request()?)?;
vsock_stream.write_response(&response)?;
vsock_stream.flush()?;
vsock_stream.shutdown()?;
diff --git a/rialto/src/requests/api.rs b/rialto/src/requests/api.rs
index 11fdde4..c4b2d8e 100644
--- a/rialto/src/requests/api.rs
+++ b/rialto/src/requests/api.rs
@@ -14,16 +14,27 @@
//! This module contains the main API for the request processing module.
+use super::rkp;
+use crate::error::Result;
use alloc::vec::Vec;
use service_vm_comm::{Request, Response};
/// Processes a request and returns the corresponding response.
/// This function serves as the entry point for the request processing
/// module.
-pub fn process_request(request: Request) -> Response {
- match request {
+pub fn process_request(request: Request) -> Result<Response> {
+ let response = match request {
Request::Reverse(v) => Response::Reverse(reverse(v)),
- }
+ Request::GenerateEcdsaP256KeyPair => {
+ let res = rkp::generate_ecdsa_p256_key_pair()?;
+ Response::GenerateEcdsaP256KeyPair(res)
+ }
+ Request::GenerateCertificateRequest(p) => {
+ let res = rkp::generate_certificate_request(p)?;
+ Response::GenerateCertificateRequest(res)
+ }
+ };
+ Ok(response)
}
fn reverse(payload: Vec<u8>) -> Vec<u8> {
diff --git a/rialto/src/requests/mod.rs b/rialto/src/requests/mod.rs
index ca22777..2ed568c 100644
--- a/rialto/src/requests/mod.rs
+++ b/rialto/src/requests/mod.rs
@@ -15,5 +15,6 @@
//! This module contains functions for the request processing.
mod api;
+mod rkp;
pub use api::process_request;
diff --git a/rialto/src/requests/rkp.rs b/rialto/src/requests/rkp.rs
new file mode 100644
index 0000000..5977bfb
--- /dev/null
+++ b/rialto/src/requests/rkp.rs
@@ -0,0 +1,33 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module contains functions related to the attestation of the
+//! service VM via the RKP (Remote Key Provisionning) server.
+
+use crate::error::Result;
+use alloc::vec::Vec;
+use service_vm_comm::{EcdsaP256KeyPair, GenerateCertificateRequestParams};
+
+pub(super) fn generate_ecdsa_p256_key_pair() -> Result<EcdsaP256KeyPair> {
+ // TODO(b/299055662): Generate the key pair.
+ let key_pair = EcdsaP256KeyPair { maced_public_key: Vec::new(), key_blob: Vec::new() };
+ Ok(key_pair)
+}
+
+pub(super) fn generate_certificate_request(
+ _params: GenerateCertificateRequestParams,
+) -> Result<Vec<u8>> {
+ // TODO(b/299256925): Generate the certificate request
+ Ok(Vec::new())
+}
diff --git a/rialto/tests/test.rs b/rialto/tests/test.rs
index e9bdab6..f7df217 100644
--- a/rialto/tests/test.rs
+++ b/rialto/tests/test.rs
@@ -24,7 +24,7 @@
};
use anyhow::{anyhow, bail, Context, Result};
use log::info;
-use service_vm_comm::{host_port, Request, Response};
+use service_vm_comm::{Request, Response, VmType};
use std::fs::File;
use std::io::{self, BufRead, BufReader, BufWriter, Write};
use std::os::unix::io::FromRawFd;
@@ -41,21 +41,15 @@
#[test]
fn boot_rialto_in_protected_vm_successfully() -> Result<()> {
- boot_rialto_successfully(
- SIGNED_RIALTO_PATH,
- true, // protected_vm
- )
+ boot_rialto_successfully(SIGNED_RIALTO_PATH, VmType::ProtectedVm)
}
#[test]
fn boot_rialto_in_unprotected_vm_successfully() -> Result<()> {
- boot_rialto_successfully(
- UNSIGNED_RIALTO_PATH,
- false, // protected_vm
- )
+ boot_rialto_successfully(UNSIGNED_RIALTO_PATH, VmType::NonProtectedVm)
}
-fn boot_rialto_successfully(rialto_path: &str, protected_vm: bool) -> Result<()> {
+fn boot_rialto_successfully(rialto_path: &str, vm_type: VmType) -> Result<()> {
android_logger::init_once(
android_logger::Config::default().with_tag("rialto").with_min_level(log::Level::Debug),
);
@@ -76,30 +70,31 @@
let console = android_log_fd()?;
let log = android_log_fd()?;
- let disks = if protected_vm {
- let instance_img = File::options()
- .create(true)
- .read(true)
- .write(true)
- .truncate(true)
- .open(INSTANCE_IMG_PATH)?;
- let instance_img = ParcelFileDescriptor::new(instance_img);
+ let disks = match vm_type {
+ VmType::ProtectedVm => {
+ let instance_img = File::options()
+ .create(true)
+ .read(true)
+ .write(true)
+ .truncate(true)
+ .open(INSTANCE_IMG_PATH)?;
+ let instance_img = ParcelFileDescriptor::new(instance_img);
- service
- .initializeWritablePartition(
- &instance_img,
- INSTANCE_IMG_SIZE,
- PartitionType::ANDROID_VM_INSTANCE,
- )
- .context("Failed to initialize instange.img")?;
- let writable_partitions = vec![Partition {
- label: "vm-instance".to_owned(),
- image: Some(instance_img),
- writable: true,
- }];
- vec![DiskImage { image: None, partitions: writable_partitions, writable: true }]
- } else {
- vec![]
+ service
+ .initializeWritablePartition(
+ &instance_img,
+ INSTANCE_IMG_SIZE,
+ PartitionType::ANDROID_VM_INSTANCE,
+ )
+ .context("Failed to initialize instange.img")?;
+ let writable_partitions = vec![Partition {
+ label: "vm-instance".to_owned(),
+ image: Some(instance_img),
+ writable: true,
+ }];
+ vec![DiskImage { image: None, partitions: writable_partitions, writable: true }]
+ }
+ VmType::NonProtectedVm => vec![],
};
let config = VirtualMachineConfig::RawConfig(VirtualMachineRawConfig {
@@ -109,7 +104,7 @@
params: None,
bootloader: Some(ParcelFileDescriptor::new(rialto)),
disks,
- protectedVm: protected_vm,
+ protectedVm: vm_type.is_protected(),
memoryMib: 300,
cpuTopology: CpuTopology::ONE_CPU,
platformVersion: "~1.0".to_string(),
@@ -126,8 +121,8 @@
)
.context("Failed to create VM")?;
- let port = host_port(protected_vm);
- let check_socket_handle = thread::spawn(move || try_check_socket_connection(port).unwrap());
+ let check_socket_handle =
+ thread::spawn(move || try_check_socket_connection(vm_type.port()).unwrap());
vm.start().context("Failed to start VM")?;
diff --git a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
index d6183cf..473a560 100644
--- a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
+++ b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
@@ -1537,11 +1537,7 @@
@CddTest(requirements = {"9.17/C-1-1"})
public void payloadIsNotRoot() throws Exception {
assumeSupportedDevice();
-
- VirtualMachineManager vmm = getVirtualMachineManager();
- assumeTrue(
- VirtualMachineManager.FEATURE_PAYLOAD_NOT_ROOT + " not enabled",
- vmm.isFeatureEnabled(VirtualMachineManager.FEATURE_PAYLOAD_NOT_ROOT));
+ assumeFeatureEnabled(VirtualMachineManager.FEATURE_PAYLOAD_NOT_ROOT);
VirtualMachineConfig config =
newVmConfigBuilder()
@@ -2098,6 +2094,7 @@
@Test
public void configuringVendorDiskImageRequiresCustomPermission() throws Exception {
assumeSupportedDevice();
+ assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
File vendorDiskImage =
new File("/data/local/tmp/cts/microdroid/test_microdroid_vendor_image.img");
@@ -2122,6 +2119,7 @@
@Test
public void bootsWithVendorPartition() throws Exception {
assumeSupportedDevice();
+ assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
grantPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
@@ -2249,4 +2247,9 @@
.that(KERNEL_VERSION)
.isNotEqualTo("5.4");
}
+
+ private void assumeFeatureEnabled(String featureName) throws Exception {
+ VirtualMachineManager vmm = getVirtualMachineManager();
+ assumeTrue(featureName + " not enabled", vmm.isFeatureEnabled(featureName));
+ }
}
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index 164977c..781d83f 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -35,6 +35,7 @@
IVirtualMachineCallback::IVirtualMachineCallback,
IVirtualizationService::IVirtualizationService,
IVirtualizationService::FEATURE_PAYLOAD_NON_ROOT,
+ IVirtualizationService::FEATURE_VENDOR_MODULES,
MemoryTrimLevel::MemoryTrimLevel,
Partition::Partition,
PartitionType::PartitionType,
@@ -274,6 +275,7 @@
// TODO(b/298012279): make this scalable.
match feature {
FEATURE_PAYLOAD_NON_ROOT => Ok(cfg!(payload_not_root)),
+ FEATURE_VENDOR_MODULES => Ok(cfg!(vendor_modules)),
_ => {
warn!("unknown feature {}", feature);
Ok(false)
@@ -326,6 +328,8 @@
let requester_uid = get_calling_uid();
let requester_debug_pid = get_calling_pid();
+ check_config_features(config)?;
+
// Allocating VM context checks the MANAGE_VIRTUAL_MACHINE permission.
let (vm_context, cid, temporary_directory) = self.create_vm_context(requester_debug_pid)?;
@@ -1105,6 +1109,24 @@
}
}
+fn check_no_vendor_modules(config: &VirtualMachineConfig) -> binder::Result<()> {
+ let VirtualMachineConfig::AppConfig(config) = config else { return Ok(()) };
+ if let Some(custom_config) = &config.customConfig {
+ if custom_config.vendorImage.is_some() || custom_config.customKernelImage.is_some() {
+ return Err(anyhow!("vendor modules feature is disabled"))
+ .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);
+ }
+ }
+ Ok(())
+}
+
+fn check_config_features(config: &VirtualMachineConfig) -> binder::Result<()> {
+ if !cfg!(vendor_modules) {
+ check_no_vendor_modules(config)?;
+ }
+ Ok(())
+}
+
fn clone_or_prepare_logger_fd(
debug_config: &DebugConfig,
fd: Option<&ParcelFileDescriptor>,
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl
index 0ee958d..fa50d54 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl
@@ -23,6 +23,7 @@
interface IVirtualizationService {
const String FEATURE_PAYLOAD_NON_ROOT = "com.android.kvm.PAYLOAD_NON_ROOT";
+ const String FEATURE_VENDOR_MODULES = "com.android.kvm.VENDOR_MODULES";
/**
* Create the VM with the given config file, and return a handle to it ready to start it. If
diff --git a/vm/src/main.rs b/vm/src/main.rs
index 4c44496..0af9791 100644
--- a/vm/src/main.rs
+++ b/vm/src/main.rs
@@ -98,10 +98,12 @@
storage_size: Option<u64>,
/// Path to custom kernel image to use when booting Microdroid.
+ #[cfg(vendor_modules)]
#[arg(long)]
kernel: Option<PathBuf>,
/// Path to disk image containing vendor-specific modules.
+ #[cfg(vendor_modules)]
#[arg(long)]
vendor: Option<PathBuf>,
@@ -110,6 +112,28 @@
devices: Vec<PathBuf>,
}
+impl MicrodroidConfig {
+ #[cfg(vendor_modules)]
+ fn kernel(&self) -> &Option<PathBuf> {
+ &self.kernel
+ }
+
+ #[cfg(not(vendor_modules))]
+ fn kernel(&self) -> Option<PathBuf> {
+ None
+ }
+
+ #[cfg(vendor_modules)]
+ fn vendor(&self) -> &Option<PathBuf> {
+ &self.vendor
+ }
+
+ #[cfg(not(vendor_modules))]
+ fn vendor(&self) -> Option<PathBuf> {
+ None
+ }
+}
+
#[derive(Args)]
/// Flags for the run_app subcommand
pub struct RunAppConfig {
diff --git a/vm/src/run.rs b/vm/src/run.rs
index fc8d7e0..1ba9dec 100644
--- a/vm/src/run.rs
+++ b/vm/src/run.rs
@@ -84,25 +84,25 @@
)?;
}
- let storage = if let Some(path) = config.microdroid.storage {
+ let storage = if let Some(ref path) = config.microdroid.storage {
if !path.exists() {
command_create_partition(
service.as_ref(),
- &path,
+ path,
config.microdroid.storage_size.unwrap_or(10 * 1024 * 1024),
PartitionType::ENCRYPTEDSTORE,
)?;
}
- Some(open_parcel_file(&path, true)?)
+ Some(open_parcel_file(path, true)?)
} else {
None
};
let kernel =
- config.microdroid.kernel.as_ref().map(|p| open_parcel_file(p, false)).transpose()?;
+ config.microdroid.kernel().as_ref().map(|p| open_parcel_file(p, false)).transpose()?;
let vendor =
- config.microdroid.vendor.as_ref().map(|p| open_parcel_file(p, false)).transpose()?;
+ config.microdroid.vendor().as_ref().map(|p| open_parcel_file(p, false)).transpose()?;
let extra_idsig_files: Result<Vec<File>, _> =
config.extra_idsigs.iter().map(File::open).collect();